From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.4 X-Google-Thread: a07f3367d7,14da4c08f1736a33 X-Google-Attributes: gida07f3367d7,public,usenet X-Google-NewGroupId: yes X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news1.google.com!news2.google.com!goblin1!goblin.stu.neva.ru!eternal-september.org!feeder.eternal-september.org!.POSTED!not-for-mail From: Alexander Senier Newsgroups: comp.lang.ada Subject: Re: Array initialization in SPARK Date: Thu, 28 Oct 2010 18:26:01 +0200 Organization: A noiseless patient Spider Message-ID: <20101028182601.058336d9@senier-offen> References: <03b3b80e-9313-45b8-939a-7dde7780288c@y23g2000yqd.googlegroups.com> <3c36d3ba-6748-4aa9-9304-a219b11415bb@30g2000yql.googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Injection-Info: mx03.eternal-september.org; posting-host="XCWK5aQJ+ZBh2gl6Xv47Zg"; logging-data="22114"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18YFA/E/Qt+SbE01DUVElHE" X-Newsreader: Claws Mail 3.7.6 (GTK+ 2.22.0; i486-pc-linux-gnu) Cancel-Lock: sha1:gfG+ApvQRPt1L0TBAIHrfTOyLsE= Xref: g2news1.google.com comp.lang.ada:14898 Date: 2010-10-28T18:26:01+02:00 List-Id: On Thu, 28 Oct 2010 08:23:19 -0700 (PDT) "Peter C. Chapin" wrote: > My understanding is that SPARK assumes there are no flow errors when > creating verification conditions. Thus, in general, if one accepts > certain flow errors would there be a danger that one might > subsequently prove a VC that is not really relevant to the program? In Section 7.1 (and particularly in 7.1.1 "Array initialization in a loop") of the SPARK Proof manual this issue is discussed. When generating RTCs the Examiner *assumes* that all elements of an array are defined and within their subtype ranges. The best way to ensure that indeed is making the Examiner to show the absence of data flow errors. If you must initialize arrays in a loop (as in your example), you have to accept the flow errors and review the code to initialize all array elements correctly. You definitely want to be very careful with those accept statements and really simplify your other initialization functions to make that as obvious as possible. It may be benificial to restrict the initialization to simple patterns that could be verified (semi-)automatically in the future. E.g. have a for loop over the complete array index and only use its loop variable to index into the array on the left-hand side of an assignment. If the array is not referenced on the right-hand side (or only indices smaller than the current value of the loop variable), all array elements should be valid after execution of that loop. But your problem may not fit into that pattern... Regards, Alex