From: "G.B."
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Sun, 11 Dec 2016 12:21:35 +0100
Organization: A noiseless patient Spider
References: <03847fd7-5699-48de-bb3c-ef5512398f26@googlegroups.com> <3ef819e8-55f7-4ef7-9f37-77e6abc33f98@googlegroups.com> <47366b42-c0a3-41bf-a44a-5241c109d60f@googlegroups.com>
Reply-To: nonlegitur@notmyhomepage.de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

On 09/12/2016 10:38, Dmitry A. Kazakov wrote:
> On 08/12/2016 19:35, G.B. wrote:
>> So, the following function will also just announce that
>> it can raise Constraint_Error?
>>
>>    function Plus_Too (A, B : Standard.Integer)
>>       return Standard.Integer is
>>    begin
>>       return A + B;
>>    end Plus_Too;
>
> At least. Contracts have different precision of the post-condition:
>
> 1. Constraint_Error
>    or none
>
> 2. Constraint_Error when combination of argument values
>    or none
>
> 3. Constraint_Error when combination of argument values
>    or 0 when combination of argument values
>    or 1 when combination of argument values
>    ...

So, what is it, and (not?) elevated to implementation in this case of
Plus_Too?

McJones and Stepanov show an example which, I think, is related [1,2].
Note the precondition.

   template <typename T>     // T: an integral type, as in the book
   T remainder(T a, T b) {   // precondition a ≥ b > 0
      if (a - b >= b) {
         a = remainder(a, b + b);
         if (a < b) return a;
      }
      return a - b;
   }

"... requires thinking."

They move towards Correctness, introducing, IIUC, a (finite) semi-group
of integers with both a 1 and Archimedes' axiom, < total, ... T a
QuotientType (I won't guess what the latter is, but will guess that
some here might know that).

And, a precondition is stated as a comment, but the caller doesn't know
it unless he or she studies the body! Not the specification. Granted,
the programming language they use is a small language made for a book,
and the precondition is given on the first line. But if the language
were based on Ada, shouldn't it become a Pre aspect, so that the caller
knows what to do about a and b and the implementation of `remainder`
can assume it's been done?

   function Remainder (A, B : T) return T
      with Pre => A >= B and B > 0, ...;

Taken from near 28:20 in any of

[1]: https://itunes.apple.com/de/podcast/3.-elements-programming-november/id414065199
[2]: https://www.youtube.com/watch?v=Ih9gpJga4Vc
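An added example, not from the thread, either poster, or the book: both subprograms discussed above written as Ada 2012 units with the precondition in the specification rather than in a comment, so a violating call fails at the call site before the body runs. It assumes Natural stands in for the book's type T, a hypothetical unit name Contracts_Demo, and that assertion checks are enabled by Assertion_Policy (Check).

```ada
pragma Assertion_Policy (Check);  --  make Pre/Post checks active
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions;
procedure Contracts_Demo is
   --  The book's precondition "a >= b > 0" as part of the specification
   --  (assumption: Natural stands in for the book's type T).
   function Remainder (A, B : Natural) return Natural
     with Pre => A >= B and B > 0;
   function Remainder (A, B : Natural) return Natural is
      R : Natural := A;
   begin
      --  Same control flow as the book's version; with the Pre in
      --  force, neither R - B nor B + B can leave Natural.
      if R - B >= B then
         R := Remainder (R, B + B);
         if R < B then
            return R;
         end if;
      end if;
      return R - B;
   end Remainder;

   --  Plus_Too with the "combination of argument values" that would raise
   --  Constraint_Error spelled out, so the caller can check it and the
   --  body can assume it (precision level 2 in the quoted list).
   function Plus_Too (A, B : Integer) return Integer
     with Pre  => (if B >= 0 then A <= Integer'Last - B
                             else A >= Integer'First - B),
          Post => Plus_Too'Result = A + B;
   function Plus_Too (A, B : Integer) return Integer is
   begin
      return A + B;
   end Plus_Too;

begin
   Put_Line ("Remainder (17, 5) =" & Natural'Image (Remainder (17, 5)));
   Put_Line ("Plus_Too (1, 2) ="   & Integer'Image (Plus_Too (1, 2)));

   --  A call that violates the contract fails at the call, before the
   --  body ever runs, instead of silently miscomputing.
   begin
      Put_Line (Natural'Image (Remainder (3, 5)));
   exception
      when Ada.Assertions.Assertion_Error =>
         Put_Line ("Remainder (3, 5): precondition violated");
   end;
end Contracts_Demo;
```

With GNAT, `gnatmake -gnata contracts_demo.adb` also enables the checks if the pragma is omitted.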