Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Programming in the Small:
Common C/C++/Java Pitfalls
  & How Ada Avoids them
               Franco Gasperoni
            g...
Copyright Notice

              ► © ACT Europe under the GNU Free Documentation License

              ► Permission is gra...
Suggested Reading

              ► C Traps and Pitfalls
                     • by Andrew Koenig (Addison Wesley)


       ...
Other Interesting Material

              ► Other Interesting Links
                     • http://www.elj.com/cppcv3/
    ...
Lecture Summary


             ► In this lecture we concentrate on programming in the small

             ► We show some c...
What is Programming in the Small ?

              ► A computer can perform only very simple operations
              ► A p...
Programming:
                              Abstraction, Structure & Coding Detail




                                    ...
Programming in the Large:
                             Abstraction & Structure




http://libre.act-europe.fr             ...
Programming in the Small:
                             Coding Detail



                                .
                ...
Programming in the Small with C

              ► C makes the following assumption:
                     • Trust the progra...
Important Note

              ► All C/C++/Java code examples showed in this lecture compile
                     • They ar...
Note on the Ada Compiler

              ► In this course we use GNAT
                     • GNAT is the GNU Ada 95 compile...
C/C++ Consistency Problems




       © ACT Europe under the GNU Free Documentation License
What is the Program Output ?

                               int main () {                              ► This program com...
The Program Crashes. Why?




http://libre.act-europe.fr                                                                 1...
Where does printf() Come From?
                                              int main () {
                               ...
The Ada Version

            with Text_IO;

            procedure Main is
               Length : Integer := 8265;
       ...
Procedure Main
                                                            ► Procedure Main
                              ...
Inside Procedure Main


         with Text_IO;

         procedure Main is                                  ► Declarative ...
with Text_IO;

                                                              ► List of compilation units whose services ar...
Ada Guarantees Consistency

                                                                  ► Compiler
                 ...
C Does not Guarantee Consistency
                                                                    ► Check all the warni...
What about C++ and Java?

              ► C++
                     • Same problem as in C
                     • Not only ...
Notes on the Ada Example




      © ACT Europe under the GNU Free Documentation License
use Text_IO;

                                                              ► By putting a use clause you can (but don't
 ...
The ' img Attribute


         with Text_IO; use Text_IO;

         procedure Main is
            Length : Integer := 8265...
Structure of an Ada Program




       © ACT Europe under the GNU Free Documentation License
General Structure of an Ada Program



                              with …;                                         with ...
A Simple Example
        with Text_IO; use Text_IO;                                       function Fact (N : Integer) retu...
Building & Executing Display_Fact



                                                                   ► GNAT has an auto...
Note on the Concatenation Operator &

                                  with Text_IO; use Text_IO;
                       ...
Note on For Loops

                                                                           ► In for loops, the loop var...
C/C++/Java Numeric Pitfall




       © ACT Europe under the GNU Free Documentation License
What is the Program Output ?

                        #include <stdio.h>                                      ► This progr...
Surprised ?




                                                                     Was this the programmer’s intent ?


...
Numbers in C/C++/Java

              ► In C/C++/Java numbers starting with 0 are octal numbers

              ► This is a ...
Numbers in Ada
                             Length : Integer := 8265;
                             Width   : Integer := 02...
Some C/C++ Lexical & Syntactic Pitfalls




             © ACT Europe under the GNU Free Documentation License
Is the Following Code Correct ?

                              #include <limits.h>

                              /* If *y...
There are 4 Bugs
              ► = versus ==
                 • Using “=“ for assignment and “==“ for equality is a poor c...
What about Java?

            ► = versus ==
               • This problem exists in Java for boolean,                     ...
The Correct Version

                              #include <limits.h>

                              /* If *y is null and...
Ada Solves all the Previous Pitfalls

            -- If Y is null and X > 0 set K to the biggest positive integer.
       ...
Simpler Ada Version: quot;elsifquot; quot;and thenquot;

            -- If Y is null and X > 0 set K to the biggest positi...
Lexical & Syntactic Clarity in Ada

              ► = means equality while := means assignment
                     • If y...
Side Note on Ada Attributes




       © ACT Europe under the GNU Free Documentation License
Attributes


              ► Ada types, objects, and other entities can have attributes

              ► An attribute is a...
Example of Scalar Attributes

              ► Given T some scalar type (Integer, Float, etc)
              ► Given X an ob...
Example of Integer ' Last

            procedure Check_Divide_And_Increment (K : in out Integer; I : Integer; J : in out I...
More C/C++/Java Syntactic Pitfalls




           © ACT Europe under the GNU Free Documentation License
Case Sensitivity Is Error-Prone
                              // In file1                                          // In f...
Is the Following Code Correct ?

                               // If the signal ahead is clear then increase the speed.

...
Bugs can Have Serious Consequences




http://libre.act-europe.fr                                                         ...
Be Careful of Spurious Semicolons

                               // If the signal ahead is clear then increase the speed....
The Ada Version is Always Safe

                               -- If the signal ahead is clear then increase the speed.

 ...
More Bad Luck in C/C++/Java:
                             Enumerations and Switch Statements
                             ...
Defects in the Previous Code
                                                                     void handle_alert (enum ...
Ada is Safer (and Less Verbose)

     type Alert_Type is (LOW, MEDIUM, HIGH, VERY_HIGH);                                ► ...
Combining Cases

                               procedure Process_Alert (Alert : Alert_Type) is
                          ...
Using a Default Clause

                               procedure Process_Alert (Alert : Alert_Type) is
                   ...
Using a Range

                               procedure Process_Alert (Alert : Alert_Type) is
                            ...
Enumeration Types in Ada
                             type Alert_Types is (LOW, MEDIUM, HIGH, VERY_HIGH);

               ...
Enumeration Types and Attributes



                              Alert_Type ' First                           LOW

      ...
Predefined Enumerations in Ada




                              type Boolean                          is (False, True);

...
Predefined Enumerations: Examples

                             function Is_Letter (C : Character) return Boolean is
     ...
Conciseness Versus Readability




         © ACT Europe under the GNU Free Documentation License
Always Favor Readability

              ► What does the following mean:                                               int ...
Conciseness and Non Determinism

              ► What does the following mean:
                                           ...
C/C++ Conciseness is Not So Concise
                             and It Can Be Inefficient

              ► What's the pro...
If Anybody Can't Read It Don't Write It

              ► A piece of code is written once ….

              ► … but read an...
Coding Conventions and Readability

              ► Use coding conventions favoring readability
              ► Typical C+...
C/C++/Java Type System




     © ACT Europe under the GNU Free Documentation License
What is a Type?

              A type is characterized by:

              ► The set of values an expression of that type c...
Pre-Defined and User-Defined Types

              ► Some types can be pre-defined by the language
                     • E...
Objects, Variables and Constants


              ► An object of a given type is a run-time entity (usually a piece of
    ...
Example

                                  An object with name w
                                  The object is a variabl...
Type Checking
              ► Type checking is the process that checks that programs
                conform to the typing...
Strong Typing is Good


              ► It guarantees a program will not crash

              ► It tells the programmer wh...
Some Examples

              ► Strongly (mainly statically) typed languages:
                     • Ada, Eiffel, Java

   ...
Typing Problems Common to C/C++/Java

              ► No user-defined types for
                     • Scalars (characters...
Example of
C/C++/Java Type System Weakness
    No User-Defined Scalar Types


           © ACT Europe under the GNU Free D...
C/C++ Example
             typedef int Time;
                                                                        ► The...
Bugs can have Disastrous Consequences




http://libre.act-europe.fr                                                      ...
What's Wrong with C/C++
             typedef int Time;
                                                                  ►...
Things are Even Worse in Java

           ► There are no typedef in Java                                  final int SAFETY...
What About Ada?
                                                                         -- Buggy code. DON'T write this
 ...
Defining New Types in Ada

              ► Users can define their own types in Ada

              ► In C/C++/Java users ca...
User Defined Integer Types in Ada

                                                             ► Each user defined intege...
Ada is Strongly Typed (1 of 2)

                                                                     ► When you define the...
Ada is Strongly Typed (2 of 2)


     type Time       is range 0 .. 3_600;
     type Distance   is range 0 .. 1_000;
     ...
The Correct Ada Version
      type Time     is range 0 .. 3_600;
      type Distance is range 0 .. 1_000;
      type Speed...
But What About?

                                                                         ► How do you know it was
    typ...
Ada has Named Parameters

                             type A_Type is …;

                             procedure Safe_Copy...
Avoiding Parameter Confusion in Ada

              Summary: Two lines of defense

              ► User defined types

    ...
Example of
C/C++/Java Type System Weakness
     Integer Overflow Semantics


           © ACT Europe under the GNU Free Do...
Overflow in C/C++/Java
                                #include <limits.h>

                                void compute (...
Overflow in Ada

                                procedure Compute is
                                   K : Integer := In...
Example: Overflow in Action in Ada

                                                                         ► In GNAT you...
The Pernicious Effects of Wrap-Around
                             Semantics: A Java Example

       final int RADIO_PORT ...
Infinite Loop when last_byte == 127

              Two problems:

              1. Wrap around semantics of type byte
    ...
The Ada Version is Safe

     type Port is range 0 .. 255;
     type Byte is range -128 .. 127;

     RADIO_PORT : constan...
Checks and Overflows Summary

              ► In Ada
                     •       Every integer overflow raises an excepti...
Side Notes on Ada Types




      © ACT Europe under the GNU Free Documentation License
Unsigned Integers

              ► Ada has the choice of two sorts of integer types:
                     • Signed integer...
Subtypes

              ► Sometimes you want to add additional constraints to a type
                without creating a ne...
Predefined Ada Subtypes


                             subtype Natural is Integer range 0 .. Integer ’ Last;

            ...
Exceptions in Ada




  © ACT Europe under the GNU Free Documentation License
When a Check Fails an Exception is
                             Raised in Ada




http://libre.act-europe.fr              ...
Ada Predefined Exceptions

                    The following predefined exceptions are raised when
                    som...
Creating Your Own Exceptions
                                       procedure Checks is
                                  ...
What Happens at Execution Time?
                                      procedure Checks is
                                ...
http://libre.act-europe.fr                                                           112
                             © AC...
Displaying the Traceback
                             (How you Got There)
                                   with Ada.Exce...
-bargs: Program binder arguments:
                                                                                        ...
What Happens at Execution Time
                                   with Ada.Exceptions;                                 use...
Catching a Predefined Exception


             with Text_IO; use Text_IO;
             procedure Checks is
               ...
Catching Your Own Exceptions
 with Text_IO; use Text_IO;
 procedure Checks is
    Internal_Error : Exception;

     proced...
Catching an Exception Where You Want
                     procedure Checks is
                       …
                   ...
Example of a Declare Block
                                   procedure Calc (A, B : Float) is
                           ...
Array Pitfalls in C




   © ACT Europe under the GNU Free Documentation License
Arrays in C

              ► No real arrays in C
              ► An array is just a pointer to a chunk of memory

        ...
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Developing Software that Matters II
Upcoming SlideShare
Loading in …5
×

Developing Software that Matters II

1,430 views

Published on

Author: ACT Europe.
License: GFDL

Slides objectives:

Help you build software that are more:
• Dependable
• Adaptable
• Fun to develop

Show problems & pitfalls in
• Functionality-oriented C-derived languages
• C, C++, Java • Object-oriented
• Structural problems

Published in: Technology, News & Politics

Developing Software that Matters II

  1. 1. Programming in the Small: Common C/C++/Java Pitfalls & How Ada Avoids them Franco Gasperoni gasperon@act-europe.fr http://libre.act-europe.fr/Software_Matters © ACT Europe under the GNU Free Documentation License
  2. 2. Copyright Notice ► © ACT Europe under the GNU Free Documentation License ► Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; provided its original author is mentioned and the link to http://libre.act-europe.fr/ is kept at the bottom of every non-title slide. A copy of the license is included in available at: http://www.fsf.org/licenses/fdl.html http://libre.act-europe.fr 2 © ACT Europe under the GNU Free Documentation License
  3. 3. Suggested Reading ► C Traps and Pitfalls • by Andrew Koenig (Addison Wesley) ► Guidelines for the Use of the C Language in Vehicle Based Software • Purchasing info at http://www.misra.org.uk/misra-c.htm ► Multilanguage Programming on the JVM: The Ada 95 Benefits • http://libre.act-europe.fr/Why_Ada/ada-on-jvm.pdf http://libre.act-europe.fr 3 © ACT Europe under the GNU Free Documentation License
  4. 4. Other Interesting Material ► Other Interesting Links • http://www.elj.com/cppcv3/ - A critique of C++ • http://www.cs.mdx.ac.uk/harold/srf/javaspae.html - A critique of Java • http://www.jaegers.net/humor/stroustrup.php - Stroustrup's interview leaked • http://www.web-hits.org/txt/codingunmaintainable.html - How to write unmaintainable code ► Other interesting books • Effective C++, by Scott Myers (Addison Wesley) • Java Pitfalls, by Michael C. Daconta et al., (Wiley) • Objects Unencapsulated: Java, Eiffel, and C++, by Ian Joyner (Prentice Hall) http://libre.act-europe.fr 4 © ACT Europe under the GNU Free Documentation License
  5. 5. Lecture Summary ► In this lecture we concentrate on programming in the small ► We show some common C/C++/Java pitfalls when programming in the small ► We show how Ada avoids them http://libre.act-europe.fr 5 © ACT Europe under the GNU Free Documentation License
  6. 6. What is Programming in the Small ? ► A computer can perform only very simple operations ► A program performs complex tasks by grouping together large numbers of simple operations ► Programming in the large • Designing the abstractions and structure around which the simple computer operations will be organized • The structuring unit varies from language to language (e.g. module, package, class, file, etc.) • This is like doing the architectural drawing of a building ► Programming in the small • Sometimes called coding, this activity refers to filling in the details of the above design • The details are the explicit, step-by-step instructions for performing fairly small-scale tasks: arithmetic operations, loops, decisions, etc. http://libre.act-europe.fr 6 © ACT Europe under the GNU Free Documentation License
  7. 7. Programming: Abstraction, Structure & Coding Detail Uses the services of Structuring element: Module, package, class, file, … http://libre.act-europe.fr 7 © ACT Europe under the GNU Free Documentation License
  8. 8. Programming in the Large: Abstraction & Structure http://libre.act-europe.fr 8 © ACT Europe under the GNU Free Documentation License
  9. 9. Programming in the Small: Coding Detail . . . if (TYPE_CONVENTION_FORTRAN_P (TREE_TYPE (gnu_array_object))) for (i = ndim - 1, gnat_temp = First (Expressions (gnat_node)); i >= 0; i--, gnat_temp = Next (gnat_temp)) gnat_expr_array[i] = gnat_temp; else for (i = 0, gnat_temp = First (Expressions (gnat_node)); i < ndim; i++, gnat_temp = Next (gnat_temp)) gnat_expr_array[i] = gnat_temp; . . . http://libre.act-europe.fr 9 © ACT Europe under the GNU Free Documentation License
  10. 10. Programming in the Small with C ► C makes the following assumption: • Trust the programmers, they never make mistakes • Favor program conciseness over its readability ► But: • Programmers do make mistakes • Programs are written once but read many times ► The C foundation of C++ & Java leads to fragile software • Software where it is easy to make mistakes • Software that is hard to read • Software that is hard to change http://libre.act-europe.fr 10 © ACT Europe under the GNU Free Documentation License
  11. 11. Important Note ► All C/C++/Java code examples showed in this lecture compile • They are quot;correctquot; according to the C/C++/Java semantics • But they contain some serious FLAWS (they have bugs that are not detected by C/C++/Java) ► Most of the pitfalls shown in this lecture are written in C/C++ • They can easily be converted to Java ► Some pitfalls only occur in C/C++ and not in Java • When this is the case it will be pointed out in the example ► This lecture is not an exhaustive list of C/C++/Java pitfalls • There are many more http://libre.act-europe.fr 11 © ACT Europe under the GNU Free Documentation License
  12. 12. Note on the Ada Compiler ► In this course we use GNAT • GNAT is the GNU Ada 95 compiler ► GNAT is widely available • You can download the sources of GNAT • Pre-built GNAT binaries available for - Linux, Solaris, Windows NT/2000 ► Available at • http://libre.act-europe.fr/GNAT/ http://libre.act-europe.fr 12 © ACT Europe under the GNU Free Documentation License
  13. 13. C/C++ Consistency Problems © ACT Europe under the GNU Free Documentation License
  14. 14. What is the Program Output ? int main () { ► This program compiles fine int length = 8265; int width = 0252; ► What is its output? int height = 8292; printf (length); printf (width); printf (height); } http://libre.act-europe.fr 14 © ACT Europe under the GNU Free Documentation License
  15. 15. The Program Crashes. Why? http://libre.act-europe.fr 15 © ACT Europe under the GNU Free Documentation License
  16. 16. Where does printf() Come From? int main () { int length = 8265; int width = 0252; int height = 8292; printf (length); printf (width); printf (height); } ► A default printf is defined in the C standard library as: - int printf (const char *format, …) ► C philosophy: The programmer is always right • C compiler assumes there is a routine somewhere with signature: - void printf (int); • The programmer must link with the library containing the correct printf http://libre.act-europe.fr 16 © ACT Europe under the GNU Free Documentation License
  17. 17. The Ada Version with Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length ' img); Text_IO . Put_Line (Width ' img); Text_IO . Put_Line (Height ' img); end Main; The Ada guarantee: If it runs it is consistent http://libre.act-europe.fr 17 © ACT Europe under the GNU Free Documentation License
  18. 18. Procedure Main ► Procedure Main • Stored in file main.adb • Technically this is called a compilation unit with Text_IO; ► A compilation unit can be the body or the spec (specification) of a: procedure Main is • procedure Length : Integer := 8265; • function Width : Integer := 0252; Height : Integer := 8292; • package (see next lecture) begin ► Spec = precise list of services exported Text_IO . Put_Line (Length'img); ► Body = implementation details Text_IO . Put_Line (Width'img); ► In GNAT: Text_IO . Put_Line (Height'img); • 1 compilation unit per file end Main; • File name matches unit name • 2 file extensions possible - .adb = Ada Body - .ads = Ada Spec Note: Ada is case insensitive http://libre.act-europe.fr 18 © ACT Europe under the GNU Free Documentation License
  19. 19. Inside Procedure Main with Text_IO; procedure Main is ► Declarative part: Contains the declaration of: Length : Integer := 8265; • Variable, types, nested procedures, nested Width : Integer := 0252; functions, ... used in procedure Main Height : Integer := 8292; begin ► Procedure statements Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; http://libre.act-europe.fr 19 © ACT Europe under the GNU Free Documentation License
