From: Niklas Holsti
Newsgroups: comp.lang.ada
Subject: Re: How to get Ada to "cross the chasm"?
Date: Fri, 11 May 2018 22:22:18 +0300
Organization: Tidorum Ltd
References: <87k1sg2qux.fsf@nightsong.com> <87h8njmk4r.fsf@nightsong.com> <87po27fbv9.fsf@nightsong.com> <87in7x62vw.fsf@nightsong.com> <878t8szdtk.fsf@nightsong.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 18-05-11 02:15 , Dennis Lee Bieber wrote:

[about restrictions imposed in critical SW]

> Even Ada's tasking wasn't allowed -- apparently because the RTL isn't
> deterministic enough.

In my experience of such cases, the crux is usually not non-determinism,
but the requirement to validate, or qualify, the Run-Time System. A "full
Ada" RTS is complex, which means that it is hard and/or expensive to
qualify for a certain target system.

> Instead, some minimal RTOS was embedded into the
> application environment and Ada procedures were activated as tasks in the
> RTOS (with defined stack sizes, priorities, etc.).

If the minimal RTOS is smaller or less complex (and of course also less
expressive and less functional) it is also cheaper to qualify to the same
level of trust.

It may also be easier to reuse the minimal RTOS for different applications
on different target systems, with smaller changes, and therefore with less
effort for requalifying the RTOS for new target systems, spreading the
qualification cost over many applications and users.

Several Ada compiler vendors provide simplified Ravenscar RTSes, and some
provide even simpler and more restricted RTS versions for more critical
applications. (I forget what these are called. I don't know of any
standard Ada RTS profile that is more restrictive than Ravenscar, so the
names are probably vendor-specific.)

In the space domain, it is not unusual for some highly critical SW to be
forbidden to use any real-time kernel, forcing the SW to be
single-threaded. This is common for any SW that resides in (true)
read-only memory and cannot be patched in flight. Typical cases are the
"boot SW" or some fall-back "recovery" SW that takes over when the main SW
fails and is used only to analyse the problem and to patch the main SW.

-- 
Niklas Holsti
Tidorum Ltd

niklas holsti tidorum fi
      .      @    .
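As an added illustration of the restricted tasking model the thread refers to (this is example code written for this page, not part of Niklas Holsti's post and not any vendor's RTS), the following Ada program is written under the Ravenscar profile: every task is declared at library level with a fixed priority and a fixed stack size, tasks never terminate, all synchronisation goes through one protected object with a ceiling priority, and timing uses absolute `delay until` because relative `delay` is forbidden by the profile. The package and object names (`Cyclic_Worker`, `Counter`, `Periodic`), the 100 ms period and the 4096-byte stack are constructed values chosen for the example.

```ada
--  Added example, not from the original post or any vendor RTS.
--  The Ravenscar profile pragma turns on FIFO_Within_Priorities dispatching,
--  Ceiling_Locking, Detect_Blocking and the Ravenscar restrictions
--  (No_Task_Hierarchy, No_Task_Allocators, No_Relative_Delay,
--  No_Task_Termination, Max_Protected_Entries => 1, ...).
pragma Profile (Ravenscar);

with System;

package Cyclic_Worker is

   --  Shared state lives in a protected object with a ceiling priority.
   --  Under Ceiling_Locking this makes the object lock-free and bounds the
   --  blocking time a higher-priority task can suffer.
   protected Counter is
      pragma Priority (System.Priority'Last);
      procedure Increment;
      function Value return Natural;
   private
      Count : Natural := 0;
   end Counter;

   --  A library-level, statically created task: Ravenscar forbids task
   --  creation at run time, dynamic priorities and task termination, so the
   --  priority and stack size are fixed here, at design time.
   task Periodic is
      pragma Priority (10);
      pragma Storage_Size (4096);   --  constructed value for the example
   end Periodic;

end Cyclic_Worker;

with Ada.Real_Time;  use Ada.Real_Time;

package body Cyclic_Worker is

   protected body Counter is
      procedure Increment is
      begin
         Count := Count + 1;
      end Increment;

      function Value return Natural is
      begin
         return Count;
      end Value;
   end Counter;

   task body Periodic is
      Period : constant Time_Span := Milliseconds (100);  --  constructed value
      Next   : Time := Clock;
   begin
      --  Ravenscar tasks run forever; a terminating task is a profile error.
      loop
         Counter.Increment;
         Next := Next + Period;
         delay until Next;   --  absolute delay; "delay Period" is not allowed
      end loop;
   end Periodic;

end Cyclic_Worker;

with Cyclic_Worker;

--  The environment task only elaborates the library-level units; Periodic
--  starts at elaboration and keeps running, so Main never "returns" in the
--  usual sense.
procedure Main is
begin
   null;
end Main;
```

Usage note: with GNAT the three compilation units above have to be split into separate files (for example with `gnatchop`) and built against a Ravenscar run-time for the target, e.g. `gnatmake -P` with a project whose `Runtime ("Ada")` attribute names such an RTS; a full-Ada run-time will still compile and run the program, but the profile pragma then only enforces the restrictions rather than shrinking the RTS that has to be qualified.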