From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 Path: border1.nntp.ams3.giganews.com!border1.nntp.ams2.giganews.com!border3.nntp.ams.giganews.com!border1.nntp.ams.giganews.com!nntp.giganews.com!proxad.net!feeder2-2.proxad.net!newsfeed.arcor.de!newsspool3.arcor-online.net!news.arcor.de.POSTED!not-for-mail Date: Thu, 11 Jul 2013 11:35:24 +0200 From: "G.B." User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 Newsgroups: comp.lang.ada Subject: On contracts and implementations Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Message-ID: <51de7c5d$0$6566$9b4e6d93@newsspool3.arcor-online.net> Organization: Arcor NNTP-Posting-Date: 11 Jul 2013 11:35:25 CEST NNTP-Posting-Host: 301e8f40.newsspool3.arcor-online.net X-Trace: DXC=^TcSdKgfKDLX36K@\WTHGJMcF=Q^Z^V3H4Fo<]lROoRA8kFJLh>_cHTX3jMnFU; eegDcIE X-Complaints-To: usenet-abuse@arcor.de X-Original-Bytes: 2466 Xref: number.nntp.dca.giganews.com comp.lang.ada:182459 Date: 2013-07-11T11:35:25+02:00 List-Id: There is a claim that contracts of Ada 2012 are part of the implementation. They are not. Assuming that they are part of the implementation is a misconception about designing with contracts. The contract idea is, rather, to make engineers not program defensively, but to agree on a contract that states what is true. The word "Contract" as we know it: to call the post-hoc conditions of a program's state a "contract" would be a misnomer. Technically, contracts can be evaluated on separate hardware #2, controlling hardware #1. The following program is an example. "Subtract a non-negative number from a non-negative number" P0: LOAD Input, R1 LOAD Input, R2 $TRNSFR #2 BLT R1, 0, [T1] BLT R2, 0, [T1] BGE R1, 0, [P1] T1: $STOP #1 $STOP #2 P1: $TRNSFR #1 SUB R2, R1, R0 Hardware #2 gets a copy of the register words of #1, and a read-only copy of the program and its memory. Then, the program that harware #1 runs, is, essentially, P0: LOAD Input, R1 LOAD Input, R2 SUB R2, R1, R0 This is efficient, since defensive checking is gone: once the program has been shown to be correct, $TRNSFR may mean to just skip the tests. As always, if engineers decide to plant side effects into predicates, they are on their own. Sorry for the steam, but it is perhaps a good idea to state that it is the engineers who take responsibility for writing proper contracts, and then using them.