TEAM-ADA Archives

Team Ada: Ada Programming Language Advocacy

From: Joachim Schröer
Date: Thu, 23 Jul 1998 11:52:43 +-200

We want to build a safety-related system (a control computer for
a flight simulator connected to a motion platform). The software
consists of two parts:

* a control program 100% written in Ada95 and
* aircraft models consisting of generated and hand written C code
  (using Mathworks Matlab / Simulink and the C code generator from
   the Real Time Workshop, an Ada code generator is not yet available).

Our current design requires that both parts are linked in one executable.
We trust the Ada part, but (for worst case scenarios) have to assume
that the C part is potentially unsafe.

Our safety concept simply requires that the Ada main detects a failure
in the C part and then shuts down the simulator.

procedure Ada_Main is
begin
  loop
    null;  -- one simulation cycle: call the C aircraft model here
  end loop;
exception
  when others => Shutdown;  -- any failure is expected to land here
end Ada_Main;

After first tests calling C from Ada (using ObjectAda for 
Realtime ETS and Microsoft Visual C++) we found, 
that errors in C (which are not totally impossible in our code, 
like zero division, range checks, pointer problems) 
may not be caught by Ada (Exception handlers). 
We did not expect that but had to verify it. 

(The native win32 version catches some errors like
zero division, others are not detected).

The behaviour of the program is twofold:

* after some errors in the C part, an exception handler in
  the runtime system is called and the program ends.
  So an exception handler at the end of the Ada main cannot 
  catch the error and start some safe shutdown of the machine.

* even worse, after other errors in C, the program continues 
  to run with nonsense values.

I think there are some general questions concerning Ada and C
in safety-related systems, independent of the compilers used.

* How can an Ada main detect a failing C module and react?
* Is a safe usage of such interfacing only possible using two
  processes with separated address spaces, to prevent a failing
  C module from killing the Ada main?

Attached is a small example that connects Ada and C and contains
erroneous Ada and corresponding C code. The Ada main catches
errors from erroneous Ada modules. Erroneous C modules kill the
Ada main program or are not detected.

Thanks for any hints.
        J. Schröer
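The second question above (separate address spaces) can be tried out on a POSIX system. The following is an added example, not code from the post or its attachment: a trusted supervisor forks a child to run one step of an untrusted model, detects a crash through waitpid() instead of dying with it, and rejects non-finite outputs, the "nonsense values" case. The three model functions are constructed stand-ins; the supervisor/child split assumes fork() and pipes, which the author's Win32 setup does not offer in this form.

```c
#include <math.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the supervisor observed for one model step. */
enum step_result { STEP_OK, STEP_BAD_VALUE, STEP_CRASHED };

/* Run one step of an untrusted model in a forked child. The child computes the
 * output and sends it back over a pipe; if it dies by signal (SIGSEGV, SIGFPE,
 * ...) the supervisor sees that in waitpid() instead of dying with it. */
enum step_result supervised_step(void (*model)(double *out), double *result)
{
    int fd[2];
    if (pipe(fd) != 0) return STEP_CRASHED;
    pid_t pid = fork();
    if (pid < 0) return STEP_CRASHED;
    if (pid == 0) {                          /* child: the untrusted C model */
        close(fd[0]);
        double v = 0.0;
        model(&v);                           /* may fault here */
        if (write(fd[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }
    close(fd[1]);                            /* parent: the trusted supervisor */
    double v = 0.0;
    ssize_t n = read(fd[0], &v, sizeof v);   /* EOF (n == 0) if the child died */
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof v || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return STEP_CRASHED;                 /* an error that would have killed us */
    if (!isfinite(v))
        return STEP_BAD_VALUE;               /* the "nonsense values" case */
    *result = v;
    return STEP_OK;
}

/* Constructed stand-ins for the three behaviours the post describes. */
void model_good(double *out)  { *out = 0.5 * 9.81; }
void model_nan(double *out)   { volatile double z = 0.0; *out = z / z; } /* NaN, no trap */
void model_crash(double *out) { int *volatile p = NULL; *out = *p; }     /* SIGSEGV */

/* Run a model step and return only its classification. */
enum step_result classify(void (*model)(double *out))
{
    double unused = 0.0;
    return supervised_step(model, &unused);
}
```

A real system would add a deadline (alarm or a timed read) so a hung model step is reported too, and would pass the whole state vector rather than one double.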