From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.4 Path: eternal-september.org!reader01.eternal-september.org!feeder.eternal-september.org!news.uzoreto.com!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail From: Niklas Holsti Newsgroups: comp.lang.ada Subject: Re: Implicit actions & program correctness Date: Mon, 25 May 2020 23:36:31 +0300 Organization: Tidorum Ltd Message-ID: References: <3c545096-d000-4d09-b3fe-ad8530632457@googlegroups.com> <871rnk97ew.fsf@nightsong.com> <14afb70d-cb70-4ca2-bd24-f9d9664ee103@googlegroups.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Trace: individual.net iGx51d/0t2RHqxE6jdC0qgR5xW17DU6rvwP+eb54f+E9TsvcSw Cancel-Lock: sha1:spJWz6WT+U2U6PuKpK1CE9NzbTI= User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 In-Reply-To: <14afb70d-cb70-4ca2-bd24-f9d9664ee103@googlegroups.com> Content-Language: en-US Xref: reader01.eternal-september.org comp.lang.ada:58788 Date: 2020-05-25T23:36:31+03:00 List-Id: On 2020-05-25 23:15, deadhacker wrote: > On Friday, May 15, 2020 at 3:10:02 PM UTC-7, Paul Rubin wrote: >> You might like this article (not Ada specific): >> >> http://blog.tmorris.net/posts/understanding-practical-api-design-static-typing-and-functional-programming/ > >> > Paul, thank you so much for the link. It's good reading. > > To me, seems that his third requirement is the tough one. (Quoting > it here: "If I call move on a tic-tac-toe board, but the game has > finished, I should get a compile-time type-error. In other words, > calling move on inappropriate game states (i.e. move doesn’t make > sense) is disallowed by the types.") > > It seems that if I have a Move subprogram that operates on a Game, it > & produces another Game, I don't see how it could sometimes return a > FinishedGame that can be detected at compile-time. (It could return > a Game that could be checked for Finished at run-time.) > > Sadly, his Java API is no longer available, so I can't see how he > solved it. > > Do you (or anyone else here) know how it could be solved with Ada? Checking such things was (and is) the goal of "typestate analysis", https://en.wikipedia.org/wiki/Typestate_analysis. In Ada, it could be done statically with the precondition/postcondition system, plus some program proof. The Move operation would have a precondition "not Finished (Game)", and the prover would check that the program flow after any call of Move always ensures this precondition before Move is called again. Presumably this would be done by the program inspecting Finished (Game) in a control-flow condition, and allowing flow to a new Move call only in the "not finished" case. Making this check "at compile-time" would of course require that the prover is always executed in or after any compilation. -- Niklas Holsti niklas holsti tidorum fi . @ .