From: Simon Wright
Newsgroups: comp.lang.ada
Subject: Re: A case where Ada defaults to unsafe?
Date: 05 Jan 2002 10:57:17 +0000
Organization: Pushface

"Nick Roberts" writes:

> Original code:
>
>    if Fire_Alarm(Engine) and Gearbox_Alarm(Engine) then -- A
>       Activate_Extinguisher(Engine,Trickle_Mode);
>    end if;
>    if Gearbox_Alarm(Engine) then -- B
>       Display.Activate(Gearbox_Alert(Engine));
>    end if;
>
> Supposing a programmer comes back to this code, having been told to do her
> best to make indications code precede actions code. She might make the
> following change:
>
>    if Gearbox_Alarm(Engine) then -- B
>       Display.Activate(Gearbox_Alert(Engine));
>    end if;
>    if Fire_Alarm(Engine) and Gearbox_Alarm(Engine) then -- A
>       Activate_Extinguisher(Engine,Trickle_Mode);
>    end if;
>
> based on the simple deduction that since the call to Gearbox_Alarm could be
> made before the call to Fire_Alarm in line A, she can assume that Fire_Alarm
> does not need to be called before Gearbox_Alarm, and that it is therefore
> safe to move the call to Gearbox_Alarm in line B to precede the call to
> Fire_Alarm in line A.
>
> If line A had contained "and then" instead of "and", she would not have been
> able to make this deduction, and may have not made an improvement to the
> code (which just might save a pilot's life one day).

I find it quite hard to imagine this scenario, I must say. We have a
safety-related system where it is important that the extinguisher is set
off as soon as possible and activating the gearbox alert takes
sufficiently long that it can delay the extinguisher activation beyond
tolerance[1]. And we are allowing a programmer to change this code
without any process to ensure that the safety properties of the system
aren't compromised?

[1] If I'm wrong about why you think your example causes a problem, that
(to my mind) reinforces the point that making subtle deductions about the
intent of the designer from details of the implementation is a big
mistake.
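The difference the thread turns on, shown as a compilable Ada program added here (it is not code from either poster): with the non-short-circuit "and" both alarm queries are always called and Ada leaves their order unspecified, whereas "and then" guarantees left-to-right evaluation and skips the right operand when the left is False. The Fire_Alarm and Gearbox_Alarm functions, the Engine_Id type and the sensor values are constructed stand-ins for the quoted code; each query appends its name to a trace so the calls a given form actually makes are visible.

```ada
with Ada.Text_IO;           use Ada.Text_IO;
with Ada.Strings.Unbounded; use Ada.Strings.Unbounded;

procedure Alarm_Evaluation is

   type Engine_Id is range 1 .. 2;

   --  Constructed sensor state: engine 1 has a gearbox alarm but no fire,
   --  engine 2 has both alarms raised.
   Fire_State    : constant array (Engine_Id) of Boolean := (False, True);
   Gearbox_State : constant array (Engine_Id) of Boolean := (True,  True);

   --  Trace of which queries ran, in the order the compiler ran them.
   Trace : Unbounded_String;

   --  Stand-in for the Fire_Alarm query in the quoted code.
   function Fire_Alarm (Engine : Engine_Id) return Boolean is
   begin
      Append (Trace, "Fire_Alarm ");
      return Fire_State (Engine);
   end Fire_Alarm;

   --  Stand-in for the Gearbox_Alarm query in the quoted code.
   function Gearbox_Alarm (Engine : Engine_Id) return Boolean is
   begin
      Append (Trace, "Gearbox_Alarm ");
      return Gearbox_State (Engine);
   end Gearbox_Alarm;

   --  Print the value of the condition and the calls made while
   --  evaluating it, then clear the trace for the next case.
   procedure Report (Label : String; Result : Boolean) is
   begin
      Put_Line (Label & " => " & Boolean'Image (Result)
                & "   calls made: " & To_String (Trace));
      Trace := Null_Unbounded_String;
   end Report;

begin
   --  Plain "and": both operands are evaluated whatever the left one
   --  returns, and the language does not fix which is evaluated first,
   --  so Gearbox_Alarm runs even though Fire_Alarm already decided the
   --  result. The order printed is this compiler's choice, not a guarantee.
   Report ("engine 1, and      ", Fire_Alarm (1) and Gearbox_Alarm (1));

   --  "and then": strictly left to right, and the right operand is not
   --  evaluated when the left one is False. Gearbox_Alarm is never called.
   Report ("engine 1, and then ", Fire_Alarm (1) and then Gearbox_Alarm (1));

   --  With both alarms raised the two forms agree on the value and on the
   --  set of calls; only "and then" promises the Fire_Alarm-first order.
   Report ("engine 2, and      ", Fire_Alarm (2) and Gearbox_Alarm (2));
   Report ("engine 2, and then ", Fire_Alarm (2) and then Gearbox_Alarm (2));
end Alarm_Evaluation;
```

Build and run with gnatmake (for example `gnatmake alarm_evaluation.adb && ./alarm_evaluation`). The engine 1 lines are the point: the "and" form calls both queries, the "and then" form calls only Fire_Alarm, so the ordering deduction described in the quoted post is licensed by the weaker form and ruled out by the stronger one, exactly as the reply argues should not be left to inference from the source text.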