Conversation
… into validatable
CachingCMM.dfy needs a bit more work
… into validatable
Horray for generic traits and traits on traits!
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| // TODO-RS: Better name? | ||
| twostate predicate ValidAndFresh() | ||
| reads this, Repr | ||
| ensures ValidAndFresh() ==> Valid() && fresh(Repr - old(Repr)) |
There was a problem hiding this comment.
Is there a benefit to writing ValidAndFresh() as opposed to Valid() && Fresh()? The former doesn't seem much more convenient, whereas the latter is easier to name (except perhaps for confusion between fresh() and Fresh()).
There was a problem hiding this comment.
It's questionable whether this is worth the trouble. I definitely DON'T think just "Fresh" is the right word anyway, so I'd rather come up with better or just drop this predicate. I'm more just observing this is a very common pattern.
RustanLeino
left a comment
RustanLeino
left a comment
There was a problem hiding this comment.
This is great, since it gives us a central place to talk about the standard dynamic-frames idiom. Two general questions I have are:
-
All members of trait
Validatableare ghost. Yet, I imagine that there will be some code generated (in C# and Java) that says a class implements this empty interface. Does that have any negative consequences? (If so, we could think of some compiler directive that would say to ignore traits with only ghost members.) -
I'm thinking there may be a better name than
Validable. Given theValidComponentmember, should the trait perhaps have a name likeComposite?
| // TODO-RS: The style guide actually implies this should be "repr", | ||
| // but the convention is well-established at this point. |
There was a problem hiding this comment.
I think we should update the style guide. I suggest it be updated to say that "public" fields (or, at least, public ghost fields) be capitalized, where "public" means "intended to be used and understood by clients".
There was a problem hiding this comment.
Should that also align with the set of symbols you export then?
|
|
||
| // Convenience predicate for when your object's validity depends on one | ||
| // or more other objects. | ||
| predicate ValidComponent(component: Validatable) |
There was a problem hiding this comment.
Having convenience predicates like this is fantastic!
| ensures ValidComponent(component) ==> ( | ||
| && component in Repr | ||
| && component.Repr <= Repr | ||
| && this !in component.Repr | ||
| && component.Valid()) |
There was a problem hiding this comment.
This postcondition is not necessary, since it just restates the body and functions are transparent (non-opaque) in Dafny (unless you limit visibility with an export clause, but you're not).
There was a problem hiding this comment.
I was convinced this was necessary for validation for some reason, perhaps it was confounded with whatever the real fix was. Will try removing.
| // TODO-RS: Better name? | ||
| twostate predicate ValidAndFresh() | ||
| reads this, Repr | ||
| ensures ValidAndFresh() ==> Valid() && fresh(Repr - old(Repr)) |
There was a problem hiding this comment.
Ditto. This postcondition is not necessary.
None that I can see. Empty "marker" interfaces are definitely already a thing (e.g. Java's
Agreed, although I think It's also worth noting that as defined, these kind of have to be "mutably validatable" because it forces If this is codifying the dynamic-frames idiom, should we call it |
On second thought that conflicts pretty badly with message body frames. :) |
|
Note that having this in a public Dafny standard library might help guide new users to use the idioms: dafny-lang/dafny#292 |
|
I've cut a standard library PR for this instead now, so it makes more sense to use that version if it gets in: dafny-lang/libraries#22 |
5 participants
Closes #319
See issue for motivation.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.