From: "Jeffrey R. Carter" <spam.not.jrcarter@acm.not.spam.org>
Subject: Re: [SPARK] Code safety and information hiding
Date: Wed, 16 Aug 2006 19:49:32 GMT
Date: 2006-08-16T19:49:32+00:00 [thread overview]
Message-ID: <gFKEg.138542$1i1.49988@attbi_s72> (raw)
In-Reply-To: <ebuj47$bal$1@sunnews.cern.ch>
Maciej Sobczak wrote:
> Consider the following simple SPARK example:
>
> package Random_Numbers is --# own Seed
You need to terminate this with ';'.
> type Seed_Type is private;
This is never referenced, so may be removed.
> procedure Rand(X out Float); --# global Seed
This should probably be
--# global in out Seed;
> --# derives Seed from Seed & X from Seed;
>
> private -- ...
No private part needed, since we've removed Seed_Type.
> end Random_Numbers;
>
> The issue with this example is the apparent strong coupling between
> the specification of Rand (of the whole package, in fact) and the
> implementation details that pop up in specs in terms of the Seed name
> used in annotations.
>
> It looks that the dependency between the body and spec is no longer
> one-way, as it logically should be, but the coupling is stronger - I
> cannot even change the name of the own Seed object, because it will
> force me to update the annotations in the specs; which in turn will
> force other packages (which should not depend on what name I use for
> Seed) that depend on these specs to recompile.
No such coupling need exist. Suppose you decide during implementation
that the name of the state variable should really be Fred. This probably
means that you need to revisit the design decisions that lead to
choosing the name Seed, but maybe Seed is a good name for the clients of
the package, but not for the implementation. In that case, the body can
contain
--# own Seed is Fred;
The idea is that the spec contains the minimum information needed to
reason formally about the behavior of the package. The existence and
manipulation of the Seed is necessary for such reasoning.
[Aside: I really don't like the use of the term "global" for state
variables. True global variables (in package specs) should be illegal;
state variables are a different cup of fish and should not be tainted by
the "global" label.]
--
Jeff Carter
"This trial is a travesty. It's a travesty of a mockery of a
sham of a mockery of a travesty of two mockeries of a sham. ...
Do you realize there's not a single homosexual on that jury?"
Bananas
27
next prev parent reply other threads:[~2006-08-16 19:49 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-16 7:56 [SPARK] Code safety and information hiding Maciej Sobczak
2006-08-16 8:53 ` roderick.chapman
2006-08-16 11:18 ` Stuart
2006-08-16 13:23 ` Maciej Sobczak
2006-08-16 19:49 ` Jeffrey R. Carter [this message]
2006-08-17 7:01 ` [SPARK] " Maciej Sobczak
2006-08-17 18:08 ` Jeffrey R. Carter
2006-08-17 20:00 ` Björn Persson
2006-08-18 1:22 ` Jeffrey R. Carter
2006-08-18 19:39 ` Björn Persson
2006-08-19 5:35 ` Jeffrey R. Carter
2006-08-19 12:47 ` Björn Persson
2006-08-20 3:58 ` Jeffrey R. Carter
2006-08-20 11:35 ` Björn Persson
2006-08-18 23:02 ` Robert A Duff
2006-08-19 5:40 ` Jeffrey R. Carter
2006-08-19 9:49 ` Stephen Leake
2006-08-20 3:52 ` Jeffrey R. Carter
2006-08-20 19:06 ` Stephen Leake
2006-08-21 1:07 ` Jeffrey R. Carter
2006-08-21 7:25 ` Maciej Sobczak
2006-08-21 19:31 ` Jeffrey R. Carter
2006-08-21 19:58 ` Dmitry A. Kazakov
2006-08-21 21:06 ` Björn Persson
2006-08-22 7:16 ` Maciej Sobczak
2006-08-22 9:45 ` Björn Persson
2006-08-22 12:42 ` Maciej Sobczak
2006-08-22 7:27 ` Dmitry A. Kazakov
2006-08-21 11:30 ` Colin Paul Gloster
2006-08-22 10:51 ` Stephen Leake
2006-08-23 9:44 ` Peter Amey
2006-08-23 22:37 ` Jeffrey R. Carter
2006-08-24 10:55 ` Peter Amey
2006-08-24 23:33 ` Jeffrey R. Carter
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox