Writing Bug-Free C/D Code
Reiner Pope
reiner at none.com
Thu Mar 22 22:46:37 PDT 2007
Dan wrote:
> What should then happen is this: The compiler should recognize that we only accept values such that x > y. Knowing that, it should then verify that in all cases where this function can be called, that the input to the function must have this condition.
Perhaps I'm misunderstanding what you say, but it seems like you are
saying that the compiler could *always* analyse programs to determine
whether the assert will ever be triggered. This is impossible for the
general case as it solves the halting problem (you can reduce all exit
conditions to x > y things).
> int doubleit(int x, int y)
> in {
> // note: you say if y is negative, make it positive twice and test <-y?
> // you then tested the original proposition ALSO!
> assert(x > y);
> }
> body {
> return x+x;
> }
> out(result) {
> assert( result == x*2, format("doubleit(%d): Weird Math Error", x) );
> }
...
> If you don't isolate the in/out tests from the body, a proof by induction couldn't know what needs to be proved to prove the code safe.
I agree with how you would code it here, although I wouldn't expect the
compiler to verify all my conditions at compile-time. To me, the point
about the 'in' contracts is that they will only ever trigger at a bug.
You hope not to have any of these when you release, so you are spending
unnecessary processing time checking things which should always be true
anyway.
If there is a bug, then either way you get a crash for the end user; an
assert failure isn't really so much more pleasant than a segmentation
violation for an end user.
> Walter, I'm not sure, but I think you were hoping (or did) make the Abstract Symbol Tree accessible? If so, it may be possible to start a dsource project to accomplish a proof by induction engine based on the current implementation of contract programming.
Such a program would surely be very useful, but I'm not convinced it
should be done through compile-time programming (automated theorem
proving takes a long time: you wouldn't want to run it *every time* you
compile, and you also wouldn't want to run it through CTFE, which is slow).
If anyone is interested, though, Sage (http://sage.soe.ucsc.edu/) and
Spec# (http://research.microsoft.com/specsharp/) are research languages
which attempt to statically verify as much in the contracts as possible.
Cheers,
Reiner
More information about the Digitalmars-d
mailing list