Re: getting started with Spark; generic queue package

[Stephen Leake <stephen_leake@stephe-leake.org>]

On Friday, July 5, 2019 at 5:51:29 PM UTC-7, Stephen Leake wrote:
> I'm finally getting around to trying Spark, mostly because it finally has some support for access types. For now, I'm using GNAT Community 2018; I'll upgrade to 2019 soon.
> 
> To start, I'm trying to add contracts to an existing bounded queue package:
> 
> generic
>    type Item_Type is private;
> package SAL.Gen_Bounded_Definite_Queues
>   with Spark_Mode
> is
>    pragma Pure;
> 
>    type Queue_Type (Size : Positive) is tagged private;
>    --  Size is maximum number of items in the queue.
>    --  Tagged to allow Object.Method syntax.
> 
>    function Get_Overflow_Handling (Queue : in Queue_Type) return Overflow_Action_Type;
>    procedure Set_Overflow_Handling (Queue : in out Queue_Type; Handling : in Overflow_Action_Type);
>    --  See Add for meaning of Overflow_Handling. Default is Error.
> 
>    procedure Clear (Queue : in out Queue_Type)
>    with Post => Queue.Count = 0;
>    --  Empty Queue of all items.
> 
>    function Count (Queue : in Queue_Type) return Natural;
>    --  Returns count of items in the Queue
> 
>    function Is_Empty (Queue : in Queue_Type) return Boolean
>    with Post => (if Is_Empty'Result then Queue.Count = 0);
>    --  Returns true if no items are in Queue.
> 
>    function Is_Full (Queue : in Queue_Type) return Boolean
>    with Post => (if Is_Full'Result then Queue.Count = Queue.Size);
>    --  Returns true if Queue is full.
> 
>    function Remove (Queue : in out Queue_Type) return Item_Type with
>      Pre => Queue.Count > 0,
>      Post => Queue.Count = Queue.Count'Old - 1;
>    --  Remove head item from Queue, return it.
>    --
>    --  Raises Container_Empty if Is_Empty.
> 
>    --  other stuff deleted
> private
> 
>    type Item_Array_Type is array (Positive range <>) of Item_Type;
> 
>    type Queue_Type (Size : Positive) is tagged record
>       Overflow_Handling : Overflow_Action_Type := Error;
> 
>       Head  : Natural := 0;
>       Tail  : Natural := 0;
>       Count : Natural := 0;
>       Data  : Item_Array_Type (1 .. Size);
>       --  Add at Tail + 1, remove at Head. Count is current count;
>       --  easier to keep track of that than to compute Is_Empty for
>       --  each Add and Remove.
>    end record;
> 
> end SAL.Gen_Bounded_Definite_Queues;
> 
> 
> with SAL.Gen_Bounded_Definite_Queues;
> package Prove_Integer_Queues is new SAL.Gen_Bounded_Definite_Queues (Integer);
> 
> 
> Running gnatprove on this gives info messages like:
> 
> prove_integer_queues.ads:2:01: info: in instantiation at sal-gen_bounded_definite_queues.ads:36
> prove_integer_queues.ads:2:01: info: implicit function contract not available for proof ("Count" might not return)
> 
> Is there any way to turn those off? I don't see such an option in 'gnatprove -help', nor in the Spark 2014 user guide (not I have read every page yet; I did go thru the tutorial).
> 
> Worse, in the gnatprove.out file, it says:
> 
>   Prove_Integer_Queues.Add at sal-gen_bounded_definite_queues.ads:66, instantiated at prove_integer_queues.ads:2 skipped
> 
> and so on, for every subprogram.
> 

Upgrading to GNAT Community 2019 improved this; it only skips the subprograms that don't have pre and post conditions. Back to experimenting.