Re: problems/risks due to programming language

[billwolf%hazel.cs.clemson.edu@hubcap.clemson.edu (William Thomas Wolfe, 2847 )]

From hammondr@sunroof.crd.ge.com (Richard A Hammond):
>>     3. The AT&T breakdown a month ago was caused by a break statement
>>	in C. See the following mail (multiple forwarding headers deleted):
> 
>>| | In the switching software (written in C), there was a long
>>| | "do . . . while" construct, which contained
>>| |    a "switch" statement, which contained 
>>| |       an "if" clause, which contained a
>>| |          "break," which was intended for
>>| |       the "if" clause, but instead broke from
>>| |    the "switch" statement.
>>| | 
>>
>>	Again it looks like this bug wouldn't have occurred in another
>>	programming language.
% 
% What other programming language?  Only one without any GOTO or restricted
% GOTO (e.g. exit, break, ...).  This leaves out Ada!!!!!!
% 
%  [...]  for N in 1 .. MAX loop 
% 	    case ...
% 	    when ... =>
%                 if NEW_ITEMS(N) = FALSE then 
% 			-- some other useful work gets done here
%                         exit; 			-- exits loop, not if!
%                 end if; 
% 	    when ... =>
%   [...] 
% So, in the AT&T case using Ada we would have exited both the switch and the
% loop rather than just the switch.  Hardly an improvement!

   This is not a valid analogy.  In C, the case statement *requires* the
   use of a restricted GOTO in order to accomplish "normal" processing;
   at the end of the section of code processing a given case, one must
   use a restricted GOTO in order to prevent C from sending the flow of
   control straight into the section of code which was intended to process
   the NEXT case.  In other words, C requires the programmer to use a
   dangerous construct on a routine basis.

   With the if construct in C, the default is to exit the if construct 
   automatically, as opposed to continuing on to execute the section of
   code associated with the else part.  Thus, we have an inconsistency
   in C's design: with one flow-of-control construct (the switch), it is
   necessary to use a dangerous GOTO to achieve normal processing, whereas
   with a similar flow-of-control construct (the if-else), the default is
   reversed.  Given such a language design, it should not surprise anyone
   that programmers become confused, particularly when the constructs are
   being used together. 

   Ada, on the other hand, is consistent: in both the if and case statements,
   the default is to exit the construct once the code associated with the
   specified situation has been executed.  Ada also provides the exit
   statement, a restricted GOTO which permits a loop to be exited early,
   but this construct is not used (as is C's break) on a routine basis.  

> In my limited experience the cases where Ada is introduced into a
> programming environment also introduce lots of other good software
> engineering practices.  For example, lots of people I know who
> program in C don't use LINT.   I view it as a deficiency of management
> and not of the language that they don't use available tools.

   This is certainly true; Brooks and others have noted that the good
   software engineering practices which are routinely introduced in
   conjunction with the Ada language are responsible for more of the 
   resulting improvements than the fact that the Ada language was
   introduced.  However, we cannot disregard that fact that Ada was
   specifically designed to provide maximal support for the software 
   engineering process.  C, on the other hand, was designed to provide
   maximal support for the compilation process.  Since compilers and 
   the CPU power required to operate them come far more cheaply than 
   programmers, and especially in view of the fact that better error
   prevention is worth much more than faster compilation, it would seem
   that the tradeoff made by Ada is certainly the one to be preferred.


   Bill Wolfe, wtwolfe@hubcap.clemson.edu