From: Rod Chapman
Subject: Re: Renaming Fixed Point Mutiplicative operator in Ada 95
Date: 1998/05/22
Message-ID: <356536FD.87A2B0A@praxis-cs.co.uk>#1/1
References: <3561F32B.2F0B@innotts.co.uk> <01bd84c3$47215d60$440029a1@m00rq900>
Organization: Praxis plc, U.K.
Newsgroups: comp.lang.ada

Robert Dewar wrote:
> Incidentally, in a critical system, I would jolly well hope that EITHER
>
> a) you prove that division by zero cannot happen
>

We've done that (for all exceptions) for several non-trivial SPARK programs. It's actually a useful exercise too! Most programs we think are exception-free aren't when we attempt the proofs, and so in doing so we learn a lot about the program (and Ada semantics :-) ) in addition to improving the program itself.

Having done so, we can then _justifiably_ turn off run-time checks in the generated code, which gives me a nice warm feeling...

- Rod Chapman
Praxis Critical Systems