From: "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de>
Subject: Re: Silly and stupid post‑condition or not ?
Date: Thu, 2 Feb 2012 09:25:00 +0100
Date: 2012-02-02T09:25:00+01:00 [thread overview]
Message-ID: <oxvm5rgonh77$.135nqc7uxq9wr$.dlg@40tude.net> (raw)
In-Reply-To: Pine.LNX.4.64.1202011604270.29918@medsec1.medien.uni-weimar.de
On Wed, 1 Feb 2012 17:37:28 +0100, stefan-lucks@see-the.signature wrote:
> On Wed, 1 Feb 2012, Dmitry A. Kazakov wrote:
>
>> On Wed, 1 Feb 2012 11:37:31 +0100, stefan-lucks@see-the.signature wrote:
>>
>>> 1. For the purpose of proving program correctness,
>>
>> Proving incorrectness, you mean, since the thing is partial.
>
> With apologies to you and all the c.l.a readers, there was a really bad
> typo in my example. So here is the correct example
>
> function F(X: Natural) return Natural
> with Post => (if (X mod 2) = 1 then ...);
>
> So any program, which's correctness depends on a statement such as
>
> Y := F(X) * (X mod 2); -- not "F(X) * (F(X) mod 2)", as I wrote before
>
> may be proven correct (there is nothing "partial" here), in spite of the
> incomplete postcondition for F.
You could it have much simpler. Consider programs which do not call F at
all. That does the trick too.
The idea of pre-/postcondition is that it tells something about a set of
programs, of all legal programs actually. If you wanted to narrow that set,
then, well, you should at least specify that set.
>>> 2. Sometimes, it may hard to prove the entire contract. So we will try to
>>> prove the "important" requirements in the contract, and try to convince
>>> ourselves by conventional means (testing, code review, ...) that other
>>> requirements are also satisfied.
>> [...]
>>
>> No. In that case, and this was my point, the thing must be designed in a
>> way which clearly distinguished the provable/specified/defined part from
>> the rest. I proposed to introduce Length_Error to indicate a contracted
>> error case.
>
> I see. However, I would claim that an incomplete postcondition actually
> "distinguishes the provable/specified/defined part from the rest", as you
> put it.
It is a cart before the horse. In Ada we believe that specifications come
first. Yes, for each given program there exists a specification wich would
fit it. Bad design.
> procedure Ask_Database(U: User; Q: Query; R: out Response)
> with post(if (not Authorized(U)) and (Asks_For_Secret_Stuff(Q))
> then R=Empty_Response);
BTW, contracts to be stated in terms of equivalence rather than
implications. I.e.
R=Empty_Response <=> not Authorized(U)) or ...
--
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de
next prev parent reply other threads:[~2012-02-02 8:25 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-30 23:11 Silly and stupid post‑condition or not ? Yannick Duchêne (Hibou57)
2012-01-31 6:47 ` J-P. Rosen
2012-01-31 18:48 ` Jeffrey Carter
2012-01-31 22:02 ` Yannick Duchêne (Hibou57)
2012-01-31 8:54 ` Dmitry A. Kazakov
2012-01-31 9:35 ` Georg Bauhaus
2012-01-31 10:22 ` Dmitry A. Kazakov
