From: bobduff@world.std.com (Robert A Duff)
Subject: Re: Can OO be successful in real-time embedded systems?
Date: 1996/05/09
References: <3191DE76.130F@lmtas.lmco.com>
Organization: The World Public Access UNIX, Brookline, MA
Newsgroups: comp.lang.ada

In article <3191DE76.130F@lmtas.lmco.com>, Ken Garlington wrote:
>For safety-critical systems, you might also want to use pragma
>Reviewable, coupled with a tool that reads the resulting analysis file,
>to examine the object code for each dispatch and verify that the
>case-ish object code meets certain criteria. We do this now for case
>statements, and I would expect that we would extend the technique for
>dispatching.

The definition of pragma Reviewable is pretty vague. We'll have to rely
on people who really care about this pragma, to admonish vendors to
produce useful information.

>The real difference between dispatching and case statements, in my
>mind, is that case statements usually only generate different code if
>the case statement itself is changed. Even if the range of the case
>selector is changed, for example, the case itself usually has the same
>object code. Thus, you can sometimes limit the scope of analysis for
>regression test purposes.

Right. To test polymorphic code in this way, you have to track down all
overridings.

>For dispatching, this isn't going to be the case (so to speak.) We're
>going to have to be more careful about doing analysis of dispatch
>points. However, with reasonable tools and CM practices, this should
>not be insurmountable.

Dispatching calls are like case statements, except that the case
branches are open-ended. One just needs to take that open-endedness
into account.

>That's certainly true. Further, I don't see the annex as being all that
>much "over-kill." Except for Normalize_Scalars and 'Valid, you can
>pretty much have the whole annex with current Ada 83 tools (although
>the implementation is not the same, of course). I would like to believe
>that, for safety and security related applications, the annex would
>serve as a perfectly reasonable tool kit.

The SS annex is very much UNDER-kill, and intentionally so. If you say,
"my program obeys the SS annex, and therefore can be used safely", I'll
think you're a crackpot. If you say, "my program uses the SS annex
(among other things) to ensure safety", then I'll take it more
seriously.

- Bob
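An added illustration of the "case statement with open-ended branches" point above; this is example code written for this archive page, not code from either poster. The Mode, Sensor, Thermometer and Pressure_Gauge types are made up for the example; the case statement's alternatives are fixed by the enumeration and checked for completeness by the compiler, whereas the dispatching call in Poll gains a new branch every time someone derives from Sensor and overrides Read, which is why a review of a dispatch point has to track down all overridings.

```ada
with Ada.Text_IO; use Ada.Text_IO;
procedure Dispatch_Vs_Case is
   --  Closed branch set: the compiler rejects this case statement if a
   --  new Mode literal is added without a matching alternative, so the
   --  set of reachable branches is visible at the statement itself.
   type Mode is (Idle, Active, Fault);
   procedure Handle (M : Mode) is
   begin
      case M is
         when Idle   => Put_Line ("idle");
         when Active => Put_Line ("active");
         when Fault  => Put_Line ("fault");
      end case;
   end Handle;

   --  Open branch set: every type derived from Sensor, in any unit,
   --  adds a "branch" to the dispatching call in Poll below while the
   --  call site stays unchanged, so a reviewer has to find every
   --  overriding of Read rather than read one statement.
   type Sensor is abstract tagged null record;
   procedure Read (S : Sensor) is abstract;

   type Thermometer is new Sensor with null record;
   procedure Read (S : Thermometer);
   type Pressure_Gauge is new Sensor with null record;
   procedure Read (S : Pressure_Gauge);

   procedure Read (S : Thermometer) is
   begin
      Put_Line ("thermometer");
   end Read;

   procedure Read (S : Pressure_Gauge) is
   begin
      Put_Line ("pressure gauge");
   end Read;

   --  S is class-wide, so Read (S) dispatches on S'Tag at run time.
   procedure Poll (S : Sensor'Class) is
   begin
      Read (S);
   end Poll;

   T : Thermometer;
   P : Pressure_Gauge;
begin
   Handle (Active);   --  one of exactly three alternatives
   Poll (T);          --  dispatches to Read (Thermometer)
   Poll (P);          --  dispatches to Read (Pressure_Gauge)
end Dispatch_Vs_Case;
```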