From: Robert A Duff
Newsgroups: comp.arch.embedded,comp.lang.ada
Subject: Re: Certified C compilers for safety-critical embedded systems
Date: 26 Dec 2003 18:20:26 -0500
Organization: The World Public Access UNIX, Brookline, MA
References: <3fe00b82.90228601@News.CIS.DFN.DE> <3FE026A8.3CD6A3A@yahoo.com> <$km9afA3DB7$EAYO@phaedsys.demon.co.uk>

Chris Hills writes:

> In article , Larry Kilgallen
> writes
> >In article <$km9afA3DB7$EAYO@phaedsys.demon.co.uk>, Chris Hills
> > writes:
> >> In article <3fea086c.110513550@News.CIS.DFN.DE>, Dave Hansen
> >> writes
> >
> >>>But C can be, umm, subtle, and static checking tools (particularly
> >>>Lint) are IMHO _required_.  Sadly, they're not often used.
> >>
> >> There is NO EXCUSE for not using a static analyser on C.
> >
> >Certainly there is an excuse -- it is not enforced by the compiler.
> >
> >That is quite different from the situation with Ada.
>
> So it all has to be enforced by the compiler?

No, it doesn't.  I agree with you that (in principle) there's nothing
wrong with running 'lint' or whatever in addition to the compiler.
However, 'lint' (in the case of C) doesn't have enough information to
perform the checks that are routinely done by Ada compilers.

The issue is not (primarily) which tool does the analysis (the compiler
versus lint).  The issue is how much information about the intent of the
programmer is contained in the source code.

> The main difference between C and ADa is that the average ADA programmer
> is in a safety critical environment.  The average C programmer is not.

I think it's a mistake to assume that the "average" Ada programmer is
doing safety critical work.  Ada (and/or SPARK) are good in that
environment, but Ada is also quite good for writing run-of-the-mill
non-safety-critical programs, too.  I don't know the statistics, so I
can't say about "average", but the program I'm working on right now is
not safety critical, or even real-time or embedded, but I get some
productivity benefit from Ada's ability to allow me to express various
(compile-time-checkable) constraints.  So I don't agree that the "main"
difference between C and Ada is their environment.

(Boy, I guess the spelling police will really get after you for spelling
"Ada" wrong twice in the same sentence -- "ADa" and "ADA".  Sheesh.  ;-))

> If C program development was *normally* taught as though it was going to
> be used in a safety critical environment I think things would change.

Probably.  But to learn Ada, you have to first learn to write "Hello,
world", and then learn some more simple stuff, and so on.  Same with C.
Nobody learns to write real-time/embedded/high-integrity/safety-critical
stuff on the first try.

- Bob
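The point Bob makes about how much of the programmer's intent is in the source can be shown with a small C example. This is an added illustration, not code from the thread or from any of its participants; the percentage type, the bounds and the function names are constructed for the purpose. Where Ada lets you write a subtype such as "Integer range 0 .. 100" and have the compiler check it, a C "int" carries no range at all, so a static analyser has nothing to enforce unless the programmer writes the constraint out by hand, as below.

```c
/* Added example, not from the thread: making a range constraint explicit in
 * C so that a checker (or a test) has something to verify.  In Ada the
 * equivalent is a subtype declaration; here the typedef alone carries no
 * information, so every bound has to be written out at the boundaries.
 * All names and values are constructed for illustration. */
#include <assert.h>
#include <limits.h>
#include <stdbool.h>

/* The intended range 0..100 is not visible in the type; a lint tool sees
 * only "int".  The named bounds are the only record of the intent. */
typedef int percent_t;
#define PERCENT_MIN 0
#define PERCENT_MAX 100

/* What C can check at compile time is limited to constant expressions. */
_Static_assert(PERCENT_MIN < PERCENT_MAX, "percent bounds must be ordered");

/* The range check an Ada compiler would generate for the subtype, written by
 * hand.  Keeping it in one place lets an analyser at least see it reused. */
static bool percent_valid(int v)
{
    return v >= PERCENT_MIN && v <= PERCENT_MAX;
}

/* Boundary conversion: an arbitrary int becomes a percent_t only if it is in
 * range; out-of-range input is rejected rather than silently accepted. */
bool percent_from_int(int v, percent_t *out)
{
    if (!percent_valid(v))
        return false;
    *out = v;
    return true;
}

/* Apply a percentage to a total.  Because the precondition on p is stated,
 * the only remaining overflow risk is total * p, which is ruled out by
 * bounding total against INT_MAX / PERCENT_MAX.  Without the stated range
 * on p, no tool could decide whether this multiplication is safe. */
bool percent_of(percent_t p, int total, int *out)
{
    if (!percent_valid(p) || total < 0 || total > INT_MAX / PERCENT_MAX)
        return false;
    *out = (total * p) / PERCENT_MAX;
    return true;
}

/* Small wrappers that fold success/failure into one return value (-1 on
 * rejection) so the behaviour can be checked as plain function results. */
int checked_percent(int v)
{
    percent_t p;
    return percent_from_int(v, &p) ? p : -1;
}

int checked_percent_of(int p, int total)
{
    int r;
    return percent_of(p, total, &r) ? r : -1;
}

int main(void)
{
    /* Constructed inputs: one in range, one out of range, one overflow. */
    assert(checked_percent(50) == 50);
    assert(checked_percent(101) == -1);
    assert(checked_percent_of(50, 200) == 100);
    assert(checked_percent_of(50, INT_MAX) == -1);
    return 0;
}
```

The contrast is the point: every line of checking above is something the Ada type system expresses in one declaration, and because it lives in the C source only as ordinary code, a static analyser can verify it only to the extent the programmer remembered to write it.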