Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!umd5!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: comp.lang.c
Subject: Re: Volatile is stupid
Message-ID: <8180@brl-smoke.ARPA>
Date: 28 Jun 88 20:57:27 GMT
References: <278@ralph.UUCP> <225800039@uxe.cso.uiuc.edu>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) )
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 13

In article <225800039@uxe.cso.uiuc.edu> mcdonald@uxe.cso.uiuc.edu writes:
>>Then the program will work fine for five years, and someone will install
>>it in an airplane controller, then someone else will manually `correct'
>>something, and your program will crash, along with the airplane.  This
>>is what correctness checking is all about.
>Does anyone know what language was used to write the control program
>for the Airbus A320 "crash by wire" plane?

Who cares?  Such programs should NOT repeat NOT rely on theoretical
total correctness of the compiler, application code, etc. for their
safety!  It is known how to engineer reliability into systems.

I think someone has been listening too intently to the bogus anti-SDI
argument that "everything has to function perfectly the first time".