Flying With Python (Strong versus Weak Typing)

Mike Silva snarflemike at yahoo.com
Wed Mar 12 01:52:38 EST 2003


Peter Hansen <peter at engcorp.com> wrote in message news:<3E6E5EEF.F128744B at engcorp.com>...
> Mike Silva wrote:
> > 
> > Alex Martelli <aleax at aleax.it> wrote in message news:<hkiba.49303$zo2.1483266 at news2.tin.it>...
> > > ....isn't it obvious that it's totally
> > > irrelevant to the system's overall safety whether the compiler has
> > > performed the further smattering of semantically puny "verifications"
> > > allowed by mandatory-declaration, static-typing languages?
> > >
> > > Static typing makes it easier for the compiler to generate fast
> > > code, and (depending also on other issues) may slightly enhance
> > > programmer productivity by catching a small percentage of errors
> > > a bit earlier than testing would catch them -- that's all.  It has
> > > no real bearing on safety issues for life-critical software.
> > 
> > Is a factor of 100 difference in error rates of certified, fielded
> > aviation software relevant?
> > 
> > http://www.sparkada.com/downloads/Mar2002Amey.pdf
> > 
> > (2nd page, 3rd column, re UK MoD analysis of DO-178B Level A software)
> > 
> > Language (including, but not limited to, static typing) definitely
> > makes a difference.
> 
> I don't think Alex was arguing that *language* does not matter at all, 
> just that the minimal extra verification provided by statically typed 
> languages does not much matter.

Well, he did write:
"The issue of what programming language[s] has/have been used
in developing the control software is largely irrelevant to the issue
of system safety, which depends instead on the process used for the
development and the proper mindset on the part of the development
team."
> 
> Anyway, the article doesn't necessarily support the conclusion you
> appear to be claiming (that static typing produced a factor of 100
> improvement in error rates).

My only claim was that "Language (including, but not limited to,
static typing) definitely makes a difference."
> 
> For one thing, it is comparing the SPARK results to common results 
> with Ada, which are then compared with common C results.  C is 
> hardly on a par with Python as far as weak and strong typing goes 
> (though it is somewhat statically typed... when you avoid casting).

But *all* the code was certified to DO-178B Level A (the highest [most
safety-critical] level).  It's probably just about as close as you can
get to an oranges vs. oranges comparison.  Neither the SPARK code, nor
the Ada code, nor the C code, was in any way "common."
> 
> For another thing, the results came from not just a language, but the
> approach used, including "semi-formal specifications", "thin-slice
> prototyping of high risk areas" (i.e. "testing"), a "template-driven
> approach" for boilerplate types of code, plus the static analysis
> to which you appear to give all the credit.

Arrgh!!! :-]  I don't give "all the credit" to static analysis (I
think you mean static typing here?)  I am simply arguing against the
claim that "The issue of what programming language[s] has/have been
used in developing the control software is largely irrelevant."  It's
a claim I hear a lot, and I just don't believe it.  Neither,
apparently, does the author of the paper.
> 
> Perhaps this quote summarizes it best: "Lockheed succeeded because 
> they had a strong process with an emphasis on requirements capture 
> and accurate specifications."

Then by implication all of the other code, which had also been
certified to Level A, was developed *without* a strong process, etc?
> 
> In other words, exactly what we've been saying.

But not what the paper says.
> 
> (Disclaimer: I'm just rushing off to a meeting and having read the
> whole thing, so I risk looking foolish for overlooking something
> key to that article.)

(Disclaimer: I often look foolish even when I'm not rushing, so I can
empathize!)

Mike
