| blob | b6e756fbf77a5075599e25274dd0add4d31fb007 |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2023, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
66 -- This exception is raised by Add_Contract_Item when it is invoked on an
67 -- invalid pragma. Note that clients of the package must filter them out
68 -- before invoking Add_Contract_Item, so it should not escape the package.
71 -- Analyze all delayed pragmas chained on the contract of package
72 -- instantiation Inst_Id as if they appear at the end of a declarative
73 -- region. The pragmas in question are:
74 --
75 -- Part_Of
77 procedure Build_Subprogram_Contract_Wrapper
82 -- Generate a wrapper for a given subprogram body when the expansion of
83 -- postconditions require it by moving its declarations and statements
84 -- into a locally declared subprogram _Wrapped_Statements.
86 -- Postcondition and precondition checks then get inserted in place of
87 -- the original statements and declarations along with a call to
88 -- _Wrapped_Statements.
90 procedure Check_Class_Condition
95 -- Perform checking of class-wide pre/postcondition Cond inherited by Subp
96 -- from Par_Subp. Is_Precondition enables check specific for preconditions.
97 -- In SPARK_Mode, an inherited operation that is not overridden but has
98 -- inherited modified conditions pre/postconditions is illegal.
101 -- Determine whether arbitrary declaration Decl denotes a renaming of
102 -- a discriminant or protection field _object.
104 procedure Check_Type_Or_Object_External_Properties
106 -- Perform checking of external properties pragmas that is common to both
107 -- type declarations and object declarations.
110 -- Expand the contracts of a subprogram body and its correspoding spec (if
111 -- any). This routine processes all [refined] pre- and postconditions as
112 -- well as Always_Terminates, Contract_Cases, Exceptional_Cases,
113 -- Subprogram_Variant, invariants and predicates. Body_Id denotes the
114 -- entity of the subprogram body.
116 procedure Preanalyze_Condition
119 -- Preanalyze the class-wide condition Expr of Subp
121 procedure Set_Class_Condition
125 -- Set the class-wide Kind condition of Subp
127 -----------------------
128 -- Add_Contract_Item --
129 -----------------------
135 -- Prepend Prag to the list of classifications
138 -- Prepend Prag to the list of contract and test cases
141 -- Prepend Prag to the list of pre- and postconditions
143 ------------------------
144 -- Add_Classification --
145 ------------------------
148 begin
153 ----------------------------
154 -- Add_Contract_Test_Case --
155 ----------------------------
158 begin
163 ----------------------------
164 -- Add_Pre_Post_Condition --
165 ----------------------------
168 begin
173 -- Local variables
175 -- A contract must contain only pragmas
180 -- Start of processing for Add_Contract_Item
182 begin
183 -- Create a new contract when adding the first item
190 -- Constants, the applicable pragmas are:
191 -- Part_Of
195 | Name_Async_Writers
196 | Name_Effective_Reads
197 | Name_Effective_Writes
198 | Name_No_Caching
199 | Name_Part_Of
200 then
201 Add_Classification;
203 -- The pragma is not a proper contract item
205 else
209 -- Entry bodies, the applicable pragmas are:
210 -- Refined_Depends
211 -- Refined_Global
212 -- Refined_Post
216 Add_Classification;
219 Add_Pre_Post_Condition;
221 -- The pragma is not a proper contract item
223 else
227 -- Entry or subprogram declarations, the applicable pragmas are:
228 -- Always_Terminates
229 -- Attach_Handler
230 -- Contract_Cases
231 -- Depends
232 -- Exceptional_Cases
233 -- Extensions_Visible
234 -- Global
235 -- Interrupt_Handler
236 -- Postcondition
237 -- Precondition
238 -- Side_Effects
239 -- Subprogram_Variant
240 -- Test_Case
241 -- Volatile_Function
245 | E_Generic_Function
246 | E_Generic_Procedure
247 | E_Procedure
248 then
251 then
252 Add_Classification;
255 | Name_Extensions_Visible
256 | Name_Global
257 | Name_Side_Effects
258 then
259 Add_Classification;
263 then
264 Add_Classification;
267 | Name_Contract_Cases
268 | Name_Exceptional_Cases
269 | Name_Subprogram_Variant
270 | Name_Test_Case
271 then
272 Add_Contract_Test_Case;
275 Add_Pre_Post_Condition;
277 -- The pragma is not a proper contract item
279 else
283 -- Packages or instantiations, the applicable pragmas are:
284 -- Abstract_States
285 -- Initial_Condition
286 -- Initializes
287 -- Part_Of (instantiation only)
291 | Name_Initial_Condition
292 | Name_Initializes
293 then
294 Add_Classification;
296 -- Indicator Part_Of must be associated with a package instantiation
299 Add_Classification;
302 Add_Contract_Test_Case;
304 -- The pragma is not a proper contract item
306 else
310 -- Package bodies, the applicable pragmas are:
311 -- Refined_States
315 Add_Classification;
317 -- The pragma is not a proper contract item
319 else
323 -- The four volatility refinement pragmas are ok for all types.
324 -- Part_Of is ok for task types and protected types.
325 -- Depends and Global are ok for task types.
326 --
327 -- Precondition and Postcondition are added separately; they are allowed
328 -- for access-to-subprogram types.
331 declare
333 Prag_Nam in Name_Async_Readers
334 | Name_Async_Writers
335 | Name_Effective_Reads
336 | Name_Effective_Writes
337 | Name_No_Caching
340 | Name_Depends
341 | Name_Global)
345 begin
347 Add_Classification;
351 | Name_Postcondition
352 then
353 Add_Pre_Post_Condition;
354 else
356 -- The pragma is not a proper contract item
362 -- Subprogram bodies, the applicable pragmas are:
363 -- Postcondition
364 -- Precondition
365 -- Refined_Depends
366 -- Refined_Global
367 -- Refined_Post
371 Add_Classification;
374 | Name_Precondition
375 | Name_Refined_Post
376 then
377 Add_Pre_Post_Condition;
379 -- The pragma is not a proper contract item
381 else
385 -- Task bodies, the applicable pragmas are:
386 -- Refined_Depends
387 -- Refined_Global
391 Add_Classification;
393 -- The pragma is not a proper contract item
395 else
399 -- Task units, the applicable pragmas are:
400 -- Depends
401 -- Global
402 -- Part_Of
404 -- Variables, the applicable pragmas are:
405 -- Async_Readers
406 -- Async_Writers
407 -- Constant_After_Elaboration
408 -- Depends
409 -- Effective_Reads
410 -- Effective_Writes
411 -- Global
412 -- No_Caching
413 -- Part_Of
417 | Name_Async_Writers
418 | Name_Constant_After_Elaboration
419 | Name_Depends
420 | Name_Effective_Reads
421 | Name_Effective_Writes
422 | Name_Global
423 | Name_No_Caching
424 | Name_Part_Of
425 then
426 Add_Classification;
428 -- The pragma is not a proper contract item
430 else
434 else
439 -----------------------
440 -- Analyze_Contracts --
441 -----------------------
446 begin
450 -- Entry or subprogram declarations
453 | N_Entry_Declaration
454 | N_Generic_Subprogram_Declaration
455 | N_Subprogram_Declaration
456 then
459 -- Entry or subprogram bodies
464 -- Objects
469 -- Package instantiation
474 -- Protected units
477 | N_Single_Protected_Declaration
478 then
481 -- Subprogram body stubs
486 -- Task units
489 | N_Task_Type_Declaration
490 then
493 -- For type declarations, we need to do the preanalysis of Iterable
494 -- and the 3 Xxx_Literal aspect specifications.
496 -- Other type aspects need to be resolved here???
500 then
501 declare
511 begin
529 | N_Private_Type_Declaration
530 | N_Task_Type_Declaration
531 | N_Protected_Type_Declaration
532 | N_Formal_Type_Declaration
533 then
541 -------------------------------------
542 -- Analyze_Pragmas_In_Declarations --
543 -------------------------------------
548 begin
549 -- Move through the body's declarations analyzing all pragmas which
550 -- appear at the top of the declarations.
557 if Pragma_Significant_To_Subprograms
559 then
563 -- Skip the renamings of discriminants and protection fields
568 -- We have reached something which is not a pragma so we can be sure
569 -- there are no more contracts or pragmas which need to be taken into
570 -- account.
572 else
580 -----------------------------------------------
581 -- Analyze_Entry_Or_Subprogram_Body_Contract --
582 -----------------------------------------------
584 -- WARNING: This routine manages SPARK regions. Return statements must be
585 -- replaced by gotos which jump to the end of the routine and restore the
586 -- SPARK mode.
595 -- Save the SPARK_Mode-related data to restore on exit
597 begin
598 -- When a subprogram body declaration is illegal, its defining entity is
599 -- left unanalyzed. There is nothing left to do in this case because the
600 -- body lacks a contract, or even a proper Ekind.
605 -- Do not analyze a contract multiple times
610 else
614 -- When this is a subprogram body not coming from source, for example an
615 -- expression function, it does not cause freezing of previous contracts
616 -- (see Analyze_Subprogram_Body_Helper), in particular not of those on
617 -- its spec if it exists. In this case make sure they have been properly
618 -- analyzed before being expanded below, as we may be invoked during the
619 -- freezing of the subprogram in the middle of its enclosing declarative
620 -- part because the declarative part contains e.g. the declaration of a
621 -- variable initialized by means of a call to the subprogram.
627 then
631 -- Due to the timing of contract analysis, delayed pragmas may be
632 -- subject to the wrong SPARK_Mode, usually that of the enclosing
633 -- context. To remedy this, restore the original SPARK_Mode of the
634 -- related subprogram body.
638 -- Ensure that the contract cases or postconditions mention 'Result or
639 -- define a post-state.
643 -- A stand-alone nonvolatile function body cannot have an effectively
644 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
645 -- check is relevant only when SPARK_Mode is on, as it is not a standard
646 -- legality rule. The check is performed here because Volatile_Function
647 -- is processed after the analysis of the related subprogram body. The
648 -- check only applies to source subprograms and not to generated TSS
649 -- subprograms.
655 then
659 -- Restore the SPARK_Mode of the enclosing context after all delayed
660 -- pragmas have been analyzed.
664 -- Capture all global references in a generic subprogram body now that
665 -- the contract has been analyzed.
668 Save_Global_References_In_Contract
673 -- Deal with preconditions, [refined] postconditions, Always_Terminates,
674 -- Contract_Cases, Exceptional_Cases, Subprogram_Variant, invariants and
675 -- predicates associated with body and its spec. Do not expand the
676 -- contract of subprogram body stubs.
683 ------------------------------------------
684 -- Analyze_Entry_Or_Subprogram_Contract --
685 ------------------------------------------
687 -- WARNING: This routine manages SPARK regions. Return statements must be
688 -- replaced by gotos which jump to the end of the routine and restore the
689 -- SPARK mode.
691 procedure Analyze_Entry_Or_Subprogram_Contract
694 is
703 -- Save the SPARK_Mode-related data to restore on exit
713 begin
714 -- Do not analyze a contract multiple times
719 else
724 -- Due to the timing of contract analysis, delayed pragmas may be
725 -- subject to the wrong SPARK_Mode, usually that of the enclosing
726 -- context. To remedy this, restore the original SPARK_Mode of the
727 -- related subprogram body.
731 -- All subprograms carry a contract, but for some it is not significant
732 -- and should not be processed.
739 -- Do not analyze the pre/postconditions of an entry declaration
740 -- unless annotating the original tree for GNATprove. The
741 -- real analysis occurs when the pre/postconditons are relocated to
742 -- the contract wrapper procedure (see Build_Contract_Wrapper).
747 -- Otherwise analyze the pre/postconditions.
748 -- If these come from an aspect specification, their expressions
749 -- might include references to types that are not frozen yet, in the
750 -- case where the body is a rewritten expression function that is a
751 -- completion, so freeze all types within before constructing the
752 -- contract code.
754 else
755 declare
759 begin
768 then
775 if Freeze_Types
777 then
778 Freeze_Expr_Types
781 Expr =>
782 Expression
793 -- Analyze contract-cases, subprogram-variant and test-cases
804 -- Do not analyze the contract cases of an entry declaration
805 -- unless annotating the original tree for GNATprove.
806 -- The real analysis occurs when the contract cases are moved
807 -- to the contract wrapper procedure (Build_Contract_Wrapper).
812 -- Otherwise analyze the contract cases
814 else
824 else
832 -- Analyze classification pragmas
848 -- Analyze Global first, as Depends may mention items classified in
849 -- the global categorization.
855 -- Depends must be analyzed after Global in order to see the modes of
856 -- all global items.
862 -- Ensure that the contract cases or postconditions mention 'Result
863 -- or define a post-state.
868 -- A nonvolatile function cannot have an effectively volatile formal
869 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
870 -- only when SPARK_Mode is on, as it is not a standard legality rule.
871 -- The check is performed here because pragma Volatile_Function is
872 -- processed after the analysis of the related subprogram declaration.
878 then
882 -- Restore the SPARK_Mode of the enclosing context after all delayed
883 -- pragmas have been analyzed.
887 -- Capture all global references in a generic subprogram now that the
888 -- contract has been analyzed.
891 Save_Global_References_In_Contract
897 ----------------------------------------------
898 -- Check_Type_Or_Object_External_Properties --
899 ----------------------------------------------
901 procedure Check_Type_Or_Object_External_Properties
903 is
908 -- Local variables
919 -- Start of processing for Check_Type_Or_Object_External_Properties
921 begin
922 -- Analyze all external properties
927 -- If the parent type of a derived type is volatile
928 -- then the derived type inherits volatility-related flags.
931 declare
934 begin
943 else
950 declare
952 begin
956 Error_Msg_N
958 Prag);
966 declare
968 begin
972 Error_Msg_N
974 Prag);
982 declare
984 begin
988 Error_Msg_N
990 Prag);
998 declare
1000 begin
1004 Error_Msg_N
1006 Prag);
1011 -- Verify the mutual interaction of the various external properties.
1012 -- For types and variables for which No_Caching is enabled, it has been
1013 -- checked already that only False values for other external properties
1014 -- are allowed.
1016 if Seen
1018 then
1019 Check_External_Properties
1023 -- Analyze the non-external volatility property No_Caching
1031 -- The following checks are relevant only when SPARK_Mode is on, as
1032 -- they are not standard Ada legality rules. Internally generated
1033 -- temporaries are ignored, as well as return objects.
1038 then
1041 -- The declaration of an effectively volatile object or type must
1042 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
1046 Error_Msg_N
1048 & Decl_Kind
1050 Type_Or_Obj_Id);
1052 -- An object of a discriminated type cannot be effectively
1053 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
1057 then
1058 Error_Msg_N
1060 Type_Or_Obj_Id);
1063 -- An object decl shall be compatible with respect to volatility
1064 -- with its type (SPARK RM 7.1.3(2)).
1068 Check_Volatility_Compatibility
1074 -- A component of a composite type (in this case, the composite
1075 -- type is an array type) shall be compatible with respect to
1076 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1079 Check_Volatility_Compatibility
1084 -- A component of a composite type (in this case, the composite
1085 -- type is a record type) shall be compatible with respect to
1086 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1089 declare
1091 begin
1093 Check_Volatility_Compatibility
1103 -- The type or object is not effectively volatile
1105 else
1106 -- A non-effectively volatile type cannot have effectively
1107 -- volatile components (SPARK RM 7.1.3(6)).
1109 if Is_Type_Id
1112 then
1113 Error_Msg_N
1116 Type_Or_Obj_Id);
1122 -----------------------------
1123 -- Analyze_Object_Contract --
1124 -----------------------------
1126 -- WARNING: This routine manages SPARK regions. Return statements must be
1127 -- replaced by gotos which jump to the end of the routine and restore the
1128 -- SPARK mode.
1130 procedure Analyze_Object_Contract
1133 is
1138 -- Save the SPARK_Mode-related data to restore on exit
1144 begin
1145 -- The loop parameter in an element iterator over a formal container
1146 -- is declared with an object declaration, but no contracts apply.
1152 -- Do not analyze a contract multiple times
1159 else
1164 -- The anonymous object created for a single concurrent type inherits
1165 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
1166 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
1167 -- of the enclosing context. To remedy this, restore the original mode
1168 -- of the related anonymous object.
1172 then
1176 -- Checks related to external properties, same for constants and
1177 -- variables.
1181 -- Constant-related checks
1185 -- Analyze indicator Part_Of
1189 -- Check whether the lack of indicator Part_Of agrees with the
1190 -- placement of the constant with respect to the state space.
1196 -- Variable-related checks
1200 -- The anonymous object created for a single task type carries
1201 -- pragmas Depends and Global of the type.
1205 -- Analyze Global first, as Depends may mention items classified
1206 -- in the global categorization.
1214 -- Depends must be analyzed after Global in order to see the modes
1215 -- of all global items.
1226 -- Analyze indicator Part_Of
1231 -- The variable is a constituent of a single protected/task type
1232 -- and behaves as a component of the type. Verify that references
1233 -- to the variable occur within the definition or body of the type
1234 -- (SPARK RM 9.3).
1237 and then Is_Single_Concurrent_Object
1240 then
1248 -- Otherwise check whether the lack of indicator Part_Of agrees with
1249 -- the placement of the variable with respect to the state space.
1251 else
1256 -- Common checks
1260 -- A Ghost object cannot be of a type that yields a synchronized
1261 -- object (SPARK RM 6.9(19)).
1266 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
1267 -- SPARK RM 6.9(19)).
1272 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
1273 -- One exception to this is the object that represents the dispatch
1274 -- table of a Ghost tagged type, as the symbol needs to be exported.
1284 -- Restore the SPARK_Mode of the enclosing context after all delayed
1285 -- pragmas have been analyzed.
1290 -----------------------------------
1291 -- Analyze_Package_Body_Contract --
1292 -----------------------------------
1294 -- WARNING: This routine manages SPARK regions. Return statements must be
1295 -- replaced by gotos which jump to the end of the routine and restore the
1296 -- SPARK mode.
1298 procedure Analyze_Package_Body_Contract
1301 is
1308 -- Save the SPARK_Mode-related data to restore on exit
1312 begin
1313 -- Do not analyze a contract multiple times
1318 else
1323 -- Due to the timing of contract analysis, delayed pragmas may be
1324 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1325 -- context. To remedy this, restore the original SPARK_Mode of the
1326 -- related package body.
1332 -- The analysis of pragma Refined_State detects whether the spec has
1333 -- abstract states available for refinement.
1339 -- Restore the SPARK_Mode of the enclosing context after all delayed
1340 -- pragmas have been analyzed.
1344 -- Capture all global references in a generic package body now that the
1345 -- contract has been analyzed.
1348 Save_Global_References_In_Contract
1354 ------------------------------
1355 -- Analyze_Package_Contract --
1356 ------------------------------
1358 -- WARNING: This routine manages SPARK regions. Return statements must be
1359 -- replaced by gotos which jump to the end of the routine and restore the
1360 -- SPARK mode.
1368 -- Save the SPARK_Mode-related data to restore on exit
1375 begin
1376 -- Do not analyze a contract multiple times
1382 -- Do not analyze the contract of the internal package
1383 -- created to check conformance of an actual package.
1384 -- Such an internal package is removed from the tree after
1385 -- legality checks are completed, and it does not contain
1386 -- the declarations of all local entities of the generic.
1390 then
1393 else
1398 -- Due to the timing of contract analysis, delayed pragmas may be
1399 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1400 -- context. To remedy this, restore the original SPARK_Mode of the
1401 -- related package.
1407 -- Locate and store pragmas Initial_Condition and Initializes, since
1408 -- their order of analysis matters.
1424 -- Analyze the initialization-related pragmas. Initializes must come
1425 -- before Initial_Condition due to item dependencies.
1436 -- Restore the SPARK_Mode of the enclosing context after all delayed
1437 -- pragmas have been analyzed.
1441 -- Capture all global references in a generic package now that the
1442 -- contract has been analyzed.
1445 Save_Global_References_In_Contract
1451 --------------------------------------------
1452 -- Analyze_Package_Instantiation_Contract --
1453 --------------------------------------------
1455 -- WARNING: This routine manages SPARK regions. Return statements must be
1456 -- replaced by gotos which jump to the end of the routine and restore the
1457 -- SPARK mode.
1465 -- Save the SPARK_Mode-related data to restore on exit
1470 begin
1471 -- Nothing to do when the package instantiation is erroneous or left
1472 -- partially decorated.
1481 -- Due to the timing of contract analysis, delayed pragmas may be
1482 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1483 -- context. To remedy this, restore the original SPARK_Mode of the
1484 -- related package.
1488 -- Check whether the lack of indicator Part_Of agrees with the placement
1489 -- of the package instantiation with respect to the state space. Nested
1490 -- package instantiations do not need to be checked because they inherit
1491 -- Part_Of indicator of the outermost package instantiation (see routine
1492 -- Propagate_Part_Of in Sem_Prag).
1501 -- Restore the SPARK_Mode of the enclosing context after all delayed
1502 -- pragmas have been analyzed.
1507 --------------------------------
1508 -- Analyze_Protected_Contract --
1509 --------------------------------
1514 begin
1515 -- Do not analyze a contract multiple times
1520 else
1526 -------------------------------------------
1527 -- Analyze_Subprogram_Body_Stub_Contract --
1528 -------------------------------------------
1534 begin
1535 -- A subprogram body stub may act as its own spec or as the completion
1536 -- of a previous declaration. Depending on the context, the contract of
1537 -- the stub may contain two sets of pragmas.
1539 -- The stub is a completion, the applicable pragmas are:
1540 -- Refined_Depends
1541 -- Refined_Global
1546 -- The stub acts as its own spec, the applicable pragmas are:
1547 -- Always_Terminates
1548 -- Contract_Cases
1549 -- Depends
1550 -- Exceptional_Cases
1551 -- Global
1552 -- Postcondition
1553 -- Precondition
1554 -- Subprogram_Variant
1555 -- Test_Case
1557 else
1562 ---------------------------
1563 -- Analyze_Task_Contract --
1564 ---------------------------
1566 -- WARNING: This routine manages SPARK regions. Return statements must be
1567 -- replaced by gotos which jump to the end of the routine and restore the
1568 -- SPARK mode.
1575 -- Save the SPARK_Mode-related data to restore on exit
1579 begin
1580 -- Do not analyze a contract multiple times
1585 else
1590 -- Due to the timing of contract analysis, delayed pragmas may be
1591 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1592 -- context. To remedy this, restore the original SPARK_Mode of the
1593 -- related task unit.
1597 -- Analyze Global first, as Depends may mention items classified in the
1598 -- global categorization.
1606 -- Depends must be analyzed after Global in order to see the modes of
1607 -- all global items.
1615 -- Restore the SPARK_Mode of the enclosing context after all delayed
1616 -- pragmas have been analyzed.
1621 ---------------------------
1622 -- Analyze_Type_Contract --
1623 ---------------------------
1626 begin
1627 Check_Type_Or_Object_External_Properties
1630 -- Analyze Pre/Post on access-to-subprogram type
1633 Analyze_Entry_Or_Subprogram_Contract
1638 ---------------------------------------
1639 -- Build_Subprogram_Contract_Wrapper --
1640 ---------------------------------------
1642 procedure Build_Subprogram_Contract_Wrapper
1647 is
1658 begin
1659 -- When there are no postcondition statements we do not need to
1660 -- generate a wrapper.
1666 -- Obtain the related subprogram id from the body id.
1670 else
1675 -- Generate the contracts wrapper by moving the original declarations
1676 -- and statements within a local subprogram, calling it and possibly
1677 -- preserving the result for the purpose of evaluating postconditions,
1678 -- contracts, type invariants, etc.
