From mboxrd@z Thu Jan 1 00:00:00 1970
From: "jimmaureenrogers@worldnet.att.net"
Newsgroups: comp.lang.ada
Subject: Re: why learn C?
Date: 30 Mar 2007 19:41:11 -0700
Message-ID: <1175308871.266257.77460@e65g2000hsc.googlegroups.com>
References: <1172144043.746296.44680@m58g2000cwm.googlegroups.com> <1172161751.573558.24140@h3g2000cwc.googlegroups.com> <546qkhF1tr7dtU1@mid.individual.net> <5ZULh.48$YL5.40@newssvr29.news.prodigy.net> <1175215906.645110.217810@e65g2000hsc.googlegroups.com> <1175230352.808212.15550@e65g2000hsc.googlegroups.com> <1175236212.771445.135460@y66g2000hsf.googlegroups.com>
In-Reply-To: <1175236212.771445.135460@y66g2000hsf.googlegroups.com>

On Mar 30, 12:30 am, "Case Crab" wrote:
> On Mar 29, 10:52 pm, "jimmaureenrog...@worldnet.att.net" wrote:
> > On Mar 29, 6:51 pm, "kevin cline" wrote:
> > > No, what actually happened is that expert C++ developers learned to
> > > use C++ in such a way that those errors cannot happen. While it is
> > > possible to write unsafe code in C++, it is also possible to adopt
> > > coding guidelines that make it easy to find and eliminate unsafe
> > > code, and for most applications, that's quite good enough.
> >
> > Coding guidelines cannot by themselves prevent any errors.
>
> Really? I have found that coding practices can preclude certain
> classes of errors.

The JSF C++ coding standards are available from several sources on the
web. One link is

http://www.research.att.com/~bs/JSF-AV-rules.pdf

The corresponding Ada coding standard is found at

http://software.gsfc.nasa.gov/AssetsApproved/PA2.4.1.1.1.pdf

> > For example, the JSF AV C++ Coding Standard, which is intended to
> > limit the unsafe features of C++, contains 221 rules.
>
> How many rules distinguish SPARK from the full Ada language?
>
> > It is not possible to check 6 million lines of code against 221
> > rules by hand in any timely or economical manner.
>
> I expect that most of the checking can and will be done
> automatically. In any case, I would expect such mission-critical
> code would be inspected, regardless of whether the implementation
> language is C++ or Ada.

Inspection is the problem. It is inefficient and error prone to
manually inspect 6 million lines of code against 221 rules. There is
an automated tool for checking the JSF standard. That tool cannot
perform a 100% check either, due to the nature of the rules.

> > The NASA Ada Flight Software coding guidelines contain 14 rules.
> > The intent of both coding standards is to produce software safe
> > enough to use for airborne avionics systems.
>
> Interesting that one organization has 221 rules while the other has
> only 14.

If you analyze the two standards, and understand the two languages,
you will see that the 221 rules for C++ bring you close to the same
safety level you achieve with the 14 rules for Ada. Many of the
language features prohibited in the C++ standard simply do not exist
in Ada. This explains the bulk of the differences in the two
standards. For instance:

AV Rule 20 (MISRA Rule 122)
The setjmp macro and the longjmp function shall not be used.

Ada has no macros and no equivalent to the longjmp function. There is
no reason to prohibit their use in Ada. Similarly:

AV Rule 29
The #define pre-processor directive shall not be used to create inline
macros. Inline functions shall be used instead.
Rationale: Inline functions do not require text substitutions and
behave well when called with arguments (e.g. type checking is
performed).

Ada does allow inline functions and procedures, but has no language
defined macro capability.

AV Rule 71.1
A class's virtual functions shall not be invoked from its destructor
or any of its constructors.
Rationale: A class's virtual functions are resolved statically (not
dynamically) in its constructors and destructor.

Ada does not provide a direct equivalent to C++ constructors and
destructors. While this may seem a problem to a C++ or Java
programmer, it does have the virtue of not providing an avenue for
the error handled by this rule.

And the C++ multiple inheritance model provides interesting
opportunities for unsafe code:

AV Rule 89
A base class shall not be both virtual and non-virtual in the same
hierarchy.
Rationale: Hierarchy becomes difficult to comprehend and use.

Do not forget about all the wonders of pointers in C and C++. For
example:

AV Rule 97
Arrays shall not be used in interfaces. Instead, the Array class
should be used.
Rationale: Arrays degenerate to pointers when passed as parameters.
This "array decay" problem has long been known to be a source of
errors.

Ada arrays do not decay to pointers. This problem is unknown in Ada
with or without coding standards.

> > Coding standards can help up to a point. When the coding standards
> > are oppressively complex they cease to help.
>
> Compile-time checks can also help, up to a point. But they don't
> solve the whole problem.

No, run time checks are needed for things that cannot be checked at
compile time. Ada is more helpful with run time checks than C or C++,
due to the automated checks generated by the compiler. For instance,
if you define an integer type with a valid range of values from -10
to 10, the compiler will perform all necessary range checking for
that type.

   type My_Int is range -10..10;

You can provide run time checking in any language. In C++ you would
need to define a class for My_Int. The assignment operator would need
to be re-defined to check for the range, and throw an exception when
the range limits are violated.

C++ provides additional challenges to the definition and checking of
limited range integer types. In C and C++ (and Java) all numeric
types are initialized by default to 0. What does that do to your
program if 0 is not within the valid range for your type? The
compiler will simply initialize the data member of your class to an
invalid value. You will need to provide a default constructor to
initialize the value to some valid value, along with the overridden
assignment operator.

Jim Rogers
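The "array decay" that AV Rule 97 cites, shown in code as an added example (this is not code from the post or from the JSF standard). The first function shows that a declared bound on an array parameter is discarded, and the two that follow show interface forms that keep the bound: an array passed by reference with its size as a template parameter, and std::array, which is the standard-library counterpart of the "Array class" the rule asks for. The helper names (decayed_length, bounded_length, decay_loses_bound and so on) and the sample arrays are constructed for this example.

```cpp
#include <array>
#include <cstddef>
#include <type_traits>

// Added example, not from the post: the "array decay" that JSF AV Rule 97
// warns about, beside two interface forms that keep the bound.

// The "[8]" in the parameter is decorative: the parameter type is really
// `const int *`, so the bound is gone inside the function. The static_assert
// makes that visible at compile time.
std::size_t decayed_length(const int buf[8]) {
    static_assert(std::is_same<decltype(buf), const int *>::value,
                  "array parameter has decayed to a pointer");
    // sizeof a pointer divided by sizeof an element: not 8.
    return sizeof(decltype(buf)) / sizeof(buf[0]);
}

// Taking the array by reference keeps N in the type. Passing an array of a
// different size (or a bare pointer) is a compile error, not a silent decay.
template <std::size_t N>
std::size_t bounded_length(const int (&buf)[N]) {
    (void)buf;
    return N;
}

// std::array carries its size as part of the type and can be passed by
// reference or by value without decaying.
template <std::size_t N>
long sum(const std::array<int, N> &a) {
    long s = 0;
    for (int v : a) s += v;
    return s;
}

// Helpers that build the (constructed) sample arrays and report the outcomes.
bool decay_loses_bound() {
    int raw[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    return decayed_length(raw) != 8;      // true: the bound was lost
}

std::size_t reference_keeps_bound() {
    int raw[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    return bounded_length(raw);            // 8
}

long sum_of_sample() {
    std::array<int, 3> a = {{1, 2, 3}};
    return sum(a);                         // 6
}

int main() {
    return (decay_loses_bound() && reference_keeps_bound() == 8 &&
            sum_of_sample() == 6) ? 0 : 1;
}
```

The decayed form compiles without complaint, which is exactly why the rule exists: nothing in the function body can recover the caller's array length, so any loop over the buffer has to trust a separately passed count. The reference and std::array forms turn a mismatch into a compile error.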
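The C++ class the post describes for My_Int, written out as an added example (this is not the poster's code). It mirrors the Ada declaration `type My_Int is range -10..10;` with a class template whose bounds are template parameters: construction and assignment go through one range check, a violation throws std::out_of_range (my choice of exception; Ada raises Constraint_Error), and the default constructor starts at the lower bound so that a range which excludes 0 never holds an invalid default. The names Ranged, My_Int, Positive10 and the helper functions are hypothetical.

```cpp
#include <stdexcept>
#include <string>

// Added example, not from the post: a range-checked integer class in C++ of
// the kind the post describes, standing in for Ada's
//     type My_Int is range -10..10;
// Lo and Hi are compile-time bounds. Every construction and assignment is
// checked; a violation throws std::out_of_range, the role Constraint_Error
// plays in Ada. The names Ranged, My_Int and Positive10 are hypothetical.
template <long Lo, long Hi>
class Ranged {
    static_assert(Lo <= Hi, "empty range");
    long value_;

    static long checked(long v) {
        if (v < Lo || v > Hi)
            throw std::out_of_range("value " + std::to_string(v) + " not in " +
                                    std::to_string(Lo) + ".." + std::to_string(Hi));
        return v;
    }

public:
    // Default constructor: the post's point is that a zero-initialised member
    // may be outside Lo..Hi, so start at the lower bound, which is always valid.
    Ranged() : value_(Lo) {}
    Ranged(long v) : value_(checked(v)) {}
    Ranged &operator=(long v) { value_ = checked(v); return *this; }
    long get() const { return value_; }
};

using My_Int = Ranged<-10, 10>;   // the post's example range
using Positive10 = Ranged<1, 10>; // a range that excludes 0

// True if assigning v to a My_Int is rejected by the range check.
bool assignment_rejected(long v) {
    try { My_Int x; x = v; return false; }
    catch (const std::out_of_range &) { return true; }
}

// A default-constructed My_Int holds -10..10's lower bound? No: it holds Lo,
// which is -10. The helper below returns that value for inspection.
long my_int_default() { return My_Int().get(); }

// A freshly default-constructed Positive10 holds 1, not an invalid 0.
long positive10_default() { return Positive10().get(); }

// Arithmetic happens in long; the result is re-checked when stored. Ada would
// raise Constraint_Error on the same out-of-range result.
bool add_rejected(long a, long b) {
    try { My_Int x(a); x = x.get() + b; return false; }
    catch (const std::out_of_range &) { return true; }
}

int main() {
    My_Int a;          // starts at -10, the lower bound
    a = 7;             // checked, accepted
    return (assignment_rejected(11) && !assignment_rejected(-10) &&
            positive10_default() == 1 && add_rejected(7, 4)) ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. The check only covers the value being stored: `x.get() + b` is evaluated in plain long, so an overflow of long itself is still undefined behaviour here, whereas Ada's checks also cover the base type's arithmetic. And the class only protects members of this type; a plain `int` elsewhere in the program still gets whatever default the language gives it, which is the situation the post warns about.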