From: "kevin cline" <kevin.cline@gmail.com>
Subject: Re: why learn C?
Date: 2 Apr 2007 00:43:41 -0700
Date: 2007-04-02T00:43:41-07:00 [thread overview]
Message-ID: <1175499821.557815.303270@y80g2000hsf.googlegroups.com> (raw)
In-Reply-To: <1175308871.266257.77460@e65g2000hsc.googlegroups.com>
On Mar 30, 9:41 pm, "jimmaureenrog...@worldnet.att.net"
<jimmaureenrog...@worldnet.att.net> wrote:
> On Mar 30, 12:30 am, "Case Crab" <casec...@gmail.com> wrote:
>
> > On Mar 29, 10:52 pm, "jimmaureenrog...@worldnet.att.net"
>
> > <jimmaureenrog...@worldnet.att.net> wrote:
> > > On Mar 29, 6:51 pm, "kevin cline" <kevin.cl...@gmail.com> wrote:
>
> > > > No, what actually happened is that expert C++ developers learned to
> > > > use C++ in such a way that those errors can not happen. While it is
> > > > possible to write unsafe code in C++, it is also possible to adopt
> > > > coding guidelines that makes it easy to find and eliminate unsafe
> > > > code, and for most applications, that's quite good enough.
>
> > > Coding guidelines cannot by themselves prevent any errors.
>
> > Really? I have found that coding practices can preclude certain
> > classes of errors.
>
> The JSF C++ coding standards are available from several sources on the
> web. One link ishttp://www.research.att.com/~bs/JSF-AV-rules.pdf
>
> The corresponding Ada coding standard is found athttp://software.gsfc.nasa.gov/AssetsApproved/PA2.4.1.1.1.pdf
>
>
>
>
>
> > > For example,
> > > the JSF AV C++ Coding Standard, which is intended to limit the unsafe
> > > features of C++, contains 221 rules.
>
> > How many rules distinguish SPARK from the full Ada language?
>
> > > It is not possible to check
> > > 6 million lines of code against 221 rules by hand in any timely or
> > > economical manner.
>
> > I expect that most of the checking can and will be done
> > automatically. In any case, I would expect such
> > mission-critical code would be inspected, regardless of whether the
> > implementation language is C++ or Ada.
>
> Inspection is the problem. It is inefficient and error prone to
> manually inspect 6 million lines of code against 221 rules.
>
> There is an automated tool for checking the JSF standard. That
> tool cannot perform a 100% check either due to the nature of the
> rules.
>
>
>
> > > The NASA Ada Flight Software coding guidelines contain 14 rules.
> > > The intent of both coding standards is to produce software safe enough
> > > to use for airborne avionics systems.
>
> > Interesting that one organization has 221 rules while the other has
> > only 14.
>
> If you analyze the two standards, and understand the two languages,
> you
> will see that the 221 rules for C++ bring you close to the same safety
> level you achieve with the 14 rules for Ada.
>
> Many of the language features prohibited in the C++ standard simply do
> not exist in Ada. This explains the bulk of the differences in the two
> standards. For instance:
>
> AV Rule 20 (MISRA Rule 122)
> The setjmp macro and the longjmp function shall not be used.
>
> Ada has no macros and no equivalent to the longjmp function.
> There is no reason to prohibit their use in Ada.
>
> Similarly:
>
> AV Rule 29
> The #define pre-processor directive shall not be used to create
> inline macros. Inline functions shall be used instead.
> Rationale: Inline functions do not require text substitutions
> and behave well when called with arguments
> (e.g. type checking is performed).
>
> Ada does allow inline functions and procedures, but has no
> language defined macro capability.
>
> AV Rule 71.1
> A class's virtual functions shall not be invoked from its
> destructor or any of its constructors.
> Rationale: A class's virtual functions are resolved
> statically (not dynamically) in its constructors and
> destructor.
>
> Ada does not provide a direct equivalent to C++ constructors
> and destructors. While this may seem a problem to a C++ or
> Java programmer, it does have the virtue of not providing
> an avenue for the error handled by this rule.
