comp.lang.ada
From: "jimmaureenrogers@worldnet.att.net" <jimmaureenrogers@worldnet.att.net>
Subject: Re: where exactly c++,c fail and Ada gets thru'
Date: 23 Apr 2006 22:05:24 -0700
Message-ID: <1145855124.720029.35280@t31g2000cwb.googlegroups.com>
In-Reply-To: 1145852356.559455.222600@i39g2000cwa.googlegroups.com

Ananth the Boss wrote:
> We are developing safety-critical software. My seniors say that C and
> C++ are not suitable for safety-critical software development and Ada
> is very much safe. NASA also uses Ada. At what point do C++ or C turn out to be
> not suitable for developing flight software? I may be wrong also. Can
> anyone give some more justifications for telling "Ada is safe"? Thanks
> in advance.

The Coding Standards for the Joint Strike Fighter
http://public.research.att.com/~bs/JSF-AV-rules.pdf
give you an idea of the kinds of safety problems recognized in both
C and C++.

For example, the standard prohibits the use of C-style arrays as
function parameters. The problem cited is the degeneration of an
array function argument into a pointer. The pointer provides no
information about the size of the array it points to. This problem
commonly leads to overflowing arrays. Accessing elements beyond
the end of an array is always problematic. The C standard explicitly
allows one to access one element beyond the end of an array to
support common practice in thousands of C programs. The C
standard indicates that accessing more than one beyond the end
of an array leads to undefined behavior.

Polymorphism is one of the heavily used features of C++.
Polymorphism intentionally makes it difficult to determine
which overridden version of a function will be called. Safety-critical
software standards require the ability to statically determine
which function will be called. Polymorphism seriously
complicates such static analysis.

Neither C nor C++ provides any standard means for detecting
overflow or underflow of numeric types.  C provides no way to
ensure that a numeric type uses only a valid set of values. C++
forces you to define a class wrapping the numeric value. You
must also provide all the range checking, resulting in a very
inefficient use of programmer time as well as processor time.
C++ allows you to define a restricted range integer class as a
template. It does not allow you to define a restricted range
floating point class because you cannot use floating point
values as template parameters.

There is no way in C++ to define a template class that achieves
the equivalent of:

type Normalized_Type is digits 10 range 0.0..1.0;

Jim Rogers
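The two C/C++ weaknesses described in the post above (array parameters decaying to pointers, and the absence of a built-in restricted-range numeric type) shown in working C++. This is an added example, not code from the post or from the JSF standard. The names `RangedInt`, `Percent`, `checked_get` and `kSample` are hypothetical, and the sample buffer is constructed for the demonstration. The post's remark about floating-point template parameters held for the C++ of that era; C++20 later permitted floating-point non-type template parameters, but this example stays with integers.

```cpp
#include <cstddef>
#include <stdexcept>

// --- 1. Array parameters decay to pointers -------------------------------
// "int a[10]" as a parameter is exactly "int *a": the 10 is discarded, sizeof
// reports the pointer size, and the callee cannot tell where the array ends.
std::size_t decayed_param_size(int a[10]) {
    return sizeof a;  // sizeof(int*), not 10 * sizeof(int)
}

// A reference-to-array parameter keeps the length N in the type (deduced from
// the argument), so the callee always knows the bound.
template <std::size_t N>
std::size_t array_ref_size(const int (&a)[N]) {
    return sizeof a;  // N * sizeof(int)
}

// Both called on the same 10-element buffer (constructed for this example).
std::size_t decayed_size_seen_by_callee() { int buf[10] = {}; return decayed_param_size(buf); }
std::size_t size_preserved_by_ref()       { int buf[10] = {}; return array_ref_size(buf); }

// When only a pointer is available, the length must travel with it and every
// index must be checked against it; this returns false instead of reading
// past the end.
bool checked_get(const int *a, std::size_t n, std::size_t i, int &out) {
    if (a == nullptr || i >= n) return false;
    out = a[i];
    return true;
}

static const int kSample[4] = {10, 20, 30, 40};  // constructed sample data

// Element at index i, or -1 when i is out of bounds (sample values are positive).
int sample_at(std::size_t i) {
    int out = 0;
    return checked_get(kSample, sizeof kSample / sizeof kSample[0], i, out) ? out : -1;
}

// --- 2. A restricted-range integer as a template -------------------------
// Closest C++ analogue of Ada's "type T is range Lo .. Hi;". The range is part
// of the type and every construction, including arithmetic results, is checked.
// Assumption: Lo..Hi is small enough that v_ + o.v_ cannot overflow a long.
template <long Lo, long Hi>
class RangedInt {
    static_assert(Lo <= Hi, "empty range");
    long v_;
public:
    explicit RangedInt(long v) : v_(check(v)) {}
    long value() const { return v_; }
    static long check(long v) {
        if (v < Lo || v > Hi) throw std::out_of_range("value outside declared range");
        return v;
    }
    RangedInt operator+(RangedInt o) const { return RangedInt(v_ + o.v_); }
};

using Percent = RangedInt<0, 100>;  // hypothetical type for the demonstration

// True if v is a legal Percent value.
bool percent_accepts(long v) {
    try { Percent p(v); (void)p; return true; }
    catch (const std::out_of_range &) { return false; }
}

// a + b as a Percent, or fallback when the sum leaves the range 0..100.
long percent_sum_or(long a, long b, long fallback) {
    try { return (Percent(a) + Percent(b)).value(); }
    catch (const std::out_of_range &) { return fallback; }
}
```

The first half shows why the JSF rule bans C-style array parameters: the decayed parameter reports `sizeof(int*)` while the reference-to-array form still sees the whole buffer, and the pointer-only case can only be made safe by carrying and checking the length by hand. The second half is the wrapping-class approach the post describes; every range check is code the programmer had to write, whereas an Ada range type gets the same checks from the compiler.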





Thread overview: 27+ messages
2006-04-24  4:19 where exactly c++,c fail and Ada gets thru' Ananth the Boss
2006-04-24  5:05 ` jimmaureenrogers [this message]
2006-04-24  7:45   ` Ananth the Boss
2006-04-24 19:17   ` Martin Krischik
2006-04-24 20:23   ` Simon Wright
2006-04-24 22:34     ` Keith Thompson
2006-04-24 22:33   ` Keith Thompson
2006-04-25  5:23     ` Jeffrey R. Carter
2006-04-26 17:48     ` Martin Krischik
2006-04-26 19:33       ` Keith Thompson
2006-04-26 15:10   ` Maciej Sobczak
2006-04-26 17:32     ` Martin Krischik
2006-04-27 10:07       ` Maciej Sobczak
2006-04-27 21:19         ` Keith Thompson
2006-04-28  7:00         ` Martin Krischik
2006-04-28 12:27           ` Maciej Sobczak
2006-04-29  7:03             ` Martin Krischik
2006-04-29 14:08               ` REH
2006-05-01 10:20                 ` Xcriber51
2006-05-01 13:55                   ` REH
2006-05-02  6:43               ` Maciej Sobczak
2006-04-27 16:48       ` REH
2006-04-28  7:49         ` Martin Krischik
2006-04-28 11:17           ` REH
2006-04-29  6:47             ` Martin Krischik
2006-04-24  8:13 ` Rod Chapman
2006-04-25  1:57 ` Steve