From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Safety of unprotected concurrent operations on constant objects
Date: Fri, 9 May 2014 21:00:36 +0200
Date: 2014-05-09T21:00:36+02:00 [thread overview]
Message-ID: <1i6pyg077xlrv.vnwotzzgb0ut$.dlg@40tude.net> (raw)
In-Reply-To: zv4bv.5236$pa5.5140@fx23.iad
On Fri, 09 May 2014 07:14:09 -0600, Brad Moore wrote:
> On 08/05/2014 2:20 AM, Dmitry A. Kazakov wrote:
>> To me description that does not prescribe is a lie.
>
> It is true that the Task_Safe aspect would be prescribing some
> restrictions that are meant to enforce the intent as best as possible,
> but it also documents the intent of the programmer. So to be more
> precise, the Task_Safe mechanism doesn't prescribe a specific
> implementation for the programmer. It only prescribes that whatever
> implementation the programmer chooses, it should be task safe.
In other words is a comment. I prefer old -- -style comments.
>>> it seems
>>> like a large hole that there is no way to specify the task safety in the
>>> contract as well, so I am wondering about what can be done to improve
>>> that situation.
>>
>> From the program correctness POV, yes, it is fine to provide some axioms
>> for the prover which would use them.
>
> Not just for provers, but also for human readers of the source code. It
> conveys the intent of the programmer to the reader, which might be
> another programmer who wants to use that abstraction.
No. It is not the intent. Intent to me is about program semantics, the
meaning of the program, what the program is supposed to do. Safety or
unsafety is a usage constraint, how you should use the program in order to
retain its meaning. Safety is a constraint which, differently to
preconditions, interfaces, types of entities etc, has a nasty nature that
makes it impossible to spell in a language of Turing-complete power.
>> But this is not the case here. In fact, proving "safety" of an operation is
>> easier than proving safety of a combination of "safe" operations.
>>
>> And you are not going to prove it to hold, as a contract must do. Not even
>> to check it at run-time, to annoy the programmer, as Ada 2012 "contracts"
>> do.
>
> I think it could be a static check, done at compile time, so it'd be
> similar to a Static_Predicate check, which is another form of contract.
> And like a type invariant, which is another form of contract, it doesn't
> "prove" that the invariant can never be false, but it would do
> a reasonable amount of checking to catch hopefully most problems, and it
> captures the intent of the programmer.
No.
Ada 2012 "dynamic invariant" (which is not an invariant, but an arbitrary
expression) is *computable*.
Invariant proper is *provable*.
Task safety is neither computable nor provable. The only way of ensuring
task safety is per construction, when you would prove, usually using more
powerful apparatus than machine prover (i.e. with pen and paper) that given
method of construction yields safety under specified conditions.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2014-05-09 19:00 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 8:42 Safety of unprotected concurrent operations on constant objects Natasha Kerensikova
2014-05-03 13:43 ` sbelmont700
2014-05-03 20:54 ` Natasha Kerensikova
2014-05-03 21:40 ` Simon Wright
2014-05-04 0:28 ` Jeffrey Carter
2014-05-04 7:46 ` Natasha Kerensikova
2014-05-04 8:06 ` Dmitry A. Kazakov
2014-05-04 15:18 ` sbelmont700
2014-05-04 15:57 ` Natasha Kerensikova
2014-05-04 18:30 ` sbelmont700
2014-05-04 19:34 ` Dmitry A. Kazakov
2014-05-05 19:04 ` Brad Moore
2014-05-05 21:23 ` Brad Moore
2014-05-04 21:44 ` Shark8
2014-05-05 8:39 ` Simon Wright
2014-05-05 15:11 ` Brad Moore
2014-05-05 16:36 ` Dmitry A. Kazakov
2014-05-06 6:00 ` Brad Moore
2014-05-06 8:11 ` Dmitry A. Kazakov
2014-05-06 8:48 ` Alejandro R. Mosteo
2014-05-06 9:49 ` G.B.
2014-05-06 12:19 ` Dmitry A. Kazakov
2014-05-06 12:58 ` G.B.
