From: "Dmitry A. Kazakov"
Subject: Re: GNAT packages in Linux distributions
Newsgroups: comp.lang.ada
Reply-To: mailbox@dmitry-kazakov.de
Organization: cbb software GmbH
References: <87mxw9x7no.fsf@ludovic-brenta.org> <16bz9kvbqa8y9$.155ntpwpwl29d.dlg@40tude.net> <4be97bea$0$2966$ba4acef3@reader.news.orange.fr> <1p87qdlnjbufg.127laayhrw9x3$.dlg@40tude.net>
Date: Wed, 12 May 2010 19:48:28 +0200
Message-ID: <1aeof68v367bj$.1pps94zw5zmpd.dlg@40tude.net>

On Wed, 12 May 2010 20:10:26 +0200, stefan-lucks@see-the.signature wrote:

> On Wed, 12 May 2010, Dmitry A. Kazakov wrote:
>
>> Any program is partially correct, if otherwise has not been observed. I
>> fail to see how Eiffel is different from C or Assembler in that respect.
>
> In C, if I try to compute the factorial of a (natural) number, I'll always
> get an answer (assuming a decent program, which can be written by a
> first-year computer science student, and a normal C-compiler).
> may be right or wrong. If the input is too large, the answer actually is
> wrong (our first-year student stores the result in an int variable, and
> 100! is too large). But I still get an answer, even if it is wrong.
>
> In Eiffel, I'll either get an answer, or the program will tell that at
> some point of time when computing, say, the factorial of 100, a certain
> exception has been raised. (I didn't try out Eiffel, but that is what I
> would expect.) But if I get an answer, I can be sure it is the right one.
> That is partial correctness.

1. A wrong answer is no more/less incorrect than an exception. Otherwise you
have to introduce some scale of correctness, which is called accuracy. A
program can yield more or less accurate results while staying correct.

2. It is unrelated to error checks. The programmer did not use any. That
Eiffel possibly checks for integer overflow and C does not is irrelevant to
the issue.

>> The point is that run-time checks contribute nothing to correctness either
>> partial or not. Because a partially incorrect program remains partially
>> incorrect independently of whether you check that or not:
>
> Technically, any program of the form
>
>    {Any Precondition}
>       Statements;
>       if not Postcondition then
>          raise Program_Error;
>       end if;
>    {Postcondition}
>
> is partially correct, even if "Statements;" are semantic nonsense (as long
> as the whole thing compiles at all), regardless of "{Any Precondition}".

No. If Statements were irrelevant, you could take this:

   {Any Precondition}
      raise Program_Error;
   {Postcondition}

The problem is that Program_Error does not satisfy the postcondition.

> Perhaps you don't like raising an exception?

I don't like any action upon a failed check, if that was a check. To self
checks are clearly infeasible.

> OK, we can stick with the original approach from Hoare from 1969, who
> didn't know (or didn't care) about exceptions.

His approach, which I greatly appreciate, is perfectly compatible with
exceptions. Exception propagation is a part of the program behavior to be
checked as anything else. E.g.

   pre : x = 1
      if x = 1 then
         raise Foo;
      end if;
   post : Foo propagating

This program would be incorrect if it did not raise Foo.

> The following program is
> partially correct, regardless of the "Statements;" and "{Any
> Precondition}":
>
>    {Any Precondition}
>       Statements;
>       while not Postcondition loop
>          null;
>       end loop;
>    {Postcondition}

Hmm, I would consider it totally incorrect => not partially incorrect,
because in no state does it satisfy the postcondition.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de