Is there a simple way of asking Spark/gnatprove to tell me if a particular procedure has not been ran exactly once before returning?
E.g,
Register at start
De-register called exactly once on all paths?
Maybe I could abuse an unitialised variable but not sure if that would be problematic 
Here is a stupid ideaâŚ
But maybe the procedure could change a value to True (for example Proc_Ran := True;) and then you can require that SPARK prove that for all exit conditions of a function or whatever, Proc_Ran = True
Thank you. That may be a good option though it might complain about it not being used. Also wondering if the Ada double begin trick or the gnat extension would work. My runtime doesnât have finalization.
Update: The begin trick works with exceptions but seemingly not with return. The finally extension might work but not sure I want to use experimental.
Enter Ghost Code.
IIUC, this is exactly the sort of stuff ghost code was intended for.
I havenât used it, but Iâd assume that you would just throw Ghost aspect on a Natural, increment that variable in all the functions that are required-but-mutually-exclusive, and then put the Post => Operation_Count = 1 annotation on your âmainâ subprogram.
(Note: With GNAT, you can have an ads file for your âmainâ, and then you prove SPARK there.)
3 Likes
I did something similar but without ghost code but youâre absolutely right. Time to read up on Ghost code.
This didnât really work out as I want it at library level and covering a corner case would be a bit clunky. I shall just wait for finally to land, apparently potentially with Gnat 16.