From: "Pat Rogers"
Subject: Re: JOB:Sr. SW Engineers Wanted-Fortune 500 Co
Date: 2000/02/01
Newsgroups: comp.lang.ada
Organization: Software Arts & Sciences
References: <3894A823.92EC75D1@bondtechnologies.com> <874b7r$mj9$1@nnrp1.deja.com> <38967537_1@news.jps.net>

"Hyman Rosen" wrote in message news:t7n1pk6gwx.fsf@calumny.jyacc.com...
> "Mike Silva" writes:
> > This is a silly strawman, since nobody (at least, nobody who wants to be
> > taken seriously) ever makes such extreme claims. It's all a matter of
> > increasing the odds, and both the C language and the C culture invite buggy
> > code (sad to say, I've written my share). Every C programmer should perform
> > the eye-opening exercise of determining how many C bugs they encounter would
> > not have been possible, or would have been quickly spotted, in Ada.
>
> I would assume that for safety-critical code, the development process
> is such that these errors would be found if they were present. After
> all, Ada's error checks can help only in the development process, not
> once the pacemaker is installed, so the code would have to be carefully
> checked to make sure that no exceptions would actually be triggered.
> This is the same process the C code would go through.

Error checking at run-time is still vital, and Ada's checking (if left in)
can help. Although it is a common practice in (well-done!) safety-critical
development to prove that exceptions cannot occur, they still can. The
obvious cause is radiation-induced hardware errors. The more difficult
issue, because it is based upon human imperfection, is that of errors in
the specification. No amount of program proof will circumvent that problem.
In that case run-time checks can serve to invoke the fault tolerance
mechanisms, however extensive those may or may not be. Clearly some
applications can have no fall-back position (the classic example is a
launched missile) and in those cases there's no point in checking. But in
those cases in which faults can be tolerated the checks are directly
helpful. That's not to say that similar checks cannot be hand-coded in any
language, but that is another issue.

--
Pat Rogers                       Training and Consulting in:
http://www.classwide.com         Deadline Schedulability Analysis
progers@classwide.com            Software Fault Tolerance
(281)648-3165                    Real-Time/OO Languages
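An added illustration of the point made above, not code from the post or from any of its participants: an Ada range check whose proof of absence of exceptions holds only for inputs that obey the specification, together with a handler that uses the failed check to enter a fallback path. Read_Hardware, Reading, Scale and the value 1500 are all constructed for the example.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Check_Demo is
   --  The specification says a valid reading is 0 .. 1000; the proof that
   --  Scale never leaves this range is sound only for inputs that obey it.
   subtype Reading is Integer range 0 .. 1000;

   Safe_Default : constant Reading := 0;

   --  Hypothetical hardware read.  The constant 1500 is a constructed
   --  value standing in for a flipped bit or a sensor whose real range
   --  (say 0 .. 4095) was wider than the specification assumed.
   function Read_Hardware return Integer is
   begin
      return 1500;
   end Read_Hardware;

   function Scale (R : Reading) return Reading is
   begin
      return R / 2;   --  provably in 0 .. 500 for any valid Reading
   end Scale;

   Value : Reading := Safe_Default;
begin
   --  The compiler-generated range check fires on the parameter
   --  association (unless checks were removed with pragma Suppress),
   --  raising Constraint_Error before Scale ever runs on bad data.
   Value := Scale (Read_Hardware);
   Put_Line ("Scaled reading:" & Integer'Image (Value));
exception
   when Constraint_Error =>
      --  The check hands control to the fault-tolerance path: fall back
      --  to a known-safe state instead of continuing with an
      --  out-of-specification value.
      Value := Safe_Default;
      Put_Line ("Range check failed; using safe default:" & Integer'Image (Value));
end Check_Demo;
```

Compiling with checks suppressed (for example via pragma Suppress (All_Checks)) removes the handler's trigger, which is exactly the trade-off the post is describing.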