From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Class wide preconditions: error in GNAT implementation?
Date: Tue, 19 Feb 2013 10:07:28 +0100
Date: 2013-02-19T10:07:28+01:00 [thread overview]
Message-ID: <11ib1znk4xdxd$.a0hnpfw4er6b$.dlg@40tude.net> (raw)
In-Reply-To: lyppzxpd4f.fsf@pushface.org
On Mon, 18 Feb 2013 20:42:56 +0000, Simon Wright wrote:
> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>
>> On Mon, 18 Feb 2013 18:04:53 +0000, Simon Wright wrote:
>>
>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>
>>>> Anyway, trivially, consider the following types:
>>>>
>>>> type A is ...;
>>>> type B is new A with ...;
>>>>
>>>> The predicate P=x in A'Class is true for both A and B. The predicate
>>>> Q=y in B'Class is true B and false for A. hence Q=>P, Q is stronger.
>>>
>>> If you allow code like this, how can you draw any conclusions about the
>>> correctness of a call through a pointer to A'Class?
>>
>> Do you believe in correctness proofs without looking into the bodies?
>
> Well, you've consructed a situation which is plainly wrong if we're
> going to be talking substitutablity.
But that is not same as correctness. Even if substitutability were
decidable that would not ensure correctness. And conversely a program can
be correct even with substitutability violated.
> I would expect that if you could prove that
>
> * all calls via A'Class meet A's precondition; and
>
> * all derived type implementations produce valid output when given
> parameters that meet A's precondition
>
> then you'd be a long way toward a correctness proof.
The first is trivial, the second is undecidable.
>>>> [Tag checks violate LSP]
>>>
>>> Don't understand.
>>
>> Because these could be used to construct predicates which would depend
>> on the actual type. Absolute substitutability as required by "naive"
>> interpretations of LSP is based on types being absolutely
>> indistinguishable for the clients, which tags obviously defeat.
>
> Then don't write predicates like that! (and slap the wrist of anyone you
> find doing it).
But the idea of LSP (behavioral notion of subtype) was to prevent such
predicates coming into existence per construction of subtypes. The sad
reality is that we need them to make our programs working, e.g. for
dispatching. Mere existence of predicates which do not hold upon subtyping
does not make program incorrect and sometimes they do it correct.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2013-02-19 9:07 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-15 3:55 Class wide preconditions: error in GNAT implementation? ytomino
2013-02-15 10:15 ` Georg Bauhaus
2013-02-15 13:16 ` ytomino
2013-02-16 1:01 ` Randy Brukardt
2013-02-16 2:50 ` ytomino
2013-02-16 9:28 ` Dmitry A. Kazakov
2013-02-16 13:13 ` ytomino
2013-02-16 16:35 ` Dmitry A. Kazakov
2013-02-16 19:55 ` ytomino
2013-02-16 20:34 ` ytomino
2013-02-18 8:30 ` Dmitry A. Kazakov
2013-02-18 9:17 ` Simon Wright
2013-02-18 14:25 ` Dmitry A. Kazakov
2013-02-18 18:04 ` Simon Wright
2013-02-18 19:27 ` Dmitry A. Kazakov
2013-02-18 20:42 ` Simon Wright
2013-02-19 9:07 ` Dmitry A. Kazakov [this message]
2013-02-18 19:02 ` ytomino
2013-02-18 19:44 ` Dmitry A. Kazakov
2013-02-16 15:16 ` Georg Bauhaus
2013-02-16 20:23 ` Simon Wright
2013-02-17 15:12 ` ytomino
2013-02-18 17:49 ` Simon Wright
2013-02-18 18:45 ` ytomino
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox