From: Georg Bauhaus <rm.dash-bauhaus@futureapps.de>
Subject: Re: Generic-Package Elaboration Question / Possible GNAT Bug.
Date: Thu, 24 Nov 2011 11:49:30 +0100
Date: 2011-11-24T11:49:30+01:00 [thread overview]
Message-ID: <4ece213a$0$6629$9b4e6d93@newsspool2.arcor-online.net> (raw)
In-Reply-To: <chddc4qlhlcy.1qfrvu7yd7hoa.dlg@40tude.net>
On 24.11.11 10:27, Dmitry A. Kazakov wrote:
> On Thu, 24 Nov 2011 08:07:45 +0000, Simon Wright wrote:
>
>> To take Georg's example of the stack, I don't see how you're going to
>> express the fact that its capacity is bounded other than by comments
>> about constraint errors or by preconditions.
>
> The point is that when this behavior can be expressed
I hate to go on when we have a summary by Stefan Lucks but two
more issues:
Maybe there isn't that much of a disagreement, if we can fake
the choice by replacing it with a choice of style; notably,
a project may require that
pre => True
post => May_Raise
be the only conditionals allowed. Then, programmers of clients
should be ready to handle failures. This choice still doesn't
restrict Ada contracts to get all the flexibility of statically
checked expressions, but is closer to exceptions only, I'd think.
The notions are not ones of behavior, just like debugging
statements, but rather more simple, and specifically intended
to be only guiding the creation of behavioral aspects of the
program proper: Like in the example given in [1], programmers
are supposed to write bodies so that the conditionals given
in pre/post/inv are meaningful. This is their contractual obligation.
A precondition of the form T'Valid (Some_Input) is inappropriate
if the body doesn't actually implement its meaning, since
assertions do *not* count as program behavior. Note that I am
saying "they do not count", and not saying "they do not result
in behavior": it does not matter that in some circumstances
they are supposed to result in behavior, for example, during
testing.
The capacity of a stack can be a trivial Type_Invariant if the
size is a type constraint. There will be less silly scenarios
than these, but nevertheless:
procedure Stacking (N: Positive) is
type T is (One, Two, Three);
package Local_Stacks is
type Stack (Capacity : Natural) is tagged private
with Type_Invariant => (Stack.Capacity = N
and True); -- etc.
private
...
end Local_Stacks;
package body Local_Stacks is separate;
S1 : Local_Stacks.Stack (N); -- o.K.
S2 : Local_Stacks.Stack (42);
-- raises when 42 /= N and pramga Assertion_Policy (Check);
begin
null;
end Stacking;
> A dynamic precondition does not express anything,
Well, frankly, any expression demonstrably expresses something,
because an Ada compiler can and will assign meaning to all
constituent parts of the expression. The expression does not
necessarily have a Boolean value at compile time, but it
certainly isn't void of meaning. As per intent.
Programmers also assign meaning to expressions in assertions
of the contract.
> SPARK does it right, Eiffel and now Ada do it wrong.
>
> If correctness cannot be proved
> statically, then the requirement expressed by the precondition must be
> considered as not satisfied.
We may state our assumptions and have them checked, or we may
state our assumptions and perform the checks ourselves, before
runtime, statically.
Like when showing that for a stack object, the sequence
(not Is_Full, Push, Pop) is a safe sequence, ceteris paribus.
That is, safe in terms of the contract, ignoring hardware failures,
ignoring a breach of contract in the stack's bodies. Since,
normally, any of these can be true, one may prepare for failure.
But! There is no need for the sequence of calls to be changed
in order to handle failures! Is is a correct sequence.
This style just seems more expressive than "raise Constraint_Error"
without indication of possible causes, when some are in fact known,
and expressed as assertions, before compile time! I am not so sure that
programmers are fooling themselves into thinking that adding
descriptive assertions somehow makes a program automatically correct.
It only helps with this effort.
__
[1] http://www2.adacore.com/wp-content/uploads/2006/03/Ada2012_Rational_Introducion.pdf
Page 2, on the right.
next prev parent reply other threads:[~2011-11-24 10:49 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-19 21:14 Generic-Package Elaboration Question / Possible GNAT Bug Shark8
2011-11-19 22:12 ` Robert A Duff
2011-11-19 23:36 ` Shark8
2011-11-20 9:55 ` Dmitry A. Kazakov
2011-11-21 7:25 ` AdaMagica
2011-11-21 8:43 ` Dmitry A. Kazakov
2011-11-21 10:25 ` AdaMagica
2011-11-21 13:08 ` Robert A Duff
2011-11-21 13:50 ` Dmitry A. Kazakov
2011-11-21 19:41 ` Robert A Duff
2011-11-22 8:21 ` Dmitry A. Kazakov
2011-11-21 20:40 ` J-P. Rosen
2011-11-22 8:29 ` Dmitry A. Kazakov
2011-11-22 10:25 ` Georg Bauhaus
2011-11-22 14:32 ` Dmitry A. Kazakov
2011-11-22 15:02 ` Georg Bauhaus
2011-11-22 16:23 ` Dmitry A. Kazakov
2011-11-22 17:46 ` Georg Bauhaus
2011-11-22 19:15 ` Dmitry A. Kazakov
2011-11-22 21:03 ` Randy Brukardt
2011-11-22 21:26 ` Dmitry A. Kazakov
2011-11-23 0:07 ` Georg Bauhaus
2011-11-23 8:44 ` Dmitry A. Kazakov
2011-11-23 9:32 ` Simon Wright
2011-11-23 9:56 ` Dmitry A. Kazakov
2011-11-23 11:03 ` Georg Bauhaus
2011-11-23 11:13 ` Dmitry A. Kazakov
2011-11-23 11:25 ` Georg Bauhaus
2011-11-23 13:14 ` Dmitry A. Kazakov
2011-11-23 13:59 ` Georg Bauhaus
2011-11-23 14:43 ` Dmitry A. Kazakov
2011-11-23 16:10 ` Georg Bauhaus
2011-11-23 19:51 ` Dmitry A. Kazakov
2011-11-24 0:59 ` Georg Bauhaus
2011-11-24 9:14 ` Dmitry A. Kazakov
2011-11-23 15:12 ` Simon Wright
2011-11-23 19:53 ` Dmitry A. Kazakov
2011-11-24 8:07 ` Simon Wright
2011-11-24 9:27 ` Dmitry A. Kazakov
2011-11-24 10:49 ` Georg Bauhaus [this message]
2011-11-24 13:14 ` Dmitry A. Kazakov
2011-11-24 14:31 ` Georg Bauhaus
2011-11-24 16:32 ` Dmitry A. Kazakov
2011-11-24 11:15 ` Brian Drummond
2011-11-24 18:12 ` Simon Wright
2011-11-24 23:52 ` Brian Drummond
2011-11-23 10:35 ` Brian Drummond
2011-11-23 9:54 ` Georg Bauhaus
2011-11-23 10:30 ` Dmitry A. Kazakov
2011-11-23 4:08 ` Yannick Duchêne (Hibou57)
2011-11-23 4:11 ` Yannick Duchêne (Hibou57)
2011-11-22 23:52 ` Georg Bauhaus
2011-11-23 9:04 ` Dmitry A. Kazakov
2011-11-23 11:15 ` Georg Bauhaus
2011-11-23 13:30 ` Dmitry A. Kazakov
2011-11-23 14:42 ` Georg Bauhaus
2011-11-23 19:48 ` Dmitry A. Kazakov
2011-11-24 1:36 ` Georg Bauhaus
2011-11-24 10:52 ` Dmitry A. Kazakov
2011-11-24 11:30 ` Georg Bauhaus
2011-11-24 12:52 ` Dmitry A. Kazakov
2011-11-24 14:45 ` Georg Bauhaus
2011-11-25 9:54 ` Dmitry A. Kazakov
2011-11-24 7:46 ` stefan-lucks
2011-11-24 3:07 ` Shark8
2011-11-24 6:07 ` Yannick Duchêne (Hibou57)
2011-11-24 10:10 ` Dmitry A. Kazakov
2011-11-24 11:15 ` Georg Bauhaus
2011-11-24 22:48 ` Shark8
2011-11-25 9:25 ` Yannick Duchêne (Hibou57)
2011-11-26 21:59 ` Shark8
2011-11-25 9:47 ` Dmitry A. Kazakov
2011-11-25 10:15 ` Georg Bauhaus
2011-11-25 10:51 ` Yannick Duchêne (Hibou57)
2011-11-25 15:45 ` Georg Bauhaus
2011-11-25 16:05 ` Yannick Duchêne (Hibou57)
2011-11-25 16:19 ` Yannick Duchêne (Hibou57)
2011-11-23 3:49 ` Yannick Duchêne (Hibou57)
2011-11-23 8:50 ` Georg Bauhaus
2011-11-23 9:45 ` Yannick Duchêne (Hibou57)
2011-11-23 10:55 ` Georg Bauhaus
2011-11-23 3:20 ` Yannick Duchêne (Hibou57)
2011-11-23 15:05 ` Robert A Duff
2011-11-21 17:00 ` Adam Beneschan
2011-11-23 3:13 ` Yannick Duchêne (Hibou57)
2011-11-24 3:47 ` Shark8
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox