From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: 103376,585fd78267abd80c X-Google-Attributes: gid103376,domainid0,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news2.google.com!news1.google.com!border1.nntp.dca.giganews.com!nntp.giganews.com!newsfeed00.sul.t-online.de!t-online.de!newsfeed.freenet.de!news.osn.de!diablo2.news.osn.de!proxad.net!feeder2-2.proxad.net!newsfeed.arcor.de!newsspool3.arcor-online.net!news.arcor.de.POSTED!not-for-mail From: "Dmitry A. Kazakov" Subject: Re: On pragma Precondition etc. Newsgroups: comp.lang.ada User-Agent: 40tude_Dialog/2.0.15.1 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Reply-To: mailbox@dmitry-kazakov.de Organization: cbb software GmbH References: <4889886d$0$18827$9b4e6d93@newsspool2.arcor-online.net> <6etsi6F8mbmbU2@mid.individual.net> <488efc8d$1@news.post.ch> <488f26e8$0$20705$9b4e6d93@newsspool4.arcor-online.net> <1668bcqbkwlun$.mzzrx5m5ug2t$.dlg@40tude.net> <488f3d67$0$20703$9b4e6d93@newsspool4.arcor-online.net> <13nqxvysv2w75.bpxxsup39g9u$.dlg@40tude.net> <48902f08$0$1064$9b4e6d93@newsspool3.arcor-online.net> <1lt840f6z5lva.8rilgn0ds47u$.dlg@40tude.net> <4890a8a0$0$11740$9b4e6d93@newsspool1.arcor-online.net> <13z82kclqrff3$.6ih7736s42ql$.dlg@40tude.net> <48924584$0$11730$9b4e6d93@newsspool1.arcor-online.net> Date: Fri, 1 Aug 2008 10:40:59 +0200 Message-ID: <2iz8aa20wfxj$.107ew8pbgi6bt.dlg@40tude.net> NNTP-Posting-Date: 01 Aug 2008 10:40:59 CEST NNTP-Posting-Host: bd080d80.newsspool3.arcor-online.net X-Trace: DXC=[=?T;FB0DhbIkjb;<8iR=aMcF=Q^Z^V3h4Fo<]lROoRa4nDHegD_]Reo;AeMbPdSjn[6LHn;2LCVn7enW;^6ZC`dIXm65S@:3>o@An3OVdmV4c X-Complaints-To: usenet-abuse@arcor.de Xref: g2news2.google.com comp.lang.ada:7132 Date: 2008-08-01T10:40:59+02:00 List-Id: On Fri, 01 Aug 2008 01:06:42 +0200, Georg Bauhaus wrote: > Dmitry A. Kazakov wrote: > >> when you hang some contracted constraints on the >> parameters of a subprogram, you implicitly define a set of derived types >> constrained to that. > > I could define artificial types so that Boolean expressions > could become primitive Boolean functions of that artificial type. > But I don't. What's the big gain? To have it typed. When you just sow arbitrary conditions here and there, you cannot reuse or reason about them generally. It is uninteresting and there is pragma Assert for that. (possibility #1) >> [a liberal explanation of LSP skipped] >> >>> Seen in this light, range 1 ... 500 takes away values >>> from Integer'range. (Not surprisingly, since it is a constraint.) >>> >>> subtype My_Integer is Integer range 1 .. 500; >>> >>> overriding >>> procedure Bar(Item: My_Whatever; Num: My_Integer); >>> >>> With or without DbC, it seems reasonable to me to expect >>> that Bar fails when it gets an argument for Num outside >>> range 1 .. 500. Say it fails with a Constraint_Error. >> >> No, it fails at compile time, provided, 1 .. 500 goes into the contract, >> because the result is not LSP-conform. > > An Ada compiler will compile the code, > > function Foo(X: My_Integer); > pragma Precondition(X <= 500); > > Bound := 501; > ... > Foo(Bound); > > My compiler may warn that the program will raise a Constraint_Error, > but the code is legal. See, it is not a contract. If it were a contract you would not be able to pass Bound to Foo due to a contract violation. pragma Precondition did not change the contract of Foo. >> But the question was different. It was about composition of conditions in >> presence of tuples of parameters. You consider each parameter and its >> contracted constraints independently, this is wrong. > > In what frame of reference is it wrong to express a boolean relation > between parameters? What is the semantics of the relation? #1? > What is wrong with pragma Precondition? 1. Untyped, not reusable, cannot handle polymorphism, non-composable (and other more or less equivalent statements) 2. Changes the program semantics (in general case cannot be ignored, and undecidable if it could be) 3. Statically uncheckable >>> This exceptional behavior is already illustrating why the DbC >>> idea of having a 'Constraint on a type makes sense. It is >>> already working for subtypes now. >> >> Wrong. Ada constraints are not contracts. > > In the sense of Design by Contract Ada constraints add to a contract, > even though it is a trivial one like X in My_Integer'range. No, it adds nothing. When you create an Ada subtype the contract of the result is not changed. It is still "X in T, and Constraint_Error may be propagated." > (As I said, there might be variance problems because Ada subtypes are > superclasses considering only the set of values. Hmm, I don't know what you mean under "superclasse" in this context. >>> Many shrug when they >>> are more busy with the practical benefits of DbC. >> >> I don't buy it. Practice unsupported by a sound theory is shamanism. > > DbC is about programming, in addition to being about programs. > Is there a sound theory of programming? We do have some sound > theories concerned with aspects of programs. These aspects > can be extracted from just the program. Assertion checking > in the Design(!) by Contract sense never looses sight of the process > of programming. (Neither does the word "pragma" as in > pragma Precondition.) I don't get the point. Is it that assertions and preconditions are merely comments for a well-disposed reader? Under "sound theory" I understand at least a comprehensible definition of the semantics of conditions. Is pragma Precondition (X); intended to be an abbreviation for horribly long: if not X then raise Assert_Error; end if; That's one possible interpretation (#1). I don't think people would enjoy it much. But it is still better than vague references to "practical benefits." If you want to move beyond #1 you will face problems. > Could you point to your definition of "contract"? A restriction put on multiple parties (like callee/caller) identically true in a correct program. >> ------ >> BTW, we could drop the idea of making conditions []contracted[] > a statically verifiable property of some hypothetic type > system. Sure (I read "hypothetic" as "strongly typed") >> Instead of >> that, we would consider constraints in the sense of Ada subtypes. > > Yes? Yes. It would allow interesting so things. For example, one could define subtypes of odd numbers, integers without zero, dimensioned values, etc. >> In that case it would be []all[] dynamic, run-time, > as well as food for the compiler. Rather useless food. The compiler may not reject the program because constraints would not influence the program semantics. [Unless exceptions would become contracted.] >> [Contracted constraints are more like SPARK model] But in any case the >> problem would remain. We would have to introduce anonymous subtypes >> of tuples of [sub]types. > > Checking a condition means calling a well defined functions at > well defined times. (??) >> In both cases we need a [sub]type to associate the >> constraint with. > > Why? Because there is no other vehicle. Constraints are put on subtypes. If you want to put constraints on sets of, which is implied by mixing multiple parameters in one expression, then you need subtypes of tuples of types. Of course, if you don't consider it as #1 above. -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de