| blob | 8a35b82f55e84c2211f2fbb2a7c563a059e83f2c |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2017, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
56 procedure Analyze_Contracts
60 -- Subsidiary to the one parameter version of Analyze_Contracts and routine
61 -- Analyze_Previous_Constracts. Analyze the contracts of all constructs in
62 -- the list L. If Freeze_Nod is set, then the analysis stops when the node
63 -- is reached. Freeze_Id is the entity of some related context which caused
64 -- freezing up to node Freeze_Nod.
67 -- (CodePeer): Subsidiary procedure to Analyze_Contracts which builds the
68 -- contract-only subprogram body of eligible subprograms found in L, adds
69 -- them to their corresponding list of declarations, and analyzes them.
72 -- Expand the contracts of a subprogram body and its correspoding spec (if
73 -- any). This routine processes all [refined] pre- and postconditions as
74 -- well as Contract_Cases, invariants and predicates. Body_Id denotes the
75 -- entity of the subprogram body.
77 -----------------------
78 -- Add_Contract_Item --
79 -----------------------
85 -- Prepend Prag to the list of classifications
88 -- Prepend Prag to the list of contract and test cases
91 -- Prepend Prag to the list of pre- and postconditions
93 ------------------------
94 -- Add_Classification --
95 ------------------------
98 begin
103 ----------------------------
104 -- Add_Contract_Test_Case --
105 ----------------------------
108 begin
113 ----------------------------
114 -- Add_Pre_Post_Condition --
115 ----------------------------
118 begin
123 -- Local variables
125 -- A contract must contain only pragmas
130 -- Start of processing for Add_Contract_Item
132 begin
133 -- Create a new contract when adding the first item
140 -- Constants, the applicable pragmas are:
141 -- Part_Of
145 Add_Classification;
147 -- The pragma is not a proper contract item
149 else
153 -- Entry bodies, the applicable pragmas are:
154 -- Refined_Depends
155 -- Refined_Global
156 -- Refined_Post
160 Add_Classification;
163 Add_Pre_Post_Condition;
165 -- The pragma is not a proper contract item
167 else
171 -- Entry or subprogram declarations, the applicable pragmas are:
172 -- Attach_Handler
173 -- Contract_Cases
174 -- Depends
175 -- Extensions_Visible
176 -- Global
177 -- Interrupt_Handler
178 -- Postcondition
179 -- Precondition
180 -- Test_Case
181 -- Volatile_Function
185 E_Generic_Function,
186 E_Generic_Procedure,
187 E_Procedure)
188 then
191 then
192 Add_Classification;
195 Name_Extensions_Visible,
196 Name_Global)
197 then
198 Add_Classification;
202 then
203 Add_Classification;
206 Add_Contract_Test_Case;
209 Add_Pre_Post_Condition;
211 -- The pragma is not a proper contract item
213 else
217 -- Packages or instantiations, the applicable pragmas are:
218 -- Abstract_States
219 -- Initial_Condition
220 -- Initializes
221 -- Part_Of (instantiation only)
225 Name_Initial_Condition,
226 Name_Initializes)
227 then
228 Add_Classification;
230 -- Indicator Part_Of must be associated with a package instantiation
233 Add_Classification;
235 -- The pragma is not a proper contract item
237 else
241 -- Package bodies, the applicable pragmas are:
242 -- Refined_States
246 Add_Classification;
248 -- The pragma is not a proper contract item
250 else
254 -- Protected units, the applicable pragmas are:
255 -- Part_Of
259 Add_Classification;
261 -- The pragma is not a proper contract item
263 else
267 -- Subprogram bodies, the applicable pragmas are:
268 -- Postcondition
269 -- Precondition
270 -- Refined_Depends
271 -- Refined_Global
272 -- Refined_Post
276 Add_Classification;
279 Name_Precondition,
280 Name_Refined_Post)
281 then
282 Add_Pre_Post_Condition;
284 -- The pragma is not a proper contract item
286 else
290 -- Task bodies, the applicable pragmas are:
291 -- Refined_Depends
292 -- Refined_Global
296 Add_Classification;
298 -- The pragma is not a proper contract item
300 else
304 -- Task units, the applicable pragmas are:
305 -- Depends
306 -- Global
307 -- Part_Of
311 Add_Classification;
313 -- The pragma is not a proper contract item
315 else
319 -- Variables, the applicable pragmas are:
320 -- Async_Readers
321 -- Async_Writers
322 -- Constant_After_Elaboration
323 -- Depends
324 -- Effective_Reads
325 -- Effective_Writes
326 -- Global
327 -- Part_Of
331 Name_Async_Writers,
332 Name_Constant_After_Elaboration,
333 Name_Depends,
334 Name_Effective_Reads,
335 Name_Effective_Writes,
336 Name_Global,
337 Name_Part_Of)
338 then
339 Add_Classification;
341 -- The pragma is not a proper contract item
343 else
349 -----------------------
350 -- Analyze_Contracts --
351 -----------------------
354 begin
362 procedure Analyze_Contracts
366 is
369 begin
373 -- The caller requests that the traversal stops at a particular node
374 -- that causes contract "freezing".
380 -- Entry or subprogram declarations
383 N_Entry_Declaration,
384 N_Generic_Subprogram_Declaration,
385 N_Subprogram_Declaration)
386 then
387 declare
390 begin
393 -- If analysis of a class-wide pre/postcondition indicates
394 -- that a class-wide clone is needed, analyze its declaration
395 -- now. Its body is created when the body of the original
396 -- operation is analyzed (and rewritten).
