From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: {Pre,Post}conditions and side effects
Date: Thu, 7 May 2015 12:06:29 +0200
Organization: Bauhaus-Universitaet Weimar

On Wed, 6 May 2015, Randy Brukardt wrote:

> If that's all Ada is going to be used for, it's completely irrelevant what
> features it has. I would never have used Ada personally if that was the
> case. Ada (IMHO) is a language to write (more) correct programs, no matter
> what kind of programs you write.

Good point!

> The basic idea behind the preconditions in Ada 2012 is to give a way for
> people (and implementations and tools as well) to ease into using additional
> checking and proof.

Actually, the first thing is to ease writing and maintaining proper
specifications, disregarding either run-time checks or proofs. One could
see them as enhanced comments. Quite often I have seen something like

   function Divide(Dividend, Divisor: Numeric_Type) return Numeric_Type;
   -- requires Y /= 0.0

This is a simplistic example, where one can easily guess that someone has
changed the name of the parameter "Y" into "Divisor". But in reality, this
is not always so obvious.

> Almost no one is willing to submit to the horrors of complete
> description of entities as required by SPARK.

Actually, you don't need *complete* descriptions for SPARK. Often,
verifying incomplete descriptions can be useful. Of course, the static
verification will only verify the properties you describe.

> But (almost?) everyone using Ada would be interested in improving the
> correctness of their programs, one assertion at a time.

That is the point.

> By extending those mechanisms (via predicates and preconditions) to
> arbitrary expressions, we allow much more such error detection to occur.

Agreed!

> I don't believe that checks in Ada (of any kind) should ever be turned off.

Here, I heavily disagree. Often, checking relevant properties is much too
expensive to perform them in production code.

A simple example is binary search over a sorted array. The precondition
requires the array to be sorted. If the compiler succeeds in optimising
the test away, it is equivalent to a static program verifier proving the
precondition holds when the binary search is called. If the compiler fails
to optimise the check away, the execution time goes up from logarithmic to
linear. If you can live with that, you don't need binary search!

Actually, one thing I am missing from Ada 2012 is a convenient and
fine-grained way to tell the compiler which pre- and postconditions and
invariants are to be checked, and which checks are to be skipped.

Most urgently, I would expect an option to skip checking ordinary pre- and
postconditions, without skipping those that explicitly raise some
exceptions. The point is, these two forms of precondition are semantically
totally different:

The semantic of a plain precondition is essentially:

  * If I am True, the postcondition will hold.
    Never call the subprogram if I am false!!!
    Otherwise, the subprogram might do anything.

This is a precondition in the "Design by Contract" sense. A typical example
for this would be "the array is sorted" when calling binary search. If you
call a binary search routine with an unsorted array, you will likely get
false results. And you deserve the blame!

The semantic of a precondition with something like "else raise
This_Exception" is

  * If I am True, the postcondition will hold when the subprogram
    terminates. If I am False, the subprogram will not do anything, except
    for raising This_Exception.

A typical example for this kind of precondition would be "the file exists"
when trying to open a file. (BTW, I would prefer a phrase different from
"precondition" for this kind of thing, but that appears to be too late for
Ada, now.)

Maybe, Ada 202X could include something like

   with Pre       => ...   -- plain precondition, can be turned off
        Pre'Check => ...   -- must be checked at run time

> I also don't believe in separate proof tools. That's something that should
> be a basic part of the compiler (it has to be to do optimization, check
> elimination, and the like anyway). The difficult question is how to feed
> information about those things (particular checks known to fail) back to the
> programmer (as optimization phases tend to run without messages, and the
> messages that they do give are rather non-specific). In order for proof to
> be part of the compiler, the proof language has to be part of the language.

Did you try out SPARK 2014? The proof language is part of the language,
and with a proper usage of gnat project files, calling the prover becomes
as much part of the compilation process as calling the syntax checker.

Stefan

------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
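An added Ada 2012 illustration of the two kinds of precondition the post contrasts (this is not code from the post or its author): a plain Design-by-Contract Pre on a binary search, whose Is_Sorted check is linear in the array size, beside a precondition that raises explicitly. The Divide_By_Zero exception name and the sample array are assumed/constructed; both contracts are governed by pragma Assertion_Policy, so with assertions ignored the raising one is skipped too, which is exactly the distinction the post says Ada 2012 lacks.

```ada
with Ada.Text_IO; use Ada.Text_IO;
procedure Contracts_Demo is
   type Int_Array is array (Positive range <>) of Integer;
   function Is_Sorted (A : Int_Array) return Boolean is
     (for all I in A'First .. A'Last - 1 => A (I) <= A (I + 1));

   -- Plain Design-by-Contract precondition. Is_Sorted is O(N), so with
   -- pragma Assertion_Policy (Check) every call runs in linear time;
   -- with Assertion_Policy (Ignore) the check vanishes and an unsorted
   -- A yields a meaningless result, which is the caller's fault.
   function Binary_Search (A : Int_Array; Key : Integer) return Natural
     with Pre => Is_Sorted (A);

   function Binary_Search (A : Int_Array; Key : Integer) return Natural is
      Lo : Positive := A'First;
      Hi : Natural  := A'Last;
   begin
      while Lo <= Hi loop
         declare
            Mid : constant Positive := Lo + (Hi - Lo) / 2;
         begin
            if A (Mid) = Key then
               return Mid;
            elsif A (Mid) < Key then
               Lo := Mid + 1;
            else
               Hi := Mid - 1;
            end if;
         end;
      end loop;
      return 0;  -- not found
   end Binary_Search;

   -- The "else raise" kind of precondition: a violation must raise, not
   -- be skipped (Ada 2012 raise expression; exception name is assumed).
   Divide_By_Zero : exception;

   function Divide (Dividend, Divisor : Float) return Float is
     (Dividend / Divisor)
     with Pre => Divisor /= 0.0 or else raise Divide_By_Zero;

   Data : constant Int_Array := (2, 3, 5, 7, 11, 13);  -- constructed input
begin
   Put_Line ("Index of 7:" & Natural'Image (Binary_Search (Data, 7)));
   begin
      Put_Line (Float'Image (Divide (1.0, 0.0)));
   exception
      when Divide_By_Zero => Put_Line ("Divide refused a zero divisor");
   end;
end Contracts_Demo;
```

Build once with assertions enabled (GNAT: -gnata) and once without to see the second call either raise Divide_By_Zero or silently return an infinity; the first call prints index 4 either way.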