From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,FORGED_GMAIL_RCVD, FREEMAIL_FROM autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: 103376,ad06d2d7cb045687 X-Google-NewGroupId: yes X-Google-Attributes: gida07f3367d7,domainid0,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Received: by 10.68.227.40 with SMTP id rx8mr8727908pbc.5.1328437387297; Sun, 05 Feb 2012 02:23:07 -0800 (PST) Path: lh20ni262806pbb.0!nntp.google.com!news2.google.com!goblin1!goblin2!goblin.stu.neva.ru!newsfeed.xs4all.nl!newsfeed5.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!news2.euro.net!multikabel.net!newsfeed20.multikabel.net!dedekind.zen.co.uk!zen.net.uk!hamilton.zen.co.uk!prichard.zen.co.uk.POSTED!not-for-mail From: Phil Thornley Newsgroups: comp.lang.ada Subject: Re: Silly and stupid post-condition or not ? Date: Sun, 5 Feb 2012 10:23:06 -0000 Message-ID: References: <82wr86fzos.fsf@stephe-leake.org> <5af407fc-2868-44ca-84d2-c51a2a64104d@o4g2000pbc.googlegroups.com> <82k445fu9n.fsf@stephe-leake.org> MIME-Version: 1.0 User-Agent: MicroPlanet-Gravity/3.0.4 Organization: Zen Internet NNTP-Posting-Host: ea226169.news.zen.co.uk X-Trace: DXC=8`baeW]Wj`PX;`6<91B3PZ0g@SS;SF6nWR9OH0:RnENTX7Dn9X`? In article , randy@rrsoftware.com says... > > "Phil Thornley" wrote in message > news:MPG.29972ec7befb6ae9989682@news.zen.co.uk... > > ... > > It would be interesting to have some examples of what you have in mind > > here. > > People forget that Ada uses "access types" rather than "pointers", and the > reason for that is that access types are type-safe (in the absence of > erroneous execution, anyway). When you have type-safety, you know a lot > about what an individual access value can and (more importantly) cannot > point at. That can be used in a compiler optimizer to prove > non-interference, among other things. I'd be surprised if similar > information couldn't be used in proof systems. The original SPARK Rationale says: "All Ada features which require dynamic storage allocation were ruled out, for several reasons. The specification and modelling of access type manipulations, which can involve aliasing, is extremely difficult; for programs using access types it may also be very difficult to achieve security ..., let alone verification." Remember that everything in a SPARK program must have a name, and that it is quite easy to implement dynamic storage for a single type by a simple array (access value <-> array index). Furthermore when dealing with dynamically sized data structures the invariant typically needs to include predicates for the storage space that is not currently in use as well as the storage that is. > > Another area is similar: the profile and contract of a subprogram. Even when > subprograms are dynamically selected (with access-to-subprogram values or > dynamic dispatching), many of the details of the called subprogram are > known. Strengthen that contract even further, and it should be possible to > prove most properties of both sides of the call without knowing anything > significant about exactly *what* subprogram is actually called. (If all of > the subprograms have been proven to conform to the contract, and all > existing calls have been proven to conform to the contract, then dynamic > calls (dispatching and access values) are safe. I guess here that the issue is complexity of implementation versus gain in expressibility. All that the SPARK programmer has to do is to create the appropriate case statement. Yes, this does create an additional maintenance task, but No, it does not (have to) spoil the clarity of the calling code. (A common SPARK idiom is to use locally defined parameterless subprograms - since accessing data globally is no different to access via a parameter - so you just hide the case statement away in one of these.) > > Finally, it's perfectly reasonable to prove useful things about exceptions. > I've heard people say that's impossible because you get a combinational > explosion. But I know that's not really true; a compiler optimizer has to > deal with this and its just adding a single edge to each basic block. And it > could even be simplified more for a program improvement tool by detecting > and rejecting programs that violate the 11.6 rules for use of objects after > an exception. Such programs aren't portable anyway, so they should be > detected and eliminated anyway. Ada compilers can't do this, of course (such > programs being legal but ill-defined; we still have to produce something for > any legal program). The SPARK Rationale says: "Exceptions, designed for dealing with errors or other exceptional situations, might at first sight seem very desirable for safety-critical programming. However, it is easier and more satisfactory to write a program which is exception-free, and prove it to be so, than to prove that the corrective action performed by exception-handlers would be appropriate under all possible circumstances; if checks with recovery actions are required in a program, these can be introduced without resorting to exception handlers, and in general the embedded code will be easier to verify. Since exception-handling also seriously complicates the formal definition of even the sequential part of Ada we believe it should be omitted." There is a huge advantage in compiling a program with all checks suppressed - because the validation must deal with all executable paths in the object code, not just the source code. Support for user defined exceptions is probably one of the enhancements I would most like to have in SPARK - to eliminate all those "Success" parameters that you otherwise need. > > Of course, everything I've talked about requires knowing that there is no > erroneousness and no 11.6 violations. This it probably the hard part, but it > seems to be the first job necessary to make a truly usable proof system > (detect and reject all programs that contain any erroneousness or other > problems). Again, this is not something that an Ada compiler can do, since > such programs are legal but not portable. > > One imagines that you'd have to eliminate a few Ada features from > consideration (abort and it's cousin ATC come to mind), and possible require > the use of storage pools that detect dangling pointers (Ada 2012 gives a > program the possibility of preventing use of the standard storage pool, so > using an alternative is safer). > > Anyway, I know that there is a lot that can be done that hasn't. Of course, > none of this is easy (if it was, it all would have been done years ago by > some hobbyest :-). A final quote from the Rationale: "Of course, the extent to which Ada must be simplified for high- integrity programming will be a matter of opinion: our preoccupation with simplicity is based on experience of what can be achieved with a high degree of confidence in practice, rather than what can be proved in principle. Pedagogical considerations also suggest to us that drastic simplifications must be made. Safety-critical work demands complete mastery of a programming language, so that the programmer can concentrate on what he or she wants to say rather than struggle with the means of expression." Cheers, Phil