From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level:
X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,583275b6950bf4e6
X-Google-Attributes: gid103376,public
X-Google-ArrivalTime: 2003-05-28 01:21:58 PST
Path: archiver1.google.com!news1.google.com!newsfeed.stanford.edu!headwall.stanford.edu!fu-berlin.de!uni-berlin.de!dialin-145-254-040-169.arcor-ip.NET!not-for-mail
From: "Dmitry A. Kazakov"
Newsgroups: comp.lang.ada
Subject: Re: Quality systems (Was: Using Ada for device drivers? (Was: the Ada mandate, and why it collapsed and died))
Date: Wed, 28 May 2003 10:24:21 +0200
Organization: At home
Message-ID:
References: <3ec4b1c9$1@news.wineasy.se> <9fa75d42.0305161748.1735fc32@posting.google.com> <4W%xa.28765$cK5.11964@nwrdny02.gnilink.net> <1053353256.804734@master.nyc.kbcfp.com> <3ECFF541.1010705@attbi.com> <3ED0B820.5050603@noplace.com> <3ED2096F.3020800@noplace.com> <3ED353BE.40605@noplace.com>
Reply-To: mailbox@dmitry-kazakov.de
NNTP-Posting-Host: dialin-145-254-040-169.arcor-ip.net (145.254.40.169)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7Bit
X-Trace: fu-berlin.de 1054110116 5042101 145.254.40.169 (16 [77047])
User-Agent: KNode/0.7.1
Xref: archiver1.google.com comp.lang.ada:37881
Date: 2003-05-28T10:24:21+02:00
List-Id:

Marin David Condic wrote:

> Pretty simple stuff.
> Suppose you had a type like:
>
>    type Saturated_Integer is range -10..10 ;
>
> and an object of that type such as:
>
>    X : Saturated_Integer := 9 ;
>
> and then:
>
>    X := X + 4 ;
>
> would mean:
>
>    (X = 10)
>
> and later you might do:
>
>    X := X - 25 ;
>
> and you get
>
>    (X = -10)
>
> I don't know of any hardware that would do this for either floating
> point or integer numbers, so I'd suspect it would not be practical to do
> anything but implement it in software. You'd probably want to do
> whatever it is you do to check for an overflow on a subtype, but instead
> of raising an exception, you plug it with the max value and continue to
> run.
>
> The idea is that you're not exactly catching an error in the code -
> presumably you should be building the code such that it doesn't compute
> values outside of the valid range - but if there is such an error, it
> lets the code continue to run uninterrupted and do something that might
> be more sensible than halting with an exception or wrapping around to
> the opposite end of the range. I'm sure there would be issues about
> where the range checks would have to be performed, how efficient the
> checks would be, the consequences of turning off checks and what it does
> to your worst-case behavior if it takes the failure path. Still, it
> seems like a useful feature for some kinds of jobs.

Aha! There is a mathematical analogy to what you need. It is a finite set
of numbers with two additional infinite elements ]-oo,T'First] and
[T'Last,+oo[. Thus

   type Saturated_Integer is range -10..10;

could be something like

   {]-oo,-10], -9, ..., 9, [10,+oo[}

For all finite x, [10,+oo[ - x is defined as [10,+oo[. So

   (5 + 5) - 5 = [10,+oo[

while

   5 + (5 - 5) = 5

Which reminds me of the horrors of PL/1! (:-))

To avoid this you have to define some Universal_Saturated with an
infinite domain set. This would require unlimited-precision arithmetic at
run-time. Shudder. Then [10,+oo[ - [10,+oo[ is of course undefined. Thus

   X := 9 + 4;
   X := X - X; -- Constraint_Error!

But

   X := X - 25;

is either Constraint_Error or [10,+oo[ (with Universal_Saturated
arithmetic). Both differ from the semantics you gave.

Mixing saturated types will be full of surprises:

   type T1 is range -10..10;
   type T2 is range -100..100;

   X : T1 := -10;
   Y : T2 := T2 (X); -- Results in -100!

Ergo, I think it would be better to leave that for the realm of
user-defined types.

-- 
Regards,
Dmitry A. Kazakov
www.dmitry-kazakov.de
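Added example (not part of either post, and not Ada): the two semantics argued about above, written as a user-defined type in C so they can be run side by side. `clamp_t` is the clamping behaviour of the quoted post (an out-of-range result becomes the nearest bound and nothing remembers the overflow); `sticky_t` is the interval model of the reply, where T'First and T'Last stand for ]-oo,T'First] and [T'Last,+oo[, absorb finite operands, and make inf - inf undefined. All type and function names are this example's own; the ranges -10..10 and -100..100 and the arithmetic sequences are the ones from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Two user-defined models of a "saturated integer" over [lo, hi]. Every name
 * here (sat_range, clamp_t, sticky_t, ...) is this example's own, not Ada and
 * not code from the thread. */
typedef struct { int32_t lo, hi; } sat_range;

/* ---- clamping model: the quoted post's semantics ------------------------ */
typedef struct { sat_range r; int32_t v; } clamp_t;

/* Arithmetic is done in int64_t so the raw sum itself cannot overflow;
 * only the final value is clamped to the range. */
static clamp_t clamp_make(sat_range r, int64_t x) {
    clamp_t c = { r, x < r.lo ? r.lo : x > r.hi ? r.hi : (int32_t)x };
    return c;
}
static clamp_t clamp_add(clamp_t a, int64_t k) { return clamp_make(a.r, (int64_t)a.v + k); }
static clamp_t clamp_sub(clamp_t a, int64_t k) { return clamp_make(a.r, (int64_t)a.v - k); }
/* Converting between ranges re-clamps the plain value: -10 in -10..10 is still -10 in -100..100. */
static clamp_t clamp_convert(clamp_t a, sat_range r) { return clamp_make(r, a.v); }

/* ---- interval ("sticky") model: the reply's semantics ------------------- */
typedef enum { SAT_NEG_INF = -1, SAT_FINITE = 0, SAT_POS_INF = 1 } sat_state;
typedef struct { sat_range r; int32_t v; sat_state st; bool error; } sticky_t;

static sticky_t sticky_inf(sat_range r, sat_state st) {
    sticky_t s = { r, st == SAT_POS_INF ? r.hi : r.lo, st, false };
    return s;
}
/* The bounds themselves are the infinite elements: {]-oo,lo], lo+1, ..., hi-1, [hi,+oo[}. */
static sticky_t sticky_make(sat_range r, int64_t x) {
    if (x <= r.lo) return sticky_inf(r, SAT_NEG_INF);
    if (x >= r.hi) return sticky_inf(r, SAT_POS_INF);
    sticky_t s = { r, (int32_t)x, SAT_FINITE, false };
    return s;
}
/* inf +/- finite = inf: a saturated value absorbs a finite operand. */
static sticky_t sticky_add(sticky_t a, int64_t k) {
    return (a.error || a.st != SAT_FINITE) ? a : sticky_make(a.r, (int64_t)a.v + k);
}
static sticky_t sticky_sub(sticky_t a, int64_t k) { return sticky_add(a, -k); }
/* a - b for two values of the same type. inf - inf of the same sign is undefined;
 * the error flag plays the role of Constraint_Error. */
static sticky_t sticky_sub2(sticky_t a, sticky_t b) {
    if (a.error || b.error || (a.st != SAT_FINITE && a.st == b.st)) { a.error = true; return a; }
    if (a.st != SAT_FINITE) return a;                                           /* inf - finite */
    if (b.st != SAT_FINITE)                                                     /* finite - (+inf) = -inf */
        return sticky_inf(a.r, b.st == SAT_POS_INF ? SAT_NEG_INF : SAT_POS_INF);
    return sticky_make(a.r, (int64_t)a.v - b.v);
}
/* Converting ]-oo,-10] into -100..100 yields ]-oo,-100], stored as -100, not -10. */
static sticky_t sticky_convert(sticky_t a, sat_range r) {
    return a.st == SAT_FINITE ? sticky_make(r, a.v) : sticky_inf(r, a.st);
}

/* The quoted post's sequence under clamping: X := 9; X := X + 4; X := X - 25. */
static int32_t demo_clamp_sequence(void) {
    sat_range t = { -10, 10 };
    clamp_t x = clamp_make(t, 9);
    x = clamp_add(x, 4);    /* 13 -> 10 */
    x = clamp_sub(x, 25);   /* -15 -> -10 */
    return x.v;
}
/* Clamping loses information once a bound is hit: (9 + 4) - 4 = 6, while 9 + (4 - 4) = 9. */
static int32_t demo_clamp_lost_information(void) {
    sat_range t = { -10, 10 };
    return clamp_sub(clamp_add(clamp_make(t, 9), 4), 4).v;
}
/* The reply's example: (5 + 5) - 5 stays at [10,+oo[, so the stored value is 10, not 5. */
static int32_t demo_sticky_non_associative(void) {
    sat_range t = { -10, 10 };
    return sticky_sub(sticky_add(sticky_make(t, 5), 5), 5).v;
}
/* X := 9 + 4; X := X - X is undefined in the interval model. */
static bool demo_sticky_inf_minus_inf(void) {
    sat_range t = { -10, 10 };
    sticky_t x = sticky_add(sticky_make(t, 9), 4);
    return sticky_sub2(x, x).error;
}
/* T2 (X) for X : T1 := -10 with T1 = -10..10 and T2 = -100..100: -10 clamped, -100 sticky. */
static int32_t demo_convert(bool sticky) {
    sat_range t1 = { -10, 10 }, t2 = { -100, 100 };
    if (sticky) return sticky_convert(sticky_make(t1, -10), t2).v;
    return clamp_convert(clamp_make(t1, -10), t2).v;
}

int main(void) {
    printf("clamp:  9 + 4 - 25          = %d\n", demo_clamp_sequence());
    printf("clamp:  (9 + 4) - 4         = %d  (plain integers give 9)\n", demo_clamp_lost_information());
    printf("sticky: (5 + 5) - 5         = %d  (stays at T'Last)\n", demo_sticky_non_associative());
    printf("sticky: (9 + 4) - (9 + 4)   = %s\n", demo_sticky_inf_minus_inf() ? "undefined" : "defined");
    printf("T2 (-10): clamp %d, sticky %d\n", demo_convert(false), demo_convert(true));
    return 0;
}
```

The point for a practitioner is the one the reply makes: neither model is ordinary integer arithmetic. Clamping silently discards how far the value overshot, so `(a + b) - b` no longer returns `a` after a saturation; the interval model keeps "it overflowed" as a sticky state and therefore has to fail on `inf - inf` and to map a saturated bound of a narrow type onto the bound of a wider one. Any range check that a security review relies on has to know which of the two a given "saturated" type actually implements.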