From: "Randy Brukardt"
Newsgroups: comp.lang.ada
Subject: Re: Quality systems (Was: Using Ada for device drivers? (Was: the Ada mandate, and why it collapsed and died))
Date: Fri, 23 May 2003 13:38:23 -0500
Organization: Posted via Supernews, http://www.supernews.com
References: <3ec4b1c9$1@news.wineasy.se> <9fa75d42.0305161748.1735fc32@posting.google.com> <4W%xa.28765$cK5.11964@nwrdny02.gnilink.net> <1053353256.804734@master.nyc.kbcfp.com>

Hyman Rosen wrote in message ...
>Randy Brukardt wrote:
>> Virtually every time I use a modular type, I end up tracking down some
>> bug at runtime that would have been caught had there been an overflow
>> check.
>
>Why are you using a modular type if you don't want the wraparound
>semantics? Just use regular types and do the mod yourself. It seems
>unAdalike to use the wrong tool for the job.

Your basic point is right, of course, but Ada doesn't quite completely cover the possibilities. Sometimes, the only choice is a modular type. Ada doesn't have unsigned but checked integer types.
You can define an unsigned subtype of a signed type, but not all compilers support the unsigned representation, and most do math with the next larger size of signed math. Depending on the processor, that can be more expensive (for instance, if the compiler supports 64-bit math on a 32-bit machine). Moreover, if you want the largest possible unsigned type (say 0 .. 2**32-1 or 0 .. 2**64-1), it has to be modular; you can't declare the needed signed type to make a subtype.

>> I often write checks like:
>> if Index-1 > 0 then
>
>Many of us would write
> if Index > 1
>and then not have any problems. Why do it the unnatural way?

Because the expression is usually more complex than that, and in any case, the problem makes it more natural to write it this way. Of course, you can refactor it -- that's how I usually fix such bugs -- but that usually makes the code harder to understand.

In any case, this is a relatively minor issue. It's annoying that Ada is less safe than it can be, but you can live with it.

Randy.
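The wraparound behaviour discussed in this exchange, as an added Ada example that is not from the thread: the Index - 1 > 0 guard on a modular type, the same guard on a signed subtype covering the same range, and the refactored form Hyman Rosen suggests. The type names are made up here, and the signed subtype assumes a 64-bit Long_Long_Integer (as in GNAT).

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Modular_Guard_Demo is
   --  Modular type: subtraction wraps around silently.
   type Word32 is mod 2**32;

   --  Same value range as a subtype of a signed type (assumes a 64-bit
   --  Long_Long_Integer, as in GNAT): 0 - 1 is computed in the base
   --  type and yields -1 instead of wrapping.
   subtype Unsigned_Range is Long_Long_Integer range 0 .. 2**32 - 1;

   --  The guard from the post.  For Index = 0 it becomes 2**32 - 1 > 0,
   --  which is True, so the "protective" check lets the zero through.
   function Guard_Modular (Index : Word32) return Boolean is
   begin
      return Index - 1 > 0;
   end Guard_Modular;

   --  Same expression on the signed subtype: -1 > 0 is False, as intended.
   function Guard_Signed (Index : Unsigned_Range) return Boolean is
   begin
      return Index - 1 > 0;
   end Guard_Signed;

   --  Hyman Rosen's rewrite: no intermediate result can wrap.
   function Guard_Refactored (Index : Word32) return Boolean is
   begin
      return Index > 1;
   end Guard_Refactored;

   M : Word32 := 0;
   S : Unsigned_Range := 0;
begin
   Put_Line ("modular    Index-1 > 0 at 0: " & Boolean'Image (Guard_Modular (M)));
   Put_Line ("signed     Index-1 > 0 at 0: " & Boolean'Image (Guard_Signed (S)));
   Put_Line ("refactored Index > 1   at 0: " & Boolean'Image (Guard_Refactored (M)));
   --  Where the signed subtype does catch the bug at run time: storing the
   --  decremented value back into the subtype fails the range check.
   begin
      S := S - 1;
      Put_Line ("signed decrement stored (unexpected)");
   exception
      when Constraint_Error =>
         Put_Line ("signed decrement at 0 raised Constraint_Error");
   end;
   --  The modular decrement just wraps to 2**32 - 1 and nothing complains.
   M := M - 1;
   Put_Line ("modular decrement at 0 gives" & Word32'Image (M));
end Modular_Guard_Demo;
```

Compile and run with gnatmake; the first Put_Line prints TRUE for the modular guard at zero, which is the bug Randy describes, while the signed variant prints FALSE and raises Constraint_Error on the stored decrement.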