From: "Dmitry A. Kazakov"
Newsgroups: comp.lang.ada
Subject: Re: about the new Ada 2012 pre/post conditions
Date: Sat, 7 Jul 2012 11:09:04 +0200
Organization: cbb software GmbH
Message-ID: <17gu8ut6gqmxz.1umu8nudqyggi$.dlg@40tude.net>
References: <1i1mp8xs3vtl2.1oc4m66qtfgzq.dlg@40tude.net> <33crfw5vkxoh$.kz5mq75s36ee.dlg@40tude.net> <43e4637c-3337-4d99-be45-20e054e5a203@googlegroups.com> <6ua1uo9zmkjn$.1tmqyzmetx71u$.dlg@40tude.net> <4ff6969e$0$9514$9b4e6d93@newsspool1.arcor-online.net> <1xkiqefb6watw.10fvt344m3c4g$.dlg@40tude.net> <4ff6a20a$0$9525$9b4e6d93@newsspool1.arcor-online.net> <1l7pg7ihwb9vn$.kq6k3ypjwl07.dlg@40tude.net> <4ff6d51a$0$9514$9b4e6d93@newsspool1.arcor-online.net> <7xnkuta2d94n$.1815f9iev4s7r$.dlg@40tude.net> <4ff7139f$0$9522$9b4e6d93@newsspool1.arcor-online.net> <80rid9aui8jv$.wg3phwexxdfy$.dlg@40tude.net>
Reply-To: mailbox@dmitry-kazakov.de

On Fri, 6 Jul 2012 20:24:39 -0500, Randy Brukardt wrote:

> "Dmitry A. Kazakov" wrote in message
> news:80rid9aui8jv$.wg3phwexxdfy$.dlg@40tude.net...
> ...
>>> but (2) we cannot really see from sqrt's specification what to do in
>>> order to avoid them,
>>
>> 2. Wrong, it is clearly seen from the post-condition
>
> It was clear as mud to me.
>
>    Pre => (if A < 0.0 then raise Constraint_Error);
>
> is a *lot* clearer to me.

A precondition is a predicate. A predicate is a Boolean-valued function per
definition.

http://en.wikipedia.org/wiki/Predicate_%28mathematical_logic%29

It cannot raise anything. The formula above is meaningless; it shows how
damaging the if-operator stuff could become.

The proper precondition of sqrt that does not raise [we hope that it would
not, but for "practical reasons" take that it does not] is:

   Pre => A >= 0.0 (and A'Valid)

The precondition of sqrt that does raise is:

   Pre => True

The postcondition is also a predicate, which could only state that
Constraint_Error is underway, e.g.:

   Post => ... (A < 0.0 and Constraint_Error RAISED) ...;

If exceptions are ever contracted, you would never see them in
preconditions.

From the proof POV, there is no difference. Both are equivalently difficult
or simple to prove, because it is essentially A < 0.0.

>>> and (3) we cannot have an efficient sqrt because Ada's sqrt forces
>>> a test on us that is quite unnecessary once we know, i.e. have shown,
>>> that x >= 0.0 is always true before calling sqrt.
>>
>> 3. Wrong. There is no difference whatsoever to a dynamic check in that
>> respect. The implementation is the same. That is BTW why there is no such
>> thing as "dynamic check." And surely the second part of the postcondition
>> can be ignored if it is proven that X > 0.0, which would let the optimizing
>> compiler deploy a modified body without the check.
>
> Definitely wrong. Any decent compiler will completely eliminate the dynamic
> check on the precondition given above (presuming the actual value allows
> that).

This is what I wrote.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
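The two sqrt variants argued over above, written out as a complete Ada 2012 program. This is an added example by the editor, not code posted by either participant in the thread: the names Contract_Demo, Safe_Sqrt, Checked_Sqrt, Sqrt_Fn and Try are constructed for illustration, and `pragma Assertion_Policy (Check)` is the standard way to make Pre/Post aspects active at run time. Safe_Sqrt carries the predicate precondition (A'Valid and A >= 0.0) and no range test in its body; Checked_Sqrt has Pre => True and raises Constraint_Error itself. With checks enabled, a call that violates Safe_Sqrt's contract fails at the call site with Assertion_Error before the body runs, which is the validation boundary a reviewer would want visible in the specification rather than buried in the implementation.

```ada
pragma Assertion_Policy (Check);   --  make Pre/Post checks active at run time

with Ada.Text_IO;                         use Ada.Text_IO;
with Ada.Exceptions;                      use Ada.Exceptions;
with Ada.Assertions;                      use Ada.Assertions;
with Ada.Numerics.Elementary_Functions;   use Ada.Numerics.Elementary_Functions;

procedure Contract_Demo is

   --  Variant 1 (constructed): the precondition is a plain predicate.
   --  The body contains no test for A < 0.0; the caller owes the proof,
   --  and with assertions enabled the run time checks it at the call.
   function Safe_Sqrt (A : Float) return Float
     with Pre  => A'Valid and then A >= 0.0,
          Post => Safe_Sqrt'Result >= 0.0
                  and then abs (Safe_Sqrt'Result * Safe_Sqrt'Result - A)
                           <= 1.0E-5 * Float'Max (1.0, A);

   function Safe_Sqrt (A : Float) return Float is
   begin
      return Sqrt (A);
   end Safe_Sqrt;

   --  Variant 2 (constructed): the sqrt that raises. Its precondition is
   --  True; the range test lives in the body and raises Constraint_Error.
   --  Ada 2012 has no way to state the raise in Post, so only the result
   --  bound is stated there.
   function Checked_Sqrt (A : Float) return Float
     with Pre  => True,
          Post => Checked_Sqrt'Result >= 0.0;

   function Checked_Sqrt (A : Float) return Float is
   begin
      if not A'Valid or else A < 0.0 then
         raise Constraint_Error with "Checked_Sqrt: argument < 0.0";
      end if;
      return Sqrt (A);
   end Checked_Sqrt;

   type Sqrt_Fn is access function (A : Float) return Float;

   --  Call F on A and report either the result or the exception raised.
   procedure Try (Name : String; F : Sqrt_Fn; A : Float) is
   begin
      Put_Line (Name & Float'Image (A) & " = " & Float'Image (F (A)));
   exception
      when E : Assertion_Error | Constraint_Error =>
         Put_Line (Name & Float'Image (A) & " -> " & Exception_Name (E)
                   & ": " & Exception_Message (E));
   end Try;

begin
   Try ("Safe_Sqrt",    Safe_Sqrt'Access,     4.0);
   Try ("Safe_Sqrt",    Safe_Sqrt'Access,    -1.0);  --  Pre fails: Assertion_Error
   Try ("Checked_Sqrt", Checked_Sqrt'Access,  4.0);
   Try ("Checked_Sqrt", Checked_Sqrt'Access, -1.0);  --  body raises Constraint_Error
end Contract_Demo;
```

Build it with GNAT as `gnatmake contract_demo.adb` and run `./contract_demo`; the configuration pragma at the top makes the contract checks active without needing `-gnata`. Compiling with `pragma Assertion_Policy (Ignore)` instead removes the Safe_Sqrt check entirely, which is the point made in the thread about a proven A >= 0.0 letting the compiler drop the test, while Checked_Sqrt keeps its test under either policy.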