From: Simon Wright
Newsgroups: comp.lang.ada,comp.realtime,comp.programming,comp.software-eng
Subject: Re: ANNOUNCE: SPARK toolset 6.1 now available
Date: 13 Jul 2002 19:11:20 +0100
Organization: Pushface
References: <4519e058.0207110604.62691233@posting.google.com>

Robert A Duff writes:

> Simon Wright writes:
>
> > I would be _very_ surprised if SPARKada allowed T'Class
> > (uncertainty being something you don't want in safety-related
> > software).
>
> If you have the entire program source code (which you should in a
> safety-critical context), then I don't see why a dispatching call is
> any more "uncertain" than a case statement.
I don't want to put words into Praxis's mouths, as it were, but a case statement is very localised and less hard to reason about than a dispatching call over an extended space. Some of the reasoning for the position is probably practical: if you have proof obligations to discharge and you can get machine help in the proving, but only if you avoid Feature X (because -- for whatever reason -- the tool doesn't do it), you probably will avoid Feature X because the pain of doing the proof by hand is so much greater!
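An added illustration of the contrast discussed in this post (example code, not from the original thread or from Praxis): a case statement whose alternatives are all visible at the point of use, beside a class-wide dispatching call whose target depends on the run-time tag. The package, type and subprogram names (Shapes, Kind, Shape, Area) are hypothetical.

```ada
--  Added example, not from the original post: the two forms discussed
--  above side by side. All names here are hypothetical.
package Shapes is
   type Kind is (Circle, Square);

   --  Closed alternative: every path is visible at the case statement
   --  itself, and the compiler rejects the statement if an alternative
   --  for some Kind literal is missing, so the reasoning stays local.
   function Area_By_Case (K : Kind; Size : Float) return Float;

   --  Open alternative: the actual target of Area is chosen by the tag
   --  of S at run time, so the set of possible targets is every type
   --  derived from Shape anywhere in the program, present or future.
   type Shape is abstract tagged null record;
   function Area (S : Shape) return Float is abstract;

   type Circle_T is new Shape with record R : Float; end record;
   function Area (S : Circle_T) return Float;

   type Square_T is new Shape with record Side : Float; end record;
   function Area (S : Square_T) return Float;

   function Area_By_Dispatch (S : Shape'Class) return Float;
end Shapes;

package body Shapes is
   function Area_By_Case (K : Kind; Size : Float) return Float is
   begin
      case K is
         --  No "when others": adding a literal to Kind without a
         --  matching alternative is caught here, at compile time.
         when Circle => return 3.14159 * Size * Size;
         when Square => return Size * Size;
      end case;
   end Area_By_Case;

   function Area (S : Circle_T) return Float is
   begin
      return 3.14159 * S.R * S.R;
   end Area;

   function Area (S : Square_T) return Float is
   begin
      return S.Side * S.Side;
   end Area;

   function Area_By_Dispatch (S : Shape'Class) return Float is
   begin
      return Area (S);  --  dispatching call: resolved via S'Tag at run time
   end Area_By_Dispatch;
end Shapes;
```

To discharge a proof obligation on Area_By_Case one reads the two alternatives above; to discharge one on Area_By_Dispatch one must consider every Area body in the whole program, which is the program-wide reasoning the post refers to.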