From: Phil Thornley
Newsgroups: comp.lang.ada
Subject: Re: Question about SPARK flow error.
Date: Sat, 19 Jun 2010 16:28:08 -0700 (PDT)
Organization: http://groups.google.com
Message-ID: <78a3a0d8-9216-4c55-a586-162995f41046@q12g2000yqj.googlegroups.com>
References: <4c1cf6a3$0$30803$4d3efbfe@news.sover.net>

On 19 June, 17:58, "Peter C. Chapin" wrote:
[...]

Well, I was also wrong about using the non-existence of an unprovable VC as evidence to support an accept annotation!

Using your code, the Simplifier proves all the VCs - and it still does even if I remove either of the assignments to Index (and so create a genuine data flow error).

The 'exit' VCs for a procedure are "trivially true" unless there is a post-condition. All exported values are assumed to be valid at this point because the RTC analysis ***assumes that there are no data-flow errors*** - i.e.:
1. all exports must have been assigned a value (otherwise there will be a data-flow error), and
2. all values assigned must be valid, otherwise there will be an unprovable VC.

So it seems to me that:

The best way to deal with the error is an accept annotation. Such an annotation is a potential risk as it may hide a genuine data flow error (if not now then maybe when the code is changed at some point in the future). Consequently it makes sense to force a check on the relevant value by adding a check annotation.

So, how about adding the following at the end of your procedure:

   --# accept F, 602, Index, Index,
   --#        "The following check ensures that there is no actual error.";
   --# check Index in Index_Type;
end Add_Item;

This eliminates the reported flow error, and creates an unprovable VC if there is any genuine data flow error for Index.

(It also needs an assertion in the loop: --# assert not Found;)

HTH

Phil
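The pattern Phil describes, carried through in a complete procedure, as an added example that is not code from this thread or from Peter Chapin's original post (his Add_Item is not on the page). The package Item_Store, its types and the loop shape are assumptions chosen so that Index is assigned only inside the loop, which is the shape that makes the Examiner's flow analysis report the export as possibly undefined; the flow error number 602 and the accept/check/assert annotation syntax (SPARK 2005, `--#` comments) are taken from the post above. Deleting either assignment to Index leaves the accept annotation silencing the flow error, but the `--# check Index in Index_Type;` VC then has no hypothesis giving Index a value and cannot be proved, which is exactly the safety net the post proposes.

```ada
-- Added illustration (not code from the thread): a hypothetical Item_Store
-- package showing the accept + check pattern in SPARK 2005 annotation syntax.
-- Add_Item assigns Index only inside the loop, so flow analysis (which allows
-- for the loop body never running) reports Index as possibly undefined.

package Item_Store
--# own Table;
--# initializes Table;
is
   Max_Items : constant := 8;
   subtype Index_Type is Integer range 1 .. Max_Items;

   type Slot is range 0 .. 255;
   Empty : constant Slot := 0;
   subtype Item_Type is Slot range 1 .. Slot'Last;

   -- Store Item in the first empty slot. On return Found says whether a
   -- slot was free and Index is the slot used (or the last slot if none was).
   procedure Add_Item (Item  : in     Item_Type;
                       Found :    out Boolean;
                       Index :    out Index_Type);
   --# global in out Table;
   --# derives Table        from Table, Item &
   --#         Found, Index from Table;

end Item_Store;

package body Item_Store is

   type Table_Type is array (Index_Type) of Slot;
   Table : Table_Type := Table_Type'(others => Empty);

   procedure Add_Item (Item  : in     Item_Type;
                       Found :    out Boolean;
                       Index :    out Index_Type)
   is
   begin
      Found := False;
      for I in Index_Type loop
         -- Loop invariant from the post: we only re-enter the loop while
         -- no slot has been taken yet.
         --# assert not Found;
         if Table (I) = Empty then
            Table (I) := Item;
            Index := I;
            Found := True;
         elsif I = Index_Type'Last then
            -- No free slot at all: the last iteration still assigns Index,
            -- so the export is defined on every real path even though the
            -- flow analyser cannot see that the loop always runs.
            Index := I;
         end if;
         exit when Found;
      end loop;
      -- Suppress the flow error for Index and, in the same breath, force a
      -- VC on its value. If either assignment above is deleted the accept
      -- annotation still hides the flow error, but this VC becomes unprovable.
      --# accept F, 602, Index, Index,
      --#        "Index is assigned on the last iteration when no slot is free; the check below turns any real omission into an unprovable VC.";
      --# check Index in Index_Type;
   end Add_Item;

end Item_Store;
```

The justification string in the accept annotation is the place to say why the flow error is believed to be spurious; the check annotation is what keeps that belief honest when someone later edits the loop. The exact wording of the Examiner's 602 message is not reproduced here.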