From: Phil Thornley <phil.jpthornley@gmail.com>
Subject: Re: SPARK loop VCs that go "one beyond" the loop?
Date: Sun, 25 Mar 2012 15:14:23 +0100
Date: 2012-03-25T15:14:23+01:00 [thread overview]
Message-ID: <MPG.29d9387697c7d9dc989697@news.zen.co.uk> (raw)
In-Reply-To: YridnaJ19_2RZ_PS4p2dnAA@giganews.com
In article <YridnaJ19_2RZ_PS4p2dnAA@giganews.com>, PChapin@vtc.vsc.edu
says...
> Thanks for your comments. They are helpful, as always. The problem I'm
> having, in general (no longer related to any specific VC), is that if
> the loop assertion mentions the loop index variable there is a tendency
> for SPARK to generate an unprovable VC of the form
>
> Hx: loop__1__i <= some_array__index__subtype__1__last
> ...
> Cy: loop__1__i + 1 <= some_array__index__subtype__1__last
>
> This is for the path from the assertion to the assertion and it's trying
> to show that the loop index variable is always in bounds of some
> array... even *after* the last iteration. This generally isn't true, but
> it doesn't matter because there is no "next" iteration in that case.
>
> If I write a loop assertion that doesn't mention the loop index variable
> this problem doesn't arise, naturally. However, I can avoid it anyway by
> doing... something... with that loop assertion. My problem is that I
> haven't quite figured out what triggers VCs like the one above so I have
> to kind of guess my way around how to avoid them.
I don't believe that the Examiner generates a path *to* the loop
iteration for the last iteration - I can only imagine that there is
something you are not seeing.
It's quite true that any VC that references the loop index will have
your Hx above - because the loop index is within the bounds of its
subtype at the start of the path.
However, for all paths from the assertion to the assertion, the Examiner
will certainly generate a hypothesis that the loop index is strictly
less than the final value of the loop range (assuming absence of
'reverse' of course).
Therefore you have to look at what you know about the relative values of
the last loop index value and 'Last of the array index subtype.
This is one part of what was required for the code in in your original
post (Event_Array(I).Description_Size <= Description'Length) and you
provided the other part.
This undoubtedly gets more involved when the last loop index value is an
expression referencing one or more variables, but this shouldn't make
any fundamental difference. (In this case it's sometimes helpful to
temporarily introduce a local variable for the upper bound of the loop
range.)
Cheers,
Phil
prev parent reply other threads:[~2012-03-25 14:14 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-04 16:11 SPARK loop VCs that go "one beyond" the loop? Peter C. Chapin
2012-03-04 18:43 ` Phil Thornley
2012-03-04 19:44 ` Peter C. Chapin
2012-03-06 10:17 ` mark.lorenzen
2012-03-20 18:18 ` Phil Thornley
2012-03-25 10:57 ` Peter C. Chapin
2012-03-25 14:14 ` Phil Thornley [this message]
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox