more on safe-loop alternative

more on safe-loop alternative

[W. Wesley Groleau (Wes)]

An e-mail response to my safe loop musings said:
:> My concern would be with the accuracy of any kind of delay.  With
:> Ada 83, it was a minimum delay, so for a real time system, that would
:> not be very reliable.  With Ada 95, you have the "delay until"
:> which is somewhat better.  However, many of the same concerns
:> still apply.  Also, the AQS 95 recommendation is to minimize the
:> use of the asynchronous abort. (See 6.1.7, 6.2.5, and 6.3.3.)

Actually, with Ada 95, it's still only a minimum.  "delay until Deadline;"
is semantically the same as "delay Deadline - Calendar.Clock;" (except
for any inaccuracy of the clock call). However, the accuracy of the delay
is not an issue in this case, for the same reason the AQS says (page 92),
"The bounds of these checks do not have to be exact, just realistic."

Let me consider your references:

6.1.7 -- "delay until" might be used if you need to ensure that the loop
is abandoned before the deadline to do something else.  If you just want
to ensure that the loop isn't a "runaway" the "old" delay is better.

6.2.5 -- Although these guidelines are not directed at the "asynchronous
transfer," the advice the give IS applicable.  However, in this case we
again do not need precision.

6.3.3 -- The objection in the first rationale para. is valid.  Presumably
the statements after the delay would ensure things are restored to a valid
state.

The second paragraph is also valid, but again, accuracy is not essential.
(Of course, if it never stops....)

(Some of the second paragraph's objections will not apply if no other tasks
but the one containing the loop are affected.)

--
---------------------------------------------------------------------------
W. Wesley Groleau (Wes)                                Office: 219-429-4923
Magnavox--a Hughes Defense Communications Company.       Home: 219-471-7206
Fort Wayne,  IN   46808              elm (Unix): wwgrol@pseserv3.fw.hac.com
---------------------------------------------------------------------------

Re: more on safe-loop alternative

[Robert Dewar]

An obvious objection to using delay is that it measures wall clock time,
not CPU time. Pity a poor low priority task that never got control but
after five minutes is killed on the grounds of an infinite recursion
that has run amuck ("but, but, I didn't even get to call the recursive
routne *once*)

Frankly I find the advice in the AQS a bit bogus. The best defence against
run away recursion is careful reasoning about your program!

Re: more on safe-loop alternative

[Robert A Duff]

An ATC is a rather dangerous tool, because it causes an abort, and an
abort can do all kinds of damage.  If you're just going to print some
debugging info and shut down, then it's probably OK.  But if you're
going to try to continue after shutting down the supposedly-infinite
loop, using ATC seems like a bad idea, because to do it correctly, you
have to put in all kinds of protection and/or reason carefully about
places where you don't need protection.  It is far easier, IMHO, to
prove that your loop terminates, than it is to prove that you've done an
ATC correctly.

AARM-13.9.1 and 13.9.2 describe the potential damage caused by aborts,
if you're interested.  Also, 11.6(6).

Abort_statements are equally troublesome.

In article <dewar.828705553@schonberg>, Robert Dewar <dewar@cs.nyu.edu> wrote:
>Frankly I find the advice in the AQS a bit bogus. The best defence against
>run away recursion is careful reasoning about your program!

I agree.

By the way, ATC was rather controversial during the Ada 9X design.  Some
folks thought it to be so dangerous, it shouldn't be in the language at
all.  At one point, the syntax was changed from something
innocuous-looking to "then abort".  This made the nay-sayers *slightly*
happier -- Rudolf Landwehr called it "syntactic poison" (the opposite of
syntactic sugar).

My advice is, use static analysis (formal or informal, as appropriate)
to prove that things terminate.  If you insist on writing the extra
checking code, do it with a counter, not with a timed ATC.

- Bob