From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 109fba,f23beed6d550d20d
X-Google-Thread: 103376,aaee47ff04b98ae5
X-Google-Attributes: gid109fba,gid103376,public
X-Google-ArrivalTime: 2004-04-26 04:06:08 PST
Path: archiver1.google.com!postnews1.google.com!not-for-mail
From: Michiel.Salters@logicacmg.com (Michiel Salters)
Newsgroups: comp.lang.c++,comp.lang.ada
Subject: Re: "Ravenscar-like" profile for C/C++
Date: 26 Apr 2004 04:06:08 -0700
Organization: http://groups.google.com
Message-ID: <fcaee77e.0404260306.64acbe9@posting.google.com>
References: <c6gdub$j92$1@news-reader4.wanadoo.fr>
 <c6gked$1ha4$1@ulysses.noc.ntua.gr>
 <ev7o80lpud3gfmicusomjs5std2a0dimga@4ax.com>
 <c6hnpg$tio$1@ulysses.noc.ntua.gr>
 <1082964421.KuB1viW3U1@linux1.krischik.com>
NNTP-Posting-Host: 195.109.155.71
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1082977568 9974 127.0.0.1 (26 Apr 2004 11:06:08
 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Mon, 26 Apr 2004 11:06:08 +0000 (UTC)
Xref: archiver1.google.com comp.lang.c++:31689 comp.lang.ada:7504
Date: 2004-04-26T04:06:08-07:00
List-Id: <comp.lang.ada>

Martin Krischik <krischik@users.sourceforge.net> wrote in message news:<1082964421.KuB1viW3U1@linux1.krischik.com>...
> Ioannis Vranos wrote:
>
> The problem with savety critical programming in C or C++ is not what is
> allowed or possible but what should not be allowed and should be
> impossible. And for that I just need two line:
> 
> char X[10];
> X[10]='A';

What's the problem with that code, from a safety perspective? Certainly
a C compiler which is supposed to be suited for safety-critical programs
will diagnose this. The base C and C++ languages have quite a number
of "undefined behavior - no diagnostic required" cases, but a similar
profile may very well tighten that to "undefined behavior - must be 
rejected at compile time". 

The base philosophy in C and C++ is that flexibility can be traded 
for safety, but not vice versa. Certainly, in C++ it is easy to
create a verifiable subset. For instance, it is possible to define
a range template and with it a <int,0,10> type. The toolset would
be hard pressed to prove that the range template is correct and
overflow-free. However, this could be proven by humans. The tool
chain instead only has to check that all possible overflows are
located in this checked range< > code. Together, this would prove
that a body of code is overflow-free.

Regards,
Michiel Salters