Re: Ada and Java. different behaviour. casting long to int problem.

[Sera Hirasuna <serah@ix.netcom.com>]

This is Richard Riehle appropriating time on his wife's email account.


In article <t7so7rdd1u.fsf@calumny.jyacc.com>,
	Hyman Rosen <hymie@prolifics.com> wrote:

>Looks like it's time to mention again that an unhandled exception
>raised by conversion overflow caused the Ariane 5 rocket to go off
>course, resulting in its destruction.

This example serves us well in this kind of discusson because
it illustrates a key difference between Ada and most other 
languages:  the language design criteria.

The design criteria for Ada are critically different from those
of the C family of languages (C, C++, Java, etc.)  One of the 
most important of those criteria is that each Ada statement
should default to "safe."  That is, "safe" is the normal mode
for an Ada program construct.   The default mode for C is "unsafe."
C++ and Java inherit many of the unsafe features of C, particularly
at the algorithmic level.

It is easy to include in a language for which the default is "safe," 
features that relax those safety constraints.  It is more
difficult to start with an unsafe language and make it more safe. 

Ada permits a designer to bypass the safety default using such features
as unchecked operations and interfaces to unsafe languages.  The 
ability to bypass the default is sometimes necessary.  Sadly, some Ada 
programmers use it too often.  As long as one is designing with standard
Ada constructs, the safety is in place and an huge number of errors
are detected by the compiler.  

The Arianne engineers, if I recall correctly, chose to use one of the
unchecked operations.  Such operations have a default of "unsafe."  In
effect, unchecked operations allow a programmer the same freedom permitted
by C, C++, or Java, but require the same responsibility -- more, because
the rest of the program is under the rules of the Ada language.

It should be clear that, once one has decided to override the default
mode of the language, that decision carries enormous burden of
care.  If I tell you that crossing the freeway on foot instead of
using the pedestrian overpass will be dangerous, and you are killed
ignoring my admonition, is the pedestrian overpass at fault?  Oh yes,
you say, "The pedestrian overpass is so inconvenient."   We hear the
same argument about Ada, it is so inconvenient.  So is death.  

And that is why Ada is the correct choice for safety-critical software.

Let me emphasize that the C family languages is not evil.  It is simply
designed with different criteria than Ada.  When, to quote a former
NASA engineer, "Failure is not an option,"  the correct choice will
be Ada.  If a software failure is tolerable from time to time, C and
C++ might be good choices.  Pick the tool that best fits the need.
But do not pick a tool because it is convenient.  Don't just pick up
any old long-handled wrench when you should be using a torque wrench.
You may spend a long time drilling bolts out of head blocks.


Richard Riehle
richard@adaworks.com