From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: a07f3367d7,df055ffdd469757d X-Google-Attributes: gida07f3367d7,public,usenet X-Google-NewGroupId: yes X-Google-Language: ENGLISH,ASCII-7-bit X-Received: by 10.66.15.134 with SMTP id x6mr1175356pac.42.1361848981350; Mon, 25 Feb 2013 19:23:01 -0800 (PST) Path: ov8ni20804pbb.1!nntp.google.com!border1.nntp.dca.giganews.com!border1.nntp.ams.giganews.com!border4.nntp.ams.giganews.com!border2.nntp.ams.giganews.com!nntp.giganews.com!news.teledata-fn.de!weretis.net!feeder4.news.weretis.net!rt.uk.eu.org!aioe.org!.POSTED!not-for-mail From: "Dmitry A. Kazakov" Newsgroups: comp.lang.ada Subject: Re: Class wide preconditions: error in GNAT implementation? Date: Mon, 18 Feb 2013 20:27:49 +0100 Organization: cbb software GmbH Message-ID: <1d2fr74npgdwt$.mcfs4zhtbvg6$.dlg@40tude.net> References: <30edd381-7505-496a-99e5-f884faf33c33@googlegroups.com> <16s3mt7cm3n61$.8qu6fp1nglfq.dlg@40tude.net> <1a648dqoysnp4$.7l9zsp043d2e.dlg@40tude.net> <377a4b9b-eec8-4af9-af3f-fdeb008339e4@googlegroups.com> <1hjhzbhx5ryn7$.rst5open618c.dlg@40tude.net> <1r2tvdtl13at0.3nopie8tus4v.dlg@40tude.net> Reply-To: mailbox@dmitry-kazakov.de NNTP-Posting-Host: TNGw0NoNrWqwYmfxAaSXHQ.user.speranza.aioe.org Mime-Version: 1.0 X-Complaints-To: abuse@aioe.org User-Agent: 40tude_Dialog/2.0.15.1 X-Notice: Filtered by postfilter v. 0.8.2 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Date: 2013-02-18T20:27:49+01:00 List-Id: On Mon, 18 Feb 2013 18:04:53 +0000, Simon Wright wrote: > "Dmitry A. Kazakov" writes: > >> On Mon, 18 Feb 2013 09:17:57 +0000, Simon Wright wrote: >> >>> "Dmitry A. Kazakov" writes: >>> >>>> But then the precondition of B'Class is *required* to be true for an >>>> object which is in that class. The precondition of A'Class is weaker >>>> and need not to be checked if one for B'Class is satisfied. >>> >>> This is the wrong way round. A subclass can only _weaken_ the >>> precondition of the superclass. Anything else violates LSP. >> >> LSP is wrong in general. > > Is there a Kazakov Substitution Principle, then? (or someone else's ...) You can find it all around Ada. E.g. constants, in-parameters, subtypes are examples of subtypes violating LSP. Ada's substitutability principle is that anything is substitutable that is not rejected by the compiler. (:-)) Liskov's motivation was to coin subtyping in terms of substitutability. This is impossible to do without limiting the context of substitution. A type system cannot be based on LSP, unfortunately. >> Anyway, trivially, consider the following types: >> >> type A is ...; >> type B is new A with ...; >> >> The predicate P=x in A'Class is true for both A and B. The predicate >> Q=y in B'Class is true B and false for A. hence Q=>P, Q is stronger. > > If you allow code like this, how can you draw any conclusions about the > correctness of a call through a pointer to A'Class? Do you believe in correctness proofs without looking into the bodies? >> [Tag checks violate LSP] > > Don't understand. Because these could be used to construct predicates which would depend on the actual type. Absolute substitutability as required by "naive" interpretations of LSP is based on types being absolutely indistinguishable for the clients, which tags obviously defeat. >>> This new feature introduces a whole new opportunity for error: >>> getting the preconditions wrong. >> >> Yes, but the major crime here is mingling correctness with program >> semantics. The thing meant to be executed in the prologue of an >> operation has nothing to do with correctness, it is about operation >> composition upon inheritance and/or about object construction. > > The intention is (AIUI) to be able to extract {pre,post}conditions from > an Ada program and do static verification; how is what Ada2012 does > (dynamically) incompatible with that? Per observation that static /= dynamic. -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de