From mboxrd@z Thu Jan 1 00:00:00 1970
From: Phil Thornley
Newsgroups: comp.lang.ada
Subject: Re: SPARK: What does it prove?
Date: Mon, 31 May 2010 06:05:04 -0700 (PDT)
Organization: http://groups.google.com
Message-ID: <51c53914-e2f1-406c-8fc2-d0ebf46ec728@a20g2000vbc.googlegroups.com>
References: <4bffc379$0$2374$4d3efbfe@news.sover.net>

On 31 May, 02:17, Yannick Duchêne (Hibou57) wrote:
[...]
> Another thing also: sometimes it is better to make a proof on an abstract
> algorithm which is not efficient, and it is too difficult to do the same
> proof (prove postconditions from preconditions and the algorithm) with the
> efficient version. However, it would be easier to demonstrate that the
> efficient algorithm is an equivalent transformation of the more abstract,
> non-efficient one.
>
> I mean, prove something on function F, demonstrate that function G is
> equivalent to function F, so as to legally assert that the postconditions of F
> are also proved on G, because they were on F and G is equivalent to F.
>
> This is another kind of thing SPARK cannot express or talk about.

How about using proof abstraction?

Put one set of post-conditions (for the inefficient version) on the spec and the other set (for the efficient version) on the body. Then the post-conditions on the body are proved from the code and the post-conditions on the spec are proved by a user rule that is justified by the 'offline' proof of equivalence of the two algorithms.

*** BUT *** the current GPL version (8.1.1) sometimes gets that post-condition refinement VC wrong. This only seems to happen when there is a refined pre- and post-condition on the body but no refined state data, e.g. for private types, which is where I came across the problem. (Notified to report@gnat.com on 9th February.)

Cheers,

Phil
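An illustration of the proof-abstraction pattern Phil describes, added here and not part of the thread: the spec carries the abstract (recursive) contract, the body of a package with a private type carries the refined closed-form contract, and a user rule bridges the two. It is written in SPARK 2005 (GPL-era) annotation style with constructed names (Triangular, Sum_To, Bound); the exact rule-file syntax is as I recall it and should be treated as an assumption.

```ada
-- triangular.ads : abstract contract, stated through proof functions only.
package Triangular
is
   subtype Count is Natural range 0 .. 1000;   -- keeps N*(N+1)/2 inside Integer
   type Series is private;

   --# function Sum_To (N : Count) return Natural;   -- abstract recursive sum 0+1+..+N
   --# function Bound (S : Series) return Count;     -- proof view of the private part

   procedure Init (S : out Series; N : in Count);
   --# derives S from N;
   --# post Bound (S) = N;

   procedure Total (S : in Series; T : out Natural);
   --# derives T from S;
   --# post T = Sum_To (Bound (S));                  -- "inefficient" spec post-condition
private
   type Series is record
      N : Count;
   end record;
end Triangular;

-- triangular.adb : refined contract on the body, proved directly from the code.
package body Triangular
is
   procedure Init (S : out Series; N : in Count)
   --# derives S from N;
   --# post S.N = N;                                 -- refined: full view of Series
   is
   begin
      S := Series'(N => N);
   end Init;

   procedure Total (S : in Series; T : out Natural)
   --# derives T from S;
   --# post T = S.N * (S.N + 1) / 2;                 -- refined: efficient closed form
   is
   begin
      T := (S.N * (S.N + 1)) / 2;
   end Total;
end Triangular;

-- triangular.rlu : user rules discharging the refinement VCs (body post => spec post).
-- Rule 2 is the 'offline' equivalence proof (induction on N); uppercase names are
-- pattern variables and fld_n is the FDL selector for record component N.
-- triangular_rules(1): bound(S) may_be_replaced_by fld_n(S) .
-- triangular_rules(2): sum_to(N) may_be_replaced_by N * (N + 1) div 2 .
```

The Examiner produces the refinement VC that Phil reports being generated wrongly in 8.1.1 precisely at the Total body, where the body post-condition mentions S.N while the spec post-condition only mentions Bound (S).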