How to use Assert and loop_invariants Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Data science time! April 2019 and salary with experience The Ask Question Wizard is Live!Initialization array bounds in AdaAda- attempting to remove blank spaces from a string?GNATprove: “postcondition might fail” in simple functionInconclusive Assertion in Synopsys VC FormalFurther termination check in agda, now with an indexed relationAda deferred constant finalized using complicated calculation; where to put the code?How to prove a Ada/SPARK precondition on a function embedded in a double loopHow to prove a SPARK.Text_IO procedure precondition will hold“Assertion might Fail” and Precondition doesn't solve itProving Floor_Log2 in Spark
Does a random sequence of vectors span a Hilbert space?
How does TikZ render an arc?
Marquee sign letters
The test team as an enemy of development? And how can this be avoided?
One-one communication
Table formatting with tabularx?
Did John Wesley plagiarize Matthew Henry...?
Why do C and C++ allow the expression (int) + 4?
How do Java 8 default methods hеlp with lambdas?
Random body shuffle every night—can we still function?
"Destructive power" carried by a B-52?
First paper to introduce the "principal-agent problem"
Relating to the President and obstruction, were Mueller's conclusions preordained?
How do you write "wild blueberries flavored"?
Are there any irrational/transcendental numbers for which the distribution of decimal digits is not uniform?
Noise in Eigenvalues plot
Why BitLocker does not use RSA
Pointing to problems without suggesting solutions
Did any compiler fully use 80-bit floating point?
Fit odd number of triplets in a measure?
Weaponising the Grasp-at-a-Distance spell
.bashrc alias for a command with fixed second parameter
Determine whether an integer is a palindrome
Is this Kuo-toa homebrew race balanced?
How to use Assert and loop_invariants
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Data science time! April 2019 and salary with experience
The Ask Question Wizard is Live!Initialization array bounds in AdaAda- attempting to remove blank spaces from a string?GNATprove: “postcondition might fail” in simple functionInconclusive Assertion in Synopsys VC FormalFurther termination check in agda, now with an indexed relationAda deferred constant finalized using complicated calculation; where to put the code?How to prove a Ada/SPARK precondition on a function embedded in a double loopHow to prove a SPARK.Text_IO procedure precondition will hold“Assertion might Fail” and Precondition doesn't solve itProving Floor_Log2 in Spark
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
Specification:
package PolyPack with SPARK_Mode is
type Vector is array (Natural range <>) of Integer;
function RuleHorner (X: Integer; A : Vector) return Integer
with
Pre => A'Length > 0 and A'Last < Integer'Last;
end PolyPack ;
I want to write body of PolyPack package with Assert and loop_invariants that the gnatprove program can prove my function RuleHorner correctness.
I write my function Horner but I don;t know how put assertions and loop_invariants in this program to prove its corectness :
with Ada.Integer_Text_IO;
package body PolyPack with SPARK_Mode is
function RuleHorner (X: Integer; A : Vector) return Integer is
Y : Integer := 0;
begin
for I in 0 .. A'Length - 1 loop
Y := (Y*X) + A(A'Last - I);
end loop;
return Y;
end RuleHorner ;
end PolyPack ;
gnatprove :
overflow check might fail (e.g. when X = 2 and Y = -2)
overflow check might fail
overflow check are for line Y := (Y*X) + A(A'Last - I);
Can someone help me how remove overflow check with loop_invariants
ada formal-verification spark-ada spark-2014
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
add a comment |
Specification:
package PolyPack with SPARK_Mode is
type Vector is array (Natural range <>) of Integer;
function RuleHorner (X: Integer; A : Vector) return Integer
with
Pre => A'Length > 0 and A'Last < Integer'Last;
end PolyPack ;
I want to write body of PolyPack package with Assert and loop_invariants that the gnatprove program can prove my function RuleHorner correctness.
I write my function Horner but I don;t know how put assertions and loop_invariants in this program to prove its corectness :
with Ada.Integer_Text_IO;
package body PolyPack with SPARK_Mode is
function RuleHorner (X: Integer; A : Vector) return Integer is
Y : Integer := 0;
begin
for I in 0 .. A'Length - 1 loop
Y := (Y*X) + A(A'Last - I);
end loop;
return Y;
end RuleHorner ;
end PolyPack ;
gnatprove :
overflow check might fail (e.g. when X = 2 and Y = -2)
overflow check might fail
overflow check are for line Y := (Y*X) + A(A'Last - I);
Can someone help me how remove overflow check with loop_invariants
ada formal-verification spark-ada spark-2014
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
1
Try runningRulehorner (1, (Integer'Last, Integer'Last)); it gives aConstraint_Error.
– Simon Wright
Mar 9 at 17:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55
add a comment |
Specification:
package PolyPack with SPARK_Mode is
type Vector is array (Natural range <>) of Integer;
function RuleHorner (X: Integer; A : Vector) return Integer
with
Pre => A'Length > 0 and A'Last < Integer'Last;
end PolyPack ;
I want to write body of PolyPack package with Assert and loop_invariants that the gnatprove program can prove my function RuleHorner correctness.
I write my function Horner but I don;t know how put assertions and loop_invariants in this program to prove its corectness :
with Ada.Integer_Text_IO;
package body PolyPack with SPARK_Mode is
function RuleHorner (X: Integer; A : Vector) return Integer is
Y : Integer := 0;
begin
for I in 0 .. A'Length - 1 loop
Y := (Y*X) + A(A'Last - I);
end loop;
return Y;
end RuleHorner ;
end PolyPack ;
gnatprove :
overflow check might fail (e.g. when X = 2 and Y = -2)
overflow check might fail
overflow check are for line Y := (Y*X) + A(A'Last - I);
Can someone help me how remove overflow check with loop_invariants
ada formal-verification spark-ada spark-2014
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
Specification:
package PolyPack with SPARK_Mode is
type Vector is array (Natural range <>) of Integer;
function RuleHorner (X: Integer; A : Vector) return Integer
with
Pre => A'Length > 0 and A'Last < Integer'Last;
end PolyPack ;
I want to write body of PolyPack package with Assert and loop_invariants that the gnatprove program can prove my function RuleHorner correctness.
I write my function Horner but I don;t know how put assertions and loop_invariants in this program to prove its corectness :
with Ada.Integer_Text_IO;
package body PolyPack with SPARK_Mode is
function RuleHorner (X: Integer; A : Vector) return Integer is
Y : Integer := 0;
begin
for I in 0 .. A'Length - 1 loop
Y := (Y*X) + A(A'Last - I);
end loop;
return Y;
end RuleHorner ;
end PolyPack ;
gnatprove :
overflow check might fail (e.g. when X = 2 and Y = -2)
overflow check might fail
overflow check are for line Y := (Y*X) + A(A'Last - I);
Can someone help me how remove overflow check with loop_invariants
ada formal-verification spark-ada spark-2014
ada formal-verification spark-ada spark-2014
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
edited Mar 19 at 5:42
Daniel Widdis
2,05421525
2,05421525
asked Mar 9 at 0:33
PoliteManPoliteMan
234
asked Mar 9 at 0:33
PoliteManPoliteMan
234
asked Mar 9 at 0:33
PoliteManPoliteMan
234
234
1
Try runningRulehorner (1, (Integer'Last, Integer'Last)); it gives aConstraint_Error.
– Simon Wright
Mar 9 at 17:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55
add a comment |
1
Try runningRulehorner (1, (Integer'Last, Integer'Last)); it gives aConstraint_Error.
– Simon Wright
Mar 9 at 17:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55
1
1
Try running
Rulehorner (1, (Integer'Last, Integer'Last)); it gives a Constraint_Error.– Simon Wright
Mar 9 at 17:00
Try running
Rulehorner (1, (Integer'Last, Integer'Last)); it gives a Constraint_Error.– Simon Wright
Mar 9 at 17:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55
add a comment |
1 Answer
1
active
oldest
votes
The analysis is correct. The element type for type Vector is Integer. When X = 2, Y = -2, and A(A'Last - I) is less than Integer'First + 4 an underflow will occur. How do you think this should be handled in your program? Loop invariants will not work here because you cannot prove that an overflow or underflow cannot occur.
