Newsgroups: comp.object,comp.lang.c++,comp.lang.ada,comp.lang.smalltalk,comp.lang.eiffel
Path: cantaloupe.srv.cs.cmu.edu!das-news2.harvard.edu!cam-news-feed3.bbnplanet.com!news.bbnplanet.com!cam-news-hub1.bbnplanet.com!howland.erols.net!rill.news.pipex.net!pipex!uunet!in1.uu.net!uucp2.uu.net!allegra!akalice!bs
From: bs@research.att.com (Bjarne Stroustrup)
Subject: Re: OO, C++, and something much better!
Message-ID: <E509oy.LDB@research.att.com>
Organization: AT&T Research, Murray Hill, NJ, USA
References: <32ED02EE.22E2@netright.com> <32ED2448.685A@parcplace.com> <EACHUS.97Jan28144125@spectre.mitre.org>
Date: Mon, 3 Feb 1997 02:31:45 GMT
Lines: 79
Xref: glinda.oz.cs.cmu.edu comp.object:60817 comp.lang.c++:245513 comp.lang.ada:57158 comp.lang.smalltalk:50916 comp.lang.eiffel:18183


eachus@spectre.mitre.org (Robert I. Eachus) writes:

 > In article <32ED2448.685A@parcplace.com> Eric Clayberg <clayberg@parcplace.com> writes:
 > 
 >   > OK, then, back it up. So far, *you* haven't *proven* anything. The above
 >   > is yet another unsubstantiated claim that statically typed systems are
 >   > somehow more reliable than dynamically typed systems. Show me some proof
 >   > that Smalltalk is somehow less reliable for building applications than
 >   > any arbitrary statically typed language.
 > 
 >    Try this.  Build a new aircraft with radical new avionics
 > requirements, or a vertical takeoff and landing rocket (DC-X), or a
 > railroad traffic control system for high-speed trains, or run an
 > air-traffic control system, or anything where the software is large
 > and complex and it has to work the first time.  Write the operational
 > software in Smalltalk.  Come back when your software has been proven
 > in service.

As someone who is frequently reminded in these newsgroups that heavy use
isn't necessarily a proof of quality, I'd like to point out that the
choice of language in these fields are often directly and indirectly
dictated by the US government. Even work that that are not legally
required to be written in Ada often are for semi-technical reasons,
such as "we have to do half of our work in Ada and we cannot afford
to support two language and design cultures." (half :-)


 >    Langauges other than Ada have been used for this, including Jovial,
 > Fortran, C and even CMS-2.  But to my knowledge neither C++ or
 > Smalltalk has been used.  NOT because they are bad languages, but
 > because in this role it is difficult to do the amount of "bench"
 > checking required to get someone to foot the bill and take the risk of
 > actually fielding the software.

C++ has been used for missile cone software (e.g. penguin surface-to-ship
missile), for medical monitoring (e.g. HP medical), for air traffic control
(new system monitoring the airspace around Paris), and other "control"
applications.

I have no doubt that you can build good real-time control software in
Ada and good banking software in Smalltalk. It has been done. So it
has in C++.


 > Well, not quite true, AT&T has used
 > C++ in phone switching systems and gotten roundly castigated for it
 > when the inevitable failures occured.

I know of no case where a critical AT&T system written in C++ has failed
in a way that impacted customers. I think I would know if it had happened.
The much publicised breakdowns has been few and in systems written in
early dialects of C.

The are semi-critical AT&T systems written in C++, such as the 800 number
software, the software that reconfigures the network after a physical
failure (e.g. a backhoe/fiber encounter), and much of the network monitoring
software.

Let me add that AT&T takes reliability very seriously. A 911 call that
doesn't go through may not be as critical as missing a nuclear attack
on the US, but 911 calls happen somewhat more frequently. System quality
and integrity is less of a function of the choice of programming language
than one might be led to believe by reading comp.lang.*

 
 >    By the way, you can write Ada code which uses dynamic dispatching,
 > and there are some safety-critical systems where it is permitted.  The
 > same with pointers, dynamic allocations, and tasking.  This is not
 > about such features, this is about how much confidence can you have
 > before the software is run.  When it absolutely has to work the first
 > time, you get very conservative in your design rules.

Yes. In Ada, in C++, and in other languages. I think we should be happy
that's the case.

	- Bjarne

Bjarne Stroustrup, AT&T Research, http://www.research.att.com/~bs/homepage.html
