From: Simon Wright <simon@pushface.org>
Subject: Re: A case where Ada defaults to unsafe?
Date: 05 Jan 2002 10:57:17 +0000
Date: 2002-01-05T10:57:17+00:00 [thread overview]
Message-ID: <x7vn0ztysj6.fsf@smaug.pushface.org> (raw)
In-Reply-To: a15j7p$ogtku$1@ID-25716.news.dfncis.de
"Nick Roberts" <nickroberts@adaos.worldonline.co.uk> writes:
> Original code:
>
>
> if Fire_Alarm(Engine) and Gearbox_Alarm(Engine) then -- A
> Activate_Extinguisher(Engine,Trickle_Mode);
> end if;
> if Gearbox_Alarm(Engine) then -- B
> Display.Activate(Gearbox_Alert(Engine));
> end if;
>
>
> Supposing a programmer comes back to this code, having been told to do her
> best to make indications code precede actions code. She might make the
> following change:
>
>
> if Gearbox_Alarm(Engine) then -- B
> Display.Activate(Gearbox_Alert(Engine));
> end if;
> if Fire_Alarm(Engine) and Gearbox_Alarm(Engine) then -- A
> Activate_Extinguisher(Engine,Trickle_Mode);
> end if;
>
>
> based on the simple deduction that since the call to Gearbox_Alarm could be
> made before the call to Fire_Alarm in line A, she can assume that Fire_Alarm
> does not need to be called before Gearbox_Alarm, and that it is therefore
> safe to move the call the Gearbox_Alarm in line B to precede the call to
> Fire_Alarm in line A.
>
> If line A had contained "and then" instead of "and", she would not have been
> able to make this deduction, and may have not made an improvement to the
> code (which just might save a pilot's life one day).
I find it quite hard to imagine this scenario, I must say.
We have a safety-related system where it is important that the
extinguisher is set off as soon as possible and activating the gearbox
alert takes sufficiently long that it can delay the extinguisher
activation beyond tolerance[1]. And we are allowing a programmer to
change this code without any process to ensure that the safety
properties of the system aren't compromised?
[1] If I'm wrong about why you think your example causes a problem,
that (to my mind) reinforces the point that making subtle deductions
about the intent of the designer from details of the implementation is
a big mistake.
next prev parent reply other threads:[~2002-01-05 10:57 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-01-03 20:29 A case where Ada defaults to unsafe? Hyman Rosen
2002-01-03 20:38 ` Darren New
2002-01-03 21:36 ` Hyman Rosen
2002-01-04 14:29 ` Wes Groleau
2002-01-03 21:27 ` James Rogers
2002-01-03 21:32 ` Frank J. Lhota
2002-01-03 21:51 ` Hyman Rosen
2002-01-03 22:22 ` Ted Dennison
2002-01-03 23:07 ` Hyman Rosen
2002-01-03 23:38 ` Nick Williams
2002-01-04 0:15 ` Florian Weimer
2002-01-04 7:40 ` Preben Randhol
2002-01-04 14:39 ` Wes Groleau
2002-01-04 15:16 ` Ted Dennison
2002-01-04 3:35 ` Eric Merritt
2002-01-04 14:39 ` Robert A Duff
2002-01-04 14:27 ` Robert A Duff
2002-01-04 15:39 ` Larry Kilgallen
2002-01-04 15:57 ` Ted Dennison
2002-01-04 16:05 ` Ted Dennison
2002-01-10 21:22 ` Robert A Duff
2002-01-11 9:14 ` Dmitry A. Kazakov
2002-01-04 16:19 ` Brian Rogoff
2002-01-04 16:31 ` Ted Dennison
2002-01-08 20:55 ` Mark Lundquist
2002-01-16 0:14 ` Matthew Heaney
2002-01-16 20:19 ` Robert A Duff
2002-01-10 21:29 ` Robert A Duff
2002-01-11 9:25 ` Dmitry A. Kazakov
2002-01-19 0:35 ` Brian Rogoff
2002-01-19 14:15 ` Robert A Duff
2002-01-19 23:10 ` Brian Rogoff
