From: "jimmaureenrogers@worldnet.att.net" <jimmaureenrogers@worldnet.att.net>
Subject: Re: why learn C?
Date: 30 Mar 2007 19:41:11 -0700
Date: 2007-03-30T19:41:11-07:00 [thread overview]
Message-ID: <1175308871.266257.77460@e65g2000hsc.googlegroups.com> (raw)
In-Reply-To: <1175236212.771445.135460@y66g2000hsf.googlegroups.com>
On Mar 30, 12:30 am, "Case Crab" <casec...@gmail.com> wrote:
> On Mar 29, 10:52 pm, "jimmaureenrog...@worldnet.att.net"
>
> <jimmaureenrog...@worldnet.att.net> wrote:
> > On Mar 29, 6:51 pm, "kevin cline" <kevin.cl...@gmail.com> wrote:
>
> > > No, what actually happened is that expert C++ developers learned to
> > > use C++ in such a way that those errors can not happen. While it is
> > > possible to write unsafe code in C++, it is also possible to adopt
> > > coding guidelines that makes it easy to find and eliminate unsafe
> > > code, and for most applications, that's quite good enough.
>
> > Coding guidelines cannot by themselves prevent any errors.
>
> Really? I have found that coding practices can preclude certain
> classes of errors.
The JSF C++ coding standards are available from several sources on the
web. One link is http://www.research.att.com/~bs/JSF-AV-rules.pdf
The corresponding Ada coding standard is found at
http://software.gsfc.nasa.gov/AssetsApproved/PA2.4.1.1.1.pdf
>
> > For example,
> > the JSF AV C++ Coding Standard, which is intended to limit the unsafe
> > features of C++, contains 221 rules.
>
> How many rules distinguish SPARK from the full Ada language?
>
> > It is not possible to check
> > 6 million lines of code against 221 rules by hand in any timely or
> > economical manner.
>
> I expect that most of the checking can and will be done
> automatically. In any case, I would expect such
> mission-critical code would be inspected, regardless of whether the
> implementation language is C++ or Ada.
>
Inspection is the problem. It is inefficient and error prone to
manually inspect 6 million lines of code against 221 rules.
There is an automated tool for checking the JSF standard. That
tool cannot perform a 100% check either due to the nature of the
rules.
>
>
> > The NASA Ada Flight Software coding guidelines contain 14 rules.
> > The intent of both coding standards is to produce software safe enough
> > to use for airborne avionics systems.
>
> Interesting that one organization has 221 rules while the other has
> only 14.
If you analyze the two standards, and understand the two languages,
you
will see that the 221 rules for C++ bring you close to the same safety
level you achieve with the 14 rules for Ada.
Many of the language features prohibited in the C++ standard simply do
not exist in Ada. This explains the bulk of the differences in the two
standards. For instance:
AV Rule 20 (MISRA Rule 122)
The setjmp macro and the longjmp function shall not be used.
Ada has no macros and no equivalent to the longjmp function.
There is no reason to prohibit their use in Ada.
Similarly:
AV Rule 29
The #define pre-processor directive shall not be used to create
inline macros. Inline functions shall be used instead.
Rationale: Inline functions do not require text substitutions
and behave well when called with arguments
(e.g. type checking is performed).
Ada does allow inline functions and procedures, but has no
language defined macro capability.
AV Rule 71.1
A class's virtual functions shall not be invoked from its
destructor or any of its constructors.
Rationale: A class's virtual functions are resolved
statically (not dynamically) in its constructors and
destructor.
Ada does not provide a direct equivalent to C++ constructors
and destructors. While this may seem a problem to a C++ or
Java programmer, it does have the virtue of not providing
an avenue for the error handled by this rule.
And the C++ multiple inheritance model provides interesting
opportunities for unsafe code:
AV Rule 89
A base class shall not be both virtual and non-virtual in
the same hierarchy.
Rationale: Hierarchy becomes difficult to comprehend and use.
Do not forget about all the wonders of pointers in C and C++.
For example:
AV Rule 97
Arrays shall not be used in interfaces. Instead, the Array
class should be used.
Rationale: Arrays degenerate to pointers when passed as
parameters. This "array decay" problem has long been known to be
a source of errors.
Ada arrays do not decay to pointers. This problem is unknown in
Ada with or without coding standards.
>
> > Coding standards can help up to a point. When the coding standards are
> > oppresively complex they cease to help.
>
> Compile-time checks can also help, up to a point. But they don't
> solve the whole problem.
No, run time checks are needed for things that cannot be checked at
compile time. Ada helps is more helpful with run time checks than is
C or C++ due to the automated check writing built by the compilers.
For instance, if you define an integer type with a valid range of
values from -10 to 10, the compiler will perform all necessary
range checking for that type.
type My_Int is range -10..10;
You can provide run time checking in any language. In C++ you would
need to define a class for My_Int. The assignment operator would need
to be re-defined to check for the range, and throw an exception when
the range limits are violated.
