-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC/Final Parameters #18
base: master
Are you sure you want to change the base?
Conversation
Right, so have implemented the checking algorithm. It looks like almost all of the benchmarks are affected in some way (examples below). This makes the decision pretty difficult. 008_scc
009_lz77
010_sort
011_codejam
|
David
I think this change is an excellent idea - it is nice that it simplifies the semantics a bit, and it will also simplify the Boogie translator slightly (Boogie does not allow assignments to parameters, so I had to work around that by copying those parameters).
And well done on getting the Dutch National Flag to verify!
I must try that with Boogie and see how it goes...
Cheers
Mark
PS. My translator log messages reckon that there are 68 occurrences of parameters that are mutated in tests/valid/*.whiley.
$ grep -i input OUT54.txt
MUTATED INPUT x : arr
MUTATED INPUT xs : int[]
MUTATED INPUT b : byte
MUTATED INPUT b : byte
MUTATED INPUT i : int
MUTATED INPUT b : byte
MUTATED INPUT i : int
MUTATED INPUT b : byte
MUTATED INPUT i : int
MUTATED INPUT b : byte
MUTATED INPUT i : int
MUTATED INPUT tree : BTree
MUTATED INPUT tree : BTree
MUTATED INPUT tree : BTree
MUTATED INPUT xs : int[]
MUTATED INPUT items : int[]
MUTATED INPUT xs : nat[]
MUTATED INPUT list : nat[]
MUTATED INPUT x : int
MUTATED INPUT x : int
MUTATED INPUT x : int
MUTATED INPUT x : int
MUTATED INPUT y : int
MUTATED INPUT v : char
MUTATED INPUT state : BufferState
MUTATED INPUT v : char
MUTATED INPUT state : BufferState
MUTATED INPUT p : &a:int
MUTATED INPUT q : &a:int
MUTATED INPUT x : &a:int
MUTATED INPUT y : &b:int
MUTATED INPUT b : byte
MUTATED INPUT a : int[]
MUTATED INPUT xs : int[][]
MUTATED INPUT ls : int[][]
MUTATED INPUT list : nint[][]
MUTATED INPUT list : nint[][]
MUTATED INPUT _this : Sum
MUTATED INPUT _this : Sum
MUTATED INPUT _this : Ptype
MUTATED INPUT _this : Ptype
MUTATED INPUT _this : pState
MUTATED INPUT _this : &Queue
MUTATED INPUT _this : MyProc
MUTATED INPUT _this : MyProc2
MUTATED INPUT _this : &MyProc2
MUTATED INPUT _this : &Queue
MUTATED INPUT _this : Ptype
MUTATED INPUT x : rec
MUTATED INPUT r : rec2
MUTATED INPUT x_ptr : &int
MUTATED INPUT y_ptr : &int
MUTATED INPUT x : &&int
MUTATED INPUT x : &int
MUTATED INPUT str : int[]
MUTATED INPUT e : expr
MUTATED INPUT x : (int|null)
MUTATED INPUT l : list
MUTATED INPUT v1 : int[]
MUTATED INPUT list : LinkedList
MUTATED INPUT src : nat[]
MUTATED INPUT offset : nat
MUTATED INPUT l : LinkedList
MUTATED INPUT items : int[]
MUTATED INPUT xs : int[]
MUTATED INPUT items : int[]
MUTATED INPUT n : int
MUTATED INPUT n : int
…________________________________
Dr Mark Utting
Senior Lecturer, ICT
School of Business | Faculty of Arts, Business and Law
University of the Sunshine Coast
Tel: +61 7 5459 4495 | Email: utting@usc.edu.au
________________________________
From: David Pearce <notifications@github.com>
Sent: 18 October 2017 07:37:23
To: Whiley/RFCs
Cc: Mark Utting; Mention
Subject: Re: [Whiley/RFCs] RFC/Final Parameters (#18)
Right, so have implemented the checking algorithm. It looks like almost all of the benchmarks are affected in some way (examples below). In fact, the Dutch National Flag benchmark was affected, and I correct it in the version I sent around.
Code Examples:
008_scc
function addEdge(Digraph g, nat from, nat to) -> Digraph:
// First, ensure enough capacity
int max = math::max(from,to)
g = resize(g,max+1)
// Second, add the actual edge
g[from] = array::append(g[from],to)
// Done
return g
009_lz77
function match(byte[] data, nat offset, nat end) -> (int length)
// Position to search from within sliding window
requires (end - offset) <= 255
// Returned match size cannot exceed sliding window
ensures 0 <= length && length <= 255:
//
nat pos = end
u8 len = 0
//
while offset < pos && pos < |data| && data[offset] == data[pos] && len < 255:
//
offset = offset + 1
pos = pos + 1
len = len + 1
//
return len
010_sort
function sort(int[] items, int start, int end) -> sortedList:
if (start+1) < end:
int pivot = (end + start) / 2
int[] lhs = sort(items,start,pivot)
int[] rhs = sort(items,pivot,end)
int l = start
int r = pivot
int i = start
while i < end && l < pivot && r < end where l >= 0 && r >= 0 && i >= 0:
if lhs[l] <= rhs[r]:
items[i] = lhs[l]
l=l+1
else:
items[i] = rhs[r]
r=r+1
i=i+1> ...
