From: Robert A Duff <bobduff@shell01.TheWorld.com>
Subject: Re: Float conversion
Date: Wed, 04 Aug 2010 08:52:40 -0400
Date: 2010-08-04T08:52:40-04:00 [thread overview]
Message-ID: <wcctynay1yf.fsf@shell01.TheWorld.com> (raw)
In-Reply-To: 82pqxyu9bw.fsf@stephe-leake.org
Stephen Leake <stephen_leake@stephe-leake.org> writes:
> Phil Clayton <phil.clayton@lineone.net> writes:
>
>> On Jul 31, 4:12�pm, Stephen Leake <stephen_le...@stephe-leake.org>
>> wrote:
>>> Clearly to cover all cases, you
>>> need A < B, A = B, A > B, A < C, etc.
>>
>> You make it sound easy...
>
> It is easy! This is a very small program; exhaustive testing is
> appropriate.
I wouldn't call that "exhaustive". To me, exhaustive testing means
testing every possible input. There are far more than 9.
You seem to be using some sort of coverage metric, not exhaustive
testing.
> According to the code, there are three important edge cases for each
> pair: A < B, A = B, A > B
I don't understand that. Phil Clayton's example was:
if A < B and A < C
then
Y := A;
elsif B < C and B < A
then
Y := B;
else
Y := C;
end if;
(Interesting example, by the way!)
There is no explicit test for A=B, nor B=C in that code.
So how did you know those should be tested?
And why not A=B-epsilon?
By the way, putting:
pragma Assert (C < B and C < A);
after "else" might have made the bug clearer. Or might not.
> What are you verifying, if not a specification?
You can't formally verify specifications. You can (sometimes) formally
verify that the code matches a specification.
> If the specification is rubbish, what is the point of verifying it?
The problem is, if we have a specification for something more
complicated than "min", we don't know whether it's rubbish,
and there's no formal way to prove it one way or the other.
Anyway, I didn't see any specification for "min" in this thread.
We just assume we all know what it means. But how do we know
for sure that min(1.0, 1.0, 99.0) is not supposed to return
99.0? "min" is a poor name for such a function, but what
if it were something more complicated?
And what is "min" supposed to do with NaNs? Probably there's
an implicit precondition that none of A,B,C are NaN.
- Bob
next prev parent reply other threads:[~2010-08-04 12:52 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-29 12:23 Float conversion Henrique
2010-07-29 12:44 ` Jacob Sparre Andersen
2010-07-29 12:46 ` Dmitry A. Kazakov
2010-07-29 15:08 ` Georg Bauhaus
2010-07-29 15:10 ` Georg Bauhaus
2010-07-29 15:35 ` Dmitry A. Kazakov
2010-07-29 18:21 ` Henrique
2010-07-29 19:08 ` Jeffrey R. Carter
2010-07-29 19:15 ` Dmitry A. Kazakov
2010-07-30 1:30 ` Phil Clayton
2010-07-30 8:43 ` Dmitry A. Kazakov
2010-07-30 13:14 ` Phil Clayton
2010-07-30 14:34 ` Dmitry A. Kazakov
2010-07-31 15:12 ` Stephen Leake
2010-08-03 1:07 ` Phil Clayton
2010-08-03 3:31 ` Shark8
2010-08-03 10:38 ` Georg Bauhaus
2010-08-04 7:27 ` Stephen Leake
2010-08-04 16:15 ` Georg Bauhaus
2010-08-04 16:32 ` Phil Clayton
2010-08-04 7:26 ` Stephen Leake
2010-08-04 12:52 ` Robert A Duff [this message]
2010-08-04 14:32 ` Dmitry A. Kazakov
2010-08-04 19:36 ` Simon Wright
2010-08-04 19:46 ` Dmitry A. Kazakov
2010-08-04 20:29 ` Georg Bauhaus
2010-08-05 12:05 ` Stephen Leake
2010-08-07 5:54 ` Shark8
2010-08-07 8:56 ` Georg Bauhaus
2010-08-07 13:49 ` Shark8
2010-08-05 10:20 ` Phil Clayton
2010-07-30 13:16 ` Henrique
2010-07-29 15:37 ` Warren
2010-07-29 14:56 ` Georg Bauhaus
2010-07-29 17:56 ` Jeffrey R. Carter
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox