From: "Yannick Duchêne (Hibou57)" <yannick_duchene@yahoo.fr>
Subject: Re: SPARK: What does it prove?
Date: Mon, 31 May 2010 03:17:32 +0200
Date: 2010-05-31T03:17:32+02:00 [thread overview]
Message-ID: <op.vdjpviayule2fv@garhos> (raw)
In-Reply-To: 4bffc379$0$2374$4d3efbfe@news.sover.net
Le Fri, 28 May 2010 15:25:50 +0200, Peter C. Chapin <pcc482719@gmail.com>
a écrit:
> It is common to talk about SPARK proofs but of course what the
> Simplifier is
> actually proving are the verification conditions generated by the
> Examiner.
> Formally this leaves open the question of if those verification
> conditions
> have anything to do with reality or not.
The question, “what does it prove ?”, raise another corollary question,
which is “what can it says ?” or “what can it talks about ?”.
I'm currently trying to make proofs on some binary stuffs, which has
always seems obvious to me, and at the time of trying to prove it, I see I
can't even prove the third of the initial postcondition I wanted my
functions to have, because there are some I can't prove at all (I'm not
talking about RTC, rather about postcondition expressing properties, and
it is far less easy than proving RTC conditions).
If is funny to note that these difficulty are a consequence of SPARK tied
to Ada. An example : Ada has modular type, but can't see modular types has
polynomials, and the relevant modal, which could help, would be this one :
polynomial. Has Ada don't has this, SPARK doesn't too.
Another things also : sometime, it is better to make proof on an abstract
algorithm, which not efficient, and it is too much difficult to the same
proof (prove postconditions from preconditions and the algorithm) with the
efficient version. However, it would be more easy to demonstrate than the
efficient algorithm is an equivalent transformation of the more abstract
non-efficient one.
I mean, prove something on function F, demonstrate function G is
equivalent to function F, so as legally assert the postconditions of F are
also prove on G, because there was on F and G is equivalent to F.
This is another kind of thing SPARK cannot express or talk/say about.
This may be the start of some answers to the question “what can it proves
?” or “what can't it proves ?”, which are similar questions.
--
There is even better than a pragma Assert: a SPARK --# check.
--# check C and WhoKnowWhat and YouKnowWho;
--# assert Ada;
-- i.e. forget about previous premises which leads to conclusion
-- and start with new conclusion as premise.
next prev parent reply other threads:[~2010-05-31 1:17 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-28 13:25 SPARK: What does it prove? Peter C. Chapin
2010-05-28 13:55 ` Rod Chapman
2010-05-28 15:58 ` Peter C. Chapin
2010-05-29 14:42 ` Marco
2010-05-29 19:02 ` mockturtle
2010-05-30 1:06 ` BrianG
2010-05-30 13:06 ` Yannick Duchêne (Hibou57)
2010-05-31 1:17 ` Yannick Duchêne (Hibou57) [this message]
2010-05-31 1:21 ` Yannick Duchêne (Hibou57)
2010-05-31 13:05 ` Phil Thornley
2010-05-31 23:36 ` Jeffrey R. Carter
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox