From: vincent.diemunsch@gmail.com
Subject: Re: {Pre,Post}conditions and side effects
Date: Sat, 25 Apr 2015 05:08:32 -0700 (PDT)
Date: 2015-04-25T05:08:32-07:00 [thread overview]
Message-ID: <ce4af31e-d491-479f-a5b3-0b3eedea2a68@googlegroups.com> (raw)
In-Reply-To: <871tj9dp5b.fsf@theworld.com>
Le samedi 25 avril 2015 02:31:57 UTC+2, Bob Duff a écrit :
> Same reason we put comments in the code. Comments are not "essential
> program logic" in the sense defined above -- if you delete all the
> comments, the program will still work. But we still want comments.
> Likewise, one should normally write assertions (like Pre and Predicate)
> so the program still works if they are deleted.
>
> Assertions are like comments, except we have a higher confidence
> that they are actually true.
>
I agree. Assertions express logical properties of the program. One can have a high
confidence in them for two reasons :
1. mathematical correctness according to a given theory
2. proof that the code is coherent with the assertion, using a tool.
But Assertions should stay as comments, for they are not code but logical formula expressed
in a mathematical langage. They were comments in Spark 05 and it is still the case in Frama-C
or many formal proof systems. Hoare logic is supposed to give "correctness by construction" :
which is the ability to never fail on a runtime test. This is required in safety critical systems.
But what Ada and SPARK 2014 are doing is "design by contract", as Bertrand Meyer
called it. This makes a confusion between a precondition and a runtime test. It may
look appealing in the beginning but it is nothing else than a test harness put around
a subprogram. With all the problems related to it : how to debug it ? Should it raise
exceptions ? It breaks the separation between specification and implementation etc.
Therefore, I don't think that it is the right choice for a langage that is mainly used in
safety critical systems.
https://groups.google.com/forum/#!searchin/comp.lang.ada/future$20of$20spark/comp.lang.ada/klr0i37j0uk/5IeGMdlh7PYJ
Kind regards,
Vincent
next prev parent reply other threads:[~2015-04-25 12:08 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-22 16:22 {Pre,Post}conditions and side effects Jean François Martinez
2014-12-22 17:18 ` Brad Moore
2014-12-23 8:22 ` Jean François Martinez
2014-12-23 17:05 ` Robert A Duff
2014-12-23 21:09 ` Jean François Martinez
2014-12-23 21:35 ` Robert A Duff
2014-12-23 23:02 ` Peter Chapin
2014-12-24 1:03 ` Robert A Duff
2015-04-24 8:59 ` Jacob Sparre Andersen
2015-04-24 9:18 ` J-P. Rosen
2015-04-24 23:39 ` Randy Brukardt
2015-04-24 12:10 ` G.B.
2015-04-24 14:40 ` Jacob Sparre Andersen
2015-04-24 16:29 ` G.B.
2015-04-24 23:46 ` Randy Brukardt
2015-04-24 22:26 ` Peter Chapin
2015-04-25 0:13 ` Randy Brukardt
2015-04-25 1:01 ` Peter Chapin
2015-04-25 5:51 ` Dmitry A. Kazakov
2015-04-25 0:31 ` Bob Duff
2015-04-25 12:08 ` vincent.diemunsch [this message]
2015-04-25 16:37 ` Georg Bauhaus
2015-05-06 21:07 ` Randy Brukardt
2015-05-06 22:10 ` Paul Rubin
2015-05-07 9:01 ` Georg Bauhaus
2015-05-07 9:12 ` Dmitry A. Kazakov
2015-05-07 9:29 ` Georg Bauhaus
2015-05-07 9:31 ` Georg Bauhaus
2015-05-07 18:32 ` Randy Brukardt
2015-05-08 7:50 ` Dmitry A. Kazakov
2015-05-08 23:31 ` Randy Brukardt
2015-05-09 6:16 ` Dmitry A. Kazakov
2015-05-12 0:28 ` Randy Brukardt
2015-05-12 8:04 ` Dmitry A. Kazakov
2015-05-07 10:06 ` Stefan.Lucks
2015-05-07 12:16 ` Dmitry A. Kazakov
2015-05-07 18:00 ` Stefan.Lucks
2015-05-07 19:01 ` Randy Brukardt
2015-05-07 19:29 ` Niklas Holsti
2015-05-08 23:16 ` Randy Brukardt
2015-05-09 5:18 ` Niklas Holsti
2015-05-12 0:15 ` Randy Brukardt
2015-05-07 19:55 ` Dmitry A. Kazakov
2015-05-08 23:24 ` Randy Brukardt
2015-05-09 5:47 ` Dmitry A. Kazakov
2015-05-07 18:52 ` Randy Brukardt
2015-05-07 19:40 ` Stefan.Lucks
2015-05-08 7:28 ` Dmitry A. Kazakov
2015-05-08 22:58 ` Randy Brukardt
2015-05-08 22:52 ` Randy Brukardt
2015-05-09 0:14 ` Paul Rubin
2015-05-12 0:30 ` Randy Brukardt
2015-05-12 18:10 ` Paul Rubin
2015-05-12 22:01 ` Randy Brukardt
2015-05-13 9:35 ` Dmitry A. Kazakov
2015-05-13 11:53 ` G.B.
