From: Stefan.Lucks@uni-weimar.de
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Sat, 17 Dec 2016 10:33:51 +0100
Organization: Bauhaus-Universitaet Weimar

On Fri, 16 Dec 2016, G.B. wrote:

> no statement of the Ada block
>
> begin -- of Make
> ....
> end Make;
>
> will execute "raise Constraint_Error" announced in Pre. In fact,
> RM 6.1.1(36/3) shows that Make cannot possibly raise the exception
> from inside, because then, technically, it could handle it there,
> contradicting the RM.
>
> So if "Post" means "After", then a contract violation may come
> first and an Assertion_Error is raised after that, but the
> execution of statements of Make will not have begun. So, in
> contract based design, Make does what it is supposed to do and
> does *not* check its Pre, just like proofs do not check their
> premises. (Eiffel just attaches names to "require"'s Boolean
> expressions, for reference.)

Well, following the Eiffel lead and Bertrand Meyer's writings, the client
will not care where, exactly, the exception is raised. The client is
calling the subprogram with certain values as parameters, and the client
will get some expected result, even if it is a specific exception.

The else-clause still turns the Pre aspect into a postcondition.

On the other hand, Randy's point is quite convincing: If we want to
introduce contracts -- and, specifically, preconditions -- into existing
libraries without breaking compatibility, then the else clause is exactly
what is needed.

So then the Pre-part of the contract essentially says:

  Don't call Make with First > Last!
  -- This is a proper precondition.

  but your legacy code, which has been written before we fixed this
  contract, does not need to be rewritten.
  -- This is about software which still expects no precondition, but
  -- the old postcondition.

That makes sense!

-------- I love the taste of Cryptanalysis in the morning! --------
www.uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
----Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany----
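An added illustration, not code from the thread (Bounds, Make_Legacy, Try and the message text are constructed): a legacy Make whose body raises Constraint_Error, beside an Ada 2012 Make whose Pre aspect carries the "or else raise Constraint_Error" discussed above, so both give the caller the same exception, but from different places.

```ada
--  Constructed example, not code from the thread: legacy Make (check in the
--  body) beside a contract Make (check in Pre, with the compatibility raise).
pragma Assertion_Policy (Check);  --  under Ignore, Pre and its raise vanish
with Ada.Text_IO; use Ada.Text_IO;
procedure Pre_Demo is
   type Bounds is record
      First, Last : Integer;
   end record;
   type Maker is access function (First, Last : Integer) return Bounds;
   --  Legacy: no contract. The check is part of the body, i.e. a
   --  postcondition in disguise ("returns a Bounds or raises Constraint_Error").
   function Make_Legacy (First, Last : Integer) return Bounds;
   --  Contract version: the requirement moves to the spec; the "or else raise"
   --  gives old clients Constraint_Error instead of Assertion_Error.
   function Make (First, Last : Integer) return Bounds
     with Pre => First <= Last
                   or else raise Constraint_Error with "First > Last";
   function Make_Legacy (First, Last : Integer) return Bounds is
   begin
      if First > Last then
         raise Constraint_Error with "First > Last";
      end if;
      return (First => First, Last => Last);
   end Make_Legacy;
   function Make (First, Last : Integer) return Bounds is
   begin
      return (First => First, Last => Last);  --  body never runs if Pre fails
   end Make;
   --  The call sits in a nested block: an exception raised in a declarative
   --  part would otherwise bypass Try's own handler.
   procedure Try (Label : String; F : Maker; First, Last : Integer) is
   begin
      declare
         B : constant Bounds := F (First, Last);
      begin
         Put_Line (Label & " ok:" & Integer'Image (B.First)
                   & " .." & Integer'Image (B.Last));
      end;
   exception
      when Constraint_Error =>
         Put_Line (Label & " raised Constraint_Error");
   end Try;
begin
   Try ("legacy",   Make_Legacy'Access, 1, 10);
   Try ("contract", Make'Access,        1, 10);
   Try ("legacy",   Make_Legacy'Access, 5, 2);  --  raised inside the body
   Try ("contract", Make'Access,        5, 2);  --  raised before the body starts
end Pre_Demo;
```

Build with assertions enabled (for GNAT, `-gnata` or the pragma above); with the policy set to Ignore the contract version silently returns an inverted range, which is the compatibility trap the thread's else-clause is meant to avoid.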