400 then
405 -- Entry or subprogram bodies
410 -- Objects
413 Analyze_Object_Contract
417 -- Protected units
420 N_Single_Protected_Declaration)
421 then
424 -- Subprogram body stubs
429 -- Task units
432 N_Task_Type_Declaration)
433 then
436 -- For type declarations, we need to do the pre-analysis of
437 -- Iterable aspect specifications.
438 -- Other type aspects need to be resolved here???
442 then
443 declare
446 begin
457 -----------------------------------------------
458 -- Analyze_Entry_Or_Subprogram_Body_Contract --
459 -----------------------------------------------
461 -- WARNING: This routine manages SPARK regions. Return statements must be
462 -- replaced by gotos which jump to the end of the routine and restore the
463 -- SPARK mode.
472 -- Save the SPARK_Mode-related data to restore on exit
474 begin
475 -- When a subprogram body declaration is illegal, its defining entity is
476 -- left unanalyzed. There is nothing left to do in this case because the
477 -- body lacks a contract, or even a proper Ekind.
482 -- Do not analyze a contract multiple times
487 else
492 -- Due to the timing of contract analysis, delayed pragmas may be
493 -- subject to the wrong SPARK_Mode, usually that of the enclosing
494 -- context. To remedy this, restore the original SPARK_Mode of the
495 -- related subprogram body.
499 -- Ensure that the contract cases or postconditions mention 'Result or
500 -- define a post-state.
504 -- A stand-alone nonvolatile function body cannot have an effectively
505 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
506 -- check is relevant only when SPARK_Mode is on, as it is not a standard
507 -- legality rule. The check is performed here because Volatile_Function
508 -- is processed after the analysis of the related subprogram body. The
509 -- check only applies to source subprograms and not to generated TSS
510 -- subprograms.
516 then
520 -- Restore the SPARK_Mode of the enclosing context after all delayed
521 -- pragmas have been analyzed.
525 -- Capture all global references in a generic subprogram body now that
526 -- the contract has been analyzed.
529 Save_Global_References_In_Contract
534 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
535 -- invariants and predicates associated with body and its spec. Do not
536 -- expand the contract of subprogram body stubs.
543 ------------------------------------------
544 -- Analyze_Entry_Or_Subprogram_Contract --
545 ------------------------------------------
547 -- WARNING: This routine manages SPARK regions. Return statements must be
548 -- replaced by gotos which jump to the end of the routine and restore the
549 -- SPARK mode.
551 procedure Analyze_Entry_Or_Subprogram_Contract
554 is
560 -- Save the SPARK_Mode-related data to restore on exit
564 and then not ASIS_Mode
572 begin
573 -- Do not analyze a contract multiple times
578 else
583 -- Due to the timing of contract analysis, delayed pragmas may be
584 -- subject to the wrong SPARK_Mode, usually that of the enclosing
585 -- context. To remedy this, restore the original SPARK_Mode of the
586 -- related subprogram body.
590 -- All subprograms carry a contract, but for some it is not significant
591 -- and should not be processed.
598 -- Do not analyze the pre/postconditions of an entry declaration
599 -- unless annotating the original tree for ASIS or GNATprove. The
600 -- real analysis occurs when the pre/postconditons are relocated to
601 -- the contract wrapper procedure (see Build_Contract_Wrapper).
606 -- Otherwise analyze the pre/postconditions
608 else
616 -- Analyze contract-cases and test-cases
624 -- Do not analyze the contract cases of an entry declaration
625 -- unless annotating the original tree for ASIS or GNATprove.
626 -- The real analysis occurs when the contract cases are moved
627 -- to the contract wrapper procedure (Build_Contract_Wrapper).
632 -- Otherwise analyze the contract cases
634 else
637 else
645 -- Analyze classification pragmas
661 -- Analyze Global first, as Depends may mention items classified in
662 -- the global categorization.
668 -- Depends must be analyzed after Global in order to see the modes of
669 -- all global items.
675 -- Ensure that the contract cases or postconditions mention 'Result
676 -- or define a post-state.
681 -- A nonvolatile function cannot have an effectively volatile formal
682 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
683 -- only when SPARK_Mode is on, as it is not a standard legality rule.
684 -- The check is performed here because pragma Volatile_Function is
685 -- processed after the analysis of the related subprogram declaration.
691 then
695 -- Restore the SPARK_Mode of the enclosing context after all delayed
696 -- pragmas have been analyzed.
700 -- Capture all global references in a generic subprogram now that the
701 -- contract has been analyzed.
704 Save_Global_References_In_Contract
710 -----------------------------
711 -- Analyze_Object_Contract --
712 -----------------------------
714 -- WARNING: This routine manages SPARK regions. Return statements must be
715 -- replaced by gotos which jump to the end of the routine and restore the
716 -- SPARK mode.
718 procedure Analyze_Object_Contract
721 is
726 -- Save the SPARK_Mode-related data to restore on exit
737 begin
738 -- The loop parameter in an element iterator over a formal container
739 -- is declared with an object declaration, but no contracts apply.
745 -- Do not analyze a contract multiple times
752 else
757 -- The anonymous object created for a single concurrent type inherits
758 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
759 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
760 -- of the enclosing context. To remedy this, restore the original mode
761 -- of the related anonymous object.
765 then
769 -- Constant-related checks
773 -- Analyze indicator Part_Of
777 -- Check whether the lack of indicator Part_Of agrees with the
778 -- placement of the constant with respect to the state space.
784 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
785 -- This check is relevant only when SPARK_Mode is on, as it is not
786 -- a standard Ada legality rule. Internally-generated constants that
787 -- map generic formals to actuals in instantiations are allowed to
788 -- be volatile.
794 then
798 -- Variable-related checks
802 -- Analyze all external properties
832 -- Verify the mutual interaction of the various external properties
838 -- The anonymous object created for a single concurrent type carries
839 -- pragmas Depends and Globat of the type.
