Automatic code generation (was ARIANE-5 Failure (DC-X works))

[vestal@src.honeywell.com (Steve Vestal)]

MATRIXx is one of a number of toolsets that allow feed-back control
engineers to specify both control algorithms and models of physical systems
in what some call a domain-specific language (MATLAB, BEACON, ACSL, and our
own ControlH are other examples).  Such languages are used to model plants
(e.g. aircraft) as well as specify control algorithms.  The tools typically
support simulation and mathematical analysis as well as automatic
generation of code.  I think computer scientists would catalog them as data
flow languages, although they have a precise semantics based on dynamical
systems theory (the meaning of a specification is a system of differential
or difference equations, at least until the control engineer starts
throwing in discrete event or procedural constructs :-)

There are several reasons why we think the nature of the code produced by
such tools is a consideration, and we favor generation of well-structured
code where there is good traceability between specification and code (a
principle we try to follow in our tools):

  - Some bugs first manifest themselves at the "object" code level.  For
    example, on several occasions I have been given a specification that
    was debugged in simulation (using C code generation), flipped the
    translator switch to generate Ada code for a real-time target, and
    discovered the algorithm was dividing by zero (something C seems to
    allow and Ada seems to think objectionable).  It is helpful to be able to
    read the generated code and trace bugs found at that level back to the
    originating constructs in the control specification.

  - Safety-critical software requires various certification steps,
    typically including unit testing that achieves full path coverage
    (according to a particular definition of path) on the target hardware.
    It is helpful if the generated code is broken into units as that term is
    used by the software testers, and it is helpful if localized changes in
    the control specification cause only a few units to be re-generated and
    re-unit-tested.

  - There are other kinds of domain-specific languages and generators used
    by other kinds of engineers for other purposes, e.g. generators of
    display management code.  A complex system (such as an avionics system)
    consists of many kinds of functions, only some of which are candidates
    for automatic generation from feed-back control specifications.  In
    general, automatically generated code produced by various tools will
    need to be integrated with each other, with hand-written modules, and
    with modules re-engineered/re-used from previous systems. (Software and
    (computer) systems analysis and integration is a problem area in its
    own right, we have another language and toolset for that task called
    MetaH.)

We generate both Ada and C.  Unconstrained arrays were certainly a
convenience when generating code from a language where matrices are a
fundamental data type.  Discriminant records were also a convenience.

Our web pages contain some more information, although not about Ada
issues specifically:
        http://www.htc.honeywell.com/projects/dssa

Steve Vestal
Mail: Honeywell Technology Center, 3660 Technology Drive, Minneapolis MN 55418 
Phone: (612) 951-7049      Fax: 7438     Email: vestal_steve@htc.honeywell.com