2017 Make with Ada competition

[Kalvin]

In Ada one would probably operate with unsigned integers to access the elements of the byte array, so the index cannot be negative and will be caught at runtime.

oh i would love to see this when it get caught in life threatening situation such as in Avionics... i would love.... but actually not, for the sake of the souls involved.

Yes, I know what you mean: It would be much better to keep on computing using invalid data, like the air speed, instead of letting the programmer to decide what to do if the exception should happen. Right?

exception is certainly supported in C/C++. but we are not comfortable enough with any compiler's high level built in functions/features, so we make our own check in every loops, tuned specifically so there is no unecessary degradation in performance (aka bloatware). modular programming style is a must, so we can break down applications into smaller unit test, and we make sure every single one of it is bulletproof of any possible inputs, we test them to fail. please distinguish... we test our code/application, we are not testing the "language" or the "tool", we test the real deal. that is if... and only if... we are paid good money for it. you call that tedious? not much difference than exception handling in any languages, generic or specific.

In my opinion Ada has superior type system compared to C or C++ as it allows the system designer or programmer specify the limits of the data types very specifically and the compiler is able to perform compile-time checking - as well as run-time checking if enabled. Ada has also pre-conditions and post-conditions which help the compiler to validate the code and help unit testing, in addition to providing the person reading the code the intention of the original programmer very clearly. Ada has also a SPARK subset which makes it possible to mathematically prove the code correct against the specifications. Of course, if the specs are wrong or poorly written no language can improve poor design.

[Kalvin]

One thing came to my mind while thinking of "what can be done in C but not in Ada": Protothreads used in Contiki OS.

http://dunkels.com/adam/pt/

The protothreads implementation depends heavily on C preprocessor macros and it exploits heavily some C language constructs that may not available in Ada.

[westfw]

"what can be done in C but not in Ada": Protothreads used in Contiki OS.

Doesn't Ada have it's own multitasking?

This is the perfect time for one of the Ada experts to chime in and say something like "Contiki protothreads are a prefect example of C programmers doing things that are extremely dangerous, just because the language lacks important features like built-in multitasking."  :-)

On the third hand, Contiki uses protothreads to save space and overhead in systems that would have problems implementing real multitasking (say: "Posix threads"), and support of multitasking is one of the things that adds "bloat" to the Ada runtimes...  TANSTAAFL!

(Hmm.  Serious question:  relatively recently, there has been a fair amount of development of link-time optimization; so that unused functions from libraries (or from user code) are simply omitted from the final binary.  Do Ada compilers like GNAT for embedded ARM manage to take advantage of that for reducing the footprint of the runtime environment, or are they still in the "the runtime is the runtime; you get the whole thing."  (usually a DLL on "real" computers; I'm not sure how it's handled on embedded targets.)  (A big advantage of C is that is mostly doesn't have any runtime environment.  Just libraries.  This makes it terrifyingly easy to port to new targets; at least "partially.")

[nctnico]

On the third hand, Contiki uses protothreads to save space and overhead in systems that would have problems implementing real multitasking (say: "Posix threads"), and support of multitasking is one of the things that adds "bloat" to the Ada runtimes...  TANSTAAFL!

I've looked at protothreads but it is a mess. It is a typical solution which makes a piece of code unreadable and thus hard to transfer to a different programmer.

Do Ada compilers like GNAT for embedded ARM manage to take advantage of that for reducing the footprint of the runtime environment, or are they still in the "the runtime is the runtime; you get the whole thing."

IMHO you should always aim to get the whole thing. A half baked runtime just sucks because one or another you have to contort yourself into all kinds of limitations. I've seen that happen with Windows CE (half baked) versus Linux (whole package) on embedded systems.

[NorthGuy]

Yes, you are correct that changing a programming language wouldn't make a poorly designed and poorly written code any better. But in the hands of a good programmer it does make difference.

