TEAM-ADA Archives

Team Ada: Ada Programming Language Advocacy

TEAM-ADA@LISTSERV.ACM.ORG

Options: Use Forum View

Use Proportional Font
Show HTML Part by Default
Condense Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Sender:
"Team Ada: Ada Advocacy Issues (83 & 95)" <[log in to unmask]>
X-To:
Date:
Thu, 23 Jul 1998 09:31:11 -0500
Reply-To:
Samuel Mize <[log in to unmask]>
Subject:
From:
Samuel Mize <[log in to unmask]>
Content-Transfer-Encoding:
7bit
In-Reply-To:
<01BDB630.67838580@prg08> from "Joachim Schröer" at Jul 23, 98 11:52:43 am
Content-Type:
text/plain; charset=US-ASCII
MIME-Version:
1.0
Parts/Attachments:
text/plain (75 lines)
> Hello,
>
> We want to build a safety related system (a control computer for=20
> a flight simulator connected to a motion platform).
...
> Our safty concept simply requires, that the Ada main detects a failure
> in the C part and then shuts down the simulator.
>
> procedure Ada_Main is
> begin
>   loop
>      Execute_C_model;
>   end loop;
> exception
>     when others =3D> Shutdown;
> end Ada_Main;

I'm sorry, but you're just flat out of luck.

A C routine won't necessarily be set up to trigger the Ada exception
mechanism when it fails, even with a hardware-detected error (like a
divide by zero).  You'll get whatever behavior C exhibits for that
error, either bad results or program termination.  So your exception
handler will never be thrown any exceptions to catch.

Also, Ada won't necessarily catch nonsense values from C.  For
example, if you pass C a pointer to an enumeration value 0..7, C can
write 38 there.  Ada won't catch that.  Worse, Ada can propagate that
value quite a ways before the compiler is required to check the range.
(Many range checks can be left out, if the compiler can prove that a
computation can't exceed the range if the inputs were in range, and
the compiler doesn't have to assume that an interfaced routine might
have messed up a value.)

To detect out-of-range values, you'd have to use the 'valid attribute
to check all data returned from the C routines.  This won't catch
in-range wrong values, of course, for instance your platform's
acceleration could go from -maximum to +maximum in one computation.


> I think there are some general questions concerning Ada and C
> in safety related systems, independent of the used compilers.
>
> * How can an Ada main detect a failing C module and react
>   correspondingly?

Can't.  You have to design mechanisms into the C code that will detect
failures and handle them.  Having done that, one option is to turn
them into Ada exceptions, but the C code to do that will be
compiler-dependent.


> * Is a safe usage of such interfacing only possible using two
>   processes with separated address spaces, to prevent a failing
>   C module to kill the Ada main?

A rogue pointer in the C section can be used to write over anything in
its address space: C data, Ada data, C or Ada code...  If your
hardware and OS don't detect address-space violations, the C can write
into random parts of the Ada even if they're in separate processes, or
even into the OS data or code.

This is awfully basic stuff for a safety-critical application.  You
may need to do some basic research, and/or hire a specialist in this
area as a consultant.

I wish you the best of luck with it.

Best,
Sam Mize

--
Samuel Mize -- [log in to unmask] (home email) -- Team Ada
Fight Spam: see http://www.cauce.org/ \\\ Smert Spamonam

ATOM RSS1 RSS2