843 -- Analyze Global first, as Depends may mention items classified
844 -- in the global categorization.
852 -- Depends must be analyzed after Global in order to see the modes
853 -- of all global items.
864 -- Analyze indicator Part_Of
869 -- The variable is a constituent of a single protected/task type
870 -- and behaves as a component of the type. Verify that references
871 -- to the variable occur within the definition or body of the type
872 -- (SPARK RM 9.3).
875 and then Is_Single_Concurrent_Object
878 then
886 -- Otherwise check whether the lack of indicator Part_Of agrees with
887 -- the placement of the variable with respect to the state space.
889 else
893 -- The following checks are relevant only when SPARK_Mode is on, as
894 -- they are not standard Ada legality rules. Internally generated
895 -- temporaries are ignored.
900 -- The declaration of an effectively volatile object must
901 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
904 Error_Msg_N
906 Obj_Id);
908 -- An object of a discriminated type cannot be effectively
909 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
913 then
914 Error_Msg_N
918 -- The object is not effectively volatile
920 else
921 -- A non-effectively volatile object cannot have effectively
922 -- volatile components (SPARK RM 7.1.3(6)).
926 then
927 Error_Msg_N
929 Obj_Id);
935 -- Common checks
939 -- A Ghost object cannot be of a type that yields a synchronized
940 -- object (SPARK RM 6.9(19)).
945 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
946 -- SPARK RM 6.9(19)).
951 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
952 -- One exception to this is the object that represents the dispatch
953 -- table of a Ghost tagged type, as the symbol needs to be exported.
963 -- Restore the SPARK_Mode of the enclosing context after all delayed
964 -- pragmas have been analyzed.
969 -----------------------------------
970 -- Analyze_Package_Body_Contract --
971 -----------------------------------
973 -- WARNING: This routine manages SPARK regions. Return statements must be
974 -- replaced by gotos which jump to the end of the routine and restore the
975 -- SPARK mode.
977 procedure Analyze_Package_Body_Contract
980 is
987 -- Save the SPARK_Mode-related data to restore on exit
991 begin
992 -- Do not analyze a contract multiple times
997 else
1002 -- Due to the timing of contract analysis, delayed pragmas may be
1003 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1004 -- context. To remedy this, restore the original SPARK_Mode of the
1005 -- related package body.
1011 -- The analysis of pragma Refined_State detects whether the spec has
1012 -- abstract states available for refinement.
1018 -- Restore the SPARK_Mode of the enclosing context after all delayed
1019 -- pragmas have been analyzed.
1023 -- Capture all global references in a generic package body now that the
1024 -- contract has been analyzed.
1027 Save_Global_References_In_Contract
1033 ------------------------------
1034 -- Analyze_Package_Contract --
1035 ------------------------------
1037 -- WARNING: This routine manages SPARK regions. Return statements must be
1038 -- replaced by gotos which jump to the end of the routine and restore the
1039 -- SPARK mode.
1047 -- Save the SPARK_Mode-related data to restore on exit
1054 begin
1055 -- Do not analyze a contract multiple times
1060 else
1065 -- Due to the timing of contract analysis, delayed pragmas may be
1066 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1067 -- context. To remedy this, restore the original SPARK_Mode of the
1068 -- related package.
1074 -- Locate and store pragmas Initial_Condition and Initializes, since
1075 -- their order of analysis matters.
1091 -- Analyze the initialization-related pragmas. Initializes must come
1092 -- before Initial_Condition due to item dependencies.
1103 -- Check whether the lack of indicator Part_Of agrees with the placement
1104 -- of the package instantiation with respect to the state space.
1114 -- Restore the SPARK_Mode of the enclosing context after all delayed
1115 -- pragmas have been analyzed.
1119 -- Capture all global references in a generic package now that the
1120 -- contract has been analyzed.
1123 Save_Global_References_In_Contract
1129 --------------------------------
1130 -- Analyze_Previous_Contracts --
1131 --------------------------------
1139 begin
1140 -- A body that is in the process of being inlined appears from source,
1141 -- but carries name _parent. Such a body does not cause "freezing" of
1142 -- contracts.
1148 -- Climb the parent chain looking for an enclosing package body. Do not
1149 -- use the scope stack, as a body uses the entity of its corresponding
1150 -- spec.
1155 Analyze_Package_Body_Contract
1161 -- Do not look for an enclosing package body when the construct which
1162 -- causes freezing is a body generated for an expression function and
1163 -- it appears within a package spec. This ensures that the traversal
1164 -- will not reach too far up the parent chain and attempt to freeze a
1165 -- package body which should not be frozen.
1167 -- package body Enclosing_Body
1168 -- with Refined_State => (State => Var)
1169 -- is
1170 -- package Nested is
1171 -- type Some_Type is ...;
1172 -- function Cause_Freezing return ...;
1173 -- private
1174 -- function Cause_Freezing is (...);
1175 -- end Nested;
1176 --
1177 -- Var : Nested.Some_Type;
1181 then
1188 -- Analyze the contracts of all eligible construct up to the body which
1189 -- caused the "freezing".
1192 Analyze_Contracts
1199 --------------------------------
1200 -- Analyze_Protected_Contract --
1201 --------------------------------
1206 begin
1207 -- Do not analyze a contract multiple times
1212 else
1218 -------------------------------------------
1219 -- Analyze_Subprogram_Body_Stub_Contract --
1220 -------------------------------------------
1226 begin
1227 -- A subprogram body stub may act as its own spec or as the completion
1228 -- of a previous declaration. Depending on the context, the contract of
1229 -- the stub may contain two sets of pragmas.
1231 -- The stub is a completion, the applicable pragmas are:
1232 -- Refined_Depends
1233 -- Refined_Global
1238 -- The stub acts as its own spec, the applicable pragmas are:
1239 -- Contract_Cases
1240 -- Depends
1241 -- Global
1242 -- Postcondition
1243 -- Precondition
1244 -- Test_Case
1246 else
1251 ---------------------------
1252 -- Analyze_Task_Contract --
1253 ---------------------------
1255 -- WARNING: This routine manages SPARK regions. Return statements must be
1256 -- replaced by gotos which jump to the end of the routine and restore the
1257 -- SPARK mode.
1264 -- Save the SPARK_Mode-related data to restore on exit
1268 begin
1269 -- Do not analyze a contract multiple times
1274 else
1279 -- Due to the timing of contract analysis, delayed pragmas may be
1280 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1281 -- context. To remedy this, restore the original SPARK_Mode of the
1282 -- related task unit.
1286 -- Analyze Global first, as Depends may mention items classified in the
1287 -- global categorization.
1295 -- Depends must be analyzed after Global in order to see the modes of
1296 -- all global items.
1304 -- Restore the SPARK_Mode of the enclosing context after all delayed
1305 -- pragmas have been analyzed.
1310 -------------------------------------------------
1311 -- Build_And_Analyze_Contract_Only_Subprograms --
1312 -------------------------------------------------
1316 -- Analyze the contract-only subprograms of L
1319 -- Append the contract-only bodies of Subp_List to its declarations list
1322 -- If E is an entity for a non-imported subprogram specification with
1323 -- pre/postconditions and we are compiling with CodePeer mode, then
1324 -- this procedure will create a wrapper to help Gnat2scil process its
1325 -- contracts. Return Empty if the wrapper cannot be built.
1328 -- Build the contract-only subprograms of all eligible subprograms found
1329 -- in list L.
1332 -- Return True for package specs, task definitions, and protected type
1333 -- definitions whose list of private declarations is not empty.
1335 ---------------------------------------
1336 -- Analyze_Contract_Only_Subprograms --
1337 ---------------------------------------
1341 -- Analyze all the contract-only bodies of L
1343 ----------------------------------
1344 -- Analyze_Contract_Only_Bodies --
1345 ----------------------------------
1350 begin
1354 and then Is_Contract_Only_Body
1356 then
1364 -- Start of processing for Analyze_Contract_Only_Subprograms
1366 begin
1368 Analyze_Contract_Only_Bodies;
1370 else
1371 declare
1375 begin
1377 Analyze_Contract_Only_Bodies;
1379 -- For packages with private declarations, the contract-only
1380 -- bodies of subprograms defined in the visible part of the
1381 -- package are added to its private declarations (to ensure
1382 -- that they do not cause premature freezing of types and also
1383 -- that they are analyzed with proper visibility). Hence they
1384 -- will be analyzed later.
1390 Analyze_Contract_Only_Bodies;
1396 --------------------------------------
1397 -- Append_Contract_Only_Subprograms --
1398 --------------------------------------
1401 begin
1409 else
1410 declare
1414 begin
1418 -- If the package has private declarations then append them to
1419 -- its private declarations; they will be analyzed when the
1420 -- contracts of its private declarations are analyzed.
1422 else
1423 Append_List
1431 ------------------------------------
1432 -- Build_Contract_Only_Subprogram --
1433 ------------------------------------
1435 -- This procedure takes care of building a wrapper to generate better
1436 -- analysis results in the case of a call to a subprogram whose body
1437 -- is unavailable to CodePeer but whose specification includes Pre/Post
1438 -- conditions. The body might be unavailable for any of a number or
1439 -- reasons (it is imported, the .adb file is simply missing, or the
1440 -- subprogram might be subject to an Annotate (CodePeer, Skip_Analysis)
1441 -- pragma). The built subprogram has the following contents:
1442 -- * check preconditions
1443 -- * call the subprogram
1444 -- * check postconditions
1453 -- Build the declaration of the missing body subprogram and its
1454 -- corresponding pragma Import.
1457 -- Build the call to the missing body subprogram
1460 -- Return True for cases where the wrapper is not needed or we cannot
1461 -- build it.
1463 ------------------------------
1464 -- Build_Missing_Body_Decls --
1465 ------------------------------
1472 begin
1473 Decl :=
1477 Prag :=
1490 ----------------------------------------
1491 -- Build_Missing_Body_Subprogram_Call --
1492 ----------------------------------------
1498 begin
1501 -- Build parameter list that we need
1509 -- Build the call to the missing body subprogram
1512 return
1514 Expression =>
1516 Name =>
1520 else
1521 return
1523 Name =>
1529 -----------------------------------
1530 -- Skip_Contract_Only_Subprogram --
1531 -----------------------------------
1533 function Skip_Contract_Only_Subprogram
1535 is
1537 -- Return True if some formal of E (or its return type) are
1538 -- private types defined in an enclosing package.
1541 -- Return True if some enclosing package of the current scope has
1542 -- private declarations.
1544 ---------------------------------------
1545 -- Depends_On_Enclosing_Private_Type --
1546 ---------------------------------------
1549 function Defined_In_Enclosing_Package
1551 -- Return True if Typ is an entity defined in an enclosing
1552 -- package of the current scope.
1554 ----------------------------------
1555 -- Defined_In_Enclosing_Package --
1556 ----------------------------------
1558 function Defined_In_Enclosing_Package
1560 is
1563 begin
1566 loop
1573 -- Local variables
1578 -- Start of processing for Depends_On_Enclosing_Private_Type
1580 begin
1587 then
1594 return
1600 ----------------------------------------------
1601 -- Some_Enclosing_Package_Has_Private_Decls --
1602 ----------------------------------------------
1608 begin
1609 loop
1611 and then Has_Private_Declarations
1613 then
1624 -- Start of processing for Skip_Contract_Only_Subprogram
1626 begin
1627 if not CodePeer_Mode
1628 or else Inside_A_Generic
1636 then
1639 -- We do not support building the contract-only subprogram if E
1640 -- is a subprogram declared in a nested package that has some
1641 -- formal or return type depending on a private type defined in
1642 -- an enclosing package.