You keep saying this, but you don't really show where the difference is. I suggested a small example, and, by your words, it would be about the same in Ada as in C and Ada can mimic C. So what? I can re-write the example in Pascal which compiles with old Delphi (great compiler BTW, way better than most C compilers):

Code: [Select]

type
  PObj = ^TObj;
  TObj = record
    sibling: cardinal; // offset of the sibling's record from the beginning of the file
    child: cardinal; // offset of the first child's record from the beginning of the file
    payload: array[0..3] of char; // variable length payload
  end;
 
function process_object(file_base: PChar; file_size: cardinal; o: PObj): boolean;
var
  offs: cardinal;
begin
  process_object := FALSE;
  //TODO: here goes the code to process the payload

  // now deal with the tree

  // process the rest of the siblings (if any)
  offs := o^.sibling and $fffffffc;
  if offs > (file_size - sizeof(TObj)) then exit;
  if offs > 0 then begin
    if not process_object(file_base, file_size, PObj(file_base + offs)) then exit;
  end;

  // process the children (if any)
  offs := o^.sibling and $fffffffc;
  if offs > (file_size - sizeof(TObj)) then exit;
  if offs > 0 then begin
    if not process_object(file_base, file_size, PObj(file_base + offs)) then exit;
  end;

  process_object := TRUE;
end;
But this doesn't make Pascal better than C. It only demonstrates that it has enough low-level capabilities to replicate anything that can be done in C. From your explanations, it appears that Ada can do the same, so anyone who works in C could replicate his work in Ada. But this doesn't make Ada better than C.

May be the example was not good to show the advantages of Ada. Can you come up with a new example which would show the difference?

Btw, you are making an assignment in if statement, which is considered as illegal in many organizations.

Like companies who use MISRA? This is another way to sacrifice freedom for imaginary safety. I couldn't care less about this. I don't work for such organization, and I never will.

You are also assuming that the endianess doesn't matter. It would be also a good thing to make the struct as packed just in case. Ada has a built-in capability to specify the endianess, so one doesn't have to decorate the code with the endianess conversion macros.

I don't assume anything (try not to anyway). In the real life I would know the endianness of my target CPU(s). If I had to flip bytes (e.g. with TCP/IP) I would. If not, I wouldn't.

Of course, there is a theoretical possibility that I may target different platforms which have different endianness, but I don't envision this in the near future, and I'm not going to make any provisions in my code until this really happens. Until then, I wouldn't try to write a code which would work for either endianness. This would be extra work, extra clutter, and extra testing.

In general, I write my code for specific target(s) and I don't worry if it can be ported to somewhere else. In my experience, if I want to port something to a different target 10 years from now, I'll have to re-write anyway - life will be very different then. Why waste time ensuring portability of code which will never be ported? In my early years, I did waste lots of time "universalizing" my code. I tried to make it flexible, so that I could use it in different situations. I seriously believed that I would be reusing my code for the rest of my life. I had such a nice collection of punchcards. How silly that was. Since then, I figured out that I can gain a lot by making my code specific (as opposed to universal).

Language designers are in a different position. When you design a language, such as Ada, you would expect it to be used everywhere. And endianness was of a big importance back then. If they created language constructions to handle endianness, this is certainly a good thing. But I doubt it is substantially better than using htons(), ntohs() etc.

[legacy]

But this doesn't make Pascal better than C. It only demonstrates that

to talk is futile. We are again stopped at the same point.

People wants examples, so the better advice is: find a job in avionics, it will full of them, with all the details and the low level you need to see, and it doesn't cost time to repeat concept again and again and again, without a context.

[NorthGuy]

People wants examples, so the better advice is: find a job in avionics, it will full of them, with all the details and the low level you need to see, and it doesn't cost time to repeat concept again and again and again, without a context.

So, there's a concept, mindset. Specific examples cannot be given. Smells like snake oil.

[FrankBuss]

So, there's a concept, mindset. Specific examples cannot be given. Smells like snake oil.

There are many examples on the web. Some interesting ones are which you can't write in C or C++, see for example this article and contracts. Post-conditions are not easily possible with C++. Only recently they proposed it for C++17, see here, so it is obviously missing from the language and useful for bigger projects, and even Stroustrup recommends it.

