[taeric]

:( Why are we replying without going down the chain? I almost didn't even see you put more of a response to me.

Regardless, I'm familiar with Ada. I'm also familiar with some fun disasters using software by Ada.[1] Now, do I blame that it was in Ada? No. However, the attitude you are displaying of "if all you know is it was in Ada, then it is safer than the alternatives" seems to be the exact problem that led to that disaster.

If the only thing I know of two irradiation devices is one was statically typed and the other wasn't, I'd likely pass on both. Or I'd like to know how much radiation each is capable of outputting. Consider, x-ray machines far predate what we realize as programmable computers. And much more goes into the safety of the devices than just the language used.

[1] http://www.adapower.com/index.php?Command=Class&ClassID=FAQ&...

[srean]

> :( Why are we replying without going down the chain?

I dislike deeply nested, indentation cramped and tangential threads, so sometimes if I dont have anything that important to say I inline it. More so when everyone has left the building.

> I'm also familiar with some fun disasters using software by Ada.

I dont think we were ever discussing whether using Ada or some other statically type checked language immunizes a project against all other peripheral errors. That would be a supremely ridiculous and stupid claim to make.

Typechecking proves either that the code is type error free or that the typechecker has a bug. In the case of the latter, you try and fix it and the benefit percolates to every software verified by it. Testing proves that it passes only those specific test cases and only if the programmer tested it at all.

BTW the very first line says the fault had nothing to do with Ada. The source of the error was beyond the scope of typechecking.

To backtrack, our discussion was on whether there are notable examples of software written in dynamically typed languages where the cost of error is high.

Runtime error while spaceshuttle descends backs to earth, no thank you, on a fly-by-wire unit, when the pilot is breaking out of a loop, again no thank you. There are times when, no pun intended, you just cannot bail out and wash your hands off the situation, without terrible consequences. In such cases I would rather have the error surfaced in an environment where I can control the consequences, meaning early, and as exhaustively as possible.

Most importantly typechecking does not preclude/replace testing, it complements it.

Everything cannot be statically verified or insured against, but that does not mean that just because we cannot verify everything statically, we should verify nothing statically.

BTW Typical x-ray machines do not have the power to kill you in a single exposure, radiotherapy units absolutely can, example Therac.

  The accidents occurred when the high-power electron beam
  was activated instead of the intended low power beam, and
  without the beam spreader plate rotated into place.
  Previous models had hardware interlocks in place to
  prevent this, but Therac-25 had removed them, depending
  instead on software interlocks for safety. The software
  interlock could fail due to a race condition.

I would rather have it proved (exhaustively, rather than with typical tests which would be anecdotaly) that such errors cannot happen.

[taeric]

Well, apologies for the nesting. :( I agree it is ugly, but is easier to spot changes. (Also.... I went to sleep. Sorry. Which, also, I was tired. My tone has been terrible in some of these messages. Apologies for that, as well. To all involved.)

I am aware, and agree with the opinion, that Ada had nothing to do with the error. However, I don't think many would disagree that the fact the code was in Ada gave the team that decided to reuse it more faith that it was "safely" reusable than had it been written in another language.

This is still not the fault of Ada, but it was the exact reasoning you are using to say I should prefer the statically typed solution over another, if that is all I know. My point is if that is all you know, you don't know enough to make a decision.

So, in my mind, our discussion was not over whether there are notable examples of software written in dynamically typed languages where the cost of error is high. The discussion is whether there have been studies showing that statically typed languages produce less bug prone software.

So, to your own example, what was Therac written in? Because, honestly, right off I don't know. I would not be surprised to know it was in a statically typed language. And note, I would not use that as an example of where typed safe languages are failures.

And then to wrap up back to your question. It doesn't take a lot of googling to find that Nasa used to use a Symbolics Lisp machine in their work. http://stackoverflow.com/a/563378/392812

[srean]

> that the fact the code was in Ada gave the team that decided to reuse it more faith that it was "safely" reusable than had it been written in another language.

And you are making ridiculous analogies from the Ariane example. Ada had no bearing on the failure. They plugged in a controller for a different vehicle entirely.

The question is about relative confidence between a statically typed and a runtime typed software. The fact remains that given a fixed/finite budget of testing, wise people will not even think of deploying a runtime typed system for such tasks. These tasks cannot afford runtime errors, so it is imperative that due diligence be made to prove that they cannot happen.

(You cannot send several manned missions to the moon just to test) I am not aware of runtime typed systems that afford such proofs before running it and if some do, it is a statically proven system to begin with.

Revisit my points about runtime errors on a flight controller. Or to be less fancy, runtime error in trading software, "oops sent the wrong million dollar transaction request and bailed out because of runtime error". Has happened, and run companies to the ground.

> what was Therac written in? Given its age, I would assume it was some fairly low level language. Whatever it was, it was something that did not prove that such races cannot happen, in other words it was open to runtime error, which is exactly what we want to eliminate as far as possible. We will run it a few times and see what gives, is not a tenable strategy for many important tasks.

> It doesn't take a lot of googling to find that Nasa used to use a Symbolics Lisp machine

You are being slightly disingenuous here, I was talking about deployed flight controllers that actually control the thing when its on flight.

As I have said its like arguing with birthers, you have made up your mind and no matter what I say you will try to avoid the logic of eliminating costly runtime errors.

[taeric]

What the shit? Your question: "You are given two systems, one implemented in language class X, one implemented in language class Y, pick the one you trust." Me: "Not enough information to make a valid answer."

To be clear, I think mistakes have been made with all paradigms of programming. In many cases, the mistakes were made completely outside the realm of the program. Like the Ariane example. I only mentioned it as a "failure" of static typing because of your bloody question.

Seriously, it is your hypothetical: "Here is a rocket where the control system was implemented in Ada. Do you trust it more than a competing one that was implemented in machine language?" That is essentially the question you gave me. I turned it around precisely to show that just knowing the type of language that something was implemented in is bloody worthless.

I have made up my mind. To remain skeptical of claims that are not backed by empirical evidence. I'm optimistic enough to think that static typing is actually a good thing. The arguments used to put it lack any backing with verification. (Which, I find ironic, since they are supposed to be about verification.)

[srean]

Ah I see what happened. We somehow managed to talk past each other and go out of sync and ended up responding to something that was not on the others mind.

If you thought I am not in agreement with this comment of yours, then let me assure you that I am (with certain differences).

My point remains that your Ariane example is irrelevant, it shows that statically typed systems can still fail if there are failure modes outside of the purview of the typechecker. That is obvious and was never in contest. What was in contest, however, was the relative safeties of statically typed vs dynamically typed. Your example has no bearing in clearing that question. I am claiming superiority of the static paradigm because no one has been forthcoming in putting their money and lives in control of a dynamically typed controller. You are just refusing to concede this because it affects your view in some way, and I dont expect to see any change in that behavior.

Let me put forward my main claim (and ignore the silly hypothetical ones): dynamically typed/checked languages are unsuitable and dangerous for cases where runtime errors are egregiously costly because they cannot prove that such eventualities cannot happen before they actually happen. Because of these risks involved such systems are sensibly not implemented in dynamically typed/checked languages. Statically typed languages cannot immunizes against all possible failures, yet they are better than dynamically typed languages in this scenario because they can eliminate a large class of these runtime errors that dynamically typed languages just cannot (if they can they are statically typed by definition), whereas testing applies equally to both.

BTW a dynamically typed language with exhaustive static analysis is a statically typechecked language.

[taeric]

Makes sense. Though, I disagree with your last assertion. That is, no matter how exhaustively a solution has been explored, if the implementation language is a dynamic one, then it is implemented in a dynamic language.

As an example, I take any of the MIX algorithms in Knuth's books. They are more thoroughly documented and explained than anything under other software I have ever seen. They still aren't statically typed. (Simply put, if someone makes a mistake in transcribing it or "cleaning" it up, it will not be caught by a type checker.)

And, yes, I do think we ultimately agree. The heart of my question is just wanting evidence. I even agree with the premise that "in the absence of other evidence*, I would have more faith in a statically typed solution than otherwise. I just wouldn't have that much faith without more. :)