From: "Randy Brukardt" <randy@rrsoftware.com>
Subject: Re: Pure function aspect?...
Date: Thu, 12 Jan 2012 18:00:05 -0600
Date: 2012-01-12T18:00:05-06:00 [thread overview]
Message-ID: <jens6a$3fb$1@munin.nbi.dk> (raw)
In-Reply-To: 1d74a186-2599-4de5-af49-ffca2529ea96@do4g2000vbb.googlegroups.com
"Martin" <martin@thedowies.com> wrote in message
news:1d74a186-2599-4de5-af49-ffca2529ea96@do4g2000vbb.googlegroups.com...
> Now Ada has bitten the bullet and allowed "in out" mode parameters in
> functions, is it time to allow users to contract the other extreme and
> allow a function to be declared Pure (no state changes, not even
> hidden ones)? e.g.
>
> package P is
> type T is tagged private;
> function Pure_F (Self : T) return Integer
> with Pure;
> function Impure_F (Self : T) return Integer;
> private
> type T is tagged record
> I : Integer := 0;
> end record;
> end P;
>
>
> Functions with a Pure contract would be allowed to call other
> functions with pure contracts, read values/parameters but promise to
> change nothing (not even via 'tricks' a la random number generator!!).
We've argued this for a long time within the ARG, and we haven't been able
to get a real consensus. This discussion goes back to Ada 79 (which is even
before I got involved in Ada) -- early drafts of Ada had both functions
(which were what we now call pure) and value-returning procedures (which
were not). The concern was that there was not a clear line between them, and
moreover there are many sorts of functions that are "logically" pure but
still do change things (the "memo function" being the banner carrier for
that idea).
Personally, I would be happy to have strong checks on such functions, and I
don't much care about what gets left out (it's not that important, and any
such functions are not task-safe anyway, so it is already a good idea to
avoid them in Ada code). But not everyone agrees. We just had another
version of this discussion in Denver; we ended up adopting an undetectable
bounded error for this case (in the case of assertions, including
preconditions, et. al.).
I had tried an alternative approach for Ada 2012, by suggesting the addition
of checked global in/out contracts to subprograms. Eventually, this was
dropped from Ada 2012 as being insufficiently mature. My understanding is
that AdaCore is experimenting with a version of it in their formal methods
research, so it isn't necessarily gone forever (which is good, considering
the amount of time I put in on it). You can see the last proposal at
http://www.ada-auth.org/cgi-bin/cvsweb.cgi/ai05s/ai05-0186-1.txt.
Randy.
next prev parent reply other threads:[~2012-01-13 0:00 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-12 10:44 Pure function aspect? Martin
2012-01-13 0:00 ` Randy Brukardt [this message]
2012-01-13 8:45 ` Dmitry A. Kazakov
2012-01-13 11:01 ` Martin
2012-01-13 17:12 ` Dmitry A. Kazakov
2012-01-13 10:48 ` stefan-lucks
2012-01-14 0:00 ` Randy Brukardt
2012-01-16 10:48 ` Martin
2012-01-19 1:17 ` Randy Brukardt
2012-01-19 10:09 ` Dmitry A. Kazakov
2012-01-13 10:55 ` Martin
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox