comp.lang.ada
From: Robert A Duff <bobduff@world.std.com>
Subject: Re: Is an RTOS Required for Ada?
Date: 1999/06/09
Message-ID: <wccn1y9i9f2.fsf@world.std.com>
In-Reply-To: FCCLAJ.Esq@sd.aonix.com

The question was why is a no-run-time-system implementation of Ada
better for safety-critical applications.  I don't think Robert Dewar and
George Romanski have answered it in the technical sense.  They both
seemed to be saying, "because the standards say so".  Well, that's a
reason, but it's not a *technical* reason.

"George Romanski" <romanski@aonix.com> writes:
> Let's take an array assignment as an example.
> If the arrays do not overlap (slicing is forbidden) then a single decision
> may be present (for the loop - assuming the loop is not unrolled)
> 
> Providing the assignment is completed the decision would have been
> evaluated both true and false.
> 
> If the arrays overlap, then a decision may be required to decide
> the direction of the indexing, and a decision for the loop.
> 
> If the array has a smaller component size than a normal addressed
> memory unit (e.g. we can move a word quicker than 4 bytes) then the
> loop may move words until it gets to the edges.  This will require
> more decisions for the operation.
> 
> For Level B code, ALL decisions must be shown to have been taken
> in both directions.  ( or the code must be identified and analysed
> explicitly).  It may be hard to write test conditions that evaluate all
> inlined decisions in both directions.

Fine -- we both agree that the more complicated the code is, the harder
it is to test and verify.  But I don't see how putting any of the above
array-assignment algorithms in a run-time system, as opposed to
generated code, makes things worse.  If anything, it should make things
easier, because there's only one copy of that algorithm to verify
(recall Robert's 1 machine instruction per day metric).

> My personal view (there is majority, but no consensus on this at present) is
> that inserted code which includes decisions must be identified and verified,
> for level B.  For level A multiple conditions would require additional
> verification.
> 
> Inserted code that includes no branches will be verified with the
> application itself, it must be shown that it has been executed, but
> may not require specific tests.

I'm not sure what you mean by "inserted code".  Is it any different than
"generated code"?  Does it make any difference to what extent the
compiler is table driven?  I don't see why it should.

In any case, it seems to me that OF COURSE you have to verify all the
code in a safety-critical application -- and that OF COURSE includes
code from a run-time system, if any.  And you have to do your analysis
at the machine code level, because you don't trust the compiler.

- Bob
-- 
Change robert to bob to get my real email address.  Sorry.
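The array-assignment routine Romanski describes, with every decision it introduces instrumented so a harness can check that each one has been taken both ways. This is an added example for this archive page, not code from the thread or from any Ada run-time system; it is written in C rather than Ada so it compiles here, and the decision names, the 4-byte word size and the three test vectors are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every Boolean decision in the copy routine gets an id (hypothetical names)
 * so the harness can count how often it evaluated true and how often false. */
enum decision {
    D_OVERLAP_BACKWARD, /* dst lies inside [src, src+n): copy backward */
    D_WORD_LOOP,        /* at least one whole 4-byte word left to move */
    D_TAIL_LOOP,        /* byte loop for the trailing remainder        */
    D_BACKWARD_LOOP,    /* byte loop of the backward copy              */
    D_COUNT
};
static unsigned cov_true[D_COUNT], cov_false[D_COUNT];

/* Record the outcome of decision d and pass it through unchanged. */
static bool dec(enum decision d, bool outcome)
{
    if (outcome) cov_true[d]++; else cov_false[d]++;
    return outcome;
}
void cov_reset(void) { memset(cov_true, 0, sizeof cov_true); memset(cov_false, 0, sizeof cov_false); }
/* Decision coverage in the DO-178B sense: has d been seen both true and false? */
bool cov_both(enum decision d) { return cov_true[d] > 0 && cov_false[d] > 0; }
int decisions_covered_both_ways(void)
{
    int k = 0;
    for (int d = 0; d < D_COUNT; d++) k += cov_both((enum decision)d);
    return k;
}

/* The array assignment, shaped like the routine Romanski describes: an overlap
 * test picks the direction, a word loop moves the bulk of a forward copy, and
 * byte loops handle the edges. */
void copy_bytes(unsigned char *dst, const unsigned char *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    /* Two conditions joined by &&: Level B needs the whole expression seen true
     * and false; Level A (MC/DC) also needs each condition shown to affect the
     * outcome on its own, which this tracker does not record. */
    if (dec(D_OVERLAP_BACKWARD, d > s && d - s < n)) {
        size_t i = n;
        while (dec(D_BACKWARD_LOOP, i > 0)) { i--; dst[i] = src[i]; }
    } else {
        size_t i = 0;
        while (dec(D_WORD_LOOP, n - i >= 4)) {
            uint32_t w;                /* read the whole word before writing */
            memcpy(&w, src + i, 4);    /* it, so a dst < src overlap is safe */
            memcpy(dst + i, &w, 4);
            i += 4;
        }
        while (dec(D_TAIL_LOOP, i < n)) { dst[i] = src[i]; i++; }
    }
}

/* Constructed test vectors; each returns whether the copy came out right. */
static bool vec_disjoint(void)          /* no overlap, 10 bytes */
{
    unsigned char src[] = "0123456789", dst[sizeof src] = {0};
    copy_bytes(dst, src, 10);
    return memcmp(dst, src, 10) == 0;
}
static bool vec_overlap_backward(void)  /* dst two bytes past src */
{
    unsigned char buf[] = "abcdefgh";
    copy_bytes(buf + 2, buf, 6);
    return memcmp(buf, "ababcdef", 8) == 0;
}
static bool vec_overlap_forward(void)   /* dst two bytes before src */
{
    unsigned char buf[] = "abcdefgh";
    copy_bytes(buf, buf + 2, 6);
    return memcmp(buf, "cdefghgh", 8) == 0;
}
/* Only the disjoint case: the overlap test is never true and the backward loop
 * never runs, so two of the four decisions stay one-sided. */
int demo_disjoint_only(void)
{
    cov_reset();
    vec_disjoint();
    return decisions_covered_both_ways();
}
/* All three vectors: every decision has now been taken both ways. */
int demo_full_suite(void)
{
    cov_reset();
    vec_disjoint(); vec_overlap_backward(); vec_overlap_forward();
    return decisions_covered_both_ways();
}
bool all_copies_correct(void)
{
    return vec_disjoint() && vec_overlap_backward() && vec_overlap_forward();
}
int main(void)
{
    printf("disjoint only: %d of %d decisions both ways\n", demo_disjoint_only(), (int)D_COUNT);
    printf("full suite:    %d of %d decisions both ways\n", demo_full_suite(), (int)D_COUNT);
    return all_copies_correct() ? 0 : 1;
}
```

Compiled as is, the program reports 2 of 4 decisions taken both ways after the disjoint copy alone and 4 of 4 once the two overlapping cases are added. The count, and the test vectors needed to reach it, are the same whether this routine is emitted inline by the compiler or called from a run-time library; the only difference is how many copies of it have to be analysed.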


Thread overview: 23+ messages
1999-05-13  0:00 Is an RTOS Required for Ada? Tramse
1999-05-13  0:00 ` Marin David Condic
1999-05-13  0:00 ` Rakesh Malhotra
1999-05-14  0:00   ` Tramse
1999-05-16  0:00     ` Robert Dewar
1999-05-19  0:00       ` Robert A Duff
1999-05-20  0:00         ` Robert Dewar
1999-05-25  0:00           ` George Romanski
1999-05-25  0:00             ` Robert Dewar
1999-05-26  0:00               ` George Romanski
1999-05-28  0:00                 ` Robert Dewar
1999-06-09  0:00                 ` Robert A Duff [this message]
1999-06-09  0:00                   ` Robert Dewar
1999-05-28  0:00               ` Rod Chapman
1999-05-28  0:00                 ` Robert Dewar
1999-05-28  0:00                   ` Richard D Riehle
1999-05-28  0:00                     ` David C. Hoos, Sr.
1999-05-20  0:00       ` Tarjei Tjøstheim Jensen
1999-05-20  0:00         ` Larry Kilgallen
1999-05-20  0:00           ` Tarjei Tjøstheim Jensen
1999-05-20  0:00             ` Larry Kilgallen
1999-05-21  0:00             ` Robert Dewar
1999-05-16  0:00 ` Robert Dewar