Python from Wise Guy's Viewpoint

Markus Mottl markus at oefai.at
Mon Oct 20 11:46:47 EDT 2003


In comp.lang.functional Kenny Tilton <ktilton at nyc.rr.com> wrote:
> Dennis Lee Bieber wrote:
>>         Short version: The software performed correctly, to specification 
>> (including the failure mode) -- ON THE ARIANE 4 FOR WHICH IT WAS 
>> DESIGNED.

> Nonsense. From: http://www.sp.ph.ic.ac.uk/Cluster/report.html

Dennis is right: it was indeed a specification problem. AFAIK, the coder
had actually even proved formally that the exception could not arise
with the spec of Ariane 4. Lisp code, too, can suddenly raise unexpected
exceptions. The default behaviour of the system was to abort the mission
for safety reasons by blasting the rocket. This wasn't justified in this
case, but one is always more clever after the event...

> "supposed to" fail? chya.

Indeed. Values this extreme were considered impossible on Ariane 4 and
taken as indication of such a serious failure that it would justify
aborting the mission.

> This was nothing more than an unhandled exception crashing the system
> and its identical backup.

Depends on what you mean by "crash": it certainly didn't segfault. It
just realized that something happened that wasn't supposed to happen
and reacted AS REQUIRED.

> Other conversions were protected so they could handle things
> intelligently, this bad boy went unguarded.

Bad, indeed, but absolutely safe with regard to the spec of Ariane 4.

> Note also that the code functionality was pre-ignition 
> only, so there is no way they were thinking that a cool way to abort the 
> flight would be to leave a program exception unhandled.

This is a serious design error, not a problem of the programming language.

> What happened (aside from an unnecessary chunk of code running 
> increasing risk to no good end)

Again, it's a design error.

> is that the extra power of the A5 caused 
> oscillations greater than those seen in the A4. Those greater 
> oscillations took the 64-bit float beyond what would fit in the 16-bit 
> int. kablam. Operand Error. This is not a system saying "whoa, out of 
> range, abort".

Well, the system was indeed programmed to say "whoa, out of range, abort".
A design error.

> As for Lisp not helping:

There is basically no difference between checking the type of a value
dynamically for validity and catching exceptions that get raised on
violations of certain constraints. One can forget to do both or react
to those events in a stupid way (or prove in both cases that the check /
exception handling is unnecessary given the spec).

Note that I am not defending Ada in any way or arguing against FPLs: in
fact, being an FPL-advocate myself I do think that FPLs (including Lisp)
have an edge when it comes to writing safe code. But the Ariane-example just
doesn't support this claim. It was an absolutely horrible management
mistake to not check old code for compliance with the new spec. End
of story...

Regards,
Markus Mottl

--
Markus Mottl          http://www.oefai.at/~markus          markus at oefai.at
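An added example, not part of Markus Mottl's post and not taken from any Ariane software, to illustrate the point made above that checking a value's range dynamically and catching the exception raised by an unguarded conversion are two routes to the same protection. It models a 64-bit float to 16-bit integer conversion in Python: `float_to_int16` is the unguarded conversion whose exception escapes and aborts the stream (standing in for the "Operand Error" of the thread), while `convert_by_check` and `convert_by_catch` implement one saturating policy in the two styles and are shown to agree on every input, including non-finite ones. The int16 width, the saturating policy, and the two sample streams are assumptions; the sample values are constructed, not telemetry.

```python
"""Guarded vs. exception-based handling of a float -> int16 conversion.

Added illustration, not code from the original post. Sample streams are
constructed values chosen to straddle the int16 range, not real data.
"""
import math
from typing import Callable, Iterable, List, Optional, Tuple

INT16_MIN, INT16_MAX = -32768, 32767

# Constructed sample streams: one stays inside int16, one has larger swings.
IN_RANGE_SAMPLES = [120.5, -980.25, 15000.0, -27000.9, 31000.0]
OUT_OF_RANGE_SAMPLES = [120.5, -980.25, 15000.0, 40000.0, -52000.0]


def float_to_int16(x: float) -> int:
    """Unprotected conversion: raises OverflowError on anything that does not
    fit, standing in for the hardware operand error discussed in the thread."""
    if not math.isfinite(x):
        raise OverflowError(f"non-finite value {x!r}")
    n = int(x)  # truncation toward zero, as a hardware float->int does
    if not INT16_MIN <= n <= INT16_MAX:
        raise OverflowError(f"{x!r} does not fit in int16")
    return n


def convert_by_check(x: float) -> int:
    """Style 1: validate the value dynamically, then convert. Finite values
    outside the range saturate; NaN/inf are rejected as bad input."""
    if not math.isfinite(x):
        raise ValueError(f"rejecting non-finite sample {x!r}")
    n = int(x)
    if n < INT16_MIN:
        return INT16_MIN
    if n > INT16_MAX:
        return INT16_MAX
    return n


def convert_by_catch(x: float) -> int:
    """Style 2: attempt the unguarded conversion and handle the exception.
    Same policy as convert_by_check, reached by a different route."""
    try:
        return float_to_int16(x)
    except OverflowError:
        if not math.isfinite(x):
            raise ValueError(f"rejecting non-finite sample {x!r}") from None
        return INT16_MIN if x < 0 else INT16_MAX


def styles_agree(values: Iterable[float]) -> bool:
    """True if both styles give the same result (or both refuse) on every input."""
    for v in values:
        outcomes = []
        for convert in (convert_by_check, convert_by_catch):
            try:
                outcomes.append(("ok", convert(v)))
            except ValueError:
                outcomes.append(("rejected", None))
        if outcomes[0] != outcomes[1]:
            return False
    return True


def run_filter(samples: Iterable[float],
               convert: Callable[[float], int]) -> Tuple[List[int], Optional[int]]:
    """Process a stream the way the thread describes the flight software: an
    exception escaping the conversion aborts processing. Returns the values
    converted so far and the index of the aborting sample (None if none)."""
    out: List[int] = []
    for i, sample in enumerate(samples):
        try:
            out.append(convert(sample))
        except (OverflowError, ValueError):
            return out, i
    return out, None


if __name__ == "__main__":
    print(run_filter(IN_RANGE_SAMPLES, float_to_int16))       # completes
    print(run_filter(OUT_OF_RANGE_SAMPLES, float_to_int16))   # aborts at index 3
    print(run_filter(OUT_OF_RANGE_SAMPLES, convert_by_check)) # saturates, completes
    print(styles_agree(IN_RANGE_SAMPLES + OUT_OF_RANGE_SAMPLES))
```

Whether the saturating policy is the right reaction is a design decision outside the conversion itself; the point here is only that the pre-check and the catch block encode that decision equivalently, and that the unguarded path is the one whose behaviour depends on the caller having proved the input range.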