This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: [PATCH][4.3] Deprecate -ftrapv


Steven Bosscher wrote:
There has been at least one incident of a software bug in certified
code, but it is very rare, and the record is impressive (no life
has been lost because of a software bug in the history of commercial
aviation).

I agree with all you've said so far, but this statement above is a bit too optimistic, unfortunately :-(

Air France flight 296 in 1988 is one example. It killed 3 people. The
cause was a systems bug that kept engines in idle in a low altitude
fly-by at a French air show. The systems assumed the pilot was trying
to land...

That's often cited, but it was not a software bug; the software met the specifications perfectly. A reasonably complete account is in http://en.wikipedia.org/wiki/Air_France_Flight_296. Note that the captain was found guilty of manslaughter, so this is rather far from being a software problem. Yes, maybe with a different spec, the software could have helped rescue the situation, but to say this crashed because of a bug is mistaken. The above cited entry, dealing with several causes, does not even mention software. It appears likely the flight recorder was tampered with or replaced, and the barometric indicator may have failed. This was not a normal commercial flight; it was a pilot playing dangerous games at an airshow on a chartered flight. For much more information and many references, see http://www.experiencefestival.com/air_france_flight_296_-_investigation_irregularities

Malaysia Airlines Flight 124 is an example of a near-miss.

Yes, that is the one I referred to; right now it is *the* example. For the official report, see http://www.atsb.gov.au/publications/investigation_reports/2005/AAIR/pdf/aair200503722_001.pdf. The issue was proper software handling of an unusual dual hardware failure. A definite bug.

And the
recent crash of British Airways Flight 38 also probably was due to a
software bug (investigation ongoing, of course).

This is not at all the conclusion of the preliminary investigation. We know it was due to fuel flow limitations, but so far have no idea why, and there is so far no hint that this was a software problem. I have a paper copy of the AAIB preliminary report, but as far as I can tell, this is not posted online, though you can find excerpts at http://propilotnews.com/2008/01/uks-aaib-initial-report-on-british.html.

In military aviation, there are plenty of examples of software bugs that
killed people (V-22, Gripen, the F-22 equator bug, etc...). I would
guess all of these were flying with certified software.

You probably guess wrong; it has only recently become standard to certify military planes. The only reason it is done is because they fly through civilian space. Military applications are not considered safety-critical... the main purpose of weapons is to kill people, not to preserve life at all costs!

As for your list, you would have to be more detailed in your citations.
I am not sure what you mean by the equator bug, if you are referring to
the dateline bug, yes, that was a bug in certified software. I know of
no "equator bug", perhaps urban legend at work? I don't know of any
official account of the dateline bug yet.

For confirmation of my basic claim that no commercial aircraft deaths
have been caused by software, see for example
http://online.wsj.com/article/SB114895279859065931-search.html?KEYWORDS=flight+check&COLLECTION=wsjie/6month
"Serious software bugs such as those aboard Malaysia Airlines Flight 124 haven't been blamed for any major commercial jet crash" ...
