On February 11, 1991, the Patriot Project Office received Israeli data on a defect in the Patriot missile system. They found that once the system has been running for 8 hours, it starts to miss by 20%. They estimated that after 20 hours of operation the system misses by so much that it can no longer acquire, track and hit ballistic missiles. The US military did not appreciate the importance of the discovery, saying that the system was designed for mobile, short-term defensive operations and that no one would ever run it for more than 8 hours.
On February 16 a bug fix was released, but rolling it out to all units of military equipment took time because of the war.
On February 21, the military issued a directive that the system should not be run for a long time. It did not specify how long "a long time" is.
On February 25 in Dhahran (Saudi Arabia), a "kerosene" ballistic missile (also known as the R-17, or Scud) flew into the Americans' barracks. 28 people were killed and 96 were wounded because the Patriot missile system missed due to a software error.
On February 26 the bug fix was delivered to Dhahran.

R-17 (SS-1c Scud B in the US and NATO classification, export designation R-300, unofficially "kerosene") is a Soviet liquid-fuel single-stage ballistic missile that uses long-storable propellant components.

Military personnel inspect an R-17 type missile shot down in the desert by the MIM-104 Patriot air defense missile system during Operation Desert Storm.
MIM-104 "Patriot" is an American surface-to-air missile system used by the US Army and its allies.
The software responsible for tracking the target contained a bug that made the internal clock gradually drift away from the true time.
The system time was stored as an integer in a 24-bit register with a resolution of one tenth of a second. As a result, a small fraction of time was "lost" on every 0.1-second tick. For calculations, the value was converted to real numbers.
The number 1/10 equals $1/2^4 + 1/2^5 + 1/2^8 + 1/2^9 + 1/2^{12} + 1/2^{13} + \dots$ In other words, the binary expansion of 1/10 is 0.0001100110011001100110011001100... The 24-bit register in the Patriot system therefore held 0.00011001100110011001100 instead, introducing an error of 0.000000000000000000001111111100... in binary terms, or approximately 0.000000095 in decimal. Over one hundred hours of operation this accumulates to 0.000000095 × 100 × 60 × 60 × 10 = 0.34 seconds.
"Kerosene" flies at a speed of 1676 meters per second and covers more than half a kilometer in 0.34 seconds. This is more than enough to put it outside the Patriot's kill radius. Ironically, the faulty time calculation had been fixed in some parts of the program, but not in all of them.
The software was written in assembler 15-20 years ago and since then has been modified several times by various programming teams.
Several slides from the report that revealed the problems with the Patriot system:



Golden Rules
- Choose the right size. Always carefully double-check how many bits you need to store each variable, and choose the type (long, int, double, float, etc.) accordingly for the particular language and the specific operating system.
- Use integers instead of float where possible. Keep money in cents, not dollars (or rather, satoshis). If you still need to use float, use double precision.
- Never use float as a loop counter.
- Avoid mixed types (signed, unsigned; integer, floating point; single precision, double precision). Perform conversions carefully.
- Check for possible overflow situations. Check for division by zero.
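The drift calculation from the Patriot section and the integer and float rules above, as an added example (not code from the Patriot software or from this article's author). It assumes the stored constant is 1/10 chopped to the 23 binary places quoted in the text; all function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

#define FRAC_BITS 23           /* binary places in the stored 1/10 quoted in the text */
#define TARGET_SPEED_MPS 1676  /* missile speed quoted in the text */

/* 1/10 chopped (not rounded) to FRAC_BITS binary places, as a scaled integer. */
static int64_t chopped_tenth(void) { return (INT64_C(1) << FRAC_BITS) / 10; }

/* Exact elapsed time: the counter is an integer number of 0.1 s ticks. */
static double exact_seconds(int64_t ticks) { return (double)ticks / 10.0; }

/* Faulty conversion: tick count multiplied by the chopped constant. */
static double chopped_seconds(int64_t ticks) {
    return (double)(ticks * chopped_tenth()) / (double)(INT64_C(1) << FRAC_BITS);
}

/* Counterexample for the float rule: a single-precision clock stepped by 0.1f. */
static double float_clock_seconds(int64_t ticks) {
    volatile float t = 0.0f;   /* volatile forces single-precision rounding each step */
    for (int64_t i = 0; i < ticks; i++) t = t + 0.1f;
    return (double)t;
}

/* Number of 0.1 s ticks in the given uptime. */
static int64_t ticks_in(int hours) { return (int64_t)hours * 3600 * 10; }

/* Drift of the chopped clock after `hours` of uptime, in seconds. */
static double drift_seconds(int hours) {
    return exact_seconds(ticks_in(hours)) - chopped_seconds(ticks_in(hours));
}

/* Distance the target covers during that drift, in metres. */
static double miss_metres(int hours) { return drift_seconds(hours) * TARGET_SPEED_MPS; }

int main(void) {
    static const int uptimes[] = {8, 20, 100};   /* uptimes mentioned in the text */
    printf("error per tick: %.9f s\n", drift_seconds(1) / (double)ticks_in(1));
    for (size_t i = 0; i < sizeof uptimes / sizeof uptimes[0]; i++) {
        int h = uptimes[i];
        double f = float_clock_seconds(ticks_in(h)) - exact_seconds(ticks_in(h));
        printf("%3d h: chopped drift %.4f s (%.0f m), float clock off by %.1f s\n",
               h, drift_seconds(h), miss_metres(h), f);
    }
    return 0;
}
```

Keeping the clock as an integer tick count and dividing by 10 only at the point of use gives the exact value; the float accumulator drifts by far more than the chopped constant does.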
Article from PVS: Why do we get different results in 32-bit and 64-bit code?
Article from a Habr author (229 comments): Fatal errors of binary arithmetic when working with floating-point numbers.
Read more about the Patriot
Conclusion
We want to draw people's attention to the problems of software reliability. Programs have long ceased to be just strange, incomprehensible calculations done by scientists in Fortran, or computer games. Software has surrounded us everywhere for a long time.
Previously, serious bugs caused damage in narrow, specific areas: peaceful rocketry (Ariane 5) and the military (Patriot). Now you may encounter a software error not only sitting at a computer, but also sitting in a car (Toyota) or visiting a hospital (Therac-25). We are among those who fight on the side of programmers against bugs. We have developed the static code analyzer PVS-Studio, which detects many errors in C, C++ and C# programs at the coding stage. And taking this opportunity, I want to remind you that from October 25, 2016, not only the Windows version but also the Linux version of this analyzer will be available.