C++ provides additional challenges to the definition and checking of
limited range integer types. In C and C++ (and Java) all numeric types
are initialized by default to 0. What does that do to your program if
0 is not within the valid range for your type? The compiler will
simply initialize the data member of your class to an invalid value.
You will need to provide a default constructor to initialize the value
to some valid value, along with the overridden assignment operator.
Jim Rogers
next prev parent reply other threads:[~2007-03-31 2:41 UTC|newest]
Thread overview: 167+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1172144043.746296.44680@m58g2000cwm.googlegroups.com>
[not found] ` <slrnetr31o.875.Marc.Boyer@localhost.localdomain>
[not found] ` <1172161751.573558.24140@h3g2000cwc.googlegroups.com>
[not found] ` <slrnetri6j.875.Marc.Boyer@localhost.localdomain>
[not found] ` <546qkhF1tr7dtU1@mid.individual.net>
2007-02-23 8:09 ` why learn C? Marc Boyer
2007-03-20 17:37 ` adaworks
2007-03-21 8:07 ` Maciej Sobczak
2007-03-21 13:39 ` Martin Krischik
2007-03-22 7:54 ` Maciej Sobczak
2007-03-21 14:10 ` Dmitry A. Kazakov
2007-03-21 17:57 ` adaworks
2007-03-21 18:48 ` adaworks
2007-03-21 18:39 ` Georg Bauhaus
2007-03-21 20:09 ` Dmitry A. Kazakov
2007-03-21 20:25 ` Use of declare blocks Randy Brukardt
2007-03-21 20:36 ` Gautier
2007-03-21 20:37 ` Gautier
2007-03-21 20:43 ` Niklas Holsti
2007-03-21 21:29 ` Randy Brukardt
2007-03-22 1:17 ` Adam Beneschan
2007-03-22 8:34 ` Dmitry A. Kazakov
2007-03-22 1:06 ` Adam Beneschan
2007-03-22 17:59 ` adaworks
2007-03-23 2:35 ` Randy Brukardt
2007-03-23 5:23 ` adaworks
2007-03-23 5:15 ` Randy Brukardt
2007-03-23 10:20 ` Georg Bauhaus
2007-03-23 18:25 ` commenting, was " tmoran
2007-03-24 0:32 ` adaworks
2007-03-24 2:12 ` tmoran
2007-03-24 3:19 ` Randy Brukardt
2007-03-24 7:36 ` tmoran
2007-03-24 15:35 ` Simon Wright
2007-03-21 13:29 ` why learn C? Alexander E. Kopilovich
2007-03-30 0:51 ` kevin cline
2007-03-30 4:09 ` Steve
2007-03-30 4:58 ` kevin cline
2007-03-30 7:44 ` Lutz Donnerhacke
2007-03-30 9:09 ` Dmitry A. Kazakov
2007-04-02 4:29 ` kevin cline
2007-04-02 6:45 ` adaworks
2007-04-02 7:52 ` Dmitry A. Kazakov
2007-04-02 8:19 ` kevin cline
2007-04-02 12:04 ` Dmitry A. Kazakov
2007-04-02 23:37 ` Randy Brukardt
2007-04-03 12:42 ` Erasing inappropriate operations (was: why learn C?) Ludovic Brenta
2007-04-03 23:44 ` Randy Brukardt
2007-04-04 8:34 ` Erasing inappropriate operations Ludovic Brenta
2007-04-04 22:00 ` Randy Brukardt
2007-04-03 0:16 ` why learn C? Markus E Leypold
2007-04-04 16:14 ` jayessay
2007-04-05 7:14 ` Hyman Rosen
2007-04-05 15:35 ` jayessay
2007-04-06 2:02 ` Hyman Rosen
2007-04-06 5:57 ` Ray Blaak
2007-04-06 11:01 ` Markus E Leypold
2007-04-07 23:00 ` Ray Blaak
2007-04-08 19:41 ` jayessay
2007-04-09 14:08 ` Markus E Leypold
2007-04-10 15:48 ` jayessay
2007-04-08 19:44 ` jayessay
2007-04-06 18:05 ` jayessay
2007-04-06 22:00 ` Hyman Rosen
2007-04-06 23:46 ` jayessay
2007-04-06 23:59 ` jayessay
2007-04-06 22:16 ` Hyman Rosen
2007-04-06 23:52 ` jayessay
2007-04-07 0:39 ` Ray Blaak
2007-04-06 17:52 ` jayessay
2007-03-30 8:29 ` Markus E Leypold
2007-03-30 8:35 ` Markus E Leypold
2007-03-30 17:39 ` adaworks
2007-03-31 14:59 ` Steve
2007-03-31 15:59 ` Markus E Leypold
2007-04-01 14:32 ` Ed Falis
2007-04-02 7:03 ` adaworks
2007-03-31 15:14 ` Pascal Obry
