home *** CD-ROM | disk | FTP | other *** search
- Path: anvil.ugrad.cs.ubc.ca!not-for-mail
- From: c2a192@ugrad.cs.ubc.ca (Kazimir Kylheku)
- Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++
- Subject: Re: C/C++ knocks the crap out of Ada
- Date: 1 Mar 1996 11:41:08 -0800
- Organization: Computer Science, University of B.C., Vancouver, B.C., Canada
- Message-ID: <4h7jskINNnph@anvil.ugrad.cs.ubc.ca>
- References: <00001a73+00002504@msn.com> <1996Feb22.005518.13396@leeweyr.sccsi.com> <4gvrffINNlqo@anvil.ugrad.cs.ubc.ca> <4h5hgj$vpd@tomquartz.niestu.com>
- NNTP-Posting-Host: anvil.ugrad.cs.ubc.ca
-
- In article <4h5hgj$vpd@tomquartz.niestu.com>,
- Chip Richards <chipr@niestu.com> wrote:
- >Sigh.
- >
- >In article <4gvrffINNlqo@anvil.ugrad.cs.ubc.ca>, Kazimir Kylheku writes:
- >
- > What is intrinsically unsafe about C?
- >
- >Lots of things. How much time have you?
- >
- >My current employer produces industrial process control systems. Ada and C
- >were considered for the implementation back in 1981, but neither was
- >sufficiently well-supported on the "mandated" hardware, so an extended Pascal
- >was chosen instead. That decision has paid off repeatedly in terms of
- >reliability, which translates directly into a reduction in certain unpleasant
- >side-effects such as down-time, explosions, lawsuits, and even injuries and
- >death.
- >
- >The most common failure for one of these control computers is "range check",
- >which is completely missing from C. Certainly, a C coder *could* add range
-
- The C states that accessing arrays past their boundaries is undefined behavior.
- Some implementations offer range checking, though it's not required.
-
- >checks, but so could those Pascal programmers. However, if they had, the
- >compiler-generated checks would not be triggered. C programmers, feeling
- >"close to the hardware" and so often paying homage to the god of "efficiency",
- >fail to put checks in just as often, but their compiler provides no option for
- >backing them up in those instances.
-
- This is false. There are compilers which offer range checking. In a situation
- where safety-critical software is designed, such a compiler should be used.
- No feature of the C standard is incompatible with an implementation that offers
- range checking. The only fault is that it is not made a mandatory
- implementation feature. And if it were, the lack of an official validation
- suite would still take away from your confidence.
-
- >There actually was an over-zealous vice-president who, upon learning that the
- >most common error was a range check, suggested that all the range checks be
- >removed from the code, thus preventing the majority of errors! Cooler heads,
-
-
- >who understand that it is much better (given the control system architecture)
- >to simply stop processing than to continue processing with erroneous data,
- >prevailed, and the range checks are still shipping.
- >
- > I could write a strict, standard-conforming, anally-retentive program in
- > any language that could kill people (maliciously, of course).
- >
- >So you could. So could I, so could anyone. What is much more the treat (and
- >much more difficult) is to write a program (*any* program) which does *not*
- >kill people, even when it is entrusted with their safety. The skill lies not
- >in writing a dangerous program intentionally, but in *not* writing such a
- >program *unintentionally*.
-
- This is a matter of religious debate. The programming tools can catch some
- trivial mistakes (such as range overruns), but many other mistakes are not
- easily caught. I just found a bug in a project that I'm working on which was
- simply an incorrect calculation. It could easily have been written in Ada, and
- wasn't all _that_ trivial to find.
-
- I bet I could get a Fortran programmer to write Ada code that looks like Ada
- but is really Fortran in disguise. :)
-
- >Oh, this is rich! Have the words "implementation defined" been driven from
- >that spec? Have they at least been eliminated from the *important* areas,
- >like bitfields? Formality of specification and predictability of results are
-
- Bitfields are important? They are rarely used. Some aspects of bitfields are
- well-defined. They serve a purpose, which is compact storage of small integers
- at some computing cost. There is a way to use them properly, in a well-defined
- manner. Using bitmasks defined as symbolic constants is also well-defined and
- portable. The unsigned long type is guaranteed large enough to hold 32 bits.
-
- The ULONG_MAX constant defined in the <limits.h> header file is at least
- 2^32-1, which makes unsigned long suitable for storing a bitfield of size 32.
-
- >attributes that all languages possess to smaller or greater degree; I would
- >venture to say that C++ exceeds C in these areas, and Ada exceeds C++. And
- >Ada could itself stand some work.
- >
- > I don't think you can say the same for Ada or C++.
- >
- >Well, obviously *you* can't say that about Ada or C++, but only because you
- >are underinformed. I can say i.t fine: Ada95 is *already* an ISO standard,
-
- I have apologized for that error already.
-
- >and C++ is well along its way to becoming one.
-
- Which is far from actually being standardized. Until I can actually go out and
- put my hands on the document, it is ``vaporware''.
- --
-
-