From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
	autolearn=ham autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: f849b,b8d52151b7b306d2
X-Google-Attributes: gidf849b,public
X-Google-Thread: 103376,a00006d3c4735d70
X-Google-Attributes: gid103376,public
X-Google-ArrivalTime: 2003-12-29 11:00:08 PST
Path: 
 archiver1.google.com!news2.google.com!news.maxwell.syr.edu!logbridge.uoregon.edu!msunews!not-for-mail
From: "Chad R. Meiners" <crmeiners@hotmail.com>
Newsgroups: comp.arch.embedded,comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Date: Mon, 29 Dec 2003 13:56:10 -0500
Organization: Michigan State University
Message-ID: <bsptbb$e4$1@msunews.cl.msu.edu>
References: <3fe00b82.90228601@News.CIS.DFN.DE> <3FE026A8.3CD6A3A@yahoo.com>
 <x0%Db.16$_l6.25998@news.uswest.net>
 <3bf1uvg2ntadvahfud2rg6ujk24sora6gr@4ax.com>
 <2u3auvogde8ktotlaq0ldiaska3g416gus@4ax.com> <bs62ph$giu$1@newshost.mot.com>
 <20619edc.0312221020.3fd1b4ee@posting.google.com>
 <b5feuv06s2nmpakq0o1b7v0kpd450v3eli@4ax.com>
 <20619edc.0312222106.3b369547@posting.google.com>
 <45cs9hAbLc6$EAAx@phaedsys.demon.co.uk>
 <bsmagl$e5ajv$1@ID-69815.news.uni-berlin.de>
 <GawT1aBurv7$EA8G@phaedsys.demon.co.uk> <bsnn5q$scd$1@msunews.cl.msu.edu>
 <ItOdncXDf7nrHnKiRVn-gw@comcast.com> <bsoao6$1j77$1@msunews.cl.msu.edu>
 <H_mdnevqls8nwW2iRVn-iQ@comcast.com>
NNTP-Posting-Host: arctic.cse.msu.edu
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Xref: archiver1.google.com comp.arch.embedded:6302 comp.lang.ada:3934
Date: 2003-12-29T13:56:10-05:00
List-Id: <comp.lang.ada>


"Robert I. Eachus" <rieachus@comcast.net> wrote in message
news:H_mdnevqls8nwW2iRVn-iQ@comcast.com...
> I think we are agreeing violently. ;-)  My point is that you can use
> external (from a SPARK viewpoint) storage to make SPARK Turing-Complete.
>   For an example, consider an embedded system that includes a tape drive
> for data logging. The system as a whole is Turing Complete, given an
> operator to change tapes, but it wouldn't normally be used in that way.

Yep. We are agreeing.  I was going to use the tape drive example but you
beat me to it.

> So you would be able to prove that a package that used the tape drive to
> implement a stack was correct, but you couldn't validate programs that
> used the tape as an unbounded store.
>
> Once you get into this situation, which I have run into on several
> projects you have to decide where to make the cut.  I remember one
> particular (pre-SPARK) Ada project where we validated that the program
> would not fail if it ran out of logging space, and that the amount of
> logging space available met the system spec.  We just had to live with
> the fact that the logging requirement was somewhat arbitrary.

Interesting...I had always suspected that this had to happen in practice,
but I didn't actually know how professionals (at least a set of
professionals;) reacted to these sorts of impasses.  Thank you, I bet this
bit of information will turn up useful to me sometime in the future.

-CRM