From: bobduff@world.std.com (Robert A Duff)
Subject: Re: more on safe-loop alternative
Date: 1996/04/05
References: <9604041927.AA07653@most>
Organization: The World Public Access UNIX, Brookline, MA
Newsgroups: comp.lang.ada

An ATC is a rather dangerous tool, because it causes an abort, and an abort can do all kinds of damage. If you're just going to print some debugging info and shut down, then it's probably OK. But if you're going to try to continue after shutting down the supposedly-infinite loop, using ATC seems like a bad idea, because to do it correctly, you have to put in all kinds of protection and/or reason carefully about places where you don't need protection. It is far easier, IMHO, to prove that your loop terminates than it is to prove that you've done an ATC correctly.

AARM-13.9.1 and 13.9.2 describe the potential damage caused by aborts, if you're interested. Also, 11.6(6). Abort_statements are equally troublesome.

In article , Robert Dewar wrote:
>Frankly I find the advice in the AQS a bit bogus. The best defence against
>runaway recursion is careful reasoning about your program!

I agree.

By the way, ATC was rather controversial during the Ada 9X design. Some folks thought it to be so dangerous, it shouldn't be in the language at all. At one point, the syntax was changed from something innocuous-looking to "then abort". This made the nay-sayers *slightly* happier -- Rudolf Landwehr called it "syntactic poison" (the opposite of syntactic sugar).
My advice is, use static analysis (formal or informal, as appropriate) to prove that things terminate. If you insist on writing the extra checking code, do it with a counter, not with a timed ATC. - Bob
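As an added illustration of the two alternatives discussed in this thread (this is not code from Bob Duff's post, nor from the Ada Quality and Style guide it refers to), the following GNAT-compilable Ada program walks a table of "next index" links once with a counter-bounded loop and once under a timed `select ... then abort`. The `Index_Table` type, the two chain tables, the `Runaway` exception and the `Started`/`Finished` counters are all constructed for this example. The counter bound is the kind of thing static reasoning gives you for free: a walk over N entries that takes more than N steps must have revisited an index, so the chain is cyclic and would never terminate.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Loop_Bound_Demo is

   --  Constructed input: entry K holds the next index to visit, or -1 for
   --  "end of chain".  Good_Chain terminates; Bad_Chain contains a cycle
   --  (3 -> 1 -> 2 -> 3 ...), so a naive walk over it never finishes.
   type Index_Table is array (Natural range <>) of Integer;
   Good_Chain : constant Index_Table := (1, 2, 3, 4, -1);
   Bad_Chain  : constant Index_Table := (1, 2, 3, 1, -1);

   Runaway : exception;

   --  Counter-based bound.  The bound is not a guess: a walk of more than
   --  Table'Length steps must revisit an index (pigeonhole), which means the
   --  chain is cyclic.  Runaway is raised synchronously, at a statement
   --  boundary, so everything the caller can see is consistent in the handler.
   function Walk_With_Counter (Table : Index_Table) return Natural is
      I     : Integer := Table'First;
      Steps : Natural := 0;
   begin
      while I >= 0 loop
         Steps := Steps + 1;
         if Steps > Table'Length then
            raise Runaway;
         end if;
         I := Table (I);
      end loop;
      return Steps;
   end Walk_With_Counter;

   --  Timed ATC (select ... then abort).  Two counters that are supposed to
   --  stay equal stand in for any multi-step update of shared state.  The
   --  abort may land between the two assignments, so after the select the
   --  code cannot assume the invariant Started = Finished still holds.
   Started, Finished : Natural := 0;

   procedure Walk_With_ATC (Table : Index_Table; Give_Up_After : Duration) is
      I : Integer := Table'First;
   begin
      select
         delay Give_Up_After;
         Put_Line ("ATC: timed out, abortable part was aborted");
      then abort
         while I >= 0 loop
            Started  := Started + 1;
            I        := Table (I);
            Finished := Finished + 1;
         end loop;
         Put_Line ("ATC: walk finished normally");
      end select;
      if Started = Finished then
         Put_Line ("ATC: invariant Started = Finished happened to hold");
      else
         Put_Line ("ATC: invariant broken: Started =" & Natural'Image (Started)
                   & ", Finished =" & Natural'Image (Finished));
      end if;
   end Walk_With_ATC;

begin
   Put_Line ("Counter, good chain: terminated in"
             & Natural'Image (Walk_With_Counter (Good_Chain)) & " steps");
   begin
      Put_Line ("Counter, bad chain: terminated in"
                & Natural'Image (Walk_With_Counter (Bad_Chain)) & " steps");
   exception
      when Runaway =>
         Put_Line ("Counter, bad chain: Runaway raised after"
                   & Natural'Image (Bad_Chain'Length) & " steps, state consistent");
   end;
   Walk_With_ATC (Bad_Chain, 0.5);
end Loop_Bound_Demo;
```

Whether the ATC run reports the invariant as broken depends on exactly where the abort lands, and on some runtimes a loop with no abort completion points is not interrupted at all; that non-determinism is the "all kinds of protection and/or reason carefully" cost Bob describes. The counter version has no such question: the `Runaway` handler runs with `Steps` and `I` exactly as the last completed statement left them.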