2002-01-04 16:29 ` Robert Dewar
2002-01-04 17:32 ` Hyman Rosen
2002-01-04 18:50 ` Matthew Heaney
2002-01-04 18:56 ` Darren New
2002-01-04 19:10 ` Hyman Rosen
2002-01-04 20:08 ` Matthew Heaney
2002-01-04 20:14 ` Ted Dennison
2002-01-04 20:20 ` Hyman Rosen
2002-01-04 21:16 ` Larry Kilgallen
2002-01-04 21:33 ` Ted Dennison
2002-01-07 15:39 ` Hyman Rosen
2002-01-07 16:06 ` Ted Dennison
2002-01-07 16:50 ` Larry Kilgallen
2002-01-07 17:18 ` Hyman Rosen
2002-01-07 17:26 ` Pat Rogers
2002-01-07 18:12 ` Hyman Rosen
2002-01-07 18:40 ` FGD
2002-01-07 20:04 ` Pat Rogers
2002-01-05 0:08 ` Nick Roberts
2002-01-05 10:57 ` Simon Wright [this message]
2002-01-08 23:27 ` Nick Roberts
2002-01-09 9:58 ` Stuart Palin
2002-01-09 11:11 ` Nick Roberts
2002-01-10 20:32 ` Robert A Duff
2002-01-11 9:45 ` Stuart Palin
2002-01-11 13:32 ` Robert A Duff
2002-01-11 20:26 ` Literate Programming [was: A case where ...] Nick Roberts
2002-01-12 16:37 ` Georg Bauhaus
2002-01-13 14:46 ` Nick Roberts
2002-01-14 14:17 ` Eric Merritt
2002-01-14 23:20 ` Nick Roberts
2002-01-15 18:54 ` Eric Merritt
2002-01-14 14:34 ` Stephen Leake
2002-01-14 13:14 ` A case where Ada defaults to unsafe? Stuart Palin
2002-01-14 14:38 ` Preben Randhol
2002-01-16 6:00 ` Simon Wright
2002-01-17 3:04 ` David Starner
2002-01-17 15:08 ` Georg Bauhaus
2002-01-17 20:25 ` Simon Wright
2002-01-17 9:56 ` Stuart Palin
[not found] ` <3 <3C469FE6.B2C67ED6@baesystems.com>
2002-01-17 20:32 ` Simon Wright
2002-01-14 14:35 ` Preben Randhol
2002-01-14 16:36 ` Robert A Duff
2002-01-12 12:27 ` Simon Wright
2002-01-05 0:32 ` Robert Dewar
2002-01-14 16:09 ` Matthieu Moy
2002-01-20 8:59 ` Hyman Rosen
2002-01-20 19:13 ` Jim Rogers
2002-01-20 21:19 ` Ray Blaak
2002-01-03 22:07 ` Ted Dennison
2002-01-04 17:12 ` Preben Randhol
2002-01-04 17:21 ` Jean-Marc Bourguet
2002-01-04 18:54 ` Ted Dennison
2002-01-04 3:17 ` Larry Kilgallen
2002-01-04 8:27 ` Thierry Lelegard
2002-01-04 8:39 ` tmoran
2002-01-04 9:03 ` Thierry Lelegard
2002-01-04 14:43 ` Wes Groleau
2002-01-04 15:45 ` Ted Dennison
2002-01-04 16:37 ` Wes Groleau
2002-01-04 16:56 ` Ted Dennison
2002-01-04 11:51 ` Larry Kilgallen
2002-01-04 12:41 ` M. A. Alves
2002-01-04 15:42 ` Ted Dennison
2002-01-04 17:16 ` Hyman Rosen
2002-01-04 19:12 ` Ted Dennison
2002-01-04 23:36 ` Matthew Woodcraft
2002-01-05 15:00 ` Steve Doiel
2002-01-10 20:49 ` Robert A Duff
-- strict thread matches above, loose matches on Subject: below --
2002-01-03 23:18 Gautier Write-only-address
2002-01-03 23:26 Gautier Write-only-address
2002-01-03 23:54 ` Larry Hazel
2002-01-04 14:33 ` Robert A Duff
2002-01-05 12:47 Gautier Write-only-address
2002-01-07 16:24 ` Ted Dennison
2002-01-07 18:17 ` FGD
2002-01-07 18:21 ` Hyman Rosen
2002-01-07 20:26 ` Matthew Woodcraft
2002-01-07 21:16 ` Hyman Rosen
2002-01-13 8:23 ` Hyman Rosen
2002-01-13 9:06 ` Preben Randhol
2002-01-13 10:41 ` Larry Kilgallen
2002-01-14 5:47 ` Hyman Rosen
2002-01-14 12:41 ` Georg Bauhaus
2002-01-13 18:21 ` Michal Nowak
2002-01-14 1:29 ` Ted Dennison
2002-01-14 14:36 ` Ted Dennison
2002-01-14 22:43 ` Michal Nowak
2002-01-10 20:47 ` Robert A Duff
2002-01-10 23:37 ` Preben Randhol
2002-01-11 1:31 ` Robert A Duff
2002-01-11 20:32 ` Nick Roberts
2002-01-11 16:47 ` Hyman Rosen
2002-01-07 16:45 Gautier Write-only-address
2002-01-07 19:33 ` Ted Dennison
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox