From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: 103376,b78c363353551702 X-Google-NewGroupId: yes X-Google-Attributes: gida07f3367d7,domainid0,public,usenet X-Google-Language: ENGLISH,ASCII-7-bit Received: by 10.68.227.67 with SMTP id ry3mr10492086pbc.8.1340653333613; Mon, 25 Jun 2012 12:42:13 -0700 (PDT) Path: l9ni19298pbj.0!nntp.google.com!news2.google.com!volia.net!news2.volia.net!feed-A.news.volia.net!newsfeed.utanet.at!newsfeed.tele2net.at!aioe.org!.POSTED!not-for-mail From: "Dmitry A. Kazakov" Newsgroups: comp.lang.ada Subject: Re: about the new Ada 2012 pre/post conditions Date: Mon, 25 Jun 2012 21:42:11 +0200 Organization: cbb software GmbH Message-ID: References: <1hgo6aks03zy.by4pq4xbjsgf$.dlg@40tude.net> <1jvy3elqtnd1j.1sjbk32evhp1f$.dlg@40tude.net> <1oih2rok18dmt.avbwrres5k12.dlg@40tude.net> <4fe59ea0$0$9502$9b4e6d93@newsspool1.arcor-online.net> <1mkp7fzlk1b0y.1ueinfjn48fcy$.dlg@40tude.net> <4fe72b6b$0$9504$9b4e6d93@newsspool1.arcor-online.net> <1bbvp3ghpjb5s.1go1s1qvcmagh$.dlg@40tude.net> <4fe76fad$0$9507$9b4e6d93@newsspool1.arcor-online.net> <1jt8vhzxfrv2i.eohce4d3rwx1$.dlg@40tude.net> <4fe83aaa$0$6624$9b4e6d93@newsspool2.arcor-online.net> <1pkfv0tiod3rn$.onx6dmaa3if9$.dlg@40tude.net> <1i1mp8xs3vtl2.1oc4m66qtfgzq.dlg@40tude.net> Reply-To: mailbox@dmitry-kazakov.de NNTP-Posting-Host: q1gJPV1SC/KP9ydRbYoWiw.user.speranza.aioe.org Mime-Version: 1.0 X-Complaints-To: abuse@aioe.org User-Agent: 40tude_Dialog/2.0.15.1 X-Notice: Filtered by postfilter v. 0.8.2 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Date: 2012-06-25T21:42:11+02:00 List-Id: On Mon, 25 Jun 2012 18:26:18 +0200, stefan-lucks@see-the.signature wrote: > On Mon, 25 Jun 2012, Dmitry A. Kazakov wrote: > >> Hilbert's program by no means was intended to justify logic or mathematics >> themselves. This is outright wrong. > > Hilbert's program was an attempt to re-build the very foundations of > Mathematics. No more, no less. See > . Right, and this had nothing to do with justification either logic or mathematics by means of themselves. Such an epic task would rather be a job for baron Muenchausen. Just scroll through the Hilbert's program list of problems: http://en.wikipedia.org/wiki/Hilbert_problems >> If Ada precondition is neither implementation (#1) nor >> specification/contract (#2) then what is it? > > A syntax for specifications. Syntax only? >>> *Secondly*, you seem to overlook that there are three semantical options, >>> rather than the two you mention: >>> >>> 1 ignore the conditions >>> >>> 2 check them dynamically at run time >>> >>> 3 prove them statically at compile time >> >> I didn't: >> >> Assuming #1, only no.2 is possible. #1 <=> no.2 >> >> Assuming #2, you have only choice between no.1 and no.3. #2 <=> no.1 or >> no.2. >> >> One *cannot* mix no.1/3 with no.2, that is what upsets me. > > But you are not locked into either option 1, 2, or 3, you can choose, > without having to change the language, or to rewrite a single character > of your program source. Same syntax for things which are far more apart than just semantically different. What a bizzare idea! You would be switching between contract specification and implementation per compiler switch! Is this C preprocessor or Ada? >> That clearly precludes no.2: handling is within the checker, checker is >> outside the testee. > > Well, this separation is ideal. But most of the time, a testee that > discovers itself being in a faulty state (and that is, what a failed > dynamic check actually reveals), the testee is still able to write some > information to a log file. Sure, you can construct or find the odd > counterexample -- but in practice almost all the time this approach works. > (OK, I am assuming your system allows to write some log output at all.) Tracing is OK, but what happens afterwards? If continuation is possible, that requires some cleanup, rollback, retry etc, which has the goal of putting the system into some definite state. This is not over before over. >> And, very importantly, we want to contract exceptions some day, don't we? > > Sure! So what? How are going to marry exceptions propagating from contracts with contracts on exceptions? Some exceptions are more exceptional than others? Aren't we fed up with Program_Error? > Ada.Assertions.Assertion_Error is one exception like Constraint_Error or > the like. Either, you prove that this or that exception will not be > raised. Or you claim that such an exception is not raised. If it is > actually raised this is a violation of the contract. Which is a big deal > for, say, Constraint_Error, but not for Ada.Assertions.Assertion_Error ... > the exception that indicates the violation of a contract, anyway. (Assuming > that Ada.Assertions.Assertion_Error is not raised manually -- but no sane > programmer would do that.) > > Actually, there is one exception that is difficult to specify. It is our > old fellow > > Storage_Error. > > On the level of source code analysis, you > actually cannot prove that this exception will not be raised. Firstly, you if you don't want to prove anything about a certain exception, you would add this exception to all contracts involved and take care about exceptions of interest. Secondly, you would rather prove conditionals, like: Storage_Error is not propagated when given amount of memory is available in the specified pools. This is good enough for most cases, which are not about any exact bound, but about existence of such bound, i.e. about memory leak detection. Thirdly, you would be able to provide axioms. E.g. for some complex recursive operation, you could just specify the upper memory consumption bound known to you from other sources, and let the prover to go with that (the oracle). I think conservative Storage_Errror proof is pretty doable. If you move the upper bound a pair Kbytes upward it would eliminate most of problems. We certainly could learn from Java mistakes rather than repeating them (e.g. interfaces). -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de