From: Rod Chapman
Newsgroups: comp.lang.ada
Subject: Re: Help with Atomic_Components and whole array assignment
Date: Thu, 01 Feb 2001 09:42:24 GMT
Organization: Deja.com
Message-ID: <95bb20$7jb$1@nnrp1.deja.com>
References: <94h55t$9a1$1@nnrp1.deja.com> <94hml1$o64$1@nnrp1.deja.com> <94hno6$p8s$1@nnrp1.deja.com> <3A76E455.AABF2490@averstar.com> <958o8f$vem$1@nnrp1.deja.com> <3A7886A7.F1BB5513@averstar.com>

In article <3A7886A7.F1BB5513@averstar.com>, Tucker Taft wrote:
> Rod Chapman wrote:
> > The compound statement
> >    for I in A'Range loop
> >       A(I) := 0;
> >    end loop;
> > has information flow "derives A from A", which is significantly
> > different.
>
> I don't understand why this derives A from A.  Is this just
> a limitation of SPARK?  Clearly, we are assigning a new
> value to every component of A, making no use of the original
> values.

This is what we call the "array update anomaly" in SPARK.
Consider the simple assignment statement

   A(1) := 0;

This has information flow "derives A from A" since 1 element of A is
changed and all the others are preserved, and "0" is a literal constant.

The info. flow for a loop is formed (see the maths in Barnes or in the
Bergeretti/Carre ACM TOPLAS paper) from the transitive closure of the
info. flow for its body, so the loop above does indeed have info. flow
"derives A from A".

In _general_, the Examiner is not capable of determining that all the
elements of an array just happen to have been updated by a sequence or
loop of such statements, and the Examiner does not attempt to spot any
such special cases. (Such an analysis _is_ possible for record fields,
though...)

Consider an array A with only 2 elements, and the statements

   A(I) := 0;
   A(J) := 1;

where I and J are variables. Have we updated all the elements of A?
Don't know, so we have to be conservative. (Flow analysis is essentially
syntax driven - we do not attempt to solve proof problems during flow
analysis!)

In real life, if we really need a loop to initialise, then we'd do

   procedure Init ( A : out A_Type );
   --# derives A from ;

   procedure Init ( A : out A_Type ) is
   --# hide Init;
   begin
      ... -- as before...
   end Init;

instructing the Examiner to believe the spec. and to ignore the body.

 - Rod
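The post above explains the "derives" relation informally: an element update preserves the rest of the array, and a loop's flow relation is the transitive closure of its body's relation. The following toy analyser is an added example written for this page; it is not the SPARK Examiner and nothing in it comes from the post or from Praxis. It encodes statements as tuples (an assumed encoding of my own), treats the bounds of `A'Range` as static constants, and adds a whole-array aggregate assignment `A := (others => 0)` as a contrast case that the post does not itself spell out. Running it reproduces the three verdicts discussed in the thread: the loop derives A from A, the aggregate derives A from nothing, and two element updates with variable indices derive A from A, I and J.

```python
# Toy SPARK-style information-flow ("derives") analysis in the
# Bergeretti/Carre style, added as an illustration of the array update
# anomaly described in the post.  It is not the SPARK Examiner; the
# statement encoding below is an assumption made for this example.
#
# Statements are tuples:
#   ("assign", "X", {"Y"})              X := f(Y)        whole-variable assignment
#   ("update", "A", {"I"}, {"Y"})       A(I) := f(Y)     single-element update
#   ("for", "I", {"lo", "hi"}, [...])   for I in lo .. hi loop ... end loop
#
# A relation maps each assigned variable to the set of variables its value
# on exit depends on; a variable absent from a relation is unchanged.


def compose(first, second):
    """Relation of running `first` then `second`.

    Each relation is stated relative to its own entry state, so a variable
    that `second` derives from y really derives from whatever `first`
    derived y from.  A missing key means "unchanged" (x derives from x).
    """
    result = {}
    for x in set(first) | set(second):
        result[x] = set()
        for y in second.get(x, {x}):
            result[x] |= first.get(y, {y})
    return result


def union(rel_a, rel_b):
    """Pointwise union of two relations (used for the loop fixpoint)."""
    return {x: rel_a.get(x, {x}) | rel_b.get(x, {x})
            for x in set(rel_a) | set(rel_b)}


def relation_of(stmt):
    """Derives relation of a single statement."""
    kind = stmt[0]
    if kind == "assign":
        _, target, expr = stmt
        return {target: set(expr)}
    if kind == "update":
        _, array, index, expr = stmt
        # A(I) := E changes one element and preserves all the others, so the
        # new A depends on the old A as well as on the index and expression.
        # This is the array update anomaly: the analysis never asks whether
        # a sequence of such updates happens to cover every element.
        return {array: {array} | set(index) | set(expr)}
    if kind == "for":
        _, var, bounds, body = stmt
        init = {var: set(bounds)}        # loop variable comes from the range
        body_rel = analyse(body)
        # The body runs zero or more times: reflexive transitive closure,
        # computed as a fixpoint (sets only grow, so this terminates).
        closure = {}                     # empty relation == identity
        while True:
            step = union(closure, compose(closure, body_rel))
            if step == closure:
                break
            closure = step
        loop_rel = compose(init, closure)
        loop_rel.pop(var, None)          # loop variable is local to the loop
        return loop_rel
    raise ValueError(f"unknown statement kind {kind!r}")


def analyse(stmts):
    """Derives relation of a statement sequence."""
    rel = {}
    for stmt in stmts:
        rel = compose(rel, relation_of(stmt))
    return rel


def format_derives(rel):
    """Render a relation as SPARK-style annotation lines."""
    return ["derives %s from %s;" % (x, ", ".join(sorted(rel[x])))
            for x in sorted(rel)]


# Constructed sample programs, encoding the statements discussed in the thread.
# for I in A'Range loop A(I) := 0; end loop;   (bounds assumed static)
LOOP_INIT = [("for", "I", set(), [("update", "A", {"I"}, set())])]
# A := (others => 0);   (whole-array aggregate, assumed contrast case)
AGGREGATE_INIT = [("assign", "A", set())]
# A(I) := 0; A(J) := 1;   with I and J variables
TWO_UPDATES = [("update", "A", {"I"}, set()), ("update", "A", {"J"}, set())]

if __name__ == "__main__":
    for name, prog in [("loop", LOOP_INIT), ("aggregate", AGGREGATE_INIT),
                       ("two updates", TWO_UPDATES)]:
        print(name, *format_derives(analyse(prog)), sep="\n   ")
```

The fixpoint in the `for` case is what makes the post's remark about transitive closure concrete: a body such as `X := Y; Y := Z;` yields, after closure, X derived from X, Y and Z, because the value flows one step further on every iteration. Note also that `--# hide` has no counterpart here; the analyser only does what the Examiner does when it is asked to look at the body.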