At 11:52 AM 7/23/98 +-200, Joachim Schröer wrote:
>Our current design requires that both parts are linked in one executable.
>We trust the Ada part, but (for worst-case scenarios) have to assume
>that the C part is potentially unsafe.

>Our safety concept simply requires that the Ada main detects a failure
>in the C part and then shuts down the simulator.

    There are four possible solutions:

    1) Hand-translate the C into Ada.

    2) Write a SDTS (Syntax directed translation scheme) or other program
to translate the C into Ada.

    If the C is machine generated and uses a predictable subset of the
language, a translator is about a man-month of work.  (Of course, there is
little or no point to getting one written to work with a different machine
generator--most of the work is in looking at the generated output and
defining the mapping.)  Writing the code is trivial if you understand
recursive descent (LL1) grammars.  You just need a grammar for the C and
one for the Ada where every production in the C has a matching production
in the Ada grammar with the non-terminals in the same order.  (The C
grammar needs to be LL1, the Ada grammar does not.)

    3) Take the gcc compiler and modify it to generate C code that is
trustworthy in a safety-critical system.  Allocate about ten man years to
the job.  (The hard part is not modifying the compiler to put in the range
checks, it is VALIDATING the compiler.  There is no suite of tests I know
of for checking C compilers with added range checking and exception
handling, so you would have to roll your own.)

    4) Use a tool to guarantee that the C code can never fail.  You seem to
have ruled this choice out already.  If you can validate that any out of
range value in the C code will be signalled in a way that will be caught
by the Ada program you could avoid this, but you have already proven that
that is not the case.

     Depending on the amount of C code and the frequency with which it
changes, either of the first two options could be your best choice.

                                        Robert I. Eachus

with Standard_Disclaimer;
use  Standard_Disclaimer;
function Message (Text: in Clever_Ideas) return Better_Ideas is...
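Option 2 above describes the translator only in outline. As an added illustration, not code from either correspondent, here is a small recursive-descent translator in Python for a constructed C subset: C89-style blocks with `int` declarations first, assignments, `if` statements and integer expressions with comparison operators. Each parse method corresponds to one production of the C grammar and emits the matching Ada production with the non-terminals in the same order, which is the structure the post describes. It also handles two traps such a mapping meets in practice: Ada identifiers are case-insensitive while C's are not, so two C names differing only in case are rejected rather than silently merged, and C spells `%`, `==` and `!=` differently from Ada. Anything outside the subset is a hard error, never dropped. The subset, the token classes, the `CToAda` class and the sample input are all assumptions made for this example.

```python
import re

# Added example (not from the post): LL(1) C-subset -> Ada translator; each parse method is one C production.
TOKEN_RE = re.compile(r"(\d+)|([A-Za-z_]\w*)|(==|!=|<=|>=|[-+*/%<>=(){};])|(\S)")
KEYWORDS = {"int", "if"}
OPMAP = {"==": "=", "!=": "/=", "%": "rem"}   # operators spelled differently in Ada
# Binary operators from loosest to tightest binding; C and Ada agree on this order.
PRECEDENCE = (("==", "!=", "<", ">", "<=", ">="), ("+", "-"), ("*", "/", "%"))


def tokenize(src):
    toks = []
    for m in TOKEN_RE.finditer(src):
        num, word, op, bad = m.groups()
        if bad:   # anything outside the subset is an error, never silently dropped
            raise SyntaxError(f"unexpected {bad!r} at offset {m.start()}")
        toks.append(("NUM" if num else "OP" if op else "KW" if word in KEYWORDS else "ID", m[0]))
    return toks + [("EOF", "")]


class CToAda:
    def __init__(self, src):
        self.toks, self.i, self.names = tokenize(src), 0, {}
    def peek(self):
        return self.toks[self.i][1]
    def take(self, expected=None):
        kind, tok = self.toks[self.i]
        if expected is not None and tok != expected:
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return kind, tok
    def ident(self):
        kind, tok = self.take()
        if kind != "ID":
            raise SyntaxError(f"expected identifier, got {tok!r}")
        # Ada is case-insensitive: C names differing only in case would merge silently.
        if self.names.setdefault(tok.lower(), tok) != tok:
            raise ValueError(f"{self.names[tok.lower()]!r} and {tok!r} collide in Ada")
        return tok
    # block := '{' declaration* statement* '}'  ->  [declare <decls>] begin <stmts> end;
    def block(self, indent=0):
        pad = "   " * indent
        self.take("{")
        decls, stmts = [], []
        while self.peek() == "int":
            decls.append(pad + "   " + self.declaration())
        while self.peek() != "}":
            stmts += self.statement(indent + 1)
        self.take("}")
        head = [pad + "declare"] + decls if decls else []
        return head + [pad + "begin"] + stmts + [pad + "end;"]
    # declaration := 'int' ID ['=' expr] ';'  ->  ID : Integer [:= expr];
    def declaration(self):
        self.take("int")
        name, init = self.ident(), ""
        if self.peek() == "=":
            self.take("=")
            init = " := " + self.expr()
        self.take(";")
        return f"{name} : Integer{init};"
    # statement := 'if' '(' expr ')' block | ID '=' expr ';'
    def statement(self, indent):
        pad = "   " * indent
        if self.peek() == "if":
            self.take("if")
            self.take("(")
            cond = self.expr()
            self.take(")")
            return [pad + f"if {cond} then"] + self.block(indent + 1) + [pad + "end if;"]
        name = self.ident()
        self.take("=")
        value = self.expr()
        self.take(";")
        return [pad + f"{name} := {value};"]
    # expr := term0 (op0 term0)*, term0 := term1 (op1 term1)*, ... down to factor;
    # one recursion level per row of PRECEDENCE, so the Ada text keeps C's grouping.
    def expr(self, level=0):
        if level == len(PRECEDENCE):
            return self.factor()
        text = self.expr(level + 1)
        while self.peek() in PRECEDENCE[level]:
            op = self.take()[1]
            text = f"{text} {OPMAP.get(op, op)} {self.expr(level + 1)}"
        return text
    # factor := NUM | ID | '(' expr ')'
    def factor(self):
        kind, tok = self.toks[self.i]
        if kind == "NUM":
            return self.take()[1]
        if kind == "ID":
            return self.ident()
        self.take("(")
        text = self.expr()
        self.take(")")
        return f"({text})"
    def translate(self):
        return "\n".join(self.block())


# Constructed sample input, in the regular shape a code generator might emit.
SAMPLE_C = """{ int count = 0; int limit = 100;
  if (count % 2 == 0) { count = (count - limit) * 2; } count = count + 1; }"""
```

`CToAda(SAMPLE_C).translate()` yields a `declare ... begin ... end;` block statement with the two declarations in the declarative part and the `if` rendered as `if ... then ... end if;`. Because the translated objects are Ada `Integer`, arithmetic overflow in the generated code raises `Constraint_Error` (unless checks are suppressed), which the Ada main can handle; that, rather than the syntax, is what the first two options buy for the safety concept quoted above. Constructs outside the subset (`else`, `while`, pointers, function calls) raise `SyntaxError` here, so the unsupported code is never passed through untranslated.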