Re: Lost in translation (with SPARK user rules)

["Yannick Duchêne (Hibou57)" <yannick_duchene@yahoo.fr>]

Le Wed, 26 May 2010 22:14:48 +0200, Dmitry A. Kazakov  
<mailbox@dmitry-kazakov.de> a écrit:
> No run time checks, but an option to tell more about the contract, with
> enforced static checks, that this indeed hold. If you have no time, no
> guts, or when the algorithm does not allow certain proofs, you just do  
> not
> make promises you cannot keep and go further.
OK, I see : you mean interfacing between Ada and SPARK ? Is that the idea ?

Indeed, would be nice if Ada compiler could fee SPARK Examiner with  
required condition (provided I've understood your words).

> I think it should be more than just two levels. But yes, each language
> construct and each library operation shall have a contract.
Goes the same way as the above (OK)

>> Actually, how can you test an compiler
>> compliance with SPARK ? I feel you can do it only for full Ada.
>
> Likely yes, because there exist legal Ada programs, such that no Ada
> compiler could compile.
So this could be one added good reason to have a test suit targeting the  
SPARK subset only.

> Rather by refining the contracts. When you feel that the implementation  
> is
> mature, you can add more promises to the contract of and see if they hold
> (=provable). If they don't you could try to re-implement some parts of  
> it.
> When you feel that it takes too much time, is impossible to prove, you  
> can
> drop the idea to do it formally. You will sill have a gain of deeper
> understanding how the thing works and could document why do you think it  
> is
> correct, even if that is not formally provable.
This seems to mean something similar to one of my previous message, about  
the fact I was perhaps targeting too much at first sight. Having different  
levels in mind seems indeed a requirement if one don't want to be too much  
discouraged.


-- 
There is even better than a pragma Assert: a SPARK --# check.