From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!mx02.eternal-september.org!feeder.eternal-september.org!aioe.org!.POSTED!not-for-mail From: "Dmitry A. Kazakov" Newsgroups: comp.lang.ada Subject: Re: function Is_Open (File : File_Type) return Boolean; :Text_io Date: Fri, 30 Oct 2015 09:39:27 +0100 Organization: cbb software GmbH Message-ID: <2qwfwnugm5q5.ajan0n5midql$.dlg@40tude.net> References: <87twpd2qlo.fsf@theworld.com> <1pj15r7pul7f1.15qgdyrc8k133$.dlg@40tude.net> <87pp0030c1.fsf@theworld.com> <135hiczk56x02.1xixcme8btbl4.dlg@40tude.net> <1dzlgoh4u2j7t$.1un3dfy0oeigd$.dlg@40tude.net> <190shqocxd87d$.1d68ghgqgbvfs$.dlg@40tude.net> <19ihs115mzocg$.20s63jo0q2gf.dlg@40tude.net> Reply-To: mailbox@dmitry-kazakov.de NNTP-Posting-Host: TWQ9mg4k1m/sph/eQ+zHLA.user.speranza.aioe.org Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Complaints-To: abuse@aioe.org User-Agent: 40tude_Dialog/2.0.15.1 X-Notice: Filtered by postfilter v. 0.8.2 Xref: news.eternal-september.org comp.lang.ada:28123 Date: 2015-10-30T09:39:27+01:00 List-Id: On Fri, 30 Oct 2015 02:06:43 +0100, Georg Bauhaus wrote: > On 29.10.15 15:00, Dmitry A. Kazakov wrote: > >> Contracts may have no effect on program execution. > > (Must have no effect?) > > Did I miss why? Because contracts describe programs. > I saw picking a universe that suffers from failure > to respond usefully to some runs of programs failing, even in some > expected way. Yes, and the salary is far too low, did I even mention weather? Horrible! > Naturally, contracts will have no effect at run-time when tools and > brains are capable of demonstrating that all assertions will always > be true. For me, this is just a dream. Only because you call contracts things which are not. Naming is no problem, which is that any usefulness of contracts is based on clear distinction to the program itself. Once you confuse them you have no contracts, just poorly designed implementations. Poorly because considering them non-behavior, you don't pay attention to what they cause (and they surely do) at run-time. It is just a lazy self-indulgent way of design, not much different from C's approach. >> Consider this: >> >> program describes execution >> contract describes program(s) >> documentation describes anything > > Yes, the definitions look like the rattling machinery of clean room > program analysis and fully informed decision making. > > HOMER: (stands up) "Boring!" Universe is an extremely boring place, if you look at it. > I think the third line (documentation describing *anything*) is troublesome, > in part because the generality might lead to a paradox, and because it > remains unclear to me if documentation describes program(s) or execution. It does not because documentation is informal. Things you can describe formal, you do. The rest goes into documentation. > Also how, if not using either the contract or the program. As an old saying say: if nothing else helps read the documentation. >>> Even so, I think that an implementation of Ada could "outsource" >>> assertion checking to some read-only copy of the program that >>> is running on a twin processor, suitably connected, so as to >>> reduce run-time effects of assertion checking. >> >> We discussed that earlier. You can have program A asserting program B. You >> never can do this in a single program. That is inconsistent. > > There is no program A, as A is a template. Instances (for runs) are > created when choosing an Assertion_Policy, or levels of optimization, > say. If levels of optimization may change formal semantics (11.6 IIUC), > then why is optimization o.K., but controlling assertion checking is not? > Just because of some thin, formal, logical concern that contracts pushing > us into the morass of recursion is as problematical as most programming? The concern is safe design. If B has bugs it cannot be relied on to determine if it has them. > Anyway, if a Rational R-1000 did perform checks on a coprocessor, Checks are not necessarily correctness checks. There is nothing incorrect in subscript error or zero divide without further assumptions about the problem space array or number is used to model. > perhaps we just need another word? So that we could say > "formal description of program(s)" "formal description of program" is the program itself. A programming language is a formal one. A sentence in this language is a description of a program (meaning: set of actions) to execute. > when we mean it and use "contract" > instead for what seems to be its "other" meaning? "contract" is a formal description of a *set* of programs or their parts. It specifies desired properties of shared by all these programs, the properties other programs can rely on. E.g. Dynamic Is_Open predicate is not a contract, because you cannot rely on it. It is just a part of the program itself, misplaced in the declarative region. -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de