comp.lang.ada
From: "Vladimir Olensky" <vladimir_olensky@yahoo.com>
Subject: Re: Ada safety road Was: Which is right ...
Date: 1999/06/13
Message-ID: <929267823.413.7@news.remarQ.com>
In-Reply-To: 7jvc2j$o68$1@nnrp1.deja.com


Robert Dewar wrote in message <7jvc2j$o68$1@nnrp1.deja.com>...
>In article <929221844.567.59@news.remarQ.com>,
>  "Vladimir Olensky" <vladimir_olensky@yahoo.com> wrote:
>
>No, but writing high integrity software *IS* more specialized.
>
>If you decide that
>
>  reliable = high integrity
>
>then you reduce the discussion of special concerns of high
>integrity programming to general discussions of good style
>for writing reliable Ada programs, and I think this is far
>too much of a dilution of the intentions here.
>
>> Just contrary I think that this is universal area.
>
>Concern for reliability is universal.
>Use of restricted subsets of Ada for high integrity programs
>is NOT a universal area at all.


************
I am not trying to set the rule that "reliable = high integrity".
There are a lot of intermediate levels between them.
N359 just helps one choose an appropriate approach for a particular design goal.
Again I would like to stress that there should not be black-and-white
approaches.
*************
>> Remember how many people are complaining that something is
>> unreliable for
>> example - Windows NT.
>
>No one for a moment would claim OR EXPECT Windows NT to qualify
>as high integrity software, and indeed it would be out of the
>question for high integrity software to be based on the use
>of NT in my view. Indeed only a VERY simple operating executive
>could reach the level of being certified as high integrity
>software.
>
>Remember that one important aspect of high integrity software
>is that in general it must be verified at the object machine
>instruction level (because we also do not have trusted Ada
>compilers, and indeed we do not know how to build a trusted
>Ada compiler). To verify a program like NT at this level (with
>its 5-10 million lines of code) is out of the question at our
>current level of technology.
>
>A typical productivity level for high integrity code is,
>according to several people in the field (this is not from
>my personal experience) of the order of 1-2 machine instructions
>per person day.
>
>That means that the 10 million lines of code in NT might take
>10 million person days = 50,000 person years = a very long
>time to get a product out (and perhaps 10 billion dollars).
>Quite a bit even for Microsoft, but of course such calculations
>are bogus, since these things don't scale, and we just don't
>know how to build high integrity programs this large (look at
>Dave Parnas' statements concerning SDI, this was a substantial
>part of his concerns about the credibility of the software
>component of this system as originally proposed).


***************
Here I was just saying that in many cases some people blame the OS instead of
blaming badly written applications (especially in OS flames).  As for me, I
am using WinNT as an equipment control center that runs (24 hours a day, 7 days
a week) a dozen applications controlling different pieces of equipment along
with a number of "run and stop" applications.  It has never crashed during the
last three years (it was put into operation three years ago).
**********

>Now please do not misunderstand, I think everyone should read
>the HRG report (I would assume that any Ada professional should
>always read all official documents from ISO WG9), and there may
>be useful things to be learned from the document that have wider
>applicability.
>
>But I think you have to be careful not to go in the direction
>that Vladimir does, confusing the specific focus of this
>document with the generalized need for reliability.

**********
The direction is to fully understand all the strong and weak sides and to
choose consciously what is needed for a particular purpose.

************

>Remember that the WHOLE of the Ada language was carefully
>designed to be compatible with the goal of writing highly
>reliable programs. There is almost NO feature mentioned in
>the RM that does not have a legitimate use in reliable Ada
>programs.


*******
I mentioned once some kind of trap here. Some people may have the wrong
impression that Ada is so reliable in itself that there is no need for careful
consideration of potentially unsafe features. Sometimes even safe features
can cause problems.
I have an impression that the developers of Ariane 5 were caught in such a
trap and as a result did not do what was needed.
***********


>I am worried that people will start looking at the
>recommendations in the HRG report for restricting the
>use of Ada for high integrity programming (a realistic and
>necessary step) and make the mistake of thinking that this
>means that these features are generally unsafe if your goal
>is to write reliable programs.

There are people and people.
Some take any written paper as direct instructions.
Others understand that it is just a summary of other people's knowledge and
experience.
Such documents could help one safely use some potentially unsafe
features.



Regards,

Vladimir Olensky
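
As an added illustration of the point made above, that even a "safe" feature can cause problems (this is example code written for this page, not code from the thread and not code from any Ariane 5 software; the type, procedure and variable names are invented and the readings are constructed sample input): Ada's run-time range checking on a float-to-integer conversion is exactly such a feature. It reliably turns an out-of-range value into Constraint_Error, but whether anything handles that exception is left entirely to the designer. The naive packing routine below relies on the implicit check; the saturating variant validates the range explicitly so that no exception can escape.

```ada
--  Added illustration, not code from the thread: run-time range checking
--  (a safe feature) turns an out-of-range conversion into an exception.
--  Whether that exception is handled is a design decision the language
--  does not make for you.  All names below are invented for the example.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Range_Check_Demo is
   --  Hypothetical sensor reading held as a wide float, to be packed
   --  into a 16-bit signed field for downstream use.
   type Sensor_Value is digits 15;
   type Packed_Field is range -32768 .. 32767;

   --  Relies on the implicit range check in the conversion: fine while
   --  values stay in range, Constraint_Error otherwise.
   function Pack_Naive (V : Sensor_Value) return Packed_Field is
   begin
      return Packed_Field (V);
   end Pack_Naive;

   --  Defensive variant: the range is validated explicitly and the
   --  out-of-range case is saturated, so no exception can escape.
   function Pack_Saturating (V : Sensor_Value) return Packed_Field is
   begin
      if V > Sensor_Value (Packed_Field'Last) then
         return Packed_Field'Last;
      elsif V < Sensor_Value (Packed_Field'First) then
         return Packed_Field'First;
      else
         return Packed_Field (V);
      end if;
   end Pack_Saturating;

   --  Constructed sample input: in range, at the edge, and out of range.
   Readings : constant array (1 .. 3) of Sensor_Value :=
     (123.4, 32767.4, 40000.0);
begin
   for I in Readings'Range loop
      Put_Line ("Reading    : " & Sensor_Value'Image (Readings (I)));
      Put_Line ("Saturating : "
                & Packed_Field'Image (Pack_Saturating (Readings (I))));
      begin
         Put_Line ("Naive      : "
                   & Packed_Field'Image (Pack_Naive (Readings (I))));
      exception
         when E : Constraint_Error =>
            --  The check did its job; the program survives only
            --  because this handler exists.
            Put_Line ("Naive      : " & Exception_Name (E) & " raised");
      end;
   end loop;
end Range_Check_Demo;
```

Built with GNAT (gnatmake range_check_demo.adb), the saturating version clamps 40000.0 to 32767 while the naive version raises Constraint_Error for the same reading. A rule such as "do not rely on implicit checks for values that cross a trust or representation boundary" is the kind of guidance a restricted-subset document can express; whether it applies to a given project is the conscious choice the post argues for.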


Thread overview: 57+ messages
1999-05-30  0:00 Which is right here - GNAT or OA ? Vladimir Olensky
1999-05-30  0:00 ` Robert Dewar
1999-05-31  0:00   ` Vladimir Olensky
1999-05-31  0:00     ` Robert Dewar
1999-06-01  0:00   ` dennison
1999-05-30  0:00 ` Florian Weimer
1999-05-31  0:00   ` Vladimir Olensky
1999-05-31  0:00     ` Robert Dewar
1999-06-05  0:00       ` Vladimir Olensky
1999-06-05  0:00         ` Florian Weimer
1999-06-05  0:00         ` Vladimir Olensky
1999-06-05  0:00           ` Robert Dewar
1999-06-07  0:00             ` Ada safety road Was: Which is right Vladimir Olensky
1999-06-06  0:00               ` Robert Dewar
1999-06-07  0:00                 ` Pascal F. Martin
1999-06-07  0:00                   ` Vladimir Olensky
1999-06-08  0:00                 ` Robert A Duff
1999-06-06  0:00               ` Larry Kilgallen
1999-06-07  0:00                 ` Keith Thompson
1999-06-07  0:00                   ` Hyman Rosen
1999-06-08  0:00                     ` Robert A Duff
1999-06-08  0:00                       ` Keith Thompson
1999-06-09  0:00                         ` Robert Dewar
1999-06-09  0:00                           ` Tucker Taft
1999-06-09  0:00                             ` Robert Dewar
1999-06-09  0:00                         ` dennison
1999-06-09  0:00                           ` Entamology of "Nasal Demons" dennison
1999-06-08  0:00                       ` Ada safety road Was: Which is right Robert Dewar
1999-06-09  0:00                       ` dennison
1999-06-08  0:00                   ` Robert Dewar
1999-06-07  0:00                     ` Keith Thompson
1999-06-08  0:00                     ` Robert A Duff
1999-06-08  0:00                   ` Robert A Duff
1999-06-14  0:00                   ` Ada safety road Franco Mazzanti
1999-06-15  0:00                     ` Franco Mazzanti
1999-06-16  0:00                       ` Vladimir Olensky
1999-06-10  0:00               ` Ada safety road Was: Which is right Peter Amey
1999-06-10  0:00                 ` Markus Kuhn
1999-06-11  0:00                   ` Vladimir Olensky
1999-06-12  0:00                     ` Robert Dewar
1999-06-12  0:00                       ` JP Thornley
1999-06-13  0:00                         ` Vladimir Olensky
1999-06-16  0:00                         ` William Dale
1999-06-19  0:00                           ` JP Thornley
1999-06-21  0:00                           ` Robert A Duff
1999-06-13  0:00                       ` Vladimir Olensky
1999-06-12  0:00                         ` Matthew Heaney
1999-06-13  0:00                           ` Vladimir Olensky
1999-06-13  0:00                         ` Robert Dewar
1999-06-13  0:00                           ` Vladimir Olensky [this message]
1999-06-13  0:00                         ` Robert Dewar
1999-06-13  0:00                           ` swhalen
1999-06-13  0:00                           ` Vladimir Olensky
1999-06-01  0:00   ` Which is right here - GNAT or OA ? Tucker Taft
1999-05-31  0:00 ` David Botton
1999-06-01  0:00   ` dennison
1999-06-03  0:00 ` Matthew Heaney