Re: Newbie question: SPARK verification condition on member of private record

comp.lang.ada
 help / color / mirror / Atom feed

From: JP Thornley <jpt@diphi.demon.co.uk>
Subject: Re: Newbie question: SPARK verification condition on member of private record
Date: Thu, 2 Apr 2009 16:22:01 +0100
Date: 2009-04-02T16:22:01+01:00	[thread overview]
Message-ID: <XQOei4CZgN1JJw9Y@diphi.demon.co.uk> (raw)
In-Reply-To: JKKdnWLcDdxDNUnUnZ2dnUVZ8sCWnZ2d@posted.plusnet

In article <JKKdnWLcDdxDNUnUnZ2dnUVZ8sCWnZ2d@posted.plusnet>, Tim Rowe 
<spamtrap@tgrowe.plus.net> writes
>That's giving me conclusions to prove like:
>H1:    get_order(this) < 5000 .
>H2:    1 - get_probability(this) >= event_conjunctions__get_probability(
>          conjunction) .
>H3:    fld_highest_valid_index(this) >= 1 .
>H4:    fld_highest_valid_index(this) <= 4999 .
>       ->
>C1:    get_order(upf_probability(upf_events(upf_highest_valid_index(this,
>          fld_highest_valid_index(this) + 1), update(fld_events(this), [
>          fld_highest_valid_index(this) + 1], conjunction)), 
>fld_probability(
>          this) + event_conjunctions__get_probability(conjunction))) =
>          get_order(this) + 1 .
>
>That's one of the easier ones. The point is that upf_probability, 
>upf_events and update can't affect the result of get_order. Knowing 
>that I can reduce the espression to
>       get_order(
>          upf_highest_valid_index
>          (
>             this, fld_highest_valid_index(this) + 1
>          )
>       ) = get_order(this) + 1
>
>which I can prove easily enough, but the process seems error prone (as 
>I say, this is one of the simpler ones). If I /could/ give the tools 
>some hints to reduce it it would be a big help. Maybe I /should/ make 
>the record public!
Well, it all depends on how much rigour you need.

For a fully rigorous proof you have to use the Proof Checker on the 
generated VC as this will only let you eliminate upf_/update's if it is 
valid to do so.

For a less rigorous proof you create one or more user rules that 
eliminate the upf_/updates and, if you feel the need, justify the rule 
by creating and proving the equivalent VC in the Proof Checker.

The usual recommendation for updating records is to assign an aggregate 
rather than individual components (this gets rid of all the 
upf_/update's), but the need to update an element of the array makes it 
more awkward in this case. If the record had any more components I would 
recommend separating out the array and its index to their own record 
type, but that is probably overkill here.

>
>
>If nothing else, I found an error in the postcondition by explaining 
>this ;-)

That's a lot easier than the usual way (banging head against desk until 
you eventually realise that it's not a problem with the tools).

Phil

-- 
JP Thornley

next prev parent reply	other threads:[~2009-04-02 15:22 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-01 19:38 Newbie question: SPARK verification condition on member of private record Tim Rowe
2009-04-01 21:04 ` JP Thornley
2009-04-01 23:50   ` Tim Rowe
2009-04-02  9:00     ` JP Thornley
2009-04-02 12:00       ` Tim Rowe
2009-04-02 15:22         ` JP Thornley [this message]
2009-04-02 18:09           ` roderick.chapman
2009-04-03 11:26             ` Tim Rowe
2009-04-02 23:58           ` Tim Rowe
2009-04-03 13:36             ` JP Thornley
2009-04-06 11:49               ` Tim Rowe

replies disabled

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox