Developing Software that Matters II

Programming in the Small:
Common C/C++/Java Pitfalls
& How Ada Avoids them
Franco Gasperoni
gasperon@act-europe.fr
http://libre.act-europe.fr/Software_Matters
© ACT Europe under the GNU Free Documentation License

Copyright Notice

► © ACT Europe under the GNU Free Documentation License

► Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation
License, Version 1.1 or any later version published by the Free
Software Foundation; provided its original author is mentioned and
the link to http://libre.act-europe.fr/ is kept at the bottom of every
non-title slide. A copy of the license is included in available at:

http://www.fsf.org/licenses/fdl.html

http://libre.act-europe.fr 2

Suggested Reading

► C Traps and Pitfalls
• by Andrew Koenig (Addison Wesley)

► Guidelines for the Use of the C Language in Vehicle Based
Software
• Purchasing info at http://www.misra.org.uk/misra-c.htm

► Multilanguage Programming on the JVM: The Ada 95 Benefits
• http://libre.act-europe.fr/Why_Ada/ada-on-jvm.pdf


Other Interesting Material

► Other Interesting Links
• http://www.elj.com/cppcv3/
- A critique of C++
• http://www.cs.mdx.ac.uk/harold/srf/javaspae.html
- A critique of Java
• http://www.jaegers.net/humor/stroustrup.php
- Stroustrup's interview leaked
• http://www.web-hits.org/txt/codingunmaintainable.html
- How to write unmaintainable code
► Other interesting books
• Effective C++, by Scott Myers (Addison Wesley)
• Java Pitfalls, by Michael C. Daconta et al., (Wiley)
• Objects Unencapsulated: Java, Eiffel, and C++, by Ian Joyner
(Prentice Hall)

Lecture Summary

► In this lecture we concentrate on programming in the small

► We show some common C/C++/Java pitfalls when programming
in the small

► We show how Ada avoids them


What is Programming in the Small ?

► A computer can perform only very simple operations
► A program performs complex tasks by grouping together large numbers of
simple operations
► Programming in the large
• Designing the abstractions and structure around which the simple computer
operations will be organized
• The structuring unit varies from language to language (e.g. module,
package, class, file, etc.)
• This is like doing the architectural drawing of a building
► Programming in the small
• Sometimes called coding, this activity refers to filling in the details of the
above design
• The details are the explicit, step-by-step instructions for performing fairly
small-scale tasks: arithmetic operations, loops, decisions, etc.


Programming:
Abstraction, Structure & Coding Detail

Uses the services of
Structuring element:
Module, package,
class, file, …


Programming in the Large:
Abstraction & Structure


Programming in the Small:
Coding Detail

.
.
.
if (TYPE_CONVENTION_FORTRAN_P (TREE_TYPE (gnu_array_object)))
for (i = ndim - 1, gnat_temp = First (Expressions (gnat_node));
i >= 0;
i--, gnat_temp = Next (gnat_temp))
gnat_expr_array[i] = gnat_temp;
else
for (i = 0, gnat_temp = First (Expressions (gnat_node));
i < ndim;
i++, gnat_temp = Next (gnat_temp))
gnat_expr_array[i] = gnat_temp;
.
.
.


Programming in the Small with C

► C makes the following assumption:
• Trust the programmers, they never make mistakes
• Favor program conciseness over its readability

► But:
• Programmers do make mistakes
• Programs are written once but read many times

► The C foundation of C++ & Java leads to fragile software
• Software where it is easy to make mistakes
• Software that is hard to read
• Software that is hard to change

Important Note

► All C/C++/Java code examples showed in this lecture compile
• They are quot;correctquot; according to the C/C++/Java semantics
• But they contain some serious FLAWS (they have bugs that are not
detected by C/C++/Java)

► Most of the pitfalls shown in this lecture are written in C/C++
• They can easily be converted to Java

► Some pitfalls only occur in C/C++ and not in Java
• When this is the case it will be pointed out in the example

► This lecture is not an exhaustive list of C/C++/Java pitfalls
• There are many more

Note on the Ada Compiler

► In this course we use GNAT
• GNAT is the GNU Ada 95 compiler

► GNAT is widely available
• You can download the sources of GNAT
• Pre-built GNAT binaries available for
- Linux, Solaris, Windows NT/2000

► Available at
• http://libre.act-europe.fr/GNAT/


C/C++ Consistency Problems


What is the Program Output ?

int main () { ► This program compiles fine
int length = 8265;
int width = 0252;
► What is its output?
int height = 8292;

printf (length);
printf (width);
printf (height);
}


The Program Crashes. Why?


Where does printf() Come From?
int main () {
int length = 8265;
int width = 0252;
int height = 8292;

printf (length);
printf (width);
printf (height);
}

► A default printf is defined in the C standard library as:
- int printf (const char *format, …)
► C philosophy: The programmer is always right
• C compiler assumes there is a routine somewhere with signature:
- void printf (int);
• The programmer must link with the library containing the correct printf

The Ada Version

with Text_IO;

procedure Main is
Length : Integer := 8265;
Width : Integer := 0252;
Height : Integer := 8292;
begin
Text_IO . Put_Line (Length ' img);
Text_IO . Put_Line (Width ' img);
Text_IO . Put_Line (Height ' img);
end Main;

The Ada guarantee:
If it runs it is consistent


Procedure Main
► Procedure Main
• Stored in file main.adb
• Technically this is called a compilation unit
with Text_IO;
► A compilation unit can be the body or the
spec (specification) of a:
procedure Main is
• procedure
• function
Height : Integer := 8292; • package (see next lecture)
begin ► Spec = precise list of services exported
Text_IO . Put_Line (Length'img); ► Body = implementation details
Text_IO . Put_Line (Width'img); ► In GNAT:
Text_IO . Put_Line (Height'img);
• 1 compilation unit per file
end Main;
• File name matches unit name
• 2 file extensions possible
- .adb = Ada Body
- .ads = Ada Spec
Note: Ada is case insensitive


Inside Procedure Main

with Text_IO;

procedure Main is ► Declarative part: Contains the declaration of:
• Variable, types, nested procedures, nested
functions, ... used in procedure Main
begin
► Procedure statements
Text_IO . Put_Line (Length'img);
Text_IO . Put_Line (Width'img);
end Main;


with Text_IO;

► List of compilation units whose services are
used in procedure Main
with Text_IO;
► Text_IO is the predefined Ada text
procedure Main is Input/Output library
begin
► Procedures declared in library Text_IO and
used in Main
end Main;


Ada Guarantees Consistency

► Compiler
• Checks that you quot;withquot; a unit
before using its services
• Checks that you use the
services of with-ed units
correctly

► Binder/Linker
• Check that the object of the
units in the program you are
trying to link are the correct
ones


C Does not Guarantee Consistency
► Check all the warnings
► You can improve the situation as
follows: ► If you are not sure which objects
you are linking delete all objects
► Always #include the headers of
and recompile everything before
the files whose services your are
linking
using
► There are additional tricks


What about C++ and Java?

► C++
• Same problem as in C
• Not only for its C subset but also for C++ methods

► Java
• Problem partly fixed by checks performed by the Java Virtual Machine
at execution time
• The problem still exists in the presence of implicit conversions
- See http://libre.act-europe.fr/Why_Ada/ada-on-jvm.pdf


Notes on the Ada Example


use Text_IO;

► By putting a use clause you can (but don't
have to) omit the Text_IO prefix inside Main
with Text_IO; use Text_IO;

procedure Main is
begin
end Main;


The ' img Attribute


procedure Main is
begin
► ' img is a predefined attribute
Text_IO . Put_Line (Length ' img);
• Given an integer or floating point number X,
Text_IO . Put_Line (Width ' img);
X ' img returns its string representation
Text_IO . Put_Line (Height ' img);
• More on attributes later on
end Main;


Structure of an Ada Program


General Structure of an Ada Program

with …; with …;

with …; with …; with …;

with …;
procedure Some_Main is
…
begin
…
end Some_Main;


A Simple Example
with Text_IO; use Text_IO; function Fact (N : Integer) return Integer is
procedure Display (S : String; X, Y : Integer) is begin
begin if N <= 1 then
Put_Line (S & quot; (quot; & X'img & quot;) = quot; & Y'img); return 1;
end Display; else
return N * Fact (N - 1);
end if;
end Fact;

with Display;
with Fact;
procedure Display_Fact is
begin
for K in 1 .. 4 loop
Display (quot;Factorialquot;, K, Fact (K));
end loop;
end Display_Fact;

Building & Executing Display_Fact

► GNAT has an automatic quot;makequot;
facility: gnatmake
► Gnatmake
• Will compile or recompile the
Ada sources that need to be
compiled
• It will bind and link them
► A make file is not necessary


Note on the Concatenation Operator &

procedure Display (S : String; X, Y : Integer) is
begin
Put_Line (S & quot; (quot; & X'img & quot;) = quot; & Y'img);
end Display;

& =
1 2 3 4 5 A B 1 2 3 4 5 A B

1 dimensional arrays


Note on For Loops

► In for loops, the loop variable (K
with Display;
in the example) is implicitely
with Fact;
declared
procedure Display_Fact is
begin
for K in 1 .. 4 loop ► The loop variable cannot be
Display (quot;Factorialquot;, K, Fact (K));
modified inside the for loop
end loop;
end Display_Fact;
► The loop variable ceases to exist
just after the loop


C/C++/Java Numeric Pitfall


What is the Program Output ?

#include <stdio.h> ► This program compiles fine
int main () {
► What is its output?
int length = 8265;
int width = 0252;
int height = 8292;

printf (quot;length = %dnquot;, length);
printf (quot;width = %dnquot;, width);
printf (quot;height = %dnquot;, height);
}


Surprised ?

Was this the programmer’s intent ?


Numbers in C/C++/Java

► In C/C++/Java numbers starting with 0 are octal numbers

► This is a bad choice
• Error-prone
• Hard-to-read

► There is no way to specify numbers in base 2
• Very surprising giving the fact that C was meant for to be a low-level
systems language

► Never use octal numbers


Numbers in Ada
Width : Integer := 0252; -- regular decimal number
Width_8 : Integer := 8#252#; -- octal number

B_Mask : Integer := 2#1100_1011#;
-- binary number
-- you can use “_” to separate digits
W_Mask : Integer := 16#FFF1_A4B0#; -- Hexadecimal number

► If no base is specified the number a decimal number
► In Ada you can specify any base from 2 to 16 (for both integer
and real (floating point) numbers
► Use the “_” to separate digits for clarity
• 1_000_000_000


Some C/C++ Lexical & Syntactic Pitfalls


Is the Following Code Correct ?

#include <limits.h>

/* If *y is null and x > 0 set *k to the biggest positive integer.
* If *y is null and x <=0 leave *k unchanged.
* If *y is non null set *k to be x divided by *y and increment *y by 1.
*/
void check_divide (int *k, int x, int *y) {
if (*y = 0)
if (x > 0)
*k = INT_MAX;
else
*k = x/*y /* it is safe to divide by *y since it cannot be 0 */;
*y++;
}

► This program compiles fine, but has a number of problems. Which ones?


There are 4 Bugs
► = versus ==
• Using “=“ for assignment and “==“ for equality is a poor choice
• Use a compiler that warns you when you use “=“ inside tests
- This is a hard problem because C++ style encourages the use of “=“ inside tests:
while (*s1++ = *s2++);

► Dangling else problem
• Always bracket everything
► Nestested y++
► Bad comment
• Use //-style comments, never /* */ if your C compiler supports it
• Watch out for nested /* */ comments (/* /* */ */)

► Bad operator precedence *y++ means *(y++)
• Put parentheses everywhere...

What about Java?

► = versus ==
• This problem exists in Java for boolean, boolean safety_flag;
boolean danger_flag;
but has been fixed for other data types
…
if (safety_flag = danger_flag) {
► Dangling else problem sound_alarm ();
}
• Problem is still there

This is OK in Java
► Bad comment but is often a bug
• Problem is still there

► Bad operator precedence *j++ means *(j++)
• No * operator in Java. This Problem has
been solved


The Correct Version

#include <limits.h>

/* If *y is null and x > 0 set *k to the biggest positive integer.
* If *y is null and x <=0 leave *k unchanged.
* If *y is non null set *k to be x divided by *y and increment *y by 1.
*/
void check_divide (int *k, int x, int *y) {
if (*y == 0) {
if ( x > 0)
*k = INT_MAX;
}
else {
*k = x / (*y) /* it is safe to divide by *y since it cannot be 0 */;
(*y)++;
}
}


Ada Solves all the Previous Pitfalls

-- If Y is null and X > 0 set K to the biggest positive integer.
-- If Y is null and X <= 0 leave K unchanged.
-- If Y is non null set K to be X divided by Y and increment Y by 1.

procedure Check_Divide (K : in out Integer; I : Integer; J : in out Integer) is
begin
if Y = 0 then
if X > 0 then
K := Integer’Last; -- K is set to the largest Integer
end if;
else
K := X / Y; -- it is safe to divide by Y since it cannot be 0
Y := Y + 1;
end if;
end Check_Divide;


Simpler Ada Version: quot;elsifquot; quot;and thenquot;

-- If Y is null and X > 0 set K to the biggest positive integer.
-- If Y is null and X <= 0 leave K unchanged.
-- If Y is non null set K to be X divided by Y and increment Y by 1.

procedure Check_Divide (K : in out Integer; I : Integer; J : in out Integer) is
begin
if Y = 0 and then X > 0 then
elsif Y /= 0 then
K := X / Y; -- it is safe to divide by Y since it cannot be 0
Y := Y + 1;
end if;
end Check_Divide;


Lexical & Syntactic Clarity in Ada

► = means equality while := means assignment
• If you use one instead of the other you get a compiler error

► No dangling else in Ada
• if … then must be terminated with an end if;
• If it isn't then you get a compiler error

► In Ada comments start with -- and go to the end of the line.
No other type of comment

► No ++ operators in Ada

► No need for a * operator in Ada

Side Note on Ada Attributes


Attributes

► Ada types, objects, and other entities can have attributes

► An attribute is a property of the type, object, etc


Example of Scalar Attributes

► Given T some scalar type (Integer, Float, etc)
► Given X an object of type T

T ' First Smallest value in T

T ' Last Largest value in T

T ' image (X) String representation of X

In GNAT you can use X ' img
instead of T ' image (X)


Example of Integer ' Last

procedure Check_Divide_And_Increment (K : in out Integer; I : Integer; J : in out Integer) is
begin
if Y = 0 then
if X > 0 then
end if;
else
K = X / Y; -- it is safe to divide by Y since it cannot be 0
end if;
Y := Y + 1;
end Checked_Divide;


More C/C++/Java Syntactic Pitfalls


Case Sensitivity Is Error-Prone
// In file1 // In file2
int totalLength = 0; int totallength = 0;

// In file3
void addLength (int length) {
totallength += length;
}

► C, C++ and Java are case-sensitive, Ada is case insensitive
• K and k refer to two different things in C, C++, Java
• K and k refer to the same thing in Ada
► This is error-prone


Is the Following Code Correct ?

// If the signal ahead is clear then increase the speed.

void increase_speed_if_safe (int speed, int signal) {
if (signal == CLEAR);
increase_speed ();
}

► This program compiles fine, but has a problem. Which one?


Bugs can Have Serious Consequences


Be Careful of Spurious Semicolons

// If the signal ahead is clear then increase the speed.

void increase_speed_if_safe (int speed, int signal) {
if (signal == CLEAR);
increase_speed ();
}


The Ada Version is Always Safe

-- If the signal ahead is clear then increase the speed.

procedure increase_speed_if_safe (speed : integer; signal : integer) is
begin
if signal = CLEAR then
increase_speed;
end if;
end increase_speed_if_safe;

► If you write
if signal = CLEAR then ;
• You get a compiler error


More Bad Luck in C/C++/Java:
Enumerations and Switch Statements
enum Alert_Type {LOW, MEDIUM, HIGH, VERY_HIGH};
// C or C++. Java does not have enumerations, you have to use ints instead

void handle_alert (enum Alert_Type alert) {
switch (alert) {
case LOW:
activate_camera ();
case MEDIUM:
send_guard ();
case HIGH:
sound_alarm ();
}
}

void process_alerts () {
handle_alert (2);
…

► This program compiles fine, but has a number of problems. Which ones?

Defects in the Previous Code
void handle_alert (enum Alert_Type alert) {
switch (alert) {
case LOW:
► Don't forget break statements activate_camera ();
break;
case MEDIUM:
► C/C++/Java do not check that you
send_guard ();
have treated all cases in the switch
break;
case HIGH:
► You can use any integer value or sound_alarm ();
object instead of an enum Alert_Type break;
case VERY_HIGH:
which in most cases will be an error
alert_police ();
break;
}
}
void process_alerts () {
handle_alert (HIGH);


Ada is Safer (and Less Verbose)

type Alert_Type is (LOW, MEDIUM, HIGH, VERY_HIGH); ► No break statements
procedure Process_Alert (Alert : Alert_Type) is
► Ada will check that you
begin
have treated all cases in
case Alert is
the case statement
when LOW =>
Activate_Camera;
when MEDIUM =>
► You can only use an object
Send_Guard;
of type Alert_Type
when HIGH =>
Sound_Alarm;
when VERY_HIGH =>
Alert_Police;
end case;
end Process_Alert;


Combining Cases

begin
case Alert is
when LOW =>
Activate_Camera;
when MEDIUM =>
Send_Guard;
when HIGH
| VERY_HIGH =>
Sound_Alarm;
Alert_Police;
end case;
end Process_Alert;


Using a Default Clause

begin
case Alert is
when LOW =>
Activate_Camera;
when MEDIUM =>
Send_Guard;
when others =>
Sound_Alarm;
Alert_Police;
end case;
end Process_Alert;


Using a Range

begin
case Alert is
when LOW =>
Activate_Camera;
when MEDIUM .. VERY_HIGH =>
Send_Guard;
Sound_Alarm;
Alert_Police;
end case;
end Process_Alert;

► A range is a set of ordered values
• MEDIUM .. VERY_HIGH = MEDIUM, HIGH, VERY_HIGH


Enumeration Types in Ada
type Alert_Types is (LOW, MEDIUM, HIGH, VERY_HIGH);

procedure P (B : Integer) is
A : Alert_Type;
begin
Compilation error
A := B;
…

► Enumerations are true types in Ada not an integer like in C or C++
• Java does not have enumerations so you must use integers

// Java
public static final int LOW = 0;
public static final int MEDIUM = 0;
public static final int HIGH = 0;
public static final int VERY_HIGH = 0;


Enumeration Types and Attributes

Alert_Type ' First LOW

Alert_Type ' Last VERY_HIGH


Predefined Enumerations in Ada

type Boolean is (False, True);

type Character is (…, 'a', 'b', 'c', …);


Predefined Enumerations: Examples

function Is_Letter (C : Character) return Boolean is
begin
return (C in 'a' .. 'z') or (C in 'A' .. 'Z');
end Is_Letter;

function Is_Arithmetic_Operator (C : Character) return Boolean is
begin
case C is
when '+' | '-' | '*' | '/' =>
return True;
when others =>
return False;
end case;
end Is_Arithmetic_Operator;


Conciseness Versus Readability


Always Favor Readability

► What does the following mean: int x;
int y;
• This is valid C/C++/Java
int z;
• It is very concise … …
• … but not very readable x = y---z--;

► What does the following mean:
x : integer;
• This is valid Ada y : integer;
z : integer;
• It is less concise …
…
• … but very readable
x := y - z;
y := y - 1;
z := z - 1;


Conciseness and Non Determinism

► What does the following mean:
int k;
• It compiles fine, but … int v [10];
• … Its semantics are undetermined …
k = v [k++];

► It could mean any one of the following (when written in Ada)

K : Integer; K : Integer;
V : array (0 .. 9) of Integer; V : array (0 .. 9) of Integer;
… …
K := V (K); K := V (K);
K := K + 1;


C/C++ Conciseness is Not So Concise
and It Can Be Inefficient

► What's the problem with this C/C++ typical code sequence?
• It's inefficient on processors with specific string handling instructions
char s1 [10];
char s2 [10];
…
while (*s1++ = *s2++);

► Ada version is shorter and more efficient

S1 : String (1 .. 10);
S2 : String (1 .. 10);
…
S1 := S2;


If Anybody Can't Read It Don't Write It

► A piece of code is written once ….

► … but read and modified many many times

► C/C++/Java syntax favors conciseness over readability
• This leads to bugs and lots of wasted time in debugging
• This means that software is more costly to develop or is buggy or both

► Ada syntax favors readability
• Ada compiler catches silly mistakes
• Faster and cheaper to produce correct code when written in Ada


Coding Conventions and Readability

► Use coding conventions favoring readability
► Typical C++ and Java coding conventions hamper readability

void thisFunctionNameIsHardToRead ();

void This_Function_Name_Is_Easy_To_Read ();


C/C++/Java Type System


What is a Type?

A type is characterized by:

► The set of values an expression of that type can take
► The operations that can be applied to those values


Pre-Defined and User-Defined Types

► Some types can be pre-defined by the language
• E.g. booleans, integers, characters, strings, etc

► Pre-defined types come with pre-defined operations
• E.g. for integers: additions, subtractions, etc.

► Languages typically allow user-defined types and operations
• User-defined operations are provided in the form of procedures and
functions


Objects, Variables and Constants

► An object of a given type is a run-time entity (usually a piece of
memory) containing values of the type

► A variable is an object whose value can change

► A constant is an object whose value cannot change after it has
been initialized


Example

An object with name w
The object is a variable memory

int w;
w

► int is a pre-defined integer type in C whose values go from
INT_MIN to INT_MAX
► Some of the predefined operations that can be applied to int are:
• Addition, subtraction, multiplication, division, module, etc.


Type Checking
► Type checking is the process that checks that programs
conform to the typing rules of the language

► Type checking can be performed
• Statically at compile-time
• Dynamically at execution-time

► A language is strongly typed if it prohibits
• The application of an operation to an object that is not intended to
support the operation (assignment is considered an operation)

► A language is weakly typed if it is not strongly typed

Strong Typing is Good

► It guarantees a program will not crash

► It tells the programmer when she has mixed quot;applesquot; with
quot;orangesquot;


Some Examples

► Strongly (mainly statically) typed languages:
• Ada, Eiffel, Java

► Strongly dynamically typed languages
• Lisp, Smalltalk

► Weakly typed languages
• C, C++

► Completely untyped languages
• assembly languages, shell scripts


Typing Problems Common to C/C++/Java

► No user-defined types for
• Scalars (characters, integers, reals)
• Pointers
• Arrays
► Implicit conversions from integers to reals
► Weak overflow semantics rules for integers types
► Missing types
• Enumerations
• Character types in C/C++
• Fixed points
• Unsigned integers in Java
• Pointers to functions in Java

Example of
C/C++/Java Type System Weakness
No User-Defined Scalar Types


C/C++ Example
typedef int Time;
► The program to the left compiles
typedef int Distance;
fine …
typedef int Speed;
…
const Speed SAFETY_SPEED = 120;
► … But there is something wrong
…
with it. What ?
void increase_speed (Speed s);
…
void check_speed (Time t, Distance d) {
Speed s = d/t;
if (s < SAFETY_SPEED)
increase_speed (t);
}
void perform_safety_checks () {
Time t = get_time ();
Distance d = get_distance ();
…
check_speed (d, t);
}

Bugs can have Disastrous Consequences


What's Wrong with C/C++
typedef int Time;
► Program compiles fine but has 2
typedef int Distance;
serious flaws that go undetected
typedef int Speed;
► FLAW 1:
…
const Speed SAFETY_SPEED = 120; • t is a Time
…
• increase_speed() takes a Speed
void increase_speed (Speed s);
parameter
…
• Time and Speed are conceptually
void check_speed (Time t, Distance d) {
different, they should not be mixed up
Speed s = d/t;
► FLAW 2:
if (s < SAFETY_SPEED)
increase_speed (t); • Distance and Time parameters have
} been inverted
void perform_safety_checks () { • Time and Distance are conceptually
Time t = get_time (); different, they should not be mixed up
Distance d = get_distance ();
► C/C++ provide NO HELP to the
…
programmer in detecting these
check_speed (d, t);
mistakes
}

Things are Even Worse in Java

► There are no typedef in Java final int SAFETY_SPEED = 120;
…
► Everything must be an int
void check_speed (int t, int d) {
int s = d/t;
► typedef are useful for documentation if (s < SAFETY_SPEED)
purposes increase_speed (t);
}
► typedef could be used to perform sanity
void increase_speed (int s) { … }
checks during code walkthroughs or
void perform_safety_checks () {
with simple tools
int t = get_time ();
int d = get_distance ();
► This problem is particularly severe in …
check_speed (d, t);
Java given that many API calls have
}
several indistinguishible int parameters:
• AdjustmentEvent (Adjustable source,
int id, int type, int value)


What About Ada?
-- Buggy code. DON'T write this
► You can write the same buggy
code in Ada, but … SAFETY_SPEED : constant Integer := 120;
…
procedure Increase_Speed (S : Integer);
…
► … Ada has two lines of defense procedure Check_Speed (T : Integer; D : Integer) is
S : Integer := D / T;
that do not exist in C/C++ or begin
if S < SAFETY_SPEED then
Java to protect the programmer Increase_Speed (T);
end if;
• User defined types end Check_Speed;

• Parameter associations procedure Perform_Safety_Checks is
T : Integer := Get_Time;
D : Integer := Get_Distance;
begin
…
Check_Speed (D, T);
end Perform_Safety_Checks;


Defining New Types in Ada

► Users can define their own types in Ada

► In C/C++/Java users can only define struct/union/class types
• No user-defined scalar, pointer or array types

-- Example of integer type definition in Ada

type Time is range 0 .. 3_600;

type Distance is range 0 .. 1_000;

type Speed is range 0 .. 4_000;


User Defined Integer Types in Ada

► Each user defined integer type introduces
a new type
► This new type is NOT a synonym of Integer

► Each user defined integer type gives its
bounds, i.e. the values any object of this
type can take
• Time ' First = 0
• Time ' Last = 3_600


Ada is Strongly Typed (1 of 2)

► When you define the proper types
the Ada compiler catches the errors
► To mix different types you must
SAFETY_SPEED : constant Speed := 120; use explicit conversions in Ada
procedure Increase_Speed (S : Speed);
► D is of type Distance, T is of type
procedure Check_Speed (T : Time; D : Distance) is Time, S is of type Speed
S : Speed := D / T; Compilation error • Only objects of the same type can
begin
be mixed together in this fashion
Increase_Speed (T); Compilation error
end if; ► Increase_Speed is expecting a
end Check_Speed; Speed parameter not a Time
…


Ada is Strongly Typed (2 of 2)

…
procedure Check_Speed (T : Time; D : Distance);
…
► Parameter switched
procedure Perform_Safety_Checks is
T : Time := Get_Time;
D : Distance := Get_Distance;
begin
…
Check_Speed (D, T); Compilation error


The Correct Ada Version

SAFETY_SPEED : constant Speed := 120;
procedure Increase_Speed (S : Speed);

procedure Check_Speed (T : Time; D : Distance) is
S : Speed := Speed ( Integer(D) / Integer (T)); ► You must convert D and T to
begin
Integer to perform the division
► And then convert the result to
Increase_Speed (S);
type Speed
end if;
end Check_Speed;
procedure Perform_Safety_Checks is
T : Time := Get_Time;
D : Distance := Get_Distance;
begin
…
Check_Speed (T, D);

But What About?

► How do you know it was
type A_Type is …;
Safe_Copy (X, Y)
procedure Safe_Copy (Source : A_Type; Target : A_Type);
and not
procedure Try is Safe_Copy (Y, X)
X : A_Type := …;
Y : A_Type := …;
begin ► You don't. That's why Ada
Safe_Copy (X, Y);
provides name parameters
…
end Try;


Ada has Named Parameters

type A_Type is …;

procedure Safe_Copy (Source : A_Type; Target : A_Type);

procedure Try is
X : A_Type := …;
Y : A_Type := …;
begin
Safe_Copy (Source => X, Target => Y);
…
end Try;

Named parameter


Avoiding Parameter Confusion in Ada

Summary: Two lines of defense

► User defined types

► Named parameters


Example of
C/C++/Java Type System Weakness
Integer Overflow Semantics


Overflow in C/C++/Java
#include <limits.h>

void compute () {
int k = INT_MAX;

k = k + 1;
}

► In C/C++ signed integer overflow is undefined, anything can
happen
• All known implementations quot;wrap aroundquot;

► In Java wrap around semantics are part of the language


Overflow in Ada

procedure Compute is
K : Integer := Integer'Last;
begin
Exception raised
K := K + 1;
at execution time
end Compute;

► EVERY time there is an integer overflow in Ada an exception is
raised


Example: Overflow in Action in Ada

► In GNAT you have to use the
switch -gnato to ask for integer
overflow checking


The Pernicious Effects of Wrap-Around
Semantics: A Java Example

final int RADIO_PORT = …;

void open (int port) {…}
► The program to the left compiles
void send (int port, byte data) {…}
fine, and runs …
void close (int port) {…}

void send_bytes (byte first_byte, byte last_byte) { ► … But there is something wrong
open (RADIO_PORT);
with it. What ?
for (byte b = first_byte; b <= last_byte; b++) {
send (RADIO_PORT, b);
}
close (RADIO_PORT);
}


Infinite Loop when last_byte == 127

Two problems:

1. Wrap around semantics of type byte
• When last_byte = b = 127 we execute the loop, we do b++ and b
wraps to -128

2. There is no real for loop instruction in C/C++/Java
for (x; y; z) {…}
Means
x; while (y) { …; z; }


The Ada Version is Safe

type Port is range 0 .. 255;
type Byte is range -128 .. 127;

RADIO_PORT : constant Port := …;
► The code on the left runs fine
procedure Open (P : Port);
procedure Send (P : Port; B : Byte); ► There is a true for loop in Ada
procedure Close (P : Port);
(unlike C/C++/Java)
procedure Send_Bytes (First : Byte; Last : Byte) is
begin
Open (RADIO_PORT);
for B in First .. Last loop
Send (RADIO_PORT, B);
end loop;
Close (RADIO_PORT);
end Send_Bytes;


Checks and Overflows Summary

► In Ada
• Every integer overflow raises an exception in Ada
• Every division by zero raises an exception in Ada
• Every array index overflow raises an exception in Ada
• Etc.
• You can disable all the Ada checks for deployment if you wish
► In Java
• Java adopted most of the Ada checks except for integer overflow
which wraps around in Java
• Cannot disable checks in Java
► In C/C++
• No checks

Side Notes on Ada Types


Unsigned Integers

► Ada has the choice of two sorts of integer types:
• Signed integers (an exception is raised in case of an overflow)
• Unsigned integers (wrap-around semantics)

-- Example of unsigned integers in Ada

procedure Try is
type Hash_Index is mod 1023;
H : Hash_Index := 1022;
begin
H := H + 1;
-- H is equal to zero here
end Try;


Subtypes

► Sometimes you want to add additional constraints to a type
without creating a new type
► Ada provides the notion of subtype for that
-- Example of unsigned integers in Ada

procedure Try is
type Day is (Mon, Tue, Wed, Thu, Fri, Sat, Sun);
subtype Working_Day is Day range Mon .. Fri;

D : Day := Mon;
WD : Working_Day;
begin
WD := D; -- This is OK
WD := Sun; -- This raises an exception
end Try;


Predefined Ada Subtypes

subtype Natural is Integer range 0 .. Integer ’ Last;

subtype Positive is Natural range 1 .. Natural ’ Last;


Exceptions in Ada


When a Check Fails an Exception is
Raised in Ada


Ada Predefined Exceptions

The following predefined exceptions are raised when
something goes wrong in an Ada program

► Constraint_Error: integer overflow, computation error (divide
by zero), array index out of range, null pointer dereferencing,
…

► Storage_Error: no more memory available

► Program_Error: fundamental program error (e.g. end of
function with no return statement)


Creating Your Own Exceptions
procedure Checks is
Internal_Error : Exception;

procedure Foo is
begin
raise Internal_Error;
end Foo;

procedure Bar is
begin
Foo;
end Bar;

begin -- of Checks
Bar;
end Checks;


What Happens at Execution Time?
procedure Checks is

procedure Foo is
begin Exception
raise Internal_Error; 3 raised
end Foo;
2
procedure Bar is
begin
Foo;
end Bar;
1
begin -- of Checks
Bar;
end Checks;


Displaying the Traceback
(How you Got There)
with Ada.Exceptions; use Ada.Exceptions;
with GNAT.Traceback.Symbolic; use GNAT.Traceback.Symbolic;

procedure Checks is

procedure Foo is
begin
end Foo;

procedure Bar is
begin
Foo;
end Bar;

begin -- of Checks
Bar;
exception
Exception Handler when E : others =>
Put_Line (quot;Raised exception : quot; & Exception_Name (E));
Put_Line (Symbolic_Traceback (E));
end Checks;


-bargs: Program binder arguments:
-E: give exception traceback

-cargs: Compiler arguments:
-g: debugging on
-gnatl: print out a program listing
-gnato: overflow checks on


What Happens at Execution Time
with Ada.Exceptions; use Ada.Exceptions;
with GNAT.Traceback.Symbolic; use GNAT.Traceback.Symbolic;

procedure Checks is

procedure Foo is
begin
a
end Foo;

b procedure Bar is
begin
Foo;
c
end Bar;
d
begin -- of Checks
Bar;
e
exception
when E : others =>
Put_Line (quot;Raised exception : quot; & Exception_Name (E));
Put_Line (Symbolic_Traceback (E));
end Checks;


Catching a Predefined Exception

procedure Checks is
A : Integer := Integer ’ First;
begin
A := A - 1;
exception
when Constraint_Error =>
Put_Line (“Overflow occurred”);
end Checks;


Catching Your Own Exceptions
procedure Checks is

procedure Foo is
begin
end Foo;

procedure Bar is
begin
Foo;
end Bar;

begin -- of Checks
Bar;

exception
when Internal_Error =>
Put_Line (“problem occurred”);
when others =>
Put_Line (“some other exception”);
end Checks;

Catching an Exception Where You Want
procedure Checks is
…
begin -- of Checks
:
:
:
:
to catch some
:
exception in a region
:
of code without exiting
:
:
from the subprogram
:
you can use a declare block
:
:
:
:
:
:
end Checks;

Example of a Declare Block
procedure Calc (A, B : Float) is
C, D : Float;
begin
…
declare
Old_C : Float := C;
begin
C := A * B;
D := C ** 2;
exception
when Constraint_Error =>
C := Old_C;
D := 0.0;
end;
…
end Calc;


Array Pitfalls in C


Arrays in C

► No real arrays in C
► An array is just a pointer to a chunk of memory

#include <stdio.h>

int main () {
char *str = quot;bugyquot;;

printf (quot;%cnquot;, 0 [str]);
printf (quot;%cnquot;, * (str+1));
printf (quot;%cnquot;, * (2+str));
printf (quot;%cnquot;, str [3]);
}


Developing Software that Matters II

Developing Software that Matters II

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Developing Software that Matters II

Ähnlich wie Developing Software that Matters II (20)

Mehr von Gneuromante canalada.org

Mehr von Gneuromante canalada.org (9)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Developing Software that Matters II