From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 border2.nntp.dca1.giganews.com!nntp.giganews.com!usenet.blueworldhosting.com!feeder01.blueworldhosting.com!feeder.erje.net!1.eu.feeder.erje.net!news.swapon.de!eternal-september.org!feeder.eternal-september.org!mx02.eternal-september.org!.POSTED!not-for-mail
From: Bob Duff <bobduff@theworld.com>
Newsgroups: comp.lang.ada
Subject: Re: {Pre,Post}conditions and side effects
Date: Tue, 12 May 2015 10:21:41 -0400
Organization: A noiseless patient Spider
Message-ID: <87egml511m.fsf@theworld.com>
References: <2430252d-52a1-4609-acef-684864e6ca0c@googlegroups.com>
 <AnYlw.957256$Rp.242412@fx23.iad>
 <0a718b39-ebd3-4ab5-912e-f1229679dacc@googlegroups.com>
 <wccoaqucn51.fsf@shell01.TheWorld.com>
 <9ee5e186-5aaa-4d07-9490-0f9fdbb5ca18@googlegroups.com>
 <alpine.CYG.2.11.1412231747100.4196@WIL414CHAPIN.vtc.vsc.edu>
 <wccegrpq2om.fsf@shell01.TheWorld.com>
 <87tww5296f.fsf@adaheads.sparre-andersen.dk>
 <871tj9dp5b.fsf@theworld.com>
 <ce4af31e-d491-479f-a5b3-0b3eedea2a68@googlegroups.com>
 <midvq5$2u3$1@loke.gir.dk>
 <alpine.DEB.2.11.1505071103310.14859@debian>
 <migc9a$jp8$1@loke.gir.dk>
 <alpine.DEB.2.11.1505072052570.16448@debian>
 <mijen0$1hj$1@loke.gir.dk>
 <alpine.DEB.2.11.1505111113020.12062@debian>
 <mirjho$lqh$1@loke.gir.dk>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: mx02.eternal-september.org;
 posting-host="ceb420dd1bf21db35c08843b2dddf408";
 logging-data="16348"; mail-complaints-to="abuse@eternal-september.org";
 posting-account="U2FsdGVkX1+b7gUhGD7kayHKZwE2u9Kn"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
Cancel-Lock: sha1:C5R/wnHw0FXtZfcGQTmkZhpWJac=
 sha1:WY9ecsWnMI1M6NYUVvm+RxZFxGs=
Xref: number.nntp.giganews.com comp.lang.ada:193149
Date: 2015-05-12T10:21:41-04:00
List-Id: <comp.lang.ada>

"Randy Brukardt" <randy@rrsoftware.com> writes:

> I can see that are some cases where the properties are too expensive to 
> verify at runtime. It would be nice if there was a way to turn off those 
> (AND ONLY THOSE) properties. But Ada doesn't have that sort of granularity, 

Sure it does.  If Is_Sorted is too slow for production use, you can say:

    ... with Predicate => (if Slow_Mode then Is_Sorted(...))

and set the Slow_Mode flag to True for testing.  Also set it to True
when running proof tools.

Alternatively, you can say something like:

    function Sort(X: My_Array) return My_Array with
        Post => (if X'Length <= 20 then Is_Sorted(Sort'Result));

Now calls to Sort can be O(log N) instead of O(N).  And if Sort doesn't
do anything special for arrays longer than 20, the postcondition is
likely to catch any bugs in Sort.

> Correct. If it hurts, don't write that. :-) I don't begin to believe that 
> all program properties can be proved.

Yes, that's obviously true.  Here's a property of GNAT:

    Compared to most compilers (for any language), GNAT usually gives
    better error messages.

Anybody who has used GNAT and a lot of other compilers knows that
property is true.  But nobody can prove it in a mathematical sense,
because there's no way to formalize it.

- Bob