1645 and then Some_Enclosing_Package_Has_Private_Decls
1646 and then Depends_On_Enclosing_Private_Type
1647 then
1649 declare
1652 begin
1653 -- Warnings are disabled by default under CodePeer_Mode
1654 -- (see switch-c). Enable them temporarily.
1657 Error_Msg_N
1669 -- Start of processing for Build_Contract_Only_Subprogram
1671 begin
1672 -- Test cases where the wrapper is not needed and cases where we
1673 -- cannot build it.
1679 -- Note on calls to Copy_Separate_Tree. The trees we are copying
1680 -- here are fully analyzed, but we definitely want fully syntactic
1681 -- unanalyzed trees in the body we construct, so that the analysis
1682 -- generates the right visibility, and that is exactly what the
1683 -- calls to Copy_Separate_Tree give us.
1685 declare
1691 begin
1692 Bod :=
1694 Specification =>
1696 Declarations =>
1697 Build_Missing_Body_Decls,
1698 Handled_Statement_Sequence =>
1701 Build_Missing_Body_Subprogram_Call),
1706 -- Copy only the pre/postconditions of the original contract
1707 -- since it is what we need, but also because pragmas stored in
1708 -- the other fields have N_Pragmas with N_Aspect_Specifications
1709 -- that reference their associated pragma (thus causing an endless
1710 -- loop when trying to copy the subtree).
1712 declare
1715 begin
1721 -- Fix the name of this new subprogram and link the original
1722 -- subprogram with its Contract_Only_Body subprogram.
1732 -------------------------------------
1733 -- Build_Contract_Only_Subprograms --
1734 -------------------------------------
1742 begin
1764 ------------------------------
1765 -- Has_Private_Declarations --
1766 ------------------------------
1769 begin
1771 N_Protected_Definition,
1772 N_Task_Definition)
1773 then
1775 else
1776 return
1782 -- Local variables
1786 -- Start of processing for Build_And_Analyze_Contract_Only_Subprograms
1788 begin
1791 Analyze_Contract_Only_Subprograms;
1794 -----------------------------
1795 -- Create_Generic_Contract --
1796 -----------------------------
1803 -- Add a single contract-related source pragma Prag to the contract of
1804 -- generic template Templ_Id.
1806 ---------------------------------
1807 -- Add_Generic_Contract_Pragma --
1808 ---------------------------------
1813 begin
1814 -- Mark the pragma to prevent the premature capture of global
1815 -- references when capturing global references of the context
1816 -- (see Save_References_In_Pragma).
1820 -- Pragmas that apply to a generic subprogram declaration are not
1821 -- part of the semantic structure of the generic template:
1823 -- generic
1824 -- procedure Example (Formal : Integer);
1825 -- pragma Precondition (Formal > 0);
1827 -- Create a generic template for such pragmas and link the template
1828 -- of the pragma with the generic template.
1831 Rewrite
1838 -- Otherwise link the pragma with the generic template
1840 else
1845 -- Local variables
1850 -- Start of processing for Create_Generic_Contract
1852 begin
1853 -- A generic package declaration carries contract-related source pragmas
1854 -- in its visible declarations.
1863 -- A generic package body carries contract-related source pragmas in its
1864 -- declarations.
1873 -- Generic subprogram declaration
1878 else
1882 -- When the generic subprogram acts as a compilation unit, inspect
1883 -- the Pragmas_After list for contract-related source pragmas.
1888 then
1892 -- Otherwise inspect the successive declarations for contract-related
1893 -- source pragmas.
1895 else
1899 -- A generic subprogram body carries contract-related source pragmas in
1900 -- its declarations.
1910 -- Inspect the relevant declarations looking for contract-related source
1911 -- pragmas and add them to the contract of the generic unit.
1917 -- The source pragma is a contract annotation
1923 -- The region where a contract-related source pragma may appear
1924 -- ends with the first source non-pragma declaration or statement.
1926 else
1935 --------------------------------
1936 -- Expand_Subprogram_Contract --
1937 --------------------------------
1943 procedure Add_Invariant_And_Predicate_Checks
1947 -- Process the result of function Subp_Id (if applicable) and all its
1948 -- formals. Add invariant and predicate checks where applicable. The
1949 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1950 -- function, Result contains the entity of parameter _Result, to be
1951 -- used in the creation of procedure _Postconditions.
1954 -- Append a node to a list. If there is no list, create a new one. When
1955 -- the item denotes a pragma, it is added to the list only when it is
1956 -- enabled.
1958 procedure Build_Postconditions_Procedure
1962 -- Create the body of procedure _Postconditions which handles various
1963 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1964 -- of statements to be checked on exit. Parameter Result is the entity
1965 -- of parameter _Result when Subp_Id denotes a function.
1968 -- Process pragma Contract_Cases. This routine prepends items to the
1969 -- body declarations and appends items to list Stmts.
1972 -- Collect all [inherited] spec and body postconditions and accumulate
1973 -- their pragma Check equivalents in list Stmts.
1976 -- Collect all [inherited] spec and body preconditions and prepend their
1977 -- pragma Check equivalents to the declarations of the body.
1979 ----------------------------------------
1980 -- Add_Invariant_And_Predicate_Checks --
1981 ----------------------------------------
1983 procedure Add_Invariant_And_Predicate_Checks
1987 is
1989 -- Id denotes the return value of a function or a formal parameter.
1990 -- Add an invariant check if the type of Id is access to a type with
1991 -- invariants. The routine appends the generated code to Stmts.
1994 -- Determine whether type Typ can benefit from invariant checks. To
1995 -- qualify, the type must have a non-null invariant procedure and
1996 -- subprogram Subp_Id must appear visible from the point of view of
1997 -- the type.
1999 ---------------------------------
2000 -- Add_Invariant_Access_Checks --
2001 ---------------------------------
2008 begin
2015 Ref :=
2020 -- Generate:
2021 -- if <Id> /= null then
2022 -- <invariant_call (<Ref>)>
2023 -- end if;
2025 Append_Enabled_Item
2028 Condition =>
2039 -------------------------
2040 -- Invariant_Checks_OK --
2041 -------------------------
2045 -- Determine whether type Typ has public visibility of subprogram
2046 -- Subp_Id.
2048 -----------------------------------------
2049 -- Has_Public_Visibility_Of_Subprogram --
2050 -----------------------------------------
2055 begin
2056 -- An Initialization procedure must be considered visible even
2057 -- though it is internally generated.
2065 -- Internally generated code is never publicly visible except
2066 -- for a subprogram that is the implementation of an expression
2067 -- function. In that case the visibility is determined by the
2068 -- last check.
2071 and then
2073 or else not
2075 then
2078 -- Determine whether the subprogram is declared in the visible
2079 -- declarations of the package containing the type, or in the
2080 -- visible declaration of a child unit of that package.
2082 else
2083 declare
2090 begin
2091 return
2092 Decls = Visible_Declarations
2095 or else
2099 and then
2101 and then
2102 Decls = Visible_Declarations
2103 (Specification
2109 -- Start of processing for Invariant_Checks_OK
2111 begin
2112 return
2119 -- Local variables
2122 -- Source location of subprogram body contract
2127 -- Start of processing for Add_Invariant_And_Predicate_Checks
2129 begin
2132 -- Process the result of a function
2137 -- Generate _Result which is used in procedure _Postconditions to
2138 -- verify the return value.
2143 -- Add an invariant check when the return type has invariants and
2144 -- the related function is visible to the outside.
2147 Append_Enabled_Item
2153 -- Add an invariant check when the return type is an access to a
2154 -- type with invariants.
2159 -- Add invariant and predicates for all formals that qualify
2167 then
2169 Append_Enabled_Item
2177 -- Note: we used to add predicate checks for OUT and IN OUT
2178 -- formals here, but that was misguided, since such checks are
2179 -- performed on the caller side, based on the predicate of the
2180 -- actual, rather than the predicate of the formal.
2188 -------------------------
2189 -- Append_Enabled_Item --
2190 -------------------------
2193 begin
2194 -- Do not chain ignored or disabled pragmas
2198 then
2201 -- Otherwise, add the item
2203 else
2208 -- If the pragma is a conjunct in a composite postcondition, it
2209 -- has been processed in reverse order. In the postcondition body
2210 -- it must appear before the others.
2215 then
2217 else
2223 ------------------------------------
2224 -- Build_Postconditions_Procedure --
2225 ------------------------------------
2227 procedure Build_Postconditions_Procedure
2231 is
2233 -- Insert node Stmt before the first source declaration of the
2234 -- related subprogram's body. If no such declaration exists, Stmt
2235 -- becomes the last declaration.
2237 --------------------------------------------
2238 -- Insert_Before_First_Source_Declaration --
2239 --------------------------------------------
2245 begin
2246 -- Inspect the declarations of the related subprogram body looking
2247 -- for the first source declaration.
2260 -- If we get there, then the subprogram body lacks any source
2261 -- declarations. The body of _Postconditions now acts as the
2262 -- last declaration.
2266 -- Ensure that the body has a declaration list
2268 else
2273 -- Local variables
2282 -- Start of processing for Build_Postconditions_Procedure
2284 begin
2285 -- Nothing to do if there are no actions to check on exit
2295 -- Force the front-end inlining of _Postconditions when generating C
2296 -- code, since its body may have references to itypes defined in the
2297 -- enclosing subprogram, which would cause problems for unnesting
2298 -- routines in the absence of inlining.
2306 -- The related subprogram is a function: create the specification of
2307 -- parameter _Result.
2313 Parameter_Type =>
2317 Proc_Spec :=
2324 -- Insert _Postconditions before the first source declaration of the
2325 -- body. This ensures that the body will not cause any premature
2326 -- freezing, as it may mention types:
2328 -- procedure Proc (Obj : Array_Typ) is
2329 -- procedure _postconditions is
2330 -- begin
2331 -- ... Obj ...
2332 -- end _postconditions;
2334 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
2335 -- begin
2337 -- In the example above, Obj is of type T but the incorrect placement
2338 -- of _Postconditions will cause a crash in gigi due to an out-of-
2339 -- order reference. The body of _Postconditions must be placed after
2340 -- the declaration of Temp to preserve correct visibility.
2345 -- Set an explicit End_Label to override the sloc of the implicit
2346 -- RETURN statement, and prevent it from inheriting the sloc of one
2347 -- the postconditions: this would cause confusing debug info to be
2348 -- produced, interfering with coverage-analysis tools.
2350 Proc_Bod :=
2352 Specification =>
2355 Handled_Statement_Sequence =>
2363 ----------------------------
2364 -- Process_Contract_Cases --
2365 ----------------------------
2369 -- Process pragma Contract_Cases for subprogram Subp_Id
2371 --------------------------------
2372 -- Process_Contract_Cases_For --
2373 --------------------------------
2379 begin
2384 Expand_Pragma_Contract_Cases
2396 -- Start of processing for Process_Contract_Cases
2398 begin
2406 ----------------------------
2407 -- Process_Postconditions --
2408 ----------------------------
2412 -- Collect all [refined] postconditions of a specific kind denoted
2413 -- by Post_Nam that belong to the body, and generate pragma Check
2414 -- equivalents in list Stmts.