  20. 20. with Text_IO; ► List of compilation units whose services are used in procedure Main with Text_IO; ► Text_IO is the predefined Ada text procedure Main is Input/Output library Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin ► Procedures declared in library Text_IO and Text_IO . Put_Line (Length'img); used in Main Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; http://libre.act-europe.fr 20 © ACT Europe under the GNU Free Documentation License
  21. 21. Ada Guarantees Consistency ► Compiler • Checks that you quot;withquot; a unit before using its services • Checks that you use the services of with-ed units correctly ► Binder/Linker • Check that the object of the units in the program you are trying to link are the correct ones http://libre.act-europe.fr 21 © ACT Europe under the GNU Free Documentation License
  22. 22. C Does not Guarantee Consistency ► Check all the warnings ► You can improve the situation as follows: ► If you are not sure which objects you are linking delete all objects ► Always #include the headers of and recompile everything before the files whose services your are linking using ► There are additional tricks http://libre.act-europe.fr 22 © ACT Europe under the GNU Free Documentation License
  23. 23. What about C++ and Java? ► C++ • Same problem as in C • Not only for its C subset but also for C++ methods ► Java • Problem partly fixed by checks performed by the Java Virtual Machine at execution time • The problem still exists in the presence of implicit conversions - See http://libre.act-europe.fr/Why_Ada/ada-on-jvm.pdf http://libre.act-europe.fr 23 © ACT Europe under the GNU Free Documentation License
  24. 24. Notes on the Ada Example © ACT Europe under the GNU Free Documentation License
  25. 25. use Text_IO; ► By putting a use clause you can (but don't have to) omit the Text_IO prefix inside Main with Text_IO; use Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; http://libre.act-europe.fr 25 © ACT Europe under the GNU Free Documentation License
  26. 26. The ' img Attribute with Text_IO; use Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin ► ' img is a predefined attribute Text_IO . Put_Line (Length ' img); • Given an integer or floating point number X, Text_IO . Put_Line (Width ' img); X ' img returns its string representation Text_IO . Put_Line (Height ' img); • More on attributes later on end Main; http://libre.act-europe.fr 26 © ACT Europe under the GNU Free Documentation License
  27. 27. Structure of an Ada Program © ACT Europe under the GNU Free Documentation License
  28. 28. General Structure of an Ada Program with …; with …; with …; with …; with …; with …; procedure Some_Main is … begin … end Some_Main; http://libre.act-europe.fr 28 © ACT Europe under the GNU Free Documentation License
  29. 29. A Simple Example with Text_IO; use Text_IO; function Fact (N : Integer) return Integer is procedure Display (S : String; X, Y : Integer) is begin begin if N <= 1 then Put_Line (S & quot; (quot; & X'img & quot;) = quot; & Y'img); return 1; end Display; else return N * Fact (N - 1); end if; end Fact; with Display; with Fact; procedure Display_Fact is begin for K in 1 .. 4 loop Display (quot;Factorialquot;, K, Fact (K)); end loop; end Display_Fact; http://libre.act-europe.fr 29 © ACT Europe under the GNU Free Documentation License
  30. 30. Building & Executing Display_Fact ► GNAT has an automatic quot;makequot; facility: gnatmake ► Gnatmake • Will compile or recompile the Ada sources that need to be compiled • It will bind and link them ► A make file is not necessary http://libre.act-europe.fr 30 © ACT Europe under the GNU Free Documentation License
  31. 31. Note on the Concatenation Operator & with Text_IO; use Text_IO; procedure Display (S : String; X, Y : Integer) is begin Put_Line (S & quot; (quot; & X'img & quot;) = quot; & Y'img); end Display; & = 1 2 3 4 5 A B 1 2 3 4 5 A B 1 dimensional arrays http://libre.act-europe.fr 31 © ACT Europe under the GNU Free Documentation License
  32. 32. Note on For Loops ► In for loops, the loop variable (K with Display; in the example) is implicitely with Fact; declared procedure Display_Fact is begin for K in 1 .. 4 loop ► The loop variable cannot be Display (quot;Factorialquot;, K, Fact (K)); modified inside the for loop end loop; end Display_Fact; ► The loop variable ceases to exist just after the loop http://libre.act-europe.fr 32 © ACT Europe under the GNU Free Documentation License
  33. 33. C/C++/Java Numeric Pitfall © ACT Europe under the GNU Free Documentation License
  34. 34. What is the Program Output ? #include <stdio.h> ► This program compiles fine int main () { ► What is its output? int length = 8265; int width = 0252; int height = 8292; printf (quot;length = %dnquot;, length); printf (quot;width = %dnquot;, width); printf (quot;height = %dnquot;, height); } http://libre.act-europe.fr 34 © ACT Europe under the GNU Free Documentation License
  35. 35. Surprised ? Was this the programmer’s intent ? http://libre.act-europe.fr 35 © ACT Europe under the GNU Free Documentation License
  36. 36. Numbers in C/C++/Java ► In C/C++/Java numbers starting with 0 are octal numbers ► This is a bad choice • Error-prone • Hard-to-read ► There is no way to specify numbers in base 2 • Very surprising giving the fact that C was meant for to be a low-level systems language ► Never use octal numbers http://libre.act-europe.fr 36 © ACT Europe under the GNU Free Documentation License
  37. 37. Numbers in Ada Length : Integer := 8265; Width : Integer := 0252; -- regular decimal number Width_8 : Integer := 8#252#; -- octal number B_Mask : Integer := 2#1100_1011#; -- binary number -- you can use “_” to separate digits W_Mask : Integer := 16#FFF1_A4B0#; -- Hexadecimal number ► If no base is specified the number a decimal number ► In Ada you can specify any base from 2 to 16 (for both integer and real (floating point) numbers ► Use the “_” to separate digits for clarity • 1_000_000_000 http://libre.act-europe.fr 37 © ACT Europe under the GNU Free Documentation License
  38. 38. Some C/C++ Lexical & Syntactic Pitfalls © ACT Europe under the GNU Free Documentation License
  39. 39. Is the Following Code Correct ? #include <limits.h> /* If *y is null and x > 0 set *k to the biggest positive integer. * If *y is null and x <=0 leave *k unchanged. * If *y is non null set *k to be x divided by *y and increment *y by 1. */ void check_divide (int *k, int x, int *y) { if (*y = 0) if (x > 0) *k = INT_MAX; else *k = x/*y /* it is safe to divide by *y since it cannot be 0 */; *y++; } ► This program compiles fine, but has a number of problems. Which ones? http://libre.act-europe.fr 39 © ACT Europe under the GNU Free Documentation License
  40. 40. There are 4 Bugs ► = versus == • Using “=“ for assignment and “==“ for equality is a poor choice • Use a compiler that warns you when you use “=“ inside tests - This is a hard problem because C++ style encourages the use of “=“ inside tests: while (*s1++ = *s2++); ► Dangling else problem • Always bracket everything ► Nestested y++ ► Bad comment • Use //-style comments, never /* */ if your C compiler supports it • Watch out for nested /* */ comments (/* /* */ */) ► Bad operator precedence *y++ means *(y++) • Put parentheses everywhere... http://libre.act-europe.fr 40 © ACT Europe under the GNU Free Documentation License
  41. 41. What about Java? ► = versus == • This problem exists in Java for boolean, boolean safety_flag; boolean danger_flag; but has been fixed for other data types … if (safety_flag = danger_flag) { ► Dangling else problem sound_alarm (); } • Problem is still there This is OK in Java ► Bad comment but is often a bug • Problem is still there ► Bad operator precedence *j++ means *(j++) • No * operator in Java. This Problem has been solved http://libre.act-europe.fr 41 © ACT Europe under the GNU Free Documentation License
  42. 42. The Correct Version #include <limits.h> /* If *y is null and x > 0 set *k to the biggest positive integer. * If *y is null and x <=0 leave *k unchanged. * If *y is non null set *k to be x divided by *y and increment *y by 1. */ void check_divide (int *k, int x, int *y) { if (*y == 0) { if ( x > 0) *k = INT_MAX; } else { *k = x / (*y) /* it is safe to divide by *y since it cannot be 0 */; (*y)++; } } http://libre.act-europe.fr 42 © ACT Europe under the GNU Free Documentation License
  43. 43. Ada Solves all the Previous Pitfalls -- If Y is null and X > 0 set K to the biggest positive integer. -- If Y is null and X <= 0 leave K unchanged. -- If Y is non null set K to be X divided by Y and increment Y by 1. procedure Check_Divide (K : in out Integer; I : Integer; J : in out Integer) is begin if Y = 0 then if X > 0 then K := Integer’Last; -- K is set to the largest Integer end if; else K := X / Y; -- it is safe to divide by Y since it cannot be 0 Y := Y + 1; end if; end Check_Divide; http://libre.act-europe.fr 43 © ACT Europe under the GNU Free Documentation License
  44. 44. Simpler Ada Version: quot;elsifquot; quot;and thenquot; -- If Y is null and X > 0 set K to the biggest positive integer. -- If Y is null and X <= 0 leave K unchanged. -- If Y is non null set K to be X divided by Y and increment Y by 1. procedure Check_Divide (K : in out Integer; I : Integer; J : in out Integer) is begin if Y = 0 and then X > 0 then K := Integer’Last; -- K is set to the largest Integer elsif Y /= 0 then K := X / Y; -- it is safe to divide by Y since it cannot be 0 Y := Y + 1; end if; end Check_Divide; http://libre.act-europe.fr 44 © ACT Europe under the GNU Free Documentation License
  45. 45. Lexical & Syntactic Clarity in Ada ► = means equality while := means assignment • If you use one instead of the other you get a compiler error ► No dangling else in Ada • if … then must be terminated with an end if; • If it isn't then you get a compiler error ► In Ada comments start with -- and go to the end of the line. No other type of comment ► No ++ operators in Ada ► No need for a * operator in Ada http://libre.act-europe.fr 45 © ACT Europe under the GNU Free Documentation License
  46. 46. Side Note on Ada Attributes © ACT Europe under the GNU Free Documentation License
  47. 47. Attributes ► Ada types, objects, and other entities can have attributes ► An attribute is a property of the type, object, etc http://libre.act-europe.fr 47 © ACT Europe under the GNU Free Documentation License
  48. 48. Example of Scalar Attributes ► Given T some scalar type (Integer, Float, etc) ► Given X an object of type T T ' First Smallest value in T T ' Last Largest value in T T ' image (X) String representation of X In GNAT you can use X ' img instead of T ' image (X) http://libre.act-europe.fr 48 © ACT Europe under the GNU Free Documentation License
  49. 49. Example of Integer ' Last procedure Check_Divide_And_Increment (K : in out Integer; I : Integer; J : in out Integer) is begin if Y = 0 then if X > 0 then K := Integer’Last; -- K is set to the largest Integer end if; else K = X / Y; -- it is safe to divide by Y since it cannot be 0 end if; Y := Y + 1; end Checked_Divide; http://libre.act-europe.fr 49 © ACT Europe under the GNU Free Documentation License
  50. 50. More C/C++/Java Syntactic Pitfalls © ACT Europe under the GNU Free Documentation License
  51. 51. Case Sensitivity Is Error-Prone // In file1 // In file2 int totalLength = 0; int totallength = 0; // In file3 void addLength (int length) { totallength += length; } ► C, C++ and Java are case-sensitive, Ada is case insensitive • K and k refer to two different things in C, C++, Java • K and k refer to the same thing in Ada ► This is error-prone http://libre.act-europe.fr 51 © ACT Europe under the GNU Free Documentation License
  52. 52. Is the Following Code Correct ? // If the signal ahead is clear then increase the speed. void increase_speed_if_safe (int speed, int signal) { if (signal == CLEAR); increase_speed (); } ► This program compiles fine, but has a problem. Which one? http://libre.act-europe.fr 52 © ACT Europe under the GNU Free Documentation License
  53. 53. Bugs can Have Serious Consequences http://libre.act-europe.fr 53 © ACT Europe under the GNU Free Documentation License
  54. 54. Be Careful of Spurious Semicolons // If the signal ahead is clear then increase the speed. void increase_speed_if_safe (int speed, int signal) { if (signal == CLEAR); increase_speed (); } http://libre.act-europe.fr 54 © ACT Europe under the GNU Free Documentation License
  55. 55. The Ada Version is Always Safe -- If the signal ahead is clear then increase the speed. procedure increase_speed_if_safe (speed : integer; signal : integer) is begin if signal = CLEAR then increase_speed; end if; end increase_speed_if_safe; ► If you write if signal = CLEAR then ; • You get a compiler error http://libre.act-europe.fr 55 © ACT Europe under the GNU Free Documentation License
  56. 56. More Bad Luck in C/C++/Java: Enumerations and Switch Statements enum Alert_Type {LOW, MEDIUM, HIGH, VERY_HIGH}; // C or C++. Java does not have enumerations, you have to use ints instead void handle_alert (enum Alert_Type alert) { switch (alert) { case LOW: activate_camera (); case MEDIUM: send_guard (); case HIGH: sound_alarm (); } } void process_alerts () { handle_alert (2); … ► This program compiles fine, but has a number of problems. Which ones? http://libre.act-europe.fr 56 © ACT Europe under the GNU Free Documentation License
  57. 57. Defects in the Previous Code void handle_alert (enum Alert_Type alert) { switch (alert) { case LOW: ► Don't forget break statements activate_camera (); break; case MEDIUM: ► C/C++/Java do not check that you send_guard (); have treated all cases in the switch break; case HIGH: ► You can use any integer value or sound_alarm (); object instead of an enum Alert_Type break; case VERY_HIGH: which in most cases will be an error alert_police (); break; } } void process_alerts () { handle_alert (HIGH); http://libre.act-europe.fr 57 © ACT Europe under the GNU Free Documentation License
  58. 58. Ada is Safer (and Less Verbose) type Alert_Type is (LOW, MEDIUM, HIGH, VERY_HIGH); ► No break statements procedure Process_Alert (Alert : Alert_Type) is ► Ada will check that you begin have treated all cases in case Alert is the case statement when LOW => Activate_Camera; when MEDIUM => ► You can only use an object Send_Guard; of type Alert_Type when HIGH => Sound_Alarm; when VERY_HIGH => Alert_Police; end case; end Process_Alert; http://libre.act-europe.fr 58 © ACT Europe under the GNU Free Documentation License
  59. 59. Combining Cases procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM => Send_Guard; when HIGH | VERY_HIGH => Sound_Alarm; Alert_Police; end case; end Process_Alert; http://libre.act-europe.fr 59 © ACT Europe under the GNU Free Documentation License
  60. 60. Using a Default Clause procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM => Send_Guard; when others => Sound_Alarm; Alert_Police; end case; end Process_Alert; http://libre.act-europe.fr 60 © ACT Europe under the GNU Free Documentation License
