From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.4 X-Google-Language: ENGLISH,ASCII-7-bit X-Google-Thread: f849b,b8d52151b7b306d2 X-Google-Attributes: gidf849b,public X-Google-Thread: 103376,a00006d3c4735d70 X-Google-Attributes: gid103376,public X-Google-ArrivalTime: 2003-12-26 22:24:30 PST Path: archiver1.google.com!news2.google.com!newsfeed2.dallas1.level3.net!news.level3.com!crtntx1-snh1.gtei.net!news.gtei.net!chcgil2-snh1.gtei.net!news.bbnplanet.com!wn14feed!worldnet.att.net!attbi_feed3!attbi.com!attbi_s53.POSTED!not-for-mail From: "Jeff C," Newsgroups: comp.arch.embedded,comp.lang.ada References: <3fe00b82.90228601@News.CIS.DFN.DE> <3FE026A8.3CD6A3A@yahoo.com> <$km9afA3DB7$EAYO@phaedsys.demon.co.uk> Subject: Re: Certified C compilers for safety-critical embedded systems X-Priority: 3 X-MSMail-Priority: Normal X-Newsreader: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Message-ID: NNTP-Posting-Host: 24.34.215.119 X-Complaints-To: abuse@comcast.net X-Trace: attbi_s53 1072506270 24.34.215.119 (Sat, 27 Dec 2003 06:24:30 GMT) NNTP-Posting-Date: Sat, 27 Dec 2003 06:24:30 GMT Organization: Comcast Online Date: Sat, 27 Dec 2003 06:24:30 GMT Xref: archiver1.google.com comp.arch.embedded:6145 comp.lang.ada:3839 Date: 2003-12-27T06:24:30+00:00 List-Id: "James Rogers" wrote in message news:Xns945DE49836882jimmaureenrogers@204.127.36.1... > Robert A Duff wrote in > news:wccekur4151.fsf@shell01.TheWorld.com: > > > Chris Hills writes: > >> So it all has to be enforced by the compiler? > > > > No, it doesn't. I agree with you that (in principle) there's nothing > > wrong with running 'lint' or whatever in addition to the compiler. > > However, 'lint' (in the case of C) doesn't have enough information > > to perform the checks that are routinely done by Ada compilers. > > Two simple examples are array bounds checking and scalar range checking. > > The C standard explicitly permits accessing one element beyond the end > of an array. Neither the C compiler nor lint can determine if an array > index is outside the bounds of the array. Ada compilers detect static > references beyond the end of an array every time. > > Examples: > > int foo[10]; > > int i; > > for(i = 0; i < 100; ++i) > { > foo[i] = i; > } > > Although human inspection clearly identifies the for loop indices > to be beyond the bounds of the array, neither the C compiler nor lint > will detect the problem. Since the problem can be clearly identified While most C compilers and lint won't find this, there are static analysis tools that can. Granted the tools may be able to do a better job on Ada code because there is more information to work with but simple cases like you presented here (even if the loop was "far away:" from foo) can be detected by tools like Programming Research QA C (No Ada Available) and Polyspace (Ada available).. Perhaps even by the LDRA static analysis tools (Ada available) though I have less to go on for this tool.