From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=0.2 required=5.0 tests=BAYES_00,FROM_ADDR_WS,
	INVALID_MSGID,REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no
	version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,fb1663c3ca80b502
X-Google-Attributes: gid103376,public
X-Google-Thread: fac41,e01bd86884246855
X-Google-Attributes: gidfac41,public
From: "Joachim Durchholz" <joachim dot durchholz@halstenbach.com>
Subject: Re: Interresting thread in comp.lang.eiffel
Date: 2000/07/13
Message-ID: <8kl22p$2os00$1@ID-9852.news.cis.dfn.de>#1/1
X-Deja-AN: 646007010
References: <8ipvnj$inc$1@wanadoo.fr> <8j67p8$afd$1@nnrp1.deja.com>
 <slrn8leffq.ebq.gisle@spurv.ii.uib.no>
  <395886DA.CCE008D2@deepthought.com.au> <3958B07B.18A5BB8C@acm.com>
  <y1d65.620$7%3.33446@news.flash.net> <395A0ECA.940560D1@acm.com>
  <8jd4bb$na7$1@toralf.uib.no> <8jfabb$1d8$1@nnrp1.deja.com>
 <8jhq0m$30u5$1@toralf.uib.no> <8jt4j7$19hpk$1@ID-9852.news.cis.dfn.de>
 <3963CDDE.3E8FB644@earthlink.net> <3963DEBF.79C40BF1@eiffel.com>
 <396502D2.BD8A42E7@earthlink.net> <RSsa5.11075$7%3.784507@news.flash.net>
 <6aHa5.113$6E.23141@ptah.visi.com> <396B4A68.458FA3BC@maths.unine.ch>
 <u6hp4i16$GA.283@cpmsnbbsa07> <VVMa5.12642$7%3.843780@news.flash.net>
 <396C24B1.F632039B@praxis-cs.co.uk>
X-Priority: 3
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-Trace: fu-berlin.de 963513241 2912256 195.190.10.210 (16 [9852])
X-MSMail-Priority: Normal
Reply-To: "Joachim Durchholz" <joachim.durchholz@halstenbach.com>
Newsgroups: comp.lang.ada,comp.lang.eiffel
Date: 2000-07-13T00:00:00+00:00
List-Id: <comp.lang.ada>

Peter Amey <pna@praxis-cs.co.uk> wrote:
>
> Proof:
>   1. Has greater flexibility over _where_ you enforce the contract.
>   2. Requires no run time overhead for checking constraints.
>   3. Has no need for error handling code to deal with breeches of
> contract you have proved can't occur (and which will therefore turn
out
> to be untestable).
>   4. Can express properties not directly visible according to the
> programming language rules at the point of check. (e.g. in SPARK we
> might define a proof function "NotFull(S : StackType) return Boolean;"
> which we can use for proof purposes even if the stack package does not
> export an Ada function which can tell us if the stack is full or not).

Fully agreed. I'd love to see a prover for Eiffel.

Regards,
Joachim
--
This is not an official statement from my employer or from NICE.
Reply-to address changed to discourage unsolicited advertisements.