2015-05-13 12:47 ` Dmitry A. Kazakov
2015-05-13 14:06 ` G.B.
2015-05-13 14:21 ` Dmitry A. Kazakov
2015-05-13 16:33 ` G.B.
2015-05-13 19:15 ` Dmitry A. Kazakov
2015-05-14 1:36 ` Randy Brukardt
2015-05-14 7:10 ` Dmitry A. Kazakov
2015-05-14 1:32 ` Randy Brukardt
2015-05-14 7:19 ` Dmitry A. Kazakov
2015-05-12 0:36 ` Randy Brukardt
2015-05-11 10:35 ` Stefan.Lucks
2015-05-11 21:49 ` vincent.diemunsch
2015-05-11 22:49 ` Peter Chapin
2015-05-12 4:49 ` vincent.diemunsch
2015-05-12 23:25 ` Peter Chapin
2015-05-13 9:00 ` vincent.diemunsch
2015-05-12 4:42 ` vincent.diemunsch
2015-05-12 14:53 ` johnscpg
2015-05-13 9:14 ` vincent.diemunsch
2015-05-12 1:03 ` Randy Brukardt
2015-05-12 7:21 ` Georg Bauhaus
2015-05-12 22:08 ` Randy Brukardt
2015-05-12 8:02 ` Georg Bauhaus
2015-05-12 22:14 ` Randy Brukardt
2015-05-12 8:37 ` Stefan.Lucks
2015-05-12 11:25 ` Stefan.Lucks
2015-05-12 18:44 ` Paul Rubin
2015-05-12 20:52 ` Stefan.Lucks
2015-05-18 9:49 ` Jacob Sparre Andersen
2015-05-18 12:10 ` Stefan.Lucks
2015-05-19 7:46 ` Jacob Sparre Andersen
2015-06-09 7:55 ` Stefan.Lucks
2015-06-09 12:02 ` G.B.
2015-06-09 17:16 ` Stefan.Lucks
2015-05-12 18:39 ` Paul Rubin
2015-05-12 20:51 ` Stefan.Lucks
2015-05-12 14:21 ` Bob Duff
2015-05-12 22:37 ` Randy Brukardt
2015-05-13 6:58 ` Georg Bauhaus
2015-05-14 1:21 ` Randy Brukardt
2015-05-07 21:29 ` Georg Bauhaus
2015-05-08 23:11 ` Randy Brukardt
2015-05-08 23:19 ` tmoran
2014-12-23 21:53 ` Florian Weimer
2014-12-24 11:41 ` Brad Moore
2014-12-22 19:38 ` sbelmont700
2014-12-22 19:59 ` Brad Moore
2014-12-22 23:46 ` Randy Brukardt
2014-12-23 10:41 ` Georg Bauhaus
2014-12-22 23:32 ` Randy Brukardt
2015-04-24 17:59 ` Shark8
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox