From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,FORGED_GMAIL_RCVD,
	FREEMAIL_FROM autolearn=no autolearn_force=no version=3.4.4
X-Google-Thread: a07f3367d7,48e1a3c594fb62e8
X-Google-Attributes: gida07f3367d7,public,usenet
X-Google-NewGroupId: yes
X-Google-Language: ENGLISH,UTF8
Path: 
 g2news2.google.com!news1.google.com!border1.nntp.dca.giganews.com!nntp.giganews.com!novia!news-out.readnews.com!postnews3.readnews.com!not-for-mail
Message-Id: <4bf034bd$0$2417$4d3efbfe@news.sover.net>
From: "Peter C. Chapin" <pcc482719@gmail.com>
Subject: Re: SPARK
Newsgroups: comp.lang.ada
Date: Sun, 16 May 2010 14:13:27 -0400
References: <op.vcl6900wule2fv@garhos> <op.vcq9yrdhule2fv@garhos>
 <op.vcrd9tj5ule2fv@garhos> <op.vcrgrrqcule2fv@garhos>
 <op.vcrj9hbsule2fv@garhos>
User-Agent: KNode/0.10.9
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8Bit
Organization: SoVerNet (sover.net)
NNTP-Posting-Host: 1d5ced67.news.sover.net
X-Trace: 
 DXC=Lf4nYInebmQjd]HcGf^j7[K6_LM2JZB_Sco^i^To2iaS:WUUlR<856_SiTSo2GXi3RlJeIJS51XF]
X-Complaints-To: abuse@sover.net
Xref: g2news2.google.com comp.lang.ada:11661
Date: 2010-05-16T14:13:27-04:00
List-Id: <comp.lang.ada>

Yannick Duchêne (Hibou57) wrote:

> Is that this “cut point” which makes Simplifier to forget about previous  
> hypotheses when “assert” is used ? (if that's really similar to Prolog's  
> cut, then indeed, it likely to make the prover loose memory)
> 
> About one of the most worthy thing with proving : what's the better way to  
> give hints to the prover ? Is it “assert” or “check” ? This example  
> suggest the best way is “check”. Is this example representative of most  
> cases or a just a special case ?

My understanding is that assert prevents the simplifier from using previous
material as hypotheses in following verification conditions---as you noticed
in your experiments. John Barnes talks about this in his book a little.
Mostly I think assert is intended for use in loops. Without it, SPARK needs
to consider each loop iteration as a spearate path which is clearly a problem
(since loops iterate a dynamic number of times). The assert "cuts" the loop
and reduces the problem to just

1. The path into the loop for the first time to the assert.
2. The path around the loop from assert to assert.
3. The path from the assert to whatever follows the loop.

It is necessary, I think, for SPARK to forget about previous "stuff" when
handling the assert since otherwise it would have to consider all the
previous loop iterations.

The check annotation asks SPARK to prove the check and then it can *add* that
information to the hypotheses of the following verification conditions rather
than start from scratch.

So to summarize perhaps a good rule might be to use assert to express loop
invariants and check for everything else. I welcome other comments on this.
I'm learning as well.

Peter