From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: about the new Ada 2012 pre/post conditions
Date: Mon, 25 Jun 2012 16:36:09 +0200
Date: 2012-06-25T16:36:09+02:00 [thread overview]
Message-ID: <1i1mp8xs3vtl2.1oc4m66qtfgzq.dlg@40tude.net> (raw)
In-Reply-To: Pine.LNX.4.64.1206251438390.12735@medsec1.medien.uni-weimar.de
On Mon, 25 Jun 2012 16:08:01 +0200, stefan-lucks@see-the.signature wrote:
> I am not sure if I can cool down this heated discussion, but I'll give it
> a try.
>
> On Mon, 25 Jun 2012, Dmitry A. Kazakov wrote:
>
>> On Mon, 25 Jun 2012 12:17:14 +0200, Georg Bauhaus wrote:
>>
>>> Indeed, it helps to remember that logicians and mathematicians
>>> have learned that logic and mathematics cannot justify themselves.
>>
>> No, they never ever did that. From very beginning mathematicians used
>> axiomatic approach instead. What they did, was constructing frameworks
>> within which one could not deduce both A and not A.
>
> A bit off topic -- but this is not quite true.
>
> Firstly, the axiomatic approach has become mathematical mainstream only
> since about the times of David Hilbert. The "very beginning" of
> Mathematics and Logic are quite a bit earlier. ;-)
Euclid
> Secondly, Hilbert's program was to construct frameworks being both
> complete (all correct conclusions should be deducible) and one should not
> be able to deduce both A and not A. Kurt Goedel eventually showed that
> this is *logically* impossible.
Hilbert's program by no means was intended to justify logic or mathematics
themselves. This is outright wrong.
>> Is SPARK nothing? Is strong typing nothing?
>>
>> But you seemingly did not read what I wrote earlier. There is either #1 or
>> #2.
>
> This the axiom that *you* choose to start with. Starting from there, your
> reasoning may be logically correct.
If Ada precondition is neither implementation (#1) nor
specification/contract (#2) then what is it? Since nobody ever came with
#3, I considered only #1 and #2.
> *Firstly*, you don't seem to separate between syntax and semantic.
I said nothing about the syntax. It could be better, but syntax is always
the most difficult part.
> *Secondly*, you seem to overlook that there are three semantical options,
> rather than the two you mention:
>
> 1 ignore the conditions
>
> 2 check them dynamically at run time
>
> 3 prove them statically at compile time
I didn't:
Assuming #1, only no.2 is possible. #1 <=> no.2
Assuming #2, you have only choice between no.1 and no.3. #2 <=> no.1 or
no.2.
One *cannot* mix no.1/3 with no.2, that is what upsets me.
> Even SPARK may soon support the Ada 2012 syntax for its annotations.
That is OK to me, however, considering syntax I wished a clearer separation
of pre-/post-conditions from other declarations. But since GPS rules, I
suppose it would not be much difficult to have a view cutting
pre-/post-conditions off and displaying them in a side-by-side window
scrolled upon mouse hovering etc.
> *Thirdly*, you seem to assume that a tool that can be used in a
> destructive way cannot also be used properly.
In this particular case (#2 + no.3) we wave a very strong evidence:
accessibility checks. It was a disaster.
> The support for the second option is such a tool. I agree with you, any
> program that claims some preconditions, postconditions and invariants
> should stop and must be fixed when any such check fails. Silently handling
> the exception and then continuing is
>
> - a logical contradiction in itself, and also
>
> - the result from some lousy programming practice.
>
> There is no justification for handling the exception instead of fixing the
> flaw!
>
> But the same tool can properly be used for debugging and testing -- if any
> assertion fails, and you detect this at run time, write all relevant
> details into a log file, stop the program, and fix the bug.
No objection whatsoever. I covered this case earlier. It is OK to check
dynamically under the condition that the checker is an *independent*
program. A debugger, checker, reasonably protected Ada run-time verifying
preconditions and *handling* failed checks is perfectly consistent and
advisable.
That clearly precludes no.2: handling is within the checker, checker is
outside the testee.
And, very importantly, we want to contract exceptions some day, don't we?
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2012-06-25 14:36 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 13:39 about the new Ada 2012 pre/post conditions Nasser M. Abbasi
2012-06-20 14:02 ` Georg Bauhaus
2012-06-20 14:13 ` Dmitry A. Kazakov
2012-06-20 14:24 ` Nasser M. Abbasi
2012-06-20 14:37 ` Dmitry A. Kazakov
2012-06-20 17:02 ` Georg Bauhaus
2012-06-20 18:28 ` Dmitry A. Kazakov
2012-06-21 20:32 ` Randy Brukardt
2012-06-22 7:23 ` Dmitry A. Kazakov
2012-06-22 11:54 ` Georg Bauhaus
2012-06-22 12:39 ` Georg Bauhaus
2012-06-22 12:43 ` Dmitry A. Kazakov
2012-06-22 14:30 ` Georg Bauhaus
2012-06-22 14:36 ` Georg Bauhaus
2012-06-22 15:05 ` Dmitry A. Kazakov
2012-06-22 15:52 ` Georg Bauhaus
2012-06-22 16:35 ` Dmitry A. Kazakov
2012-06-22 16:53 ` Georg Bauhaus
2012-06-22 16:45 ` Georg Bauhaus
2012-06-22 17:24 ` Dmitry A. Kazakov
2012-06-22 19:41 ` Randy Brukardt
2012-06-22 23:08 ` Dmitry A. Kazakov
2012-06-23 10:46 ` Georg Bauhaus
2012-06-23 11:01 ` Dmitry A. Kazakov
2012-06-23 17:46 ` AdaMagica
2012-06-23 19:23 ` Dmitry A. Kazakov
2012-06-24 14:59 ` Georg Bauhaus
2012-06-24 16:06 ` Dmitry A. Kazakov
2012-06-24 19:51 ` Georg Bauhaus
2012-06-25 7:48 ` Dmitry A. Kazakov
2012-06-25 10:10 ` Georg Bauhaus
2012-06-25 8:08 ` Dmitry A. Kazakov
2012-06-25 10:17 ` Georg Bauhaus
2012-06-25 11:54 ` Dmitry A. Kazakov
2012-06-25 12:39 ` Georg Bauhaus
2012-06-25 12:51 ` Georg Bauhaus
2012-06-25 13:19 ` Dmitry A. Kazakov
2012-06-25 16:43 ` Georg Bauhaus
2012-06-25 14:08 ` stefan-lucks
2012-06-25 14:36 ` Dmitry A. Kazakov [this message]
2012-06-25 14:37 ` Dmitry A. Kazakov
2012-06-25 16:26 ` stefan-lucks
2012-06-25 19:42 ` Dmitry A. Kazakov
2012-06-26 11:50 ` stefan-lucks
2012-06-26 13:07 ` Dmitry A. Kazakov
2012-06-26 13:49 ` Georg Bauhaus
2012-06-26 14:45 ` Dmitry A. Kazakov
2012-06-26 16:48 ` Georg Bauhaus
2012-06-26 19:43 ` Dmitry A. Kazakov
2012-06-27 8:23 ` Georg Bauhaus
2012-06-27 8:52 ` Dmitry A. Kazakov
2012-06-27 10:30 ` Georg Bauhaus
2012-06-27 12:19 ` Dmitry A. Kazakov
2012-06-27 13:41 ` Nasser M. Abbasi
2012-06-28 7:00 ` Georg Bauhaus
2012-06-27 15:08 ` Georg Bauhaus
2012-06-29 21:03 ` Shark8
2012-06-30 8:26 ` Dmitry A. Kazakov