2007-04-02 5:27 ` kevin cline
2007-04-02 6:04 ` Harald Korneliussen
2007-04-02 6:33 ` Shortage on C / C++ experts Martin Krischik
2007-04-02 7:07 ` why learn C? adaworks
2007-04-02 7:18 ` kevin cline
2007-04-02 13:00 ` adaworks
2007-04-12 15:28 ` Hyman Rosen
2007-04-12 18:32 ` Robert A Duff
2007-04-13 15:59 ` Hyman Rosen
2007-04-14 22:20 ` Robert A Duff
2007-04-14 22:46 ` Randy Brukardt
2007-04-22 18:53 ` adaworks
2007-04-22 19:50 ` Gautier
2007-04-03 0:26 ` Markus E Leypold
2007-04-03 0:34 ` Markus E Leypold
2007-04-03 2:22 ` jimmaureenrogers
2007-04-12 15:47 ` Hyman Rosen
2007-04-12 16:18 ` Markus E Leypold
2007-04-13 23:18 ` kevin cline
2007-04-14 9:38 ` Georg Bauhaus
2007-04-14 10:57 ` Markus E Leypold
2007-04-15 15:10 ` Simon Wright
2007-04-15 16:05 ` Markus E Leypold
2007-04-15 0:59 ` Hyman Rosen
2007-04-15 15:28 ` Markus E Leypold
2007-04-12 16:39 ` Dmitry A. Kazakov
2007-04-12 20:54 ` Georg Bauhaus
2007-04-12 20:33 ` Dmitry A. Kazakov
2007-04-12 21:40 ` Georg Bauhaus
2007-04-12 20:50 ` Dmitry A. Kazakov
2007-04-13 0:32 ` Markus E Leypold
2007-04-14 22:27 ` Robert A Duff
2007-04-14 1:20 ` jimmaureenrogers
2007-04-02 5:03 ` Brian May
2007-04-02 6:16 ` kevin cline
2007-04-03 0:00 ` Brian May
2007-04-12 15:56 ` Hyman Rosen
2007-04-12 16:19 ` Markus E Leypold
2007-04-13 23:42 ` Georg Bauhaus
2007-04-03 0:13 ` Markus E Leypold
2007-04-02 11:47 ` Shortage on C / C++ experts Larry Kilgallen
2007-04-02 12:01 ` Ludovic Brenta
2007-04-02 12:15 ` Dmitry A. Kazakov
2007-04-02 18:47 ` Alexander E. Kopilovich
2007-04-02 20:43 ` tmoran
2007-03-30 4:52 ` why learn C? jimmaureenrogers
2007-03-30 6:30 ` Case Crab
2007-03-30 6:37 ` Gautier
2007-03-30 9:17 ` Georg Bauhaus
2007-03-31 13:18 ` Peter C. Chapin
2007-04-01 1:23 ` Georg Bauhaus
2007-04-01 11:59 ` Peter C. Chapin
2007-04-02 6:37 ` kevin cline
2007-04-02 9:39 ` Harald Korneliussen
2007-03-30 17:47 ` adaworks
2007-03-30 19:25 ` Markus E Leypold
2007-03-30 20:29 ` Randy Brukardt
2007-03-31 9:52 ` Dmitry A. Kazakov
2007-04-01 1:35 ` adaworks
2007-03-31 2:41 ` jimmaureenrogers [this message]
2007-03-31 12:25 ` not NASA Ada coding standard Stephen Leake
2007-03-31 15:44 ` Markus E Leypold
2007-04-01 16:22 ` Simon Clubley
2007-04-02 10:08 ` Stephen Leake
2007-04-02 7:43 ` why learn C? kevin cline
2007-04-02 8:45 ` Martin Krischik
2007-04-02 10:54 ` Georg Bauhaus
2007-04-12 16:05 ` Hyman Rosen
2007-04-12 16:48 ` Dmitry A. Kazakov
2007-04-12 18:27 ` Robert A Duff
2007-04-13 16:21 ` Hyman Rosen
2007-04-12 21:11 ` Georg Bauhaus
2007-04-13 15:45 ` Hyman Rosen
2007-04-02 8:13 ` kevin cline
2007-04-02 23:54 ` Randy Brukardt
2007-04-03 2:58 ` jimmaureenrogers
2007-04-12 16:24 ` Hyman Rosen
2007-04-12 18:05 ` Markus E Leypold
2007-04-15 0:55 ` Hyman Rosen
2007-04-15 7:55 ` Dmitry A. Kazakov
2007-04-15 15:25 ` Markus E Leypold
2007-03-31 11:40 ` Larry Kilgallen
[not found] ` <1175236212.771445.135460@y66g2Organization: LJK Software <c82IfUV$xbi8@eisner.encompasserve.org>
2007-03-31 18:56 ` adaworks
2007-03-31 20:10 ` Markus E Leypold
2007-04-01 18:13 ` tmoran
2007-03-31 19:33 ` Cesar Rabak
2007-03-31 20:11 ` Markus E Leypold
2007-03-30 8:16 ` Markus E Leypold
2007-03-30 9:10 ` Georg Bauhaus
2007-03-30 19:16 ` Pascal Obry
2007-04-01 11:41 ` Martin Krischik
2007-04-01 17:03 ` Pascal Obry
2007-04-01 18:13 ` tmoran
2007-04-16 2:09 ` Brian May
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox