[PrairieDawg]

As a C/C++ weenie, I agree entirely. Mission critical code that involves lives need to be in Ada or MISRA C or something safer than C/C++. Barring that, a *whole* lot more testing and review need to be done than what appears to have been done so far on this codebase.

FRegards,
PrairieDawg

[OneWingedShark]

As a C/C++ weenie, I agree entirely. Mission critical code that involves lives need to be in Ada or MISRA C or something safer than C/C++. Barring that, a *whole* lot more testing and review need to be done than what appears to have been done so far on this codebase.

I hear what you're saying; from my POV though it seems that design is what's skimped on in "the industry" -- granted, I've never been involved in a safety-critical codebase such as aviation, but there seems to be a lot of we don't have time to do it right, we need to do it quick mentality that seems to discourage up-front planning. (Indeed, it seems to discourage using the right-tool-for-the-job and encouraging a "sledgehammer"/continuous-debugging method of development and discourage training.)

I'm very impressed/excited about the new Ada 2012 standard which lets you do something like this:

    -- SSN format: ###-##-####
    Subtype Social_Security_Number is String(1..11)
      with Dynamic_Predicate =>
        (for all Index in Social_Security_Number'Range =>
          (case Index is
           when 4|7 => Social_Security_Number(Index) = '-',
           when others => Social_Security_Number(Index) in '0'..'9'
          )
         );

Which ensures a SSN is properly formatted on parameters and return-values of the Social_Security_Number subtype (you can also check with String_Var in Social_Security_Number); there's also pre-/post-conditions, type-invariants and other nice design-by-contract stuff that (unlike annotated comments) won't go stale.