Min/Max attribute makes promises it can't keep

Min/Max attribute makes promises it can't keep

[Alex Mentis]

I'm disappointed with some allowed syntax that seems a little error-
prone.  Consider the following code:

with Ada.Integer_Text_Io; use Ada.Integer_Text_Io;

procedure Main is

   Nat : constant Natural := 0;
   Pos : Positive;

begin

   Get (Pos);
   Put (Positive'Min(Nat, Pos)); -- Ada does not require the Min
attribute to enforce a Positive result

end Main;

This program happily outputs that the minimum of (0 and whatever
positive value you enter) is 0.  Now, I concede that the program is
working exactly as the ARM specifies.  The Min (and Max) attribute
functions accept and return types of S'Base, in this case
Positive'Base.  But doesn't it seem like a bit of a tease to allow a
programmer to specify S'Min if the compiler is allowed to ignore the
type of S in the function's parameter list and the program does not
raise a Constraint_Error at run-time if it returns a value outside the
range of type S?

If it's too hard to enforce strictly then maybe the functions should
be named Unchecked_Min/Unchecked_Max.  Or maybe the programmer should
be constrained to using the attributes with only a base type.  Or, at
the very least, can't the compiler generate a warning about this?  I
turned on all warnings in GPS and got nothing.

Things that make you go hmmm...

Alex

Re: Min/Max attribute makes promises it can't keep

[Martin]

On Apr 27, 8:34 pm, Alex Mentis <asmen...@gmail.com> wrote:
> I'm disappointed with some allowed syntax that seems a little error-
> prone.  Consider the following code:
>
> with Ada.Integer_Text_Io; use Ada.Integer_Text_Io;
>
> procedure Main is
>
>    Nat : constant Natural := 0;
>    Pos : Positive;
>
> begin
>
>    Get (Pos);
>    Put (Positive'Min(Nat, Pos)); -- Ada does not require the Min
> attribute to enforce a Positive result
>
> end Main;
>
> This program happily outputs that the minimum of (0 and whatever
> positive value you enter) is 0.  Now, I concede that the program is
> working exactly as the ARM specifies.  The Min (and Max) attribute
> functions accept and return types of S'Base, in this case
> Positive'Base.  But doesn't it seem like a bit of a tease to allow a
> programmer to specify S'Min if the compiler is allowed to ignore the
> type of S in the function's parameter list and the program does not
> raise a Constraint_Error at run-time if it returns a value outside the
> range of type S?
>
> If it's too hard to enforce strictly then maybe the functions should
> be named Unchecked_Min/Unchecked_Max.  Or maybe the programmer should
> be constrained to using the attributes with only a base type.  Or, at
> the very least, can't the compiler generate a warning about this?  I
> turned on all warnings in GPS and got nothing.
>
> Things that make you go hmmm...
>
> Alex

If you want the check, this should do:

begin
   Get (Pos);
   Put (Positive (Positive'Min(Nat, Pos)));
end ...

-- Martin

Re: Min/Max attribute makes promises it can't keep

[Robert A Duff]

Martin <martin.dowie@btopenworld.com> writes:

>    Put (Positive (Positive'Min(Nat, Pos)));

That works, but I think a qualified expression is better:

   Put (Positive'(Positive'Min(Nat, Pos)));

By the way, there are lots of attributes that work
like this (use the base subtype).  It's not just Min
and Max.

- Bob

Re: Min/Max attribute makes promises it can't keep

[Randy Brukardt]

"Robert A Duff" <bobduff@shell01.TheWorld.com> wrote in message 
news:wcczl0o7g13.fsf@shell01.TheWorld.com...
> Martin <martin.dowie@btopenworld.com> writes:
>
>>    Put (Positive (Positive'Min(Nat, Pos)));
>
> That works, but I think a qualified expression is better:
>
>   Put (Positive'(Positive'Min(Nat, Pos)));
>
> By the way, there are lots of attributes that work
> like this (use the base subtype).  It's not just Min
> and Max.

Right. Attributes mostly type-related, not subtype-related. The name in the 
prefix serves to identify the type, not the subtype (there are no named 
types in Ada, only named subtypes).

All of 'Succ, 'Pred, 'Val, and 'Value work this way, and there are probably 
many, many more. Even 'First and 'Last technically work this way (although 
it doesn't matter in that case).

