From: Peter Amey
Subject: Re: Any research putting c above ada?
Date: 1997/04/16
References: <5ih6i9$oct$1@waldorf.csc.calpoly.edu> <5j078b$b25$1@NNTP.MsState.Edu>
Organization: Praxis plc, U.K.
Newsgroups: comp.lang.c++,comp.lang.c,comp.lang.ada

On 15 Apr 1997, Tom White wrote:

> I remember a Turing Award Lecture by C.A.R. Hoare from the early
> eighties (dig through some Journals of the ACM). Hoare was not
> an Ada booster; he was concerned about the complexity of Ada from
> both the application programmer's and compiler implementor's
> perspectives.
>
> As to your second point, Hoare was accepting the award :)
>
> --
> -- Tom White
>

A quote from this 1980 lecture includes the following: "It is not too late! I believe that by careful pruning of the Ada language, it is still possible to select a very powerful subset that would be reliable and efficient in implementation and safe and economic in use". This was part of the inspiration for SPARK, our formally-defined, tool-supported, secure SPARK subset.

There is another important point here as well: the difference between Ada and most other languages is not just the detail of whether incompatible types can be coerced or whether run-time checks are turned on or off by default. Rather it is that Ada makes a serious attempt to define the semantics of the language under all conditions including those where errors have occurred. This gives the desirable (essential?) property that the meaning of a program can be determined by looking at the source code (especially if it is SPARK) rather than by reviewing the test results :-)

This property of Ada is what makes secure subsets feasible (and the nice things that follow from this - like being able to construct a proof, prior to execution, that a SPARK program is exception free). It would not be possible to define a subset of C that had all SPARK's properties because after cutting away the ambiguity and insecurity what would be left would be too small to be useful.

Peter