0

I can understand the meaning and purpose of preconditions in this code but I have a problem in understanding the meaning and purpose of the postconditions. In Push I know that this part to increase pointer after pushing integer ( Pointer = Pointer~ +1 ). In Pop I understand this part to decrease pointer after popping integer (Pointer=Pointer~ - 1).

package Stack

  --# own S, Pointer;
  --# initializes S, Pointer;
   with SPARK_Mode
is
   pragma Elaborate_Body(Stack);  

   Stack_Size       : constant := 100;
   subtype Pointer_Range is Integer range 0 .. Stack_Size;
   subtype Index_Range is Pointer_Range range 1..Stack_Size;
   type Vector is array(Index_Range) of Integer;
   S                : Vector;
   Pointer          : Pointer_Range;

   function isEmpty return Boolean;
   --# global in Pointer;


   procedure Push(X : in Integer);
   --# global in out S, Pointer;
   --# derives S       from S, Pointer, X &
   --#         Pointer from Pointer;


   procedure Pop(X : out Integer);
   --# global in S; in out Pointer;
   --# derives Pointer from Pointer &
   --#         X       from S, Pointer;


   procedure Peek(X : out Integer);
   --# global in S, Pointer;
   --# derives X from S, Pointer;


   procedure Swap(OldLoc, NewLoc: in Pointer_Range);
   --# global in out S;
   --#        in Pointer;
   --# derives S from S, OldLoc, NewLoc, Pointer ;



end Stack;
Memo
  • 53
  • 6
  • 1
    I don't know Ada, but in general, I know "post-condition" to mean a constraint on the data returned by a function. The data a function returns must allow the post-condition to evaluate to true, or the function is behaving incorrectlly. – Carcigenicate Dec 05 '18 at 13:12
  • It looks like somebody have pushed much of the implementation details of a stack from the package body to the package specification. What will happen if somebody changes `Stack.Pointer`, without using one of the specified subprograms? – Jacob Sparre Andersen Dec 05 '18 at 13:57
  • @JacobSparreAndersen, I suspect they’re in the package body? – Simon Wright Dec 05 '18 at 15:49

3 Answers3

5

In general, a post-condition presents the promises from the implementor to the user of how the state of (a subset of) the system will be after a to the subprogram in question.

The specific post-conditions here seem to explain how the stack is implemented.

Jacob Sparre Andersen
  • 6,733
  • 17
  • 22
4

With postconditions, you have to define the new state in terms of the effect the subprogram should have had on the old state.

When the postcondition says post Pointer = Pointer~ +1, it means that the new value of Pointer should be the old value + 1; i.e. Variable~ means "the value of Variable on entry to the subprogram".

I’m afraid I don’t know what S~[Pointer=>X] means; perhaps "the Pointerth element of S is now X" (what about specifying that all the other elements of S are to be unchanged?).

A couple of points:

  • This is an unusual mixture of SPARK2014 notation (with SPARK_Mode;) and old-style annotations (--#). I wondered whether the new SPARK software (gnatprove) needs the first in order to recognise the second, but it looks more like this is an intermediate stage in a conversion from old to new.
  • Pointer is a silly name for something that is clearly an array index. Perhaps Top would be less misleading.
Simon Wright
  • 25,108
  • 2
  • 35
  • 62
0

Yet another high-level interpretation: preconditions are requirements to let the caller in, postconditions are checks on what happened inside

Álex
  • 1,587
  • 11
  • 17