                           Randy.

Re: Min/Max attribute makes promises it can't keep

[Alex Mentis]

On Apr 27, 5:16 pm, Robert A Duff <bobd...@shell01.TheWorld.com>
wrote:
> Martin <martin.do...@btopenworld.com> writes:
> >    Put (Positive (Positive'Min(Nat, Pos)));
>
> That works, but I think a qualified expression is better:
>
>    Put (Positive'(Positive'Min(Nat, Pos)));
>
> By the way, there are lots of attributes that work
> like this (use the base subtype).  It's not just Min
> and Max.
>
> - Bob

I think you all missed my point: allowing the programmer to specify a
constraint in situations where the constraint will not be enforced
could cause confusion/error for someone who doesn't have the entire
ARM memorized....

Yes, I know there are ways to force Ada to do the check, like explicit
type conversion and qualified expressions.  That's pretty ugly,
though.  If I already have to put the type in front of the attribute,
why should I have to put the type in front of that again?  As long as
we're posting work-arounds, though, I suppose I would use the
following:

with Ada.Integer_Text_Io; use Ada.Integer_Text_Io;

procedure Main is

   function Min(Value_1, Value_2 : Integer) return Integer renames
Integer'Min;

   Nat : constant Natural := 0;
   Pos : Positive;

begin

   Get (Pos);
   Put (Positive'(Min(Nat, Pos))); -- return a Positive result from
renamed Min else raise a Constraint_Error

end Main;

Re: Min/Max attribute makes promises it can't keep

[AdaMagica]

> I think you all missed my point: allowing the programmer to specify a
> constraint in situations where the constraint will not be enforced

But the prefix of an attribute reference does not specify a
constraint.

Integer'Min, Positive'Min, Natural'Min are all the same.

Re: Min/Max attribute makes promises it can't keep

[Gautier write-only]

On 28 Apr., 12:58, AdaMagica <christoph.gr...@eurocopter.com> wrote:
> > I think you all missed my point: allowing the programmer to specify a
> > constraint in situations where the constraint will not be enforced
>
> But the prefix of an attribute reference does not specify a
> constraint.
>
> Integer'Min, Positive'Min, Natural'Min are all the same.

But it should, at least in the case of Min/Max.
Integer'Min, Positive'Min, Natural'Min being all the same breaches the
spirit of the Ada language (what you see is what it means).
A topic for Ada 201z...
______________________________________________________________
Gautier's Ada programming -- http://gautiersblog.blogspot.com/
NB: For a direct answer, e-mail address on the following web site:
http://www.fechtenafz.ethz.ch/wm_email.htm

Re: Min/Max attribute makes promises it can't keep

[AdaMagica]

> > But the prefix of an attribute reference does not specify a
> > constraint.
>
> > Integer'Min, Positive'Min, Natural'Min are all the same.
>
> But it should, at least in the case of Min/Max.
> Integer'Min, Positive'Min, Natural'Min being all the same breaches the
> spirit of the Ada language (what you see is what it means).
> A topic for Ada 201z...

We could have had is thus and unconstrained Min as Positive'Base'Min
when Min was introduced...

But it is as it is, and your proposal would be a severe
incompatibility, so it won't fly.

Re: Min/Max attribute makes promises it can't keep

[Martin]

On Apr 28, 12:47 pm, AdaMagica <christoph.gr...@eurocopter.com> wrote:
> > > But the prefix of an attribute reference does not specify a
> > > constraint.
>
> > > Integer'Min, Positive'Min, Natural'Min are all the same.
>
> > But it should, at least in the case of Min/Max.
> > Integer'Min, Positive'Min, Natural'Min being all the same breaches the
> > spirit of the Ada language (what you see is what it means).
> > A topic for Ada 201z...
>
> We could have had is thus and unconstrained Min as Positive'Base'Min
> when Min was introduced...
>
> But it is as it is, and your proposal would be a severe
> incompatibility, so it won't fly.

How about new attributes 'Safe_Min / ''Safe_Max?

-- Martin

Re: Min/Max attribute makes promises it can't keep

[Dmitry A. Kazakov]

On Wed, 28 Apr 2010 04:47:42 -0700 (PDT), AdaMagica wrote:

>>> But the prefix of an attribute reference does not specify a
>>> constraint.
>>
>>> Integer'Min, Positive'Min, Natural'Min are all the same.
>>
>> But it should, at least in the case of Min/Max.
>> Integer'Min, Positive'Min, Natural'Min being all the same breaches the
>> spirit of the Ada language (what you see is what it means).
>> A topic for Ada 201z...
> 
> We could have had is thus and unconstrained Min as Positive'Base'Min
> when Min was introduced...
> 
> But it is as it is, and your proposal would be a severe
> incompatibility, so it won't fly.

Well, the proposal might be to fix rather the issue of the superfluous
subtype specification. Obviously Max (and many other attributes) are
primitive operations and need no subtype to specify. So:

    X'Succ, X'Pred, X'Image

Specifically max and min should be a dyadic operations:

   function "max" (Left, Right : T) return T'Base;

(and, please, no new reserved keywords!)

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: Min/Max attribute makes promises it can't keep

[Georg Bauhaus]

On 28.04.10 15:41, Dmitry A. Kazakov wrote:

> Well, the proposal might be to fix rather the issue of the superfluous
> subtype specification. Obviously Max (and many other attributes) are
> primitive operations and need no subtype to specify. So:
> 
>     X'Succ, X'Pred, X'Image

That'll be fun:

C'Succ'Succ

'C'&'&''Succ

''''Succ

(M + N)'Succ


.-)

Re: Min/Max attribute makes promises it can't keep

[Dmitry A. Kazakov]

On Wed, 28 Apr 2010 16:10:46 +0200, Georg Bauhaus wrote:

> On 28.04.10 15:41, Dmitry A. Kazakov wrote:
> 
>> Well, the proposal might be to fix rather the issue of the superfluous
>> subtype specification. Obviously Max (and many other attributes) are
>> primitive operations and need no subtype to specify. So:
>> 
>>     X'Succ, X'Pred, X'Image
> 
> That'll be fun:
> 
> C'Succ'Succ
> 
> 'C'&'&''Succ
> 
> ''''Succ
> 
> (M + N)'Succ

This is a slightly different design flaw. Things like "abc"'Length,
"abc"'First are illegal in Ada. No fun!

BTW, if you prefer dotted notation it could be

   X.Succ

as well.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: Min/Max attribute makes promises it can't keep

[Randy Brukardt]

"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message 
news:1t4extnm6iluj.r4x652cntogc$.dlg@40tude.net...
> On Wed, 28 Apr 2010 16:10:46 +0200, Georg Bauhaus wrote:
>
>> On 28.04.10 15:41, Dmitry A. Kazakov wrote:
>>
>>> Well, the proposal might be to fix rather the issue of the superfluous
>>> subtype specification. Obviously Max (and many other attributes) are
>>> primitive operations and need no subtype to specify. So:
>>>
>>>     X'Succ, X'Pred, X'Image
>>
>> That'll be fun:
>>
>> C'Succ'Succ
>>
>> 'C'&'&''Succ
>>
>> ''''Succ
>>
>> (M + N)'Succ
>
> This is a slightly different design flaw. Things like "abc"'Length,
> "abc"'First are illegal in Ada. No fun!

That's not a real problem. Ada 2012 will allow

    String'("abc")'Length

As a qualified expression can be used as a name (it's considered constant).

If you think this is weird, Tucker points out that you can already write:

   String(String'("abc"))'Length

in Ada 95, as a type conversion is a name. We did wonder if any compilers 
could actually handle it, but given that this long-winded locution is 
already legal, the shorter one might was well be legal as well.

As for the initial concern about giving a subtype name, in the case of 
literals you have to give one somewhere (since a literal can be of many 
different types, and the results can vary depending on the type used -- not 
for 'Length, but for 'Last and most other properties).

We did talk a bit about object attributes like suggested back a few messages 
for Ada 2012. We didn't get much consensus, mainly because I think people 
were looking at the wrong questions.

                            Randy.

Re: Min/Max attribute makes promises it can't keep

[Dmitry A. Kazakov]

On Wed, 28 Apr 2010 16:07:24 -0500, Randy Brukardt wrote:

> As for the initial concern about giving a subtype name, in the case of 
> literals you have to give one somewhere (since a literal can be of many 
> different types, and the results can vary depending on the type used -- not 
> for 'Length, but for 'Last and most other properties).

