From: phil.clayton@lineone.net
Newsgroups: comp.lang.ada
Subject: Re: SPARK problem with unconstrained arrays
Date: Tue, 24 Mar 2015 16:03:36 -0700 (PDT)
In-Reply-To: <00de73ba-0430-4528-9f10-cf664a70fa02@googlegroups.com>
References: <56938449-64e8-4e9c-89ef-8d7fa914c9eb@googlegroups.com> <00de73ba-0430-4528-9f10-cf664a70fa02@googlegroups.com>

On Tuesday, 3 March 2015 09:41:35 UTC, Maciej Sobczak wrote:
> After some exploration I can answer my own question: empty slices.
>
> Solution: add precondition to the Find_Min procedure:
>
> procedure Find_Min (A : in My_Array; I : out Index)
> with Pre => A'First <= A'Last,
> -- ...
Interestingly, this precondition was known to be necessary before your package body even existed: in the postcondition, there is no way that the predicate I in A'Range could be satisfied if A is empty (and A does not change because it is an 'in' parameter).

There is a theoretical method for determining a 'minimum' precondition of a specification - that is, the condition under which the specification is achievable. Just existentially quantify over the 'changed' variables, in your case I:

∃ I : Index ⦁ I ∈ A'Range ∧ (∀ J : A'Range ⦁ A (I) ≤ A (J))

That's a predicate whose only free variable is A, so it says something about A. Unfortunately, it's not obvious what. That's probably equivalent to A is not empty in the context of A : My_Array. In one direction the proof is trivial but in the other, you probably have to start by showing that a non-empty set of integers has a least element... It's this sort of thing that gave formal methods a bad name.

Phil
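The following is an added example, not code from either poster in this thread. It shows a complete SPARK spec and body for Find_Min whose precondition is exactly the non-emptiness condition the thread converges on, with a postcondition matching the quantified predicate above and the loop invariants GNATprove needs to discharge it. The declarations of Index and My_Array are assumed here, since the original post does not show them, and the package name Min_Search is invented.

```ada
-- Added example (not from the thread). Type declarations are assumed:
-- the original post never showed how Index and My_Array were declared.
package Min_Search with SPARK_Mode is

   subtype Index is Integer range 1 .. 1_000;
   type My_Array is array (Index range <>) of Integer;

   -- Without the precondition, the postcondition is unsatisfiable for an
   -- empty A (no I can be in an empty A'Range), so GNATprove reports the
   -- postcondition as unprovable. With it, the body below proves.
   procedure Find_Min (A : in My_Array; I : out Index)
     with Pre  => A'First <= A'Last,   -- A is non-empty
          Post => I in A'Range
                  and then (for all J in A'Range => A (I) <= A (J));

end Min_Search;

package body Min_Search with SPARK_Mode is

   procedure Find_Min (A : in My_Array; I : out Index) is
   begin
      -- Legal only because Pre guarantees A'First is a valid index.
      I := A'First;
      for J in A'First .. A'Last loop
         if A (J) < A (I) then
            I := J;
         end if;
         -- The candidate stays within the prefix examined so far, and is
         -- a minimum of that prefix; together these yield Post at exit.
         pragma Loop_Invariant (I in A'First .. J);
         pragma Loop_Invariant
           (for all K in A'First .. J => A (I) <= A (K));
      end loop;
   end Find_Min;

end Min_Search;
```

With GNAT, the spec and body belong in min_search.ads and min_search.adb (or run gnatchop on the combined file); `gnatprove -P <project> --level=2` then proves both contracts. Deleting the Pre line reproduces the original poster's problem: the call A (I) in the postcondition and the assignment I := A'First both lose their range proofs for the empty-slice case.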