From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
	autolearn=ham autolearn_force=no version=3.4.4
X-Google-Thread: 103376,b36bbdc1595d0665
X-Google-NewGroupId: yes
X-Google-Attributes: gida07f3367d7,domainid0,public,usenet
X-Google-Language: ENGLISH,ASCII
Path: 
 g2news1.google.com!news4.google.com!feeder2.cambriumusenet.nl!feed.tweaknews.nl!193.201.147.71.MISMATCH!xlned.com!feeder3.xlned.com!feeder.news-service.com!proxad.net!feeder1-2.proxad.net!usenet-fr.net!gegeweb.org!aioe.org!not-for-mail
From: =?iso-8859-15?Q?Yannick_Duch=EAne_=28Hibou57=29?=
 <yannick_duchene@yahoo.fr>
Newsgroups: comp.lang.ada
Subject: Re: SPARK code samples
Date: Thu, 12 Aug 2010 04:39:25 +0200
Organization: Ada At Home
Message-ID: <op.vha0bzhexmjfy8@garhos>
References: <1iq8kg021bo4v$.s51i2enx3fzo.dlg@40tude.net>
 <op.vg945ry9xmjfy8@garhos> <1lvyv3r0md69x.1cz8ylwiupqva$.dlg@40tude.net>
NNTP-Posting-Host: wRBcePl7nU3x+PaBbkDMVA.user.speranza.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
Content-Transfer-Encoding: Quoted-Printable
X-Complaints-To: abuse@aioe.org
X-Notice: Filtered by postfilter v. 0.8.2
User-Agent: Opera Mail/10.60 (Win32)
Xref: g2news1.google.com comp.lang.ada:13151
Date: 2010-08-12T04:39:25+02:00
List-Id: <comp.lang.ada>

Le Wed, 11 Aug 2010 19:33:48 +0200, Dmitry A. Kazakov  =

<mailbox@dmitry-kazakov.de> a =E9crit:
> http://rosettacode.org/wiki/Category:Programming_Tasks
>
> (the first 200 (:-))
>
> Pick any you wish.
Ok. I choose a first one, the one named A+B:
http://rosettacode.org/wiki/A%2BB#Ada

I felt it was interesting because it deals with a case of simple I/O,  =

which is a first-time issue with SPARK, and because there was the  =

opportunity to expose a simple case of validity check.

However, I don't want to post it there straight away, as I came to two  =

dirty questions. First the implementation I end up with, then the two  =

questions.


--------------------------------------------------------------------

with SPARK_IO;
--# inherit SPARK_IO;

--# main_program;

procedure A_Plus_B
--# global in out
--#    SPARK_IO.Inputs,
--#    SPARK_IO.Outputs;
--# derives
--#    SPARK_IO.Inputs from
--#       SPARK_IO.Inputs &
--#    SPARK_IO.Outputs from
--#       SPARK_IO.Inputs,
--#       SPARK_IO.Outputs;
is
    A   : Integer;
    B   : Integer;
    Sum : Integer;

    Process_Is_Valid : Boolean;
    Input_Is_OK      : Boolean;
    A_And_B_Sumable  : Boolean;

begin
    Process_Is_Valid :=3D True;

    -- Attempt to Read A from Standard Input.

    SPARK_IO.Get_Integer
      (File  =3D> SPARK_IO.Standard_Input,
       Item  =3D> A,
       Width =3D> 0,
       Read  =3D> Input_Is_OK);

    if not Input_Is_Ok then
       Process_Is_Valid :=3D False;
    end if;

    -- Attempt to Read B from Standard Input.

    B :=3D 0;

    if Process_Is_Valid then
       SPARK_IO.Get_Integer
         (File  =3D> SPARK_IO.Standard_Input,
          Item  =3D> B,
          Width =3D> 0,
          Read  =3D> Input_Is_OK);

       if not Input_Is_Ok then
          Process_Is_Valid :=3D False;
       end if;
    end if;

    -- Get A + B checking the sum is valid in the while.

    Sum :=3D 0;

    if Process_Is_Valid then
       A_And_B_Sumable :=3D False;

       if A >=3D 0 and B >=3D 0 then
          if (Integer'Last - A) >=3D B then
             Sum :=3D A + B;
             A_And_B_Sumable :=3D True;
          end if;
       elsif A >=3D 0 and B < 0 then
          -- Always valid as the sum is
          -- in range A..B
          Sum :=3D A + B;
          A_And_B_Sumable :=3D True;
       elsif A < 0 and B >=3D 0 then
          -- Always valid as the sum is
          -- in range A..B
          Sum :=3D A + B;
          A_And_B_Sumable :=3D True;
       elsif A < 0 and B < 0 then
          if (Integer'First - A) <=3D B then
             Sum :=3D A + B;
             A_And_B_Sumable :=3D True;
          end if;
       end if;

       if not A_And_B_Sumable then
          Process_Is_Valid :=3D False;
       end if;
    end if;

    -- Write A + B.

    if Process_Is_Valid then
       SPARK_IO.Put_Integer
         (File  =3D> SPARK_IO.Standard_Output,
          Item  =3D> Sum,
          Width =3D> 0,
          Base  =3D> 10);
    else
       SPARK_IO.Put_Line
         (File =3D> SPARK_IO.Standard_Output,
          Item =3D> "Either the input or the sum was invalid.",
          Stop =3D> 0); -- 0 means no extra spaces will be written.
    end if;

end A_Plus_B;

--------------------------------------------------------------------


Questions:

* The page says the input of both A and B is supposed to be in range  =

-1000..+1000. Obviously there is no way to assert this, so I simply  =

dropped the assumption. Are you OK ?

* I could have made a test to ensure inputs of A and B is in -1000..+100=
0,  =

while this would not avoid the need to check for the sum validity, as  =

formally speaking there is no way to assert anything on Integer range.  =

Second reason to dropped this assumption. OK ?

This case apart, I was thinking giving SPARK examples there, we may not =
 =

rely on user defined rules nor on the checker. Things should be provable=
  =

as-is.


-- =

There is even better than a pragma Assert: a SPARK --# check.
--# check C and WhoKnowWhat and YouKnowWho;
--# assert Ada;
--  i.e. forget about previous premises which leads to conclusion
--  and start with new conclusion as premise.