Newsgroups: comp.lang.ada
Subject: Re: SPARK prooving an array of Positives.
From: Anh Vo
Date: Tue, 30 Jul 2019 17:18:21 -0700 (PDT)
Message-ID: <65396646-c996-4a0a-b698-3ff990467583@googlegroups.com>
In-Reply-To: <28e4ac2e-311b-40c4-ad81-42f55129ccd1@googlegroups.com>

On Tuesday, July 30, 2019 at 9:35:54 AM UTC-7, Shark8 wrote:
> I have a bit of a problem getting the SPARK provers to accept that a postcondition cannot fail.
> Given the following in a spec file:
>
> Type Axis_Count is range 0..999 with Size => 10;
> Type Axis_Dimensions is Array (Axis_Count range <>) of Positive
>   with Default_Component_Value => 1;
> Subtype Primary_Data_Array is Axis_Dimensions(1..999);
> Subtype Random_Groups_Data is Axis_Dimensions(1..998);
>
> Function EF( Item : FITS.Axis_Dimensions ) return Interfaces.Unsigned_64;
>
> and the following in the implementation:
>
> Function EF( Item : FITS.Axis_Dimensions ) return Interfaces.Unsigned_64 is
>   Max : Constant := Positive'Last;
>   Function First return Interfaces.Unsigned_64 is
>     ( Interfaces.Unsigned_64( Item( Item'First ) ) )
>   with Inline, Pre => Item'Length > 0, Post => First'Result <= Max;
>   Function Last return Interfaces.Unsigned_64 is
>     ( Interfaces.Unsigned_64( Item( Item'Last ) ) )
>   with Inline, Pre => Item'Length > 0, Post => Last'Result <= Max;
>   use all type Interfaces.Unsigned_64;
> Begin
>   case Item'Length is
>     when 0 => return 1;
>     when 1 => return First;
>     when 2 => return First * Last;
>     when others =>
>       Declare
>         Middle : Constant Axis_Count := Item'Length/2 + Item'First;
>         Subtype Head is Axis_Count range Item'First..Middle;
>         Subtype Tail is Axis_Count range Axis_Count'Succ(Middle)..Item'Last;
>       Begin
>         Return EF(Item(Head)) * EF(Item(Tail));
>       End;
>   end case;
> End EF;
>
> the SPARK prover is issuing warnings that the postconditions might fail.
> "medium: postcondition might fail, cannot prove First'Result <= Max (e.g. when First'Result = 0)"
> But this is impossible given that the element-type is Positive and the precondition states there is at least one element. Does anyone know why this is happening? (And how to fix it?)

Assuming you are using gnat-2019-community version, increase the level of proof by setting --level=n (n = 0 to 4) to see if it works.

Anh Vo
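The "try each --level and see if it works" suggestion above, as an added shell script that is not part of the thread: it runs gnatprove at --level=0 through --level=4 and reports the first level whose output no longer contains a "might fail" check message (the wording of the message quoted in the question). It assumes a GNAT project file, named fits.gpr here as a placeholder, gnatprove on PATH, and an optional GNATPROVE variable to substitute another command; only the -P and --level options are used.

```shell
#!/bin/sh
# Added example, not code from the thread. Drives gnatprove at increasing
# --level values (the knob recommended in the reply) and stops at the first
# level that leaves no "might fail" message. Assumptions: a project file
# (placeholder name fits.gpr), gnatprove on PATH or named in $GNATPROVE.

# find_proof_level PROJECT [MAX_LEVEL]
# Prints the first level in 0..MAX_LEVEL (default 4) at which the gnatprove
# output contains no "might fail" message and returns 0; prints "none" and
# returns 1 if every level still reports an unproved check; returns 2 if the
# prover command cannot be found.
find_proof_level() {
    project="$1"
    max_level="${2:-4}"
    prover="${GNATPROVE:-gnatprove}"

    # Fail loudly rather than mistaking "command not found" for a clean run.
    if ! command -v "$prover" >/dev/null 2>&1; then
        echo "prover command '$prover' not found" >&2
        return 2
    fi

    level=0
    while [ "$level" -le "$max_level" ]; do
        # -P selects the project; --level=n raises prover effort (0..4).
        output=$("$prover" -P "$project" --level="$level" 2>&1)
        if printf '%s\n' "$output" | grep -q 'might fail'; then
            level=$((level + 1))
        else
            echo "$level"
            return 0
        fi
    done
    echo "none"
    return 1
}

# Usage (placeholder project name):
#   find_proof_level fits.gpr
```

If every level still reports the check as unproved, the problem is not prover effort, and the function says so with "none" instead of silently returning the last level tried.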