Re: Certified C compilers for safety-critical embedded systems

From: Chris Hills (chris_at_phaedsys.org)
Date: 12/31/03


Date: Wed, 31 Dec 2003 18:03:27 +0000

In article <20619edc.0312310940.4e577ab5@posting.google.com>, Mike Silva
<snarflemike@yahoo.com> writes
>Chris Hills <chris@phaedsys.org> wrote in message news:<8Ib9B0EcKc8$EAT6@phaedsys.demon.co.uk>...
>>
>> >Are you claiming that the Ariane 5 wouldn't have failed
>> >catastrophically if the same bug had occurred in C code? If so, that's
>> >definitely interesting. I'm certainly not knowledgeable enough here to
>> >comment, but I'm sure others on this forum are.
>>
>> Definitely. C is not strongly typed. You can chuck a long into a char
>> and nothing will complain. So IN THIS PARTICULAR CASE an error would not
>> have been raised and the rocket continued..... However in the 99 similar
>> cases you would have wanted it to flag an error and it would not have
>> done so :-)
>
>As an aside, I disagree with this for two reasons. First, I expect
>that sensor failure, as indicated by "impossible values," would have
>been checked for in C code as well as in Ada code.

Maybe. Well, you would like to think so.

But I did say in this specific case of putting a large number into a
smaller sized int.

> _Something_ had to
>be done if the Horizontal Bias value went berserk during a launch.
>Given the stated bias of the project (untrapped errors were assumed to
>indicate hardware failure), the code would have been designed to do
>exactly what the Ada code did, through an explicit range check and
>switch-to-backup-unit action.

No complaint about that. My understanding was that the "error" occurred
after the figures from the SW unit were being used as it was past the
point in the flight where they were needed.

>Second, it appears that the "Operand Error" that started the ball
>rolling (or the rocket dropping) was actually a hardware FPU
>exception.

Ok... that's HW, so it makes no difference on the language used.

> The Ariane hardware has been reported as Motorola
>68020/68881, and Operand Error is the name of the FPU exception that
>would result from an out-of-range FP to INT conversion. Even if the
>code were written in C, the exception would have been generated, and
>presumably

presumably... It's like the "should" word that keeps cropping up just
before things go wrong :-)

> the exception handler would have performed the same
>deliberate and intended actions of shutting down the device so the
>backup device could take over.

But as the backup had the same problem.... the rest is history.

Interesting analysis.

/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/\
/\/\/ chris@phaedsys.org www.phaedsys.org \/\/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
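As an added illustration of the point made in this thread (example code written for this page, not from the original post and not the Ariane flight software): C lets a large value be stored into a smaller integer without any diagnostic, so the range check that Ada performs automatically has to be written by hand. The 16-bit field width and the sample reading are assumptions for the example.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Result of a checked narrowing conversion: ok == false means the input
 * did not fit and the value must not be trusted. */
typedef struct {
    bool ok;
    int16_t value;
} narrow_result;

/* The unchecked pattern the post describes: a long is "chucked into" a
 * 16-bit int and the compiler raises no diagnostic. For an out-of-range
 * input the result is implementation-defined; on the usual two's
 * complement targets it silently wraps modulo 2^16. */
int16_t unchecked_narrow(long value)
{
    return (int16_t)value;
}

/* The explicit range check a C programmer has to write by hand.
 * Converting an out-of-range double to an integer type is undefined
 * behaviour in C, so the check must happen before the cast, never after. */
narrow_result checked_narrow(double value)
{
    narrow_result r = { false, 0 };
    if (isnan(value) || value < (double)INT16_MIN || value > (double)INT16_MAX)
        return r;                 /* refuse rather than produce garbage */
    r.ok = true;
    r.value = (int16_t)value;     /* in range: truncation is well defined */
    return r;
}

int main(void)
{
    /* Constructed sample: a reading that grew past what a 16-bit field
     * can hold (hypothetical value, not the Ariane telemetry). */
    double reading = 70000.0;
    narrow_result r = checked_narrow(reading);
    printf("unchecked: %d\n", unchecked_narrow((long)reading));
    printf("checked:   %s\n", r.ok ? "ok" : "out of range, use fallback");
    return 0;
}
```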