From: Stephen Leake <stephen_leake@stephe-leake.org>
Subject: Re: Postcondition on Strings.Maps.To_Sequence
Date: Wed, 01 Sep 2021 14:07:33 -0700 [thread overview]
Message-ID: <86r1e80zu2.fsf@stephe-leake.org> (raw)
In-Reply-To: 10e82e71-53f5-46d0-8960-46a7593b964dn@googlegroups.com
mockturtle <framefritti@gmail.com> writes:
> pragma Assert (Edge.On_Input /= Null_Set);
> pragma Assert (To_Sequence (Edge.On_Input)'Length > 0);
>
> where On_Input is a Character_Set (from Ada.Strings.Maps).
> SPARK accepts the first (that is, it can prove that On_Input is not
> empty), but complains that cannot prove the second (that is, that the
> same set converted to string can give an empty string).
<snip>
I have used Spark some, but am not an expert.
So just guessing; does Spark actually understand 'Length?
For example, can it prove "a"'Length = 1?
and then To_Sequence (To_Set ('a'))'Length = 1?
> My question is: is this problem due to just a "weak" contract of
> To_Sequence or can actually To_Sequence return the empty string for some
> non Null_Set input?
My guess is neither; Spark is simply not smart enough yet. You'll have
to add some additional intermediate assertions in the body of
To_Sequence, especially one that relates the size of On_Input to the
size of the result string.
--
-- Stephe
next prev parent reply other threads:[~2021-09-01 21:07 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-29 9:38 Postcondition on Strings.Maps.To_Sequence mockturtle
2021-09-01 21:07 ` Stephen Leake [this message]
2021-09-02 19:17 ` mockturtle
2021-09-03 11:46 ` Mark Wilson
2021-09-03 11:53 ` Mark Wilson
2021-09-03 12:05 ` Mark Wilson
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox