Re: Vendor introduces "safe" Ada subset

comp.lang.ada
 help / color / mirror / Atom feed

From: ryer@inmet.UUCP
Subject: Re: Vendor introduces "safe" Ada subset
Date: 18 Oct 88 14:17:00 GMT	[thread overview]
Message-ID: <124000017@inmet> (raw)
In-Reply-To: 6073@june.cs.washington.edu

Regarding:

>... To achieve Ada integrity, Spark has introduced several restrictions.  It
>does not allow the use of tasks, exceptions or generic units.  Access types 
>are also omitted, as these are considered unacceptable in real-time safety
>critical applications.  ... Certain features - such as "go to" statements
>and "declare" statements - are totally barred.

From a compiler writer's viewpoint, generics, exceptions, and even tasks are
just compile-time notions:  We know *exactly* how to translate them to
simpler language features.  For example the compiler creates new (non-generic)
code for each instantiation of a generic.  It converts tasking constructs into
calls on subprograms which themselves are written in Ada without using tasking.
Ultimately there is a piece of hardware at the bottom that only has gotos and
a handful of datatypes.

I appreciate the *complexity* of doing any kind of program proving in
the presence of generics, separate compilation, tasking, exceptions, and
so on.  What I find irritating is the often repeated premise that one
*must* subset in order to make proving feasible.  If a compiler can translate
generics into non-generic code, why can't a program prover do the same?

What if my application *needs* more than one thread of control, because of
multiple asynchronous interactions with the outside world?  Am I to implement
a full executive in Ada (or assembler) and prove it?  If so, how is this any
easier than proving the implementation of the tasking semantics that happen
to be built into Ada already?

If exceptions are not permitted, I presume that the prover is able to prove
that no exceptions such as numeric error or constraint error can ever occur.
If so, it can *surely* also tell whether a given raise statement is going
to be executed and when (i.e. which handler will be activated).  If I were
on an airplane, I'd rather believe that there was an appropriate handler for
every possible exceptional condition than that someone had mathematically
proven that the *source code* of the flight control software would never
cause an exception.

There is no doubt that Spark is *easier* to prove than Ada.  If the claim
is being made that full Ada is inherently unprovable, I'd like to see
the proof.

Please excuse the flame, which is personal, not corporate.
Mike Ryer
Intermetrics

     prev parent reply	other threads:[~1988-10-18 14:17 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
1988-10-14 16:06 Vendor introduces "safe" Ada subset Jon Jacky
1988-10-15 18:43 ` Jacob Gore
1988-10-18 14:17 ` ryer [this message]

replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox