>> And no open-ended processes are allowed per frame.
> But.... Nothing about throwing exceptions is open-ended.

How deep is your stack?

> It "simply" pops the stack & starts to execute some other code.

At least in life-critical avionics, the verification process is bottom up. You verify the low-level blocks do what they're supposed to do, and then you integrate the blocks. Integration does not change the behaviour of the blocks, so integration does not require that you verify that you created new behaviours.

How do you verify a low-level block that does a throw? It will behave differently depending on who is doing the catch. What if the catcher is doing a rethrow? Then you can't verify the first catcher as a standalone block. Its behaviour will depend on the next level of catch.

How do you *guarantee* (to the level that your own life may be on the line when you're riding on this airplane) that your throwers and catchers and rethrowers and those catchers won't do something you didn't think of? How do you guarantee that someone else doesn't catch your exception and use it in an unintended way, and cause a real problem? How do you guarantee that there isn't some small, slight, unintended consequence to some permutation of throwers and catchers that you didn't think of, and that small, slight, unintended consequence ends up crashing the plane?

The behaviour of throw depends on who is doing the catching. To you, you're "simply" popping the stack, but you have no idea what's on the stack. You have no idea who is going to call you. The behaviour of the system is no longer a simple aggregate of the lower-level blocks. The behaviour of the system depends on how the blocks are put together. And then verification becomes a nightmare, because you can't verify it bottom up anymore. Top-down verification is exhaustive verification, and if one block can affect another, you have to check every possible combination of inputs on those blocks to make sure some combination doesn't kill it.

That's why they do things bottom up and demand that the system design is such that integrating the blocks doesn't change the behaviour of the blocks. At which point, the desktop application programmer will say something along the lines of "But I know what I'm doing". And the FAA guy will say "I can't prove that".

_______________________________________________
Boston-pm mailing list
Boston-pm@mail.pm.org
http://mail.pm.org/mailman/listinfo/boston-pm
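An added illustration of the point made in the post above (example code, not from the mailing list or its author): a mid-level block whose post-condition holds against every non-throwing callee, and then silently stops holding once it is integrated with a callee that throws and a catcher further up the stack. The `Actuator`, `adjust_trim` and sensor names are hypothetical.

```cpp
#include <stdexcept>

// Hypothetical shared state: the block under test must always leave this false.
struct Actuator { bool armed = false; };

// Stub callee used for the isolated (bottom-up) test of adjust_trim: never throws.
int stub_sensor(bool) { return 42; }

// Real low-level block: verified on its own as "returns a reading or throws".
int real_sensor(bool fault) {
    if (fault) throw std::runtime_error("sensor fault");
    return 42;
}

// Mid-level block: arms, reads, disarms. Its verified post-condition is
// "actuator disarmed on return", which holds for every non-throwing callee.
int adjust_trim(Actuator& act, int (*sensor)(bool), bool fault) {
    act.armed = true;
    int reading = sensor(fault);
    act.armed = false;          // skipped when sensor() unwinds past this frame
    return reading / 2;
}

// Bottom-up test of adjust_trim in isolation: true, the post-condition holds.
bool isolated_block_ok() {
    Actuator act;
    adjust_trim(act, stub_sensor, true);
    return !act.armed;
}

// Same, unchanged block after integration with the real callee and a catcher
// further up the stack: returns true when the actuator is left armed, i.e. the
// block's verified behaviour depends on who catches, not on the block itself.
bool integrated_block_left_armed(bool fault) {
    Actuator act;
    try {
        adjust_trim(act, real_sensor, fault);
    } catch (const std::runtime_error&) {
        // The catcher decides what happens next; adjust_trim had no say.
    }
    return act.armed;
}

// Status-code variant: the disarm step is on every path through the block, so
// its post-condition holds regardless of caller or callee. Returns true if disarmed.
bool status_block_ok(bool fault) {
    Actuator act;
    act.armed = true;
    int status = fault ? -1 : 0;    // error reported as a value, not by unwinding
    act.armed = false;              // always reached
    return status <= 0 && !act.armed;
}
```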