1680 -- In the case of a function, generate:
1681 --
1682 -- function Original_Func (X : in out Integer) return Typ is
1683 -- <prologue renamings>
1684 -- <preconditions>
1685 --
1686 -- function _Wrapped_Statements return Typ is
1687 -- <original declarations>
1688 -- begin
1689 -- <original statements>
1690 -- end;
1691 --
1692 -- begin
1693 -- return
1694 -- Result_Obj : constant Typ := _Wrapped_Statements
1695 -- do
1696 -- <postconditions statements>
1697 -- end return;
1698 -- end;
1700 -- Or else, in the case of a procedure, generate:
1701 --
1702 -- procedure Original_Proc (X : in out Integer) is
1703 -- <prologue renamings>
1704 -- <preconditions>
1705 --
1706 -- procedure _Wrapped_Statements is
1707 -- <original declarations>
1708 -- begin
1709 -- <original statements>
1710 -- end;
1711 --
1712 -- begin
1713 -- _Wrapped_Statements;
1714 -- <postconditions statements>
1715 -- end;
1717 -- Create Identifier
1724 Set_Has_Pragma_Inline_Always
1727 -- Create specification and declaration for the wrapper
1730 Wrapper_Spec :=
1733 else
1734 Wrapper_Spec :=
1740 -- Create the wrapper body using Body_Id's statements and declarations
1742 Wrapper_Body :=
1746 Handled_Statement_Sequence =>
1755 -- Prepend a call to the wrapper when the subprogram is a procedure
1761 Set_Statements
1764 -- Generate the post-execution statements and the extended return
1765 -- when the subprogram being wrapped is a function.
1767 else
1774 Object_Definition =>
1776 Expression =>
1778 Name =>
1780 Handled_Statement_Sequence =>
1786 ----------------------------------
1787 -- Build_Entry_Contract_Wrapper --
1788 ----------------------------------
1794 procedure Add_Discriminant_Renamings
1797 -- Add renaming declarations for all discriminants of concurrent type
1798 -- Conc_Typ. Obj_Id is the entity of the wrapper formal parameter which
1799 -- represents the concurrent object.
1801 procedure Add_Matching_Formals
1804 -- Add formal parameters that match those of entry E to list Formals.
1805 -- The routine also adds matching actuals for the new formals to list
1806 -- Actuals.
1809 -- Relocate pragma Prag to list To. The routine creates a new list if
1810 -- To does not exist.
1812 --------------------------------
1813 -- Add_Discriminant_Renamings --
1814 --------------------------------
1816 procedure Add_Discriminant_Renamings
1819 is
1823 begin
1824 -- Inspect the discriminants of the concurrent type and generate a
1825 -- renaming for each one.
1830 Renaming_Decl :=
1832 Defining_Identifier =>
1834 Subtype_Mark =>
1836 Name =>
1839 Selector_Name =>
1849 --------------------------
1850 -- Add_Matching_Formals --
1851 --------------------------
1853 procedure Add_Matching_Formals
1856 is
1860 begin
1861 -- Inspect the formal parameters of the entry and generate a new
1862 -- matching formal with the same name for the wrapper. A reference
1863 -- to the new formal becomes an actual in the entry call.
1873 Parameter_Type =>
1885 ---------------------
1886 -- Transfer_Pragma --
1887 ---------------------
1892 begin
1903 -- Local variables
1917 -- Start of processing for Build_Entry_Contract_Wrapper
1919 begin
1920 -- This routine generates a specialized wrapper for a protected or task
1921 -- entry [family] which implements precondition/postcondition semantics.
1922 -- Preconditions and case guards of contract cases are checked before
1923 -- the protected action or rendezvous takes place.
1925 -- procedure Wrapper
1926 -- (Obj_Id : Conc_Typ; -- concurrent object
1927 -- [Index : Index_Typ;] -- index of entry family
1928 -- [Formal_1 : ...; -- parameters of original entry
1929 -- Formal_N : ...])
1930 -- is
1931 -- [Discr_1 : ... renames Obj_Id.Discr_1; -- discriminant
1932 -- Discr_N : ... renames Obj_Id.Discr_N;] -- renamings
1934 -- <contracts pragmas>
1935 -- <case guard checks>
1937 -- begin
1938 -- Entry_Call (Obj_Id, [Index,] [Formal_1, Formal_N]);
1939 -- end Wrapper;
1941 -- Create the wrapper only when the entry has at least one executable
1942 -- contract item such as contract cases, precondition or postcondition.
1946 -- Inspect the list of pre/postconditions and transfer all available
1947 -- pragmas to the declarative list of the wrapper.
1952 | Name_Precondition
1954 then
1962 -- Inspect the list of test/contract cases and transfer only contract
1963 -- cases pragmas to the declarative part of the wrapper.
1969 then
1978 -- The entry lacks executable contract items and a wrapper is not needed
1984 -- Create the profile of the wrapper. The first formal parameter is the
1985 -- concurrent object.
1987 Obj_Id :=
1998 -- Construct the call to the original entry. The call will be gradually
1999 -- augmented with an optional entry index and extra parameters.
2001 Call_Nam :=
2006 -- When creating a wrapper for an entry family, the second formal is the
2007 -- entry index.
2015 Parameter_Type =>
2018 -- The call to the original entry becomes an indexed component to
2019 -- accommodate the entry index.
2021 Call_Nam :=
2027 -- Add formal parameters to match those of the entry and build actuals
2028 -- for the entry call.
2032 Call :=
2037 -- Add renaming declarations for the discriminants of the enclosing type
2038 -- as the various contract items may reference them.
2042 Wrapper_Id :=
2047 -- The wrapper body is analyzed when the enclosing type is frozen
2051 Specification =>
2056 Handled_Statement_Sequence =>
2061 ---------------------------
2062 -- Check_Class_Condition --
2063 ---------------------------
2065 procedure Check_Class_Condition
2070 is
2072 -- Check reference to formal of inherited operation or to primitive
2073 -- operation of root type.
2075 ------------------
2076 -- Check_Entity --
2077 ------------------
2083 begin
2086 and then
2088 and then
2091 then
2092 -- These checks do not apply to dispatching calls within the
2093 -- condition, but only to calls whose static tag is that of
2094 -- the parent type.
2099 then
2103 -- Determine whether entity has a renaming
2110 -- AI12-0166: A precondition for a protected operation
2111 -- cannot include an internal call to a protected function
2112 -- of the type. In the case of an inherited condition for an
2113 -- overriding operation, both the operation and the function
2114 -- are given by primitive wrappers.
2116 if Is_Precondition
2121 then
2123 Error_Msg_NE
2130 -- Check that there are no calls left to abstract operations if
2131 -- the current subprogram is not abstract.
2136 then
2139 then
2144 Error_Msg_NE
2147 else
2148 Error_Msg_NE
2153 -- In SPARK mode, report error on inherited condition for an
2154 -- inherited operation if it contains a call to an overriding
2155 -- operation, because this implies that the pre/postconditions
2156 -- of the inherited operation have changed silently.
2159 and then Warn_On_Suspicious_Contract
2163 then
2164 Error_Msg_N
2169 Error_Msg_NE
2182 -- Start of processing for Check_Class_Condition
2184 begin
2185 -- No check required if the subprograms match
2196 -----------------------------
2197 -- Create_Generic_Contract --
2198 -----------------------------
2205 -- Add a single contract-related source pragma Prag to the contract of
2206 -- generic template Templ_Id.
2208 ---------------------------------
2209 -- Add_Generic_Contract_Pragma --
2210 ---------------------------------
2215 begin
2216 -- Mark the pragma to prevent the premature capture of global
2217 -- references when capturing global references of the context
2218 -- (see Save_References_In_Pragma).
2222 -- Pragmas that apply to a generic subprogram declaration are not
2223 -- part of the semantic structure of the generic template:
2225 -- generic
2226 -- procedure Example (Formal : Integer);
2227 -- pragma Precondition (Formal > 0);
2229 -- Create a generic template for such pragmas and link the template
2230 -- of the pragma with the generic template.
2233 Rewrite
2240 -- Otherwise link the pragma with the generic template
2242 else
2246 exception
2247 -- We do not stop the compilation at this point in the case of an
2248 -- invalid pragma because it will be properly diagnosed afterward.
2253 -- Local variables
2258 -- Start of processing for Create_Generic_Contract
2260 begin
2261 -- A generic package declaration carries contract-related source pragmas
2262 -- in its visible declarations.
2271 -- A generic package body carries contract-related source pragmas in its
2272 -- declarations.
2281 -- Generic subprogram declaration
2286 else
2290 -- When the generic subprogram acts as a compilation unit, inspect
2291 -- the Pragmas_After list for contract-related source pragmas.
2296 then
2300 -- Otherwise inspect the successive declarations for contract-related
2301 -- source pragmas.
2303 else
2307 -- A generic subprogram body carries contract-related source pragmas in
2308 -- its declarations.
