  1. Please can you tell me whether or not the parameters (in, out or in out) and the depends clause are correct for the rest of the program.

  2. Question: I am unsure if the loop invariant can 'use' a parameter in order to make it an in parameter (or initialise one to make it an out).

For example, if this line was missing: Aux : Integer := X; would X be made an in parameter here:

Loop_Invariant (Z = X + Aux - Y) ?

Also, does Z depend on X because of the loop invariant? I am just unsure if the loop invariant works like pre- and postconditions, or if it is actually part of the program where parameters can be used, etc.

Here is the .ads file:

pragma SPARK_Mode;
procedure Myproc (X : in Integer; Y : in Integer; Z : out Integer)
with Depends => (Z => (Y,Z)),
     Post => (Z = X - Y);

Here is the .adb file:

pragma SPARK_Mode;
procedure Myproc (X : in Integer; Y : in Integer; Z : out Integer) is
    Aux : Integer := X;
begin
    Z := Y;
    loop
        pragma Loop_Invariant (Z = X + Aux - Y);
        exit when Aux = 0;
        Aux := Aux - 1;
        Z := Z - 2;
    end loop;
end Myproc;

I tried it in GNAT Studio and am now unsure.

  • How do you ensure Aux will ever equal 0? If X, which is an Integer parameter, is negative and Aux is initialized to X, then decrementing Aux will never result in 0. Perhaps you should declare the parameter X to be of the Natural subtype. Your loop invariant cannot be proven because Z only depends on Y and Z. It does not depend on X or Aux. – Jim Rogers Jan 08 '23 at 22:34
  • If you want Z to depend on X then you must change your Depends aspect to be (Z => (X, Y, Z)). Since Z is an out parameter its final value cannot depend upon itself. Thus the correct dependency is (Z => (X, Y)) – Jim Rogers Jan 08 '23 at 22:36
  • The question asks me to correct the parameters, whether they are in, out or in out, and the depends clause. So I think I did that wrong; I am asking what the correct parameters and depends should be so that the rest of the program is correct. @JimRogers – Primo4151 Jan 08 '23 at 22:41
  • X should be of the subtype Natural. The Depends clause should be (X => (X, Y)). Aux will never decrement to 0 if it starts at a value less than 0. Z only depends upon X and Y. Z is an out parameter and therefore cannot depend upon its value when the parameter is passed. It must be treated as an uninitialized parameter which must be assigned a value within the procedure. – Jim Rogers Jan 08 '23 at 22:45
  • No, you misunderstood. I guess the precondition such that X was positive was missing, but the question asks me to correct the program and the only things I am allowed to change are the depends and whether X, Y and Z are in, out or in out. I am meant to change only those things to fit what the rest of the code already is. @JimRogers. So where I put Z : out Integer, I may have done that wrong and it should be in out; that is what I am asking please. – Primo4151 Jan 08 '23 at 22:58
  • You were correct in making it an out parameter. – Jim Rogers Jan 08 '23 at 23:50
  • Thanks. Also what about the X in and Y in and the depends? Should Z also depend on X because it depends on Aux via exit condition and Aux depends on X? @JimRogers – Primo4151 Jan 09 '23 at 01:09
  • Yes, it should depend on X. – Jim Rogers Jan 09 '23 at 03:38
  • Thanks. Does Z also depend on Z or not? Because of Z := Z - 2, doesn't it mean it does? @JimRogers – Primo4151 Jan 09 '23 at 16:34
  • No. The initial value of Z depends only on Y. – Jim Rogers Jan 09 '23 at 21:41
  • Ah ok, now I understand. Thank you Jim – Primo4151 Jan 10 '23 at 01:47
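The following is an added example, not code from the question or from Jim Rogers, that collects what the comment thread settles on into one SPARK unit: X narrowed to Natural so that Aux actually counts down to 0, and Z depending on X and Y only (an out parameter has no incoming value, so it cannot depend on itself). It goes beyond the thread in three places, all assumptions of this example rather than anything the page states: the invariant and postcondition are rewritten to match what the loop body really computes (Z ends at Y - 2 * X, which the original Post and Loop_Invariant do not express), the Pre bounds are chosen so that Z - 2 stays inside Integer for the prover, and a Loop_Variant is added to give GNATprove termination evidence. The aspects sit on the body because Ada 2012 allows that when there is no separate spec, which keeps the example to a single myproc.adb.

```ada
--  myproc.adb (added example; the procedure name matches the question,
--  everything else is this example's own choice)
pragma SPARK_Mode;

procedure Myproc (X : in Natural; Y : in Integer; Z : out Integer)
with
  --  Assumed bounds so that Z := Z - 2 and Y - 2 * X cannot overflow Integer.
  Pre     => X <= 1_000_000 and Y in -1_000_000 .. 1_000_000,
  --  Z's final value is determined by X (loop count) and Y (start value) only.
  Depends => (Z => (X, Y)),
  --  What the loop actually leaves in Z after X iterations of Z := Z - 2.
  Post    => Z = Y - 2 * X
is
   --  Local countdown copy of X; Natural, so it can only reach 0 from above.
   Aux : Natural := X;
begin
   Z := Y;
   loop
      --  Relation between Z and the work remaining; the Aux range keeps Z
      --  within the bounds the precondition guarantees.
      pragma Loop_Invariant (Aux in 0 .. X and Z = Y - 2 * (X - Aux));
      --  Termination evidence: Aux strictly decreases on every iteration.
      pragma Loop_Variant (Decreases => Aux);
      exit when Aux = 0;
      Aux := Aux - 1;
      Z   := Z - 2;
   end loop;
end Myproc;
```

Flow analysis (gnatprove --mode=flow) is what checks the Depends aspect: it will flag Z => (Y, Z) because an out parameter's initial value is not readable, and it derives the X dependency from the loop's exit condition through Aux. The loop invariant does not create a dependency on its own; it is a proof annotation, not an assignment, so it never changes which parameters are in or out.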
