From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 Path: eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!news.eternal-september.org!feeder.eternal-september.org!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: Niklas Holsti Newsgroups: comp.lang.ada Subject: Re: Preconditions which anyway would be caught? Date: Sun, 10 Aug 2014 23:58:14 +0300 Organization: Tidorum Ltd Message-ID: References: <7vydnShDldsh6XvO4p2dnAA@giganews.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Trace: individual.net u5wBk7Pm5mcNzO69DngcDgLkwuprajjLHVRHmGDl2piahf26S3 Cancel-Lock: sha1:nhvKPMfkGbzhUasTfpdZqHNQvBM= User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 In-Reply-To: Xref: news.eternal-september.org comp.lang.ada:21646 Date: 2014-08-10T23:58:14+03:00 List-Id: On 14-08-10 01:57 , Peter Chapin wrote: > On 2014-08-09 17:04, Niklas Holsti wrote: > >> Just to be a pedant: shouldn't that have some decimals on the literals: >> >> function Inverse(X : Float) return Float >> with Pre => (X /= 0.0) is >> begin >> return 1.0/X; >> end; >> >> In addition, is it really true that all Float numbers /= 0.0 can be >> inverted without error? What if X is a denormalized number which has >> suffered gradual underflow... won't its inverse overflow, because there >> is no concept of "gradual overflow" in IEEE floats? > > I wondered about that also, in fact. > > I just tried it with your corrections so it actually *does* compile. > Without any precondition SPARK 2014 complains that > > overflow check might fail > divide by zero check might fail > > With the precondition of X /= 0.0 SPARK says > > overflow check might fail > > However, this proves fine: > > function Inverse(X : Float) return Float > with Pre => not(-1.0E-35 < X and X < +1.0E-35) is > begin > return 1.0/X; > end; > > I didn't experiment to see how close to zero I could make the bounds in > the precondition but clearly your concern is a valid one. I think the actual precondition and function were only examples to illustrate the OP's question, so we are off-topic, too bad. But to continue: I wrote a program that initializes X to 1.0 and repeatedly divides by 2.0 until X is zero, printing X and 1.0/X each time. The break is here: X = 1.17549E-38, 1.0/X = 8.50706E+37 X = 5.87747E-39, 1.0/X = 1.70141E+38 X = 2.93874E-39, 1.0/X = +Inf******* X = 1.46937E-39, 1.0/X = +Inf******* and the last non-zero value is X = 1.40130E-45, 1.0/X = +Inf******* This is with an unconstrained X : Float. Float'Machine_Overflows is False. If I assign 1.0 / X to a variable Y of the subtype "Float range Float'Range" I of course get a Constraint_Error instead of the +Inf. Computing 1.0 / Float'Last gives 2.93874E-39, and a compile-time (!) warning from GNAT that "gradual underflow causes loss of precision". Neat. -- Niklas Holsti Tidorum Ltd niklas holsti tidorum fi . @ .