From: stefan-lucks@see-the.signature
Subject: Re: GNAT packages in Linux distributions
Date: Thu, 13 May 2010 02:37:37 +0200
Date: 2010-05-13T02:37:37+02:00 [thread overview]
Message-ID: <Pine.LNX.4.64.1005130120450.26871@medsec1.medien.uni-weimar.de> (raw)
In-Reply-To: <1aeof68v367bj$.1pps94zw5zmpd.dlg@40tude.net>
On Wed, 12 May 2010, Dmitry A. Kazakov wrote:
> On Wed, 12 May 2010 20:10:26 +0200, stefan-lucks@see-the.signature wrote:
>
> > In Eiffel, I'll either get an answer, or the program will tell that at
> > some point of time when computing, say, the factorial of 100, a certain
> > exception has been raised. (I didn't try out Eiffel, but that is what I
> > would expect.) But if I get an answer, I can be sure it is the right one.
> > That is partial correctness.
>
> 1. Wrong answer is no more/less incorrect as an exception.
We clearly disagree on this point.
Consider being new in a town, and asking how to go from, say, the railway
station to the market place. If we ask a guy who appears to be a local
person in our eyes, but is actually as foreing as we are, most people
would prefer an exception "sorry, I don't know the way" over the answer of
being directed into the wrong direction. If you think, the "sorry" is as
bad as the wrong direction, that is your problem, which I am not
interested in discussing any further.
Yes, there are some applications where the exception is just as bad as the
wrong answer. One such example could be the autopilot of a plane. The
plane may crash because the autopilot stops working, or because the
autopilot acts on wrong results. Crash is crash. But not all applications
have that severe requirments.
In fact, event he autopilot may benefit from checks -- if these are
performed when the plane is still on the ground, and if any failed test
prevents the plane from starting.
> 2. It is unrelated to error checks. The programmer did not use any. That
> Eiffel possibly checks for integer overflow and C does not is irrelevant to
> the issue.
The exception may just as well be raised when checking the postcondition.
> {Any Precondition}
> raise Program_Error;
> {Postcondition}
Yes, that program is partially correct.
Well, Hoare did originally not bother with exceptions, but the following
program is partially correct even in the old
we-do-not-know-about-exceptions sense:
{Any Precondition}
while false loop
null;
end loop;
{Postcondition}
> The problem is that Program_Error does not satisfy postcondition.
> His approach, which I greatly appreciate, is perfectly compatible with
> exceptions. Exception propagation is a part of the program behavior to be
> checked as anything else. E.g.
>
> pre : x = 1
> if x = 1 then
> raise Foo;
> end if;
> post : Foo propagating
>
> This program were be incorrect if it would not raise Foo.
Now I see what you mean. You are asking for contracts which include
exception propagation. Yes, that would be nice to have.
Then you should like Eiffel, because this is what Eiffel actually does. In
Eiffel, the formal postcondition
require P;
is a shortcut notation for the logical
Postcondition: P or else (Postcondition_Violation propagating);
(whatever the name of the exception is), which is the real postcondition
of an Eiffel program. If Eiffel checks P at the end of the program, and
raises that exception when the check fails, then
Eiffel-programs are always correct!
You don't even need to perform any static analysis to ensure their
correctness. (But you must not turn of the checks!)
Of course the catch is that you would rather want to specify
postconditions which exclude exception propagation. I.e., you would need
formal postconditions *without* the "or else propagate something" part. In
Eiffel, there is no way to enforce such postconditions. And how should
that be possible, without static analysis?
Perhaps, the difference between SPARK and Eiffel DbC can be summarised as
follows:
-> Eiffel is a very expressive programming language,
while SPARK is less expressive.
-> The language for contracts in SPARK is more expressive
than the language for contracts in Eiffel.
That doesn't mean that the contracts you can express in Eiffel are
invalid, however.