No problem, Ada supports overloading in the result type. E.g. abs (-1) is
OK.

(I have an impression that many weird Ada rules rooted in an attempt to
express them at the grammar level.)

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de

Re: Min/Max attribute makes promises it can't keep

[AdaMagica]

On 28 Apr., 23:07, "Randy Brukardt" <ra...@rrsoftware.com> wrote:
> That's not a real problem. Ada 2012 will allow
>
>     String'("abc")'Length
>
> As a qualified expression can be used as a name (it's considered constant).

This whole discussion begs the question "What is an attribute?". I
think the Ada 83 design idea was that the basic scalar types only have
operators as functions. (See package Standard, there you find only
operators (except for the fact that enumeration literals are also
functions).) Everything else (like 'Image) was defined as an
attribute.

Thus Min, if it had existed in Ada 83 as an operator (it hadn't even
as an attribute), would have had to be a reserved word like abs, not,
rem, mod.

I think Ada 95 kept this design issue and thus had to define it as an
attribute.

Re: Min/Max attribute makes promises it can't keep

[Randy Brukardt]

"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message 
news:1p28brlj9yc3k$.1nv0ey1aadvoi$.dlg@40tude.net...
> On Wed, 28 Apr 2010 16:07:24 -0500, Randy Brukardt wrote:
>
>> As for the initial concern about giving a subtype name, in the case of
>> literals you have to give one somewhere (since a literal can be of many
>> different types, and the results can vary depending on the type used --  
>> not
>> for 'Length, but for 'Last and most other properties).
>
> No problem, Ada supports overloading in the result type. E.g. abs (-1) is
> OK.

That doesn't help. Consider:

    type My_String is array (Natural range <>) of Character;

Now, if you wrote:

    "ABC"'First

The answer depends on whether the type of the prefix is String or My_String, 
but the type is Integer'Base in both cases. No amount of overloading will 
help.

The language does not want the compiler to have to list out all of the 
possible types for a string literal, figure out the appropriate bounds for 
all of them, take all of the ones with the appropriate index type, and then 
allow the attribute if the answer is the same. (Recall that *every* Ada 
program has at least three string types available.)

Similar rules are used for aggregates, the operand of a type conversion, and 
other places. No context can be used as figuring out an answer if it could 
is just too difficult. (There are a couple of exceptions for attribute 
prefixes, particularly 'Access, as we found that the typical rule is too 
limiting, but those are tightly bounded.)

                            Randy.

Re: Min/Max attribute makes promises it can't keep

[Dmitry A. Kazakov]

On Sat, 1 May 2010 00:42:53 -0500, Randy Brukardt wrote:

> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message 
> news:1p28brlj9yc3k$.1nv0ey1aadvoi$.dlg@40tude.net...
>> On Wed, 28 Apr 2010 16:07:24 -0500, Randy Brukardt wrote:
>>
>>> As for the initial concern about giving a subtype name, in the case of
>>> literals you have to give one somewhere (since a literal can be of many
>>> different types, and the results can vary depending on the type used --  
>>> not
>>> for 'Length, but for 'Last and most other properties).
>>
>> No problem, Ada supports overloading in the result type. E.g. abs (-1) is
>> OK.
> 
> That doesn't help. Consider:
> 
>     type My_String is array (Natural range <>) of Character;
> 
> Now, if you wrote:
> 
>     "ABC"'First
> 
> The answer depends on whether the type of the prefix is String or My_String, 
> but the type is Integer'Base in both cases. No amount of overloading will 
> help.

How is that different to:

   package P is
      function ABC return String;
   end P;
   package Q is
      type My_String is array (Natural range <>) of Character;
      function ABC return My_String;
   end Q;
   use P,Q;
   ...
   ABC'First; -- Ambiguous

> The language does not want the compiler to have to list out all of the 
> possible types for a string literal, figure out the appropriate bounds for 
> all of them, take all of the ones with the appropriate index type, and then 
> allow the attribute if the answer is the same.

That would be silly, of course. But it is not what I meant. Attribute
should be an overloaded operation as any other. If the expression happens
to be ambiguous there are language means to specify what it is.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de