From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID
	autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,cd5c71f09395807a
X-Google-Attributes: gid103376,public
From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Assertions in Ada
Date: 1997/08/22
Message-ID: <dewar.872256570@merv>#1/1
X-Deja-AN: 267993222
References: <adaworksEF8qn5.I15@netcom.com>
 <EF9nDu.EIK.0.-s@inmet.camb.inmet.com>
 <Pine.SGI.3.95.970821182126.24493A-100000@shellx.best.com>
Organization: New York University
Newsgroups: comp.lang.ada
Date: 1997-08-22T00:00:00+00:00
List-Id: <comp.lang.ada>


Brian says

<<This decision seems exactly right to me, though for a different reason. It
isn't clear to me that there is enough consensus on formal (in the sense of
"mathematically formal") programming methodologies to consider choosing a
set of constructs to put in the language proper. It makes more sense to
let people experiment with tools/notations/methods like Anna, Larch, Z, B,
and others. So IMO, Ada got this right, and Eiffel got it wrong, just like
Eiffel got modules wrong.>>

I basically agree. I think it useful to have the simple minded Assert
that is provided in GNAT (and several other compilers have copied this,
as Tuck notes). This assert is not some kind of wonderful silver bullet
that will make all Ariane-like problems disappear, but it is a useful
tool, as has been well known by programmers for longer than I can
remember. The GNAT compiler itself for instance is full of assertions,
and they have been invaluable in 

   (a) avoiding silent generation of wrong code, the most heinous
       crime a compiler can commit.

   (b) speeding up the tracking of errors

GNAT is now at the point where it is stable enough that it makes sense
to turn off these assertions for the production version, and we intend
to do this in version 3.11 of GNAT -- our experiments show that (a) is
no longer a significant concern, and we will still keep the assertions
around to help with (b) -- one of the handy things about the pragma
Assert is that it can be externally activated (the -gnata switch in GNAT).

But I agree that putting in anything formal or elaborate would have been
premature. What would be nice to see is people experimenting with possible
interesting annotations, etc with GNAT. 

(by the way, if you want to experiment with the fast version of GNAT, with
assertions off, you can do it yourself, by rebuilding the compiler with
the -gnatn switch on and the -gnata switch omitted :-)