From: Robert Dewar
Subject: Re: Ada safety road Was: Which is right ...
Date: 1999/06/13
Message-ID: <7jvc2j$o68$1@nnrp1.deja.com>
Newsgroups: comp.lang.ada
Organization: Deja.com - Share what you know. Learn what you don't.

In article <929221844.567.59@news.remarQ.com>, "Vladimir Olensky" wrote:

> Unfortunately N350, which is a draft of N359, has not been
> advertised across Ada WEB sites, so it seems that not too many
> Ada people were aware of it. Otherwise I would have got Markus Kuhn's
> response with reference to N359 from someone else right after I
> mentioned "such kind of document".

I think it was publicized at an appropriate level. This was basically work in progress by one of the Rapporteur Groups of WG9, and it is not appropriate to put it out for any kind of official public comment before it has been submitted to WG9.
Most certainly the HRG has been quite open in the way it proceeds, at quite an appropriate level, but posting drafts to CLA is certainly NOT appropriate in my view. Each country decides for itself the extent to which it will subject such ISO documents to general review. In the case of the USA, there were several experts in the area of high integrity programming participating in the HRG, and I think there was adequate input.

> I could not agree that writing reliable software is
> a specialized area.

No, but writing high integrity software *IS* more specialized. If you decide that reliable = high integrity, then you reduce the discussion of the special concerns of high integrity programming to general discussions of good style for writing reliable Ada programs, and I think this is far too much of a dilution of the intentions here.

> On the contrary, I think that this is a universal area.

Concern for reliability is universal. Use of restricted subsets of Ada for high integrity programs is NOT a universal area at all.

> Remember how many people are complaining that something is
> unreliable, for example Windows NT.

No one for a moment would claim OR EXPECT Windows NT to qualify as high integrity software, and indeed it would be out of the question for high integrity software to be based on the use of NT in my view. Indeed only a VERY simple operating executive could reach the level of being certified as high integrity software. Remember that one important aspect of high integrity software is that in general it must be verified at the object machine instruction level (because we also do not have trusted Ada compilers, and indeed we do not know how to build a trusted Ada compiler). To verify a program like NT at this level (with its 5-10 million lines of code) is out of the question at our current level of technology.
A typical productivity level for high integrity code is, according to several people in the field (this is not from my personal experience), of the order of 1-2 machine instructions per person day. That means that the 10 million lines of code in NT might take 10 million person days = 50,000 person years = a very long time to get a product out (and perhaps 10 billion dollars). Quite a bit even for Microsoft, but of course such calculations are bogus, since these things don't scale, and we just don't know how to build high integrity programs this large (look at Dave Parnas' statements concerning SDI; this was a substantial part of his concerns about the credibility of the software component of this system as originally proposed).

Now please do not misunderstand, I think everyone should read the HRG report (I would assume that any Ada professional should always read all official documents from ISO WG9), and there may be useful things to be learned from the document that have wider applicability. But I think you have to be careful not to go in the direction that Vladimir does, confusing the specific focus of this document with the generalized need for reliability.

Remember that the WHOLE of the Ada language was carefully designed to be compatible with the goal of writing highly reliable programs. There is almost NO feature mentioned in the RM that does not have a legitimate use in reliable Ada programs. I am worried that people will start looking at the recommendations in the HRG report for restricting the use of Ada for high integrity programming (a realistic and necessary step) and make the mistake of thinking that this means that these features are generally unsafe if your goal is to write reliable programs.

Robert Dewar