From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!feeder.eternal-september.org!gandalf.srv.welterde.de!news.jacob-sparre.dk!franka.jacob-sparre.dk!pnx.dk!.POSTED!not-for-mail
From: "Randy Brukardt" <randy@rrsoftware.com>
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Fri, 9 Dec 2016 15:46:53 -0600
Organization: JSA Research & Innovation
Message-ID: <o2f8od$ibj$1@franka.jacob-sparre.dk>
References: <c06ee4e6-d616-4e01-ba2e-cb111a81f6f6@googlegroups.com>
   <o1kpbo$rni$1@gioia.aioe.org>
 <b777d7e3-4779-4566-b741-8617a9501fd0@googlegroups.com>
 <o1kqk9$tmk$1@gioia.aioe.org>
 <e5adb2c3-f526-4152-9ec9-6e4182e18825@googlegroups.com>
 <o1m2oi$g8l$1@gioia.aioe.org>
 <03847fd7-5699-48de-bb3c-ef5512398f26@googlegroups.com>
 <o1ndod$14ke$1@gioia.aioe.org>
 <3ef819e8-55f7-4ef7-9f37-77e6abc33f98@googlegroups.com>
 <o1oohd$13nu$1@gioia.aioe.org> <o1q81b$9kc$1@franka.jacob-sparre.dk>
 <o1s71b$oi7$1@gioia.aioe.org> <o1sj6s$9vp$1@dont-email.me>
 <o1u6en$1igc$2@gioia.aioe.org> <o1uj70$qe2$1@dont-email.me>
 <o1uroj$jsj$1@gioia.aioe.org>
 <47366b42-c0a3-41bf-a44a-5241c109d60f@googlegroups.com>
 <alpine.DEB.2.20.1612050922450.22845@debian> <o23a8a$11e9$1@gioia.aioe.org>
 <o24om5$vfr$1@franka.jacob-sparre.dk> <o24phv$1ou6$1@gioia.aioe.org>
 <o27gpr$o8k$1@franka.jacob-sparre.dk> <o28non$1fn8$1@gioia.aioe.org>
 <o2a2ad$vnp$1@franka.jacob-sparre.dk> <o2b79r$1dit$1@gioia.aioe.org>
NNTP-Posting-Host: rrsoftware.com
X-Trace: franka.jacob-sparre.dk 1481320014 18803 24.196.82.226 (9 Dec 2016
 21:46:54 GMT)
X-Complaints-To: news@jacob-sparre.dk
NNTP-Posting-Date: Fri, 9 Dec 2016 21:46:54 +0000 (UTC)
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.5931
X-RFC2646: Format=Flowed; Response
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Xref: news.eternal-september.org comp.lang.ada:32703
Date: 2016-12-09T15:46:53-06:00
List-Id: <comp.lang.ada>

"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message 
news:o2b79r$1dit$1@gioia.aioe.org...
> On 07/12/2016 23:26, Randy Brukardt wrote:
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> wrote in message
>> news:o28non$1fn8$1@gioia.aioe.org...
>>> On 07/12/2016 00:15, Randy Brukardt wrote:
>> ...
>>>> Moreover, most contracts (at least the ones I'd write) raise specific
>>>> exceptions (not Assertion_Error). Indeed, this is a far better way to
>>>> define
>>>> something that raises an exception than an English comment. (Which is 
>>>> the
>>>> only other alternative for the specification - and its the 
>>>> specification
>>>> that matters, not the body.)
>>>
>>> As I said in another post it is a bad idea. The list exceptions, their
>>> names, must tell the reader when they are to propagate. You could 
>>> specify
>>> the exact condition in a few very limited cases. In a real life scenario
>>> you cannot specify the Boolean expression guarding Disk_Error. Moreover,
>>> in most cases that would be an over-specification.
>>
>> I never meant the above to be exclusive. Sometimes, as you say, an 
>> exception
>> is raised by something external to the Ada program, and that is probably
>> besst described in English. I was just talking about exceptions that 
>> depend
>> only on the parameter values.
>
> That does not change much. In most cases you still cannot do that without 
> having the expression as complex as the body itself. Instead of one 
> implementation you have two and thus you double the opportunity for making 
> an error.

One surely hopes that you aren't repeating the preconditions in the body. 
That's madness.

>>> My point is that either you don't need the expression or else it 
>>> must/can
>>> be statically provable and thus become a proper pre-/post-condition with
>>> no exceptions involved.
>>
>> Not everything can be statically proven (think Unchecked_Conversion), and 
>> a
>> lot of stuff can only be proven in a full-program scenario, so I'm 
>> dubious
>> of the above in any case. But even if that turns out to be possible years
>> from now, I'm more interested in what I can do today -- especially if it 
>> is
>> likely to be helpful to present (i.e. Codepeer) and future provers.
>
> Right
>
>> A
>> dynamic check that can be proven (or better proven and eliminated by the
tested-------------------------^^^^^
>> compiler) helps more than specifications with no machine-processable
>> description.
>
> Wrong. The proper way to do this is elevate the check into the behavior 
> and contract an exception. Later, when proofs are mature, client could 
> prove absence of the exception. Nothing lost, everybody is happy.

That's precisely what Ada 2012 contracts do. You can't leave this sort of 
behavior hidden to clients, or mixed in with the rest of the body (unless 
you have abandoned the idea of separation of specification [what the caller 
needs to know] and body [what the caller does *not* need to know]).

                         Randy.