
Path: ...!feeds.phibee-telecom.net!news.mixmin.net!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Newsgroups: comp.arch
Subject: Re: is Vax addressing sane today
Date: Tue, 10 Sep 2024 20:55:37 +0300
Organization: Tidorum Ltd
Lines: 55
Message-ID: <lkbfgpFamojU1@mid.individual.net>
References: <vbd6b9$g147$1@dont-email.me>
 <memo.20240905225550.19028d@jgd.cix.co.uk>
 <2024Sep6.080535@mips.complang.tuwien.ac.at> <vbiftm$ui9$1@gal.iecc.com>
 <2024Sep8.155511@mips.complang.tuwien.ac.at>
 <73c6d21457c487c61051ec52fe25ea5d@www.novabbs.org>
 <vbl3qj$22a2q$1@dont-email.me>
 <09ce1622b872f0b0fa944e868a8c97be@www.novabbs.org>
 <vbnisc$2hb59$1@dont-email.me> <2024Sep10.094353@mips.complang.tuwien.ac.at>
 <20240910120840.000071e1@yahoo.com>
 <2024Sep10.174225@mips.complang.tuwien.ac.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net dFfx58ly8tKotORAGQTkcQhEyV2P9+0gYBW9NHxsgJfqSwiPbJ
Cancel-Lock: sha1:rUuCpwY5kkZU4bkEd4xIzobvNcA= sha256:T7GnwwtXJ1zNaSsdOWn3dHGUjW4XN+ce3hQsfJYf7os=
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <2024Sep10.174225@mips.complang.tuwien.ac.at>
Bytes: 3706

On 2024-09-10 18:42, Anton Ertl wrote:

> And it seems to me that Swift with its trapping arithmetic is a
> blast from the past


The dominance of C and its descendants has corrupted the world of 
programming on this point. :-(

Fortunately, among up-and-coming new languages Rust is in the 
overflow-checking camp, at least in DEBUG-mode compilations.


> (with Algol, Pascal etc. usually erroring out on 
> overflow, and Ada raising an exception (with famously explosive 
> consequences for the Ariane 5)),


A bit misleading, as so often when the Ariane 501 incident is brought up.

The Ariane 501 failure was a HW trap on an instruction converting a 
floating-point value into a 16-bit integer, not an Ada exception.

As I understand it, the analogous C code could have used the same 
instruction and failed in the same way (an example of Undefined Behavior).

The original designers of that Ada SW had carefully analysed the 
possible ranges of the numbers and correctly concluded that an overflow 
could not happen if the HW operated correctly. Correctly, that is, for 
the Ariane 4, but not for the Ariane 5 where the SW was sloppily reused 
through multiple process skimps and failures.

Several other similar conversions were protected with programmed range 
checks and suitable alternative code paths, but the analysis showed that 
this particular conversion did not need such checks for the Ariane 4.

One of the process failures was that the SW was never tested with the 
Ariane 5 launch trajectory, which would have revealed the error.

If the SW had really used Ada exceptions (difficult as the processor was
quite maxed out) a reasonable SW designer would have added an exception
handler and could have made this part of the SW fail gracefully. But
the mission would probably not have been saved because the failure 
investigation found other potentially fatal flaws in the systems, 
pointing to more process failures.


> and that the trend in safe languages is to eliminate integer overflow
> by allowing arbitrarily large integers.


That is not practical in a real-time, resource-limited context, at least 
not without a large over-provision of computing resources. And sending 
the resulting over-large integer to a HW register will still fail in 
some way if the value is too large for the HW to accept.
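As an added example (not code from the post or from the Ariane software), here is a C version of the programmed range check with an alternative code path that the post describes for the other conversions; the function names, the enum and the saturating fallback are assumptions of the example:

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the original post. A programmed range check in
 * front of a double -> int16_t conversion: in C, converting a floating-point
 * value that is NaN or outside the target integer's range is undefined
 * behaviour, so the check has to come before the cast. */
typedef enum { CONV_OK, CONV_OUT_OF_RANGE, CONV_NOT_A_NUMBER } conv_status;

conv_status range_check_int16(double x)
{
    if (isnan(x))
        return CONV_NOT_A_NUMBER;
    /* Compare in double: every int16_t is exactly representable, and the cast
     * truncates toward zero, so the open interval (-32769, 32768) is exact.
     * Infinities fail this test as well. */
    if (!(x > -32769.0 && x < 32768.0))
        return CONV_OUT_OF_RANGE;
    return CONV_OK;
}

/* The alternative code path: saturate and report, instead of trapping.
 * 'saturated' may be NULL if the caller does not need the flag. */
int16_t saturating_double_to_int16(double x, bool *saturated)
{
    conv_status st = range_check_int16(x);
    if (saturated)
        *saturated = (st != CONV_OK);
    if (st == CONV_OK)
        return (int16_t)x;          /* the cast is well-defined only here */
    if (st == CONV_OUT_OF_RANGE)
        return (x < 0) ? INT16_MIN : INT16_MAX;
    return 0;                       /* NaN: flagged, no usable value */
}

int main(void)
{
    /* Constructed samples: one in range, one far outside it, one infinite. */
    const double samples[] = { 1234.6, -40000.0, INFINITY };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool sat;
        int16_t v = saturating_double_to_int16(samples[i], &sat);
        printf("%g -> %d%s\n", samples[i], v, sat ? " (range check fired)" : "");
    }
    return 0;
}
```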