  61. 61. Using a Range procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM .. VERY_HIGH => Send_Guard; Sound_Alarm; Alert_Police; end case; end Process_Alert; ► A range is a set of ordered values • MEDIUM .. VERY_HIGH = MEDIUM, HIGH, VERY_HIGH http://libre.act-europe.fr 61 © ACT Europe under the GNU Free Documentation License
  62. 62. Enumeration Types in Ada type Alert_Types is (LOW, MEDIUM, HIGH, VERY_HIGH); procedure P (B : Integer) is A : Alert_Type; begin Compilation error A := B; … ► Enumerations are true types in Ada not an integer like in C or C++ • Java does not have enumerations so you must use integers // Java public static final int LOW = 0; public static final int MEDIUM = 0; public static final int HIGH = 0; public static final int VERY_HIGH = 0; http://libre.act-europe.fr 62 © ACT Europe under the GNU Free Documentation License
  63. 63. Enumeration Types and Attributes Alert_Type ' First LOW Alert_Type ' Last VERY_HIGH http://libre.act-europe.fr 63 © ACT Europe under the GNU Free Documentation License
  64. 64. Predefined Enumerations in Ada type Boolean is (False, True); type Character is (…, 'a', 'b', 'c', …); http://libre.act-europe.fr 64 © ACT Europe under the GNU Free Documentation License
  65. 65. Predefined Enumerations: Examples function Is_Letter (C : Character) return Boolean is begin return (C in 'a' .. 'z') or (C in 'A' .. 'Z'); end Is_Letter; function Is_Arithmetic_Operator (C : Character) return Boolean is begin case C is when '+' | '-' | '*' | '/' => return True; when others => return False; end case; end Is_Arithmetic_Operator; http://libre.act-europe.fr 65 © ACT Europe under the GNU Free Documentation License
  66. 66. Conciseness Versus Readability © ACT Europe under the GNU Free Documentation License
  67. 67. Always Favor Readability ► What does the following mean: int x; int y; • This is valid C/C++/Java int z; • It is very concise … … • … but not very readable x = y---z--; ► What does the following mean: x : integer; • This is valid Ada y : integer; z : integer; • It is less concise … … • … but very readable x := y - z; y := y - 1; z := z - 1; http://libre.act-europe.fr 67 © ACT Europe under the GNU Free Documentation License
  68. 68. Conciseness and Non Determinism ► What does the following mean: int k; • It compiles fine, but … int v [10]; • … Its semantics are undetermined … k = v [k++]; ► It could mean any one of the following (when written in Ada) K : Integer; K : Integer; V : array (0 .. 9) of Integer; V : array (0 .. 9) of Integer; … … K := V (K); K := V (K); K := K + 1; http://libre.act-europe.fr 68 © ACT Europe under the GNU Free Documentation License
  69. 69. C/C++ Conciseness is Not So Concise and It Can Be Inefficient ► What's the problem with this C/C++ typical code sequence? • It's inefficient on processors with specific string handling instructions char s1 [10]; char s2 [10]; … while (*s1++ = *s2++); ► Ada version is shorter and more efficient S1 : String (1 .. 10); S2 : String (1 .. 10); … S1 := S2; http://libre.act-europe.fr 69 © ACT Europe under the GNU Free Documentation License
  70. 70. If Anybody Can't Read It Don't Write It ► A piece of code is written once …. ► … but read and modified many many times ► C/C++/Java syntax favors conciseness over readability • This leads to bugs and lots of wasted time in debugging • This means that software is more costly to develop or is buggy or both ► Ada syntax favors readability • Ada compiler catches silly mistakes • Faster and cheaper to produce correct code when written in Ada http://libre.act-europe.fr 70 © ACT Europe under the GNU Free Documentation License
  71. 71. Coding Conventions and Readability ► Use coding conventions favoring readability ► Typical C++ and Java coding conventions hamper readability void thisFunctionNameIsHardToRead (); void This_Function_Name_Is_Easy_To_Read (); http://libre.act-europe.fr 71 © ACT Europe under the GNU Free Documentation License
  72. 72. C/C++/Java Type System © ACT Europe under the GNU Free Documentation License
  73. 73. What is a Type? A type is characterized by: ► The set of values an expression of that type can take ► The operations that can be applied to those values http://libre.act-europe.fr 73 © ACT Europe under the GNU Free Documentation License
  74. 74. Pre-Defined and User-Defined Types ► Some types can be pre-defined by the language • E.g. booleans, integers, characters, strings, etc ► Pre-defined types come with pre-defined operations • E.g. for integers: additions, subtractions, etc. ► Languages typically allow user-defined types and operations • User-defined operations are provided in the form of procedures and functions http://libre.act-europe.fr 74 © ACT Europe under the GNU Free Documentation License
  75. 75. Objects, Variables and Constants ► An object of a given type is a run-time entity (usually a piece of memory) containing values of the type ► A variable is an object whose value can change ► A constant is an object whose value cannot change after it has been initialized http://libre.act-europe.fr 75 © ACT Europe under the GNU Free Documentation License
  76. 76. Example An object with name w The object is a variable memory int w; w ► int is a pre-defined integer type in C whose values go from INT_MIN to INT_MAX ► Some of the predefined operations that can be applied to int are: • Addition, subtraction, multiplication, division, module, etc. http://libre.act-europe.fr 76 © ACT Europe under the GNU Free Documentation License
  77. 77. Type Checking ► Type checking is the process that checks that programs conform to the typing rules of the language ► Type checking can be performed • Statically at compile-time • Dynamically at execution-time ► A language is strongly typed if it prohibits • The application of an operation to an object that is not intended to support the operation (assignment is considered an operation) ► A language is weakly typed if it is not strongly typed http://libre.act-europe.fr 77 © ACT Europe under the GNU Free Documentation License
  78. 78. Strong Typing is Good ► It guarantees a program will not crash ► It tells the programmer when she has mixed quot;applesquot; with quot;orangesquot; http://libre.act-europe.fr 78 © ACT Europe under the GNU Free Documentation License
  79. 79. Some Examples ► Strongly (mainly statically) typed languages: • Ada, Eiffel, Java ► Strongly dynamically typed languages • Lisp, Smalltalk ► Weakly typed languages • C, C++ ► Completely untyped languages • assembly languages, shell scripts http://libre.act-europe.fr 79 © ACT Europe under the GNU Free Documentation License
  80. 80. Typing Problems Common to C/C++/Java ► No user-defined types for • Scalars (characters, integers, reals) • Pointers • Arrays ► Implicit conversions from integers to reals ► Weak overflow semantics rules for integers types ► Missing types • Enumerations • Character types in C/C++ • Fixed points • Unsigned integers in Java • Pointers to functions in Java http://libre.act-europe.fr 80 © ACT Europe under the GNU Free Documentation License
  81. 81. Example of C/C++/Java Type System Weakness No User-Defined Scalar Types © ACT Europe under the GNU Free Documentation License
  82. 82. C/C++ Example typedef int Time; ► The program to the left compiles typedef int Distance; fine … typedef int Speed; … const Speed SAFETY_SPEED = 120; ► … But there is something wrong … with it. What ? void increase_speed (Speed s); … void check_speed (Time t, Distance d) { Speed s = d/t; if (s < SAFETY_SPEED) increase_speed (t); } void perform_safety_checks () { Time t = get_time (); Distance d = get_distance (); … check_speed (d, t); } http://libre.act-europe.fr 82 © ACT Europe under the GNU Free Documentation License
