From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.4 X-Google-Thread: 103376,e58bb9b46b60f0fb X-Google-Attributes: gid103376,public X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news1.google.com!news3.google.com!border1.nntp.dca.giganews.com!nntp.giganews.com!wns14feed!worldnet.att.net!attbi_s21.POSTED!53ab2750!not-for-mail From: "Jeffrey R. Carter" Organization: jrcarter at acm dot org User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060130 SeaMonkey/1.0 MIME-Version: 1.0 Newsgroups: comp.lang.ada Subject: Re: subtypes and preconditions References: <489s9rFhkfqdU1@individual.net> In-Reply-To: <489s9rFhkfqdU1@individual.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Message-ID: NNTP-Posting-Host: 12.214.35.215 X-Complaints-To: abuse@mchsi.com X-Trace: attbi_s21 1142962954 12.214.35.215 (Tue, 21 Mar 2006 17:42:34 GMT) NNTP-Posting-Date: Tue, 21 Mar 2006 17:42:34 GMT Date: Tue, 21 Mar 2006 17:42:34 GMT Xref: g2news1.google.com comp.lang.ada:3526 Date: 2006-03-21T17:42:34+00:00 List-Id: Peter Amey wrote: > > I strongly agree. Thoughtful use of subtypes is one of the most useful > things to do in SPARK programs, it greatly assists with exception > freedom proofs. > > I suspect the latter form of your function arises because, many years > ago, the SPARK Examiner did not carry type information into verification > conditions. In those far-off days it wouldn't have known that A was >= > 0 even if the subype Natural was given. Since about the mid 90s the > Examiner makes full use of all the information deducible from type and > subtype ranges. Right. The 2 forms are equivalent when doing proofs. Yet I keep seeing examples that use preconditions rather than subtypes. For example, Barnes (2003) gives the example of Divide (p 70): procedure Divide (M, N : in Integer; Q, R : out Integer); --# derives Q, R from M, N; --# pre (M >= 0) and (N > 0); --# post (M = Q * N + R) and (R < N) and (R >= 0); rather than procedure Divide (Dividend : in Natural; Divisor : in Positive; Quotient : out Natural; Remainder : out Natural); --# derives Quotient, Remainder from Dividend, Divisor; --# post Dividend = Quotient * Divisor + Remainder and Remainder < Divisor; The "R >= 0" in the assertion also becomes unnecessary with appropriate subtypes. Similarly, he has (pp 77-78) procedure GCD (M, N : in Integer; G : out Integer); --# derives G from M, N; --# pre M >= 0 and N > 0 --# post G > 0 and (M rem G = 0) and (N rem G = 0); rather than procedure GCD (M : in Natural; N : in Positive; G : out Positive); --# derives G from M, N; --# post M rem G = 0 and N rem G = 0; -- Jeff Carter "You empty-headed animal-food-trough wiper." Monty Python & the Holy Grail 04