From: stefan-lucks@see-the.signature
Subject: Re: Silly and stupid post‑condition or not ?
Date: Wed, 1 Feb 2012 11:37:31 +0100
Date: 2012-02-01T11:37:31+01:00 [thread overview]
Message-ID: <Pine.LNX.4.64.1202011054270.26654@medsec1.medien.uni-weimar.de> (raw)
In-Reply-To: <1wn5azarpihb1.13g4tvu7fddve.dlg@40tude.net>
On Wed, 1 Feb 2012, Dmitry A. Kazakov wrote:
> But that seems not bad enough. To make the disaster complete, it should
> become undefined as well. Right?
This doesn't need to be a disaster.
1. For the purpose of proving program correctness, you don't necessarily
need complete postconditions. As a trivial example, consider
function F(X: Natural) return Natural
with Post => (if (X mod 2) = 1 then ...);
We don't have any precondition. For even X, we don't even have a
postcondition. But using the partial postcondition we have, we can
completely define the semantic behavior of
Y := F(X) * (F(X) mod 2);
If that is all what we need F for, why should we bother with any
postcondition or even X?
2. Sometimes, it may hard to prove the entire contract. So we will try to
prove the "important" requirements in the contract, and try to convince
ourselves by conventional means (testing, code review, ...) that other
requirements are also satisfied. E.g., for a database with confidential
and non-confidential data, we be very happy to prove that any response
to a query from an unauthorized entity will be derived from
non-confidential data only. You have proven your system to be secure!
A system may be secure but still be not quite functional. E.g., you may
further like to prove that the response to a query from an authorized
entity will be derived from all data, the confidential and the
non-confidential ones. If you can, fine! Otherwise, apply conventional
means ...
In fact, some relevant contract requirements may actually be hard to
specify. What is the "correct" answer in some informational retrieval
setting (e.g., when you google for "Dmitry A. Kazakov")? Do you really
propose not to formally specify anything, just because we cannot specify
everything?
This is pretty much the same in the real world. When you go to a
restaurant and order a meal, you expect a tasty meal. But the end,
being "tasty" is ... a matter of taste. If you have no other complaints
than "it wasn't to my taste", you still have to pay the bill. Thus,
being "tasty" is expected by the customer, but not part of the
postcondition. On the other hand, certain hygienic standards are
defined binding laws for all restaurants (in a given country or state).
This is actually a postcondition, inherited from the abstract class of
"all restaurants in my country". Would you claim that hygienic
standards are useless, because you cannot define tasty Ness?
Back to the original poster's question:
>> function Parsed (S : String) return Parsed_Type
>> with Post =>
>> (if S'Length not in Image_Length_Type then
>> Parsed'Result.Status = Format_Error);
>> -- There may be other failure conditions.
What is special about that specific failure condition that singles it out
from all other failure conditions?
--
---- Stefan.Lucks (at) uni-weimar.de, University of Weimar, Germany ----
<http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
------ I love the taste of Cryptanalysis in the morning! ------
next prev parent reply other threads:[~2012-02-01 10:35 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-30 23:11 Silly and stupid post‑condition or not ? Yannick Duchêne (Hibou57)
2012-01-31 6:47 ` J-P. Rosen
2012-01-31 18:48 ` Jeffrey Carter
2012-01-31 22:02 ` Yannick Duchêne (Hibou57)
2012-01-31 8:54 ` Dmitry A. Kazakov
2012-01-31 9:35 ` Georg Bauhaus
2012-01-31 10:22 ` Dmitry A. Kazakov
2012-01-31 12:33 ` Georg Bauhaus
2012-01-31 13:52 ` Dmitry A. Kazakov
2012-01-31 15:34 ` Georg Bauhaus
2012-01-31 16:24 ` Dmitry A. Kazakov
2012-01-31 19:44 ` Georg Bauhaus
2012-02-01 8:41 ` Dmitry A. Kazakov
2012-02-01 10:37 ` stefan-lucks [this message]
2012-02-01 10:51 ` Yannick Duchêne (Hibou57)
2012-02-01 13:49 ` Yannick Duchêne (Hibou57)
2012-02-01 13:49 ` Dmitry A. Kazakov
2012-02-01 16:37 ` stefan-lucks
2012-02-02 1:50 ` Silly and stupid post�?'condition " Randy Brukardt
2012-02-02 1:56 ` Silly and stupid postâ?'condition or not ? Yannick Duchêne (Hibou57)
2012-02-03 2:45 ` Silly and stupid post�?'condition or not ? Randy Brukardt
2012-02-02 8:25 ` Silly and stupid post‑condition " Dmitry A. Kazakov
2012-02-02 9:01 ` stefan-lucks
2012-02-02 9:18 ` stefan-lucks
2012-02-02 10:04 ` Dmitry A. Kazakov
2012-01-31 22:08 ` Yannick Duchêne (Hibou57)
2012-01-31 17:28 ` Dmitry A. Kazakov
2012-01-31 22:12 ` Yannick Duchêne (Hibou57)
2012-02-01 8:49 ` Dmitry A. Kazakov
2012-02-01 8:36 ` Stephen Leake
2012-02-01 16:30 ` Silly and stupid post-condition " Adam Beneschan
2012-02-02 9:40 ` Stephen Leake
2012-02-02 13:20 ` Georg Bauhaus
2012-02-02 13:35 ` Yannick Duchêne (Hibou57)
2012-02-03 3:13 ` Randy Brukardt
2012-02-03 3:33 ` Yannick Duchêne (Hibou57)
2012-02-03 8:12 ` Simon Wright
2012-02-07 2:29 ` BrianG
2012-02-07 10:43 ` Simon Wright
2012-02-08 2:25 ` BrianG
2012-02-07 21:15 ` Robert A Duff
2012-02-03 9:11 ` Dmitry A. Kazakov
2012-02-04 3:27 ` Randy Brukardt
2012-02-04 10:15 ` Dmitry A. Kazakov
2012-02-03 12:25 ` Phil Thornley
2012-02-04 9:30 ` Phil Thornley
2012-02-04 12:02 ` Phil Thornley
2012-02-05 6:18 ` Randy Brukardt
2012-02-05 10:23 ` Phil Thornley
2012-02-05 10:55 ` Yannick Duchêne (Hibou57)
2012-02-05 15:03 ` Robert A Duff
2012-02-05 18:04 ` Phil Thornley
2012-02-05 21:27 ` Robert A Duff
2012-02-05 23:09 ` Phil Thornley
2012-02-07 2:05 ` Randy Brukardt
2012-02-07 9:38 ` Dmitry A. Kazakov
2012-02-05 11:31 ` Yannick Duchêne (Hibou57)
2012-02-05 14:50 ` Robert A Duff
2012-02-07 2:11 ` Randy Brukardt
2012-02-07 2:34 ` BrianG
2012-02-07 4:38 ` Yannick Duchêne (Hibou57)
2012-02-09 3:10 ` Randy Brukardt
2012-02-04 23:07 ` Stephen Leake
2012-02-05 2:49 ` Yannick Duchêne (Hibou57)
2012-02-05 6:29 ` Randy Brukardt
2012-02-05 11:40 ` Yannick Duchêne (Hibou57)
2012-02-07 1:36 ` Randy Brukardt
2012-02-05 15:16 ` Robert A Duff
2012-02-06 4:56 ` Yannick Duchêne (Hibou57)
2012-02-06 14:39 ` Robert A Duff
2012-02-06 16:12 ` Yannick Duchêne (Hibou57)
2012-02-07 1:46 ` Randy Brukardt
2012-02-07 17:24 ` Robert A Duff
2012-02-03 6:26 ` J-P. Rosen
2012-02-03 9:12 ` Dmitry A. Kazakov
2012-02-03 9:48 ` Yannick Duchêne (Hibou57)
2012-02-03 11:09 ` Dmitry A. Kazakov
2012-02-03 11:40 ` Yannick Duchêne (Hibou57)
2012-02-03 13:18 ` Dmitry A. Kazakov
2012-02-03 14:14 ` Yannick Duchêne (Hibou57)
2012-02-03 14:45 ` Dmitry A. Kazakov
2012-02-04 3:16 ` Randy Brukardt
2012-02-04 6:27 ` Yannick Duchêne (Hibou57)
2012-02-04 10:47 ` Dmitry A. Kazakov
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox