problems/risks due to programming language
William Thomas Wolfe, 2847
billwolf%hazel.cs.clemson.edu at hubcap.clemson.edu
Thu Feb 22 07:15:56 AEST 1990
>From hammondr at sunroof.crd.ge.com (Richard A Hammond):
>> 3. The AT&T breakdown a month ago was caused by a break statement
>> in C. See the following mail (multiple forwarding headers deleted):
>
>>| | In the switching software (written in C), there was a long
>>| | "do . . . while" construct, which contained
>>| | a "switch" statement, which contained
>>| | an "if" clause, which contained a
>>| | "break," which was intended for
>>| | the "if" clause, but instead broke from
>>| | the "switch" statement.
>>| |
>>
>> Again it looks like this bug wouldn't have occurred in another
>> programming language.
%
% What other programming language? Only one without any GOTO or restricted
% GOTO (e.g. exit, break, ...). This leaves out Ada!!!!!!
%
% [...] for N in 1 .. MAX loop
% case ...
% when ... =>
% if NEW_ITEMS(N) = FALSE then
% -- some other useful work gets done here
% exit; -- exits loop, not if!
% end if;
% when ... =>
% [...]
% So, in the AT&T case using Ada we would have exited both the switch and the
% loop rather than just the switch. Hardly an improvement!
This is not a valid analogy. In C, the case statement *requires* the
use of a restricted GOTO in order to accomplish "normal" processing;
at the end of the section of code processing a given case, one must
use a restricted GOTO in order to prevent C from sending the flow of
control straight into the section of code which was intended to process
the NEXT case. In other words, C requires the programmer to use a
dangerous construct on a routine basis.
With the if construct in C, the default is to exit the if construct
automatically, as opposed to continuing on to execute the section of
code associated with the else part. Thus, we have an inconsistency
in C's design: with one flow-of-control construct (the switch), it is
necessary to use a dangerous GOTO to achieve normal processing, whereas
with a similar flow-of-control construct (the if-else), the default is
reversed. Given such a language design, it should not surprise anyone
that programmers become confused, particularly when the constructs are
being used together.
Ada, on the other hand, is consistent: in both the if and case statements,
the default is to exit the construct once the code associated with the
specified situation has been executed. Ada also provides the exit
statement, a restricted GOTO which permits a loop to be exited early,
but this construct is not used (as is C's break) on a routine basis.
> In my limited experience the cases where Ada is introduced into a
> programming environment also introduce lots of other good software
> engineering practices. For example, lots of people I know who
> program in C don't use LINT. I view it as a deficiency of management
> and not of the language that they don't use available tools.
This is certainly true; Brooks and others have noted that the good
software engineering practices which are routinely introduced in
conjunction with the Ada language are responsible for more of the
resulting improvements than the fact that the Ada language was
introduced. However, we cannot disregard that fact that Ada was
specifically designed to provide maximal support for the software
engineering process. C, on the other hand, was designed to provide
maximal support for the compilation process. Since compilers and
the CPU power required to operate them come far more cheaply than
programmers, and especially in view of the fact that better error
prevention is worth much more than faster compilation, it would seem
that the tradeoff made by Ada is certainly the one to be preferred.
Bill Wolfe, wtwolfe at hubcap.clemson.edu
More information about the Comp.lang.c
mailing list