comp.lang.ada
From: Robert Dewar <robert_dewar@my-deja.com>
Subject: Re: Ada safety road Was: Which is right ...
Date: 1999/06/13
Date: 1999-06-13T00:00:00+00:00
Message-ID: <7jvc2j$o68$1@nnrp1.deja.com>
In-Reply-To: 929221844.567.59@news.remarQ.com

In article <929221844.567.59@news.remarQ.com>,
  "Vladimir Olensky" <vladimir_olensky@yahoo.com> wrote:

> Unfortunately N350, which is a draft of N359, has not been
> advertised across Ada WEB sites, so it seems that not too many
> Ada people were aware of it. Otherwise I would have got Markus Kuhn's
> response with reference to N359 from someone else right after I
> mentioned "such kind of document".

I think it was publicized at an appropriate level. This was
basically work in progress by one of the Rapporteur Groups
of WG9, and it is not appropriate to put it out for any kind
of official public comment before it has been submitted to
WG9. Most certainly the HRG has been quite open in the way
it proceeds, at quite an appropriate level, but posting drafts
to CLA is certainly NOT appropriate in my view.

Each country decides for itself the extent to which it will
subject such ISO documents to general review. In the case of
the USA, there were several experts in the area of high
integrity programming participating in the HRG, and I think
there was adequate input.

> I could not agree that writing reliable software is a
> specialized area.

No, but writing high integrity software *IS* more specialized.

If you decide that

  reliable = high integrity

then you reduce the discussion of special concerns of high
integrity programming to general discussions of good style
for writing reliable Ada programs, and I think this is far
too much of a dilution of the intentions here.

> On the contrary, I think that this is a universal area.

Concern for reliability is universal.
Use of restricted subsets of Ada for high integrity programs
is NOT a universal area at all.

> Remember how many people are complaining that something is
> unreliable, for example Windows NT.

No one for a moment would claim OR EXPECT Windows NT to qualify
as high integrity software, and indeed it would be out of the
question for high integrity software to be based on the use
of NT in my view. Indeed only a VERY simple operating executive
could reach the level of being certified as high integrity
software.

Remember that one important aspect of high integrity software
is that in general it must be verified at the object machine
instruction level (because we also do not have trusted Ada
compilers, and indeed we do not know how to build a trusted
Ada compiler). To verify a program like NT at this level (with
its 5-10 million lines of code) is out of the question at our
current level of technology.

A typical productivity level for high integrity code is,
according to several people in the field (this is not from
my personal experience), of the order of 1-2 machine instructions
per person day.

That means that the 10 million lines of code in NT might take
10 million person days = 50,000 person years = a very long
time to get a product out (and perhaps 10 billion dollars).
Quite a bit even for Microsoft, but of course such calculations
are bogus, since these things don't scale, and we just don't
know how to build high integrity programs this large (look at
Dave Parnas' statements concerning SDI, this was a substantial
part of his concerns about the credibility of the software
component of this system as originally proposed).

Now please do not misunderstand, I think everyone should read
the HRG report (I would assume that any Ada professional should
always read all official documents from ISO WG9), and there may
be useful things to be learned from the document that have wider
applicability.

But I think you have to be careful not to go in the direction
that Vladimir does, confusing the specific focus of this
document with the generalized need for reliability.

Remember that the WHOLE of the Ada language was carefully
designed to be compatible with the goal of writing highly
reliable programs. There is almost NO feature mentioned in
the RM that does not have a legitimate use in reliable Ada
programs.

I am worried that people will start looking at the
recommendations in the HRG report for restricting the
use of Ada for high integrity programming (a realistic and
necessary step) and make the mistake of thinking that this
means that these features are generally unsafe if your goal
is to write reliable programs.

Robert Dewar
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.