From: JP Thornley <jpt@diphi.demon.co.uk>
Subject: Re: Newbie question: SPARK verification condition on member of private record
Date: Thu, 2 Apr 2009 16:22:01 +0100
Date: 2009-04-02T16:22:01+01:00 [thread overview]
Message-ID: <XQOei4CZgN1JJw9Y@diphi.demon.co.uk> (raw)
In-Reply-To: JKKdnWLcDdxDNUnUnZ2dnUVZ8sCWnZ2d@posted.plusnet
In article <JKKdnWLcDdxDNUnUnZ2dnUVZ8sCWnZ2d@posted.plusnet>, Tim Rowe
<spamtrap@tgrowe.plus.net> writes
>That's giving me conclusions to prove like:
>H1: get_order(this) < 5000 .
>H2: 1 - get_probability(this) >= event_conjunctions__get_probability(
> conjunction) .
>H3: fld_highest_valid_index(this) >= 1 .
>H4: fld_highest_valid_index(this) <= 4999 .
> ->
>C1: get_order(upf_probability(upf_events(upf_highest_valid_index(this,
> fld_highest_valid_index(this) + 1), update(fld_events(this), [
> fld_highest_valid_index(this) + 1], conjunction)),
>fld_probability(
> this) + event_conjunctions__get_probability(conjunction))) =
> get_order(this) + 1 .
>
>That's one of the easier ones. The point is that upf_probability,
>upf_events and update can't affect the result of get_order. Knowing
>that I can reduce the espression to
> get_order(
> upf_highest_valid_index
> (
> this, fld_highest_valid_index(this) + 1
> )
> ) = get_order(this) + 1
>
>which I can prove easily enough, but the process seems error prone (as
>I say, this is one of the simpler ones). If I /could/ give the tools
>some hints to reduce it it would be a big help. Maybe I /should/ make
>the record public!
Well, it all depends on how much rigour you need.
For a fully rigorous proof you have to use the Proof Checker on the
generated VC as this will only let you eliminate upf_/update's if it is
valid to do so.
For a less rigorous proof you create one or more user rules that
eliminate the upf_/updates and, if you feel the need, justify the rule
by creating and proving the equivalent VC in the Proof Checker.
The usual recommendation for updating records is to assign an aggregate
rather than individual components (this gets rid of all the
upf_/update's), but the need to update an element of the array makes it
more awkward in this case. If the record had any more components I would
recommend separating out the array and its index to their own record
type, but that is probably overkill here.
>
>
>If nothing else, I found an error in the postcondition by explaining
>this ;-)
That's a lot easier than the usual way (banging head against desk until
you eventually realise that it's not a problem with the tools).
Phil
--
JP Thornley
next prev parent reply other threads:[~2009-04-02 15:22 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-01 19:38 Newbie question: SPARK verification condition on member of private record Tim Rowe
2009-04-01 21:04 ` JP Thornley
2009-04-01 23:50 ` Tim Rowe
2009-04-02 9:00 ` JP Thornley
2009-04-02 12:00 ` Tim Rowe
2009-04-02 15:22 ` JP Thornley [this message]
2009-04-02 18:09 ` roderick.chapman
2009-04-03 11:26 ` Tim Rowe
2009-04-02 23:58 ` Tim Rowe
2009-04-03 13:36 ` JP Thornley
2009-04-06 11:49 ` Tim Rowe
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox