From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-0.3 required=5.0 tests=BAYES_00, REPLYTO_WITHOUT_TO_CC autolearn=no autolearn_force=no version=3.4.4 X-Google-Thread: a07f3367d7,146d9a693430fff2 X-Google-Attributes: gida07f3367d7,public,usenet X-Google-NewGroupId: yes X-Google-Language: ENGLISH,ASCII-7-bit Path: g2news1.google.com!news2.google.com!npeer03.iad.highwinds-media.com!news.highwinds-media.com!feed-me.highwinds-media.com!nx02.iad01.newshosting.com!newshosting.com!news2.euro.net!feeder.news-service.com!94.75.214.39.MISMATCH!aioe.org!.POSTED!not-for-mail From: "Dmitry A. Kazakov" Newsgroups: comp.lang.ada Subject: Re: Ada2012 Invariants and obaque types Date: Tue, 21 Jun 2011 16:42:05 +0200 Organization: cbb software GmbH Message-ID: References: <239a78ad-0937-4a7a-8163-231430fd5ffe@k27g2000yqn.googlegroups.com> <17t4afbmsrbm4.7llaajq91zz3.dlg@40tude.net> <4e008bc8$0$6568$9b4e6d93@newsspool3.arcor-online.net> <12jyfk40laprz.1mxczd0ze0dr7.dlg@40tude.net> <4e009cb2$0$6582$9b4e6d93@newsspool3.arcor-online.net> Reply-To: mailbox@dmitry-kazakov.de NNTP-Posting-Host: FbOMkhMtVLVmu7IwBnt1tw.user.speranza.aioe.org Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Complaints-To: abuse@aioe.org User-Agent: 40tude_Dialog/2.0.15.1 X-Notice: Filtered by postfilter v. 0.8.2 Xref: g2news1.google.com comp.lang.ada:19989 Date: 2011-06-21T16:42:05+02:00 List-Id: On Tue, 21 Jun 2011 15:29:22 +0200, Georg Bauhaus wrote: > On 21.06.11 14:31, Dmitry A. Kazakov wrote: > >>> In another theory, the invariant may express things >>> such as >>> Num_Green_Lights (T1) >= 3; >>> or >>> 'Length < State_of_Things (T1) * 2; >>> where Num_Green_Lights is a publicly visible function whose >>> result is somehow computed. These predicates would be informative, >>> and formal. >> >> That is not an invariant, but a constraint. > > I don't see bounds in the above. Constraint could be any, not only bounds. It is not the formula, but the meaning of: S = { x | x in T and P (x) } here P is a constraint, which produces S. x in S => Q (x) here Q is an invariant of S. It might happen that Q (x) <=> P (x). Then you could define S using Q, that would make Q constraint and P invariant. > That is, if the (theoretical) assertion is "at least, > no matter what, under all circumstances, in each implementation", > isn't this an invariant? 1. Different implementations of the same specification may have different invariants. That are the predicates which cannot be derived from the specification. 2. When a predicate can be derived from the specification that does not yet imply its equivalence to the specification. Invariant does not necessarily defines the type. 3. The difference is the intent. The specification defines the [sub]type. Invariant merely is a predicate provable true for the given implementation of the specification. (Properly constructed invariants can be used in construction of implementations, e.g. Dijkstra's approach to programming, loop invariants etc) 4. You cannot distinguish predicates used in definitions from ones used in proofs by just looking at them. It is the language's task to do this by syntax means. -- Regards, Dmitry A. Kazakov http://www.dmitry-kazakov.de