Newsgroups: comp.lang.ada
Date: Wed, 19 Dec 2018 20:34:13 -0800 (PST)
References: <6f00bf64-d501-487c-b3cb-17e97346e801@googlegroups.com> <8bd49bc7-ea3e-4e8c-9292-c37fd2e54e54@googlegroups.com>
Subject: Re: New to Spark, working an example
From: Brad Moore
Xref: reader01.eternal-september.org comp.lang.ada:55082

On Wednesday, December 19, 2018 at 9:58:44 AM UTC-7, Simon Wright wrote:
> Brad Moore writes:
>
> > On Sunday, December 16, 2018 at 2:48:19 AM UTC-7, Simon Wright wrote:
>
> >> util.ads:3:16: medium: overflow check might fail (e.g. when
> >> Floor_Log2'Result = 0)
>
> > As an aside, it appears the version of gnatprove in GNAT CE 2018 does
> > have a pretty good understanding of exponentiation, given that I was
> > able to get the following proven.
>
> Apparently so. But the part of gnatprove that gives examples of when the
> assertion might fail is quite misleading: for example,
>
> util.ads:7:14: medium: postcondition might fail, cannot prove 2 **
> Floor_Log2'Result <= X (e.g. when Floor_Log2'Result = 0 and X = 0)
>
> *when X is Positive* !! and
>
> util.adb:19:15: medium: overflow check might fail (e.g. when I = 0)
>
> l.18 for I in 1 .. Log_Result'Last loop
> l.19 if 2 ** I > X then

I agree that the error messages are misleading, as I was getting similar messages when I was working on this. While the values "0" mentioned in the error messages were confusing to me, I think the messages were helpful at least in suggesting the sort of tests the prover was trying to prove, which ultimately helped me figure out the assertions that were needed to get this to pass. The values given can be a bit of a red herring sometimes, but I think the underlying test described by the message is more helpful. This is my second problem that I attempted to prove in SPARK, so I didn't know if I would succeed, or know much about how to approach this. It's kind of a rewarding feeling when you get the prover to pass.

One suggestion I have to prove postconditions is to state the postcondition as an assert before returning from the subprogram, and work backwards from there.

Brad
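Brad's suggestion of restating the postcondition as an assert before the return, worked through as an added example that is not code from this thread: a SPARK Floor_Log2 whose loop invariant carries the 2 ** Result <= X half of the contract, with the exit test written on 2 ** (Result + 1) so the exponent stays inside the subtype and the overflow check the messages above complain about stays bounded. Assumed, since the thread shows only fragments: the package name Util, Log_Result as 0 .. 30 so that 2 ** Log_Result'Last fits a 32-bit Integer, the upper-bound conjunct of the Post (without it, returning 0 satisfies the contract), and that gnatprove's behaviour on this exact formulation has not been checked here.

```ada
--  util.ads (added example; names, the 0 .. 30 bound and the
--  upper-bound half of the Post are assumptions, not the thread's code)
package Util with SPARK_Mode is

   subtype Log_Result is Natural range 0 .. 30;

   --  Floor of log2 (X): the largest R with 2 ** R <= X.
   function Floor_Log2 (X : Positive) return Log_Result with
     Post => 2 ** Floor_Log2'Result <= X
             and then (Floor_Log2'Result = Log_Result'Last
                       or else X < 2 ** (Floor_Log2'Result + 1));

end Util;

--  util.adb
package body Util with SPARK_Mode is

   function Floor_Log2 (X : Positive) return Log_Result is
      Result : Log_Result := 0;
   begin
      --  2 ** (Result + 1) is only evaluated while Result < Log_Result'Last,
      --  so the exponent never exceeds 30 and the exponentiation cannot
      --  overflow a 32-bit Integer; that is what makes the check provable.
      while Result < Log_Result'Last and then 2 ** (Result + 1) <= X loop
         --  The invariant is the lower-bound half of the postcondition,
         --  true on entry (2 ** 0 = 1 <= X since X is Positive) and
         --  re-established by the exit test before Result is bumped.
         pragma Loop_Invariant (2 ** Result <= X);
         pragma Loop_Variant (Increases => Result);
         Result := Result + 1;
      end loop;

      --  Brad's technique: restate the postcondition as asserts just
      --  before the return. If one of these does not prove, the missing
      --  fact lies between the loop invariant and the exit condition,
      --  not in the contract itself, and can be worked backwards from here.
      pragma Assert (2 ** Result <= X);
      pragma Assert (Result = Log_Result'Last
                     or else X < 2 ** (Result + 1));
      return Result;
   end Floor_Log2;

end Util;
```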