From: Rod Chapman <r_c_chapman@my-deja.com>
Subject: Re: Help with Atomic_Components and whole array assignment
Date: Thu, 01 Feb 2001 09:42:24 GMT
Date: 2001-02-01T09:42:24+00:00 [thread overview]
Message-ID: <95bb20$7jb$1@nnrp1.deja.com> (raw)
In-Reply-To: 3A7886A7.F1BB5513@averstar.com
In article <3A7886A7.F1BB5513@averstar.com>,
Tucker Taft <stt@averstar.com> wrote:
> Rod Chapman wrote:
> > The compound statement
> > for I in A'Range loop
> > A(I) := 0;
> > end loop;
> > has information flow "derives A from A", which is significantly
> > different.
>
> I don't understand why this derives A from A. Is this just
> a limitation of SPARK? Clearly, we are assigning a new
> value to every component of A, making no use of the original
> values.
This is what we call the "array update anomaly" in SPARK. Consider
the simple assignment statement
A(1) := 0;
This has information flow "derives A from A" since
1 element of A is changed and all the others are preserved, and
"0" is a literal constant.
The info. flow for a loop is formed (see the maths in Barnes
or in the Bergeretti/Carre ACM TOPLAS paper) from the transitive
closure of the info. flow for its body, so the loop above does
indeed have info. flow "derives A from A".
In _general_, the Examiner is not capable of determining that
all the elements of an array just happen to have been updated
by a sequence or loop of such statements, and the Examiner
does not attempt to spot any such special cases.
(Such as analysis _is_ possible for record fields, though...)
Consider an array A with only 2 elements, and the statements
A(I) := 0
A(J) := 1;
where I and J are variables.
Have we updated all the elements of A? Don't know, so we have
to be conservative. (Flow analysis is essentially syntax driven -
we do not attempt to solve proof problems during flow analysis!)
In real life, if we really need a loop to initialise, then we'd
do
procedure Init ( A : out A_Type );
--# derives A from ;
procedure Init ( A : out A_Type )
is
--# hide Init;
begin
... -- as before...
end Init;
instructing the Examiner to believe the spec. and to ignore the
body.
- Rod
Sent via Deja.com
http://www.deja.com/
next prev parent reply other threads:[~2001-02-01 9:42 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-01-22 11:22 Help with Atomic_Components and whole array assignment r_c_chapman
2001-01-22 12:51 ` Stuart Palin
2001-01-22 14:16 ` mark_lundquist
2001-01-22 16:09 ` Pat Rogers
2001-01-22 16:29 ` Robert Dewar
2001-01-22 19:52 ` Mark Lundquist
2001-01-30 15:54 ` Tucker Taft
2001-01-30 18:20 ` Robert Dewar
2001-01-31 5:08 ` DuckE
2001-01-31 5:57 ` Robert Dewar
2001-02-01 3:31 ` DuckE
2001-02-02 21:38 ` Mark Lundquist
2001-02-02 23:08 ` Robert Dewar
2001-02-03 1:39 ` tmoran
2001-01-22 16:21 ` Robert Dewar
2001-01-22 16:39 ` r_c_chapman
2001-01-30 15:57 ` Tucker Taft
2001-01-30 18:26 ` Robert Dewar
2001-01-30 21:30 ` Simon Wright
2001-02-01 6:11 ` Robert Dewar
2001-02-06 0:32 ` Richard Kenner
2001-02-06 3:15 ` Robert Dewar
2001-01-31 10:09 ` Rod Chapman
2001-01-31 21:41 ` Tucker Taft
2001-02-01 5:33 ` Robert Dewar
2001-02-01 9:42 ` Rod Chapman [this message]
2001-02-01 18:10 ` Robert Dewar
2001-02-01 13:14 ` SPARK flow analysis (was Help with Atomic_Components and whole array assignment) Stuart Palin
2001-02-01 23:38 ` Help with Atomic_Components and whole array assignment Nick Roberts
2001-02-02 3:45 ` Robert Dewar
2001-02-07 21:40 ` Nick Williams
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox