From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Operation can be dispatching in only one type
Date: Tue, 8 Dec 2009 11:49:21 +0100
Message-ID: <14b9m5vc93pw3$.17meyeuqpwoz7$.dlg@40tude.net>
In-Reply-To: 4b1e2b75$0$6732$9b4e6d93@newsspool2.arcor-online.net
On Tue, 08 Dec 2009 11:33:25 +0100, Georg Bauhaus wrote:
> Dmitry A. Kazakov wrote:
>> On Tue, 08 Dec 2009 11:06:54 +0100, Georg Bauhaus wrote:
>>
>>> Dmitry A. Kazakov wrote:
>>>> In my view pre-/postconditions and
>>>> invariants should be static, used strictly for program correctness proofs.
>>>> Subtypes should complement them for dynamic run-time checks (recoverable
>>>> faults).
>>> Hm. What would be your subtype based expression for
>>>
>>> generic
>>>    type Element is private;
>>> package Stacks is
>>>
>>>    type Stack is private;
>>>
>>>    procedure push (Modified_Stack : in out Stack;
>>>                    Another        : Element)
>>>      with pre  => not Full (Modified_Stack),
>>>           post => Size (Modified_Stack'Exit) = Size (Modified_Stack);
>>>
>>>    procedure pop (Modified_Stack : in out Stack)
>>>      with pre  => not Empty (Modified_Stack),
>>>           post => Empty (Modified_Stack);
>>
>> None. The above is wrong. You cannot implement this contract (if we deduced
>> one from the given pre- and postconditions). Proof:
>>
>> loop
>>    Push (Stack, X);
>> end loop;
>>
>> q.e.d.
>>
>> Therefore the contract of a stack must always contain ideals, e.g.
>>
>> 1. exceptions, like Full_Error, Empty_Error;
>
> I understand that exceptions are implied by Eiffel style
> conditions.
No, in that case the conditions should be:
   pre  => true
   post => Size (Modified_Stack'Exit) = Size (Modified_Stack); or Full_Error
Actually, the second part is more elaborate, it should also state that the
stack was not modified, but you've got the idea. Ideals are postcondition
things.
>> 2. blocked states, like holding the caller until the stack state is changed
>> from another task.
>
> Would you want this to be possible with Ada, or with SPARK? ;-)
In what sense? Of course it is possible to implement in Ada using a
protected object or a monitor task.
>> Pre- and postconditions are to be used to prove a contract to hold. They
>> themselves are no contract.
>
> In Eiffel, pre post and inv are used to write a contract.
> The proof obligation rests on the programmer.
Yes, this is the core of the disagreement. If that rests on the programmer,
then *-conditions are THE program.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
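To make the two positions concrete, here is an added example (not code from either poster) of the exception-reporting contract in Ada 2012 syntax. Push and Pop carry `Pre => True`, so no caller is ever asked to prove "not Full" before calling; the operation itself raises the fault and leaves the stack untouched. The postconditions use Ada 2012's `'Old` where the quoted draft wrote `'Exit`. The package name `Bounded_Stacks`, the `Capacity` formal and the `Full_Error`/`Empty_Error` exception names are assumptions. Build with GNAT using `-gnata` so the Pre/Post aspects are checked at run time; the infinite Push loop from the thread then ends in a recoverable `Full_Error` rather than a violated precondition.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Contract_Demo is

   --  Hypothetical bounded stack (not the posters' code). The contract does
   --  not demand "not Full" from the caller; the fault is reported by the
   --  operation itself, so the infinite Push loop from the post terminates
   --  with a recoverable exception instead of a broken precondition.
   generic
      type Element is private;
      Capacity : Positive;
   package Bounded_Stacks is
      type Stack is private;

      Full_Error  : exception;
      Empty_Error : exception;

      function Size  (S : Stack) return Natural;
      function Full  (S : Stack) return Boolean is (Size (S) = Capacity);
      function Empty (S : Stack) return Boolean is (Size (S) = 0);

      --  Pre => True: every call is legal. Post uses Ada 2012's 'Old where
      --  the quoted draft wrote 'Exit. When Full_Error is raised, the
      --  postcondition is not evaluated and the stack is left unchanged.
      procedure Push (S : in out Stack; X : Element)
        with Pre  => True,
             Post => Size (S) = Size (S)'Old + 1;

      procedure Pop (S : in out Stack; X : out Element)
        with Pre  => True,
             Post => Size (S) = Size (S)'Old - 1;
   private
      type Element_Array is array (1 .. Capacity) of Element;
      type Stack is record
         Top  : Natural := 0;
         Data : Element_Array;
      end record;
      function Size (S : Stack) return Natural is (S.Top);
   end Bounded_Stacks;

   package body Bounded_Stacks is
      procedure Push (S : in out Stack; X : Element) is
      begin
         if Full (S) then
            raise Full_Error;  --  state untouched: the "not modified" clause
         end if;
         S.Top := S.Top + 1;
         S.Data (S.Top) := X;
      end Push;

      procedure Pop (S : in out Stack; X : out Element) is
      begin
         if Empty (S) then
            raise Empty_Error;
         end if;
         X := S.Data (S.Top);
         S.Top := S.Top - 1;
      end Pop;
   end Bounded_Stacks;

   package Int_Stacks is new Bounded_Stacks (Element => Integer, Capacity => 4);
   use Int_Stacks;

   S : Stack;
   V : Integer;
   Pushes, Pops : Natural := 0;
begin
   --  The "proof" from the thread: push forever. With a "not Full"
   --  precondition this is a contract violation on the caller's side;
   --  here it is a fault the stack reports and the caller recovers from.
   begin
      loop
         Push (S, 42);
         Pushes := Pushes + 1;
      end loop;
   exception
      when Full_Error =>
         Put_Line ("Full_Error after" & Natural'Image (Pushes)
                   & " pushes, size" & Natural'Image (Size (S)));
   end;

   --  Drain it the same way; Empty_Error ends the loop.
   begin
      loop
         Pop (S, V);
         Pops := Pops + 1;
      end loop;
   exception
      when Empty_Error =>
         Put_Line ("Empty_Error after" & Natural'Image (Pops)
                   & " pops, size" & Natural'Image (Size (S)));
   end;
end Contract_Demo;
```

The design point is where the check lives: with `Pre => not Full`, the operation trusts its caller and an unchecked call on a full stack is an unrecoverable contract violation (or, without `-gnata`, a write past the array if the body skips its own check); with `Pre => True` and an exception, the check is part of the operation's behaviour and remains in force regardless of how the caller was compiled.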