From: Ken Garlington
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/08/19
Message-ID: <33FA7574.13B3@flash.net>
Reply-To: Ken.Garlington@computer.org
Organization: Flashnet Communications, http://www.flash.net
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

Ted Velkoff wrote:
>
> Forget about Eiffel for a moment, and consider Ada. I'm starting to
> think that the approach being advocated would suggest using "pragma
> Suppress" throughout the entire development cycle, starting with unit
> test. Without ever having tried to do things that way, it seems on the
> surface that it would be harder to detect and correct bugs in the early
> going. Isn't there some amount of run-time checking that is appropriate
> during development even if it is turned off later?

Only if you believe the benefits outweigh the penalties described in my
paper. I have delivered Ada systems where checking was never enabled,
and where the "assertions" were checked using non-intrusive debugger
commands. Of course, I still got the benefit of the static checking,
which (usually) exists even if the run-time code is suppressed.

Note that, for non-safety-critical code written in Ada, I have delivered
the code where the checks were left on in the production system. Again,
this is a very narrowly-focused domain we are discussing (which just
happens to potentially include the Ariane 5 IRS).

>
> -- Ted Velkoff