From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: {Pre,Post}conditions and side effects
Date: Tue, 12 May 2015 13:25:52 +0200
Organization: Bauhaus-Universitaet Weimar

On Tue, 12 May 2015, Stefan.Lucks@uni-weimar.de wrote:

>>> So the above specifies properly what I want to have. But this is also
>>> terribly slow.
> [...]
>>> I.e., this is a valid specification, but a useless test.
>>
>> Correct. If it hurts, don't write that. :-)

> Secondly, the compiler or prover may need such "believe me, this is
> true" properties to verify other properties it *can* verify.

Oh, I forgot "thirdly".

Thirdly, even if it would be way too expensive to check this specification
at run time, it may be possible to verify it statically at run time. But I
can only find that out by writing the specification and then running my
tool (the compiler or whatever). Again, it would be a terrible idea for
the compiler to insert expensive checks just because the theorem prover
failed to prove the condition.

BTW, simple but run-time expensive conditions are more likely to be proven
by the tool (at least for SPARK) than equivalent faster algorithms. E.g.,
I'd prefer

   Pre => (for all I in 2 .. N - 1 => N mod I /= 0)

over

   Pre => (for all I in 2 .. SQRT (N) => N mod I /= 0)

even though the second would be much faster if performed at run time.

Stefan

------ I love the taste of Cryptanalysis in the morning! ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks

--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--
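The two preconditions above, written out as a compilable Ada 2012 / SPARK 2014 unit. This is an added example, not code from the post or from any SPARK project. The unit name Prime_Contracts, the subtype Candidate, the ghost functions No_Divisor_Below_N and No_Divisor_Below_Sqrt, the helper Isqrt and the sample values are all assumptions made here for illustration. Standard Ada has no integer square root, so the SQRT(N) bound from the post is supplied by Isqrt together with a postcondition; that postcondition is exactly the kind of auxiliary fact the prover needs for the faster form and does not need for the simple one.

```ada
--  Added example (not from the original post). Names and the Candidate
--  range are assumed for illustration.

--  Configuration pragma: contracts are executed as run-time checks.
--  Change to "Pre => Ignore" to keep them for the prover only, so the
--  O(N) quantifier in No_Divisor_Below_N costs nothing at run time.
pragma Assertion_Policy (Pre => Check);

with Ada.Text_IO;

procedure Prime_Contracts with SPARK_Mode is

   subtype Candidate is Positive range 2 .. 10_000;

   --  Simple specification: a single quantifier over 2 .. N-1.
   --  Easy for a prover to reason with, O(N) if evaluated at run time.
   function No_Divisor_Below_N (N : Candidate) return Boolean is
     (for all I in 2 .. N - 1 => N mod I /= 0)
   with Ghost;

   --  Integer square root. The postcondition ties the result back to N;
   --  without it the prover could not relate the reduced range below to
   --  the divisor structure of N at all.
   function Isqrt (N : Candidate) return Positive
   with Post => Isqrt'Result * Isqrt'Result <= N
                and then (Isqrt'Result + 1) * (Isqrt'Result + 1) > N;

   function Isqrt (N : Candidate) return Positive is
      R : Positive := 1;
   begin
      while (R + 1) * (R + 1) <= N loop
         pragma Loop_Invariant (R * R <= N);
         R := R + 1;
      end loop;
      return R;
   end Isqrt;

   --  Faster specification: O(sqrt N) if evaluated at run time. To use
   --  it as proof of primality, the prover must additionally establish
   --  that a composite N has a divisor no larger than Isqrt (N), a
   --  number-theoretic lemma that follows neither from the quantifier
   --  nor from the postcondition of Isqrt. That extra obligation is why
   --  the simple form above is the easier one to prove.
   function No_Divisor_Below_Sqrt (N : Candidate) return Boolean is
     (for all I in 2 .. Isqrt (N) => N mod I /= 0)
   with Ghost;

   procedure Use_Prime (N : Candidate)
   with Pre => No_Divisor_Below_N (N)
   is
   begin
      Ada.Text_IO.Put_Line (Positive'Image (N) & " is prime (O(N) check)");
   end Use_Prime;

   procedure Use_Prime_Fast (N : Candidate)
   with Pre => No_Divisor_Below_Sqrt (N)
   is
   begin
      Ada.Text_IO.Put_Line (Positive'Image (N) & " is prime (sqrt check)");
   end Use_Prime_Fast;

begin
   --  7919 is prime: both preconditions hold.
   Use_Prime (7919);
   Use_Prime_Fast (7919);

   --  7917 = 3 * 7 * 13 * 29. Uncommenting either call raises
   --  Assertion_Error under "Pre => Check"; under "Pre => Ignore" the
   --  call silently proceeds, which is the whole point of proving the
   --  contract statically instead of relying on the run-time check.
   --  Use_Prime (7917);
   --  Use_Prime_Fast (7917);
end Prime_Contracts;
```

Compile with GNAT (gnatmake prime_contracts.adb) to see the run-time behaviour of the two policies; run gnatprove on the same file to see which of the two preconditions the tool can discharge on its own. Note that Isqrt is a regular, non-ghost function because a quantified expression needs a concrete upper bound, so the faster contract drags executable code into the specification, which the O(N) form avoids.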