From: "cjpsimon@gmail.com" <cjpsimon@gmail.com>
Subject: Re: SPARK code samples
Date: Thu, 12 Aug 2010 00:16:15 -0700 (PDT)
Date: 2010-08-12T00:16:15-07:00 [thread overview]
Message-ID: <120a78e8-8dfd-48be-bc10-1723982b19b6@k10g2000yqa.googlegroups.com> (raw)
In-Reply-To: op.vha0bzhexmjfy8@garhos
On 12 août, 04:39, Yannick Duchêne (Hibou57)
<yannick_duch...@yahoo.fr> wrote:
> Le Wed, 11 Aug 2010 19:33:48 +0200, Dmitry A. Kazakov
> <mail...@dmitry-kazakov.de> a écrit:>http://rosettacode.org/wiki/Category:Programming_Tasks
>
> > (the first 200 (:-))
>
> > Pick any you wish.
>
> Ok. I choose a first one, the one named A+B:http://rosettacode.org/wiki/A%2BB#Ada
>
> I felt it was interesting because it deals with a case of simple I/O,
> which is a first-time issue with SPARK, and because there was the
> opportunity to expose a simple case of validity check.
>
> However, I don't want to post it there straight away, as I came to two
> dirty questions. First the implementation I end up with, then the two
> questions.
>
> --------------------------------------------------------------------
>
> with SPARK_IO;
> --# inherit SPARK_IO;
>
> --# main_program;
>
> procedure A_Plus_B
> --# global in out
> --# SPARK_IO.Inputs,
> --# SPARK_IO.Outputs;
> --# derives
> --# SPARK_IO.Inputs from
> --# SPARK_IO.Inputs &
> --# SPARK_IO.Outputs from
> --# SPARK_IO.Inputs,
> --# SPARK_IO.Outputs;
> is
> A : Integer;
> B : Integer;
> Sum : Integer;
>
> Process_Is_Valid : Boolean;
> Input_Is_OK : Boolean;
> A_And_B_Sumable : Boolean;
>
> begin
> Process_Is_Valid := True;
>
> -- Attempt to Read A from Standard Input.
>
> SPARK_IO.Get_Integer
> (File => SPARK_IO.Standard_Input,
> Item => A,
> Width => 0,
> Read => Input_Is_OK);
>
> if not Input_Is_Ok then
> Process_Is_Valid := False;
> end if;
>
> -- Attempt to Read B from Standard Input.
>
> B := 0;
>
> if Process_Is_Valid then
> SPARK_IO.Get_Integer
> (File => SPARK_IO.Standard_Input,
> Item => B,
> Width => 0,
> Read => Input_Is_OK);
>
> if not Input_Is_Ok then
> Process_Is_Valid := False;
> end if;
> end if;
>
> -- Get A + B checking the sum is valid in the while.
>
> Sum := 0;
>
> if Process_Is_Valid then
> A_And_B_Sumable := False;
>
> if A >= 0 and B >= 0 then
> if (Integer'Last - A) >= B then
> Sum := A + B;
> A_And_B_Sumable := True;
> end if;
> elsif A >= 0 and B < 0 then
> -- Always valid as the sum is
> -- in range A..B
> Sum := A + B;
> A_And_B_Sumable := True;
> elsif A < 0 and B >= 0 then
> -- Always valid as the sum is
> -- in range A..B
> Sum := A + B;
> A_And_B_Sumable := True;
> elsif A < 0 and B < 0 then
> if (Integer'First - A) <= B then
> Sum := A + B;
> A_And_B_Sumable := True;
> end if;
> end if;
>
> if not A_And_B_Sumable then
> Process_Is_Valid := False;
> end if;
> end if;
>
> -- Write A + B.
>
> if Process_Is_Valid then
> SPARK_IO.Put_Integer
> (File => SPARK_IO.Standard_Output,
> Item => Sum,
> Width => 0,
> Base => 10);
> else
> SPARK_IO.Put_Line
> (File => SPARK_IO.Standard_Output,
> Item => "Either the input or the sum was invalid.",
> Stop => 0); -- 0 means no extra spaces will be written.
> end if;
>
> end A_Plus_B;
>
> --------------------------------------------------------------------
>
> Questions:
>
> * The page says the input of both A and B is supposed to be in range
> -1000..+1000. Obviously there is no way to assert this, so I simply
> dropped the assumption. Are you OK ?
>
> * I could have made a test to ensure inputs of A and B is in -1000..+1000,
> while this would not avoid the need to check for the sum validity, as
> formally speaking there is no way to assert anything on Integer range.
> Second reason to dropped this assumption. OK ?
>
The RM : In an implementation, the range of Integer shall include the
range –2**15+1 .. +2**15–1.
> This case apart, I was thinking giving SPARK examples there, we may not
> rely on user defined rules nor on the checker. Things should be provable
> as-is.
>
> --
> There is even better than a pragma Assert: a SPARK --# check.
> --# check C and WhoKnowWhat and YouKnowWho;
> --# assert Ada;
> -- i.e. forget about previous premises which leads to conclusion
> -- and start with new conclusion as premise.
next prev parent reply other threads:[~2010-08-12 7:16 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-11 8:44 SPARK code samples Dmitry A. Kazakov
2010-08-11 11:38 ` Ada novice
2010-08-11 13:54 ` Yannick Duchêne (Hibou57)
2010-08-11 16:07 ` Mark Lorenzen
2010-08-11 16:33 ` (see below)
2010-08-11 16:45 ` Yannick Duchêne (Hibou57)
2010-08-11 16:50 ` Yannick Duchêne (Hibou57)
2010-08-11 17:10 ` Ada novice
2010-08-11 18:21 ` Yannick Duchêne (Hibou57)
2010-08-12 12:08 ` Ada novice
2010-08-12 22:03 ` Phil Thornley
2010-08-11 15:26 ` Yannick Duchêne (Hibou57)
2010-08-11 17:33 ` Dmitry A. Kazakov
2010-08-12 2:39 ` Yannick Duchêne (Hibou57)
2010-08-12 5:02 ` Jeffrey Carter
2010-08-12 13:31 ` Yannick Duchêne (Hibou57)
2010-08-12 7:16 ` cjpsimon [this message]
2010-08-12 7:29 ` Maciej Sobczak
2010-08-12 13:41 ` Yannick Duchêne (Hibou57)
2010-08-12 9:46 ` Jacob Sparre Andersen
2010-08-12 13:43 ` Yannick Duchêne (Hibou57)
2010-08-12 13:58 ` Jacob Sparre Andersen
2010-08-12 3:03 ` Yannick Duchêne (Hibou57)
-- strict thread matches above, loose matches on Subject: below --
2010-08-11 17:32 Mark Lorenzen
2010-08-11 17:39 ` Ada novice
2010-08-11 17:45 ` (see below)
2010-08-11 18:00 ` Ada novice
2010-08-11 18:17 ` Yannick Duchêne (Hibou57)
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox