1 / 117

Programming in the Small: C/C++/Java Pitfalls & Ada Benefits

Programming in the Small: C/C++/Java Pitfalls & Ada Benefits. Franco Gasperoni gasperoni@adacore.com http://libre.adacore.com/Software_Matters. Suggested Reading. C Traps and Pitfalls by Andrew Koenig (Addison Wesley) Guidelines for the Use of the C Language in Vehicle Based Software

saber
Download Presentation

Programming in the Small: C/C++/Java Pitfalls & Ada Benefits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Programming in the Small:C/C++/Java Pitfalls& Ada Benefits Franco Gasperoni gasperoni@adacore.com http://libre.adacore.com/Software_Matters

  2. Suggested Reading • C Traps and Pitfalls • by Andrew Koenig (Addison Wesley) • Guidelines for the Use of the C Language in Vehicle Based Software • Purchasing info at http://www.misra.org.uk/misra-c.htm • Multilanguage Programming on the JVM: The Ada 95 Benefits • http://libre.act-europe.fr/Why_Ada/ada-on-jvm.pdf

  3. Lecture Summary • In this lecture we concentrate on programming in the small • We go over some Ada basic constructs • Procedures, functions, types, loops, if and case statements exceptions, etc. • We show some C/C++/Java pitfalls • We show how Ada avoids them

  4. Programming in the Small with C • C makes the following assumption: • Trust the programmers, they never make mistakes • Favor program conciseness over its readability • But: • Programmers do make mistakes • Programs are written once but read many times • The C foundation of C++ & Java leads to fragile software • Software where it is easy to make mistakes • Software that is hard to read • Software that is hard to change

  5. Note on the Ada Development Environment • In this course we use GNAT GAP Edition • GNAT is widely available • You can download the sources of GNAT • Pre-built GNAT binaries available for: Linux, Solaris, Windows • GNAT GPL Edition available at • http://libre.adacore.com

  6. Background on Ada ProgrammingA Simple Example

  7. Procedure Main • Procedure Main • Stored in file main.adb • Technically this is called a compilation unit • A compilation unit can be the body or the spec (specification) of a: • procedure • function • package (see next lecture) • Spec = precise list of services exported • Body = implementation details • In GNAT: • 1 compilation unit per file • File name matches unit name • 2 file extensions possible • .adb = Ada Body • .ads = Ada Spec with Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; Note: Ada is case insensitive

  8. Inside Procedure Main • Declarative part: Contains the declaration of: • Variable, types, nested procedures, nested functions, ... used in procedure Main with Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; • Procedure statements

  9. with Text_IO; • List of compilation units whose services are used in procedure Main • Text_IO is the predefined Ada text Input/Output library with Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main; • Procedures declared in library Text_IO and used in Main

  10. use Text_IO; • By putting a use clause you can (but don't have to) omit the Text_IO prefix inside Main with Text_IO; use Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length'img); Text_IO . Put_Line (Width'img); Text_IO . Put_Line (Height'img); end Main;

  11. The ' img Attribute • ' img is a predefined GNAT attribute • Given an integer or floating point number X, X ' img returns its string representation • More on attributes later on with Text_IO; use Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length ' img); Text_IO . Put_Line (Width ' img); Text_IO . Put_Line (Height ' img); end Main;

  12. Structure of an Ada Program

  13. General Structure of an Ada Program with …; with …; with …; with …; with …; with …; procedure Some_Main is … begin … end Some_Main;

  14. A Simple Example with Text_IO; use Text_IO; procedure Display (S : String; X, Y : Integer) is begin Put_Line (S & " (" & X'img & ") = " & Y'img); end Display; function Fact (N : Integer) return Integer is begin if N <= 1 then return 1; else return N * Fact (N - 1); end if; end Fact; with Display; with Fact; procedure Display_Fact is begin for K in 1 .. 4 loop Display ("Factorial", K, Fact (K)); end loop; end Display_Fact;

  15. Building & Executing Display_Fact • GNAT has an automatic "make" facility: gnatmake • Gnatmake • Will compile or recompile the Ada sources that need to be compiled • It will bind and link them • A make file is not necessary

  16. Note on the Concatenation Operator & with Text_IO; use Text_IO; procedure Display (S : String; X, Y : Integer) is begin Put_Line (S & " ("& X'img & ") = "& Y'img); end Display; & = 1 dimensional arrays

  17. In for loops, the loop variable (Kin the example) is implicitly declared The loop variable cannot be modified inside the for loop The loop variable ceases to exist just after the loop Note on For Loops with Display; with Fact; procedure Display_Fact is begin for Kin 1 .. 4 loop Display ("Factorial", K, Fact (K)); end loop; end Display_Fact;

  18. Numeric Pitfallin C/C++/Java

  19. What is the Program Output ? • This program compiles fine • What is its output? #include <stdio.h> int main () { int length = 8265; int width = 0252; int height = 8292; printf ("length = %d\n", length); printf ("width = %d\n", width); printf ("height = %d\n", height); }

  20. Surprised ? Was this the programmer’s intent ?

  21. Numbers in C/C++/Java • In C/C++/Java numbers starting with 0 are octal numbers • This is a bad choice • Error-prone • Hard-to-read • There is no way to specify numbers in base 2 • Very surprising giving the fact that C was meant for to be a low-level systems language • Never use octal numbers

  22. The Ada Version with Text_IO; procedure Main is Length : Integer := 8265; Width : Integer := 0252; Height : Integer := 8292; begin Text_IO . Put_Line (Length ' img); Text_IO . Put_Line (Width ' img); Text_IO . Put_Line (Height ' img); end Main; No surprises in Ada

  23. Numbers in Ada Length : Integer := 8265; Width : Integer := 0252; -- regular decimal number Width_8 : Integer := 8#252#; -- octal number B_Mask : Integer := 2#1100_1011#; -- binary number -- you can use “_” to separate digits W_Mask : Integer := 16#FFF1_A4B0#; -- Hexadecimal number • If no base is specified the number a decimal number • In Ada you can specify any base from 2 to 16 (for both integer and real (floating point) numbers • Use the “_” to separate digits for clarity • 1_000_000_000

  24. Lexical & Syntactic Pitfallsin C/C++/Java

  25. Is the Following Code Correct ? #include <limits.h> /* If *y is zero and x > 0 set *k to the biggest positive integer. * If *y is zero and x <=0 leave *k unchanged. * If *y is not zero set *k to be x divided by *y and increment *y by 1. */ void check_divide(int *k, int x, int *y) { if (*y = 0) if (x > 0) *k = INT_MAX; else *k = x / *y /* it is safe to divide by *y since it cannot be 0 */; *y++; } • This program compiles fine, but has a number of problems. Which ones?

  26. There are 4 Bugs • = versus == • Using “=“ for assignment and “==“ for equality is a poor choice • Use a compiler that warns you when you use “=“ inside tests • This is a hard problem because C++ style encourages the use of “=“ inside tests: • Dangling else problem • Always bracket everything • Nested y++ • Bad operator precedence *y++ means *(y++) • When in doubt use parentheses or separate tokens with white spaces ... while (*s1++ = *s2++);

  27. What about Java? boolean safety_flag; boolean danger_flag; … if (safety_flag = danger_flag) { sound_alarm (); } • = versus == • This problem exists in Java for boolean, but has been fixed for other data types • Dangling else problem • Problem is still there • Bad operator precedence *j++ means *(j++) • No * operator in Java. This Problem has been solved This is OK in Java but is often a bug

  28. The Correct Version #include <limits.h> /* If *y is null and x > 0 set *k to the biggest positive integer. * If *y is null and x <=0 leave *k unchanged. * If *y is non null set *k to be x divided by *y and increment *y by 1. */ void check_divide (int *k, int x, int *y) { if (*y == 0) { if ( x > 0) *k = INT_MAX; } else{ *k = x / *y /* it is safe to divide by *y since it cannot be 0 */; (*y)++; /* or *y ++ */ } }

  29. Ada Solves all the Previous Pitfalls -- If Y = 0 and X > 0 set K to the biggest positive integer. -- If Y = 0 and X <= 0 leave K unchanged. -- If Y /= 0 set K to be X divided by Y and increment Y by 1. procedure Check_Divide(K : in out Integer; X : Integer; Y : in out Integer) is begin if Y = 0 then if X > 0 then K := Integer’Last; -- K is set to the largest Integer end if; else K := X / Y; -- it is safe to divide by Y since it cannot be 0 Y := Y + 1; end if; end Check_Divide;

  30. Simpler Ada Version: "elsif" "and then" -- If Y = 0 and X > 0 set K to the biggest positive integer. -- If Y = 0 and X <= 0 leave K unchanged. -- If Y /= 0 set K to be X divided by Y and increment Y by 1. procedure Check_Divide(K : in out Integer; X : Integer; Y : in out Integer) is begin if Y = 0 and then X > 0 then K := Integer’Last; -- K is set to the largest Integer elsif Y /= 0 then K := X / Y; -- it is safe to divide by Y since it cannot be 0 Y := Y + 1; end if; end Check_Divide;

  31. Lexical & Syntactic Clarity in Ada • = means equality while := means assignment • If you use one instead of the other you get a compiler error • No dangling else in Ada • If it isn't then you get a compiler error • In Ada comments start with -- and go to the end of the line. No other type of comment • No ++ operators in Ada • No need for a * operator in Ada if … then … -- Must be terminated by an end if; end if;

  32. Side Note on Ada Attributes

  33. Attributes • Ada types, objects, and other entities can have attributes • An attribute is a property of the type, object, etc

  34. Example of Scalar Attributes • Given T some scalar type (Integer, Float, etc) • Given X an object of type T In GNAT you can use X ' img instead of T ' image (X)

  35. Example of Integer ' Last procedure Check_Divide_And_Increment(K : in out Integer; X : Integer; Y : in out Integer) is begin if Y = 0 then if X > 0 then K := Integer’Last; -- K is set to the largest Integer end if; else K = X / Y; -- it is safe to divide by Y since it cannot be 0 Y := Y + 1; end if; end Checked_Divide;

  36. More C/C++/Java Syntactic Pitfalls

  37. Is the Following Code Correct ? // If the signal ahead is clear then increase the speed. void increase_speed_if_safe(int speed, int signal) { if (signal == CLEAR); increase_speed (); } • This program compiles fine, but has a problem. Which one?

  38. Be Careful of Spurious Semicolons // If the signal ahead is clear then increase the speed. void increase_speed_if_safe(int speed, int signal) { if (signal == CLEAR); increase_speed (); }

  39. The Ada Version is Always Safe -- If the signal ahead is clear then increase the speed. procedure increase_speed_if_safe(speed : integer; signal : integer) is begin if signal = CLEAR then increase_speed; end if; end increase_speed_if_safe; • If you write if signal = CLEAR then ; • You get a compiler error

  40. More Bad Luck in C/C++/Java:Enumerations and Switch Statements enum Alert_Type {LOW, MEDIUM, HIGH, VERY_HIGH}; // C or C++. Java does not have enumerations, you have to use intsinstead void handle_alert (enum Alert_Typealert) { switch (alert) { case LOW: activate_camera (); case MEDIUM: send_guard (); case HIGH: sound_alarm (); } } void process_alerts () { handle_alert (2); … • This program compiles fine, but has a number of problems. Which ones?

  41. Don't forget break statements C/C++/Java do not check that you have treated all cases in the switch case labels can be integers or (values of) any enum type, not just enum Alert_Typewhich in most cases will be an error Defects in the Previous Code void handle_alert (enum Alert_Typealert) { switch (alert) { case LOW: activate_camera (); break; case MEDIUM: send_guard (); break; case HIGH: sound_alarm (); break; case VERY_HIGH: alert_police (); break; } } void process_alerts () { handle_alert (HIGH);

  42. Ada is Safer (and Less Verbose) type Alert_Type is (LOW, MEDIUM, HIGH, VERY_HIGH); procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM => Send_Guard; when HIGH => Sound_Alarm; when VERY_HIGH => Alert_Police; end case; end Process_Alert; • No break statements • Ada will check that you have treated all cases in the case statement • You can only use an object of type Alert_Type

  43. Combining Cases procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM => Send_Guard; when HIGH | VERY_HIGH => Sound_Alarm; Alert_Police; end case; end Process_Alert;

  44. Using a Default Clause procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM => Send_Guard; when others => Sound_Alarm; Alert_Police; end case; end Process_Alert; • Ada "when others" is equivalent to C/C++/Java "default", and takes away most of the benefit of the checking for all cases covered

  45. Using a Range procedure Process_Alert (Alert : Alert_Type) is begin case Alert is when LOW => Activate_Camera; when MEDIUM .. VERY_HIGH => Send_Guard; Sound_Alarm; Alert_Police; end case; end Process_Alert; • A range is a set of ordered values • MEDIUM .. VERY_HIGH = MEDIUM, HIGH, VERY_HIGH

  46. Enumeration Types in Ada type Alert is (LOW, MEDIUM, HIGH, VERY_HIGH); procedure P (B : Integer) is A : Alert; begin A := B; • Enumerations are true types in Ada • In C enums are just integers • In C++ enums are implicitly converted to ints (not from ints) Compilation error // C++ enum Alert {LOW, MEDIUM, HIGH, VERY_HIGH}; int k = LOW; // accepted by C++ Alert a = 1; // rejected by C++

  47. Ada Enumeration Types and Attributes

  48. Predefined Enumerations in Ada type Booleanis (False, True); type Characteris (…, 'a', 'b', 'c', …);

  49. Predefined Enumerations: Examples function Is_Letter (C : Character) return Boolean is begin return (C in 'a' .. 'z') or (C in 'A' .. 'Z'); end Is_Letter; function Is_Arithmetic_Operator (C : Character) return Boolean is begin case C is when '+' | '-' | '*' | '/' => return True; when others => return False; end case; end Is_Arithmetic_Operator;

  50. C/C++/Java Type System

More Related