Newsgroups: comp.lang.ada
Date: Thu, 1 Aug 2019 17:02:41 -0700 (PDT)
In-Reply-To: <28e4ac2e-311b-40c4-ad81-42f55129ccd1@googlegroups.com>
Message-ID: <6b8f72b9-27f1-4590-896f-173b7a540a14@googlegroups.com>
Subject: Re: SPARK proving an array of Positives.
From: Optikos

On Tuesday, July 30, 2019 at 11:35:54 AM UTC-5, Shark8 wrote:
> I have a bit of a problem getting the SPARK provers to accept that a postcondition cannot fail.
> Given the following in a spec file:
>
>    Type Axis_Count is range 0..999 with Size => 10;
>    Type Axis_Dimensions is Array (Axis_Count range <>) of Positive
>      with Default_Component_Value => 1;
>    Subtype Primary_Data_Array is Axis_Dimensions(1..999);
>    Subtype Random_Groups_Data is Axis_Dimensions(1..998);
>
>    Function EF( Item : FITS.Axis_Dimensions ) return Interfaces.Unsigned_64;
>
> and the following in the implementation:
>
>    Function EF( Item : FITS.Axis_Dimensions ) return Interfaces.Unsigned_64 is
>       Max : Constant := Positive'Last;
>       Function First return Interfaces.Unsigned_64 is
>         ( Interfaces.Unsigned_64( Item( Item'First ) ) )
>         with Inline, Pre => Item'Length > 0, Post => First'Result <= Max;
>       Function Last return Interfaces.Unsigned_64 is
>         ( Interfaces.Unsigned_64( Item( Item'Last ) ) )
>         with Inline, Pre => Item'Length > 0, Post => Last'Result <= Max;
>       use all type Interfaces.Unsigned_64;
>    Begin
>       case Item'Length is
>          when 0 => return 1;
>          when 1 => return First;
>          when 2 => return First * Last;

As per the Axis_Value restriction to 32-bit modular-arithmetic integer portion of Brad Moore's more elaborate rewrite in his reply, the when-2 clause in Shark8's version could pessimistically be construed to be as much as a 128-bit integer when multiplying two Interfaces.Unsigned_64 modular-arithmetic integers together. I suspect that that overt revelation to SPARK regarding 32-bit multiplicands is the main corrective act among Brad Moore's multiple edits. I do admire how SPARK automatedly figured out (apparently via term replacement) in Brad Moore's variant that

> when 2 => return Result_Value (First) * Result_Value (Last);

could be rewritten equivalently as

   when 2 => return Result_Value (First * Last);

in order to make obvious the logical deduction of lack-of-overflow-of-64-bit-unsigneds-due-to-multiplying-two-mere-32-bit-unsigneds possible in this proof.
>          when others =>
>             Declare
>                Middle : Constant Axis_Count := Item'Length/2 + Item'First;
>                Subtype Head is Axis_Count range Item'First..Middle;
>                Subtype Tail is Axis_Count range Axis_Count'Succ(Middle)..Item'Last;
>             Begin
>                Return EF(Item(Head)) * EF(Item(Tail));
>             End;
>       end case;
>    End EF;
>
> the SPARK prover is issuing warnings that the postconditions might fail.
> "medium: postcondition might fail, cannot prove First'Result <= Max (e.g. when First'Result = 0)"
> But this is impossible given that the element-type is Positive and the precondition states there is at least one element. Does anyone know why this is happening? (And how to fix it?)
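Added example, not code from either post in this thread nor Brad Moore's rewrite: it shows the point the reply makes, namely stating the 32-bit bound on each element where the prover can see it (as a subtype of Unsigned_64) instead of as a postcondition on a nested function, so that the two-element product is bounded by plain arithmetic on known constants. It also adds the check a practitioner would want for the general product, where no such bound exists and modular "*" would otherwise wrap silently. Axis_Count, Axis_Dimensions and Max follow the quoted post; Elem_Value, Value, First_Times_Last, Checked_Multiply and Product are names introduced here. Spec and body are shown in one block.

```ada
--  Added example (not from the thread).  Spec and body in one block.
with Interfaces; use Interfaces;

package Axis_Product with SPARK_Mode is

   type Axis_Count is range 0 .. 999;
   type Axis_Dimensions is array (Axis_Count range <>) of Positive
     with Default_Component_Value => 1;

   --  The element bound as a subtype: every converted element is at
   --  most Positive'Last, i.e. it fits in 32 bits.  The prover gets
   --  this from the type instead of having to establish a Post.
   Max : constant Unsigned_64 := Unsigned_64 (Positive'Last);
   subtype Elem_Value is Unsigned_64 range 1 .. Max;

   function Value (Item : Axis_Dimensions; Index : Axis_Count)
     return Elem_Value is (Unsigned_64 (Item (Index)))
     with Pre => Index in Item'Range;

   --  Two values below 2**31 multiply to a value below 2**62, so the
   --  modular "*" cannot wrap here and the postcondition is arithmetic
   --  on constants (Max * Max itself fits in 64 bits).
   function First_Times_Last (Item : Axis_Dimensions) return Unsigned_64 is
     (Value (Item, Item'First) * Value (Item, Item'Last))
     with Pre  => Item'Length > 0,
          Post => First_Times_Last'Result <= Max * Max;

   --  For the full product no such bound exists (up to 999 elements of
   --  up to 2**31 each), so report wrap-around instead of hiding it:
   --  A * B fits in 64 bits exactly when B <= Unsigned_64'Last / A.
   procedure Checked_Multiply
     (A, B   : Unsigned_64;
      Result : out Unsigned_64;
      Fits   : out Boolean)
     with Post => Fits = (A = 0 or else B <= Unsigned_64'Last / A)
                  and then (if Fits then Result = A * B);

   --  Product of all elements; Fits is False if it does not fit in
   --  64 bits, in which case Result holds the last partial product.
   procedure Product
     (Item   : Axis_Dimensions;
      Result : out Unsigned_64;
      Fits   : out Boolean);

end Axis_Product;

package body Axis_Product with SPARK_Mode is

   procedure Checked_Multiply
     (A, B   : Unsigned_64;
      Result : out Unsigned_64;
      Fits   : out Boolean) is
   begin
      Fits   := A = 0 or else B <= Unsigned_64'Last / A;
      Result := (if Fits then A * B else 0);
   end Checked_Multiply;

   procedure Product
     (Item   : Axis_Dimensions;
      Result : out Unsigned_64;
      Fits   : out Boolean) is
      Acc  : Unsigned_64 := 1;   --  empty array: product is 1, as in the post
      Next : Unsigned_64;
   begin
      Fits := True;
      for I in Item'Range loop
         Checked_Multiply (Acc, Value (Item, I), Next, Fits);
         exit when not Fits;
         Acc := Next;
      end loop;
      Result := Acc;
   end Product;

end Axis_Product;
```

The difference from the quoted version is where the bound lives: First and Last in the post return an unconstrained Unsigned_64 and promise the bound in a Post, while Value here returns Elem_Value, so the bound is part of the value's type everywhere it is used, including inside First_Times_Last. Product is the defensive counterpart for the recursive when-others branch: modular arithmetic never raises on overflow, so a caller that needs the true product must check Fits rather than trust the returned number.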