>
> And the C++ multiple inheritance model provides interesting
> opportunities for unsafe code:
>
> AV Rule 89
> A base class shall not be both virtual and non-virtual in
> the same hierarchy.
> Rationale: Hierarchy becomes difficult to comprehend and use.
>
> Do not forget about all the wonders of pointers in C and C++.
> For example:
>
> AV Rule 97
> Arrays shall not be used in interfaces. Instead, the Array
> class should be used.
> Rationale: Arrays degenerate to pointers when passed as
> parameters. This "array decay" problem has long been known to be
> a source of errors.
>
> Ada arrays do not decay to pointers. This problem is unknown in
> Ada with or without coding standards.
>
>
>
> > > Coding standards can help up to a point. When the coding standards are
> > > oppresively complex they cease to help.
>
> > Compile-time checks can also help, up to a point. But they don't
> > solve the whole problem.
>
> No, run time checks are needed for things that cannot be checked at
> compile time. Ada helps is more helpful with run time checks than is
> C or C++ due to the automated check writing built by the compilers.
> For instance, if you define an integer type with a valid range of
> values from -10 to 10, the compiler will perform all necessary
> range checking for that type.
>
> type My_Int is range -10..10;
>
> You can provide run time checking in any language. In C++ you would
> need to define a class for My_Int.
Actually, you would define a template class RangedInt, and then write
something like:
typedef RangedInt<-10,10> My_Int;
> The assignment operator would need
> to be re-defined to check for the range, and throw an exception when
> the range limits are violated.
Right. One eight-line class to replicate the Ada ranged integer type.
>
> C++ provides additional challenges to the definition and checking of
> limited range integer types. In C and C++ (and Java) all numeric types
> are initialized by default to 0.
Not exactly.
> What does that do to your program if
> 0 is not within the valid range for your type?
> The compiler will
> simply initialize the data member of your class to an invalid value.
> You will need to provide a default constructor to initialize the value
> to some valid value, along with the overridden assignment operator.
True. The C++ design philosophy was that features would not be added
to the language if they could be implemented as library classes. A
limited-range integer is a pretty trivial class to write, so there was
no need to add it to the language. Also, C++ was designed with the
idea that if you didn't need it, you didn't have to pay for it. So
variables are not automatically initialized. Modern compilers produce
warnings if it is possible for a variable to be used before it has
been initialized.
next prev parent reply other threads:[~2007-04-02 7:43 UTC|newest]
Thread overview: 167+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1172144043.746296.44680@m58g2000cwm.googlegroups.com>
[not found] ` <slrnetr31o.875.Marc.Boyer@localhost.localdomain>
[not found] ` <1172161751.573558.24140@h3g2000cwc.googlegroups.com>
[not found] ` <slrnetri6j.875.Marc.Boyer@localhost.localdomain>
[not found] ` <546qkhF1tr7dtU1@mid.individual.net>
2007-02-23 8:09 ` why learn C? Marc Boyer
2007-03-20 17:37 ` adaworks
2007-03-21 8:07 ` Maciej Sobczak
2007-03-21 13:39 ` Martin Krischik
2007-03-22 7:54 ` Maciej Sobczak
2007-03-21 14:10 ` Dmitry A. Kazakov
2007-03-21 17:57 ` adaworks
2007-03-21 18:48 ` adaworks
2007-03-21 18:39 ` Georg Bauhaus
2007-03-21 20:09 ` Dmitry A. Kazakov
2007-03-21 20:25 ` Use of declare blocks Randy Brukardt
2007-03-21 20:36 ` Gautier
2007-03-21 20:37 ` Gautier
2007-03-21 20:43 ` Niklas Holsti
2007-03-21 21:29 ` Randy Brukardt
2007-03-22 1:17 ` Adam Beneschan
2007-03-22 8:34 ` Dmitry A. Kazakov
2007-03-22 1:06 ` Adam Beneschan
2007-03-22 17:59 ` adaworks
2007-03-23 2:35 ` Randy Brukardt
2007-03-23 5:23 ` adaworks
2007-03-23 5:15 ` Randy Brukardt
2007-03-23 10:20 ` Georg Bauhaus
2007-03-23 18:25 ` commenting, was " tmoran
2007-03-24 0:32 ` adaworks
2007-03-24 2:12 ` tmoran
2007-03-24 3:19 ` Randy Brukardt
2007-03-24 7:36 ` tmoran
2007-03-24 15:35 ` Simon Wright
2007-03-21 13:29 ` why learn C? Alexander E. Kopilovich
2007-03-30 0:51 ` kevin cline
2007-03-30 4:09 ` Steve
2007-03-30 4:58 ` kevin cline
2007-03-30 7:44 ` Lutz Donnerhacke
2007-03-30 9:09 ` Dmitry A. Kazakov
2007-04-02 4:29 ` kevin cline
2007-04-02 6:45 ` adaworks
2007-04-02 7:52 ` Dmitry A. Kazakov
2007-04-02 8:19 ` kevin cline
2007-04-02 12:04 ` Dmitry A. Kazakov
2007-04-02 23:37 ` Randy Brukardt
2007-04-03 12:42 ` Erasing inappropriate operations (was: why learn C?) Ludovic Brenta
2007-04-03 23:44 ` Randy Brukardt
2007-04-04 8:34 ` Erasing inappropriate operations Ludovic Brenta
2007-04-04 22:00 ` Randy Brukardt
2007-04-03 0:16 ` why learn C? Markus E Leypold
2007-04-04 16:14 ` jayessay
2007-04-05 7:14 ` Hyman Rosen
2007-04-05 15:35 ` jayessay
2007-04-06 2:02 ` Hyman Rosen
2007-04-06 5:57 ` Ray Blaak
2007-04-06 11:01 ` Markus E Leypold
2007-04-07 23:00 ` Ray Blaak
2007-04-08 19:41 ` jayessay
2007-04-09 14:08 ` Markus E Leypold
2007-04-10 15:48 ` jayessay
2007-04-08 19:44 ` jayessay
2007-04-06 18:05 ` jayessay
2007-04-06 22:00 ` Hyman Rosen
2007-04-06 23:46 ` jayessay
2007-04-06 23:59 ` jayessay
2007-04-06 22:16 ` Hyman Rosen
2007-04-06 23:52 ` jayessay
2007-04-07 0:39 ` Ray Blaak
2007-04-06 17:52 ` jayessay
2007-03-30 8:29 ` Markus E Leypold
2007-03-30 8:35 ` Markus E Leypold
2007-03-30 17:39 ` adaworks
2007-03-31 14:59 ` Steve
2007-03-31 15:59 ` Markus E Leypold
2007-04-01 14:32 ` Ed Falis
2007-04-02 7:03 ` adaworks
2007-03-31 15:14 ` Pascal Obry
2007-04-02 5:27 ` kevin cline
2007-04-02 6:04 ` Harald Korneliussen
2007-04-02 6:33 ` Shortage on C / C++ experts Martin Krischik
2007-04-02 7:07 ` why learn C? adaworks
2007-04-02 7:18 ` kevin cline
2007-04-02 13:00 ` adaworks
2007-04-12 15:28 ` Hyman Rosen
2007-04-12 18:32 ` Robert A Duff
2007-04-13 15:59 ` Hyman Rosen
2007-04-14 22:20 ` Robert A Duff
2007-04-14 22:46 ` Randy Brukardt
2007-04-22 18:53 ` adaworks
2007-04-22 19:50 ` Gautier
2007-04-03 0:26 ` Markus E Leypold
2007-04-03 0:34 ` Markus E Leypold
2007-04-03 2:22 ` jimmaureenrogers
2007-04-12 15:47 ` Hyman Rosen
2007-04-12 16:18 ` Markus E Leypold
2007-04-13 23:18 ` kevin cline
2007-04-14 9:38 ` Georg Bauhaus
2007-04-14 10:57 ` Markus E Leypold
2007-04-15 15:10 ` Simon Wright
2007-04-15 16:05 ` Markus E Leypold
2007-04-15 0:59 ` Hyman Rosen
2007-04-15 15:28 ` Markus E Leypold
2007-04-12 16:39 ` Dmitry A. Kazakov
2007-04-12 20:54 ` Georg Bauhaus
2007-04-12 20:33 ` Dmitry A. Kazakov
2007-04-12 21:40 ` Georg Bauhaus
2007-04-12 20:50 ` Dmitry A. Kazakov
2007-04-13 0:32 ` Markus E Leypold
2007-04-14 22:27 ` Robert A Duff
2007-04-14 1:20 ` jimmaureenrogers
2007-04-02 5:03 ` Brian May
2007-04-02 6:16 ` kevin cline
2007-04-03 0:00 ` Brian May
2007-04-12 15:56 ` Hyman Rosen
2007-04-12 16:19 ` Markus E Leypold
2007-04-13 23:42 ` Georg Bauhaus
2007-04-03 0:13 ` Markus E Leypold
2007-04-02 11:47 ` Shortage on C / C++ experts Larry Kilgallen
2007-04-02 12:01 ` Ludovic Brenta
2007-04-02 12:15 ` Dmitry A. Kazakov
2007-04-02 18:47 ` Alexander E. Kopilovich
2007-04-02 20:43 ` tmoran
2007-03-30 4:52 ` why learn C? jimmaureenrogers
2007-03-30 6:30 ` Case Crab
2007-03-30 6:37 ` Gautier
2007-03-30 9:17 ` Georg Bauhaus
2007-03-31 13:18 ` Peter C. Chapin
2007-04-01 1:23 ` Georg Bauhaus
2007-04-01 11:59 ` Peter C. Chapin
2007-04-02 6:37 ` kevin cline
2007-04-02 9:39 ` Harald Korneliussen
2007-03-30 17:47 ` adaworks
2007-03-30 19:25 ` Markus E Leypold
2007-03-30 20:29 ` Randy Brukardt
2007-03-31 9:52 ` Dmitry A. Kazakov
2007-04-01 1:35 ` adaworks
2007-03-31 2:41 ` jimmaureenrogers
2007-03-31 12:25 ` not NASA Ada coding standard Stephen Leake
2007-03-31 15:44 ` Markus E Leypold
2007-04-01 16:22 ` Simon Clubley
2007-04-02 10:08 ` Stephen Leake
2007-04-02 7:43 ` kevin cline [this message]
2007-04-02 8:45 ` why learn C? Martin Krischik
2007-04-02 10:54 ` Georg Bauhaus
2007-04-12 16:05 ` Hyman Rosen
2007-04-12 16:48 ` Dmitry A. Kazakov
2007-04-12 18:27 ` Robert A Duff
2007-04-13 16:21 ` Hyman Rosen
2007-04-12 21:11 ` Georg Bauhaus
2007-04-13 15:45 ` Hyman Rosen
2007-04-02 8:13 ` kevin cline
2007-04-02 23:54 ` Randy Brukardt
2007-04-03 2:58 ` jimmaureenrogers
2007-04-12 16:24 ` Hyman Rosen
2007-04-12 18:05 ` Markus E Leypold
2007-04-15 0:55 ` Hyman Rosen
2007-04-15 7:55 ` Dmitry A. Kazakov
2007-04-15 15:25 ` Markus E Leypold
2007-03-31 11:40 ` Larry Kilgallen
[not found] ` <1175236212.771445.135460@y66g2Organization: LJK Software <c82IfUV$xbi8@eisner.encompasserve.org>
2007-03-31 18:56 ` adaworks
2007-03-31 20:10 ` Markus E Leypold
2007-04-01 18:13 ` tmoran
2007-03-31 19:33 ` Cesar Rabak
2007-03-31 20:11 ` Markus E Leypold
2007-03-30 8:16 ` Markus E Leypold
2007-03-30 9:10 ` Georg Bauhaus
2007-03-30 19:16 ` Pascal Obry
2007-04-01 11:41 ` Martin Krischik
2007-04-01 17:03 ` Pascal Obry
2007-04-01 18:13 ` tmoran
2007-04-16 2:09 ` Brian May
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox