Re: Beware: Rep spec on an enumeration type clause

[Ken Garlington <kennieg@nospam.flash.net>]

Franco Mazzanti wrote:
> 
> Rakesh Malhotra wrote:
> 
> > We work on safety critical projects.  And if we have a safety critical
> > bit of code that defines and uses an enumeration then we use the rep
> > clause to provide more than 1 bit separation between adjacent values in
> > the enumeration.  That way if 1 bit got corrupted the value could not
> > become some other legal value.
> >

[snip]

> 
> Since the program behaviour when some invalid object is encountered is
> highly
> implementation dependent, this approach seems really dangerous to me ...
> For example, for example, the following program, compiled with GNAT v.3.09
> happily (and legally) produces the output:
> 
> > I is neither AA, BB or CC
> > I is  AA or BB

You may want to look at Dr. Wichmann's implementation of such a "safe"
boolean
type, as described in an issue of Ada Letters some time back. The
difference is
that Safe_Boolean is defined as an abstract data type, and (I recall)
each
access to such an object is checked within the ADT, with an exception
raised
for invalid values. Thus, the "I is AA or BB" would not be reached when
"I" was
a Safe_Boolean type.

Personally, I don't think the added protection for a single data type is
worth
the complexity, particularly given the availability of more
comprehensive hardware-
based approaches to detecting and handling memory faults, but I wouldn't
describe
the approach as either "wrong" or "dangerous," assuming a proper
implementation.

> 
> ------------------------------------------------------------
>    Franco Mazzanti
>    Istituto di Elaborazione della Informazione
>    mazzanti@iei.pi.cnr.it
> ------------------------------------------------------------