Re: Safety Critical Systems and Ada 95

comp.lang.ada
 help / color / mirror / Atom feed

From: eachus@spectre.mitre.org (Robert I. Eachus)
Subject: Re: Safety Critical Systems and Ada 95
Date: 1998/06/18
Date: 1998-06-18T00:00:00+00:00	[thread overview]
Message-ID: <EACHUS.98Jun18180504@spectre.mitre.org> (raw)
In-Reply-To: EuEBLM.97x.0.-s@inmet.camb.inmet.com

In article <EuEBLM.97x.0.-s@inmet.camb.inmet.com> stt@houdini.camb.inmet.com (Tucker Taft) writes:

  > Any restriction whose violation can be detected at compile-time
  > or link-time is treated as an error by the compiler.  It is only
  > restrictions that are undetectable prior to run-time that can
  > result in erroneous execution upon violation.

   I'd like to amplify a bit.  What Tuck says is correct, but
mysterious to people who don't have the full context.  There are
several restrictions which are of great use in a safety context, and
are also useful for performance tuning.  Ada 95 combines these into a
single pragma, even though it is not always possible to detect
violations at compile time.  The easiest example to understand is

     pragma Restrictions(Max_Tasks => 0);

   Annex D requires support of the identifier, but for say Max_Tasks
=> 100, it is impossible to tell whether some programs violate the
restriction at compile time.  However, Annex H at H.4(2) requires that
Max_Tasks of zero be checked at compile or link time.  ("checked prior to
program execution.")

   So pragma Restrictions with some arguments will not be useful for
Annex H purposes.  But the restrictions defined in Annex H can and, if
Annex H is supported, must be checked prior to execution. There are
technically three exceptions: No_Exceptions and hardware signaled
exceptions, No_Recursion, and recursion which can not be detected at
compile time, and No_Reentrancy in a program with multiple tasks.  The
obvious way to avoid those problems is to choose a sensible set of
restrictions.  For example, No_Access_Subprograms and No_Dispatch
should be used with No_Recursion so that all potentially recursive
calls can be checked at compile time, and you can use modular types to
avoid cases where the hardware would signal integer overflow.
--

					Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...

next prev parent reply	other threads:[~1998-06-18  0:00 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
1998-06-10  0:00 Safety Critical Systems and Ada 95 John J Cupak Jr, CCP
1998-06-10  0:00 ` Rakesh Malhotra
1998-06-10  0:00 ` JP Thornley
1998-06-11  0:00   ` Tucker Taft
1998-06-18  0:00     ` Robert I. Eachus [this message]
1998-06-10  0:00 ` Rakesh Malhotra
1998-06-11  0:00   ` Brian Rogoff
1998-06-10  0:00 ` Rakesh Malhotra
1998-06-10  0:00 ` Rakesh Malhotra

replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox