From: "Nick Roberts" <nickroberts@adaos.worldonline.co.uk>
Subject: Re: A case where Ada defaults to unsafe?
Date: Wed, 9 Jan 2002 11:11:12 -0000
Message-ID: <a1hc2s$qo9j3$1@ID-25716.news.dfncis.de>
In-Reply-To: 3C3C1438.FBF10FC3@baesystems.com
"Stuart Palin" <stuart.palin@baesystems.com> wrote in message
news:3C3C1438.FBF10FC3@baesystems.com...
> ...
> I think the important point in Simon's message was:
>
> > > making subtle deductions about the **intent of the designer** from
> > > **details of the implementation** is a big mistake.
>
> If a designer is being 'clever' or has done something in a particular
> way for a good reason, then this should be explicitly documented
> (comments at least).
>
> It is a big mistake to **have to** deduce detailed intent by attributing
> subtle meanings to code.
I agree with this principle in a big way.
However, for a lot of Ada code (maybe not flight management code), there are
always going to be situations where the designer is not available, and the
documentation and/or comments do not cover a particular design decision in
the code. Then it is, unfortunately, necessary to make deductions about the
intent of the designer from details of the implementation.
> Relating to the current thread I think I understand where Hyman is
> coming from; but feel that ** if this is an issue ** for a particular
> system that it is not difficult to adopt 'house rules' that mandate using
> 'and then' and 'or else' (and accepting all the downside aspects).
But Hyman and I can argue against such house rules (and I do!).
> I think Hyman is mistaken to think that Ada is 'by default' a ** safe
> language **; it has features that enhance safety by preventing (or
> allowing the detection of) certain types of programming error. Even in
> subsets like SPARK it is quite possible to write unsafe programs
> (Simon's and Nick's posts illustrate this). Safety is a system property
> and software safety can not be assessed in total isolation from the
> system. Quite what makes a system ** unsafe ** will depend on the
> hazards facing the system and what are and are not permitted actions.
I suspect Hyman wouldn't put Ada's safety in quite such stark terms. I think
he was trying to say that Ada's features are normally safe by default,
rather than that the language as a whole is somehow magically safe (and so
programs written in Ada will never fail).
My experience is that the biggest number, and worst kind, of 'bugs' in a
safety-critical system are introduced long before the coding stage. No kind
of coding can eliminate these bugs. [This is why the strategy of hedging
with multiple codings (based on one specification) horrifies me so much, but
that's another argument.]
> My own pet peeve in Ada is the choice of comment token;
> A := very_long_name_B - very_long_name_C
> + very_long_name_D -- very_long_name_E
> - very_long_name_F;
>
> While thorough forms of testing should readily detect the 'missing'
> reference to E, it just seems silly to introduce the risk of a simple
> typo involving a commonly used mathematical symbol; especially when
> there seem to be plenty of (otherwise) unused symbols available.
Hmm. How about:
A := B + C; \~~~@@@^^^$$$^^^@@@~~~\ comment here
:-)
NB: I use a German server which is pretty good, but (in common with most
Usenet servers, I gather) it doesn't get everything posted to comp.lang.ada;
I didn't get Simon's most recent reply to me in this thread. So if my
comments appear disjointed in this way, you know why.
:-( ;-)
--
Best wishes,
Nick Roberts
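As an added illustration of the comment-token hazard Stuart describes (this is not code from the thread), here is a small Python lint that flags Ada lines where a '--' comment appears to have swallowed the tail of an expression: either the next line continues with an operator, or the statement terminator ended up inside the comment. The sample source is constructed around the expression quoted above, and the check is a heuristic, not an Ada parser.

```python
"""Heuristic lint for the Ada '--' comment hazard discussed in the post:
a '-' typed twice turns the rest of the line into a comment and silently
drops operands.  Added example, not from the thread; not a full Ada parser."""
import re

# Binary operators that may open a continuation line of a cut expression.
CONTINUATION = re.compile(r"^\s*(\+|-|\*|/|&|=|/=|<=|>=|<|>|and\b|or\b|xor\b)")

def split_comment(line):
    """Split one Ada line into (code, comment_or_None), ignoring '--' inside
    string literals ("" is the embedded quote) and character literals."""
    i, in_string = 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            in_string = not in_string        # a doubled "" toggles twice: harmless
        elif not in_string and c == "'" and line[i + 2:i + 3] == "'":
            i += 2                           # skip a character literal such as '"'
        elif not in_string and line[i:i + 2] == "--":
            return line[:i], line[i + 2:]
        i += 1
    return line, None

def find_hazards(source):
    """Return (line_number, reason) for comments that look like swallowed code."""
    lines = source.splitlines()
    hazards = []
    for n, line in enumerate(lines):
        code, comment = split_comment(line)
        if comment is None or not code.strip() or code.rstrip().endswith(";"):
            continue                         # no comment, or statement already complete
        if comment.rstrip().endswith(";"):
            hazards.append((n + 1, "statement terminator inside comment"))
            continue
        # The statement is open: does the next real line continue it with an operator?
        for nxt in lines[n + 1:]:
            nxt_code, _ = split_comment(nxt)
            if nxt_code.strip():
                if CONTINUATION.match(nxt_code):
                    hazards.append((n + 1, "expression continues after comment"))
                break
    return hazards

# Constructed sample built around the expression quoted in the post.
SAMPLE = """\
A := very_long_name_B - very_long_name_C
     + very_long_name_D -- very_long_name_E
     - very_long_name_F;
Msg := "--not a comment--" & Sep;  -- trailing comment, statement complete
B := C -- 1 + D;
"""

if __name__ == "__main__":
    for line_no, reason in find_hazards(SAMPLE):
        print(f"line {line_no}: {reason}")
```

Trailing comments after a complete statement are never flagged; a comment inside an argument list followed by a plain identifier line is also left alone, so the noise is limited to the two patterns named above.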