From: "Stuart" <stuart@0.0>
Subject: Re: Code safety and information hiding
Date: Wed, 16 Aug 2006 12:18:07 +0100
Date: 2006-08-16T12:18:07+01:00 [thread overview]
Message-ID: <44e2fc24$1_1@glkas0286.greenlnk.net> (raw)
In-Reply-To: 1155718392.684202.17080@p79g2000cwp.googlegroups.com
To follow up on what Rod has said in reply to:
"Maciej Sobczak" <no.spam@no.spam.com> wrote in message
news:ebuj47$bal$1@sunnews.cern.ch...
<roderick.chapman@googlemail.com> wrote in message
news:1155718392.684202.17080@p79g2000cwp.googlegroups.com...
>> The issue with this example is the apparent strong coupling between the
>> specification of Rand (of the whole package, in fact) and the
>> implementation details that pop up in specs in terms of the Seed name
>> used in annotations.
>
> SPARK promotes the hiding of _detail_, but not the hiding of
> _information_.
>
> The package spec you cite _does_ need to announce the existance of
> "Seed" (but not its type, structure, or anything else). You are also
> correct to identify that choosing the name "Seed" is crucial, since
> changing it later can have a non-trivial impact on clients of this
> package.
An important point identified by the SPARK annotation is that you have
chosen to implement it as an Abstract State Machine (single instance shared
by all clients), rather than an Abstract Data Type that can have multiple
independent instances (with the Seed as a parameter).
As to the choice of name - I thought that SPARK's data refinement rules
allowed you to change the view (effectively including the names used)
between package specification and package body.
>> I don't find the above to be particularly disturbing, but I'm tempted to
>> conclude that in SPARK increased code safety has the price of reduced
>> information hiding, which itself was always considered to be a good
>> engineering practice.
Rod's distinction between detail and information is a good one. It should
also be remembered that the objective of SPARK is to allow you to reason
about what your program will do. Often, in less rigorous design processes,
you might assume that a subprogram you use has no unexpected consequences
(e.g. side-effects). SPARK is much more rigorous - it makes sure that
subprograms have no side-effects: the consequence is that _all_ effects of a
subprogram must be recorded (e.g. updating the Seed in the Random number
example).
Regards
--
Stuart Palin
next prev parent reply other threads:[~2006-08-16 11:18 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-16 7:56 [SPARK] Code safety and information hiding Maciej Sobczak
2006-08-16 8:53 ` roderick.chapman
2006-08-16 11:18 ` Stuart [this message]
2006-08-16 13:23 ` Maciej Sobczak
2006-08-16 19:49 ` [SPARK] " Jeffrey R. Carter
2006-08-17 7:01 ` Maciej Sobczak
2006-08-17 18:08 ` Jeffrey R. Carter
2006-08-17 20:00 ` Björn Persson
2006-08-18 1:22 ` Jeffrey R. Carter
2006-08-18 19:39 ` Björn Persson
2006-08-19 5:35 ` Jeffrey R. Carter
2006-08-19 12:47 ` Björn Persson
2006-08-20 3:58 ` Jeffrey R. Carter
2006-08-20 11:35 ` Björn Persson
2006-08-18 23:02 ` Robert A Duff
2006-08-19 5:40 ` Jeffrey R. Carter
2006-08-19 9:49 ` Stephen Leake
2006-08-20 3:52 ` Jeffrey R. Carter
2006-08-20 19:06 ` Stephen Leake
2006-08-21 1:07 ` Jeffrey R. Carter
2006-08-21 7:25 ` Maciej Sobczak
2006-08-21 19:31 ` Jeffrey R. Carter
2006-08-21 19:58 ` Dmitry A. Kazakov
2006-08-21 21:06 ` Björn Persson
2006-08-22 7:16 ` Maciej Sobczak
2006-08-22 9:45 ` Björn Persson
2006-08-22 12:42 ` Maciej Sobczak
2006-08-22 7:27 ` Dmitry A. Kazakov
2006-08-21 11:30 ` Colin Paul Gloster
2006-08-22 10:51 ` Stephen Leake
2006-08-23 9:44 ` Peter Amey
2006-08-23 22:37 ` Jeffrey R. Carter
2006-08-24 10:55 ` Peter Amey
2006-08-24 23:33 ` Jeffrey R. Carter
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox