From: "Dmitry A. Kazakov"
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Wed, 7 Dec 2016 11:03:35 +0100
References: <92ed75e9-baae-455c-9e34-53348dc6eaef@googlegroups.com> <03847fd7-5699-48de-bb3c-ef5512398f26@googlegroups.com> <3ef819e8-55f7-4ef7-9f37-77e6abc33f98@googlegroups.com> <47366b42-c0a3-41bf-a44a-5241c109d60f@googlegroups.com>

On 07/12/2016 00:09, Randy Brukardt wrote:
> "Dmitry A. Kazakov" wrote in message
> news:o24of4$1n05$1@gioia.aioe.org...
>> On 2016-12-05 12:09, Simon Wright wrote:
> ...
>>> Just as bad a thing as Constraint_Error.
>>
>> Not at all. Constraint_Error is defined and *desired* behavior. Exceptions
>> from pre-/post-conditions are undefined behavior.
>
> Why?
>
> Consider (part of) the procedure Delete in the Map container:
>
>    procedure Delete (Container : in out Map;
>                      Position  : in out Cursor);
>    -- If Position equals No_Element, then Constraint_Error is propagated.
>
> As you say, this is defined and desired behavior.
>
> Now, consider a better (IMHO) definition of this definition:
>
>    procedure Delete (Container : in out Map;
>                      Position  : in out Cursor)
>       with Pre => (if not Has_Element (Position) then raise Constraint_Error);

Sure, except that:

1. This is not a precondition. Delete still *can* be called when Pre is
false. A true precondition here is that Container is Map. You cannot call
Delete if Container is Long_Float.

2. This is a mixture of two independent things:

2.a an exception contract. Delete can raise Constraint_Error

2.b implementation. Delete must raise Constraint_Error at least when
Has_Element (Position) is false and in who knows which other cases, and it
may raise Constraint_Error but is not required to in some other undefined
cases...

2.b is BAD because it brings implementation in. Unless you cannot prove that
Constraint_Error is raised when Has_Element (Position) is false you may not
contract it.

1 and 2 put together. If you can prove exceptions raised and not raised,
then it can be a contract, but then it must be a *post-condition*, not a
precondition (imaginary syntax):

   procedure Delete (Container : in out Map;
                     Position  : in out Cursor)
      with Post => Constraint_Error when not Has_Element (Position);

This is a contract that burdens the callee's implementation. Precondition
would be a contract that does all potential callers, not a very good thing
to do, really.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
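[Editor's added example; this is not code from the thread or from any Ada container library. It illustrates the point argued above: a check written as a Pre aspect with a raise expression is an assertion, so whether it executes depends on the Assertion_Policy in force, whereas the same check written as a statement in the body is ordinary code that no build switch removes. The slot table, the procedure names Delete_Pre and Delete_Checked, and the local Assertion_Policy pragma are constructed for this demo and stand in for the Map and Delete of the discussion.]

```ada
--  Added example, not from the thread. A constructed slot table stands in
--  for the Map of the discussion; all names and the policy pragma are
--  assumptions made for this demo. Change "Ignore" to "Check" (or build
--  with -gnata and drop the pragma) to see the Pre check come back.
with Ada.Text_IO; use Ada.Text_IO;

procedure Pre_Is_Not_A_Guard is

   type Slot_Index is range 1 .. 4;
   type Table is array (Slot_Index) of Boolean;   --  True = slot in use

   --  GNAT's default when assertions are not enabled with -gnata. With
   --  "Check" instead, the Pre below raises as the quoted definition intends.
   pragma Assertion_Policy (Pre => Ignore);

   --  Variant A: the check is an assertion; the body assumes it held.
   procedure Delete_Pre (T : in out Table; I : Slot_Index)
     with Pre => (if not T (I) then raise Constraint_Error);

   procedure Delete_Pre (T : in out Table; I : Slot_Index) is
   begin
      T (I) := False;    --  releasing an already-free slot just "succeeds"
   end Delete_Pre;

   --  Variant B: the same check as ordinary code in the body. No policy
   --  pragma or compiler switch can remove it, so the callee itself keeps
   --  the contract "raises Constraint_Error when the slot is free".
   procedure Delete_Checked (T : in out Table; I : Slot_Index) is
   begin
      if not T (I) then
         raise Constraint_Error with "slot already free";
      end if;
      T (I) := False;
   end Delete_Checked;

   --  Release slot 2 twice and report whether the second release was caught.
   procedure Try (Name : String; Use_Pre : Boolean) is
      T : Table := (others => False);
   begin
      T (2) := True;
      for Attempt in 1 .. 2 loop
         if Use_Pre then
            Delete_Pre (T, 2);
         else
            Delete_Checked (T, 2);
         end if;
         Put_Line (Name & ": release" & Integer'Image (Attempt) & " accepted");
      end loop;
   exception
      when Constraint_Error =>
         Put_Line (Name & ": second release rejected with Constraint_Error");
   end Try;

begin
   Try ("Pre aspect (policy Ignore)", Use_Pre => True);
   Try ("body check                ", Use_Pre => False);
end Pre_Is_Not_A_Guard;
```

With the policy set to Ignore, variant A accepts both releases of slot 2 and the double release goes unnoticed; variant B rejects the second one regardless of policy. That is the practical reading of "Delete still *can* be called when Pre is false": a Pre aspect documents what callers should guarantee, and only the body can guarantee what the callee does.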