From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Exceptions and out procedure arguments (using GNAT GPL)
Date: Fri, 22 Jun 2007 21:45:20 +0200
Date: 2007-06-22T21:44:58+02:00 [thread overview]
Message-ID: <15wdv3qz51cqd$.pl6zy4m98ojn$.dlg@40tude.net> (raw)
In-Reply-To: 467c10e5$0$14879$9b4e6d93@newsspool4.arcor-online.net
On Fri, 22 Jun 2007 20:15:02 +0200, Georg Bauhaus wrote:
> Dmitry A. Kazakov wrote:
>>
>> I didn't talk about formal correctness or pre-/postconditions, but if you
>> bring this topic in. What is so difficult in:
>
> I had this in mind:
> "Actually I think that boils down to your [Adam Beneschan's] stand point
> on exceptions vs. program correctness. Mine is that any exception shall
> be a valid (correct) outcome.
>
> "In other words, exceptions are a subject of DbC, they aren't a vehicle of. "
>
> How, exactly, can exception be made a subject of DbC (other than
> banning them)?
By having contracted exceptions, obviously.
Heck, I am not an employee of Praxis, you know, so you'd better ask them.
But if I were at their place, I would introduce the predicate
propagated(e). For each e, exception, propagated(e) is true when e is being
propagated. Trivially, each Ada statement has in its precondition
forall e not propagated (e)
except for the first statement of an exception handler:
exception
when Constraint_Error =>
require propagated(Constraint_Error) and
not (...other exceptions...);
For built-in operations like "+" we could have:
function "+" (Left, Right : Integer) return Integer;
ensure
(Left + Right not in Integer'Range and propagated(Constraint_Error))
or
(Left + Right in Integer'Range and Result = Left + Right)
[and not propagated (Program_Error) and not propagated (Data_Error) ...)]
For raise:
raise e;
ensure propagated(e) [and not ...]
P.S. Robert Duff said on many occasions that Storage_Error could be
propagated almost anywhere. That's better to change and he mentioned some
ideas of how to do this. But Storage_Error is not a catastrophe for
provability. Just don't mention it in the contracts, and *consequently*
don't handle it because you could not.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2007-06-22 19:45 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-16 1:05 Exceptions and out procedure arguments (using GNAT GPL) Fionn Mac Cumhaill
2007-06-16 1:53 ` Anh Vo
2007-06-16 2:50 ` Brian May
2007-06-16 3:08 ` Randy Brukardt
2007-06-16 6:55 ` Dmitry A. Kazakov
2007-06-18 15:44 ` Adam Beneschan
2007-06-19 5:23 ` Fionn Mac Cumhaill
2007-06-19 7:34 ` Maciej Sobczak
2007-06-19 15:21 ` Adam Beneschan
2007-06-19 20:07 ` Dmitry A. Kazakov
2007-06-19 21:20 ` Adam Beneschan
2007-06-20 6:16 ` Georg Bauhaus
2007-06-20 8:01 ` Dmitry A. Kazakov
2007-06-20 8:45 ` Georg Bauhaus
2007-06-20 9:29 ` Dmitry A. Kazakov
2007-06-20 6:21 ` Georg Bauhaus
2007-06-20 8:02 ` Dmitry A. Kazakov
2007-06-20 8:46 ` Georg Bauhaus
2007-06-20 9:29 ` Dmitry A. Kazakov
2007-06-20 10:13 ` Georg Bauhaus
2007-06-20 12:58 ` Dmitry A. Kazakov
2007-06-20 14:16 ` Georg Bauhaus
2007-06-20 18:22 ` Dmitry A. Kazakov
2007-06-20 19:16 ` Georg Bauhaus
2007-06-20 20:40 ` Dmitry A. Kazakov
2007-06-21 9:52 ` Georg Bauhaus
2007-06-21 13:48 ` Dmitry A. Kazakov
2007-06-22 18:15 ` Georg Bauhaus
2007-06-22 19:45 ` Dmitry A. Kazakov [this message]
2007-06-20 15:15 ` Fionn Mac Cumhaill
2007-06-19 21:40 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox