ESA's Schiaparelli Mars probe crashed because of integer overflow
Walter Bright via Digitalmars-d
digitalmars-d at puremagic.com
Fri Nov 25 21:50:19 PST 2016
On 11/25/2016 4:22 AM, Claude wrote:
> So, I like too to think it's just due to an integer overflow. But not from a
> software engineer's perspective, but more from a Marxist approach. One misses a
> simple test over an integer, and you make a rocket-ship worth billions of good
> money (that could be used in education, medical care or whatever) explode in
> tiny cold little pieces, 54 million km from here.
>
> What an ironic and subversive bug, the engineer who did that should be immensely
> proud of himself. :)
I'd like to know what really happened with the code.
But as someone who has worked on flight critical systems for airliners, the
designs are required to account for any single failure of anything. That means
all inputs must be validated for "reasonableness", and the same for outputs. If
any of this is outside reasonable bounds, there must be failover to a backup method.
A negative altitude is not reasonable.
-----
It reminds me of college, where we were told that if we worked a problem and
came up with unreasonable answers, such as negative energy, we were expected to
note:
"I know this answer is unreasonable, but I cannot find the mistake."
and the worst you'd get is a 0. Unreasonable answers, and no note, meant you'd
get a negative score!
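The "validate inputs and outputs for reasonableness, fail over when they are not" rule from the reply above, as an added example that is not code from the post or from the D community. It is written in C with constructed values: the altitude envelope, the sensor units and the two estimators are assumptions for illustration, not anything from the actual Schiaparelli software.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Constructed plausibility envelope for a descent, in metres (assumption). */
#define ALT_MIN_M      0
#define ALT_MAX_M 150000

typedef enum { SRC_PRIMARY, SRC_BACKUP, SRC_NONE } alt_source_t;

typedef struct {
    int32_t      altitude_m;
    alt_source_t source;
} alt_estimate_t;

/* Output check: a negative altitude (or one above the envelope) is not reasonable. */
static bool altitude_reasonable(int64_t alt_m)
{
    return alt_m >= ALT_MIN_M && alt_m <= ALT_MAX_M;
}

/* Primary estimate: previous altitude plus integrated vertical velocity.
   Inputs are range-checked first; arithmetic is done in 64 bits so a
   saturated 32-bit sensor value cannot silently wrap into a "valid" number. */
static bool primary_estimate(int32_t prev_alt_m, int32_t vz_m_s,
                             int32_t dt_ms, int32_t *out_m)
{
    /* Input checks: a sane time step and a sensor that is not pegged at its rails. */
    if (dt_ms <= 0 || dt_ms > 1000)                 return false;
    if (vz_m_s == INT32_MAX || vz_m_s == INT32_MIN) return false;
    if (!altitude_reasonable(prev_alt_m))            return false;

    int64_t delta_m = ((int64_t)vz_m_s * dt_ms) / 1000;   /* m/s * ms / 1000 = m */
    int64_t alt_m   = (int64_t)prev_alt_m + delta_m;

    /* Output check before the value is allowed to drive anything. */
    if (!altitude_reasonable(alt_m)) return false;
    *out_m = (int32_t)alt_m;          /* safe: within [ALT_MIN_M, ALT_MAX_M] */
    return true;
}

/* Backup estimate: an independent ranging sensor, validated the same way. */
static bool backup_estimate(int32_t radar_alt_m, int32_t *out_m)
{
    if (!altitude_reasonable(radar_alt_m)) return false;
    *out_m = radar_alt_m;
    return true;
}

/* Single-failure tolerance: try the primary method, fail over to the backup,
   and report SRC_NONE rather than a bogus number if both are unreasonable. */
alt_estimate_t estimate_altitude(int32_t prev_alt_m, int32_t vz_m_s,
                                 int32_t dt_ms, int32_t radar_alt_m)
{
    alt_estimate_t est = { 0, SRC_NONE };
    if (primary_estimate(prev_alt_m, vz_m_s, dt_ms, &est.altitude_m)) {
        est.source = SRC_PRIMARY;
    } else if (backup_estimate(radar_alt_m, &est.altitude_m)) {
        est.source = SRC_BACKUP;
    }
    return est;
}

int main(void)
{
    /* Constructed readings: 5000 m, descending at 100 m/s, 100 ms step, radar 4985 m. */
    alt_estimate_t ok  = estimate_altitude(5000, -100, 100, 4985);
    /* Same step, but the IMU velocity is saturated at INT32_MIN. */
    alt_estimate_t sat = estimate_altitude(5000, INT32_MIN, 100, 4985);
    /* Both sources unreasonable: saturated IMU and a negative radar reading. */
    alt_estimate_t bad = estimate_altitude(5000, INT32_MAX, 100, -1);
    printf("ok:  %d m (source %d)\n", ok.altitude_m,  ok.source);
    printf("sat: %d m (source %d)\n", sat.altitude_m, sat.source);
    printf("bad: %d m (source %d)\n", bad.altitude_m, bad.source);
    return 0;
}
```

The design point is that each estimator checks its inputs on the way in and its result on the way out, and the caller treats a failed check as a reason to switch sources, not as a number to act on. A `SRC_NONE` result is what a control loop should see when every method has been rejected, so that it can go to a safe mode instead of consuming a negative altitude.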