From: Yannick Duchêne (Hibou57)
Newsgroups: comp.lang.ada
Subject: Re: Silly and stupid post-condition or not ?
Date: Sun, 05 Feb 2012 12:40:01 +0100
Organization: Ada @ Home

On Sun, 05 Feb 2012 07:29:21 +0100, Randy Brukardt wrote:

> A large part of the problem that I see with proof tools is that they often
> require peeking into the body to verify calls. This is just plain wrong,
> because it means that the proof has to be redone if the body changes. And it
> also means that the body has to exist (and in a near-final form) before
> the proof can be valuable.

Seems a strange assertion.

With SPARK, you prove the implementation is conforming to its specification. So, obviously, if the implementation changes, then you have to prove it again, but just like you have to recompile it again.

No implementation is required to refer to a signature. SPARK will rely on the annotations associated with the signature everywhere a given subprogram is invoked. Just like Janus/Ada seems to compile, from what you explained elsewhere. Or else I did not understand what you meant.

Were you thinking about automated and à-posteriori analysis tools? These are not proof-tools.

-- 
“Syntactic sugar causes cancer of the semi-colons.” [1]
“Structured Programming supports the law of the excluded muddle.” [1]
[1]: Epigrams on Programming — Alan J. — P. Yale University
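The modular-proof point made above, as an added example that is not part of the thread: the caller's proof depends only on the callee's Pre/Post in the spec, so changing the callee's body forces re-proof of that body alone. The package and subprogram names are assumed; spec and body are shown together for brevity and would normally live in separate files.

```ada
-- Added example (not from the thread); package and subprogram names are assumed.
package Modular_Proof with SPARK_Mode is

   -- The contract is all a caller ever sees; the body is irrelevant to it.
   procedure Add_Delta (X : in out Natural; D : Natural) with
     Pre  => X <= Natural'Last - D,
     Post => X = X'Old + D;

   -- Proving Double uses only the Pre/Post of Add_Delta declared above.
   procedure Double (X : in out Natural) with
     Pre  => X <= Natural'Last / 2,
     Post => X = 2 * X'Old;

end Modular_Proof;

package body Modular_Proof with SPARK_Mode is

   procedure Add_Delta (X : in out Natural; D : Natural) is
   begin
      -- Changing this body means re-proving Add_Delta against its own
      -- contract; callers such as Double are untouched.
      X := X + D;
   end Add_Delta;

   procedure Double (X : in out Natural) is
      D : constant Natural := X;
   begin
      -- The call's precondition (X <= Natural'Last - D) follows from
      -- Double's Pre; Double's Post follows from Add_Delta's Post alone.
      Add_Delta (X, D);
   end Double;

end Modular_Proof;
```

Running GNATprove on this unit discharges both postconditions; editing the body of Add_Delta leaves the proof of Double valid as long as the spec is unchanged.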