From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: {Pre,Post}conditions and side effects
Date: Thu, 7 May 2015 21:40:27 +0200
Organization: Bauhaus-Universitaet Weimar
References: <2430252d-52a1-4609-acef-684864e6ca0c@googlegroups.com> <0a718b39-ebd3-4ab5-912e-f1229679dacc@googlegroups.com> <9ee5e186-5aaa-4d07-9490-0f9fdbb5ca18@googlegroups.com> <87tww5296f.fsf@adaheads.sparre-andersen.dk> <871tj9dp5b.fsf@theworld.com>

On Thu, 7 May 2015, Randy Brukardt wrote:

> If the compiler fails to optimize the check away, your program is wrong in
> some sense, and you should have gotten an error or warning (depending on the
> compiler mode and exception contracts) to that effect.

I am a big fan of correctness proofs, where they are applicable. But
logically,

    Not(Proven_Correct) /= Proven(Incorrect)

Furthermore, automatic theorem proving can only go so far. I may actually
know my program to be correct -- and maybe I can even prove it manually.
Why should the compiler reject my program, or insert useless checks, just
because it fails to find the proof?

Warning or not, I would consider a compiler (or a language) which generates
linear-time code for binary search badly broken. Rejecting the program
would be the lesser evil. Which would turn Ada into a new SPARK.

But then, the Ada standard would have to define the underlying theorem
prover, for compatibility reasons. Else, the same program may be proven
correct by one prover, where another prover fails.

> You ought to fix your
> program (probably by adding an appropriate predicate) so that the check
> *can* be eliminated (or pushed to somewhere where the cost is irrelevant).

Why do I need to fix the program, if I know it is correct? Just because
the compiler isn't good enough at theorem proving?

>> Turning off the checks just hides the problem.

*IF* there is a problem at all.

Stefan

------ I love the taste of Cryptanalysis in the morning! ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
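The "linear-time binary search" the post objects to is what happens when a precondition such as "the array is sorted" is evaluated at run time on every call: the check itself walks the whole array. The following Ada 2012 program is an added example, not code from the post or from any of the thread's participants; the names Search_Demo, Is_Sorted, Binary_Search and the sample data are constructed for illustration. With assertions enabled (GNAT's -gnata), each call runs the O(n) Is_Sorted before the O(log n) search; with them disabled, or with a compiler that can prove the precondition from the call site, the search keeps its logarithmic cost.

```ada
--  Added example (not from the original post): a binary search whose
--  precondition, Is_Sorted, costs O(n) to evaluate. If the compiler keeps
--  the check because it cannot prove the array sorted, every call pays
--  linear time, which is the situation the post describes.
with Ada.Text_IO; use Ada.Text_IO;

procedure Search_Demo is

   type Int_Array is array (Positive range <>) of Integer;

   --  Hypothetical helper: O(n) in A'Length. True for the empty array.
   function Is_Sorted (A : Int_Array) return Boolean is
     (for all I in A'First .. A'Last - 1 => A (I) <= A (I + 1));

   --  Returns the index of Key in A, or 0 if Key is absent.
   --  The Pre aspect is the contract whose run-time cost is at issue;
   --  the Post aspect documents what a caller may rely on.
   function Binary_Search (A : Int_Array; Key : Integer) return Natural
     with Pre  => Is_Sorted (A),
          Post => Binary_Search'Result = 0
                  or else (Binary_Search'Result in A'Range
                           and then A (Binary_Search'Result) = Key);

   function Binary_Search (A : Int_Array; Key : Integer) return Natural is
      Lo : Integer := A'First;
      Hi : Integer := A'Last;
   begin
      while Lo <= Hi loop
         declare
            --  Midpoint computed this way cannot overflow.
            Mid : constant Integer := Lo + (Hi - Lo) / 2;
         begin
            if A (Mid) = Key then
               return Mid;
            elsif A (Mid) < Key then
               Lo := Mid + 1;
            else
               Hi := Mid - 1;
            end if;
         end;
      end loop;
      return 0;
   end Binary_Search;

   --  Constructed sample input; sorted, so the precondition holds.
   Data : constant Int_Array := (2, 3, 5, 7, 11, 13, 17, 19);

begin
   Put_Line ("Index of 13:" & Natural'Image (Binary_Search (Data, 13)));
   Put_Line ("Index of 4:"  & Natural'Image (Binary_Search (Data, 4)));
end Search_Demo;
```

Randy's suggestion of "pushing the check to somewhere where the cost is irrelevant" would correspond here to checking Is_Sorted once where Data is built, or making sortedness part of a type's predicate, rather than re-checking it on every search; the post's counterpoint is that a programmer who already knows Data is sorted gains nothing from either the check or the restructuring.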