From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM autolearn=unavailable autolearn_force=no version=3.4.4
X-Received: by 10.42.106.197 with SMTP id a5mr10131309icp.30.1431507633167; Wed, 13 May 2015 02:00:33 -0700 (PDT)
X-Received: by 10.140.29.119 with SMTP id a110mr279546qga.20.1431507632028; Wed, 13 May 2015 02:00:32 -0700 (PDT)
Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!mx02.eternal-september.org!feeder.eternal-september.org!news.glorb.com!m20no4047928iga.0!news-out.google.com!k20ni2265qgd.0!nntp.google.com!j5no8015766qga.1!postnews.google.com!glegroupsg2000goo.googlegroups.com!not-for-mail
Newsgroups: comp.lang.ada
Date: Wed, 13 May 2015 02:00:31 -0700 (PDT)
In-Reply-To:
Complaints-To: groups-abuse@google.com
Injection-Info: glegroupsg2000goo.googlegroups.com; posting-host=185.30.133.97; posting-account=hya6vwoAAADTA0O27Aq3u6Su3lQKpSMz
NNTP-Posting-Host: 185.30.133.97
References: <2430252d-52a1-4609-acef-684864e6ca0c@googlegroups.com> <0a718b39-ebd3-4ab5-912e-f1229679dacc@googlegroups.com> <9ee5e186-5aaa-4d07-9490-0f9fdbb5ca18@googlegroups.com> <87tww5296f.fsf@adaheads.sparre-andersen.dk> <871tj9dp5b.fsf@theworld.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <7884ce8c-498a-4157-869f-e2d4921ba52b@googlegroups.com>
Subject: Re: {Pre,Post}conditions and side effects
From: vincent.diemunsch@gmail.com
Injection-Date: Wed, 13 May 2015 09:00:32 +0000
Content-Type: text/plain; charset=ISO-8859-1
Xref: news.eternal-september.org comp.lang.ada:25860
Date: 2015-05-13T02:00:31-07:00
List-Id:

Thanks Peter for your response,

> Yes, and yes. We do use Assume to describe the necessary mathematical
> properties involved. In particular we Assume the array after swapping two
> elements is a permutation of the original. Similarly we use Assume to
> embody the idea that permutations are transitive: if B is a permutation of
> A and C is a permutation of B, then C is a permutation of A. This is
> necessary to support a loop invariant asserting that the partially
> processed array is always a permutation of the original.
>
> In our example we leave the ghost functions unimplemented so the tools
> can't learn anything about them other than what we describe in the
> assertions associated with them. This also means the program won't link
> unless it's compiled with an Assertion_Policy of Ignore.

That is a sound approach, since one can then give a proof of the "Assume" statements in an external document that describes the mathematical foundation of the program.

> The ghost functions could potentially be implemented with actual code and
> then one might hope the tools could learn enough from them to do without
> some of the Assumes, for example via contextual analysis. However, some
> caution is needed. You don't want to use the sorting procedure to
> implement the permutation checker that you are using to prove the sorting
> procedure!

I agree. I prefer relying on an external proof checker to doing confused functional manipulations, as ML or OCaml tend to do.

Regards,

Vincent
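As an added illustration of the pattern Peter describes above (this is an example sketch written for this page, not code from the thread or from Peter's example), here is a SPARK 2014 package in which the permutation predicate is a ghost function left unimplemented, the facts about it (reflexivity, transitivity, and "a swap yields a permutation") are taken on trust with pragma Assume, and a selection sort carries the loop invariant that the partially processed array is a permutation of the input. The package name Perm_Sort, the names Is_Perm, Lemma_Perm_Refl, Lemma_Perm_Transitive, Swap and Selection_Sort, and the bounds of Index are this example's own assumptions. Because Is_Perm has no body, the program links only with Assertion_Policy (Ignore), exactly as the quoted text notes; the prover relies on nothing about Is_Perm except the assumed facts, so the checker can never be circularly defined in terms of the sort it is meant to verify.

```ada
--  Spec: perm_sort.ads (example, not from the thread)
package Perm_Sort with SPARK_Mode is

   type Index is range 1 .. 1000;
   type Int_Array is array (Index range <>) of Integer;

   --  Ghost permutation predicate, deliberately left unimplemented:
   --  the prover can only use what the Assume statements state about it.
   --  Linking therefore requires Assertion_Policy (Ignore).
   function Is_Perm (A, B : Int_Array) return Boolean
     with Ghost, Import, Global => null;

   --  Ghost lemmas whose bodies Assume the mathematical facts; their
   --  justification belongs in an external proof document.
   procedure Lemma_Perm_Refl (A : Int_Array)
     with Ghost, Global => null, Post => Is_Perm (A, A);

   procedure Lemma_Perm_Transitive (A, B, C : Int_Array)
     with Ghost, Global => null,
          Pre  => Is_Perm (A, B) and Is_Perm (B, C),
          Post => Is_Perm (A, C);

   procedure Swap (A : in out Int_Array; I, J : Index)
     with Pre  => I in A'Range and J in A'Range,
          Post => Is_Perm (A'Old, A);

   procedure Selection_Sort (A : in out Int_Array)
     with Post => Is_Perm (A'Old, A);

end Perm_Sort;

--  Body: perm_sort.adb (example, not from the thread)
package body Perm_Sort with SPARK_Mode is

   procedure Lemma_Perm_Refl (A : Int_Array) is
   begin
      null;
      pragma Assume (Is_Perm (A, A));   --  assumed, not proved here
   end Lemma_Perm_Refl;

   procedure Lemma_Perm_Transitive (A, B, C : Int_Array) is
   begin
      null;
      pragma Assume (Is_Perm (A, C));   --  transitivity, assumed
   end Lemma_Perm_Transitive;

   procedure Swap (A : in out Int_Array; I, J : Index) is
      Old_A : constant Int_Array := A with Ghost;   --  ghost copy of the input
      T     : constant Integer   := A (I);
   begin
      A (I) := A (J);
      A (J) := T;
      --  Exchanging two elements yields a permutation: assumed, as in the thread.
      pragma Assume (Is_Perm (Old_A, A));
   end Swap;

   procedure Selection_Sort (A : in out Int_Array) is
      Entry_A : constant Int_Array := A with Ghost;  --  ghost copy of the input
      Min     : Index;
   begin
      Lemma_Perm_Refl (A);   --  establishes the invariant for the first iteration
      for I in A'Range loop
         --  The partially processed array is always a permutation of the input.
         pragma Loop_Invariant (Is_Perm (Entry_A, A));
         Min := I;
         for J in I + 1 .. A'Last loop
            if A (J) < A (Min) then
               Min := J;
            end if;
         end loop;
         declare
            Prev : constant Int_Array := A with Ghost;  --  state before the swap
         begin
            Swap (A, I, Min);
            --  Is_Perm (Entry_A, Prev) and Is_Perm (Prev, A) restore the invariant.
            Lemma_Perm_Transitive (Entry_A, Prev, A);
         end;
      end loop;
   end Selection_Sort;

end Perm_Sort;
```

The design choice worth noting is that every fact about Is_Perm enters through a named lemma or a single pragma Assume, so the list of trusted statements is short, explicit, and easy to match against the external proof; implementing Is_Perm with real code would widen what the tools can infer, but would also reintroduce the risk of defining the checker in terms of the code under proof.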