From: iddw@hotmail.com (Dave Hansen)
Newsgroups: comp.arch.embedded,comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Date: Tue, 30 Dec 2003 19:20:50 GMT
Message-ID: <3ff1b8ef.614528516@News.CIS.DFN.DE>

On Tue, 30 Dec 2003 18:08:23 +0100, Martin Krischik wrote:

>Dave Hansen wrote:
[...]
>> Then don't do that. ;-)
>
>But is it not much better if the compiler stopped you from making that
>mistake?

Of course. Thus the smiley.

I freely admit that Ada does checking that no C compiler does. I even
admit it may (may!) be a better language than C (for appropriate values
of "better"). But with the possible exception of the Atmel AVR (GNAT?),
there is _no_ Ada compiler for _any_ of the microprocessors I'm using
today. For me, that makes C a better language.

>
>Anyway, all above is just plain C and it is not at all as safe as the Ada
>code. Nor is it as easy to read (safety-critical software in my book should
>be code reviewed). And this is just

No, it's not the same, it's just as close as I could get. But
"easy-to-read" is in the eye of the reader. I learned Pascal and
Modula-2 years ago, so Ada doesn't look too bad. But other than the
variable declaration syntax and some of the strange precedence rules, I
find C very easy to read.

Many consider the terseness of C to be a problem or even a disadvantage.
But sometimes it helps in comprehension. Consider:

   int key;
   extern int get_key(void);
   extern void process(int);
   #define EXIT_KEY 'X'

   while ( (key = get_key()) != EXIT_KEY )
      process(key);

How do you do that in Ada?

Even the canonical strcpy function is obvious and has a certain beauty.
Perhaps you think it looks more like line noise:

   char *strcpy(char *dest, char *src)
   {
      char *retval = dest;
      while (*dest++ = *src++)
         continue;
      return retval;
   }

But it's "safe" only when used properly.

>
>The claim here in the group is that by use of a static analysis tool the C
>code can be made as secure as the Ada code. So let me expand my question:

I wouldn't make that claim. Mine would be that the proper use of a
static analysis tool will make C code much better than if you didn't use
a static analysis tool at all. Substituting "Ada" for "C" in the
previous statement would probably leave it true.

>How will the static analysis tool find out that the following might lead to
>the plane crashing?
>
>Ada:
>
>Display (1) := 11;        -- Compiler will warn you at compile time
>Display (2) := Value + 2; -- exception if Value is greater than 7

Exceptions are valuable only if handled (think Ariane 5). How would you
handle this one?

>
>C:
>
>Display->elt0 = 11;
>Display->elt1 = Value + 2;
>
>This example might be over primitive but humans sometimes make these little
>mistakes.

True. But I don't think even Ada will catch them all. And it certainly
does no better than C for e.g. sensor failures.

Regards,

                               -=Dave
--
Change is inevitable, progress is not.
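As an added illustration (not code from either poster): a C rendering of the quoted Display example in which the range check that Ada's subtype constraint performs automatically is written out by hand and reported as a status code rather than raised as an exception, together with a bounded variant of strcpy that makes the "used properly" precondition explicit. The 0..9 element range (inferred from "11" being rejected and "Value + 2" failing when Value > 7), the two-element struct, and the function names display_set and bounded_strcpy are assumptions; the thread never shows the Ada declaration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical two-element display, standing in for the quoted
   Display->elt0 / Display->elt1. The digit range 0..9 is an assumption
   drawn from the thread, not a declaration shown in it. */
#define DISPLAY_ELTS 2
#define DIGIT_MIN 0
#define DIGIT_MAX 9

struct display {
    int elt[DISPLAY_ELTS];
};

enum display_status {
    DISPLAY_OK = 0,
    DISPLAY_BAD_INDEX = 1,
    DISPLAY_BAD_VALUE = 2
};

/* The check Ada gets from a constrained subtype: validate index and value
   before touching memory, and report instead of writing out of range.
   A caller that ignores the return value is the C analogue of an
   unhandled Constraint_Error. */
enum display_status display_set(struct display *d, size_t idx, int value)
{
    if (idx >= DISPLAY_ELTS)
        return DISPLAY_BAD_INDEX;
    if (value < DIGIT_MIN || value > DIGIT_MAX)
        return DISPLAY_BAD_VALUE;
    d->elt[idx] = value;
    return DISPLAY_OK;
}

/* Bounded copy: the precondition strcpy leaves to the caller (dest is
   large enough) becomes a parameter. Always NUL-terminates when size > 0;
   returns 1 if the source had to be truncated, 0 otherwise. */
int bounded_strcpy(char *dest, size_t size, const char *src)
{
    size_t n = strlen(src);
    if (size == 0)
        return 1;
    if (n >= size) {
        memcpy(dest, src, size - 1);
        dest[size - 1] = '\0';
        return 1;
    }
    memcpy(dest, src, n + 1);
    return 0;
}

int main(void)
{
    struct display d = {{0, 0}};
    int value = 8;          /* constructed sample input */
    char buf[4];

    /* Display (1) := 11; rejected, as the Ada compiler would at compile time */
    printf("set 11      -> %d\n", (int)display_set(&d, 0, 11));
    /* Display (2) := Value + 2; fails exactly when Value > 7 */
    printf("set %d + 2 -> %d\n", value, (int)display_set(&d, 1, value + 2));
    printf("copy 'abcdef' into 4 bytes -> truncated=%d, buf=\"%s\"\n",
           bounded_strcpy(buf, sizeof buf, "abcdef"), buf);
    return 0;
}
```

The point of returning a status instead of aborting is the one raised in the reply: a check only helps if its result is handled, so the status is the thing a reviewer or static checker can look for at every call site.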