Re: Lost in translation (with SPARK user rules)

["Yannick Duchêne (Hibou57)" <yannick_duchene@yahoo.fr>]

A little test I did right a few seconds ago.

Let a rule be of the form:

    C1 may_be_deduced_from [C2, V].

Which is so that this one is valid too:

    C2 may_be_deduced_from [C1, V].

So finally, C1 and C2 and both either conclusion or condition.

This may *logically* (not by pattern) match three other things:

    C1  -> C2 may_be_deduced_from [V].
    C2  -> C1 may_be_deduced_from [V].
    C1 <-> C2 may_be_deduced_from [V].

Although only one would be required, which is

    C1 <-> C2 may_be_deduced_from [V].

Instead one need to have (and write) all of:

    C1 may_be_deduced_from [C2, V].
    C2 may_be_deduced_from [C1, V].
    C1  -> C2 may_be_deduced_from [V].
    C2  -> C1 may_be_deduced_from [V].
    C1 <-> C2 may_be_deduced_from [V].

Five rules instead of one, where one logical rule would be sufficient.

I wanted to get ride of this, with these generic rules, which I hoped will  
help and solve this recurrent trick:

    A may_be_deduced_from [B, B -> A].
    A may_be_deduced_from [B, B <-> A].
    B may_be_deduced_from [A, B <-> A].
    B -> A may_be_deduced_from [B <-> A].
    A -> B may_be_deduced_from [B <-> A].

I though this would ends to exact matches, and I would have only to write  
rules of the form

    C1 <-> C2 may_be_deduced_from [V].
    ... <-> ... may_be_deduced_from [...].

or of the form

    C1 -> C2 may_be_deduced_from [V].
    ... -> ... may_be_deduced_from [...].

and expected I would have to write only this, avoiding duplications of  
multiple equivalent forms (I expected these equivalent forms would be  
deduced via the above generic rules). Unfortunately, and although this  
looks like there should be exact matches after instantiations, this does  
not work (rules does not match in Simplifier).

Now I really see why there is the restriction of user rules which are to  
be defined on package or subprogram basis (while I still don't enjoy this)  
: this test clearly demonstrate there is no way to write general rules,  
these are always specifics to a VC or a set of VC for a given package or  
subprogram. Or else, all logical equivalences need to be written  
explicitly (which in turn requires great care when one want to review  
rules, as duplication -- I know it after experiences -- does not help  
safety and help to miss weakness).

Note: SPARK is still useful ;) with these words, I don't wanted to say it  
is not good


-- 
There is even better than a pragma Assert: a SPARK --# check.
--# check C and WhoKnowWhat and YouKnowWho;
--# assert Ada;
--  i.e. forget about previous premises which leads to conclusion
--  and start with new conclusion as premise.