2417 -- Collect all [inherited] postconditions of the spec, and generate
2418 -- pragma Check equivalents in list Stmts.
2420 ---------------------------------
2421 -- Process_Body_Postconditions --
2422 ---------------------------------
2430 begin
2431 -- Process the contract
2437 Append_Enabled_Item
2446 -- The subprogram body being processed is actually the proper body
2447 -- of a stub with a corresponding spec. The subprogram stub may
2448 -- carry a postcondition pragma, in which case it must be taken
2449 -- into account. The pragma appears after the stub.
2455 -- Note that non-matching pragmas are skipped
2459 Append_Enabled_Item
2464 -- Skip internally generated code
2469 -- Postcondition pragmas are usually grouped together. There
2470 -- is no need to inspect the whole declarative list.
2472 else
2481 ---------------------------------
2482 -- Process_Spec_Postconditions --
2483 ---------------------------------
2492 begin
2493 -- Process the contract
2501 Append_Enabled_Item
2510 -- Process the contracts of all inherited subprograms, looking for
2511 -- class-wide postconditions.
2522 then
2523 Append_Enabled_Item
2525 Build_Pragma_Check_Equivalent
2538 -- Start of processing for Process_Postconditions
2540 begin
2541 -- The processing of postconditions is done in reverse order (body
2542 -- first) to ensure the following arrangement:
2544 -- <refined postconditions from body>
2545 -- <postconditions from body>
2546 -- <postconditions from spec>
2547 -- <inherited postconditions>
2553 Process_Spec_Postconditions;
2557 ---------------------------
2558 -- Process_Preconditions --
2559 ---------------------------
2563 -- The sole [inherited] class-wide precondition pragma that applies
2564 -- to the subprogram.
2567 -- The insertion node after which all pragma Check equivalents are
2568 -- inserted.
2571 -- Determine whether arbitrary declaration Decl denotes a renaming of
2572 -- a discriminant or protection field _object.
2575 -- Merge two class-wide preconditions by "or else"-ing them. The
2576 -- changes are accumulated in parameter Into. Update the error
2577 -- message of Into.
2580 -- Prepend a single item to the declarations of the subprogram body
2583 -- Save a class-wide precondition into Class_Pre, or prepend a normal
2584 -- precondition to the declarations of the body and analyze it.
2587 -- Collect all inherited class-wide preconditions and merge them into
2588 -- one big precondition to be evaluated as pragma Check.
2591 -- Collect all preconditions of subprogram Subp_Id and prepend their
2592 -- pragma Check equivalents to the declarations of the body.
2594 --------------------------
2595 -- Is_Prologue_Renaming --
2596 --------------------------
2604 begin
2613 -- A discriminant renaming appears as
2614 -- Discr : constant ... := Prefix.Discr;
2620 then
2623 -- A protection field renaming appears as
2624 -- Prot : ... := _object._object;
2626 -- A renamed private component is just a component of
2627 -- _object, with an arbitrary name.
2633 then
2642 -------------------------
2643 -- Merge_Preconditions --
2644 -------------------------
2648 -- Return the boolean expression argument of a precondition while
2649 -- updating its parentheses count for the subsequent merge.
2652 -- Return the message argument of a precondition
2654 --------------------
2655 -- Expression_Arg --
2656 --------------------
2662 begin
2670 -----------------
2671 -- Message_Arg --
2672 -----------------
2676 begin
2680 -- Local variables
2688 -- Start of processing for Merge_Preconditions
2690 begin
2691 -- Merge the two preconditions by "or else"-ing them
2698 -- Merge the two error messages to produce a single message of the
2699 -- form:
2701 -- failed precondition from ...
2702 -- also failed inherited precondition from ...
2714 ----------------------
2715 -- Prepend_To_Decls --
2716 ----------------------
2721 begin
2722 -- Ensure that the body has a declarative list
2732 ------------------------------
2733 -- Prepend_To_Decls_Or_Save --
2734 ------------------------------
2739 begin
2742 -- Save the sole class-wide precondition (if any) for the next
2743 -- step, where it will be merged with inherited preconditions.
2749 -- Accumulate the corresponding Check pragmas at the top of the
2750 -- declarations. Prepending the items ensures that they will be
2751 -- evaluated in their original order.
2753 else
2756 else
2764 -------------------------------------
2765 -- Process_Inherited_Preconditions --
2766 -------------------------------------
2776 begin
2777 -- Process the contracts of all inherited subprograms, looking for
2778 -- class-wide preconditions.
2789 then
2790 Check_Prag :=
2791 Build_Pragma_Check_Equivalent
2796 -- The spec of an inherited subprogram already yielded
2797 -- a class-wide precondition. Merge the existing
2798 -- precondition with the current one using "or else".
2802 else
2812 -- Add the merged class-wide preconditions
2820 -------------------------------
2821 -- Process_Preconditions_For --
2822 -------------------------------
2830 begin
2831 -- Process the contract
2844 -- The subprogram declaration being processed is actually a body
2845 -- stub. The stub may carry a precondition pragma, in which case
2846 -- it must be taken into account. The pragma appears after the
2847 -- stub.
2853 -- Inspect the declarations following the body stub
2858 -- Note that non-matching pragmas are skipped
2865 -- Skip internally generated code
2870 -- Preconditions are usually grouped together. There is no
2871 -- need to inspect the whole declarative list.
