From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: SPARK: missing case value
Date: Fri, 9 Oct 2015 14:28:21 +0200
Organization: Bauhaus-Universitaet Weimar

On Fri, 9 Oct 2015, Maciej Sobczak wrote:

> type Enum is (A, B, C);
>
> procedure Test (E : in Enum)
>    with Pre => E /= C
> is
> begin
>    case Thingsome (Something (E)) is   -- this was "case E is"
>       when A => null;
>       when B => null;
>    end case;
> end Test;

with some functions Thingsome and Something (X : Enum) return Enum.

> The Pre contract says that C is never used as a value for E. Still,
> GNATProve complains about missing case value C in the case statement.
> The compiler complains, too.

Well, your example is a triviality to prove.
But if Ada were required to deal with your example, why should it not also be required to deal with my example?

On the other hand, assume the program is technically correct. I.e., for all E /= C, the property Thingsome(Something(E)) /= C actually holds. Do you really expect the Ada compiler to prove this?

SPARK should prove this, in principle. But, for sufficiently complicated functions Something and Thingsome, SPARK's success in proving this may depend on your settings (which theorem provers and how much time for proving you set). The legality of an Ada program should never depend on such settings. Everything else would kill portability.

And allowing SPARK to compile formally illegal Ada programs would very regrettably break the compatibility between SPARK and Ada -- even if there actually were any "pure-SPARK compilers" at all.

So long

Stefan

-------- I love the taste of Cryptanalysis in the morning! --------
www.uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
----Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany----
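Added example (my own code, not posted by anyone in this thread): the two standard ways to keep the case statement legal Ada while still letting gnatprove use the precondition. The type Enum, the procedure Test and the function names Something and Thingsome come from the thread; the package name Case_Demo, the subtype Enum_AB, the procedure Test_Subtype, and the bodies and postconditions of Something and Thingsome are assumptions made up for illustration.

```ada
-- Added example, not from the original thread. Package name, subtype
-- Enum_AB, Test_Subtype and the bodies/contracts of Something and
-- Thingsome are assumed for illustration.

package Case_Demo with SPARK_Mode is

   type Enum is (A, B, C);

   -- Option 1: put the constraint in the type. Completeness of a case
   -- over Enum_AB is then a compile-time check of the Ada compiler,
   -- independent of any prover settings.
   subtype Enum_AB is Enum range A .. B;

   procedure Test_Subtype (E : in Enum_AB);

   -- Option 2: keep E : Enum and the precondition, but give each function
   -- a contract that carries the "never C" property through the call.
   -- (These bodies are assumed; the thread leaves them unspecified.)
   function Something (X : Enum) return Enum is
     (case X is when A => B, when B => A, when C => C)
     with Post => (if X /= C then Something'Result /= C);

   function Thingsome (X : Enum) return Enum is
     (case X is when A => A, when B => B, when C => C)
     with Post => (if X /= C then Thingsome'Result /= C);

   procedure Test (E : in Enum)
     with Pre => E /= C;

end Case_Demo;

package body Case_Demo with SPARK_Mode is

   procedure Test_Subtype (E : in Enum_AB) is
   begin
      case E is             -- complete: Enum_AB only contains A and B
         when A => null;
         when B => null;
      end case;
   end Test_Subtype;

   procedure Test (E : in Enum) is
   begin
      case Thingsome (Something (E)) is
         when A => null;
         when B => null;
         when C =>
            -- The statement is now complete, so it is legal Ada whatever
            -- the prover does. gnatprove must show from Pre and the two
            -- postconditions that this raise is unreachable; if it cannot
            -- (weaker contracts, less prover time), the result is an
            -- unproved check, not an illegal program.
            raise Program_Error;
      end case;
   end Test;

end Case_Demo;
```

Save the spec and body as case_demo.ads and case_demo.adb (or let gnatchop split them). `gnatmake -c case_demo.adb` alone demonstrates the compile-time point: with the `when C` alternative removed from Test, the compiler rejects the unit regardless of the Pre aspect, while Test_Subtype is accepted because the subtype, not a contract, makes the case complete. Running gnatprove on a project containing the package then discharges the `raise Program_Error` branch from the contracts, which is exactly the separation of concerns the post argues for: legality decided by the compiler, dead-branch proof left to SPARK.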