From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,INVALID_MSGID, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: fac41,2c6139ce13be9980 X-Google-Attributes: gidfac41,public X-Google-Thread: 1108a1,2c6139ce13be9980 X-Google-Attributes: gid1108a1,public X-Google-Thread: f43e6,2c6139ce13be9980 X-Google-Attributes: gidf43e6,public X-Google-Thread: 103376,3d3f20d31be1c33a X-Google-Attributes: gid103376,public From: donh@syd.csa.com.au (Don Harrison) Subject: Re: Safety-critical development in Ada and Eiffel Date: 1997/07/25 Message-ID: #1/1 X-Deja-AN: 258633534 Sender: news@syd.csa.com.au X-Nntp-Posting-Host: dev50 References: <33D6A5BC.12D4@flash.net> Organization: CSC Australia, Sydney Reply-To: donh@syd.csa.com.au Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel Date: 1997-07-25T00:00:00+00:00 List-Id: All of the following issues become irrelevant in the context of library classes that allow thread-based timing. See my previous post about class TIMED. Ken Garlington wrote: :Don Harrison wrote: :> :> Ken Garlington wrote: :> :> :Richie Bielak wrote: :> :> :> I always thought it would be nice to have postconditions of the form: :> :> :> :> ensure :> :> execution_time < 10 -- 10 milliseconds, let's say :> end :> ^^^ :> my addition :> :> :> :> So an exception would be raised if the routine took too long :> :> to execute. :> : :> :Of course, you have to decide if "execution time" includes the time for :> :the postcondition (including any code that executes after the actual :> :test instruction)! :> :> It would be the duration when the expression "execution_time" is evaluated. :> There would be no statements following the assertion so it should be accurate :> enough for most purposes. : :1. Why would there be no statements afterwards? :2. If there were assertions _before_ this one, would their time be :included? :3. How is the assumption "accurate enough" captured in an Eiffel :assertion? (_Would_ :it be captured?) : :> If not, you can apply a small compensating adjustment :> to the relational expression: :> :> ensure :> execution_time < 9.99 -- milliseconds :> end : :However, this compensation depends upon making assumptions of the :time it takes to do the assertions... and we want to avoid writing code :whose correctness depends upon assumptions about how fast the code runs, :right? : :> :> :We usually have such measurements _outside_ the code sequence being :> :measured (i.e., in the scheduler). :> :> ..in which case, you'd presumably be subject to the timing inaccuracies of :> the scheduler, anyway. : :But the timing inaccuracies of the scheduler are at the thread level. :Your :inaccuracies are at the object level. If a lot of objects are called in :the course of a thread's execution (or a few are called a lot of times), :your inaccuracies build. Mine don't (particularly if the start of the :thread is controlled by a high-accuracy timer/low-overhead interrupt :handler, which is typical for hard real-time systems). : :> :> Don. :> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- :> Don Harrison donh@syd.csa.com.au -- Don. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Don Harrison donh@syd.csa.com.au