From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!mx05.eternal-september.org!feeder.eternal-september.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Newsgroups: comp.lang.ada
Subject: Re: Seeking for papers about tagged types vs access to subprograms
Date: Mon, 13 May 2013 22:20:12 +0300
Organization: Tidorum Ltd
Message-ID: <avcsncFc6g6U1@mid.individual.net>
References: <op.wv8jh1c1ule2fv@cardamome>
 <19lrzzbgm77v6.1dzpgqckptaj6.dlg@40tude.net> <kmbohm$elb$1@loke.gir.dk>
 <p0pf97g5w6xg.jhca6ztjwpde$.dlg@40tude.net> <op.wwq9s4l6ule2fv@cardamome>
 <1bfhq7jo34xpi.p8n2vq6yjsea.dlg@40tude.net> <op.wwrefx1pule2fv@cardamome>
 <cps71yzogw24$.7ol98fxcaurj$.dlg@40tude.net> <op.wwriky0dule2fv@cardamome>
 <nd22gfeezrwf$.tlj4yyygrwq3$.dlg@40tude.net> <kmecg6$et4$1@loke.gir.dk>
 <12gn9wvv1gwfk.10ikfju4rzmnj.dlg@40tude.net> <kmh7d4$up3$1@loke.gir.dk>
 <op.wwumn3r2ule2fv@cardamome> <av4r5qFitfiU1@mid.individual.net>
 <kmk2on$tij$1@loke.gir.dk> <av7q6hF8evqU1@mid.individual.net>
 <op.wwykzzi9ule2fv@cardamome> <av912pFfve6U1@mid.individual.net>
 <kmooeh$ajj$1@dont-email.me> <avbbi7F16eaU1@mid.individual.net>
 <1y21fg5hvajvd.1femngelic1xp.dlg@40tude.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Trace: individual.net Kx4TREa26w/HCh+0QR5l0glAn9bsPE0p1iNtQBtjKmPHFpvrJp
Cancel-Lock: sha1:OYjsZ1YQ1AMguJTNUn9yDLJEGL0=
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6;
 rv:17.0) Gecko/20130328 Thunderbird/17.0.5
In-Reply-To: <1y21fg5hvajvd.1femngelic1xp.dlg@40tude.net>
Xref: news.eternal-september.org comp.lang.ada:15543
Date: 2013-05-13T22:20:12+03:00
List-Id: <comp.lang.ada>

On 13-05-13 10:22 , Dmitry A. Kazakov wrote:
> On Mon, 13 May 2013 08:21:14 +0300, Niklas Holsti wrote:
> 
>> The point of the example was to illustrate typestate analysis. For this
>> example, with only Open - (Read/Write)* - Close, your approach collapses
>> the example into a trivial one, where adherence to the operation
>> protocol is ensured by the necessity to declare a File_Info object
>> before it can be used. So it would no longer be a useful example.
> 
> It is still a useful example of a good software component design.

Hm. In this thread, I think this example is interesting only if it can
show us alternatives to typestate analysis, giving the same verification
power by other means. I don't think this Open-in-declaration approach
(essentially removing the Open and Close operations from the problem)
applies in the general case, so I don't find it interesting in this thread.

>> Your approach works in some cases, but it is problematic if you cannot
>> initialize the object to an "active" state in its declaration, for
>> example because the "activation" is conditional in some way, or must be
>> delayed.
> 
> This is rather a language problem. Most of such cases can be attributed to
> the lack or insufficient constructors. The notorious Ada's problem with
> task components is due to the lack of class-wide constructors, when
> Initialize tries to sit on two chairs struggling to be both a specific and
> a class-wide initialization.

The initialization step, which is just the first state transition of an
object, is only a small part of the problem for typestate analysis.

>> The "activation" must then be done in a statement, and the
>> declaration leaves the object in some inactive initial state.
> 
> That is not a problem so long this state is not exposed. The idea is that
> when you have an object which may transit from state to state (e.g. a
> connection object, when the connection can be lost), you should not expose
> this state.

Even if the state is hidden from the clients, it is present internally,
and must be considered in any analysis of correctness.

> You better make the object to maintain the state (e.g. by
> making the connection restored by the object automatically) and leave its
> interface free of the state (e.g. an operation on unconnected object would
> block or else raise Busy_Error etc).

Here "unconnected object" is analogous to "closed file". The state
exists, even if hidden from clients. In fact, from the point of view of
typestate analysis, the state is or should be visible, since it affects
the availability or success of operations on the object.

The goal of typestate analysis, even of client code, is to show if
operations can be illegally applied and thus fail, for example by
raising Busy_Error. For this, the analysis must include the
"unconnected" state.

>> Another limitation in your approach is that the opening and closing of
>> different files must be strictly nested: if you declare and open file A,
>> then declare and open file B, file B must be closed before file A is
>> closed (as long as it all happens in the same task). Such forced
>> constraints between the states of different object is often not wanted.
> 
> You can have a container, e.g. a bag, to handle this.

This introduces a new object -- the container -- with its own, perhaps
more complex state: whether or not it contains the object (e.g. a
File_Object) that is our real interest. Not a good idea, I think.

> Jeffrey's model translates this into the problem of object's scope
> (lifetime), which saves time and mental efforts.

Only in this special case, the "file" example, where the state structure
is so simple that after hiding the first state transition (Open) into
the construction of the object, and the last state transition (Close)
into the destruction, there is only one state left (Is_Open), which
makes typestate analysis trivial.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
      .      @       .