  83. 83. Bugs can have Disastrous Consequences http://libre.act-europe.fr 83 © ACT Europe under the GNU Free Documentation License
  84. 84. What's Wrong with C/C++ typedef int Time; ► Program compiles fine but has 2 typedef int Distance; serious flaws that go undetected typedef int Speed; ► FLAW 1: … const Speed SAFETY_SPEED = 120; • t is a Time … • increase_speed() takes a Speed void increase_speed (Speed s); parameter … • Time and Speed are conceptually void check_speed (Time t, Distance d) { different, they should not be mixed up Speed s = d/t; ► FLAW 2: if (s < SAFETY_SPEED) increase_speed (t); • Distance and Time parameters have } been inverted void perform_safety_checks () { • Time and Distance are conceptually Time t = get_time (); different, they should not be mixed up Distance d = get_distance (); ► C/C++ provide NO HELP to the … programmer in detecting these check_speed (d, t); mistakes } http://libre.act-europe.fr 84 © ACT Europe under the GNU Free Documentation License
  85. 85. Things are Even Worse in Java ► There are no typedef in Java final int SAFETY_SPEED = 120; … ► Everything must be an int void check_speed (int t, int d) { int s = d/t; ► typedef are useful for documentation if (s < SAFETY_SPEED) purposes increase_speed (t); } ► typedef could be used to perform sanity void increase_speed (int s) { … } checks during code walkthroughs or void perform_safety_checks () { with simple tools int t = get_time (); int d = get_distance (); ► This problem is particularly severe in … check_speed (d, t); Java given that many API calls have } several indistinguishible int parameters: • AdjustmentEvent (Adjustable source, int id, int type, int value) http://libre.act-europe.fr 85 © ACT Europe under the GNU Free Documentation License
  86. 86. What About Ada? -- Buggy code. DON'T write this ► You can write the same buggy code in Ada, but … SAFETY_SPEED : constant Integer := 120; … procedure Increase_Speed (S : Integer); … ► … Ada has two lines of defense procedure Check_Speed (T : Integer; D : Integer) is S : Integer := D / T; that do not exist in C/C++ or begin if S < SAFETY_SPEED then Java to protect the programmer Increase_Speed (T); end if; • User defined types end Check_Speed; • Parameter associations procedure Perform_Safety_Checks is T : Integer := Get_Time; D : Integer := Get_Distance; begin … Check_Speed (D, T); end Perform_Safety_Checks; http://libre.act-europe.fr 86 © ACT Europe under the GNU Free Documentation License
  87. 87. Defining New Types in Ada ► Users can define their own types in Ada ► In C/C++/Java users can only define struct/union/class types • No user-defined scalar, pointer or array types -- Example of integer type definition in Ada type Time is range 0 .. 3_600; type Distance is range 0 .. 1_000; type Speed is range 0 .. 4_000; http://libre.act-europe.fr 87 © ACT Europe under the GNU Free Documentation License
  88. 88. User Defined Integer Types in Ada ► Each user defined integer type introduces a new type type Time is range 0 .. 3_600; ► This new type is NOT a synonym of Integer type Distance is range 0 .. 1_000; ► Each user defined integer type gives its type Speed is range 0 .. 4_000; bounds, i.e. the values any object of this type can take • Time ' First = 0 • Time ' Last = 3_600 http://libre.act-europe.fr 88 © ACT Europe under the GNU Free Documentation License
  89. 89. Ada is Strongly Typed (1 of 2) ► When you define the proper types type Time is range 0 .. 3_600; the Ada compiler catches the errors type Distance is range 0 .. 1_000; type Speed is range 0 .. 4_000; ► To mix different types you must SAFETY_SPEED : constant Speed := 120; use explicit conversions in Ada procedure Increase_Speed (S : Speed); ► D is of type Distance, T is of type procedure Check_Speed (T : Time; D : Distance) is Time, S is of type Speed S : Speed := D / T; Compilation error • Only objects of the same type can begin be mixed together in this fashion if S < SAFETY_SPEED then Increase_Speed (T); Compilation error end if; ► Increase_Speed is expecting a end Check_Speed; Speed parameter not a Time … http://libre.act-europe.fr 89 © ACT Europe under the GNU Free Documentation License
  90. 90. Ada is Strongly Typed (2 of 2) type Time is range 0 .. 3_600; type Distance is range 0 .. 1_000; type Speed is range 0 .. 4_000; … procedure Check_Speed (T : Time; D : Distance); … ► Parameter switched procedure Perform_Safety_Checks is T : Time := Get_Time; D : Distance := Get_Distance; begin … Check_Speed (D, T); Compilation error end Perform_Safety_Checks; http://libre.act-europe.fr 90 © ACT Europe under the GNU Free Documentation License
  91. 91. The Correct Ada Version type Time is range 0 .. 3_600; type Distance is range 0 .. 1_000; type Speed is range 0 .. 4_000; SAFETY_SPEED : constant Speed := 120; procedure Increase_Speed (S : Speed); procedure Check_Speed (T : Time; D : Distance) is S : Speed := Speed ( Integer(D) / Integer (T)); ► You must convert D and T to begin Integer to perform the division if S < SAFETY_SPEED then ► And then convert the result to Increase_Speed (S); type Speed end if; end Check_Speed; procedure Perform_Safety_Checks is T : Time := Get_Time; D : Distance := Get_Distance; begin … Check_Speed (T, D); end Perform_Safety_Checks; http://libre.act-europe.fr 91 © ACT Europe under the GNU Free Documentation License
  92. 92. But What About? ► How do you know it was type A_Type is …; Safe_Copy (X, Y) procedure Safe_Copy (Source : A_Type; Target : A_Type); and not procedure Try is Safe_Copy (Y, X) X : A_Type := …; Y : A_Type := …; begin ► You don't. That's why Ada Safe_Copy (X, Y); provides name parameters … end Try; http://libre.act-europe.fr 92 © ACT Europe under the GNU Free Documentation License
  93. 93. Ada has Named Parameters type A_Type is …; procedure Safe_Copy (Source : A_Type; Target : A_Type); procedure Try is X : A_Type := …; Y : A_Type := …; begin Safe_Copy (Source => X, Target => Y); … end Try; Named parameter http://libre.act-europe.fr 93 © ACT Europe under the GNU Free Documentation License
  94. 94. Avoiding Parameter Confusion in Ada Summary: Two lines of defense ► User defined types ► Named parameters http://libre.act-europe.fr 94 © ACT Europe under the GNU Free Documentation License
  95. 95. Example of C/C++/Java Type System Weakness Integer Overflow Semantics © ACT Europe under the GNU Free Documentation License
  96. 96. Overflow in C/C++/Java #include <limits.h> void compute () { int k = INT_MAX; k = k + 1; } ► In C/C++ signed integer overflow is undefined, anything can happen • All known implementations quot;wrap aroundquot; ► In Java wrap around semantics are part of the language http://libre.act-europe.fr 96 © ACT Europe under the GNU Free Documentation License
  97. 97. Overflow in Ada procedure Compute is K : Integer := Integer'Last; begin Exception raised K := K + 1; at execution time end Compute; ► EVERY time there is an integer overflow in Ada an exception is raised http://libre.act-europe.fr 97 © ACT Europe under the GNU Free Documentation License
  98. 98. Example: Overflow in Action in Ada ► In GNAT you have to use the switch -gnato to ask for integer overflow checking http://libre.act-europe.fr 98 © ACT Europe under the GNU Free Documentation License
  99. 99. The Pernicious Effects of Wrap-Around Semantics: A Java Example final int RADIO_PORT = …; void open (int port) {…} ► The program to the left compiles void send (int port, byte data) {…} fine, and runs … void close (int port) {…} void send_bytes (byte first_byte, byte last_byte) { ► … But there is something wrong open (RADIO_PORT); with it. What ? for (byte b = first_byte; b <= last_byte; b++) { send (RADIO_PORT, b); } close (RADIO_PORT); } http://libre.act-europe.fr 99 © ACT Europe under the GNU Free Documentation License
