Newsgroups: comp.lang.java,comp.object,comp.lang.smalltalk
Path: cantaloupe.srv.cs.cmu.edu!das-news2.harvard.edu!oitnews.harvard.edu!newsfeed.rice.edu!bcm.tmc.edu!cs.utexas.edu!utnut!nott!cunews!tina.mrco.carleton.ca!knight
From: knight@mrco.carleton.ca (Alan Knight)
Subject: Re: Is Java Type-Safe?
X-Nntp-Posting-Host: tina.mrco.carleton.ca
Message-ID: <knight.814792380@tina.mrco.carleton.ca>
Sender: news@cunews.carleton.ca (News Administrator)
Reply-To: knight@mrco.carleton.ca (Alan Knight)
Organization: The Object People
References: <308D14E2.1C7C@cybergate.com> <1995Oct26.220438.22561@schbbs.mot.com>
Date: Fri, 27 Oct 1995 11:13:00 GMT
Lines: 40
Xref: glinda.oz.cs.cmu.edu comp.lang.java:2918 comp.object:39932 comp.lang.smalltalk:29933

In <1995Oct26.220438.22561@schbbs.mot.com> shang@corp.mot.com (David L. Shang) writes:

>If safety is a big deal to Java, Java should look for a better
>solution as people did in Eiffel. Throwing a run-time exception for
>a type error is not a safe way. We cannot imagine that a pilot run-
>time check the type of the landing-gears, and crash the airplane if
>the type is wrong. This is an extreme example given by Bertrand, but
>is true in many safety-critical systems.

It seems like "safety-critical systems" are becoming the new favourite
bogus example, possibly even replacing "hard real-time systems".
People who don't understand the issues involved (which are very hard)
are willing to make sweeping generalizations about them.

In a real safety-critical system, the major issue is NOT being able to
guarantee that your system will not fail. Your system WILL fail.
Software has bugs. Get used to it. Even when software doesn't have
bugs, hardware fails. The issue in a safety-critical system is being
able to deal with failures in a safe way, where safe means that people
are not injured or killed as a result.

In a real aircraft control system the important thing is that a
run-time check failure should not result in a crash of the airplane,
whether that run-time check is a message not understood, array store
of wrong type, array subscript out of bounds, or out of memory.

Being able to detect a few more errors at compile time may be useful,
but it isn't even a drop in the bucket towards solving the real
problems involved in safety-critical systems.

I am, of course, overgeneralizing, since I don't really understand
these issues either, but at least I don't try to ignore them and
pretend that a program would be usable in a safety-critical system
just because it passes the compiler.

-- 
 Alan Knight                | The Object People
 knight@acm.org             | Smalltalk and OO Training and Consulting
 alan_knight@mindlink.bc.ca | 509-885 Meadowlands Dr.
 +1 613 225 8812            | Ottawa, Canada, K2C 3N2
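The "array store of wrong type" check the post mentions is a concrete case in Java: because arrays are covariant, a store can pass the compiler and still be rejected by the JVM at run time. The following is an added example, not code from the post or from any of the participants; the `GearCommand` fallback and all names are hypothetical, and it shows the failure being caught and turned into a known-safe state rather than a process abort.

```java
// Added example (not from the original post). Demonstrates that a store into a
// covariant Java array passes the compiler yet is checked at run time, and that
// the caller, not the compiler, decides what a failed check does to the system.
public final class RuntimeCheckDemo {

    /** Hypothetical control outcome: what the step actually commanded. */
    enum GearCommand { LOWER, HOLD_SAFE_STATE }

    /**
     * The compiler accepts any Object here; the JVM checks the element type
     * on every store, because the array may really be a narrower type.
     */
    static void store(Object[] buffer, Object value) {
        buffer[0] = value; // may throw ArrayStoreException at run time
    }

    /**
     * A control step that degrades to a safe state instead of letting a
     * run-time check failure propagate and terminate the program.
     */
    static GearCommand controlStep(Object[] buffer, Object value) {
        try {
            store(buffer, value);
            return GearCommand.LOWER;
        } catch (ArrayStoreException | ArrayIndexOutOfBoundsException e) {
            // Record the failure and hold a known-safe state rather than crash.
            System.err.println("run-time check failed: " + e);
            return GearCommand.HOLD_SAFE_STATE;
        }
    }

    public static void main(String[] args) {
        Object[] buffer = new String[1]; // compiles: a String[] is an Object[]
        System.out.println(controlStep(buffer, "gear-down"));        // String store: accepted
        System.out.println(controlStep(buffer, Integer.valueOf(1)));  // Integer into String[]: rejected at run time
        System.out.println(controlStep(new String[0], "gear-down"));  // zero-length array: subscript check fails
    }
}
```

Compile and run with `javac RuntimeCheckDemo.java && java RuntimeCheckDemo`; the second and third steps report a failed check on stderr and return the safe-state command instead of aborting.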