--
------ Stefan Lucks -- Bauhaus-University Weimar -- Germany ------
Stefan dot Lucks at uni minus weimar dot de
------ I love the taste of Cryptanalysis in the morning! ------
next prev parent reply other threads:[~2010-05-13 0:37 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-09 17:40 GNAT packages in Linux distributions Dmitry A. Kazakov
2010-05-09 18:16 ` Ludovic Brenta
2010-05-09 19:36 ` Dmitry A. Kazakov
2010-05-09 21:26 ` Ludovic Brenta
2010-05-09 21:34 ` Yannick Duchêne (Hibou57)
2010-05-10 1:20 ` Ludovic Brenta
2010-05-10 1:26 ` Ludovic Brenta
2010-05-25 20:40 ` Yannick Duchêne (Hibou57)
2010-05-10 9:41 ` Stephen Leake
2010-05-10 9:46 ` Ludovic Brenta
2010-05-10 14:29 ` sjw
2010-05-11 7:51 ` Ludovic Brenta
2010-05-11 9:33 ` sjw
2010-05-10 18:47 ` Yannick Duchêne (Hibou57)
2010-05-09 21:28 ` Yannick Duchêne (Hibou57)
2010-05-09 21:30 ` Yannick Duchêne (Hibou57)
2010-05-09 22:44 ` Simon Wright
2010-05-10 7:54 ` Dmitry A. Kazakov
2010-05-10 8:02 ` Dmitry A. Kazakov
2010-05-10 18:45 ` Yannick Duchêne (Hibou57)
2010-05-10 21:00 ` Ludovic Brenta
2010-05-10 22:17 ` Yannick Duchêne (Hibou57)
2010-05-11 6:56 ` Ludovic Brenta
2010-05-11 7:39 ` Dmitry A. Kazakov
2010-05-11 8:06 ` Yannick Duchêne (Hibou57)
2010-05-11 15:46 ` Pascal Obry
2010-05-11 16:05 ` Yannick Duchêne (Hibou57)
2010-05-11 16:09 ` Pascal Obry
2010-05-11 16:09 ` Pascal Obry
2010-05-11 17:08 ` stefan-lucks
2010-05-11 16:39 ` Yannick Duchêne (Hibou57)
2010-05-11 19:45 ` Yannick Duchêne (Hibou57)
2010-05-11 23:44 ` Yannick Duchêne (Hibou57)
2010-05-12 12:12 ` Mark Lorenzen
2010-05-12 14:55 ` Yannick Duchêne (Hibou57)
2010-05-11 17:35 ` Pascal Obry
2010-05-11 18:06 ` Yannick Duchêne (Hibou57)
2010-05-11 16:23 ` Yannick Duchêne (Hibou57)
2010-05-11 16:41 ` J-P. Rosen
2010-05-11 16:45 ` Dmitry A. Kazakov
2010-05-11 19:21 ` Yannick Duchêne (Hibou57)
2010-05-12 8:41 ` stefan-lucks
2010-05-12 14:52 ` Yannick Duchêne (Hibou57)
2010-05-12 15:59 ` Phil Thornley
2010-05-12 16:49 ` Yannick Duchêne (Hibou57)
2010-05-13 8:05 ` Phil Thornley
2010-05-12 15:37 ` Dmitry A. Kazakov
2010-05-12 16:06 ` Yannick Duchêne (Hibou57)
2010-05-12 17:24 ` Dmitry A. Kazakov
2010-05-12 18:09 ` Georg Bauhaus
2010-05-12 18:33 ` Dmitry A. Kazakov
2010-05-12 18:53 ` Georg Bauhaus
2010-05-12 21:57 ` Dmitry A. Kazakov
2010-05-13 2:03 ` Georg Bauhaus
2010-05-13 8:39 ` Dmitry A. Kazakov
2010-05-14 23:45 ` Georg Bauhaus
2010-05-15 9:30 ` Dmitry A. Kazakov
2010-05-15 18:39 ` Georg Bauhaus
2010-05-15 20:33 ` Dmitry A. Kazakov
2010-05-15 0:17 ` Robert A Duff
2010-05-15 9:40 ` Dmitry A. Kazakov
2010-05-12 18:15 ` Georg Bauhaus
2010-05-25 20:45 ` Yannick Duchêne (Hibou57)
2010-05-26 7:55 ` Dmitry A. Kazakov
2010-05-26 8:38 ` stefan-lucks
2010-05-26 8:01 ` Yannick Duchêne (Hibou57)
2010-05-26 11:25 ` Yannick Duchêne (Hibou57)
2010-05-26 13:02 ` stefan-lucks
2010-05-26 12:22 ` Yannick Duchêne (Hibou57)
2010-05-27 12:47 ` stefan-lucks
2010-05-27 12:26 ` Yannick Duchêne (Hibou57)
2010-05-26 13:06 ` (see below)
2010-05-27 12:41 ` stefan-lucks
2010-05-27 12:29 ` Yannick Duchêne (Hibou57)
2010-05-27 15:21 ` (see below)
2010-06-03 3:16 ` Yannick Duchêne (Hibou57)
2010-06-03 10:42 ` Brian Drummond
2010-06-03 21:14 ` (see below)
2010-06-03 22:00 ` Britt Snodgrass
2010-06-03 22:29 ` (see below)
2010-06-03 13:49 ` (see below)
2010-06-04 13:49 ` Georg Bauhaus
2010-06-04 13:53 ` Georg Bauhaus
2010-06-04 14:24 ` Yannick Duchêne (Hibou57)
2010-06-04 17:34 ` Georg Bauhaus
2010-06-04 15:29 ` (see below)
2010-05-12 18:10 ` stefan-lucks
2010-05-12 17:48 ` Dmitry A. Kazakov
2010-05-13 0:37 ` stefan-lucks [this message]
2010-05-13 9:09 ` Dmitry A. Kazakov
2010-05-13 0:33 ` Yannick Duchêne (Hibou57)
2010-05-10 14:15 ` GNAT Pro license (was: " Peter Hermann
2010-05-10 1:40 ` Björn Persson
2010-05-10 2:04 ` Yannick Duchêne (Hibou57)
2010-05-10 7:01 ` Ludovic Brenta
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox