c++ "Ravenscar-like" profile for C/C++
C++ provides the necessary structures to build very reliable, efficient and mission-critical systems. In the above I define what exceptions are expected from each member function, and we can also use the Resource Acquisition Is Initialization technique, which the standard library itself also uses.

The problem with safety-critical programming in C or C++ is not what is allowed or possible but what should not be allowed and should be impossible. And for that I just need two lines:

    char X[10];
    X[10] = 'A';

With regards,
Martin
c++ "Ravenscar-like" profile for C/C++
This discussion, as I already pointed out, belongs in groups like news:comp.programming and news:comp.software-eng. Language subsetting, for whatever purpose, is not defined by the ISO standard for either C or C++, and is not topical here. Nor is safety-critical programming.

Finally a C / C++ programmer who confesses that safety-critical programming is indeed off topic in C and C++. Grin.

Martin
c++ "Ravenscar-like" profile for C/C++
C++ provides the necessary structures to build very reliable, efficient and mission-critical systems. In the above I define what exceptions are expected from each member function, and we can also use the Resource Acquisition Is Initialization technique, which the standard library itself also uses. The problem with safety-critical programming in C or C++ is not what is allowed or possible but what should not be allowed and should be impossible. And for that I just need two lines:

    char X[10];
    X[10] = 'A';

From TC++PL3:

Indexing is done by operator[]() and at(); operator[]() provides unchecked access, whereas at() does a range check and throws out_of_range if an index is out of range. For example:

    #include <vector>      // headers and using-directive assumed by the book's examples
    #include <stdexcept>
    using namespace std;

    void f(vector<int>& v, int i1, int i2)
    try {
        for (int i = 0; i < v.size(); i++) {
            // range already checked: use unchecked v[i] here
        }
        v.at(i1) = v.at(i2);   // check range on access
        // ...
    }
    catch (out_of_range) {
        // oops: out-of-range error
    }

This illustrates one idea for use. That is, if the range has already been checked, the unchecked subscripting operator can be used safely; otherwise, it is wise to use the range-checked at() function. This distinction is important when efficiency is at a premium.

Ioannis Vranos
c++ "Ravenscar-like" profile for C/C++
The problem with safety-critical programming in C or C++ is not what is allowed or possible but what should not be allowed and should be impossible. And for that I just need two lines:

    char X[10];
    X[10] = 'A';

What's the problem with that code, from a safety perspective? Certainly a C compiler which is supposed to be suited for safety-critical programs will diagnose this. The _base_ C and C++ languages have quite a number of "undefined behavior - no diagnostic required" cases, but a similar profile may very well tighten that to "undefined behavior - must be rejected at compile time". The _base_ philosophy in C and C++ is that flexibility can be traded for safety, but not vice versa.

Certainly, in C++ it is easy to create a verifiable subset. For instance, it is possible to define a range template and with it a range<int,0,10> type. The toolset would be hard pressed to prove that the range template is correct and overflow-free. However, this could be proven by humans. The tool chain instead only has to check that all possible overflows are located in this checked range<> code. Together, this would prove that a body of code is overflow-free.

Regards,
Michiel Salters
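The two ideas above, the checked at() versus unchecked operator[] distinction quoted from TC++PL3 and the range<int,0,10> template proposed in this post, can be combined into one small piece of code. The following is an added example written for this thread; it is not code from any of the posters, from TC++PL3, or from any project. The names range, bounded_array and the demo functions are assumed for illustration only. The point it shows is the division of labour described above: one small class that a human proves correct does the only range check, a wrapper array accepts nothing but that class as an index, and widening addition gets its result bounds computed by the compiler so no run-time check is executed at all. With a constant index the classic X[10] does not compile (a throw during constant evaluation is ill-formed); with a run-time index it throws std::out_of_range instead of corrupting memory.

```cpp
// Added example, not code from the thread: a checked integer range type in
// the spirit of the range<int,0,10> idea, plus a bounded array whose index
// type is that range. The names range, bounded_array and the demo functions
// are assumptions for illustration only.
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <type_traits>

// A value of type range<T,Lo,Hi> is known, by construction, to lie in [Lo,Hi].
// The one place a value is checked is the constructor; everything else may
// trust v_. A human proves this small class correct; a tool then only has to
// confirm that raw indices and raw arithmetic never appear outside it.
template <typename T, T Lo, T Hi>
class range {
    static_assert(Lo <= Hi, "empty range");
    T v_;
public:
    // In a constant expression a throw is ill-formed, so an out-of-range
    // constant is rejected at compile time; at run time it throws.
    static constexpr T check(T v) {
        return (v < Lo || v > Hi)
            ? throw std::out_of_range("value outside declared range")
            : v;
    }
    constexpr range(T v) : v_(check(v)) {}
    constexpr T get() const { return v_; }

    // Widening addition: the compiler computes the result's bounds, so the
    // sum can never leave them and no run-time check is needed. The
    // static_asserts reject, at compile time, any pair of ranges whose sum
    // could overflow T itself (the leading guards keep the check itself
    // from overflowing).
    template <T Lo2, T Hi2>
    constexpr range<T, Lo + Lo2, Hi + Hi2> operator+(range<T, Lo2, Hi2> o) const {
        static_assert(Hi2 <= 0 || Hi <= std::numeric_limits<T>::max() - Hi2,
                      "sum may overflow T");
        static_assert(Lo2 >= 0 || Lo >= std::numeric_limits<T>::min() - Lo2,
                      "sum may underflow T");
        return range<T, Lo + Lo2, Hi + Hi2>(v_ + o.get());
    }
};

// A fixed-size array that can only be indexed with a value of its index
// type, so the classic  char X[10]; X[10] = 'A';  cannot compile with a
// constant index and throws with a run-time one.
template <typename T, std::size_t N>
class bounded_array {
    T data_[N];
public:
    using index = range<std::size_t, 0, N - 1>;
    T& operator[](index i) { return data_[i.get()]; }
    const T& operator[](index i) const { return data_[i.get()]; }
    static constexpr std::size_t size() { return N; }
};

// Demonstrations return their outcome so it can be checked, not just printed.
bool constant_index_is_checked() {
    bounded_array<char, 10> x{};
    constexpr bounded_array<char, 10>::index last = 9;    // fine: 9 is in [0, 9]
    // constexpr bounded_array<char, 10>::index bad = 10; // does not compile
    x[last] = 'A';
    return x[last] == 'A';
}

bool runtime_index_is_checked(std::size_t i) {
    bounded_array<char, 10> x{};
    try {
        x[i] = 'A';    // size_t -> index conversion runs the one check
        return true;
    } catch (const std::out_of_range&) {
        return false;  // the X[10] case ends here instead of corrupting memory
    }
}

int sum_stays_in_range() {
    range<int, 0, 10> a = 7;
    range<int, -5, 5> b = -2;
    auto c = a + b;    // type is range<int, -5, 15>; no check executed
    static_assert(std::is_same<decltype(c), range<int, -5, 15>>::value,
                  "bounds are widened, not checked");
    return c.get();    // 5
}

int main() {
    return (constant_index_is_checked()
            && runtime_index_is_checked(9)
            && !runtime_index_is_checked(10)
            && sum_stays_in_range() == 5) ? 0 : 1;
}
```

The design choice worth noting is where the check lives: exactly one constructor, which is the part a reviewer proves by hand, while the bounded_array and the addition operator carry no checks of their own and instead rely on the type system to make an unchecked raw index unrepresentable. Uncommenting the `bad = 10` line is the compile-time rejection the post asks for; the `runtime_index_is_checked(10)` call is the same mistake caught at run time.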
c++ "Ravenscar-like" profile for C/C++
Certainly, in C++ it is easy to create a verifiable subset.

Not quite true. Or maybe the FIASCO project just did not find it yet?

Vinzent.
c++ "Ravenscar-like" profile for C/C++
Certainly, in C++ it is easy to create a verifiable subset.

Not quite true. Or maybe the FIASCO project just did not find it yet?

Damn itchy fingers. Wanted to include the URL, too... <URL:http://os.inf.tu-dresden.de/vfiasco/>

Still doesn't look too easy to me.

Vinzent.