============================================================================
011_codejam
============================================================================> function parseJobs(nat pos, ascii::string input) -> (Job[] jobs, nat npos):
//
int|null nitems
//
pos = parser::skipWhiteSpace(pos,input)
nitems,pos = parser::parseInt(pos,input)
if nitems is nat:
return parseNumJobs(nitems,pos,input)
else:
return [EMPTY_JOB;0],pos
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#18 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AJcDjqCcEuMZnCSUajoSQz7OASgKLQF9ks5stR4TgaJpZM4P7gL0>.
USC, Locked Bag 4, Maroochydore DC, Queensland, 4558 Australia.
CRICOS Provider No: 01595D
Please consider the environment before printing this email.
This email is confidential. If received in error, please delete it from your system.
|
Thanks Mark --- that's a vote for "do it" then! Anyone else? @zmthy I think you're on the "go for it" side as well? |
Yeah, it's clearly the right thing to do. I initially thought that it was strange that you couldn't update the attributes of the parameters as well but that's more a consequence of your use of Java array syntax for immutable lists. I'm not sure about the change to references in postconditions. The |
David and everyone
I agree with Timothy that changing ' to mean the *initial* state seems unfortunate.
Primed variables are used for the final state in Z and UTP, and giving them the opposite meaning is likely to increase confusion when people start using Whiley.
Is there an alternative character (like ^) that could be used for the initial state?
Or perhaps even the more explicit *\old{x}?
Cheers
Mark
…________________________________
Dr Mark Utting
Senior Lecturer, ICT
School of Business | Faculty of Arts, Business and Law
University of the Sunshine Coast
Tel: +61 7 5459 4495 | Email: utting@usc.edu.au
________________________________
From: Timothy Jones <notifications@github.com>
Sent: 19 October 2017 08:58:36
To: Whiley/RFCs
Cc: Mark Utting; Mention
Subject: Re: [Whiley/RFCs] RFC/Final Parameters (#18)
Yeah, it's clearly the right thing to do. I initially thought that it was strange that you couldn't update the attributes of the parameters as well but that's more a consequence of your use of Java array syntax for immutable lists.
I'm not sure about the change to references in postconditions. The ' character is typically used to represent the 'next' state rather than the 'old' state.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#18 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AJcDjoivrHR-mrU6FTAkZ1zbHqQTBQLmks5stoKcgaJpZM4P7gL0>.
USC, Locked Bag 4, Maroochydore DC, Queensland, 4558 Australia.
CRICOS Provider No: 01595D
Please consider the environment before printing this email.
This email is confidential. If received in error, please delete it from your system.
|
Hey Folks, Ok, well, that seems pretty clear then. I just need to talk with Lindsay about whether or not he's happy for me to roll it out now. Regarding the |
@klapaukh thoughts? |
I've always thought that read-only should be the default for parameters. I've discussed this with C-style programmers before and one cultural objection is that it can sometimes be convenient to normalize the parameter before using it (e.g. turning it into something canonical). But I don't think that is a very good argument against it… e.g. they want to do:
Whereas creating a new variable could lead to mistakes in larger functions:
But I guess it can be fixed later on with an annotation like:
|
Right, I have now updated an initial batch of the failing test cases to work with this RFC. However, I have to confess, that final parameters make things ugly at times. Also, I realised the benefits compared with an explicit Some example transformations: Good
becomes:
I like that. Likewise, this:
becomes this
UglyThis, on the other hand, I don't like:
which becomes:
There is a general pattern where you end up assigning the parameter to the result at the beginning, which is just ugly. Another example of this:
becomes:
Hmmmmmmm, thoughts needed. CloningRegarding the clone optimisation I referred to in the RFC, the problem is that you now cannot distinguish between the case of a mutable versus immutable parameter. That is, when the This distinction may sound insignificant, but in the end its not. Consider these two implementations:
The question is: what is the calling convention here? If we have a The issue of ownership affects what the caller will do in different situations. Consider this call:
Now, either What's a good solution here? Well, yes, we could introduce a The other option is simply to say that this:
Only holds when |
Also a thought on immutable parameters. If you are worried about student confusion then I think the shallow nature of the immutability still allows for the same confusion. Because you might still want to say something about *x in the precondition, where x is a parameter, but *x is still mutable, even with this. |
Rendered: https://github.com/DavePearce/RFCs/blob/f891303bed73ea61171a4818be0ff7aeecea5461/text/0000-final-parameter.md
@bambinella @zmthy @utting: interested in your thoughts on this.