  100. 100. Infinite Loop when last_byte == 127 Two problems: 1. Wrap around semantics of type byte • When last_byte = b = 127 we execute the loop, we do b++ and b wraps to -128 2. There is no real for loop instruction in C/C++/Java for (x; y; z) {…} Means x; while (y) { …; z; } http://libre.act-europe.fr 100 © ACT Europe under the GNU Free Documentation License
  101. 101. The Ada Version is Safe type Port is range 0 .. 255; type Byte is range -128 .. 127; RADIO_PORT : constant Port := …; ► The code on the left runs fine procedure Open (P : Port); procedure Send (P : Port; B : Byte); ► There is a true for loop in Ada procedure Close (P : Port); (unlike C/C++/Java) procedure Send_Bytes (First : Byte; Last : Byte) is begin Open (RADIO_PORT); for B in First .. Last loop Send (RADIO_PORT, B); end loop; Close (RADIO_PORT); end Send_Bytes; http://libre.act-europe.fr 101 © ACT Europe under the GNU Free Documentation License
  102. 102. Checks and Overflows Summary ► In Ada • Every integer overflow raises an exception in Ada • Every division by zero raises an exception in Ada • Every array index overflow raises an exception in Ada • Etc. • You can disable all the Ada checks for deployment if you wish ► In Java • Java adopted most of the Ada checks except for integer overflow which wraps around in Java • Cannot disable checks in Java ► In C/C++ • No checks http://libre.act-europe.fr 102 © ACT Europe under the GNU Free Documentation License
  103. 103. Side Notes on Ada Types © ACT Europe under the GNU Free Documentation License
  104. 104. Unsigned Integers ► Ada has the choice of two sorts of integer types: • Signed integers (an exception is raised in case of an overflow) • Unsigned integers (wrap-around semantics) -- Example of unsigned integers in Ada procedure Try is type Hash_Index is mod 1023; H : Hash_Index := 1022; begin H := H + 1; -- H is equal to zero here end Try; http://libre.act-europe.fr 104 © ACT Europe under the GNU Free Documentation License
  105. 105. Subtypes ► Sometimes you want to add additional constraints to a type without creating a new type ► Ada provides the notion of subtype for that -- Example of unsigned integers in Ada procedure Try is type Day is (Mon, Tue, Wed, Thu, Fri, Sat, Sun); subtype Working_Day is Day range Mon .. Fri; D : Day := Mon; WD : Working_Day; begin WD := D; -- This is OK WD := Sun; -- This raises an exception end Try; http://libre.act-europe.fr 105 © ACT Europe under the GNU Free Documentation License
  106. 106. Predefined Ada Subtypes subtype Natural is Integer range 0 .. Integer ’ Last; subtype Positive is Natural range 1 .. Natural ’ Last; http://libre.act-europe.fr 106 © ACT Europe under the GNU Free Documentation License
  107. 107. Exceptions in Ada © ACT Europe under the GNU Free Documentation License
  108. 108. When a Check Fails an Exception is Raised in Ada http://libre.act-europe.fr 108 © ACT Europe under the GNU Free Documentation License
  109. 109. Ada Predefined Exceptions The following predefined exceptions are raised when something goes wrong in an Ada program ► Constraint_Error: integer overflow, computation error (divide by zero), array index out of range, null pointer dereferencing, … ► Storage_Error: no more memory available ► Program_Error: fundamental program error (e.g. end of function with no return statement) http://libre.act-europe.fr 109 © ACT Europe under the GNU Free Documentation License
  110. 110. Creating Your Own Exceptions procedure Checks is Internal_Error : Exception; procedure Foo is begin raise Internal_Error; end Foo; procedure Bar is begin Foo; end Bar; begin -- of Checks Bar; end Checks; http://libre.act-europe.fr 110 © ACT Europe under the GNU Free Documentation License
  111. 111. What Happens at Execution Time? procedure Checks is Internal_Error : Exception; procedure Foo is begin Exception raise Internal_Error; 3 raised end Foo; 2 procedure Bar is begin Foo; end Bar; 1 begin -- of Checks Bar; end Checks; http://libre.act-europe.fr 111 © ACT Europe under the GNU Free Documentation License
  112. 112. http://libre.act-europe.fr 112 © ACT Europe under the GNU Free Documentation License
  113. 113. Displaying the Traceback (How you Got There) with Ada.Exceptions; use Ada.Exceptions; with GNAT.Traceback.Symbolic; use GNAT.Traceback.Symbolic; with Text_IO; use Text_IO; procedure Checks is Internal_Error : Exception; procedure Foo is begin raise Internal_Error; end Foo; procedure Bar is begin Foo; end Bar; begin -- of Checks Bar; exception Exception Handler when E : others => Put_Line (quot;Raised exception : quot; & Exception_Name (E)); Put_Line (Symbolic_Traceback (E)); end Checks; http://libre.act-europe.fr 113 © ACT Europe under the GNU Free Documentation License
  114. 114. -bargs: Program binder arguments: -E: give exception traceback -cargs: Compiler arguments: -g: debugging on -gnatl: print out a program listing -gnato: overflow checks on http://libre.act-europe.fr 114 © ACT Europe under the GNU Free Documentation License
  115. 115. What Happens at Execution Time with Ada.Exceptions; use Ada.Exceptions; with GNAT.Traceback.Symbolic; use GNAT.Traceback.Symbolic; with Text_IO; use Text_IO; procedure Checks is Internal_Error : Exception; procedure Foo is begin raise Internal_Error; a end Foo; b procedure Bar is begin Foo; c end Bar; d begin -- of Checks Bar; e exception when E : others => Put_Line (quot;Raised exception : quot; & Exception_Name (E)); Put_Line (Symbolic_Traceback (E)); end Checks; http://libre.act-europe.fr 115 © ACT Europe under the GNU Free Documentation License
  116. 116. Catching a Predefined Exception with Text_IO; use Text_IO; procedure Checks is A : Integer := Integer ’ First; begin A := A - 1; exception when Constraint_Error => Put_Line (“Overflow occurred”); end Checks; http://libre.act-europe.fr 116 © ACT Europe under the GNU Free Documentation License
  117. 117. Catching Your Own Exceptions with Text_IO; use Text_IO; procedure Checks is Internal_Error : Exception; procedure Foo is begin raise Internal_Error; end Foo; procedure Bar is begin Foo; end Bar; begin -- of Checks Bar; exception when Internal_Error => Put_Line (“problem occurred”); when others => Put_Line (“some other exception”); end Checks; http://libre.act-europe.fr 117 © ACT Europe under the GNU Free Documentation License
  118. 118. Catching an Exception Where You Want procedure Checks is … begin -- of Checks : : : : to catch some : exception in a region : of code without exiting : : from the subprogram : you can use a declare block : : : : : : end Checks; http://libre.act-europe.fr 118 © ACT Europe under the GNU Free Documentation License
  119. 119. Example of a Declare Block procedure Calc (A, B : Float) is C, D : Float; begin … declare Old_C : Float := C; begin C := A * B; D := C ** 2; exception when Constraint_Error => C := Old_C; D := 0.0; end; … end Calc; http://libre.act-europe.fr 119 © ACT Europe under the GNU Free Documentation License
  120. 120. Array Pitfalls in C © ACT Europe under the GNU Free Documentation License
  121. 121. Arrays in C ► No real arrays in C ► An array is just a pointer to a chunk of memory #include <stdio.h> int main () { char *str = quot;bugyquot;; printf (quot;%cnquot;, 0 [str]); printf (quot;%cnquot;, * (str+1)); printf (quot;%cnquot;, * (2+str)); printf (quot;%cnquot;, str [3]); } http://libre.act-europe.fr 121 © ACT Europe under the GNU Free Documentation License

×