From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Operation can be dispatching in only one type
Newsgroups: comp.lang.ada
Organization: cbb software GmbH
Date: Tue, 8 Dec 2009 11:49:21 +0100
Message-ID: <14b9m5vc93pw3$.17meyeuqpwoz7$.dlg@40tude.net>
On Tue, 08 Dec 2009 11:33:25 +0100, Georg Bauhaus wrote:

> Dmitry A. Kazakov schrieb:
>> On Tue, 08 Dec 2009 11:06:54 +0100, Georg Bauhaus wrote:
>>
>>> Dmitry A. Kazakov schrieb:
>>>> In my view pre-/postconditions and
>>>> invariants should be static, used strictly for program correctness proofs.
>>>> Subtypes should complement them for dynamic run-time checks (recoverable
>>>> faults).
>>> Hm. What would be your subtype based expression for
>>>
>>>    generic
>>>       type E is private;
>>>    package Stacks is
>>>
>>>       type Stack is private;
>>>
>>>       procedure push (Modified_Stack : in out Stack;
>>>                       Another : Element)
>>>         with pre  => not Full (Modified_Stack),
>>>              post => Size (Modified_Stack'Exit) = Size (Modified_Stack);
>>>
>>>       procedure pop (Modified_Stack : in out Stack)
>>>         with pre  => not Empty (Modified_Stack),
>>>              post => Empty (Modified_Stack);
>>
>> None. The above is wrong. You cannot implement this contract (if we deduced
>> one from the given pre- and postconditions). Proof:
>>
>>    loop
>>       Push (Stack, X);
>>    end loop;
>>
>> q.e.d.
>>
>> Therefore the contract of a stack must always contain ideals, e.g.
>>
>> 1. exceptions, like Full_Error, Empty_Error;
>
> I understand that exceptions are implied by Eiffel style
> conditions.

No, in that case the conditions should be:

   pre  => true
   post => Size (Modified_Stack'Exit) = Size (Modified_Stack); or Full_Error

Actually, the second part is more elaborate; it should also state that the
stack was not modified, but you've got the idea. Ideals are postcondition
things.

>> 2. blocked states, like holding the caller until the stack state is changed
>> from another task.
>
> Would you want this to be possible with Ada, or with SPARK? ;-)

In what sense? Of course it is possible to implement in Ada using a
protected object or a monitor task.

>> Pre- and postconditions are to be used to prove a contract to hold. They
>> themselves are no contract.
>
> In Eiffel, pre, post and inv are used to write a contract.
> The proof obligation rests on the programmer.

Yes, this is the core of the disagreement. If that rests on the programmer,
then *-conditions are THE program.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
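The two contract styles argued about in this message, as an added example in Ada 2012 aspect syntax (constructed for this page, not code posted in the thread): Push_Checked carries the Eiffel-style `Pre => not Full`, while Push carries the `pre => true` form in which the Full case is an outcome, expressed by raising Full_Error with the stack left unchanged. It assumes GNAT with -gnata so the assertions are checked; the exception name, Capacity and the sample value are constructed for the demo.

```ada
with Ada.Text_IO; use Ada.Text_IO;
procedure Stack_Contract_Demo is
   Full_Error : exception;
   package Bounded_Stacks is
      Capacity : constant := 2;  --  tiny, so the Full state is reached quickly
      type Stack is private;
      function Size (S : Stack) return Natural;
      function Full (S : Stack) return Boolean is (Size (S) = Capacity);
      --  Eiffel-style form: the caller must check Full; with -gnata a
      --  caller that pushes blindly fails this precondition.
      procedure Push_Checked (S : in out Stack; X : Integer)
        with Pre  => not Full (S),
             Post => Size (S) = Size (S)'Old + 1;
      --  The form argued for above: pre => True; "or Full_Error" is expressed
      --  by raising, which skips the Post check and leaves S unchanged.
      procedure Push (S : in out Stack; X : Integer)
        with Pre  => True,
             Post => Size (S) = Size (S)'Old + 1;
   private
      type Item_Array is array (1 .. Capacity) of Integer;
      type Stack is record
         Top   : Natural := 0;
         Items : Item_Array;
      end record;
      function Size (S : Stack) return Natural is (S.Top);
   end Bounded_Stacks;
   package body Bounded_Stacks is
      procedure Push_Checked (S : in out Stack; X : Integer) is
      begin
         S.Top := S.Top + 1;
         S.Items (S.Top) := X;
      end Push_Checked;
      procedure Push (S : in out Stack; X : Integer) is
      begin
         if Full (S) then
            raise Full_Error;  --  S is not modified on this path
         end if;
         Push_Checked (S, X);
      end Push;
   end Bounded_Stacks;
   use Bounded_Stacks;
   S : Stack;
begin
   loop                    --  the loop from the proof above: it now ends
      Push (S, 42);        --  with Full_Error after Capacity pushes
   end loop;
exception
   when Full_Error =>
      Put_Line ("Full_Error after" & Natural'Image (Size (S)) & " pushes");
end Stack_Contract_Demo;
```

Replacing the call in the loop with Push_Checked turns the same loop into an assertion failure on the third iteration, which is the "cannot implement this contract" point made above.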