You are right, you can do anything in C that you can do in Ada, regarding the pure computation of something, and the source code might be smaller, because of the more verbose syntax of Ada, and the executable might be smaller, because of less runtime checks. But Ada claims to help you to avoid bugs with the compile time and runtime checks. This is not important for a blinking LED program on a microcontroller, but there are interesting studies, like this, which compares C and Ada for the number of bugs per lines. For C it was 7 times more bugs compared to Ada. Even if you consider that an Ada program might have twice as much lines as a C program, it would be a good reason to use Ada, because the study shows also, that programming a feature in Ada was cheaper than programming it in C, and even many of the programmers hired for this company had to learn Ada first, because the were only C programmers. And the additional time and space required for the runtime checks doesn't matter for modern microcontrollers. But granted, you might not want to use it for a 4 bit CPU in a toy, where every opcode and cent counts. I guess there is no silver bullet and perfect language for all use cases.

So far looks like every C programmer who has tried Ada thinks it should be used more often. I'll report after I finished my competition entry, for which I have to learn Ada first, and which is bigger than a blinking LED. Maybe you should write some Ada programs, too, to see if it is just snake oil or if it helps you.

[Mechatrommer]

funnily enough i never have the need for assert function, or i believe with this same "contract" concept. i have a stereotype that assert, or "throw catch all" feature are only for lazy programmer. but well maybe thats just me. as i said i made my own checking and divert code execution to whenever it needs to be, when some condition (or contract? same meaning but different word labelling?) is violated. it does obscure program logic or semantics (readability) though (well i dont see much difference with bloated syntaxes just to handle pre/post conditions), but handling exception from unknown source is just as tedious imho. things like assert do help in debugging software, but in real/published/distributed application esp in life threatening application, thrown assert or exception is just not tolerable. hell who can afford to click ok button with "this line error to variable this...." in the middle of the sky where you are the pilot struggle to balance the pitch and aileron just because autopilot is stopped calculating. ymmv...

[NorthGuy]

Code: [Select]

[quote author=FrankBuss link=topic=88483.msg1214330#msg1214330 date=1495384769]
There are many examples on the web. Some interesting ones are which you can't write in C or C++, see for example this article and contracts.
This article starts from building a storage stack and checking for stack overflows. It may be useful in debugging. However, even in C, you can use macros which will insert checks during debugging. Then you can re-define the macros, so that all the checks are removed for production.

What is important to me, I don't perceive that doing checks is a problem worth addressing. Imagine, you have life critical application, your patient is dying and your stack overflows over and over again. Would it really matter if the patient died because of a reset by bloody unchecked exception in C code, or ... because Ada caught the condition and organizely reported it to a software handler which happily reset the chip.

<disclaimer>I never participated in life critical projects.

IMHO, the real problem is how to design the firmware so that the storage stack never overflows - analyze timing paths, execution flow, and make sure that the adverse conditions never happen. This, surely, is not related to any language. But since the stack never overflows, who cares if there's a check for the overflow or not.

However, to make sure everything goes as planned, I need a language which cooperates and does exactly what I say. If Ada inserts a bunch of checks on my timing critical path, upsets the timing and destroys my safety mechanisms, I don't want to be the one fixing the mess. Worse yet, what if Ada does such thing unpredictably, just because I made a small change which caused extra checks to appear. And this all a day before production deadline? I better go with full control and C (or similar), or even assembler if needed.

Post-conditions are not easily possible with C++.

"try" can do it in C++. In C, you can encapsulate your block into a function call.

... there are interesting studies, like this, which compares C and Ada for the number of bugs per lines.

It is a very interesting study. I'm not sure it was because of Ada safety features, or because of the overall verbosity of the language. C is somewhat cryptic and often perceived as unfriendly. I suspect, if they compared C to Pascal, the result would be similar, although there's no safety in Pascal. I do like Pascal better than C, but unfortunately it isn't used much.

Maybe you should write some Ada programs, too, to see if it is just snake oil or if it helps you.

My interests are more at lower levels. When I was young I had a book on Algol-68, which I found fascinating at a time, but then I moved from high abstractions to physical realities, for better or for worse ...

I wish you luck in the Ada contest.

[nctnico]

Code: [Select]

[quote author=FrankBuss link=topic=88483.msg1214330#msg1214330 date=1495384769]
There are many examples on the web. Some interesting ones are which you can't write in C or C++, see for example this article and contracts.
This article starts from building a storage stack and checking for stack overflows. It may be useful in debugging. However, even in C, you can use macros which will insert checks during debugging. Then you can re-define the macros, so that all the checks are removed for production.

Which is exactly what you don't want! Boundary checks in production software prevent a bug in module A to spread across your software and cause problems in module F. You'll never find the cause of 'quirky' behaviour especially if it occurs only a few times per year. Is it that really so hard to see the benefits of a language which does that for you so you don't have to deal with it yourself?

[tggzzz]

Btw, you are making an assignment in if statement, which is considered as illegal in many organizations.

Like companies who use MISRA? This is another way to sacrifice freedom for imaginary safety. I couldn't care less about this. I don't work for such organization, and I never will.

Good. That's a relief.

[tggzzz]

<disclaimer>I never participated in life critical projects.

Given your other questions and statements in your posting, that is quite evident.

Please try to imagine what you would do and what choices you would make if your code was responsible for, say, your mother's life.

Then move on to consider the same question if your code was responsible for you companies' continued existence (i.e. if you got it seriously wrong, your company would go bankrupt).

[tggzzz]

Code: [Select]

[quote author=FrankBuss link=topic=88483.msg1214330#msg1214330 date=1495384769]
There are many examples on the web. Some interesting ones are which you can't write in C or C++, see for example this article and contracts.
This article starts from building a storage stack and checking for stack overflows. It may be useful in debugging. However, even in C, you can use macros which will insert checks during debugging. Then you can re-define the macros, so that all the checks are removed for production.

Which is exactly what you don't want! Boundary checks in production software prevent a bug in module A to spread across your software and cause problems in module F. You'll never find the cause of 'quirky' behaviour especially if it occurs only a few times per year. Is it that really so hard to see the benefits of a language which does that for you so you don't have to deal with it yourself?

Precisely.

I have successfully used that mentality to avoid becoming involved in lawsuits by quickly and simply demonstrating that other company's code was at fault, not my company's code.

[tggzzz]

On the third hand, Contiki uses protothreads to save space and overhead in systems that would have problems implementing real multitasking (say: "Posix threads"), and support of multitasking is one of the things that adds "bloat" to the Ada runtimes...  TANSTAAFL!

I've looked at protothreads but it is a mess. It is a typical solution which makes a piece of code unreadable and thus hard to transfer to a different programmer.

When I looked at it I regarded it as a brittle solution to the wrong problem. You know, the "if all you have is a hammer, everything looks like a nail" syndrome.

Engineers (cf amateurs) choose the right tool for the job, and don't try to "MacGuyver" everything.

Do Ada compilers like GNAT for embedded ARM manage to take advantage of that for reducing the footprint of the runtime environment, or are they still in the "the runtime is the runtime; you get the whole thing."

IMHO you should always aim to get the whole thing. A half baked runtime just sucks because one or another you have to contort yourself into all kinds of limitations. I've seen that happen with Windows CE (half baked) versus Linux (whole package) on embedded systems.

A half-baked runtime is as dangerous as a half-baked garbage collector.

C programmers are infamous for thinking that they can knock up a quick special purpose GC on the fly. And when it turns out to have problems they don't blame themselves, but they do go on to damn all GCs as being useless! Doh!

[NorthGuy]

Is it that really so hard to see the benefits of a language which does that for you so you don't have to deal with it yourself?

I accustomed to dealing with my problems by myself. I don't feel it is hard, time consuming, or anything of the sort. So, I choose to give up whatever are the benefits of unknown checks, and do my own checks as I feel appropriate.

[tggzzz]

Is it that really so hard to see the benefits of a language which does that for you so you don't have to deal with it yourself?

