From: Sera Hirasuna
Subject: Re: Ada and Java. different behaviour. casting long to int problem.
Date: 1999/06/20
Message-ID: <7kg9is$85g@dfw-ixnews8.ix.netcom.com>
Newsgroups: comp.lang.ada
Organization: Netcom

This is Richard Riehle appropriating time on his wife's email account.

In article , Hyman Rosen wrote:

> Looks like it's time to mention again that an unhandled exception
> raised by conversion overflow caused the Ariane 5 rocket to go off
> course, resulting in its destruction.

This example serves us well in this kind of discussion because it illustrates a key difference between Ada and most other languages: the language design criteria. The design criteria for Ada are critically different from those of the C family of languages (C, C++, Java, etc.). One of the most important of those criteria is that each Ada statement should default to "safe." That is, "safe" is the normal mode for an Ada program construct. The default mode for C is "unsafe." C++ and Java inherit many of the unsafe features of C, particularly at the algorithmic level. It is easy to include in a language for which the default is "safe," features that relax those safety constraints. It is more difficult to start with an unsafe language and make it more safe.

Ada permits a designer to bypass the safety default using such features as unchecked operations and interfaces to unsafe languages. The ability to bypass the default is sometimes necessary. Sadly, some Ada programmers use it too often. As long as one is designing with standard Ada constructs, the safety is in place and a huge number of errors are detected by the compiler.

The Ariane engineers, if I recall correctly, chose to use one of the unchecked operations. Such operations have a default of "unsafe." In effect, unchecked operations allow a programmer the same freedom permitted by C, C++, or Java, but require the same responsibility -- more, because the rest of the program is under the rules of the Ada language. It should be clear that, once one has decided to override the default mode of the language, that decision carries an enormous burden of care.

If I tell you that crossing the freeway on foot instead of using the pedestrian overpass will be dangerous, and you are killed ignoring my admonition, is the pedestrian overpass at fault? Oh yes, you say, "The pedestrian overpass is so inconvenient." We hear the same argument about Ada, it is so inconvenient. So is death. And that is why Ada is the correct choice for safety-critical software.

Let me emphasize that the C family of languages is not evil. It is simply designed with different criteria than Ada. When, to quote a former NASA engineer, "Failure is not an option," the correct choice will be Ada. If a software failure is tolerable from time to time, C and C++ might be good choices. Pick the tool that best fits the need. But do not pick a tool because it is convenient. Don't just pick up any old long-handled wrench when you should be using a torque wrench. You may spend a long time drilling bolts out of head blocks.

Richard Riehle
richard@adaworks.com
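The long-to-int narrowing named in the thread's subject, written in C as an added example (not code from the post or from either language's library): the unchecked cast that is C's default sits beside a checked conversion that refuses out-of-range values, the range check Ada applies before raising Constraint_Error. Function names and sample values are constructed here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unsafe default: C's narrowing cast. For a value outside int's range the
 * result is implementation-defined (commonly modular wrap-around) and
 * nothing signals that information was lost. */
int narrow_unchecked(long long v)
{
    return (int)v;
}

/* Safe default: refuse the conversion when the value does not fit, which is
 * the range check Ada performs before raising Constraint_Error. The result
 * is stored only on success, so a caller cannot pick up a truncated value by
 * accident; handling the false branch is the caller's "exception handler".
 * (Example code, not from the original post.) */
bool narrow_checked(long long v, int *out)
{
    if (v < (long long)INT_MIN || v > (long long)INT_MAX) {
        return false;
    }
    *out = (int)v;
    return true;
}

int main(void)
{
    /* Constructed samples: two in range, two just past each end of int.
     * long long is used so the out-of-range values exist on every platform. */
    const long long samples[] = {
        42LL, (long long)INT_MAX, (long long)INT_MAX + 1LL, (long long)INT_MIN - 1LL
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int checked;
        if (narrow_checked(samples[i], &checked)) {
            printf("%lld: unchecked %d, checked %d\n",
                   samples[i], narrow_unchecked(samples[i]), checked);
        } else {
            printf("%lld: unchecked %d, checked: rejected (Ada would raise Constraint_Error)\n",
                   samples[i], narrow_unchecked(samples[i]));
        }
    }
    return 0;
}
```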