From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Class wide preconditions: error in GNAT implementation?
Date: Mon, 18 Feb 2013 20:27:49 +0100
Date: 2013-02-18T20:27:49+01:00 [thread overview]
Message-ID: <1d2fr74npgdwt$.mcfs4zhtbvg6$.dlg@40tude.net> (raw)
In-Reply-To: lytxp9pkfu.fsf@pushface.org
On Mon, 18 Feb 2013 18:04:53 +0000, Simon Wright wrote:
> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>
>> On Mon, 18 Feb 2013 09:17:57 +0000, Simon Wright wrote:
>>
>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>>
>>>> But then the precondition of B'Class is *required* to be true for an
>>>> object which is in that class. The precondition of A'Class is weaker
>>>> and need not to be checked if one for B'Class is satisfied.
>>>
>>> This is the wrong way round. A subclass can only _weaken_ the
>>> precondition of the superclass. Anything else violates LSP.
>>
>> LSP is wrong in general.
>
> Is there a Kazakov Substitution Principle, then? (or someone else's ...)
You can find it all around Ada. E.g. constants, in-parameters, subtypes are
examples of subtypes violating LSP.
Ada's substitutability principle is that anything is substitutable that is
not rejected by the compiler. (:-))
Liskov's motivation was to coin subtyping in terms of substitutability.
This is impossible to do without limiting the context of substitution. A
type system cannot be based on LSP, unfortunately.
>> Anyway, trivially, consider the following types:
>>
>> type A is ...;
>> type B is new A with ...;
>>
>> The predicate P=x in A'Class is true for both A and B. The predicate
>> Q=y in B'Class is true B and false for A. hence Q=>P, Q is stronger.
>
> If you allow code like this, how can you draw any conclusions about the
> correctness of a call through a pointer to A'Class?
Do you believe in correctness proofs without looking into the bodies?
>> [Tag checks violate LSP]
>
> Don't understand.
Because these could be used to construct predicates which would depend on
the actual type. Absolute substitutability as required by "naive"
interpretations of LSP is based on types being absolutely indistinguishable
for the clients, which tags obviously defeat.
>>> This new feature introduces a whole new opportunity for error:
>>> getting the preconditions wrong.
>>
>> Yes, but the major crime here is mingling correctness with program
>> semantics. The thing meant to be executed in the prologue of an
>> operation has nothing to do with correctness, it is about operation
>> composition upon inheritance and/or about object construction.
>
> The intention is (AIUI) to be able to extract {pre,post}conditions from
> an Ada program and do static verification; how is what Ada2012 does
> (dynamically) incompatible with that?
Per observation that static /= dynamic.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2013-02-18 19:27 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-15 3:55 Class wide preconditions: error in GNAT implementation? ytomino
2013-02-15 10:15 ` Georg Bauhaus
2013-02-15 13:16 ` ytomino
2013-02-16 1:01 ` Randy Brukardt
2013-02-16 2:50 ` ytomino
2013-02-16 9:28 ` Dmitry A. Kazakov
2013-02-16 13:13 ` ytomino
2013-02-16 16:35 ` Dmitry A. Kazakov
2013-02-16 19:55 ` ytomino
2013-02-16 20:34 ` ytomino
2013-02-18 8:30 ` Dmitry A. Kazakov
2013-02-18 9:17 ` Simon Wright
2013-02-18 14:25 ` Dmitry A. Kazakov
2013-02-18 18:04 ` Simon Wright
2013-02-18 19:27 ` Dmitry A. Kazakov [this message]
2013-02-18 20:42 ` Simon Wright
2013-02-19 9:07 ` Dmitry A. Kazakov
2013-02-18 19:02 ` ytomino
2013-02-18 19:44 ` Dmitry A. Kazakov
2013-02-16 15:16 ` Georg Bauhaus
2013-02-16 20:23 ` Simon Wright
2013-02-17 15:12 ` ytomino
2013-02-18 17:49 ` Simon Wright
2013-02-18 18:45 ` ytomino
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox