Don't hardwire OS features
Francois-Rene Rideau
rideau@nef.ens.fr
Sun, 8 Dec 1996 01:50:55 +0100 (MET)
>[limited specifications in Eiffel]
> The extension beyond assert() is that they have an "implies" boolean
> operator, the import of which is not clear. I have seen written:
> "divisor /= 0 implies Valid()"
> and things like that.
This means that Eiffel can manage several kinds
of possible assert() for a piece of code.
More powerful than assert(), but not much more expressive.
Quite far away from full specifications that would allow
to statically check for program correctness.
>> Well, specifications of the programs you write!
>> There is no way in Eiffel for the programmer
>> to specify proofs that the
>> pre/post-conditions will actually be satisfied.
>> Hence, the compiler if anyone/anything
>> is entirely relied-upon to prove it,
>> which I pinpointed was an illusory assumption!
> If that becomes a problem (when somebody starts to write a
> static-checking Eiffel compiler) then syntax for inserting proofs
> like that can be defined!
No! It's even worse than if you said that a syntax for types
could be added later to assembly or C.
It's easier to strongly type an arbitrary assembly/C program
than to prove an arbitrary Eiffel program correct.
In any case, this would mean that all Eiffel programs
would have to be completely rewritten, and then I wonder
why people would stay with that &@%*!$ language.
>> there are infinetely many possible
>> cases of crashes, corruptions, hogs.
>> You just can't enumerate them to mask them off.
> Hmmm. If the hardware is reliable, exceptions such as stack overflows
> are handled correctly, and interrupt handlers behave correctly, then
> surely if we make sure pointers (both code and data) always point to
> valid places (including inside array subscripting) - and our GC works
> - then how can anything crash?
This is *not* enumerating all possible crashes and masking them off.
Possible crashes are not even enumerable.
This is specifically using constructive proof techniques.
Welcome among computer program proof checkers!
>> Being at the same time "low-level", "portable" and "efficient"
>> means lots of bloat anyway...
> How would you implement things like that, then? :-)
Tunes does not pretend to solve contradictory goals.
What it does is allow to dynamically adapt the means to the goals,
instead of making a static uninformed compromise.
> I'm wondering which is more useful: keys form a hierachy
> or to have each colour cover a seperate view of the object.
Whatever it is
* this can needs no more HLL/OS support
than static binding and scoping of views on objects.
* to be useful, views on an object must reflect the semantic structure
of the object, adapt to object. Building an arbitrary static hierarchy
only leads to unadapted design (see VMS bloat).
* you can build all the layering you dream about,
and much more as libraries over the modular Tunes design,
whereas the converse is not securely possible.
== Fare' -- rideau@ens.fr -- Franc,ois-Rene' Rideau -- DDa(.ng-Vu~ Ba^n ==
Join the TUNES project for a computing system based on computing freedom !
TUNES is a Useful, Not Expedient System
URL: "http://www.eleves.ens.fr:8080/home/rideau/Tunes/"