2012-01-31 12:33 ` Georg Bauhaus
2012-01-31 13:52 ` Dmitry A. Kazakov
2012-01-31 15:34 ` Georg Bauhaus
2012-01-31 16:24 ` Dmitry A. Kazakov
2012-01-31 19:44 ` Georg Bauhaus
2012-02-01 8:41 ` Dmitry A. Kazakov
2012-02-01 10:37 ` stefan-lucks
2012-02-01 10:51 ` Yannick Duchêne (Hibou57)
2012-02-01 13:49 ` Yannick Duchêne (Hibou57)
2012-02-01 13:49 ` Dmitry A. Kazakov
2012-02-01 16:37 ` stefan-lucks
2012-02-02 1:50 ` Silly and stupid post�?'condition " Randy Brukardt
2012-02-02 1:56 ` Silly and stupid postâ?'condition or not ? Yannick Duchêne (Hibou57)
2012-02-03 2:45 ` Silly and stupid post�?'condition or not ? Randy Brukardt
2012-02-02 8:25 ` Dmitry A. Kazakov [this message]
2012-02-02 9:01 ` Silly and stupid post‑condition " stefan-lucks
2012-02-02 9:18 ` stefan-lucks
2012-02-02 10:04 ` Dmitry A. Kazakov
2012-01-31 22:08 ` Yannick Duchêne (Hibou57)
2012-01-31 17:28 ` Dmitry A. Kazakov
2012-01-31 22:12 ` Yannick Duchêne (Hibou57)
2012-02-01 8:49 ` Dmitry A. Kazakov
2012-02-01 8:36 ` Stephen Leake
2012-02-01 16:30 ` Silly and stupid post-condition " Adam Beneschan
2012-02-02 9:40 ` Stephen Leake
2012-02-02 13:20 ` Georg Bauhaus
2012-02-02 13:35 ` Yannick Duchêne (Hibou57)
2012-02-03 3:13 ` Randy Brukardt
2012-02-03 3:33 ` Yannick Duchêne (Hibou57)
2012-02-03 8:12 ` Simon Wright
2012-02-07 2:29 ` BrianG
2012-02-07 10:43 ` Simon Wright
2012-02-08 2:25 ` BrianG
2012-02-07 21:15 ` Robert A Duff
2012-02-03 9:11 ` Dmitry A. Kazakov
2012-02-04 3:27 ` Randy Brukardt
2012-02-04 10:15 ` Dmitry A. Kazakov
2012-02-03 12:25 ` Phil Thornley
2012-02-04 9:30 ` Phil Thornley
2012-02-04 12:02 ` Phil Thornley
2012-02-05 6:18 ` Randy Brukardt
2012-02-05 10:23 ` Phil Thornley
2012-02-05 10:55 ` Yannick Duchêne (Hibou57)
2012-02-05 15:03 ` Robert A Duff
2012-02-05 18:04 ` Phil Thornley
2012-02-05 21:27 ` Robert A Duff
2012-02-05 23:09 ` Phil Thornley
2012-02-07 2:05 ` Randy Brukardt
2012-02-07 9:38 ` Dmitry A. Kazakov
2012-02-05 11:31 ` Yannick Duchêne (Hibou57)
2012-02-05 14:50 ` Robert A Duff
2012-02-07 2:11 ` Randy Brukardt
2012-02-07 2:34 ` BrianG
2012-02-07 4:38 ` Yannick Duchêne (Hibou57)
2012-02-09 3:10 ` Randy Brukardt
2012-02-04 23:07 ` Stephen Leake
2012-02-05 2:49 ` Yannick Duchêne (Hibou57)
2012-02-05 6:29 ` Randy Brukardt
2012-02-05 11:40 ` Yannick Duchêne (Hibou57)
2012-02-07 1:36 ` Randy Brukardt
2012-02-05 15:16 ` Robert A Duff
2012-02-06 4:56 ` Yannick Duchêne (Hibou57)
2012-02-06 14:39 ` Robert A Duff
2012-02-06 16:12 ` Yannick Duchêne (Hibou57)
2012-02-07 1:46 ` Randy Brukardt
2012-02-07 17:24 ` Robert A Duff
2012-02-03 6:26 ` J-P. Rosen
2012-02-03 9:12 ` Dmitry A. Kazakov
2012-02-03 9:48 ` Yannick Duchêne (Hibou57)
2012-02-03 11:09 ` Dmitry A. Kazakov
2012-02-03 11:40 ` Yannick Duchêne (Hibou57)
2012-02-03 13:18 ` Dmitry A. Kazakov
2012-02-03 14:14 ` Yannick Duchêne (Hibou57)
2012-02-03 14:45 ` Dmitry A. Kazakov
2012-02-04 3:16 ` Randy Brukardt
2012-02-04 6:27 ` Yannick Duchêne (Hibou57)
2012-02-04 10:47 ` Dmitry A. Kazakov
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox