From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: about the new Ada 2012 pre/post conditions
Date: Sat, 23 Jun 2012 01:08:09 +0200
Date: 2012-06-23T01:08:09+02:00 [thread overview]
Message-ID: <1oih2rok18dmt.avbwrres5k12.dlg@40tude.net> (raw)
In-Reply-To: js2hq5$9fj$1@munin.nbi.dk
On Fri, 22 Jun 2012 14:41:55 -0500, Randy Brukardt wrote:
> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message
> news:1jvy3elqtnd1j.1sjbk32evhp1f$.dlg@40tude.net...
>> On Thu, 21 Jun 2012 15:32:21 -0500, Randy Brukardt wrote:
>>
>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message
>>> news:npdjip6ohqlt$.1x6bxc9jsaago$.dlg@40tude.net...
>>> ...
>>>> This is what constitutes the core inconsistency about dynamic
>>>> pre-/post-conditions. If they #1 implement behavior (e.g the stack
>>>> contract
>>>> to raise something when full), then they cannot be suppressed and do not
>>>> describe the contract. If they do describe the contract #2, they may not
>>>> implement it and thus shall have no run-time effect.
>>>
>>> You're right, but I don't see any inconsistency. They are clearly #1, and
>>> that includes all of the existing Ada checks as well.
>>
>> If you take a stance on #1, then checking stack full is no more evaluation
>> of the precondition, which does not depend on the stack state anymore, as
>> it of course should be. So the "true" precondition is just: True.
>
> Huh? This makes no sense whatsoever.
>
> We can't require static detection of precondition failures any more than we
> can demand static detection of range violations.
You seem to imply that value in the range is a precondition of the
operation constrained to that range. This is wrong. If S is a subtype of T
then the precondition is
X in T
The postcondition is
(X in S and <something>) or (X not in S and Constraint_Error propagated)
> And Ada *always* has had dynamic preconditions:
>
> procedure New_Line (Spacing : in Positive_Count := 1);
The precondition here is Spacing in Positive_Count'Base because the
behavior of New_Line is *defined* when Spacing is not in
Positive_Count'Range.
New_Line(0)
is a *legal* Ada program.
>> And implementations leaking into declarations is certainly a very bad
>> idea.
>
> This is NOT implementation; it's part of the contract.
OK, you switched from #1 to #2.
>> Neither #1 nor #2 is defendable.
>
> Nothing you say on this topic makes any sense, at least from an Ada
> perspective. Here you are saying that Ada's entire design and reason for
> existing is "not defendable"
Why entire? Dynamic correctness checks are not defendable, as demonstrated
on numerous examples.
> (that's the separation of specification from implementation).
On the contrary, it is #1 which breaks that separation. #2 it is just flat
wrong.
> How your ideal language might work is irrelevevant in this forum.
It is not mine language. It is a methodology of defining and proving
program correctness as introduced by Dijkstra. It applies to all languages
without exemption.
> Please talk about Ada, not impossible theory.
The only impossible theory here is about meaning of dynamically checked
preconditions, e.g. #1 or #2? That is indeed impossible, because
inconsistent. Otherwise Dijkstra's approach works pretty well with any
language, e.g. SPARK does for Ada.
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2012-06-22 23:08 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 13:39 about the new Ada 2012 pre/post conditions Nasser M. Abbasi
2012-06-20 14:02 ` Georg Bauhaus
2012-06-20 14:13 ` Dmitry A. Kazakov
2012-06-20 14:24 ` Nasser M. Abbasi
2012-06-20 14:37 ` Dmitry A. Kazakov
2012-06-20 17:02 ` Georg Bauhaus
2012-06-20 18:28 ` Dmitry A. Kazakov
2012-06-21 20:32 ` Randy Brukardt
2012-06-22 7:23 ` Dmitry A. Kazakov
2012-06-22 11:54 ` Georg Bauhaus
2012-06-22 12:39 ` Georg Bauhaus
2012-06-22 12:43 ` Dmitry A. Kazakov
2012-06-22 14:30 ` Georg Bauhaus
2012-06-22 14:36 ` Georg Bauhaus
2012-06-22 15:05 ` Dmitry A. Kazakov
2012-06-22 15:52 ` Georg Bauhaus
2012-06-22 16:35 ` Dmitry A. Kazakov
2012-06-22 16:53 ` Georg Bauhaus
2012-06-22 16:45 ` Georg Bauhaus
2012-06-22 17:24 ` Dmitry A. Kazakov
2012-06-22 19:41 ` Randy Brukardt
2012-06-22 23:08 ` Dmitry A. Kazakov [this message]
2012-06-23 10:46 ` Georg Bauhaus
2012-06-23 11:01 ` Dmitry A. Kazakov
2012-06-23 17:46 ` AdaMagica
2012-06-23 19:23 ` Dmitry A. Kazakov
2012-06-24 14:59 ` Georg Bauhaus
2012-06-24 16:06 ` Dmitry A. Kazakov
2012-06-24 19:51 ` Georg Bauhaus
2012-06-25 7:48 ` Dmitry A. Kazakov
2012-06-25 10:10 ` Georg Bauhaus
2012-06-25 8:08 ` Dmitry A. Kazakov
2012-06-25 10:17 ` Georg Bauhaus
2012-06-25 11:54 ` Dmitry A. Kazakov
2012-06-25 12:39 ` Georg Bauhaus
2012-06-25 12:51 ` Georg Bauhaus
2012-06-25 13:19 ` Dmitry A. Kazakov
2012-06-25 16:43 ` Georg Bauhaus
2012-06-25 14:08 ` stefan-lucks
2012-06-25 14:36 ` Dmitry A. Kazakov
2012-06-25 14:37 ` Dmitry A. Kazakov
2012-06-25 16:26 ` stefan-lucks
2012-06-25 19:42 ` Dmitry A. Kazakov
2012-06-26 11:50 ` stefan-lucks
2012-06-26 13:07 ` Dmitry A. Kazakov
2012-06-26 13:49 ` Georg Bauhaus
2012-06-26 14:45 ` Dmitry A. Kazakov
2012-06-26 16:48 ` Georg Bauhaus
2012-06-26 19:43 ` Dmitry A. Kazakov
2012-06-27 8:23 ` Georg Bauhaus
2012-06-27 8:52 ` Dmitry A. Kazakov
2012-06-27 10:30 ` Georg Bauhaus
2012-06-27 12:19 ` Dmitry A. Kazakov
2012-06-27 13:41 ` Nasser M. Abbasi
2012-06-28 7:00 ` Georg Bauhaus
2012-06-27 15:08 ` Georg Bauhaus
2012-06-29 21:03 ` Shark8
2012-06-30 8:26 ` Dmitry A. Kazakov
2012-06-30 12:54 ` Niklas Holsti
2012-07-05 2:58 ` Shark8
2012-07-05 7:24 ` Dmitry A. Kazakov
2012-07-06 6:23 ` Shark8
2012-07-06 7:57 ` Dmitry A. Kazakov
2012-07-07 1:09 ` Randy Brukardt
2012-07-07 8:44 ` Dmitry A. Kazakov
2012-06-26 14:54 ` stefan-lucks
2012-06-26 15:14 ` Dmitry A. Kazakov
2012-07-03 5:28 ` Randy Brukardt
2012-07-03 12:53 ` Dmitry A. Kazakov
2012-07-03 13:48 ` Georg Bauhaus
2012-07-03 14:06 ` Dmitry A. Kazakov
2012-07-03 16:12 ` Georg Bauhaus
2012-07-03 16:45 ` Georg Bauhaus
2012-07-05 1:45 ` Randy Brukardt
2012-07-05 7:48 ` Dmitry A. Kazakov
2012-07-05 19:11 ` Adam Beneschan
2012-07-05 19:55 ` Dmitry A. Kazakov
2012-07-06 7:41 ` Georg Bauhaus
2012-07-06 7:47 ` Georg Bauhaus
2012-07-06 8:05 ` Dmitry A. Kazakov
2012-07-06 8:30 ` Georg Bauhaus
2012-07-06 9:01 ` Dmitry A. Kazakov
2012-07-06 11:33 ` Simon Wright
2012-07-06 13:25 ` Dmitry A. Kazakov
2012-07-06 12:07 ` Georg Bauhaus
2012-07-06 13:37 ` Dmitry A. Kazakov
2012-07-06 16:17 ` Georg Bauhaus
2012-07-06 16:34 ` Georg Bauhaus
2012-07-06 19:18 ` Dmitry A. Kazakov
2012-07-07 1:24 ` Randy Brukardt
2012-07-07 9:09 ` Dmitry A. Kazakov
2012-07-07 1:18 ` Randy Brukardt
2012-07-07 9:14 ` Dmitry A. Kazakov
2012-07-07 12:06 ` Georg Bauhaus
2012-07-07 12:54 ` Dmitry A. Kazakov
2012-07-07 13:31 ` Georg Bauhaus
2012-07-03 5:10 ` Randy Brukardt
2012-07-03 4:51 ` Randy Brukardt
2012-07-03 12:46 ` Dmitry A. Kazakov
2012-07-05 2:18 ` Randy Brukardt
2012-07-05 8:48 ` Dmitry A. Kazakov
2012-07-05 12:07 ` Georg Bauhaus
2012-07-05 12:13 ` Georg Bauhaus
2012-07-05 12:31 ` Dmitry A. Kazakov
2012-07-05 18:16 ` Georg Bauhaus
2012-07-05 19:57 ` Dmitry A. Kazakov
2012-07-06 6:53 ` Georg Bauhaus
2012-07-07 0:43 ` Randy Brukardt
2012-07-07 8:06 ` Dmitry A. Kazakov
2012-07-07 11:17 ` Georg Bauhaus
2012-07-07 11:31 ` Dmitry A. Kazakov
2012-07-07 12:21 ` Georg Bauhaus
2012-07-07 13:03 ` Dmitry A. Kazakov
2012-06-20 19:18 ` Anh Vo
2012-06-20 20:16 ` Jeffrey R. Carter
2012-06-20 20:21 ` Jeffrey R. Carter
2012-06-20 20:51 ` Maciej Sobczak
2012-06-20 21:04 ` Dmitry A. Kazakov
2012-06-20 22:19 ` Robert A Duff
2012-06-21 6:32 ` Georg Bauhaus
2012-06-21 20:37 ` Randy Brukardt
2012-06-21 20:55 ` Jeffrey Carter
2012-06-22 19:15 ` Randy Brukardt
2012-06-21 20:23 ` Randy Brukardt
2012-06-22 7:34 ` Martin
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox