From: "Ludovic Brenta"
Newsgroups: comp.lang.ada
Subject: Re: procedural vs object oriented
Date: 27 Apr 2006 03:42:10 -0700
Message-ID: <1146134530.434869.47230@t31g2000cwb.googlegroups.com>
In-Reply-To: <1xs8jrwjj0dx2$.1ksjkyqyhimw9$.dlg@40tude.net>

Dmitry A. Kazakov wrote:
> On Thu, 27 Apr 2006 07:22:21 +0200, Ludovic Brenta wrote:
>> According to Robert Dewar during FOSDEM, nobody uses OOP in avionics
>> software, because the uncertainty inherent to dynamic dispatching
>> hinders certification. Is someone on this newsgroup in a position to
>> give a counter-example?
>
> Can't tell about avionics, but what uncertainty of dynamic dispatching is
> meant? Or, maybe, "certification" is the context of? Then which
> certification, according to which criteria?

Dynamic dispatching, by definition, means that you don't know which
subprogram you call at run-time. The compiler guarantees that the call
will succeed (i.e. that there exists a subprogram to dispatch to), but
there is uncertainty about which one it is.

DO-178B does not prohibit dynamic dispatching; it only requires that the
program be completely deterministic, and it requires the software
developers to provide reasonable proof that the program is indeed
deterministic. If you use dynamic dispatching in a program, you must
therefore prove that you know precisely which subprogram you call each
time you execute the dispatching call. At DO-178B level A, you must also
prove that the machine code in the executable program dispatches
correctly and in a deterministic way, in bounded time and memory
conditions. This additional burden of proof is on the developer.

That's what I meant when I said that dynamic dispatching hinders
certification. The question of "how do I use dynamic dispatching while
keeping the certification costs reasonable" is quite interesting,
complicated, and has received a lot of thought, but no clear answer has
come out of it. So, for now, the only clear-cut answer in the
conservative world of avionics is, "you don't."

> Talking about uncertainty in general, what about "inherent uncertainty" of
> a procedure call? Can you tell which procedures will be called and when at
> run time? If you can then, you can also do it for dispatching calls. Are
> generic bodies more certain? With "with function "*" (Left, Right : Foo)
> return Foo"? Really?

A static procedure call has no uncertainty: when you read the program
source, you know exactly which subprogram is called, even in the presence
of overloading.
When you instantiate a generic, you also know exactly which subprogram you
pass as a parameter. Again there is no inherent uncertainty here.

At Barco, our coding standards prohibit access-to-subprogram values, and
require all generics to be preelaborated. Thus they eliminate all
uncertainty and make all subprogram calls statically deterministic.
Needless to say, our coding standards also prohibit dynamic dispatching.

--
Ludovic Brenta.
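As an added illustration (not code from the post above or from anyone in the thread), the following Ada unit puts the three kinds of call discussed side by side: a statically bound call, a dispatching call on a class-wide operand, and a call through a generic formal subprogram. The type and subprogram names (Shape, Circle, Square, Area, Area_Of, Squared, Float_Squared) are invented for this example.

```ada
with Ada.Text_IO; use Ada.Text_IO;

-- Added example; all names below are invented for illustration.
procedure Dispatch_Demo is
   type Shape is abstract tagged null record;
   function Area (S : Shape) return Float is abstract;

   type Circle is new Shape with record Radius : Float; end record;
   overriding function Area (S : Circle) return Float is
   begin
      return 3.14159 * S.Radius * S.Radius;
   end Area;

   type Square is new Shape with record Side : Float; end record;
   overriding function Area (S : Square) return Float is
   begin
      return S.Side * S.Side;
   end Area;

   -- Dispatching call: S is class-wide, so the Area that runs is selected
   -- at run time from the tag of S. This is the call a DO-178B argument
   -- has to cover, because the source alone does not name the target.
   function Area_Of (S : Shape'Class) return Float is
   begin
      return Area (S);
   end Area_Of;

   -- Generic formal subprogram: the actual for "*" is fixed at the point
   -- of instantiation, so the call inside Squared is statically known.
   generic
      type T is private;
      with function "*" (Left, Right : T) return T;
   function Squared (X : T) return T;
   function Squared (X : T) return T is
   begin
      return X * X;
   end Squared;

   function Float_Squared is new Squared (Float, "*");

   C : Circle := (Radius => 1.0);
   Q : Square := (Side => 2.0);
begin
   -- Statically bound: C's specific type is known, so Area for Circle is called.
   Put_Line (Float'Image (Area (C)));
   -- Dispatching: the target depends on the run-time tag of the argument.
   Put_Line (Float'Image (Area_Of (C)));
   Put_Line (Float'Image (Area_Of (Q)));
   Put_Line (Float'Image (Float_Squared (3.0)));
end Dispatch_Demo;
```

Reading the source of Area_Of, one cannot say which Area body executes; reading Float_Squared, one can, which is the distinction the post draws between dispatching and generic instantiation.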