From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,FORGED_GMAIL_RCVD, FREEMAIL_FROM autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: a07f3367d7,ec6f74e58e86b38b X-Google-Attributes: gida07f3367d7,public,usenet X-Google-NewGroupId: yes X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news2.google.com!postnews.google.com!a20g2000vbc.googlegroups.com!not-for-mail From: Mark Lorenzen Newsgroups: comp.lang.ada Subject: Re: Lost in translation (with SPARK user rules) Date: Thu, 27 May 2010 05:32:09 -0700 (PDT) Organization: http://groups.google.com Message-ID: <2f8fb594-6742-4025-af77-d1ef1caad29e@a20g2000vbc.googlegroups.com> References: <0466e131-cc80-4db4-b080-eec9aefcb1c7@z17g2000vbd.googlegroups.com> <4bfd2d05$0$27598$ba4acef3@reader.news.orange.fr> <1jo6gjejsy828$.e9dx6txqbazd$.dlg@40tude.net> <4bfd998c$0$2359$4d3efbfe@news.sover.net> NNTP-Posting-Host: 193.163.1.105 Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 X-Trace: posting.google.com 1274963529 14598 127.0.0.1 (27 May 2010 12:32:09 GMT) X-Complaints-To: groups-abuse@google.com NNTP-Posting-Date: Thu, 27 May 2010 12:32:09 +0000 (UTC) Complaints-To: groups-abuse@google.com Injection-Info: a20g2000vbc.googlegroups.com; posting-host=193.163.1.105; posting-account=Srm5lQoAAAAEMX9rv2ilEKR6FDPapmSq User-Agent: G2/1.0 X-HTTP-UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3,gzip(gfe) Xref: g2news2.google.com comp.lang.ada:12080 Date: 2010-05-27T05:32:09-07:00 List-Id: On 27 Maj, 00:01, "Peter C. Chapin" wrote: > > Next I was able to prove the code free of runtime errors. This worked out > quite easily in this case. After changing two declarations to use properly > constrainted subtypes (rather than just Natural as I had originally... my > bad), the SPARK simplifier was able to discharge 96% of the VCs "out of the > box." The remaining ones were not hard to fix. I felt lucky! > > Now I hope to encode some useful and interesting information about the > intended functionality of the subprograms in SPARK annotations (#pre, #post, > etc), and see if I can still get the proofs to go through. Somewhere around > now I will also start building my test program. One thing that I like about > SPARK is that you can do a lot of useful things with it without worrying > about stubbing out a zillion supporting packages for purposes of creating a > test program. I would like to suggest that you always use the mandatory annotations (of course) *and also* the #pre annotation. The use of preconditions can drastically improve the Simplifier's ability to discharge VCs. You already discovered that effect when you introduced constrained subtypes. Furthermore you don't have to think about ways to make your subprograms total by using "nil" values or error flags, which also relieves the calling subprogram from checking for such "nil" values and error flags. Then, if you are bold, you can start to think about writing postconditions. *However*, if the criticality of your program *requires* the use of postconditions, I suggest that you introduce them from the beginning on as their introduction they may require some reworking (often simplification) of your code. - Mark L