Is there a way you can design your types and/or subtypes used within Vector and for variables X and Y to prevent Y from overflowing or underflowing?
I am also curious why you want to ignore the last value in your Vector. Are you trying to walk through the array in reverse? If so simply use the following for loop syntax:
for I in reverse A'Range loop
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55072833%2fhow-to-use-assert-and-loop-invariants%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The analysis is correct. The element type for type Vector is Integer. When X = 2, Y = -2, and A(A'Last - I) is less than Integer'First + 4 an underflow will occur. How do you think this should be handled in your program? Loop invariants will not work here because you cannot prove that an overflow or underflow cannot occur.
Is there a way you can design your types and/or subtypes used within Vector and for variables X and Y to prevent Y from overflowing or underflowing?
I am also curious why you want to ignore the last value in your Vector. Are you trying to walk through the array in reverse? If so simply use the following for loop syntax:
for I in reverse A'Range loop
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
add a comment |
The analysis is correct. The element type for type Vector is Integer. When X = 2, Y = -2, and A(A'Last - I) is less than Integer'First + 4 an underflow will occur. How do you think this should be handled in your program? Loop invariants will not work here because you cannot prove that an overflow or underflow cannot occur.
Is there a way you can design your types and/or subtypes used within Vector and for variables X and Y to prevent Y from overflowing or underflowing?
I am also curious why you want to ignore the last value in your Vector. Are you trying to walk through the array in reverse? If so simply use the following for loop syntax:
for I in reverse A'Range loop
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
add a comment |
The analysis is correct. The element type for type Vector is Integer. When X = 2, Y = -2, and A(A'Last - I) is less than Integer'First + 4 an underflow will occur. How do you think this should be handled in your program? Loop invariants will not work here because you cannot prove that an overflow or underflow cannot occur.
Is there a way you can design your types and/or subtypes used within Vector and for variables X and Y to prevent Y from overflowing or underflowing?
I am also curious why you want to ignore the last value in your Vector. Are you trying to walk through the array in reverse? If so simply use the following for loop syntax:
for I in reverse A'Range loop
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
The analysis is correct. The element type for type Vector is Integer. When X = 2, Y = -2, and A(A'Last - I) is less than Integer'First + 4 an underflow will occur. How do you think this should be handled in your program? Loop invariants will not work here because you cannot prove that an overflow or underflow cannot occur.
Is there a way you can design your types and/or subtypes used within Vector and for variables X and Y to prevent Y from overflowing or underflowing?
I am also curious why you want to ignore the last value in your Vector. Are you trying to walk through the array in reverse? If so simply use the following for loop syntax:
for I in reverse A'Range loop
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
answered Mar 9 at 4:56
Jim RogersJim Rogers
1,371516
1,371516
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
add a comment |
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
Quite why gnatprove says that X * Y might overflow when X is 2 and Y is -2" I don’t understand.
– Simon Wright
Mar 9 at 16:58
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
I don't ignore the last value because it iterates from 0.
– PoliteMan
Mar 19 at 14:21
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
@PoliteMan I think Jim is trying to help you simplify your for loop down to something like For E of reverse A loop Y := Y * X + E; end loop; Though he was suggesting the index version of for I in reverse A'Range loop Y := Y * X +A(I); end loop;
– Jere
Mar 20 at 10:53
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55072833%2fhow-to-use-assert-and-loop-invariants%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Try running
Rulehorner (1, (Integer'Last, Integer'Last)); it gives aConstraint_Error.– Simon Wright
Mar 9 at 17:00
@Simon Wright Have you any idea how improve specification and body horner_rule with spark to prove all assert?
– PoliteMan
Mar 19 at 23:00
What I’m saying is that you cannot prove freedom from exceptions as things stand, because there are inputs for which this function will raise exceptions! It’s your function, you could help yourself by stating what it’s supposed to do, preferably in the form of better preconditions and a postcondition. In English would be a start; I have no idea.
– Simon Wright
Mar 20 at 7:55