2014-05-06 15:00 ` Dmitry A. Kazakov
2014-05-06 16:24 ` G.B.
2014-05-06 19:14 ` Dmitry A. Kazakov
2014-05-07 6:49 ` Georg Bauhaus
2014-05-07 7:40 ` Dmitry A. Kazakov
2014-05-07 11:25 ` G.B.
2014-05-07 12:14 ` Dmitry A. Kazakov
2014-05-07 13:45 ` G.B.
2014-05-07 14:08 ` Dmitry A. Kazakov
2014-05-07 17:45 ` Simon Wright
2014-05-07 18:28 ` Georg Bauhaus
2014-05-07 4:59 ` J-P. Rosen
2014-05-07 7:30 ` Dmitry A. Kazakov
2014-05-07 8:26 ` J-P. Rosen
2014-05-07 9:09 ` Dmitry A. Kazakov
2014-05-07 11:29 ` J-P. Rosen
2014-05-07 12:36 ` Safety of unprotected concurrent operations on constant objects (was: Safety of unprotected concurrent operations on constant objects) Dmitry A. Kazakov
2014-05-07 14:04 ` Safety of unprotected concurrent operations on constant objects G.B.
2014-05-08 4:12 ` Brad Moore
2014-05-08 8:20 ` Dmitry A. Kazakov
2014-05-08 10:30 ` G.B.
2014-05-09 13:14 ` Brad Moore
2014-05-09 19:00 ` Dmitry A. Kazakov [this message]
2014-05-10 12:30 ` Brad Moore
2014-05-10 20:27 ` Dmitry A. Kazakov
2014-05-11 6:56 ` Brad Moore
2014-05-11 18:01 ` Brad Moore
2014-05-12 8:13 ` Dmitry A. Kazakov
2014-05-13 4:50 ` Brad Moore
2014-05-13 8:56 ` Dmitry A. Kazakov
2014-05-13 15:01 ` Brad Moore
2014-05-13 15:38 ` Brad Moore
2014-05-13 16:46 ` Simon Wright
2014-05-13 19:15 ` Dmitry A. Kazakov
2014-05-13 16:08 ` Dmitry A. Kazakov
2014-05-13 20:27 ` Randy Brukardt
2014-05-14 4:30 ` Shark8
2014-05-14 21:37 ` Randy Brukardt
2014-05-14 21:56 ` Robert A Duff
2014-05-15 1:21 ` Shark8
2014-05-14 14:30 ` Brad Moore
2014-05-15 8:03 ` Dmitry A. Kazakov
2014-05-15 13:21 ` Robert A Duff
2014-05-15 14:27 ` Dmitry A. Kazakov
2014-05-15 15:53 ` Robert A Duff
2014-05-15 16:30 ` Dmitry A. Kazakov
2014-10-26 17:11 ` Jacob Sparre Andersen
2014-05-08 19:52 ` Randy Brukardt
2014-05-06 16:22 ` Robert A Duff
2014-05-06 19:07 ` Dmitry A. Kazakov
2014-05-08 5:03 ` Brad Moore
2014-05-08 12:03 ` Brad Moore
2014-05-08 19:57 ` Randy Brukardt
2014-05-09 2:58 ` Brad Moore
2014-05-05 20:29 ` Natasha Kerensikova
2014-05-08 3:41 ` Randy Brukardt
2014-05-08 9:07 ` Natasha Kerensikova
2014-05-08 19:35 ` Randy Brukardt
2014-05-08 3:12 ` Randy Brukardt
2014-05-05 22:30 ` Brad Moore
2014-05-04 16:04 ` Peter Chapin
2014-05-04 18:07 ` Natasha Kerensikova
2014-05-04 18:55 ` Jeffrey Carter
2014-05-04 19:36 ` Simon Wright
2014-05-04 20:29 ` Jeffrey Carter
2014-05-05 22:46 ` Brad Moore
2014-05-04 20:25 ` Shark8
2014-05-04 23:33 ` sbelmont700
2014-05-05 7:38 ` Dmitry A. Kazakov
2014-05-08 3:45 ` Randy Brukardt
2014-05-08 3:19 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox