From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 X-Received: by 10.140.196.76 with SMTP id r73mr21323260qha.3.1445686827569; Sat, 24 Oct 2015 04:40:27 -0700 (PDT) X-Received: by 10.182.153.70 with SMTP id ve6mr149023obb.18.1445686827533; Sat, 24 Oct 2015 04:40:27 -0700 (PDT) Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!mx02.eternal-september.org!feeder.eternal-september.org!news.glorb.com!m48no1491797qgd.0!news-out.google.com!n2ni44033igy.0!nntp.google.com!kq10no27881275igb.0!postnews.google.com!glegroupsg2000goo.googlegroups.com!not-for-mail Newsgroups: comp.lang.ada Date: Sat, 24 Oct 2015 04:40:27 -0700 (PDT) In-Reply-To: <3c3ef412-4a5c-419f-a1c5-ae5e4fe4d0a9@googlegroups.com> Complaints-To: groups-abuse@google.com Injection-Info: glegroupsg2000goo.googlegroups.com; posting-host=94.174.195.8; posting-account=g4n69woAAACHKbpceNrvOhHWViIbdQ9G NNTP-Posting-Host: 94.174.195.8 References: <3c3ef412-4a5c-419f-a1c5-ae5e4fe4d0a9@googlegroups.com> User-Agent: G2/1.0 MIME-Version: 1.0 Message-ID: <0fa327b0-fdac-4419-8bc1-237a0aa822ed@googlegroups.com> Subject: Re: GNATProve - interactions between units From: Martin Injection-Date: Sat, 24 Oct 2015 11:40:27 +0000 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Xref: news.eternal-september.org comp.lang.ada:28041 Date: 2015-10-24T04:40:27-07:00 List-Id: On Friday, October 23, 2015 at 11:25:21 AM UTC+1, Maciej Sobczak wrote: > Hi, >=20 > My understanding of SPARK rules is that it is possible to reason about th= e correctness of the program by proving its units individually and the role= of package specifications and subprogram contracts is to isolate units fro= m each other in the sense that it is not necessary to look into other units= in order to declare the correctness of the unit being analyzed. >=20 > In other words, we can run GNATProve on each unit separately. >=20 > On the other hand, running GNATProve on all program units allows the tool= (apart from reusing the runtime infrastructure of the prover, which amorti= zes the startup time over many units) to get more information about how uni= ts use each other and from this additional information it can discharge mor= e VCs than would be possible otherwise. > If this is true, then running GNATProve on the whole program should produ= ce the same or *smaller* amount of undischarged VCs. >=20 > I have a project where the opposite can be observed - that is, individual= units prove clean, whereas the whole produces warning messages about range= checks. >=20 > Is it acceptable to consider this to be a tool bug? Or are there any flaw= s in my reasoning above and in fact proving units separately is not suffici= ent for analyzing correctness of the program as a whole? >=20 > --=20 > Maciej Sobczak * http://www.inspirel.com It may be down to the size of the problem space being analysed. It may have= to 'loose' some of the information (i.e. make approximations) that it has = room for in the unit analysis. Are there any 'depth of analysis' settings? = It may be that you need to crank it up to 11 to ensure a "lossless" analysi= s and be prepared to wait for potentially very much longer to get results. This is just a guess (I haven't used GNATProve), but it's a guess based on = using other static (semantic) analysis tools for about 15 years now. ;-) -- Martin