How One Line of Code Caused the Most Expensive Software Bug in History

How One Line of Code Caused the Most Expensive Software Bug in History

On June 4, 1996, the European Space Agency's Ariane 5 rocket exploded 37 seconds after launch due to a single line of code that attempted to convert a 64-bit floating-point number to a 16-bit signed integer. The cost: $500 million. The rocket, its payload of 4 scientific satellites, and years of development were destroyed in a fireball over French Guiana because of a data type conversion error that could have been fixed with one additional line of code.

The Bug

What happened:

• The Ariane 5 reused navigation software from the older Ariane 4 rocket
• Ariane 4 used 16-bit integers for horizontal velocity (max value: 32,767)
• Ariane 5 was faster — horizontal velocity exceeded 32,767 within 37 seconds of launch
• The software tried to convert a 64-bit float (37,250) to a 16-bit integer
• 32,767 + 1 = integer overflow (wrapped to negative number)
• The negative velocity value was interpreted as hardware failure
• The onboard computer shut down the navigation system
• The rocket veered off course and self-destructed

The one line of code:

// Ariane 5 tried to do this:
int16_t velocity = (int16_t)horizontal_velocity_64bit;
// horizontal_velocity_64bit = 37250 (exceeds int16 max of 32767)
// Result: velocity = -28286 (overflow)
// Navigation computer: negative velocity = failure = SHUTDOWN

The fix (never implemented):

// What they should have done:
if (horizontal_velocity_64bit > 32767) {
    // Handle the overflow case
} else {
    int16_t velocity = (int16_t)horizontal_velocity_64bit;
}

Why It Happened

1. Code reuse without analysis:

• Ariane 5 software was copied from Ariane 4 with minimal review
• The assumption: "It worked on Ariane 4, it will work on Ariane 5"
• Nobody checked if the data type constraints were still valid
• The velocity calculations were more relevant on Ariane 4 (longer flight profile)
• On Ariane 5, the velocity calculations weren't even NEEDED after launch (but ran anyway)

2. Lack of testing:

• The overflow condition was never tested (it doesn't occur on Ariane 4)
• No simulation tested velocities above 32,767
• The specific code path that failed was considered "unlikely to execute" in post-launch
• Integration testing missed the boundary condition

3. Overconfidence in reused code:

• The navigation software had flown successfully on Ariane 4 for years
• Engineers trusted proven code without re-verifying assumptions
• The code was treated as a "black box" — not re-analyzed for new context

4. Documentation failure:

• The 16-bit integer constraint was documented but not highlighted
• No one flagged it as a risk for the faster Ariane 5
• The assumption that velocity would stay below 32,767 was never questioned

The Aftermath

Financial impact:

• $500 million total loss (rocket + 4 Cluster science satellites)
• Insurance covered most of the loss
• ESA had to rebuild the entire Cluster mission (launched successfully in 2000)
• Total cost including rebuild: estimated $850 million

Industry impact:

• The Ariane 5 failure became the most famous case study in software engineering
• Mandatory code review and reuse analysis policies at ESA and other space agencies
• Triggered widespread adoption of formal verification methods
• Integer overflow became a standard interview topic for software engineers

Lessons learned:

• Reused code must be re-analyzed for new operating conditions
• Data type boundaries must be explicitly tested
• "It worked before" is not a substitute for verification
• Code that runs but isn't needed should be disabled (defensive programming)
• Boundary condition testing is essential for safety-critical systems

Other Expensive Single-Line Bugs

Therac-25 (1985-1987):

• Radiation therapy machine with software bug
• Caused 6 patients to receive lethal radiation overdoses
• Bug: Race condition in concurrent code (no hardware safety interlocks)
• Cost: 6 lives

Knight Capital (2012):

• Trading firm's software deployed with dead code
• Traded $7 billion in 45 minutes (should have been $0)
• Bug: Old code flag (Power Peg) was accidentally reactivated
• Cost: $440 million (company bankrupted in days)

Heartbleed (2014):

• OpenSSL library bug allowing data extraction from servers
• Bug: Missing bounds check on heartbeat packet length (1 line missing)
• Affected 17% of all secure web servers globally
• Cost: Estimated $500 million+ in remediation

Cloudbleed (2017):

• Cloudflare HTML parser bug leaking encrypted data
• Bug: Buffer overrun when parsing malformed HTML
• Leaked passwords, cookies, messages from thousands of sites
• Cost: Estimated $100-200 million in breach remediation

The Takeaway

One line of code destroyed a $500 million rocket. Not because the line was complex — it was a simple type conversion — but because no one questioned whether code written for one system (Ariane 4) was appropriate for another (Ariane 5). The Ariane 5 disaster teaches the most important lesson in software engineering: code reuse saves time but creates invisible assumptions. Every line of reused code carries the assumptions of its original context, and those assumptions become landmines when the context changes. The $500 million bug wasn't a failure of coding — it was a failure of questioning.