
Re: What design is: 911 vs. Fleetwood

Dan Sugalski writes:
> Or that they make the right decisions regarding language choice. I know a 
> lot of people who would quit a job rather than program in COBOL or Fortran, 
> even though for many tasks those languages are by far the most appropriate 
> for the task. (A scary number of accounting and payroll programs are 
> written in C. Using floats or doubles to hold money)
> 
> "Real hackers" generally ought not be allowed to touch production code. 
> Production code generally ought not have any sort of hacking involved in it 
> at all.

If production code is not written by real hackers, it will tend to
contain boneheaded idiocies like using floats to hold money amounts,
and even more boneheaded things.  (I can't count the number of times
I've had to deal with some business-critical program that regularly
crashed or gave obviously wrong answers.)

When production code is written by people incapable of debugging, too
unconcerned to test, too frightened to fix things that are broken, and
too ignorant to know the limits of their tools, people die, businesses
fail, and money is wasted.

Let me quote a story by a real hacker (Rob Harley) about production
code:

    I know somebody who worked for a company programming
    microcontrollers for pacemakers (in a simple subset of C).  Her part
    of the job was to prove the software correct, formally.  Commendable
    and all.  Thing is, the code was compiled with a mondo-weird compiler,
    with known bugs which genuinely affected the type of code they were
    writing, and the compiler vendor was unresponsive to their plight.  So
    they were going over the emitted machine code manually after the fact,
    to check it hadn't actually screwed up, and shipping the sucker
    anyway.  I kid you not.  I went practically ballistic and tried to
    insist that they hire a good guy I know to do a quick port of GCC for
    circa $30K (i.e., peanuts) so they would have a compiler in which
    known bugs, if any, could be squashed ASAP.  Deaf ears etc.

    Last week I delivered a small project [in C] ... after holding it
    up for a week because there was one little assertion which I
    couldn't prove correct, nor could I find a counterexample to break
    it.

If I had a pacemaker, I'd definitely rather have Rob Harley program it
than these meticulous goofs.  (If you doubt he's a real hacker, you
can look at http://cristal.inria.fr/~harley/main.english.html.)

> It's actually rather good. Ada is dead-on the right language (of the ones 
> we have available) for many purposes. Its worst flaw is that it's a 
> language to do engineering work in. It isn't a toy language, a play 
> language, an art language, or a research language. That's one of the big 
> reasons many programmers hate it. It's also why it's the right language for 
> things that must work.
> 
> I'd feel far happier knowing the plane I was flying in had its control 
> systems written in Ada rather than, say, C.

I haven't used Ada, so I don't feel competent to make statements about
its suitability.  (I'm curious to hear about your experience with Ada,
Dan.) It appeared to me to be a complex language with many hidden
gotchas, and a language in which all code would be hard to read, slow
to write, and harder to change because of the large overheads
everywhere.

One of Ada's hidden gotchas, triggered by a bug which would have had
no effect whatsoever in any other language I'm familiar with, in
combination with a constellation of other mistakes, destroyed the
first Ariane 5 rocket launched, at a cost of half a billion dollars.
I'm sure you would have been happy to be on board (although it was
unmanned), but I'm glad you weren't.

James Gosling has a copy of the Ariane 5 report at
http://java.sun.com/people/jag/Ariane5.html.

I don't think using Ada is particularly likely to crash your aircraft,
or your pacemaker, or whatever, although its design doesn't seem
particularly inspired (from reading the language definition).  But I
don't think it's as much better than C for building reliable systems
as you make it out to be.
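The "floats to hold money" defect mentioned above, shown concretely. This is an added example, not code from the message or its authors: `cents_via_double` is the common mistake (a double amount truncated to cents), and `parse_cents` is the fixed-point alternative, reading a decimal string straight into integer cents and rejecting malformed input instead of rounding it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* The mistake: a monetary amount held in a double, truncated to cents.
   0.29 is not representable in binary, so 0.29 * 100.0 evaluates to
   28.999999999999996 and the cast drops the fraction: 28 cents, not 29. */
long cents_via_double(double amount) {
    return (long)(amount * 100.0);
}

/* The fixed-point alternative: parse "[-]dollars[.cc]" into int64 cents.
   Returns 0 on success, -1 on malformed input, more than two decimal
   digits, or overflow.  No floating point is involved at any step. */
int parse_cents(const char *s, int64_t *out) {
    int64_t dollars = 0, cents = 0, sign = 1;
    int ndigits = 0;

    if (*s == '-') { sign = -1; s++; }
    if (!isdigit((unsigned char)*s)) return -1;        /* need a leading digit */
    while (isdigit((unsigned char)*s)) {
        if (dollars > (INT64_MAX - 9) / 10) return -1;  /* dollars * 10 + d overflows */
        dollars = dollars * 10 + (*s++ - '0');
    }
    if (*s == '.') {
        s++;
        while (isdigit((unsigned char)*s) && ndigits < 2) {
            cents = cents * 10 + (*s++ - '0');
            ndigits++;
        }
        if (ndigits == 1) cents *= 10;                  /* "1.5" means 1.50 */
        if (ndigits == 0) return -1;                    /* "1." is malformed */
        if (isdigit((unsigned char)*s)) return -1;      /* reject "12.345": don't silently round */
    }
    if (*s != '\0') return -1;                          /* trailing junk */
    if (dollars > (INT64_MAX - cents) / 100) return -1; /* dollars * 100 + cents overflows */
    *out = sign * (dollars * 100 + cents);
    return 0;
}

int main(void) {
    int64_t c;
    printf("double: %ld cents\n", cents_via_double(0.29));   /* 28 */
    if (parse_cents("0.29", &c) == 0)
        printf("fixed-point: %lld cents\n", (long long)c);  /* 29 */
    return 0;
}
```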