From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert A Duff
Newsgroups: comp.lang.ada
Subject: Re: Structured exception information
Date: Wed, 17 Jan 2007 18:46:49 -0500
Organization: The World Public Access UNIX, Brookline, MA
Message-ID:
References: <1168885771.30643.20.camel@localhost> <1168891576.30643.39.camel@localhost> <5NKdnTv2UZfVZTbYnZ2dnUVZ_vipnZ2d@megapath.net> <38z8yk9z1uxn$.1r6qpevwu2i7c.dlg@40tude.net> <1lpy2h06scx34.1i2k4dlbg0nfy.dlg@40tude.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.3 (irix)

"Randy Brukardt" writes:

> "Jeffrey Carter" wrote in message
> news:x2urh.309672$FQ1.158886@attbi_s71...
>> Dmitry A. Kazakov wrote:
>> >
>> > I doubt that others could or should be called preconditions.
>>
>> > The point is that violated preconditions are non-states and cannot be
>> > handled at all. Provided, that one understands precondition as a method
> of
>> > proving program correctness. Otherwise, it is something else.
>>
>> It's clear that you're locked into the concept of a precondition as part
>> of correctness proofs. In that context, yes, you statically prove that
>> preconditions are met, and do not need to dynamically test them. This is
>> the case with SPARK, for example.
>
> Right. The problem is that you can't write much of anything interesting that
> is statically provable for the full Ada language.
     ^^^^^^^^^^^^^^^^^^^

But note that "statically provable" is a moving target. It depends on how
smart the prover is. My brain can prove a few things that SPARK can't.
And vice-versa, of course.

>... (If you're willing to work
> only in a subset of Ada, that's of course different.) Thus, I tend to think
> mainly about dynamic preconditions, tested either as explicit tests or as
> assertions. Those raise an exception if they fail. And part of the contract
> of the operation is that an exception will be raised if the (dynamic)
> preconditions fail.

That seems like a reasonable point of view. And then if somebody hands you a
tool that can prove many of those assertions true statically, you're happy.

>... So, eventually we gave up in part because there wasn't much
> existing practice for dynamic preconditions/postconditions, so we couldn't
> be sure what we were doing was even useful.

There's existing practice in Eiffel. It's a good start, but doesn't entirely
solve the problem.

- Bob
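The dynamic-precondition view Randy describes above (an explicit test or an
assertion that raises an exception, with that exception forming part of the
operation's contract), shown as an added example written for this edit. It is
not code from the thread or from any Ada implementation; the stack type,
the Stack_Full/Stack_Empty exceptions and every other name are hypothetical,
and it is written in Ada 95/2005 style since the thread predates the Pre
aspect of Ada 2012.

```ada
--  Added example, not from the original thread.  All names are hypothetical.
--  Push tests its precondition explicitly; Pop states it with pragma Assert.
with Ada.Text_IO; use Ada.Text_IO;

procedure Dynamic_Precondition_Demo is

   Capacity : constant := 4;

   type Index is range 0 .. Capacity;
   type Buffer is array (Index range 1 .. Capacity) of Integer;

   type Stack is record
      Top  : Index := 0;
      Data : Buffer;
   end record;

   --  These exceptions are part of the contract of Push and Pop: a
   --  caller is entitled to rely on them being raised when the
   --  (dynamic) precondition does not hold.
   Stack_Full  : exception;
   Stack_Empty : exception;

   function Is_Full (S : Stack) return Boolean is
   begin
      return S.Top = Capacity;
   end Is_Full;

   --  Precondition: not Is_Full (S).  Checked as an explicit test, so
   --  the exception is raised regardless of the assertion policy.
   procedure Push (S : in out Stack; X : Integer) is
   begin
      if Is_Full (S) then
         raise Stack_Full;
      end if;
      S.Top := S.Top + 1;
      S.Data (S.Top) := X;
   end Push;

   --  Precondition: S.Top > 0.  Stated as an assertion: with assertions
   --  enabled (e.g. GNAT -gnata) a violation raises Assertion_Error;
   --  with them disabled the range check on S.Data (0) still raises
   --  Constraint_Error, so the failure is never silent, but the
   --  exception the caller sees differs.
   procedure Pop (S : in out Stack; X : out Integer) is
   begin
      pragma Assert (S.Top > 0, "Pop on empty stack");
      X := S.Data (S.Top);
      S.Top := S.Top - 1;
   end Pop;

   S : Stack;
   V : Integer;

begin
   for I in 1 .. Capacity loop
      Push (S, I);
   end loop;

   begin
      Push (S, 99);          --  violates the precondition of Push
   exception
      when Stack_Full =>
         Put_Line ("Push rejected: stack is full");
   end;

   Pop (S, V);
   Put_Line ("Popped" & Integer'Image (V));
end Dynamic_Precondition_Demo;
```

The contrast between Push and Pop is the practical point of Randy's remark:
an explicit test is always part of the contract, whereas a pragma Assert is
only part of it under the assertion policy the program was built with, so
input-validation checks that must hold in production belong in the explicit
form.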