comp.lang.ada
From: dewar@gnat.com (Robert Dewar)
Subject: Re: C.A.R. Hoare on liability
Date: 21 Jun 2002 04:55:50 -0700
Message-ID: <5ee5b646.0206210355.3533be8f@posting.google.com>
In-Reply-To: 3D0E09BA.A492AA3D@despammed.com

Wes Groleau <wesgroleau@despammed.com> wrote in message news:<3D0E09BA.A492AA3D@despammed.com>...
> Tying together two recent threads,
> a quote from "The Emperor's Old Clothes":
> 
>     ... we asked our customers whether they wished us
>     to provide an option to switch off these checks
>     in the interests of efficiency on production runs. 
>     Unanimously, they urged us not to--they already knew
>     how frequently subscript errors occur on production
>     runs where failure to detect them would be disastrous. 
>     I note with fear and horror that even in 1980, language
>     designers and users have not learned this lesson. 
>     In any respectable branch of engineering, failure
>     to observe such elementary precautions would have
>     long been against the law.

Three comments:

First, runtime checks can be deadly if you have not done proper analysis
of how they can be handled, since they can turn trivial errors that would
not interfere with overall correct function into disasters (Ariane 5 is
an example of this in action).

Second, in safety critical code you often turn run time checks off, because
you rely on other means to ensure that these checks can never fail. See for
example the work that Praxis has done in proving programs to be exception
free. With such a proof in hand, run time checks can be a menace for
certification since you have a whole bunch of useless deactivated code.

Third, there are situations in which the extra overhead from runtime checks,
small though it may be, is unacceptable. It is no use saying to someone, sorry
we know that if the checks could be turned off, you could use Ada just fine,
but we have decided in Ada 0X that it was a terrible idea to allow people to
do this, so you will have to use C instead.

As to customers who can't trust themselves to follow their own procedures, I
have no sympathy whatever. Procedures should be enforced by a combination of
review and tools, and failure to put in the effort for such enforcement is
sloppy workmanship in my view.

For example, I would think that project files that describe the required
compilation options should be under very strict configuration control, and
not something that can casually be modified by someone who does not know
what they are doing.
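The first two comments above, as an added example that is not part of Dewar's post: a float-to-integer conversion of the kind behind the Ariane 5 failure, once with the range check left active (an unhandled Constraint_Error takes the task down) and once with an explicit saturation guard that makes the check provably unnecessary, so that suppressing it changes nothing. The type and procedure names are invented for the illustration; it assumes a GNAT-style compiler with checks enabled by default.

```ada
-- Added example, not from the original post: one conversion relying on
-- the runtime range check, one relying on an explicit guard instead.
with Ada.Text_IO; use Ada.Text_IO;

procedure Range_Check_Demo is
   -- Hypothetical 16-bit signed quantity fed from a floating-point sensor.
   type Bias_16 is range -32_768 .. 32_767;

   -- Checks on: an out-of-range value raises Constraint_Error here, and if
   -- nothing handles it the exception propagates out of the caller.
   function To_Bias (Raw : Float) return Bias_16 is
   begin
      return Bias_16 (Raw);
   end To_Bias;

   -- Same conversion guarded explicitly: the result is saturated to the
   -- type's bounds first, so the range check can never fail and can be
   -- suppressed without changing behaviour (the "other means" of comment 2).
   function To_Bias_Saturated (Raw : Float) return Bias_16 is
      pragma Suppress (Range_Check);
   begin
      if Raw >= Float (Bias_16'Last) then
         return Bias_16'Last;
      elsif Raw <= Float (Bias_16'First) then
         return Bias_16'First;
      else
         return Bias_16 (Raw);
      end if;
   end To_Bias_Saturated;

begin
   -- Guarded path: a wildly out-of-range reading clamps to 32767.
   Put_Line ("saturated: " & Bias_16'Image (To_Bias_Saturated (1.0E9)));

   -- Checked path: the same reading trips the runtime check. Handling it
   -- locally is what keeps a "trivial" error from becoming a disaster.
   begin
      Put_Line ("checked: " & Bias_16'Image (To_Bias (1.0E9)));
   exception
      when Constraint_Error =>
         Put_Line ("checked: Constraint_Error, conversion out of range");
   end;
end Range_Check_Demo;
```

Compiling with checks suppressed globally (for example GNAT's -gnatp) silently removes the check in To_Bias as well, which is why the guarded form, or a proof that the check cannot fail, is needed before checks are turned off.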


