From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID
	autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,42427d0d1bf647b1
X-Google-Attributes: gid103376,public
From: dewar@cs.nyu.edu (Robert Dewar)
Subject: Re: Ada Core Technologies and Ada95 Standards
Date: 1996/04/04
Message-ID: <dewar.828601117@schonberg>#1/1
X-Deja-AN: 145760537
references: <00001a73+00002c20@msn.com> <dewar.827809782@schonberg>
 <828038680.5631@assen.demon.co.uk> <dewar.828062076@schonberg>
 <828127251.85@assen.demon.co.uk> <dewar.828157508@schonberg>
 <315FD5C9.342F@lfwc.lockheed.com> <dewar.828415807@schonberg>
 <3160EFBF.BF9@lfwc.lockheed.com> <828475321.18492@assen.demon.co.uk>
 <dewar.828492539@schonberg> <31623F5E.4EAE@lfwc.lockheed.com>
organization: Courant Institute of Mathematical Sciences
newsgroups: comp.lang.ada
Date: 1996-04-04T00:00:00+00:00
List-Id: <comp.lang.ada>

Ken Garlington says:

  1. The ACVC is not an adequate standard of proof, because of inherent
     limitations of a general certification test suite. I'm not sure I fully
     accept that rationale, but as we've already agreed, you're far more
     knowledgeable of the ACVC than I, so I'll have to bow to your expertise.

Ken, it continues to worry me that you could possibly think that a set
of black box tests (no code coverage testing, no path testing) could
possibly be sufficient as proof at any high level of assurance of a
complex program. Surely you do not mean to tell me that safety critical
programs that you write are tested only to this extent (or for that
matter that these programs trust the compiler!)

  2. The real standard of proof should come from the actions of the individual
     vendors. In particular, you said that GNAT has a development and test
     process, and that this process was probably common to other vendors.
     I requested a description of this process. Is this an unreasonable demand
     from potential customers like Mr. McCabe and myself? I know that any
     potential customer can ask for my company's process at any time (in fact,
     we have booths at conferences like the Software Technology Conference
     _promoting_ our process).

We have described our process in a number of forums. It is a long story
which I am not about to post here! In short we have an extensive test
suite that we run every night and before any modification to the system
occurs, but there is much more to the story than that. If you are indeed
a serious potential customer for GNAT, contact support@gnat.com.
(or stop by our booth at STC!)