programming languages and software construction

© ACT Europe under the GNU Free Documentation License

Programming Languages andSoftware Construction

Franco [email protected]

http://libre.act-europe.fr/Software_Matters

2http://libre.act-europe.fr © ACT Europe under the GNU Free Documentation License

Copyright Notice


Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; provided its original author is mentioned and the link to http://libre.act-europe.fr/ is kept. A copy of the license is included in available at:

http://www.fsf.org/licenses/fdl.html


The Construction Analogy*

Development tools:•Editor, compiler, debugger•Config. mgmt, testing tools,…

Tools

•Programming languages•Libraries•Reusable components

Materials

Analysis & design documents(e.g. UML diagrams)

Architectural

drawings

Software ConstructionBuilding Construction

Class1

Class2 Class3«uses»

*Analogy from Tucker Taft invited talk at the Tools USA 99 conferencehttp://www.tools-conferences.com/usa_99/keynotes.html#taft


Software Phases Affected by the P.L.

DesignDesignCreate a software structure Create a software structure (architecture) around which (architecture) around which code will be built code will be built

CodingCodingFill in the software Fill in the software structure with codestructure with code

Testing (Unit Testing)Testing (Unit Testing)Check that the code does what Check that the code does what it is supposed to (functionality, it is supposed to (functionality, performance, reliability, …)performance, reliability, …)


Importance of Tools’ & Materials’ Quality

Imagine working with a compiler that crashes every 3 compilations or that generates executables that run very slowly

Imagine using a hammer whose head flies off if you do not hit the nails perfectly

Imagine using a graphics library where 1 in 4 routines has a bug

Imagine building a wall where 1 in ever 4 bricks breaks when you place it on the wall

Imagine programming with a language which accepts everything that you type and tries to guess what to do

Imagine nailing wooden panels where nails bent if you do not hit them perfectly in their axis

Software ConstructionBuilding Construction


A GoodGood Programming Language …

Helps you build software that is:• Reliable• Safe• Secure• Evolvable

A good programming language will make your life easier. It will NOT do the job for you.


A PoorPoor Programming Language …

Will make it harder to build software that is:• Reliable• Safe• Secure• Evolvable

It is possible to write good software with a poor language. It will require more experienced engineers.In any event it will take longer and will be more COSTLY than with a good language.


Facts of Life in Software Construction

Properties of a Good Programming language

Make it harder to write incorrect code

Support abstraction

Help write readable code

Support modular software organization

Portable

Human Factors

Affecting Programming

Humans make mistakes

People move on• The code authors are not the ones

that will fix bugs, port or add new features to the software

Software evolves constantly


Why?

Software evolves constantly. You must deliver software to your clients before it is actually finished (important to have feedback). Furthermore, once delivered you have to correct bugs, and add new features.

Support modular software organization

Software evolves constantly. You must port it to new hardware.Portable

Humans make mistakes. Especially programmers who are constantly submersed with work.

Make it harder to write incorrect code

People move on. Especially programmers. To preserve your software investment other people must be able to understand the code quickly.

Help write readable code

Humans make mistakes & People move on. Be able to write a program at a conceptual level close to the application domain. This makes the code easier to write & understand.

Support abstraction

ExplanationRequirement for a GoodProgramming Language


Programming Languages Examples


A Programming Example

Can you tell in less than 20 seconds whether the following 3 routines in the following 3 programming languages do the following correctly:

Return the n-bit field of a 32 bit word from • Bit position p• To bit position p-n+1

Bit position 0 is at the right end

n bits

………Bit

0………

Bit

p-n+1…………

Bit

p

Bit

31


C

unsigned get_bits (unsigned x, int p, int n) {return (x >> (p-n+1)) & ~(~0 << n);

}


Ada 95

function Get_Bits (X : Bit_Array; P : Bit; N : Offset) return Bit_Array isbegin

return X (P – N + 1 .. P);end Get_Bits;


History of Some Imperative Languages1950 1960 1970 1980 1990 2000

PL/I(66)

Basic(66)

C(72)

Pascal(70)

Cobol(58)

Algol(60)

Simula(67) Smalltalk(80)

C++(89)

A S

S E

M B

L Y

Ada(83)

Eiffel (86)Ada(95)

Java(96)

Fortran(54)

imperative


1970 1980 1990 2000 2005

Java(96)

C++(89)

Eiffel (86)

ISO C++(98)

ANSI C(88)

Ada(0X)Ada(95)

Ada(83)

Pascal(70)???

C(72) ISO C(99)


Programming Language Design Goals

C• A portable, higher-level assembly language• No safety or security concerns

C++• An object-oriented language upwardly compatible with C• No safety or security concerns

Java• Fix C++ insecurity problems (i.e. cannot create a virus in Java)• No and safety concerns


SECURE != RELIABLESECURE != SAFE

Java is a secure language• That is you cannot create viruses with Java programs

Java (like C and C++) is NOT a safe language• It is easy for a programmer to make mistakes in Java both during regular

development and during software evolution • and create programs that behave incorrectly

Sun Microsystems does not want Java to be used in safety-critical contexts


Contents of the Windows 2000 LicenseNOTE ON JAVA SUPPORT

THE SOFTWARE PRODUCT MAY CONTAIN SUPPORT FOR PROGRAMS WRITTEN IN JAVA.

