From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: about the new Ada 2012 pre/post conditions
Date: Mon, 25 Jun 2012 21:42:11 +0200
Date: 2012-06-25T21:42:11+02:00 [thread overview]
Message-ID: <bdpvyb9h7rvt.zbq0kbiq72wj.dlg@40tude.net> (raw)
In-Reply-To: Pine.LNX.4.64.1206251734140.12735@medsec1.medien.uni-weimar.de
On Mon, 25 Jun 2012 18:26:18 +0200, stefan-lucks@see-the.signature wrote:
> On Mon, 25 Jun 2012, Dmitry A. Kazakov wrote:
>
>> Hilbert's program by no means was intended to justify logic or mathematics
>> themselves. This is outright wrong.
>
> Hilbert's program was an attempt to re-build the very foundations of
> Mathematics. No more, no less. See
> <http://en.wikipedia.org/wiki/Hilbert%27s_program>.
Right, and this had nothing to do with justification either logic or
mathematics by means of themselves. Such an epic task would rather be a job
for baron Muenchausen. Just scroll through the Hilbert's program list of
problems:
http://en.wikipedia.org/wiki/Hilbert_problems
>> If Ada precondition is neither implementation (#1) nor
>> specification/contract (#2) then what is it?
>
> A syntax for specifications.
Syntax only?
>>> *Secondly*, you seem to overlook that there are three semantical options,
>>> rather than the two you mention:
>>>
>>> 1 ignore the conditions
>>>
>>> 2 check them dynamically at run time
>>>
>>> 3 prove them statically at compile time
>>
>> I didn't:
>>
>> Assuming #1, only no.2 is possible. #1 <=> no.2
>>
>> Assuming #2, you have only choice between no.1 and no.3. #2 <=> no.1 or
>> no.2.
>>
>> One *cannot* mix no.1/3 with no.2, that is what upsets me.
>
> But you are not locked into either option 1, 2, or 3, you can choose,
> without having to change the language, or to rewrite a single character
> of your program source.
Same syntax for things which are far more apart than just semantically
different. What a bizzare idea! You would be switching between contract
specification and implementation per compiler switch! Is this C
preprocessor or Ada?
>> That clearly precludes no.2: handling is within the checker, checker is
>> outside the testee.
>
> Well, this separation is ideal. But most of the time, a testee that
> discovers itself being in a faulty state (and that is, what a failed
> dynamic check actually reveals), the testee is still able to write some
> information to a log file. Sure, you can construct or find the odd
> counterexample -- but in practice almost all the time this approach works.
> (OK, I am assuming your system allows to write some log output at all.)
Tracing is OK, but what happens afterwards? If continuation is possible,
that requires some cleanup, rollback, retry etc, which has the goal of
putting the system into some definite state. This is not over before over.
>> And, very importantly, we want to contract exceptions some day, don't we?
>
> Sure! So what?
How are going to marry exceptions propagating from contracts with contracts
on exceptions? Some exceptions are more exceptional than others? Aren't we
fed up with Program_Error?
> Ada.Assertions.Assertion_Error is one exception like Constraint_Error or
> the like. Either, you prove that this or that exception will not be
> raised. Or you claim that such an exception is not raised. If it is
> actually raised this is a violation of the contract. Which is a big deal
> for, say, Constraint_Error, but not for Ada.Assertions.Assertion_Error ...
> the exception that indicates the violation of a contract, anyway. (Assuming
> that Ada.Assertions.Assertion_Error is not raised manually -- but no sane
> programmer would do that.)
>
> Actually, there is one exception that is difficult to specify. It is our
> old fellow
>
> Storage_Error.
>
> On the level of source code analysis, you
> actually cannot prove that this exception will not be raised.
Firstly, you if you don't want to prove anything about a certain exception,
you would add this exception to all contracts involved and take care about
exceptions of interest.
Secondly, you would rather prove conditionals, like: Storage_Error is not
propagated when given amount of memory is available in the specified pools.
This is good enough for most cases, which are not about any exact bound,
but about existence of such bound, i.e. about memory leak detection.
Thirdly, you would be able to provide axioms. E.g. for some complex
recursive operation, you could just specify the upper memory consumption
bound known to you from other sources, and let the prover to go with that
(the oracle).
I think conservative Storage_Errror proof is pretty doable. If you move the
upper bound a pair Kbytes upward it would eliminate most of problems.
We certainly could learn from Java mistakes rather than repeating them
(e.g. interfaces).
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2012-06-25 19:42 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-20 13:39 about the new Ada 2012 pre/post conditions Nasser M. Abbasi
2012-06-20 14:02 ` Georg Bauhaus
2012-06-20 14:13 ` Dmitry A. Kazakov
2012-06-20 14:24 ` Nasser M. Abbasi
2012-06-20 14:37 ` Dmitry A. Kazakov
2012-06-20 17:02 ` Georg Bauhaus
2012-06-20 18:28 ` Dmitry A. Kazakov
2012-06-21 20:32 ` Randy Brukardt
2012-06-22 7:23 ` Dmitry A. Kazakov
2012-06-22 11:54 ` Georg Bauhaus
2012-06-22 12:39 ` Georg Bauhaus
2012-06-22 12:43 ` Dmitry A. Kazakov
2012-06-22 14:30 ` Georg Bauhaus
2012-06-22 14:36 ` Georg Bauhaus
2012-06-22 15:05 ` Dmitry A. Kazakov
2012-06-22 15:52 ` Georg Bauhaus
2012-06-22 16:35 ` Dmitry A. Kazakov
2012-06-22 16:53 ` Georg Bauhaus
2012-06-22 16:45 ` Georg Bauhaus
2012-06-22 17:24 ` Dmitry A. Kazakov
2012-06-22 19:41 ` Randy Brukardt
2012-06-22 23:08 ` Dmitry A. Kazakov
2012-06-23 10:46 ` Georg Bauhaus
2012-06-23 11:01 ` Dmitry A. Kazakov
2012-06-23 17:46 ` AdaMagica
2012-06-23 19:23 ` Dmitry A. Kazakov
2012-06-24 14:59 ` Georg Bauhaus
2012-06-24 16:06 ` Dmitry A. Kazakov
2012-06-24 19:51 ` Georg Bauhaus
2012-06-25 7:48 ` Dmitry A. Kazakov
2012-06-25 10:10 ` Georg Bauhaus
2012-06-25 8:08 ` Dmitry A. Kazakov
2012-06-25 10:17 ` Georg Bauhaus
2012-06-25 11:54 ` Dmitry A. Kazakov
2012-06-25 12:39 ` Georg Bauhaus
2012-06-25 12:51 ` Georg Bauhaus
2012-06-25 13:19 ` Dmitry A. Kazakov
2012-06-25 16:43 ` Georg Bauhaus
2012-06-25 14:08 ` stefan-lucks
2012-06-25 14:36 ` Dmitry A. Kazakov
2012-06-25 14:37 ` Dmitry A. Kazakov
2012-06-25 16:26 ` stefan-lucks
2012-06-25 19:42 ` Dmitry A. Kazakov [this message]
2012-06-26 11:50 ` stefan-lucks
2012-06-26 13:07 ` Dmitry A. Kazakov
2012-06-26 13:49 ` Georg Bauhaus
2012-06-26 14:45 ` Dmitry A. Kazakov
2012-06-26 16:48 ` Georg Bauhaus
2012-06-26 19:43 ` Dmitry A. Kazakov
2012-06-27 8:23 ` Georg Bauhaus
2012-06-27 8:52 ` Dmitry A. Kazakov
2012-06-27 10:30 ` Georg Bauhaus
2012-06-27 12:19 ` Dmitry A. Kazakov