2318 -- Inspect the relevant declarations looking for contract-related source
2319 -- pragmas and add them to the contract of the generic unit.
2325 -- The source pragma is a contract annotation
2331 -- The region where a contract-related source pragma may appear
2332 -- ends with the first source non-pragma declaration or statement.
2334 else
2343 --------------------------------
2344 -- Expand_Subprogram_Contract --
2345 --------------------------------
2351 procedure Add_Invariant_And_Predicate_Checks
2355 -- Process the result of function Subp_Id (if applicable) and all its
2356 -- formals. Add invariant and predicate checks where applicable. The
2357 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
2358 -- function, Result contains the entity of parameter _Result, to be
2359 -- used in the creation of procedure _Postconditions.
2361 procedure Add_Stable_Property_Contracts
2363 -- Augment postcondition contracts to reflect Stable_Property aspect
2364 -- (if Class_Present = False) or Stable_Property'Class aspect (if
2365 -- Class_Present = True).
2368 -- Append a node to a list. If there is no list, create a new one. When
2369 -- the item denotes a pragma, it is added to the list only when it is
2370 -- enabled.
2372 procedure Process_Contract_Cases
2375 -- Process pragma Contract_Cases. This routine prepends items to the
2376 -- body declarations and appends items to list Stmts.
2379 -- Collect all [inherited] spec and body postconditions and accumulate
2380 -- their pragma Check equivalents in list Stmts.
2383 -- Collect all [inherited] spec and body preconditions and prepend their
2384 -- pragma Check equivalents to the declarations of the body.
2386 ----------------------------------------
2387 -- Add_Invariant_And_Predicate_Checks --
2388 ----------------------------------------
2390 procedure Add_Invariant_And_Predicate_Checks
2394 is
2396 -- Id denotes the return value of a function or a formal parameter.
2397 -- Add an invariant check if the type of Id is access to a type with
2398 -- invariants. The routine appends the generated code to Stmts.
2401 -- Determine whether type Typ can benefit from invariant checks. To
2402 -- qualify, the type must have a non-null invariant procedure and
2403 -- subprogram Subp_Id must appear visible from the point of view of
2404 -- the type.
2406 ---------------------------------
2407 -- Add_Invariant_Access_Checks --
2408 ---------------------------------
2415 begin
2422 Ref :=
2427 -- Generate:
2428 -- if <Id> /= null then
2429 -- <invariant_call (<Ref>)>
2430 -- end if;
2432 Append_Enabled_Item
2435 Condition =>
2446 -------------------------
2447 -- Invariant_Checks_OK --
2448 -------------------------
2452 -- Determine whether type Typ has public visibility of subprogram
2453 -- Subp_Id.
2455 -----------------------------------------
2456 -- Has_Public_Visibility_Of_Subprogram --
2457 -----------------------------------------
2462 begin
2463 -- An Initialization procedure must be considered visible even
2464 -- though it is internally generated.
2472 -- Internally generated code is never publicly visible except
2473 -- for a subprogram that is the implementation of an expression
2474 -- function. In that case the visibility is determined by the
2475 -- last check.
2478 and then
2480 or else not
2482 then
2485 -- Determine whether the subprogram is declared in the visible
2486 -- declarations of the package containing the type, or in the
2487 -- visible declaration of a child unit of that package.
2490 declare
2497 begin
2498 return
2499 Decls = Visible_Declarations
2502 or else
2506 and then
2508 and then
2509 Decls = Visible_Declarations
2510 (Specification
2514 -- Determine whether the subprogram is a child subprogram of
2515 -- of the package containing the type.
2517 else
2518 pragma Assert
2521 declare
2526 begin
2527 return
2529 and then
2531 or else
2533 and then Is_Ancestor_Package
2539 -- Start of processing for Invariant_Checks_OK
2541 begin
2542 return
2549 -- Local variables
2552 -- Source location of subprogram body contract
2557 -- Start of processing for Add_Invariant_And_Predicate_Checks
2559 begin
2562 -- Process the result of a function
2567 -- Generate _Result which is used in procedure _Postconditions to
2568 -- verify the return value.
2573 -- Add an invariant check when the return type has invariants and
2574 -- the related function is visible to the outside.
2577 Append_Enabled_Item
2583 -- Add an invariant check when the return type is an access to a
2584 -- type with invariants.
2589 -- Add invariant checks for all formals that qualify (see AI05-0289
2590 -- and AI12-0044).
2599 then
2601 Append_Enabled_Item
2609 -- Note: we used to add predicate checks for OUT and IN OUT
2610 -- formals here, but that was misguided, since such checks are
2611 -- performed on the caller side, based on the predicate of the
2612 -- actual, rather than the predicate of the formal.
2620 -----------------------------------
2621 -- Add_Stable_Property_Contracts --
2622 -----------------------------------
2624 procedure Add_Stable_Property_Contracts
2626 is
2629 procedure Insert_Stable_Property_Check
2631 -- Build the pragma for one check and insert it in the tree.
2633 function Make_Stable_Property_Condition
2635 -- Builds tree for "Func (Formal) = Func (Formal)'Old" expression.
2637 function Stable_Properties
2640 -- If no aspect specified, then returns length-zero result.
2641 -- Negated indicates that reserved word NOT was specified.
2643 ----------------------------------
2644 -- Insert_Stable_Property_Check --
2645 ----------------------------------
2647 procedure Insert_Stable_Property_Check
2651 New_List
2652 (Make_Pragma_Argument_Association
2654 Expression =>
2655 Make_Stable_Property_Condition
2658 Make_Pragma_Argument_Association
2660 Expression =>
2661 Make_String_Literal
2663 Strval =>
2664 "failed stable property check at "
2672 )));
2676 Pragma_Identifier =>
2682 begin
2683 -- Enclosing_Declaration may return, for example,
2684 -- a N_Procedure_Specification node. Cope with this.
2685 loop
2695 ------------------------------------
2696 -- Make_Stable_Property_Condition --
2697 ------------------------------------
2699 function Make_Stable_Property_Condition
2701 is
2703 (Make_Function_Call
2705 Name =>
2707 Parameter_Associations =>
2709 begin
2710 return Make_Op_Eq
2712 Call_Property_Function,
2713 Make_Attribute_Reference
2719 -----------------------
2720 -- Stable_Properties --
2721 -----------------------
2723 function Stable_Properties
2725 return Subprogram_List
2726 is
2728 Find_Value_Of_Aspect
2731 begin
2732 -- ??? For a derived type, we wish Find_Value_Of_Aspect
2733 -- somehow knew that this aspect is not inherited.
2734 -- But it doesn't, so we cope with that here.
2735 --
2736 -- There are probably issues here with inheritance from
2737 -- interface types, where just looking for the one parent type
2738 -- isn't enough. But this is far from the only work needed for
2739 -- Stable_Properties'Class for interface types.
2742 declare
2745 begin
2747 Find_Value_Of_Aspect
2750 then
2751 -- prevent inheritance
2759 -- This is a little bit subtle.
2760 -- We need to assign True in the Subp_Id case in order to
2761 -- distinguish between no aspect spec at all vs. an
2762 -- explicitly specified "with S_P => []" empty list.
2763 -- In both cases Stable_Properties will return a length-0
2764 -- array, but the two cases are not equivalent.
2765 -- Very roughly speaking the lack of an S_P aspect spec for
2766 -- a subprogram would be equivalent to something like
2767 -- "with S_P => [not]", where we apply the "not" modifier to
2768 -- an empty set of subprograms, if such a construct existed.
2769 -- We could just assign True here, but it seems untidy to
2770 -- return True in the case of an aspect spec for a type
2771 -- (since negation is only allowed for subp S_P aspects).
2774 else
2775 return Parse_Aspect_Stable_Properties
2787 -- start of processing for Add_Stable_Property_Contracts
2789 begin
2791 then
2803 then
2804 -- ??? Need to filter out checks for SPFs that are
2805 -- mentioned explicitly in the postcondition of
2806 -- Subp_Id.
2808 Insert_Stable_Property_Check
2814 declare
2820 function Excluded_By_Aspect_Spec_Of_Subp
2822 -- Examine Subp_Properties to determine whether SPF should
2823 -- be excluded.
2825 -------------------------------------
2826 -- Excluded_By_Aspect_Spec_Of_Subp --
2827 -------------------------------------
2829 function Excluded_By_Aspect_Spec_Of_Subp
2831 begin
2833 -- Look through renames for equality test here ???
2837 -- Look through renames for equality test here ???
2840 begin
2844 -- ??? Need to filter out checks for SPFs that are
2845 -- mentioned explicitly in the postcondition of
2846 -- Subp_Id.
2847 Insert_Stable_Property_Check
2858 -------------------------
2859 -- Append_Enabled_Item --
2860 -------------------------
2863 begin
2864 -- Do not chain ignored or disabled pragmas
2868 then
2871 -- Otherwise, add the item
2873 else
2878 -- If the pragma is a conjunct in a composite postcondition, it
2879 -- has been processed in reverse order. In the postcondition body
2880 -- it must appear before the others.
2885 then
2887 else
2893 ----------------------------
2894 -- Process_Contract_Cases --
2895 ----------------------------
2897 procedure Process_Contract_Cases
2900 is
2902 -- Process pragma Contract_Cases for subprogram Subp_Id
2904 --------------------------------
2905 -- Process_Contract_Cases_For --
2906 --------------------------------
2912 begin
2921 Expand_Pragma_Contract_Cases
2931 Expand_Pragma_Subprogram_Variant
2943 -- Start of processing for Process_Contract_Cases
2945 begin
2953 ----------------------------
2954 -- Process_Postconditions --
2955 ----------------------------
2959 -- Collect all [refined] postconditions of a specific kind denoted
2960 -- by Post_Nam that belong to the body, and generate pragma Check
2961 -- equivalents in list Stmts.
2964 -- Collect all [inherited] postconditions of the spec, and generate
2965 -- pragma Check equivalents in list Stmts.
2967 ---------------------------------
2968 -- Process_Body_Postconditions --
2969 ---------------------------------
2977 begin
2978 -- Process the contract
2985 then
2986 Append_Enabled_Item
2995 -- The subprogram body being processed is actually the proper body
2996 -- of a stub with a corresponding spec. The subprogram stub may
2997 -- carry a postcondition pragma, in which case it must be taken
2998 -- into account. The pragma appears after the stub.
3004 -- Note that non-matching pragmas are skipped
3009 then
3010 Append_Enabled_Item
3015 -- Skip internally generated code
3020 -- Postcondition pragmas are usually grouped together. There
3021 -- is no need to inspect the whole declarative list.
3023 else
3032 ---------------------------------
3033 -- Process_Spec_Postconditions --
3034 ---------------------------------
3042 -- Return True if the contract of subprogram Subp_Id has been
3043 -- processed.
3045 ---------------
3046 -- Seen_Subp --
3047 ---------------
3050 begin
3060 -- Local variables
3067 -- Start of processing for Process_Spec_Postconditions
3069 begin
3070 -- Process the contract
3079 then
3080 Append_Enabled_Item
3089 -- Process the contracts of all inherited subprograms, looking for
3090 -- class-wide postconditions.
3099 -- Wrappers of class-wide pre/postconditions reference the
3100 -- parent primitive that has the inherited contract.
3104 then
3117 then
3118 Item :=
3119 Build_Pragma_Check_Equivalent
3124 -- The pragma Check equivalent of the class-wide
3125 -- postcondition is still created even though the
3126 -- pragma may be ignored because the equivalent
3127 -- performs semantic checks.
3141 -- Stmts is passed as IN OUT to signal that the list can be updated,
3142 -- even if the corresponding integer value representing the list does
3143 -- not change.
3145 -- Start of processing for Process_Postconditions
3147 begin
3148 -- The processing of postconditions is done in reverse order (body
3149 -- first) to ensure the following arrangement:
3151 -- <refined postconditions from body>
3152 -- <postconditions from body>
3153 -- <postconditions from spec>
3154 -- <inherited postconditions>
3160 Process_Spec_Postconditions;
3164 ---------------------------
3165 -- Process_Preconditions --
3166 ---------------------------
3170 -- The insertion node after which all pragma Check equivalents are
3171 -- inserted.
3174 -- Prepend a single item to the declarations of the subprogram body
3177 -- Prepend a normal precondition to the declarations of the body and
3178 -- analyze it.
3181 -- Collect all preconditions of subprogram Subp_Id and prepend their
3182 -- pragma Check equivalents to the declarations of the body.
3184 ----------------------
3185 -- Prepend_To_Decls --
3186 ----------------------
3189 begin
3190 -- Ensure that the body has a declarative list
3200 -----------------------------
3201 -- Prepend_Pragma_To_Decls --
3202 -----------------------------
3207 begin
3208 -- Skip the sole class-wide precondition (if any) since it is
3209 -- processed by Merge_Class_Conditions.
3214 -- Accumulate the corresponding Check pragmas at the top of the
3215 -- declarations. Prepending the items ensures that they will be
3216 -- evaluated in their original order.
3218 else
3225 -------------------------------
3226 -- Process_Preconditions_For --
3227 -------------------------------
3236 begin
3237 -- Process the contract. If the body is an expression function
3238 -- that is a completion, freeze types within, because this may
3239 -- not have been done yet, when the subprogram declaration and
3240 -- its completion by an expression function appear in distinct
3241 -- declarative lists of the same unit (visible and private).
3243 Freeze_T :=
3254 then
3255 if Freeze_T
3257 then
3258 Freeze_Expr_Types
3261 Expr =>
3262 Expression
3274 -- The subprogram declaration being processed is actually a body
3275 -- stub. The stub may carry a precondition pragma, in which case
3276 -- it must be taken into account. The pragma appears after the
3277 -- stub.
3281 -- Inspect the declarations following the body stub
3286 -- Note that non-matching pragmas are skipped
3291 then
3295 -- Skip internally generated code
3300 -- Preconditions are usually grouped together. There is no
3301 -- need to inspect the whole declarative list.
3303 else
3312 -- Local variables
3318 -- Start of processing for Process_Preconditions
3320 begin
3321 -- Find the proper insertion point for all pragma Check equivalents
3327 -- First source declaration terminates the search, because all
3328 -- preconditions must be evaluated prior to it, by definition.
3333 -- Certain internally generated object renamings such as those
3334 -- for discriminants and protection fields must be elaborated
3335 -- before the preconditions are evaluated, as their expressions
3336 -- may mention the discriminants. The renamings include those
3337 -- for private components so we need to find the last such.
3342 loop
3348 -- Otherwise the declaration does not come from source. This
3349 -- also terminates the search, because internal code may raise
3350 -- exceptions which should not preempt the preconditions.
3352 else
3359 -- The processing of preconditions is done in reverse order (body
3360 -- first), because each pragma Check equivalent is inserted at the
3361 -- top of the declarations. This ensures that the final order is
3362 -- consistent with following diagram:
3364 -- <inherited preconditions>
3365 -- <preconditions from spec>
3366 -- <preconditions from body>
3370 -- Move the generated entry-call prologue renamings into the
3371 -- outer declarations for use in the preconditions.
3389 -- Local variables
3397 -- Start of processing for Expand_Subprogram_Contract
3399 begin
3400 -- Obtain the entity of the initial declaration
3404 else
3408 -- Do not perform expansion activity when it is not needed
3413 -- GNATprove does not need the executable semantics of a contract
3418 -- The contract of a generic subprogram or one declared in a generic
3419 -- context is not expanded, as the corresponding instance will provide
3420 -- the executable semantics of the contract.
3425 -- All subprograms carry a contract, but for some it is not significant
3426 -- and should not be processed. This is a small optimization.
3431 -- The contract of an ignored Ghost subprogram does not need expansion,
3432 -- because the subprogram and all calls to it will be removed.
3437 -- No action needed for helpers and indirect-call wrapper built to
3438 -- support class-wide preconditions.
3443 -- Do not re-expand the same contract. This scenario occurs when a
3444 -- construct is rewritten into something else during its analysis
3445 -- (expression functions for instance).
3451 -- Prevent multiple expansion attempts of the same contract
3455 -- Ensure that the formal parameters are visible when expanding all
3456 -- contract items.
