On Tuesday, 29 July 2014 at 20:52:28 UTC, Walter Bright wrote:
I've read yours and Ola's explanations of the difference, and I
still can't discern any difference, other than the spelling.
Here is the difference:
action1(cmd){
assert( !lowercase( cmd )); //wrong theorem
if(cmd=='format') format_harddisk()
}
action2(cmd){
assume( !lowercase( cmd )); //wrong theorem
if(cmd=='format') format_harddisk()
}
release:
action1(cmd){
if(cmd=='format') format_harddisk()
}
action2(cmd){
format_harddisk()
}
I still have problems convincing people that assert is not to
be used to validate user input.
Has nothing to do with user input. From a correctness perspective
there is no such thing as user input. You only get valid input.
What you almost always have is a mismatch between specification
and implementation. The best you can hope to have is partial
correctness. Even with a system for formal verification.
