Comments on: Gem #32: Safe and Secure Software : Chapter 1, Safe Syntax http://www.adacore.com/2008/04/21/gem-32/ AdaCore technology and news Mon, 06 Feb 2012 18:59:19 -0500 http://wordpress.org/?v=2.9 hourly 1 By: Alan Barnes http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1421 Alan Barnes Thu, 01 May 2008 08:57:00 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1421 Regarding renoX's comment: The fact that = in the C-family of languages returns a value is just one instance of the lack of clear separation between expressions (which should return a value but not affect program state) and commands (which alter program state but do not have a value). Other instances are the possibility of ignoring function return values, i.e. using a function call as a complete program step and the ++ and -- operators (both prefix and postfix!) which are useful abbreviations if used solely as commands but lead to many obscurities if used in expressions. In Ada the separation is much clearer although not complete as function calls can directly affect program state by altering non-local variables and/or by performing I/O (and also through the use of access parameters) Regarding renoX’s comment:

The fact that = in the C-family of languages returns a value is just one instance of the lack of clear separation between
expressions (which should return a value but not affect program state) and commands (which alter program state but do not have a value).

Other instances are the possibility of ignoring function return values, i.e. using a function call as a complete program step and the ++ and — operators (both prefix and postfix!) which are useful abbreviations if used solely as commands but lead to many obscurities if used in expressions.

In Ada the separation is much clearer although not complete as function calls can directly affect program state by altering non-local variables and/or by performing I/O (and also through the use of access parameters)

]]> By: renoX http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1405 renoX Fri, 25 Apr 2008 12:34:18 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1405 I find the "analysis" of = vs := misleading, the reason why = in C can leads to error if used in the test part of an 'if' instruction isn't so much because of its name but because = in C returns a value whereas := in Ada doesn't. If = in C didn't return a value, the error couldn't happen.. As for the 'superiority' of reading Y:=X instead of Y=X, let's just say that this is highly debatable and I've never, ever been confused about it.. The other examples are correct though (except the structure assignment as was already remarked). I find the “analysis” of = vs := misleading, the reason why = in C can leads to error if used in the test part of an ‘if’ instruction isn’t so much because of its name but because = in C returns a value whereas := in Ada doesn’t.
If = in C didn’t return a value, the error couldn’t happen..

As for the ’superiority’ of reading Y:=X instead of Y=X, let’s just say that this is highly debatable and I’ve never, ever been confused about it..

The other examples are correct though (except the structure assignment as was already remarked).

]]> By: Alan Barnes http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1401 Alan Barnes Thu, 24 Apr 2008 11:28:20 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1401 My previous reply seems to have been mangled somewhere along the line. I meant to say 2) Problems with for loops a) One more/one fewer repetition than intended, e.g. writing for (int i=0; i= 0) if (x > 0) System.out.println("Positive"); else System.out.println("Negative"); My previous reply seems to have been mangled somewhere along the line. I meant to say

2) Problems with for loops

a) One more/one fewer repetition than intended, e.g. writing

for (int i=0; i= 0)
if (x > 0)
System.out.println(“Positive”);
else
System.out.println(“Negative”);

]]> By: Alan Barnes http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1400 Alan Barnes Thu, 24 Apr 2008 11:20:30 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1400 There are of course other examples of unsafe syntax in the C family of languages: 1) The fall-through in switch statements if break is omitted. 2) Problems with for loops a) One more/one fewer repetition than intended, e.g. writing for(int i=0; i<=10; i++) when one intends for(int i=0; i<10; i++) or vice-versa For example int a[10]; for(int i=0; i<=10; i++) a[i] =0; This type of error is much less likely if one uses an explicit range FOR I IN 0 .. 9 LOOP A(I) := 0; END LOOP; or better FOR I IN A'Range LOOP A(I) := 0; END LOOP; b) Wrap-around in, for example in Java for(byte i=0; i<128; i++) { do_something() } 3) The dangling else For example in Java if (x >= 0) if (x > 0) System.out.println("Positive"); else System.out.println("Negative"); There are of course other examples of unsafe syntax in the C family of languages:

1) The fall-through in switch statements if break is omitted.

2) Problems with for loops

a) One more/one fewer repetition than intended, e.g. writing
for(int i=0; i< =10; i++)

when one intends

for(int i=0; i<10; i++)

or vice-versa

For example
int a[10];
for(int i=0; i<=10; i++)
a[i] =0;

This type of error is much less likely if one uses an explicit range

FOR I IN 0 .. 9 LOOP
A(I) := 0;
END LOOP;

or better

FOR I IN A'Range LOOP
A(I) := 0;
END LOOP;

b) Wrap-around in, for example in Java

for(byte i=0; i<128; i++) {
do_something()
}

3) The dangling else
For example in Java
if (x >= 0)
if (x > 0)
System.out.println(“Positive”);
else
System.out.println(“Negative”);

]]> By: Qunying http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1387 Qunying Mon, 21 Apr 2008 17:59:29 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1387 In page 5, struct date today = (1, 12, 8); It is not a legal C construct, it should be: struct date today = {1, 12, 8}; And in C99, there is designated initializer. struct date today = { .day = 1, .month = 12, .year = 8 }; So it is not an advantage over C any more on this particular example. In page 5,

struct date today = (1, 12, 8);
It is not a legal C construct, it should be:
struct date today = {1, 12, 8};

And in C99, there is designated initializer.

struct date today = {
.day = 1,
.month = 12,
.year = 8
};

So it is not an advantage over C any more on this particular example.

]]> By: MichaelP http://www.adacore.com/2008/04/21/gem-32/comment-page-1/#comment-1385 MichaelP Mon, 21 Apr 2008 12:46:17 +0000 http://www2.adacore.com/2008/04/21/gem-32/#comment-1385 Minor typo on page 6: float index(float height, weight) { should be: float index(float height, float weight) { Minor typo on page 6:

float index(float height, weight) {

should be:

float index(float height, float weight) {

]]>