From: nino@complang.tuwien.ac.look-in-sig (Marinos J. Yannikos)
Subject: Re: Safety-critical development in Ada and Eiffel
Date: 1997/08/09
References: <33CD1722.2D24@calfp.co.uk> <33D24C91.C9730CBA@munich.netsurf.de> <33D71492.6F06@uk.ibm.com> <33D9B8F9.4693018C@munich.netsurf.de> <5rh12t$jl0$1@flood.weeg.uiowa.edu>
Organization: TU Wien E185/1
Newsgroups: comp.object,comp.software-eng,comp.lang.ada,comp.lang.eiffel

In article <5rh12t$jl0$1@flood.weeg.uiowa.edu>, Robert S. White wrote:
> I hope you never have to do safety-critical hard real-time programming
> with more than a very few tasks running. You have never heard of a
> deadlock? Race condition? Sure you try to design to avoid such things,
> but you can never be sure that you have really successfully avoided
> all timing sensitivities until you _test_ for them! The cold HARD rule
> is that if the machine code changes, then regression tests _must_ be
> done.

(straying off-topic, but second opinions might be interesting sometimes)

There is a school of thought which insists that verifying hard real-time systems by testing them is pointless, since you can hardly simulate all possible events, how they interact, occur at the same time ("avalanches") etc.
Some other approaches might be taken; a good one is (IMHO) static scheduling and checking of time constraints, which is possible if you reduce the scope of the language the code is written in (e.g. no infinite loops allowed). Have a look at the MARS project if you're interested:

http://www.vmars.tuwien.ac.at (not much there, unfortunately)

ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-01-89.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-01-91.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-02-91.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-11-91.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-12-91.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-02-92.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-11-92.ps.Z
ftp://ftp.vmars.tuwien.ac.at/pub/papers/rr-04-93.ps.Z

(Lots of research reports about timing and Modula-r...)

A funny coincidence is that during a seminar in '93 or so at that department I had to compare Eiffel to Modula-r regarding suitability for hard real-time systems (the former I knew nothing about and have not read much about since then); the latter I had the luck to have worked on for a student project.

Note that I'm slightly biased, and not being enough of a real-time person I may easily have missed some limitations/disadvantages of the MARS and Modula-r approach.

-nino
--
Please change the last part of my address to "at" if you're replying by mail.
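The post argues for checking time constraints statically rather than by testing: if every loop is bounded, each task has a known worst-case execution time (WCET), and an offline tool can build the whole schedule and prove every deadline is met before the code ever runs. The following is an added example written for this thread, not code from the post, from MARS, or from Modula-r. It assumes periodic tasks with integer tick counts and builds a time-triggered table over the hyperperiod with offline earliest-deadline-first; the task sets `DEMO_TASKS` and `OVERLOADED_TASKS` are constructed here for illustration.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    period: int    # release period, in scheduler ticks
    wcet: int      # worst-case execution time in ticks (only known if loops are bounded)
    deadline: int  # relative deadline in ticks, must not exceed the period here


def hyperperiod(tasks: List[Task]) -> int:
    """Least common multiple of all periods: the table repeats after this many ticks."""
    return reduce(lambda a, b: a * b // gcd(a, b), (t.period for t in tasks), 1)


def build_static_schedule(tasks: List[Task]) -> Tuple[List[Optional[str]], List[Tuple[str, int]]]:
    """Construct the offline schedule and report every deadline that cannot be met.

    Returns (table, misses): table[i] is the task name that owns tick i (None = idle),
    misses lists (task name, absolute deadline) for jobs that would be late.
    A non-empty misses list means the task set is rejected before deployment."""
    for t in tasks:
        if t.wcet < 1 or t.deadline > t.period:
            raise ValueError(f"task {t.name}: wcet must be >= 1 and deadline <= period")

    horizon = hyperperiod(tasks)
    # Expand every task into its job instances inside one hyperperiod.
    jobs = [
        {"name": t.name, "release": k * t.period,
         "deadline": k * t.period + t.deadline, "remaining": t.wcet}
        for t in tasks
        for k in range(horizon // t.period)
    ]

    table: List[Optional[str]] = []
    misses: List[Tuple[str, int]] = []
    for tick in range(horizon):
        # A job whose deadline has passed with work left has missed; drop it so it is reported once.
        for j in jobs:
            if j["remaining"] > 0 and j["deadline"] <= tick:
                misses.append((j["name"], j["deadline"]))
                j["remaining"] = 0
        ready = [j for j in jobs if j["release"] <= tick and j["remaining"] > 0]
        if not ready:
            table.append(None)
            continue
        # Earliest absolute deadline first; ties broken by earlier release for determinism.
        chosen = min(ready, key=lambda j: (j["deadline"], j["release"]))
        chosen["remaining"] -= 1
        table.append(chosen["name"])

    # Jobs still unfinished at the end of the hyperperiod have a deadline equal to the horizon.
    for j in jobs:
        if j["remaining"] > 0:
            misses.append((j["name"], j["deadline"]))
    return table, misses


def schedulable(tasks: List[Task]) -> bool:
    """True iff the static table meets every deadline in every hyperperiod."""
    return not build_static_schedule(tasks)[1]


# Constructed task sets for illustration (not from any real system).
DEMO_TASKS = [Task("A", 4, 1, 4), Task("B", 6, 2, 6), Task("C", 12, 3, 12)]
OVERLOADED_TASKS = [Task("A", 2, 1, 2), Task("B", 3, 2, 3)]  # utilisation above 1

if __name__ == "__main__":
    for label, ts in (("demo", DEMO_TASKS), ("overloaded", OVERLOADED_TASKS)):
        table, misses = build_static_schedule(ts)
        print(label, "schedulable" if not misses else f"REJECTED, misses={misses}")
        print("  table:", table)
```

The point the post makes shows up in the rejection path: the check is exhaustive over the hyperperiod, so an unschedulable set is refused at build time rather than discovered when an unlucky coincidence of releases ("avalanche") finally occurs in testing. The whole argument rests on `wcet` being a true upper bound, which is exactly why the language restriction to bounded loops matters.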