Newsgroups: comp.lang.ada
Date: Wed, 17 May 2017 14:21:47 -0700 (PDT)
From: moy@adacore.com
Subject: Re: Rust's temporal safety for Ada/SPARK

On Monday, May 15, 2017 at 9:07:49 PM UTC+2, Simon Wright wrote:
> (where we have alternate paths to the variable Dest); but SPARK is happy
> and the runtime check isn't triggered, so I suppose the ARM supports
> this (by copy-out?).

Hi Simon,

SPARK is happy because there is no problematic aliasing with the code you posted. Since N is of scalar type, it is always passed by copy.
Since N is also of mode 'in', it is only copied on entry, not copied back. So the contract you wrote on Add is still valid even if you call it on Dest and Dest. But the postcondition only holds upon returning from Add, not after the call statement. Between these two, the value returned in parameter Dest is copied back into local variable Dest. This is how both the GNAT compiler and the GNATprove analyzer understand it.

> Still, the usage shouldn't pass code review, I think.

I guess it depends on the meaning of the code. If the use of the same value in different parameters is confusing, indeed not. Otherwise, there is nothing wrong with that code.
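The parameter-passing semantics described in the reply above, as an added illustration that is not code from this thread: Simon's original Add and its contract are not reproduced on this page, so the unit name Alias_Demo, the procedure Add, the formals Dest and N, and the contract below are all assumptions chosen to match the discussion.

```ada
with Ada.Text_IO;

--  Added illustration, not code from the thread. The names and the
--  contract are assumptions; Simon's original Add is not on this page.
procedure Alias_Demo is

   --  Both formals are scalars, so both are passed by copy. N is of
   --  mode 'in': copied on entry, never copied back. Dest is 'in out':
   --  copied on entry and copied back on return. Because N is a by-copy
   --  'in' parameter, SPARK raises no aliasing objection when the same
   --  variable is used for both actuals.
   procedure Add (Dest : in out Integer; N : in Integer) with
     SPARK_Mode,
     Pre  => Dest in 0 .. Integer'Last / 2 and N in 0 .. Integer'Last / 2,
     Post => Dest = Dest'Old + N;

   procedure Add (Dest : in out Integer; N : in Integer) with
     SPARK_Mode
   is
   begin
      Dest := Dest + N;
   end Add;

   Dest : Integer := 21;

begin
   --  Same variable as both actuals. On entry the formal N receives a
   --  copy of Dest (21) and the formal Dest receives its own copy. Inside
   --  Add the two formals are independent, so the postcondition
   --  Dest = Dest'Old + N is evaluated against the formal at the point
   --  Add returns. Only after that is the formal Dest copied back into
   --  this local Dest; the postcondition says nothing about the local
   --  variable as seen after the call statement itself.
   Add (Dest, Dest);

   Ada.Text_IO.Put_Line
     ("Dest after Add (Dest, Dest) =" & Integer'Image (Dest));
end Alias_Demo;
```

Run gnatprove on the unit to see the call accepted (no anti-aliasing check fires, since N is by-copy and immutable), and compile with assertions enabled to see the postcondition check pass at run time: N holds the entry value 21, Dest'Old is 21, and the copied-back Dest is 42 after the call. The precondition is only there to keep the addition free of overflow so the proof goes through without further annotations.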