From: Georg Bauhaus
Date: Wed, 27 Jun 2012 17:08:57 +0200
Newsgroups: comp.lang.ada
Subject: Re: about the new Ada 2012 pre/post conditions
In-Reply-To: <2klq69d4qqsp$.veefi8i6jnwa.dlg@40tude.net>
Message-ID: <4feb220a$0$6580$9b4e6d93@newsspool3.arcor-online.net>

On 27.06.12 14:19, Dmitry A. Kazakov wrote:

>> A and B can be shown to both be implementations of the behavior
>> that some contract stipulates.
>
> This is wrong on multiple accounts:
>
> 1. It cannot be shown:
>
>    if Pre (HALT (p)) then ... else ... end if;

For run-time parameters P1 and P2, and for static or dynamic K:

   if P1 + P2 < K then ... else ... end if;

The client programmer sees Pre (P1 + P2 < K) in a spec. She or he will
make sure that all values passed as parameters will satisfy P1 + P2 < K,
QED.

If one programmer can write Pre (HALT (p)), then no programmer should be
able to read or write Pre (P1 + P2 < K)? This seems overly restrictive
because it prevents *working* towards a man-made proof.

> 2. For any program there exists an infinite set of contracts satisfied
> by;

For any Ada 2012 program there exists just one relevant contract, which
is the contract explicitly stated using Ada with Pre/Post/Inv. Any
program satisfying this contract is fine.

> 3. It is irrelevant to whether both pieces are equivalent.

Equivalence of programs in terms of a given contract can be the goal.
I have given an example of a stack that shows essentially the same
behavior with checks on or off. That is,

   if Pre (...) then Stmnts; else raise ...

vs

   Stmnts;

The difference was in the quality of the error reports. The "essential
sameness" was that the same stack operations would result in the same
stacks. From a business point of view, the programs fulfill the
necessary conditions of equivalence.

> I don't know what "essentially same effect" is, but whatever formal
> definition of essential you took you would have to prove that two programs
> are equivalent according to the definition. That will require proving that
> the exception is not propagated or else handled to an "essentially" same
> result. Good luck with that.

Wow, finally. ;-)

With the addition of having the exception stop the program according to
Assertion_Policy, this is DbC, a human activity that includes a proof
obligation.
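The stack example Georg refers to, written out as an added illustration that is not code from the thread (the unit, type and procedure names are this example's own): Push carries a Pre aspect, and the program is built under Assertion_Policy (Check), so a call on a full stack is rejected with Assertion_Error before the body runs; switching the pragma to Ignore leaves only the body's own range check, and the same bad call fails with Constraint_Error instead. In both configurations the resulting stack is identical; only the quality of the error report differs, which is the "essential sameness" the post describes. Compiles with GNAT (for example gnatmake stack_demo.adb).

```ada
--  Added example, not from the thread: bounded stack with a Pre on Push.
pragma Assertion_Policy (Check);   --  change to Ignore to drop the Pre check

with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Stack_Demo is

   Capacity : constant := 3;
   type Index is range 0 .. Capacity;
   type Items is array (Index range 1 .. Capacity) of Integer;

   type Stack is record
      Data : Items;
      Top  : Index := 0;
   end record;

   function Is_Full (S : Stack) return Boolean is (S.Top = Capacity);

   --  The contract clients see in the spec: never push onto a full stack.
   procedure Push (S : in out Stack; X : Integer)
     with Pre  => not Is_Full (S),
          Post => S.Top = S.Top'Old + 1 and then S.Data (S.Top) = X;

   procedure Push (S : in out Stack; X : Integer) is
   begin
      --  Under Ignore only this range check guards the array: Top = 4 is
      --  outside Index, so the same bad call raises Constraint_Error.
      S.Top := S.Top + 1;
      S.Data (S.Top) := X;
   end Push;

   S : Stack;
begin
   for I in 1 .. Capacity loop
      Push (S, I);                 --  all three calls satisfy the Pre
   end loop;
   Put_Line ("Top after 3 pushes:" & Index'Image (S.Top));

   begin
      Push (S, 99);                --  violates Pre: the stack is full
   exception
      when E : others =>
         --  Check: ADA.ASSERTIONS.ASSERTION_ERROR; Ignore: CONSTRAINT_ERROR.
         --  The stack itself is identical in both cases: Top is still 3.
         Put_Line ("Rejected: " & Exception_Name (E) &
                   ", Top =" & Index'Image (S.Top));
   end;
end Stack_Demo;
```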