From: Stuart
Newsgroups: comp.lang.ada
Subject: Re: Issue with SPARK 2014
Date: Wed, 14 Oct 2015 13:04:50 -0700 (PDT)
Message-ID: <4187f92b-770a-4d76-85c0-14f2eba2dee8@googlegroups.com>

On Tuesday, 13 October 2015 18:37:08 UTC+1, Serge Robyns wrote:
> I'm trying to use SPARK on a little game, so far only one error remains and I've no clue on how to fix this. I've been trying various approaches.
> Here is the code snippet (hopefully complete enough). ...
> medium: loop invariant might fail after first iteration, requires Count1 <= Columns'pred - 1
> medium: loop invariant might fail after first iteration, requires Count2 < Number_Of_Columns

It has been a while (and a few versions of SPARK) since I played with this, but I think the problem is that your loop invariants are not strong enough - they don't carry enough information around the loop.

IIRC the loop invariant acts as a cut point, and it is only information in the invariant that is carried around the loop; earlier knowledge derived from the modelling of the code and the pre-conditions is lost (unless it is embedded in the loop invariant).

In your first case the only knowledge carried around the loop is that: Count1 was <= Integer (Columns'Pred (Column) - Columns'First) and you incremented it. Consequently, at the next iteration SPARK warns you that the Invariant might fail, because if it was equal to Integer (Columns'Pred (Column) - Columns'First) before, it will now (because of the increment) be greater!!

Unfortunately I do not have access to a copy of SPARK or the manuals here to help you resolve it (I expect an expert will be along in a while), but I would guess that you need to strengthen the invariant to an equality statement that remains true.
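
The cut-point behaviour described in the reply above, as an added SPARK 2014 example that is not part of the original post or of the poster's program (whose code is elided in the quote). The package `Cut_Point_Demo`, the function `Count_Before`, the 7-column range and the unconditional increment are all assumptions made for illustration.

```ada
--  Added illustration; Cut_Point_Demo, Count_Before and the 7-column
--  range are hypothetical, not taken from the original program.
package Cut_Point_Demo with SPARK_Mode is

   Number_Of_Columns : constant := 7;
   type Columns is range 1 .. Number_Of_Columns;

   --  Number of columns strictly before Column.
   function Count_Before (Column : Columns) return Natural
     with Post => Count_Before'Result = Integer (Column - Columns'First);

end Cut_Point_Demo;

package body Cut_Point_Demo with SPARK_Mode is

   function Count_Before (Column : Columns) return Natural is
      Count : Natural := 0;
   begin
      for C in Columns'First .. Columns'Pred (Column) loop
         --  Weak form, as quoted in the thread.  It bounds Count by a
         --  value that never changes, so knowing "Count <= Bound" before
         --  the increment says nothing about "Count <= Bound" after it:
         --
         --    pragma Loop_Invariant
         --      (Count <= Integer (Columns'Pred (Column) - Columns'First));

         --  Inductive form: ties Count to the loop index C.  It holds on
         --  entry (C = Columns'First, Count = 0) and is re-established on
         --  the next iteration because C and Count both advance by one.
         pragma Loop_Invariant (Count = Integer (C - Columns'First));

         Count := Count + 1;
      end loop;

      --  With a null range (Column = Columns'First) the loop body never
      --  runs and Count is still 0, which matches the postcondition.
      return Count;
   end Count_Before;

end Cut_Point_Demo;
```

The spec and body belong in separate files (`cut_point_demo.ads` and `cut_point_demo.adb`) before running the prover; swapping in the commented-out invariant shows the weak form side by side with the inductive one.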