Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbnewsh!warren
From: warren@cbnewsh.att.com (warren.a.montgomery)
Newsgroups: comp.object
Subject: Run-time checks, Compile time Checks, and reliability
Keywords: type checking, high reliability, fault tolerance
Message-ID: <1991Mar28.161307.6071@cbnewsh.att.com>
Date: 28 Mar 91 16:13:07 GMT
Organization: AT&T Bell Laboratories
Lines: 42

In the discussion of statically and dynamically typed languages, there are
two positions being asserted that I want to take exception with:

"Run-time checks are unsuitable for high reliability systems, because you
can't afford a run-time detected error."

In fact, any high reliability system, like spacecraft control or telephone
network control, must cope sensibly with run-time detected errors of all
sorts. Just because your favorite tool throws up its hands and coredumps
because it got an error, don't assume that that is the only response
possible. High reliability systems must have strategies for recovery from
even "impossible" errors that keep the system running safely.

"Compile time checking and certified compilers eliminate the need for
run-time checking."

As noted above, high reliability systems need to recover from impossible
errors, because no error is really impossible. To do this, errors must be
detected, preferably as soon as possible and before too much damage is done
as the result of using erroneous data. Run-time checks of type and data
structure consistency are a major aid in early error detection, and in
sensible recovery once the error is detected, and are a major strategy in
building this kind of system. Optimizing compilers that throw away
"redundant" information at run-time and restructure the text and data can
be a problem in building systems like this, because the state the system
reached before the error may not be easy to determine.

I'm not arguing against eliminating as many errors as possible before the
software winds up controlling a reactor, but PLEASE design the software
that does control the reactor under the assumption that anything, even
impossible things, can go wrong, and design the language and compiler used
for that software to leave enough information around at run-time to support
defensive checks and effective error recovery procedures.

-- 
Warren Montgomery	att!ihlpf!warren