D enters Tiobe top 20
Doc Andrew
x at x.com
Tue Nov 12 04:25:57 UTC 2019
On Monday, 11 November 2019 at 22:30:18 UTC, Timon Gehr wrote:
> On 11.11.19 11:39, Walter Bright wrote:
>>
>> The distinction between assert and assume has come up before,
>> and I've argued that in D they are the same.
>
> Which I have argued is complete insanity. I'm getting pretty
> angry here. Not sure what to do about it.
I'd expect a FV DIP to hash this out and get everybody on the
same page. Different languages, different textbooks, different
mathematicians all use slightly different vocabularies for this
stuff, so it can get confusing.
Other languages are pretty clear on the distinction between
assumptions and assertions. F* ("assume" -
https://www.riseforfun.com/FStar/tutorialcontent/guide#h24) &
SPARK ("pragma Assume" -
https://docs.adacore.com/spark2014-docs/html/ug/en/source/assertion_pragmas.html) both make clear that assumptions are treated like axioms in their provers, and must be used with caution. The Boogie IVL ("assume" - http://chrisposkitt.com/files/teaching/SV-2015-AutoActiveVerification.pdf) works the same way.
Coq has no "assume" keyword, but the "assumption" tactic takes a
hypothesis/premise and if it matches the goal (thing you're
trying to prove/assert), then it solves the goal).
Frama-C/ANSI C Specification Language ("assumes" clause -
https://frama-c.com/download/acsl-1.14.pdf) just treats
assumptions as hypotheses/premises that imply some conclusion, so
pre-conditions, as far as I can tell. This might be where Walter
is coming from in saying that Asserts and Assumes would be the
same in D. This is the only example I could find that uses
"assume" like this, but there may be others.
I think _most_ people consider Assert vs Assume the way SPARK and
F* do - as seen here:
https://blogs.msdn.microsoft.com/francesco/2014/09/03/faq-1-what-is-the-difference-between-assert-and-assume/
But hey, as Frama-C shows, it's not the only way to interpret
those keywords. The English language gets in our way sometimes.
Inflammable = flammable, and all that.
If "assume" is taken to mean an "assert" which is a
pre-condition, then fine, we could always point to Frama-C/ACSL
to show that D isn't some insane outlier and that we aren't a
bunch of backwards idiots. It wouldn't be the way _I_ would do
it, but that's just one man's opinion, and I'm biased by my use
of SPARK where pragma Assume has a clear meaning and works fine.
Given that we already have assert() in in{} contracts, to me the
assume() keyword (in Walter's reckoning of the meaning) is
redundant, and could be used for the axiomatic meaning.
If in{} and out{} contracts ever disappeared from the language, I
think an external solver would need something like
assume()/require() to distinguish preconditions from normal
assertions.
Having said all that, we probably need to use a little more
mathematical rigor with how we define these regardless of the
words we choose to describe the concepts.
It would also mean we'd need another keyword/UDA to use for an
axiom, like, uh, @axiom. But then we're getting into weird math
terms that scare people off. So that's probably why "assume" is
preferred by some of the others.
-Doc
More information about the Digitalmars-d
mailing list