2012-06-27 13:41 ` Nasser M. Abbasi
2012-06-28 7:00 ` Georg Bauhaus
2012-06-27 15:08 ` Georg Bauhaus
2012-06-29 21:03 ` Shark8
2012-06-30 8:26 ` Dmitry A. Kazakov
2012-06-30 12:54 ` Niklas Holsti
2012-07-05 2:58 ` Shark8
2012-07-05 7:24 ` Dmitry A. Kazakov
2012-07-06 6:23 ` Shark8
2012-07-06 7:57 ` Dmitry A. Kazakov
2012-07-07 1:09 ` Randy Brukardt
2012-07-07 8:44 ` Dmitry A. Kazakov
2012-06-26 14:54 ` stefan-lucks
2012-06-26 15:14 ` Dmitry A. Kazakov
2012-07-03 5:28 ` Randy Brukardt
2012-07-03 12:53 ` Dmitry A. Kazakov
2012-07-03 13:48 ` Georg Bauhaus
2012-07-03 14:06 ` Dmitry A. Kazakov
2012-07-03 16:12 ` Georg Bauhaus
2012-07-03 16:45 ` Georg Bauhaus
2012-07-05 1:45 ` Randy Brukardt
2012-07-05 7:48 ` Dmitry A. Kazakov
2012-07-05 19:11 ` Adam Beneschan
2012-07-05 19:55 ` Dmitry A. Kazakov
2012-07-06 7:41 ` Georg Bauhaus
2012-07-06 7:47 ` Georg Bauhaus
2012-07-06 8:05 ` Dmitry A. Kazakov
2012-07-06 8:30 ` Georg Bauhaus
2012-07-06 9:01 ` Dmitry A. Kazakov
2012-07-06 11:33 ` Simon Wright
2012-07-06 13:25 ` Dmitry A. Kazakov
2012-07-06 12:07 ` Georg Bauhaus
2012-07-06 13:37 ` Dmitry A. Kazakov
2012-07-06 16:17 ` Georg Bauhaus
2012-07-06 16:34 ` Georg Bauhaus
2012-07-06 19:18 ` Dmitry A. Kazakov
2012-07-07 1:24 ` Randy Brukardt
2012-07-07 9:09 ` Dmitry A. Kazakov
2012-07-07 1:18 ` Randy Brukardt
2012-07-07 9:14 ` Dmitry A. Kazakov
2012-07-07 12:06 ` Georg Bauhaus
2012-07-07 12:54 ` Dmitry A. Kazakov
2012-07-07 13:31 ` Georg Bauhaus
2012-07-03 5:10 ` Randy Brukardt
2012-07-03 4:51 ` Randy Brukardt
2012-07-03 12:46 ` Dmitry A. Kazakov
2012-07-05 2:18 ` Randy Brukardt
2012-07-05 8:48 ` Dmitry A. Kazakov
2012-07-05 12:07 ` Georg Bauhaus
2012-07-05 12:13 ` Georg Bauhaus
2012-07-05 12:31 ` Dmitry A. Kazakov
2012-07-05 18:16 ` Georg Bauhaus
2012-07-05 19:57 ` Dmitry A. Kazakov
2012-07-06 6:53 ` Georg Bauhaus
2012-07-07 0:43 ` Randy Brukardt
2012-07-07 8:06 ` Dmitry A. Kazakov
2012-07-07 11:17 ` Georg Bauhaus
2012-07-07 11:31 ` Dmitry A. Kazakov
2012-07-07 12:21 ` Georg Bauhaus
2012-07-07 13:03 ` Dmitry A. Kazakov
2012-06-20 19:18 ` Anh Vo
2012-06-20 20:16 ` Jeffrey R. Carter
2012-06-20 20:21 ` Jeffrey R. Carter
2012-06-20 20:51 ` Maciej Sobczak
2012-06-20 21:04 ` Dmitry A. Kazakov
2012-06-20 22:19 ` Robert A Duff
2012-06-21 6:32 ` Georg Bauhaus
2012-06-21 20:37 ` Randy Brukardt
2012-06-21 20:55 ` Jeffrey Carter
2012-06-22 19:15 ` Randy Brukardt
2012-06-21 20:23 ` Randy Brukardt
2012-06-22 7:34 ` Martin
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox