From: Brian Drummond <brian@shapes.demon.co.uk>
Subject: Re: Generic-Package Elaboration Question / Possible GNAT Bug.
Date: Thu, 24 Nov 2011 11:15:35 +0000 (UTC)
Date: 2011-11-24T11:15:35+00:00 [thread overview]
Message-ID: <jal90n$c4u$1@dont-email.me> (raw)
In-Reply-To: m28vn67xke.fsf@pushface.org
On Thu, 24 Nov 2011 08:07:45 +0000, Simon Wright wrote:
> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>
>> Should it mean that you don't care about separation of implementation
>> and interface?
>
> What I think I was trying to say was that it doesn't seem to me to make
> a lot of difference whether the pre/post-conditions are dynamic.
> Providing, of course, I've understood your point.
I think it does.
> To take Georg's example of the stack, I don't see how you're going to
> express the fact that its capacity is bounded other than by comments
> about constraint errors or by preconditions.
>
> I seem to be tempted into speculations about SPARK at this point. Stacks
> seem to be a rather dangerous construct from the point of view of
> proving correctness, logic not being very good at counting.
Indeed. But if you also prohibit recursion, maximum stack use is provable.
Spark is interesting in that some implementation facts (but not really
details) do leak into the annotations (contracts) in the specification,
though not into the Ada code for the specification.
It has strategies to hide the details (this procedure modifies the state
in that package, via an accessor) which are "refined" internally in the
package implementation (the accessor modifies stack contents, stack
pointer).
But the state of the art seems to be that for contracts to be statically
determinable, you must restrict how you program, compared to full Ada.
In this world, I come down on the side of: dynamically determinable
contracts may not be perfect, but they are a lot better than nothing. I
would use them and try to create tests to catch them out.
Ada is full of such implicit contracts, though they may have other names;
some statically determinable...
for i in my_array'range loop -- I is contracted to be in range
and some dynamically determinable
a * 1000000 -- raises Constraint_Error if violated
and I don't see any objections to these (maybe from C programmers!)
so I think only good can come of the ability to create additional
contracts.
Unless perhaps the programmer gains a false sense of security from having
written contracts. But how is that any different from using the implicit
ones?
Perhaps the best that can be hoped for is an assessment of each contract
by the compiler (or proof tool), and a "WARNING: may raise exception" for
the not-proven, to minimise such complacency.
- Brian
next prev parent reply other threads:[~2011-11-24 11:15 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-19 21:14 Generic-Package Elaboration Question / Possible GNAT Bug Shark8
2011-11-19 22:12 ` Robert A Duff
2011-11-19 23:36 ` Shark8
2011-11-20 9:55 ` Dmitry A. Kazakov
2011-11-21 7:25 ` AdaMagica
2011-11-21 8:43 ` Dmitry A. Kazakov
2011-11-21 10:25 ` AdaMagica
2011-11-21 13:08 ` Robert A Duff
2011-11-21 13:50 ` Dmitry A. Kazakov
2011-11-21 19:41 ` Robert A Duff
2011-11-22 8:21 ` Dmitry A. Kazakov
2011-11-21 20:40 ` J-P. Rosen
2011-11-22 8:29 ` Dmitry A. Kazakov
2011-11-22 10:25 ` Georg Bauhaus
2011-11-22 14:32 ` Dmitry A. Kazakov
2011-11-22 15:02 ` Georg Bauhaus
2011-11-22 16:23 ` Dmitry A. Kazakov
2011-11-22 17:46 ` Georg Bauhaus
2011-11-22 19:15 ` Dmitry A. Kazakov
2011-11-22 21:03 ` Randy Brukardt
2011-11-22 21:26 ` Dmitry A. Kazakov
2011-11-23 0:07 ` Georg Bauhaus
2011-11-23 8:44 ` Dmitry A. Kazakov
2011-11-23 9:32 ` Simon Wright
2011-11-23 9:56 ` Dmitry A. Kazakov
2011-11-23 11:03 ` Georg Bauhaus
2011-11-23 11:13 ` Dmitry A. Kazakov
2011-11-23 11:25 ` Georg Bauhaus
2011-11-23 13:14 ` Dmitry A. Kazakov
2011-11-23 13:59 ` Georg Bauhaus
2011-11-23 14:43 ` Dmitry A. Kazakov
2011-11-23 16:10 ` Georg Bauhaus
2011-11-23 19:51 ` Dmitry A. Kazakov
2011-11-24 0:59 ` Georg Bauhaus
2011-11-24 9:14 ` Dmitry A. Kazakov
2011-11-23 15:12 ` Simon Wright
2011-11-23 19:53 ` Dmitry A. Kazakov
2011-11-24 8:07 ` Simon Wright
2011-11-24 9:27 ` Dmitry A. Kazakov
2011-11-24 10:49 ` Georg Bauhaus
2011-11-24 13:14 ` Dmitry A. Kazakov
2011-11-24 14:31 ` Georg Bauhaus
2011-11-24 16:32 ` Dmitry A. Kazakov
2011-11-24 11:15 ` Brian Drummond [this message]
2011-11-24 18:12 ` Simon Wright
2011-11-24 23:52 ` Brian Drummond
2011-11-23 10:35 ` Brian Drummond
2011-11-23 9:54 ` Georg Bauhaus
2011-11-23 10:30 ` Dmitry A. Kazakov
2011-11-23 4:08 ` Yannick Duchêne (Hibou57)
2011-11-23 4:11 ` Yannick Duchêne (Hibou57)
2011-11-22 23:52 ` Georg Bauhaus
2011-11-23 9:04 ` Dmitry A. Kazakov
2011-11-23 11:15 ` Georg Bauhaus
2011-11-23 13:30 ` Dmitry A. Kazakov
2011-11-23 14:42 ` Georg Bauhaus
2011-11-23 19:48 ` Dmitry A. Kazakov
2011-11-24 1:36 ` Georg Bauhaus
2011-11-24 10:52 ` Dmitry A. Kazakov
2011-11-24 11:30 ` Georg Bauhaus
2011-11-24 12:52 ` Dmitry A. Kazakov
2011-11-24 14:45 ` Georg Bauhaus
2011-11-25 9:54 ` Dmitry A. Kazakov
2011-11-24 7:46 ` stefan-lucks
2011-11-24 3:07 ` Shark8
2011-11-24 6:07 ` Yannick Duchêne (Hibou57)
2011-11-24 10:10 ` Dmitry A. Kazakov
2011-11-24 11:15 ` Georg Bauhaus
2011-11-24 22:48 ` Shark8
2011-11-25 9:25 ` Yannick Duchêne (Hibou57)
2011-11-26 21:59 ` Shark8
2011-11-25 9:47 ` Dmitry A. Kazakov
2011-11-25 10:15 ` Georg Bauhaus
2011-11-25 10:51 ` Yannick Duchêne (Hibou57)
2011-11-25 15:45 ` Georg Bauhaus
2011-11-25 16:05 ` Yannick Duchêne (Hibou57)
2011-11-25 16:19 ` Yannick Duchêne (Hibou57)
2011-11-23 3:49 ` Yannick Duchêne (Hibou57)
2011-11-23 8:50 ` Georg Bauhaus
2011-11-23 9:45 ` Yannick Duchêne (Hibou57)
2011-11-23 10:55 ` Georg Bauhaus
2011-11-23 3:20 ` Yannick Duchêne (Hibou57)
2011-11-23 15:05 ` Robert A Duff
2011-11-21 17:00 ` Adam Beneschan
2011-11-23 3:13 ` Yannick Duchêne (Hibou57)
2011-11-24 3:47 ` Shark8
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox