From: mheaney@ni.net (Matthew Heaney)
Subject: Re: Beware: Rep spec on an enumeration type causes code explosion
Date: 1997/12/11
Message-ID: #1/1
References: <66po35$1a1$1@gte2.gte.net>
Organization: Estormza Software
Newsgroups: comp.lang.ada

In article <66po35$1a1$1@gte2.gte.net>, Rakesh Malhotra wrote:

>We work on safety critical projects. And if we have a safety critical
>bit of code that defines and uses an enumeration then we use the rep
>clause to provide more than 1 bit separation between adjacent values in
>the enumeration. That way if 1 bit got corrupted the value could not
>become some other legal value.
>
>Hence type SIGNAL_TYPE is (RED, GREEN);
>for SIGNAL_TYPE use (RED => 16#00#, GREEN => 16#03#);
>
>So if a signal was supposed to be RED, with just a 1 bit corruption it
>could never become GREEN. Obviously we have these kinds of enum's and
>rep clauses all over the code space, and they are used in arrays to
>index etc etc. An even worse example (from the coder's point of view)
>is that we create our own BOOLEAN_TYPE with states defined as TRUE_STATE
>and FALSE_STATE; then give both true and false explicit values; and
>then test for those in "if" statements etc :) Pretty horrible eh?

This is a seriously wrong way to build safety-critical software. As a matter of fact, it's a wrong way to build *any* software. You are quite correct in pointing out that it is "pretty horrible."

As John Volan wisely pointed out, create holey types for use at the EXTERNAL INTERFACE ONLY.
You should have an "interface object," implemented as a layered machine, to manage communication with each external device. The machine has three purposes: to read in the data from the hardware, verify that the data received is valid, and then convert that data from interface format to application format.

If you are using a holey type inside the application, i.e. not at the interface layer only, then you are probably doing something wrong. The fact that you're using your own Boolean type does not bode well!

--------------------------------------------------------------------
Matthew Heaney
Software Development Consultant
(818) 985-1271
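The layered interface object described above, as an added example in Ada 2012 (not code from the post or from Matthew Heaney): the holey wire encoding stays at the interface, every byte read is checked with 'Valid, and only a checked value is converted to a hole-free application type. The names Signal_Wire, Signal_Type, To_Application and Bad_Signal and the sample bytes are assumptions; the codes 16#00# and 16#03# are the ones from the thread.

```ada
with Ada.Text_IO;             use Ada.Text_IO;
with Ada.Exceptions;          use Ada.Exceptions;
with Ada.Unchecked_Conversion;
with Interfaces;              use Interfaces;

procedure Signal_Interface_Demo is
   --  Interface layer: the hardware encoding, with more than one bit of
   --  separation between legal codes so a single flipped bit can never
   --  turn one legal value into the other.
   type Signal_Wire is (Red, Green);
   for Signal_Wire use (Red => 16#00#, Green => 16#03#);
   for Signal_Wire'Size use 8;

   --  Application layer: an ordinary enumeration with no holes, so it can
   --  index arrays and drive case statements without extra ceremony.
   type Signal_Type is (Red, Green);

   Bad_Signal : exception;

   function As_Wire is new Ada.Unchecked_Conversion (Unsigned_8, Signal_Wire);

   --  Read (reinterpret the byte), verify ('Valid rejects every code that
   --  is not exactly 16#00# or 16#03#), convert (map to Signal_Type).
   function To_Application (Raw : Unsigned_8) return Signal_Type is
      Wire : constant Signal_Wire := As_Wire (Raw);
   begin
      if not Wire'Valid then
         raise Bad_Signal with "invalid signal code" & Raw'Image;
      end if;
      case Wire is
         when Red   => return Red;
         when Green => return Green;
      end case;
   end To_Application;

   --  Constructed sample input: both legal codes plus 16#01#, which is
   --  Red with one bit flipped and must be rejected, not read as Green.
   Samples : constant array (1 .. 3) of Unsigned_8 := (16#00#, 16#03#, 16#01#);

begin
   for Raw of Samples loop
      begin
         Put_Line (Raw'Image & " -> " & Signal_Type'Image (To_Application (Raw)));
      exception
         when E : Bad_Signal =>
            Put_Line (Raw'Image & " rejected: " & Exception_Message (E));
      end;
   end loop;
end Signal_Interface_Demo;
```

Everything past To_Application works with Signal_Type alone, which is the point of the post: the holes protect the wire, and the application never has to see them.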