From: jsa@alexandria.organon.com (Jon S Anthony)
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/07/18
Message-ID: #1/1
References: <33C56F97.1223@gsfc.nasa.gov> <5qc53v$kb6@alumni.rpi.edu> <33CBF5DE.D5FB1B6C@munich.netsurf.de> <33CF2193.18B0@calfp.co.uk>
Organization: PSINet
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel,comp.lang.c,comp.lang.c++

In article <33CF2193.18B0@calfp.co.uk> Nick Leaton writes:

> Jon S Anthony wrote:
>
> ... Delete GC comments
>
> > Highly unlikely given the sort of setting Steve seems to have in mind.
> > Think of an ECU where the 10ms time limit is the hard limit on the
> > evaluation loop and every cycle available in that time limit is used
> > up by "real" work.
>
> And this is in a safety critical development? Tell me where so I can
> avoid it if possible. If you are so close to the time limit, you have no
> margin for error which isn't very safe.

I was speaking somewhat more generally - realtime applications (which may or may not be safety critical).
The most typical example of this sort of thing that most everyone reading this NG probably uses everyday is your car. Turn on the ignition and, voila', you are using such an application. It is also worth noting that a) it is _stunningly_ robust compared to the vast majority of software and b) may well be written in lowly assembler...

But, that doesn't mean the same sort of constraint isn't there for safety critical applications and there for a _very important reason_. That hard 10ms time limit may be there in order to _ensure_ enough _spare_ cycles are _always_ available for a non-nominal event. That is, you are _guaranteeing_ an appropriate margin of error.

Given that you apparently think that would somehow be a bad thing, all I can say is I'm glad you are not working on such applications (I infer that you are not by the mere suggestion you make).

/Jon

-- 
Jon Anthony
OMI, Belmont, MA 02178
617.484.3383

"Nightmares - Ha! The way my life's been going lately,
 Who'd notice?" -- Londo Mollari
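The budget-partitioning design Jon describes (a hard 10 ms evaluation loop that deliberately keeps cycles in reserve for a non-nominal event), as an added example that is not part of the original post or of any real ECU code: a small C monitor that splits the cycle budget into a nominal-work allowance and a reserve, replays a constructed timing trace, and reports both outright deadline misses and the quieter, earlier failure where nominal work has crept into the reserve and the guarantee is already gone. The 2.5 ms reserve, the struct and function names, and the trace values are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread). It models the design point under
 * discussion: a hard 10 ms evaluation loop whose budget is deliberately
 * split into an allowance for nominal work and a reserve that must stay
 * free so a non-nominal event can always be handled in the same cycle.
 * All timings are in microseconds; the trace below is constructed, not a
 * measurement from any real ECU. */

#define CYCLE_BUDGET_US   10000u                       /* hard limit per cycle */
#define RESERVE_US         2500u                       /* headroom kept for events (assumed) */
#define NOMINAL_ALLOW_US  (CYCLE_BUDGET_US - RESERVE_US)

typedef struct {
    uint32_t cycles;            /* cycles accounted so far */
    uint32_t worst_nominal_us;  /* longest nominal-work time observed */
    uint32_t worst_total_us;    /* longest nominal + event time observed */
    uint32_t margin_violations; /* nominal work ran into the reserve */
    uint32_t deadline_misses;   /* cycle exceeded the hard limit */
} cycle_stats;

/* One cycle's timing: nominal work, plus any non-nominal event handling
 * that happened in the same cycle (0 if none). */
typedef struct {
    uint32_t nominal_us;
    uint32_t event_us;
} cycle_sample;

/* Account for one cycle. Returns true if the hard deadline was met.
 * A margin violation is recorded even when the deadline is met, because
 * the reserve is exactly what is supposed to absorb the next event. */
bool account_cycle(cycle_stats *s, cycle_sample c)
{
    uint32_t total = c.nominal_us + c.event_us;
    s->cycles++;
    if (c.nominal_us > s->worst_nominal_us) s->worst_nominal_us = c.nominal_us;
    if (total > s->worst_total_us) s->worst_total_us = total;
    if (c.nominal_us > NOMINAL_ALLOW_US) s->margin_violations++;
    if (total > CYCLE_BUDGET_US) {
        s->deadline_misses++;
        return false;
    }
    return true;
}

/* Replay a trace of cycles and return the accumulated statistics. */
cycle_stats run_trace(const cycle_sample *trace, size_t n)
{
    cycle_stats s = {0};
    for (size_t i = 0; i < n; i++) account_cycle(&s, trace[i]);
    return s;
}

/* Headroom left for an event after the worst nominal cycle seen so far.
 * If this drops below RESERVE_US the guarantee is already broken, even if
 * no deadline has been missed yet. */
uint32_t observed_headroom_us(const cycle_stats *s)
{
    return s->worst_nominal_us >= CYCLE_BUDGET_US
               ? 0
               : CYCLE_BUDGET_US - s->worst_nominal_us;
}

/* Constructed trace: in-budget cycles, one cycle where an event arrives
 * and fits in the reserve, one where nominal work creeps into the reserve
 * without missing the deadline, and one where that creep plus an event
 * misses the hard 10 ms limit. */
static const cycle_sample demo_trace[] = {
    {7000, 0}, {7300, 0}, {7200, 2400}, {7800, 0}, {7900, 2300},
};

int main(void)
{
    cycle_stats s = run_trace(demo_trace, sizeof demo_trace / sizeof demo_trace[0]);
    printf("cycles=%u worst_nominal=%uus worst_total=%uus headroom=%uus\n",
           (unsigned)s.cycles, (unsigned)s.worst_nominal_us,
           (unsigned)s.worst_total_us, (unsigned)observed_headroom_us(&s));
    printf("margin_violations=%u deadline_misses=%u\n",
           (unsigned)s.margin_violations, (unsigned)s.deadline_misses);
    return s.deadline_misses == 0 ? 0 : 1;
}
```

The point of tracking `margin_violations` separately from `deadline_misses` is the one Jon makes: a loop that only ever checks the 10 ms limit will look healthy right up until an event lands on a cycle whose nominal work has quietly grown into the reserve. Watching the worst observed nominal time against the allowance catches that drift while there is still margin to act on.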