<div dir="ltr">Regarding the question<div><br></div><div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px"><font color="#ff00ff">What would you personally fly, software written in C or software written in Common Lisp?</font> </span><br>
</div><div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">In the reality of today's fly-by-wire, the modern planes you fly in are likely to have C in some critical component. Ada is likely there as well.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.727272033691406px">But let's just examine a few software related disasters to see if they are attributable to programming language:</span></div>
<div><ul><li>Ariane 5 rocket explosion: from the official report: <span style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-style:italic">This loss of information was due to specification and design errors in the software of the inertial reference system.</span></li>
<li><span style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-style:italic"><span style="color:rgb(34,34,34);font-family:arial;font-size:small;font-style:normal">Mars Climate Orbiter: one system used metric units, another used English</span><br>
</span></li><li><span style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-style:italic"><span style="color:rgb(34,34,34);font-family:arial;font-size:small;font-style:normal">Therac 5: improper understanding of multi-tasking code</span></span></li>
<li><span style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-style:italic"><span style="color:rgb(34,34,34);font-family:arial;font-size:small;font-style:normal">Heartbleed: Overly complex protocol combined with being able to read beyond allocated memory</span></span></li>
</ul><div>Of these, only heartbleed can credit language as a contributing factor.</div><div><br></div><div>And I again point out a software non-disaster qmail, whose author offered a bug bounty. Secure programs can be written in C.</div>
<div><br></div></div><div>And if the flight safety of an aircraft depended upon the current Lisp version of Ironclad's impenetrability, we would be in trouble.</div><div><br></div><div>I do prefer Lisp, and as I have said before, I think it is easier to write correct and thus secure and safe programs in Lisp, but that is only a small part of the story. Other critical parts to the story are:</div>
<div><ul><li>How well is the software specified?</li><li>Who is the team writing the software? Are they CMM level 5?</li><li>Is the software tuned to the user situation at hand? When the engine exploded on the Quantas flight 32, the pilots had to deal with an almost overwhelming number of alerts.</li>
</ul><div>You do ask a good question, but in my opinion, choice of language is not at the top of the list.</div></div><div><br></div><div>wglb</div><div>(P. S. I am not a lisp expert, but I have been programming for 48 years, including real-time medical software, compilers, financial feed software. For the medical system, we used assembly language. C had not yet been invented, but turns out that doing coroutines in assembler was better than threads showing up later in C.)</div>
<div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Apr 27, 2014 at 10:31 PM, Jean-Claude Beaudoin <span dir="ltr"><<a href="mailto:jean.claude.beaudoin@gmail.com" target="_blank">jean.claude.beaudoin@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Apr 27, 2014 at 4:27 AM, Steve Haflich <span dir="ltr"><<a href="mailto:shaflich@gmail.com" target="_blank">shaflich@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I agree with essentially everything in wglb's message, but (once again) I'll grumpily jump in to emphasize a point which I think many on this list have missed.<div class="gmail_extra">
<br><br><div class="gmail_quote"><div>
On Fri, Apr 25, 2014 at 1:20 PM, William Lederer <span dir="ltr"><<a href="mailto:william.lederer@gmail.com" target="_blank">william.lederer@gmail.com</a>></span> wrote:<br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><br></div><div>I agree with the general sentiment that Lisp is a much safer language to build anything in. While several in this thread are pointing to bounds checking as one of the advantages that Lisp has over C and other languages, there is something else I find that is also very strong: It is easier to write programs about which a reader can reason about correctness. In Lisp, the programs tend to be closer to provable and errors are more evident. As in "obviously no deficiencies" vs "no obvious deficiencies".</div>
<div><br></div><div>But in my experience, vulnerabilities result from</div><div><ul><li>Buffer Overflows/lack of bounds checking (Heartbleed and friends)</li><li>Configuration errors</li><li>Logic Flaws</li><li>Dangerous use of user input (leading to SQLi, XSS, XSRF)</li>
<li>Improper use of cryptography</li><li>Unclear protocol specification (leading to OpenSSL)</li></ul></div></div></blockquote></div><div>This (IMO entirely worthy and correct) summary can easily be misunderstood! Lisp may be superior because it has bounds checking. (We've previously agreed that isn't guaranteed since it isn't in the ANS, and in any platform likely depends on optimization qualities, including the optimization qualities under which internal called routines were compiled.) But bugs based on buffer overflow don't on normal operating systems in general involve bounds checking. At some point on any modern OS, reading or writing to a socket stream will involve passing to the OS (generally via a thin user-mode C API layer like *nix read() and write(), or some socket analogue). Neither Lisp nor C will provide any automatic bounds checking on such a call. The OS treats the application's address space as a mostly-contiguous undifferentiated sea of bytes(*). It doesn't matter that at the app level C also has this model of a sea of bytes, while in Lisp the ocean is run-time tagged into small plots. That distinction disappears once one calls write(fd,buf,len).</div>
<div><br></div><div>The Lisp Machine in its several manifestations might be the only counterexample, since there was no C boundary over which to cross, and because type and bounds checking was performed for free in the microcode. But Lisp machines aren't around any more largely because of the economy of scale. The number of x86 and x64 processors on the planet must be nearly on the order of 10^9, while the number of Lisp machine processors never got out of the 10^5 range, so Intel and AMD etc. could justify huge investments making those processors 3 orders of magnitude faster in raw speed. Lisp processors could not have kept up at bearable per-item cost. Alas!</div>
<div><br></div><div></div></div></div></div></blockquote><div><br></div><div>I think it is not only a question of level of investment or either a question of Lisp in hardware or an other higher language in hardware for that matter. There seems to be some physico-technical optimality point in question here at the hardware/software interface. From my (fading?) memories of a past era I can somewhat recall that the last (I think) major CPU architecture that took security support seriously in hardware was the Intel iAPX 432, with multiple nested security rings in hardware/descriptor supported gates/instructions. (BTW, the 432 was meant to support Ada of all languages, not C or Lisp, but it was general-purpose enough). And history has recorded how well this iAPX 432 architecture flew.<br>
<br></div><div>And while I am using the word "fly" I have that urge to ask you guys that question: What would you personally fly, software written in C or software written in Common Lisp? And I mean it quite literally, with you sitting in the plane. I think that the fact that one can seriously ask that question is one of the most significant evolution in the demands the general context presents to any programming language standard. In 1994 fly-by-wire was cutting edge and still quite experimental, now in 2014 it is the reality of every day on routine commercial flight.<br>
<br></div><div>I see (a somewhat revised?) Common Lisp as a very good starting point to address this new reality.<br></div><div>Better than C, that is for sure. (How can you even hope to make C more safe and secure and yet still<br>
be C is beyond my understanding, FWIW).<br></div><div><br><br></div></div><br></div></div>
<br>_______________________________________________<br>
pro mailing list<br>
<a href="mailto:pro@common-lisp.net">pro@common-lisp.net</a><br>
<a href="http://common-lisp.net/cgi-bin/mailman/listinfo/pro" target="_blank">http://common-lisp.net/cgi-bin/mailman/listinfo/pro</a><br>
<br></blockquote></div><br></div>