JAVA TECHNOLOGY IS NOT FAULT TOLERANT AND IS NOT DESIGNED, MANUFACTURED, OR INTENDED FOR USE OR RESALE AS ON-LINE CONTROL EQUIPMENT IN HAZARDOUS ENVIRONMENTS REQUIRING FAIL-SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, DIRECT LIFE SUPPORT MACHINES, OR WEAPONS SYSTEMS, IN WHICH THE FAILURE OF JAVA TECHNOLOGY COULD LEAD DIRECTLY TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE.

Sun Microsystems, Inc. has contractually obligated Microsoft to make this disclaimer.


The Ada Programming Language


Ada

Industrial-strength version of Pascal designed to build:• Safe, and secure software• Software that needs to evolve• Systems where software matters (e.g. real-time systems)• Mixed-language software

Language designed by an international team• 1983: First version of the language

- Object- based language, not object oriented• 1995: First standard revised (e.g. OO programming added)

- First object-oriented language to be an ISO standard

Only language to have a formal compiler validation procedure

• Validation procedure is an ISO standard (> 4,000 compiler tests)


Ada: Use it for Safety-Related Systems

Safety standards recommend the use of Ada for the highest integrity levels

Even the MISRA-C document recommends the use of Ada:Guidelines for the Use of the C Language in Vehicle Based Software:• “… it should be recognized that there are other languages available which

are in general better suited to safety-related systems, having (for example) fewer insecurities and better type checking. Examples of Languages generally recognized to be more suitable than C are Ada and Modula 2. If such languages could be available for a proposed system then their use should be seriously considered in preference to C.” page 3.


Ada-Inspired Programming Features

C++• Templates (Generics)• Exceptions

Java• Array index checking• Division by zero checks


Some Languages Derived from Ada

SPARK• Subset of Ada used to design the most safety-critical systems

VHDL• Used for chip design

PL SQL• New programming language designed to extend SQL and make it a full

programming language


Some Industrial Applications in Ada

Business-critical• Canal+ Technologies: Pay-per-view, access control• BNP: Trading Language• Philips: Semiconductor assembly equipment• Helsinki radiotelescope

Mission-critical• Astree: European-wide railroad signaling• Weirton Steel - process controller• Mondex electronic money• Scanning Electron microscope

Safety-critical • Airbus A340• Boeing 777


Ada & Software Costs


Ada and Software Costs (1995 Study)

0200400600800

10001200140016001800

350 700 1,050 1,400 1,750 2,100Function Points

1000

s of

199

4 D

olla

rs

AdaOther HOLsC

270,000 LOC

225,000 LOC

150,000 LOC

135,000 LOC

112,500 LOC

75,000 LOC

Source: MITRE (Avionics domain)


Ziegler’s Study: Comparing C & Ada1995 study on the VADS compiler

• 60 engineers, from 1984 ..1994 with MS degrees in computer science• All knew C at hire. All programmed in both C and Ada.

VADS • About 4.5 million lines of code, 22000 files, cost >$28m over 10 years

0

500000

1000000

1500000

2000000

2500000

C Code Ada Code Make Scripts Miscellany

All

Line

s


Costs Per Feature During Implementation

cost/feature:

$0

$50

$100

$150

$200

$250

$300

$350

C C, including Makef iles ADA


Post-Delivery (User-Reported) Defects

0

200

400

600

800

1000

1200

Critical Defects Severe Defects Minor defects Total Defects

C

Ada


Some Non-Reasons for Ada’s Advantage

Not because of people: • The same people used both languages

Not because of process: • The same process was used, for design, for testing, for debugging, for

source control, for management, and so forth• C required ‘makefiles’, but had tighter coding standards

Not because of Ada’s highest level constructs:• VADS used few generics or tasks

Not because of reuse:• This study considers only unique code, factoring out reuse


Some Reasons for Ada’s Advantage

Ada Enabled Better Error Locality• Most errors caught at compile-time• Runtime errors are easier to trace

Ada Enabled Better Tool Support• Ada’s richer semantic model allows computers to help more• For example, builds are automated and guaranteed consistent

Ada Reduced Effective Complexity• Function of language complexity and application complexity• Standard language complexity is easier to learn and use

Ada Encouraged Better Program Organization• Packages, with specifications and private parts


Summary

Developing software in Ada is 60% cheaper than in C

Code developed in Ada has 9 times less bugs than in C

Was Ada consistently better? *YES*• Over different subsets of VADS• For experienced AND inexperienced programmers• For both C experts AND Ada experts• For the highest AND lowest rated programmers

Was Ada harder to learn? *No*

Was Ada code more reliable? *YES*

http://www.adaic.com/whyada/ada-vs-c/cada_art.html


Ada & Education


From an Education Perspective

Ada is a good language to teach good software practice• Reliability, safety, security

Ada 95 allows to design functionality-oriented as well as object-oriented software

• Ada allows the construction of software that can evolve

Today there is a Free Software high-quality Ada 95 compiler available to all

• GNAT (GNU Ada)• Linux, Solaris, Windows, …


You Should Know Several Languages

No single programming language is appropriate in every circumstance

Today most systems use a mixture of programming languages


Example: MULTOS CA

Multiple application OS for smart cards

30%: SPARK (Ada subset)• “Security kernel” of tamper- proof software• Certified at the HIGHEST security level

30%: Ada 95 Infrastructure • (concurrency, inter- task and inter- process communications, database interfaces

etc.), bindings to ODBC and Win32

30%: C++• GUI (Microsoft Foundation Classes)

5%: C• Device drivers, cryptographic algorithms

5%: SQL Database stored procedures

programming languages and software construction

Technology