From: kaz@vision.crest.nt.com (Kaz Kylheku)
Subject: Re: Not intended for use in medical devices
Date: 1997/05/05
Message-ID: <5kl8g4$fcb@bcrkh13.bnr.ca>
References: <3.0.32.19970504232023.006f5c8c@mail.4dcomm.com>
Organization: Prism Systems Inc.
Newsgroups: comp.lang.ada

In article <3.0.32.19970504232023.006f5c8c@mail.4dcomm.com>, Robert C. Leif, Ph.D. wrote:

> configuration management tools could be configured to prevent changes in
> the object code, I believe that there would be a very strong temptation for
> some of the programmers to hand optimize the object code.

This is unlikely. Perhaps if assembly language output were available from the compiler there might be a temptation. Would such an optimization effort go unnoticed?

Secondly, it's not clear how the review process affects the temptation. Those programmers who are likely to be tempted into modifying assembly language or even object code will probably carry that temptation with or without the object code review. At some point you have to trust that your programmers can overcome temptations.

Even if someone optimizes object code, how will that go unnoticed in an organized project? The only way for those optimizations to become a permanent part of the project, rather than just a patch for a single build, is if assembly language is incorporated into the source tree.

I agree with R. Dewar: your concerns are misplaced, and don't make a good case for avoiding inspections of the object code.
In a safety critical system, an incorrect translation of a correct program could lead to death, injury or property damage. There is no other way to catch this sort of error except to compile the code and then inspect the results of the translation. In some ways, this could make somewhat of a case for using assembly language in the first place, since in the process of reviewing object code, you have to acquire an understanding of the program at the machine language level anyway. I can at least appreciate where this extreme viewpoint is coming from. How many of Ada's advantages over something like C are still relevant when you have to inspect the object code instruction by instruction?
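The post argues that a hand-patched object file cannot go unnoticed in an organized project, because it does not survive a clean rebuild from the source tree. The following is an added example (not code from the original post or from anyone in the thread) of the check an engineer would run to make that argument concrete: rebuild each object from source, compare the shipped object against the rebuild, and report exactly which byte ranges were altered. The object bytes, file names and `BuildRecord` type are constructed for illustration and do not represent any real compiler output.

```python
"""Rebuild-and-compare check for hand-edited object code.

Added example, not from the original post. A clean rebuild is modelled by the
`rebuilt` field of a BuildRecord (in practice this would be the output of the
project's compiler run on the recorded source); the objects that actually
ship are given separately so the two can be compared byte for byte.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class BuildRecord:
    name: str            # object file name (constructed, hypothetical)
    source_sha256: str   # digest of the source the object was built from
    rebuilt: bytes       # bytes produced by a clean rebuild of that source


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string, used to record what a build produced."""
    return hashlib.sha256(data).hexdigest()


def modified_ranges(expected: bytes, actual: bytes):
    """Return one (offset, expected_bytes, actual_bytes) tuple per run of
    differing bytes. A length difference is reported as a trailing run."""
    ranges = []
    n = max(len(expected), len(actual))

    def same(i: int) -> bool:
        return i < len(expected) and i < len(actual) and expected[i] == actual[i]

    i = 0
    while i < n:
        if same(i):
            i += 1
            continue
        start = i
        while i < n and not same(i):
            i += 1
        ranges.append((start, expected[start:i], actual[start:i]))
    return ranges


def verify_objects(records, shipped):
    """Compare each shipped object against its clean rebuild.

    Returns a dict keyed by object name; an entry is either the string
    "missing from shipment" or the list of modified byte ranges. Objects that
    match their rebuild exactly produce no entry.
    """
    findings = {}
    for rec in records:
        actual = shipped.get(rec.name)
        if actual is None:
            findings[rec.name] = "missing from shipment"
            continue
        if sha256(actual) == sha256(rec.rebuilt):
            continue  # identical to the rebuild: nothing was hand-edited
        findings[rec.name] = modified_ranges(rec.rebuilt, actual)
    return findings


def demo():
    """Constructed scenario: one object ships unchanged, one was patched by hand."""
    # Constructed byte strings standing in for compiler output; not real code.
    clean_rebuild = b"\x55\x48\x89\xe5\x90\x90\x90\xc3"
    records = [
        BuildRecord("init.o", sha256(b"procedure Init is ..."), clean_rebuild),
        BuildRecord("hot_loop.o", sha256(b"procedure Hot_Loop is ..."), clean_rebuild),
    ]
    shipped = {
        "init.o": clean_rebuild,                          # untouched
        "hot_loop.o": b"\x55\x48\x89\xe5\x31\xc0\x90\xc3",  # two bytes patched at offset 4
    }
    return verify_objects(records, shipped)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check answers the post's question directly: a patch applied to a single build shows up as a byte-range mismatch against the rebuild, and an object that only exists in the shipment (never produced from the source tree) is reported as well.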