I accustomed to dealing with my problems by myself. I don't feel it is hard, time consuming, or anything of the sort. So, I choose to give up whatever are the benefits of unknown checks, and do my own checks as I feel appropriate.

I taught my daughter to do her best to learn from other peoples' mistakes - because repeating known mistakes is a waste of at least on person's life. Let's make new mistakes!

Alternatively: it is better to stand on the shoulders of giants than to tread on the toes of giants

[NorthGuy]

<disclaimer>I never participated in life critical projects.

Given your other questions and statements in your posting, that is quite evident.

Please try to imagine what you would do and what choices you would make if your code was responsible for, say, your mother's life.

Then move on to consider the same question if your code was responsible for you companies' continued existence (i.e. if you got it seriously wrong, your company would go bankrupt).

  I have put this one in for you. I though zzz would byte on it. And you did! 

[tggzzz]

<disclaimer>I never participated in life critical projects.

Given your other questions and statements in your posting, that is quite evident.

Please try to imagine what you would do and what choices you would make if your code was responsible for, say, your mother's life.

Then move on to consider the same question if your code was responsible for you companies' continued existence (i.e. if you got it seriously wrong, your company would go bankrupt).

  I have put this one in for you. I though zzz would byte on it. And you did! 

So, you admit you are a troll.

[Mechatrommer]

so much so for the engineering workflow... and language's tool robustness...
http://www-users.math.umn.edu/~arnold/disasters/ariane.html
http://www-users.math.umn.edu/~arnold/disasters/ariane5rep.html
teach our daughter not to repeat people's mistake...
ie relying on "robust" language... and trusting advertisements.

[FrankBuss]

so much so for the engineering workflow... and language's tool robustness...
http://www-users.math.umn.edu/~arnold/disasters/ariane.html
http://www-users.math.umn.edu/~arnold/disasters/ariane5rep.html

This has nothing to do with Ada. I think the main reason for the failure was the missing requirement ("SRI specification (which is supposed to be a requirements document for the SRI) does not contain the Ariane 5 trajectory data as a functional requirement."). They used a system which was developed for the Ariane 4, and they knew the trajectory of the Ariane 5 was different, but they didn't bother to simulate the new trajectory. That's just careless. You can use the best and safest language, even mathematically prove that it works according to the specification, but this doesn't mean that the specification is right or that it will work in the real world. Both things are orthogonal: safe language and coding, and testing.

[tggzzz]

so much so for the engineering workflow... and language's tool robustness...
http://www-users.math.umn.edu/~arnold/disasters/ariane.html
http://www-users.math.umn.edu/~arnold/disasters/ariane5rep.html
teach our daughter not to repeat people's mistake...
ie relying on "robust" language... and trusting advertisements.

That interpretation is a failure of your critical thinking. A problem would have occurred with any programming language since the specification was faulty.

You need to understand the vital difference between "validation" and "verification". If you can't show such understanding, then it is completely reasonable for anyone reading your opinions to disregard them as worthless.

[Mechatrommer]

yeah but the point is Ada let stupid mistake like overflowed conversion from 64 bit float value to 16 bits integer value... and another point, as you put it, specification, and its decided by human, those human are given the safest gun on earth and they eventually did manage to shoot their foot . so much so on the Ada "on rail" bulletproof checking... if you cant see the basic point to the problem discussed here, arguing/wandering with inadequately solid proof, then your opinion may as well be disregarded as worthless.

[FrankBuss]

If you read the detailed documentation about the problem, the Ada system generated an exception when the overflow occurred, which caused the system to turn off. And the programmers even identified all possible overflow problems and decided to not protect this conversion (I guess with try/catch or something), which they have done for other conversions. But as I wrote, you can think it is all 100% correct, but if you don't test it in the real world or at least with simulated data for the real device, it is very likely that it will fail.

[legacy]

You need to understand the vital difference between "validation" and "verification"

so, in their mind ( "validation" isEqualTo "verification )

LOL 

That's the first difference they will learn in avionics.

( someone still thinks, he/she can have the same experience, mastering the difference between "validation" and "verification", by translating C sketches from Arduino into gNAT )