2012-06-30 12:54 ` Niklas Holsti
2012-07-05 2:58 ` Shark8
2012-07-05 7:24 ` Dmitry A. Kazakov
2012-07-06 6:23 ` Shark8
2012-07-06 7:57 ` Dmitry A. Kazakov
2012-07-07 1:09 ` Randy Brukardt
2012-07-07 8:44 ` Dmitry A. Kazakov
2012-06-26 14:54 ` stefan-lucks
2012-06-26 15:14 ` Dmitry A. Kazakov
2012-07-03 5:28 ` Randy Brukardt
2012-07-03 12:53 ` Dmitry A. Kazakov
2012-07-03 13:48 ` Georg Bauhaus
2012-07-03 14:06 ` Dmitry A. Kazakov
2012-07-03 16:12 ` Georg Bauhaus
2012-07-03 16:45 ` Georg Bauhaus
2012-07-05 1:45 ` Randy Brukardt
2012-07-05 7:48 ` Dmitry A. Kazakov
2012-07-05 19:11 ` Adam Beneschan
2012-07-05 19:55 ` Dmitry A. Kazakov
2012-07-06 7:41 ` Georg Bauhaus
2012-07-06 7:47 ` Georg Bauhaus
2012-07-06 8:05 ` Dmitry A. Kazakov
2012-07-06 8:30 ` Georg Bauhaus
2012-07-06 9:01 ` Dmitry A. Kazakov
2012-07-06 11:33 ` Simon Wright
2012-07-06 13:25 ` Dmitry A. Kazakov
2012-07-06 12:07 ` Georg Bauhaus
2012-07-06 13:37 ` Dmitry A. Kazakov
2012-07-06 16:17 ` Georg Bauhaus
2012-07-06 16:34 ` Georg Bauhaus
2012-07-06 19:18 ` Dmitry A. Kazakov
2012-07-07 1:24 ` Randy Brukardt
2012-07-07 9:09 ` Dmitry A. Kazakov
2012-07-07 1:18 ` Randy Brukardt
2012-07-07 9:14 ` Dmitry A. Kazakov
2012-07-07 12:06 ` Georg Bauhaus
2012-07-07 12:54 ` Dmitry A. Kazakov
2012-07-07 13:31 ` Georg Bauhaus
2012-07-03 5:10 ` Randy Brukardt
2012-07-03 4:51 ` Randy Brukardt
2012-07-03 12:46 ` Dmitry A. Kazakov
2012-07-05 2:18 ` Randy Brukardt
2012-07-05 8:48 ` Dmitry A. Kazakov
2012-07-05 12:07 ` Georg Bauhaus
2012-07-05 12:13 ` Georg Bauhaus
2012-07-05 12:31 ` Dmitry A. Kazakov
2012-07-05 18:16 ` Georg Bauhaus
2012-07-05 19:57 ` Dmitry A. Kazakov
2012-07-06 6:53 ` Georg Bauhaus
2012-07-07 0:43 ` Randy Brukardt
2012-07-07 8:06 ` Dmitry A. Kazakov
2012-07-07 11:17 ` Georg Bauhaus
2012-07-07 11:31 ` Dmitry A. Kazakov
2012-07-07 12:21 ` Georg Bauhaus
2012-07-07 13:03 ` Dmitry A. Kazakov
2012-06-20 19:18 ` Anh Vo
2012-06-20 20:16 ` Jeffrey R. Carter
2012-06-20 20:21 ` Jeffrey R. Carter
2012-06-20 20:51 ` Maciej Sobczak
2012-06-20 21:04 ` Dmitry A. Kazakov
2012-06-20 22:19 ` Robert A Duff
2012-06-21 6:32 ` Georg Bauhaus
2012-06-21 20:37 ` Randy Brukardt
2012-06-21 20:55 ` Jeffrey Carter
2012-06-22 19:15 ` Randy Brukardt
2012-06-21 20:23 ` Randy Brukardt
2012-06-22 7:34 ` Martin
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox