From: "Dmitry A. Kazakov"
Newsgroups: comp.lang.ada
Subject: Re: Ada 2012 Constraints (WRT an Ada IR)
Date: Fri, 16 Dec 2016 11:04:13 +0100
References: <999c67b0-4478-4d2b-8108-32ac48fe6316@googlegroups.com>

On 2016-12-15 20:50, G.B. wrote:
> On 15/12/2016 14:17, Dmitry A. Kazakov wrote:
>> On 15/12/2016 11:31, G.B. wrote:
>>> On 15/12/2016 09:41, Dmitry A. Kazakov wrote:
>>>> In Ada type declarations must be there, so it is not a tool, but an
>>>> integral part of the language. This is why "pre"-aspects is a
>>>> non-starter even ignoring their semantic consistency issues. You can
>>>> do things with or without them. Psychologically it won't work.
>>>
>>> Problem statement:
>>> Devise a type that represents an ordered pair of linearly
>>> ordered numbers, such that programmers can create objects that
>>> have the two elements in proper order.
>>
>> It is a good illustration of what is wrong with ideas you promote. You
>> are thinking in terms of implementations.
>
> Am I? ;-)
>
> In any case, I wasn't thinking of arithmetic at all. Maybe graphs'
> edges. But certainly I had the simple concept of an ordered pair in mind.
>
> Trying to follow your advice, though, with Post for emphasis,
> let's see how well the type works without Pre.
>
>    type Immutable_Ordered_Pair (<>) is private;
>
>    function Make (First, Second : POT) return Immutable_Ordered_Pair
>      with
>        --Pre  => First <= Second,                 -- (*)
>        Post => Make'Result in Immutable_Ordered_Pair; -- or raise Right, no precondition
>    function First  (Pair : Immutable_Ordered_Pair) return POT;
>    function Second (Pair : Immutable_Ordered_Pair) return POT;
>
> Type POT has "<=", its name suggesting a partially ordered set.
> The full view of Immutable_Ordered_Pair carries a hidden
>
>    Type_Invariant => First <= Second;
>
> naming obvious components, and it is hidden in the private part
> as requested.
>
> Now what will (*) yield if uncommented, thus ignoring your advice?
> First, this is what Make could do without a Pre aspect:
>
> - raise some X_E if "<=" can raise X_E;
>
> - handle X_E and reorder the parameters ("At your service!")
>   and retry, noting the attempt and raise X_E if "<=" does it
>   again, otherwise return a pair made from the parameters reversed;
>
> - an unnecessary check in case the programmer passes First and
>   Second properly ordered, i.e. (First <= Second) = True.
>
> Now give the programmer Pre as it follows from {Post, Type_Invariant},
> and you are designing by contract:

No. Pre does not follow from Post. The one that does is different:

   First >= Second or else Constraint_Error is propagating

The key difference is that Constraint_Error must be *already* underway
when First < Second.

Precondition is an obligation for the caller:

   if First >= Second then
      X := Make (First, Second);
   else
      raise Constraint_Error;
      X := Make (First, Second); -- Not going into
   end if;

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
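A complete, compilable sketch of the contract discussed in this thread, added here as an illustration rather than taken from either poster. It assumes POT is Integer, names Make's parameters Left/Right so that the functions First/Second remain visible inside Post, places the Type_Invariant on the full view in the private part, and uses a hypothetical Try procedure to show the caller discharging the obligation itself; the Assertion_Policy pragma is what makes the Pre/Post/invariant checks run at all.

```ada
pragma Assertion_Policy (Check);  -- turn on Pre/Post/Type_Invariant checks
with Ada.Assertions; with Ada.Text_IO; use Ada.Text_IO;
procedure Ordered_Pair_Demo is
   package Pairs is
      subtype POT is Integer;  -- assumption: a concrete ordered type
      type Immutable_Ordered_Pair (<>) is private;
      function First  (Pair : Immutable_Ordered_Pair) return POT;
      function Second (Pair : Immutable_Ordered_Pair) return POT;
      -- Pre is the caller's obligation; Post only restates what the
      -- hidden Type_Invariant already guarantees for every value.
      function Make (Left, Right : POT) return Immutable_Ordered_Pair
        with Pre  => Left <= Right,
             Post => First (Make'Result) <= Second (Make'Result);
   private
      type Immutable_Ordered_Pair is record Lo, Hi : POT; end record
        with Type_Invariant => Immutable_Ordered_Pair.Lo <= Immutable_Ordered_Pair.Hi;
   end Pairs;
   package body Pairs is
      function First  (Pair : Immutable_Ordered_Pair) return POT is (Pair.Lo);
      function Second (Pair : Immutable_Ordered_Pair) return POT is (Pair.Hi);
      function Make (Left, Right : POT) return Immutable_Ordered_Pair is
        (Lo => Left, Hi => Right);
   end Pairs;
   use Pairs;
   -- Caller-side discharge of the obligation, as in the reply above:
   -- check first and raise Constraint_Error instead of calling Make.
   procedure Try (A, B : POT) is
   begin
      if A <= B then
         declare
            P : constant Immutable_Ordered_Pair := Make (A, B);
         begin
            Put_Line ("pair" & POT'Image (First (P)) & POT'Image (Second (P)));
         end;
      else
         raise Constraint_Error with "caller violated Left <= Right";
      end if;
   exception
      when Constraint_Error => Put_Line ("rejected by caller");
   end Try;
begin
   Try (1, 2);
   Try (5, 3);
   begin  -- skipping the caller's check: the Pre aspect fires instead
      Put_Line (POT'Image (First (Make (5, 3))));
   exception
      when Ada.Assertions.Assertion_Error => Put_Line ("Pre failed");
   end;
end Ordered_Pair_Demo;
```

With assertions disabled, the last call would build a pair that violates the invariant unnoticed, which is exactly why the caller-side check in Try is the part that must not depend on the assertion policy.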