From: dewar@cs.nyu.edu (Robert Dewar)
Newsgroups: comp.lang.ada
Subject: Re: Run-time checking and speed
Date: 29 Jan 1995 08:00:21 -0500
Organization: Courant Institute of Mathematical Sciences
Message-ID: <3gg3h6$p8a@gnat.cs.nyu.edu>
References: <3ev16u$ojc@pong.lasc.lockheed.com> <3f3deb$4us@gnat.cs.nyu.edu> <3fa2pk$kbi@felix.seas.gwu.edu> <3fu902$6al@felix.seas.gwu.edu> <3g1eku$lmd@gnat.cs.nyu.edu> <3gbr4f$p4b@theopolis.orl.mmc.com>

>dewar@cs.nyu.edu (Robert Dewar) wrote:
>>
>> Mike, you miss the point that in some environments it is REQUIRED to turn
>> off runtime checking.
>>
>> Why, because runtime checking can create code that cannot be executed, and
>> in some verification environments coverage testing is required, so you cannot
>> have code and logic paths that cannot be executed.
>>
>
>Whenever we had such requirements, they were for the SOURCE code, not
>for the EXECUTABLE code! Are you telling me you actually disassembled
>your executables and checked to make sure there was no dead code?
>Unless your compiler was REAL good at optimization, your executables
>were probably FULL of dead code by this definition.
Absolutely, I am talking about coverage testing on the generated object code, which ensures that every reachable instruction has been executed by at least one test program, and, in a stronger form, that every logic branch has been executed both ways, and all branches of a case have been taken etc. This seems normal to me in a safety critical environment (people aren't very trusting of their compilers in such environments, or of anything else, and that's the way you would hope it would be).

Dead code is a problem. You can take one of two approaches (I have seen both done). First, you can just require that there be no dead code (code that has no branch path to it should be trivially eliminated even by a pretty weak optimizer, so I don't quite know what T.E.D is referring to when he says that executables would be full of dead code). This is the approach that I have most often seen used.

The second approach concentrates on making sure that all logic paths are tested, and then you don't care about dead code, but I am afraid that in Ada you DO have to consider failing a check and signalling an exception as a logic path, and making sure that all logic paths are taken means making sure all exception handlers are executed.

Robert
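The point Dewar makes about the second approach, that a failing run-time check is itself a logic path the test set must exercise, can be seen with a small amount of branch bookkeeping. The following C program is an added illustration and is not code from the thread or from any Ada compiler: it hand-writes the kind of index and divide-by-zero checks an Ada compiler would emit, records for each check site whether its passing and failing arms have executed, and counts the failing arms that a "happy path" test set never reaches. All names (`RANGE_CHECK`, `lookup`, `average`, `uncovered_fail_arms`, the site identifiers) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical branch-coverage bookkeeping: each check site records how
   often its "check passed" arm and its "check failed" arm have executed. */
#define MAX_SITES 8
static unsigned site_pass[MAX_SITES];
static unsigned site_fail[MAX_SITES];

/* Evaluate cond, tally which arm of the check ran, and yield 1 (pass) or 0 (fail). */
#define RANGE_CHECK(site, cond) \
    ((cond) ? (site_pass[site]++, 1) : (site_fail[site]++, 0))

enum { SITE_INDEX = 0, SITE_DIV = 1, NUM_SITES = 2 };

/* Constructed sample table; the explicit index check stands in for the
   check an Ada compiler inserts before an array access. */
#define TABLE_LEN 4
static const int table[TABLE_LEN] = {10, 20, 30, 40};

/* Returns -1 in place of raising Constraint_Error on a bad index. */
int lookup(int idx) {
    if (!RANGE_CHECK(SITE_INDEX, idx >= 0 && idx < TABLE_LEN))
        return -1;                    /* the "exception" path */
    return table[idx];
}

/* Returns -1 in place of raising on division by zero. */
int average(int total, int count) {
    if (!RANGE_CHECK(SITE_DIV, count != 0))
        return -1;                    /* the "exception" path */
    return total / count;
}

void coverage_reset(void) {
    memset(site_pass, 0, sizeof site_pass);
    memset(site_fail, 0, sizeof site_fail);
}

/* Number of check sites whose failing arm never executed: each one is a
   logic path (and, in Ada, an exception handler) the tests did not reach. */
int uncovered_fail_arms(void) {
    int n = 0;
    for (int s = 0; s < NUM_SITES; s++)
        if (site_fail[s] == 0)
            n++;
    return n;
}

/* A test set where every check passes: all failing arms stay untested. */
int run_happy_path_tests(void) {
    coverage_reset();
    lookup(0);
    lookup(3);
    average(10, 2);
    return uncovered_fail_arms();     /* 2: both failing arms unreached */
}

/* A test set that drives each check to fail at least once. */
int run_full_tests(void) {
    coverage_reset();
    lookup(0);
    lookup(3);
    lookup(TABLE_LEN);                /* out of range: index check fails */
    average(10, 2);
    average(1, 0);                    /* zero count: divide check fails */
    return uncovered_fail_arms();     /* 0: every check taken both ways */
}

int main(void) {
    printf("uncovered failing arms, happy-path tests: %d\n", run_happy_path_tests());
    printf("uncovered failing arms, full tests:       %d\n", run_full_tests());
    return 0;
}
```

The happy-path set leaves both failing arms unexecuted, which is exactly the situation that makes a coverage auditor either demand tests that provoke each check or, as the thread discusses, require the checks to be compiled out so the untestable paths do not exist in the object code.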