From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: 103376,585fd78267abd80c X-Google-Attributes: gid103376,domainid0,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news2.google.com!news3.google.com!feeder.news-service.com!newsfeed0.kamp.net!newsfeed.kamp.net!newsfeed.freenet.de!npeer.de.kpn-eurorings.net!npeer-ng1.kpn.DE!newsfeed.arcor.de!newsspool3.arcor-online.net!news.arcor.de.POSTED!not-for-mail Date: Fri, 01 Aug 2008 01:06:42 +0200 From: Georg Bauhaus Reply-To: rm.tsoh+bauhaus@maps.futureapps.de User-Agent: Thunderbird 2.0.0.16 (Windows/20080708) MIME-Version: 1.0 Newsgroups: comp.lang.ada Subject: Re: On pragma Precondition etc. References: <4889886d$0$18827$9b4e6d93@newsspool2.arcor-online.net> <6etsi6F8mbmbU2@mid.individual.net> <488efc8d$1@news.post.ch> <488f26e8$0$20705$9b4e6d93@newsspool4.arcor-online.net> <1668bcqbkwlun$.mzzrx5m5ug2t$.dlg@40tude.net> <488f3d67$0$20703$9b4e6d93@newsspool4.arcor-online.net> <13nqxvysv2w75.bpxxsup39g9u$.dlg@40tude.net> <48902f08$0$1064$9b4e6d93@newsspool3.arcor-online.net> <1lt840f6z5lva.8rilgn0ds47u$.dlg@40tude.net> <4890a8a0$0$11740$9b4e6d93@newsspool1.arcor-online.net> <13z82kclqrff3$.6ih7736s42ql$.dlg@40tude.net> In-Reply-To: <13z82kclqrff3$.6ih7736s42ql$.dlg@40tude.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Message-ID: <48924584$0$11730$9b4e6d93@newsspool1.arcor-online.net> Organization: Arcor NNTP-Posting-Date: 01 Aug 2008 01:06:44 CEST NNTP-Posting-Host: 553bfd51.newsspool1.arcor-online.net X-Trace: DXC=\WQ4Fo<]lROoR14nDHegD_]R5B44W4_cL`G0A:ho7QcPOV3m>CHHjcW026W^d[Omg\]`: X-Complaints-To: usenet-abuse@arcor.de Xref: g2news2.google.com comp.lang.ada:7127 Date: 2008-08-01T01:06:44+02:00 List-Id: Dmitry A. Kazakov wrote: >> Any preconditions are those that you specify, of course. >> They don't magically start to exist[*], > > Of course they do. If there is no explicit precondition specified for an > argument X of the type T, it still exists, and is: > > X in T [and true] OK. They usually say "silly argument" in DbC discussions. > when you hang some contracted constraints on the > parameters of a subprogram, you implicitly define a set of derived types > constrained to that. I could define artificial types so that Boolean expressions could become primitive Boolean functions of that artificial type. But I don't. What's the big gain? > [a liberal explanation of LSP skipped] > >> Seen in this light, range 1 ... 500 takes away values >> from Integer'range. (Not surprisingly, since it is a constraint.) >> >> subtype My_Integer is Integer range 1 .. 500; >> >> overriding >> procedure Bar(Item: My_Whatever; Num: My_Integer); >> >> With or without DbC, it seems reasonable to me to expect >> that Bar fails when it gets an argument for Num outside >> range 1 .. 500. Say it fails with a Constraint_Error. > > No, it fails at compile time, provided, 1 .. 500 goes into the contract, > because the result is not LSP-conform. An Ada compiler will compile the code, function Foo(X: My_Integer); pragma Precondition(X <= 500); Bound := 501; ... Foo(Bound); My compiler may warn that the program will raise a Constraint_Error, but the code is legal. The Precondition isn't checked at runtime because the constraint violation happens earlier, as this is Ada. > But the question was different. It was about composition of conditions in > presence of tuples of parameters. You consider each parameter and its > contracted constraints independently, this is wrong. In what frame of reference is it wrong to express a boolean relation between parameters? What is wrong with pragma Precondition? >> This exceptional behavior is already illustrating why the DbC >> idea of having a 'Constraint on a type makes sense. It is >> already working for subtypes now. > > Wrong. Ada constraints are not contracts. In the sense of Design by Contract Ada constraints add to a contract, even though it is a trivial one like X in My_Integer'range. (As I said, there might be variance problems because Ada subtypes are superclasses considering only the set of values. Writing Ada, you are always free to design variance problems using 'Class parameters. I don't see a reason why Ada-DbC cannot enhance this situation.) >> Many shrug when they >> are more busy with the practical benefits of DbC. > > I don't buy it. Practice unsupported by a sound theory is shamanism. DbC is about programming, in addition to being about programs. Is there a sound theory of programming? We do have some sound theories concerned with aspects of programs. These aspects can be extracted from just the program. Assertion checking in the Design(!) by Contract sense never looses sight of the process of programming. (Neither does the word "pragma" as in pragma Precondition.) Could you point to your definition of "contract"? It seems to differ from what everyone around Design by Contract understands it to be (and understands pragma Precondition as it is now). > ------ > BTW, we could drop the idea of making conditions []contracted[] a statically verifiable property of some hypothetic type system. > Instead of > that, we would consider constraints in the sense of Ada subtypes. Yes? > In that case it would be []all[] dynamic, run-time, as well as food for the compiler. > [Contracted constraints are more like SPARK model] But in any case the > problem would remain. We would have to introduce anonymous subtypes > of tuples of [sub]types. Checking a condition means calling a well defined functions at well defined times. > In both cases we need a [sub]type to associate the > constraint with. Why?