2873 else
2882 -- Local variables
2887 -- Start of processing for Process_Preconditions
2889 begin
2890 -- Find the proper insertion point for all pragma Check equivalents
2896 -- First source declaration terminates the search, because all
2897 -- preconditions must be evaluated prior to it, by definition.
2902 -- Certain internally generated object renamings such as those
2903 -- for discriminants and protection fields must be elaborated
2904 -- before the preconditions are evaluated, as their expressions
2905 -- may mention the discriminants. The renamings include those
2906 -- for private components so we need to find the last such.
2911 loop
2917 -- Otherwise the declaration does not come from source. This
2918 -- also terminates the search, because internal code may raise
2919 -- exceptions which should not preempt the preconditions.
2921 else
2929 -- The processing of preconditions is done in reverse order (body
2930 -- first), because each pragma Check equivalent is inserted at the
2931 -- top of the declarations. This ensures that the final order is
2932 -- consistent with following diagram:
2934 -- <inherited preconditions>
2935 -- <preconditions from spec>
2936 -- <preconditions from body>
2942 Process_Inherited_Preconditions;
2946 -- Local variables
2953 -- Start of processing for Expand_Subprogram_Contract
2955 begin
2956 -- Obtain the entity of the initial declaration
2960 else
2964 -- Do not perform expansion activity when it is not needed
2969 -- ASIS requires an unaltered tree
2974 -- GNATprove does not need the executable semantics of a contract
2979 -- The contract of a generic subprogram or one declared in a generic
2980 -- context is not expanded, as the corresponding instance will provide
2981 -- the executable semantics of the contract.
2986 -- All subprograms carry a contract, but for some it is not significant
2987 -- and should not be processed. This is a small optimization.
2992 -- The contract of an ignored Ghost subprogram does not need expansion,
2993 -- because the subprogram and all calls to it will be removed.
2999 -- Do not re-expand the same contract. This scenario occurs when a
3000 -- construct is rewritten into something else during its analysis
3001 -- (expression functions for instance).
3006 -- Otherwise mark the subprogram
3008 else
3012 -- Ensure that the formal parameters are visible when expanding all
3013 -- contract items.
3021 else
3026 -- The expansion of a subprogram contract involves the creation of Check
3027 -- pragmas to verify the contract assertions of the spec and body in a
3028 -- particular order. The order is as follows:
3030 -- function Example (...) return ... is
3031 -- procedure _Postconditions (...) is
3032 -- begin
3033 -- <refined postconditions from body>
3034 -- <postconditions from body>
3035 -- <postconditions from spec>
3036 -- <inherited postconditions>
3037 -- <contract case consequences>
3038 -- <invariant check of function result>
3039 -- <invariant and predicate checks of parameters>
3040 -- end _Postconditions;
3042 -- <inherited preconditions>
3043 -- <preconditions from spec>
3044 -- <preconditions from body>
3045 -- <contract case conditions>
3047 -- <source declarations>
3048 -- begin
3049 -- <source statements>
3051 -- _Preconditions (Result);
3052 -- return Result;
3053 -- end Example;
3055 -- Routine _Postconditions holds all contract assertions that must be
3056 -- verified on exit from the related subprogram.
3058 -- Step 1: Handle all preconditions. This action must come before the
3059 -- processing of pragma Contract_Cases because the pragma prepends items
3060 -- to the body declarations.
3062 Process_Preconditions;
3064 -- Step 2: Handle all postconditions. This action must come before the
3065 -- processing of pragma Contract_Cases because the pragma appends items
3066 -- to list Stmts.
3070 -- Step 3: Handle pragma Contract_Cases. This action must come before
3071 -- the processing of invariants and predicates because those append
3072 -- items to list Stmts.
3076 -- Step 4: Apply invariant and predicate checks on a function result and
3077 -- all formals. The resulting checks are accumulated in list Stmts.
3081 -- Step 5: Construct procedure _Postconditions
3086 End_Scope;
3090 ---------------------------------
3091 -- Inherit_Subprogram_Contract --
3092 ---------------------------------
3094 procedure Inherit_Subprogram_Contract
3097 is
3099 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3100 -- Subp's contract.
3102 --------------------
3103 -- Inherit_Pragma --
3104 --------------------
3110 begin
3111 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3112 -- chains, therefore the node must be replicated. The new pragma is
3113 -- flagged as inherited for distinction purposes.
3123 -- Start of processing for Inherit_Subprogram_Contract
3125 begin
3126 -- Inheritance is carried out only when both entities are subprograms
3127 -- with contracts.
3132 then
3137 -------------------------------------
3138 -- Instantiate_Subprogram_Contract --
3139 -------------------------------------
3143 -- Instantiate all contract-related source pragmas found in the list,
3144 -- starting with pragma First_Prag. Each instantiated pragma is added
3145 -- to list L.
3147 -------------------------
3148 -- Instantiate_Pragmas --
3149 -------------------------
3155 begin
3159 Inst_Prag :=
3170 -- Local variables
3174 -- Start of processing for Instantiate_Subprogram_Contract
3176 begin
3184 ----------------------------------------
3185 -- Save_Global_References_In_Contract --
3186 ----------------------------------------
3188 procedure Save_Global_References_In_Contract
3191 is
3193 -- Save all global references in contract-related source pragmas found
3194 -- in the list, starting with pragma First_Prag.
3196 ------------------------------------
3197 -- Save_Global_References_In_List --
3198 ------------------------------------
3203 begin
3214 -- Local variables
3218 -- Start of processing for Save_Global_References_In_Contract
3220 begin
3221 -- The entity of the analyzed generic copy must be on the scope stack
3222 -- to ensure proper detection of global references.
3228 then
3238 Pop_Scope;