3464 else
3469 -- The expansion of a subprogram contract involves the creation of Check
3470 -- pragmas to verify the contract assertions of the spec and body in a
3471 -- particular order. The order is as follows:
3473 -- function Original_Code (...) return ... is
3474 -- <prologue renamings>
3475 -- <inherited preconditions>
3476 -- <preconditions from spec>
3477 -- <preconditions from body>
3478 -- <contract case conditions>
3480 -- function _Wrapped_Statements (...) return ... is
3481 -- <source declarations>
3482 -- begin
3483 -- <source statements>
3484 -- end _Wrapped_Statements;
3486 -- begin
3487 -- return Result : constant ... := _Wrapped_Statements do
3488 -- <refined postconditions from body>
3489 -- <postconditions from body>
3490 -- <postconditions from spec>
3491 -- <inherited postconditions>
3492 -- <contract case consequences>
3493 -- <invariant check of function result>
3494 -- <invariant and predicate checks of parameters
3495 -- end return;
3496 -- end Original_Code;
3498 -- Step 1: augment contracts list with postconditions associated with
3499 -- Stable_Properties and Stable_Properties'Class aspects. This must
3500 -- precede Process_Postconditions.
3503 Add_Stable_Property_Contracts
3507 -- Step 2: Handle all preconditions. This action must come before the
3508 -- processing of pragma Contract_Cases because the pragma prepends items
3509 -- to the body declarations.
3513 -- Step 3: Handle all postconditions. This action must come before the
3514 -- processing of pragma Contract_Cases because the pragma appends items
3515 -- to list Stmts.
3519 -- Step 4: Handle pragma Contract_Cases. This action must come before
3520 -- the processing of invariants and predicates because those append
3521 -- items to list Stmts.
3525 -- Step 5: Apply invariant and predicate checks on a function result and
3526 -- all formals. The resulting checks are accumulated in list Stmts.
3530 -- Step 6: Construct subprogram _wrapped_statements
3532 -- When no statements are present we still need to insert contract
3533 -- related declarations.
3538 -- Otherwise, we need a wrapper
3540 else
3545 End_Scope;
3549 -------------------------------
3550 -- Freeze_Previous_Contracts --
3551 -------------------------------
3556 -- Determine whether arbitrary node N causes contract freezing. This is
3557 -- used as an assertion for the current body declaration that caused
3558 -- contract freezing, and as a condition to detect body declaration that
3559 -- already caused contract freezing before.
3563 -- Freeze the contracts of all eligible constructs which precede body
3564 -- Body_Decl.
3568 -- Freeze the contract of the nearest package body (if any) which
3569 -- encloses body Body_Decl.
3571 ------------------------------
3572 -- Causes_Contract_Freezing --
3573 ------------------------------
3576 begin
3577 -- The following condition matches guards for calls to
3578 -- Freeze_Previous_Contracts from routines that analyze various body
3579 -- declarations. In particular, it detects expression functions, as
3580 -- described in the call from Analyze_Subprogram_Body_Helper.
3582 return
3584 and then
3586 N_Entry_Body | N_Package_Body | N_Protected_Body |
3587 N_Subprogram_Body | N_Subprogram_Body_Stub | N_Task_Body;
3590 ----------------------
3591 -- Freeze_Contracts --
3592 ----------------------
3598 begin
3599 -- Nothing to do when the body which causes freezing does not appear
3600 -- in a declarative list because there cannot possibly be constructs
3601 -- with contracts.
3607 -- Inspect the declarations preceding the body, and freeze individual
3608 -- contracts of eligible constructs.
3613 -- Stop the traversal when a preceding construct that causes
3614 -- freezing is encountered as there is no point in refreezing
3615 -- the already frozen constructs.
3620 -- Entry or subprogram declarations
3623 | N_Entry_Declaration
3624 | N_Generic_Subprogram_Declaration
3625 | N_Subprogram_Declaration
3626 then
3627 Analyze_Entry_Or_Subprogram_Contract
3631 -- Objects
3634 Analyze_Object_Contract
3638 -- Protected units
3641 | N_Single_Protected_Declaration
3642 then
3645 -- Subprogram body stubs
3650 -- Task units
3653 | N_Task_Type_Declaration
3654 then
3659 | N_Private_Type_Declaration
3660 | N_Task_Type_Declaration
3661 | N_Protected_Type_Declaration
3662 | N_Formal_Type_Declaration
3663 then
3671 -----------------------------------
3672 -- Freeze_Enclosing_Package_Body --
3673 -----------------------------------
3679 begin
3680 -- Climb the parent chain looking for an enclosing package body. Do
3681 -- not use the scope stack, because a body utilizes the entity of its
3682 -- corresponding spec.
3687 Analyze_Package_Body_Contract
3693 -- Do not look for an enclosing package body when the construct
3694 -- which causes freezing is a body generated for an expression
3695 -- function and it appears within a package spec. This ensures
3696 -- that the traversal will not reach too far up the parent chain
3697 -- and attempt to freeze a package body which must not be frozen.
3699 -- package body Enclosing_Body
3700 -- with Refined_State => (State => Var)
3701 -- is
3702 -- package Nested is
3703 -- type Some_Type is ...;
3704 -- function Cause_Freezing return ...;
3705 -- private
3706 -- function Cause_Freezing is (...);
3707 -- end Nested;
3708 --
3709 -- Var : Nested.Some_Type;
3713 then
3716 -- Prevent the search from going too far
3726 -- Local variables
3730 -- Start of processing for Freeze_Previous_Contracts
3732 begin
3735 -- A body that is in the process of being inlined appears from source,
3736 -- but carries name _parent. Such a body does not cause freezing of
3737 -- contracts.
3743 Freeze_Enclosing_Package_Body;
3744 Freeze_Contracts;
3747 ---------------------------------
3748 -- Inherit_Subprogram_Contract --
3749 ---------------------------------
3751 procedure Inherit_Subprogram_Contract
3754 is
3756 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3757 -- Subp's contract.
3759 --------------------
3760 -- Inherit_Pragma --
3761 --------------------
3767 begin
3768 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3769 -- chains, therefore the node must be replicated. The new pragma is
3770 -- flagged as inherited for distinction purposes.
3780 -- Start of processing for Inherit_Subprogram_Contract
3782 begin
3783 -- Inheritance is carried out only when both entities are subprograms
3784 -- with contracts.
3789 then
3795 -------------------------------------
3796 -- Instantiate_Subprogram_Contract --
3797 -------------------------------------
3801 -- Instantiate all contract-related source pragmas found in the list,
3802 -- starting with pragma First_Prag. Each instantiated pragma is added
3803 -- to list L.
3805 -------------------------
3806 -- Instantiate_Pragmas --
3807 -------------------------
3813 begin
3817 Inst_Prag :=
3828 -- Local variables
3832 -- Start of processing for Instantiate_Subprogram_Contract
3834 begin
3842 --------------------------
3843 -- Is_Prologue_Renaming --
3844 --------------------------
3846 -- This should be turned into a flag and set during the expansion of
3847 -- task and protected types when the renamings get generated ???
3855 begin
3858 then
3863 -- Analyze the renaming declaration so we can further examine it
3872 -- A discriminant renaming appears as
3873 -- Discr : constant ... := Prefix.Discr;
3879 then
3882 -- A protection field renaming appears as
3883 -- Prot : ... := _object._object;
3885 -- A renamed private component is just a component of
3886 -- _object, with an arbitrary name.
3892 then
3901 -----------------------------------
3902 -- Make_Class_Precondition_Subps --
3903 -----------------------------------
3905 procedure Make_Class_Precondition_Subps
3908 is
3913 -- Build the indirect-call wrapper and append it to the freezing actions
3914 -- of Tagged_Type.
3916 procedure Add_Call_Helper
3919 -- Factorizes code for building a call helper with the given identifier
3920 -- and append it to the freezing actions of Tagged_Type. Is_Dynamic
3921 -- controls building the static or dynamic version of the helper.
3924 -- Build an unique new name adding suffix to Subp_Id name (plus its
3925 -- homonym number for values bigger than 1).
3927 -------------------------------
3928 -- Add_Indirect_Call_Wrapper --
3929 -------------------------------
3934 -- Build the body of the indirect call wrapper
3937 -- Build the declaration of the indirect call wrapper
3939 --------------------
3940 -- Build_ICW_Body --
3941 --------------------
3950 begin
3953 -- Build call to wrapped subprogram
3955 declare
3959 begin
3960 -- Build parameter association & call
3964 New_Occurrence_Of
3970 Call :=
3974 else
3975 Call :=
3977 Expression =>
3984 ICW_Body :=
3988 Handled_Statement_Sequence =>
3992 -- The new operation is internal and overriding indicators do not
3993 -- apply.
4000 --------------------
4001 -- Build_ICW_Decl --
4002 --------------------
4011 begin
4019 -- The indirect call wrapper is commonly used for indirect calls
4020 -- but inlined for direct calls performed from the DTW.
4030 -- Link original subprogram to indirect wrapper and vice versa
4035 -- Inherit debug info flag to allow debugging the wrapper
4044 -- Local Variables
4049 -- Start of processing for Add_Indirect_Call_Wrapper
4051 begin
4062 -- We cannot defer the analysis of this ICW wrapper when it is
4063 -- built as a consequence of building its partner DTW wrapper
4064 -- at the freezing point of the tagged type.
4071 ---------------------
4072 -- Add_Call_Helper --
4073 ---------------------
4075 procedure Add_Call_Helper
4078 is
4080 -- Build the body of a call helper
4083 -- Build the declaration of a call helper
4086 -- Build the specification of the helper
4088 ----------------------------
4089 -- Build_Call_Helper_Body --
4090 ----------------------------
4094 function Copy_And_Update_References
4096 -- Copy Expr updating references to formals of Helper_Id; update
4097 -- also references to loop identifiers of quantified expressions.
4099 --------------------------------
4100 -- Copy_And_Update_References --
4101 --------------------------------
4103 function Copy_And_Update_References
4105 is
4109 -- Traverse Expr and append to Assoc_List the mapping of loop
4110 -- identifers of quantified expressions with its new copy.
4112 ------------------------------------------------
4113 -- Map_Quantified_Expression_Loop_Identifiers --
4114 ------------------------------------------------
4118 -- Append to Assoc_List the mapping of loop identifers of
4119 -- quantified expressions with its new copy.
4121 --------------------
4122 -- Map_Loop_Param --
4123 --------------------
4126 is
4127 begin
4130 then
4131 declare
4134 begin
4146 begin
4150 -- Local variables
4155 -- Start of processing for Copy_And_Update_References
4157 begin
4166 Map_Quantified_Expression_Loop_Identifiers;
4171 -- Local variables
4180 -- Start of processing for Build_Call_Helper_Body
4182 begin
4193 -- Evaluate the expression if we are building a dynamic helper
4194 -- or we are building a static helper for a non-abstract tagged
4195 -- type; for abstract tagged types the helper just returns True
4196 -- since it is called by the indirect call wrapper (ICW).
4197 and then
4198 (Is_Dynamic
4199 or else
4201 then
4202 Return_Expr :=
4205 -- When the subprogram is compiled with assertions disabled the
4206 -- helper just returns True; done to avoid reporting errors at
4207 -- link time since a unit may be compiled with assertions disabled
4208 -- and another (which depends on it) compiled with assertions
4209 -- enabled.
4211 else
4217 Body_Stmts :=
4222 Helper_Body :=
4231 ----------------------------
4232 -- Build_Call_Helper_Decl --
4233 ----------------------------
4239 begin
4248 -- Inherit debug info flag from Subp_Id to Helper_Id to allow
4249 -- debugging of the helper subprogram.
4258 ----------------------------
4259 -- Build_Call_Helper_Spec --
4260 ----------------------------
4263 is
4273 begin
4274 -- Create a list of formal parameters with the same types as the
4275 -- original subprogram but changing the controlling formal.
4284 = N_Access_Definition
4285 then
4286 Param_Type :=
4293 else
4294 Param_Type :=
4299 else
4305 Defining_Identifier =>
4309 Null_Exclusion_Present => Null_Exclusion_Present
4317 return
4321 Result_Definition =>
4325 -- Local variables
4330 -- Start of processing for Add_Call_Helper
4332 begin
4336 -- Add the helper to the freezing actions of the tagged type
4344 -- If this helper is built as part of building the DTW at the
4345 -- freezing point of its tagged type then we cannot defer
4346 -- its analysis.
4354 -----------------------
4355 -- Build_Unique_Name --
4356 -----------------------
4359 begin
4360 -- Append the homonym number. Strip the leading space character in
4361 -- the image of natural numbers. Also do not add the homonym value
4362 -- of 1.
4365 declare
4368 begin
4377 -- Local variables
4381 -- Start of processing for Make_Class_Precondition_Subps
4383 begin
4386 then
4387 pragma Assert
4393 -- Build and add to the freezing actions of Tagged_Type its
4394 -- dynamic-call helper.
4396 Helper_Id :=
4401 -- Link original subprogram to helper and vice versa
4409 then
4410 -- Build and add to the freezing actions of Tagged_Type its
4411 -- static-call helper.
4413 Helper_Id :=
4419 -- Link original subprogram to helper and vice versa
4424 -- Build and add to the freezing actions of Tagged_Type the
4425 -- indirect-call wrapper.
4427 Add_Indirect_Call_Wrapper;
4432 ----------------------------------------------
4433 -- Process_Class_Conditions_At_Freeze_Point --
4434 ----------------------------------------------
4439 -- Check class-wide pre/postconditions of Spec_Id
4441 function Has_Class_Postconditions_Subprogram
4443 -- Return True if Spec_Id has (or inherits) a postconditions subprogram.
4445 function Has_Class_Preconditions_Subprogram
4447 -- Return True if Spec_Id has (or inherits) a preconditions subprogram.
4449 ----------------------------
4450 -- Check_Class_Conditions --
4451 ----------------------------
4456 begin
4461 Check_Class_Condition
4466 | Class_Precondition);
4471 -----------------------------------------
4472 -- Has_Class_Postconditions_Subprogram --
4473 -----------------------------------------
4475 function Has_Class_Postconditions_Subprogram
4477 begin
4478 return
4479 Present (Nearest_Class_Condition_Subprogram
4482 or else
4483 Present (Nearest_Class_Condition_Subprogram
4488 ----------------------------------------
4489 -- Has_Class_Preconditions_Subprogram --
4490 ----------------------------------------
4492 function Has_Class_Preconditions_Subprogram
4494 begin
4495 return
4496 Present (Nearest_Class_Condition_Subprogram
4499 or else
4500 Present (Nearest_Class_Condition_Subprogram
4505 -- Local variables
4510 -- Start of processing for Process_Class_Conditions_At_Freeze_Point
4512 begin
4518 then
4524 -- Handle wrapper of protected operation
4529 -- Check inherited class-wide conditions, excluding internal
4530 -- entities built for mapping of interface primitives.
4535 then
4544 ----------------------------
4545 -- Merge_Class_Conditions --
4546 ----------------------------
4551 -- Collect all inherited class-wide conditions of Spec_Id and merge
4552 -- them into one big condition.
4554 ----------------------------------
4555 -- Process_Inherited_Conditions --
4556 ----------------------------------
4563 function Inherit_Condition
4566 -- Inherit the class-wide condition from Par_Subp to Subp and adjust
4567 -- all the references to formals in the inherited condition.
4570 -- Merge two class-wide preconditions or postconditions (the former
4571 -- are merged using "or else", and the latter are merged using "and-
4572 -- then"). The changes are accumulated in parameter Into.
4575 -- Return True if the contract of subprogram Id has been processed
4577 -----------------------
4578 -- Inherit_Condition --
4579 -----------------------
4581 function Inherit_Condition
4584 is
4586 -- Used in assertion to check that Expr has no reference to the
4587 -- formals of Par_Subp.
4589 ---------------------
4590 -- Check_Condition --
4591 ---------------------
4597 -- Check occurrence of Par_Formal_Id
4599 ------------------
4600 -- Check_Entity --
4601 ------------------
4604 begin
4608 then
4617 -- Start of processing for Check_Condition
4619 begin
4633 -- Local variables
4640 begin
4649 -- Check that Parent field of all the nodes have their correct
4650 -- decoration; required because otherwise mapped nodes with
4651 -- wrong Parent field are left unmodified in the copied tree
4652 -- and cause reporting wrong errors at later stages.
4654 pragma Assert
4657 New_Condition :=
4658 New_Copy_Tree
4662 -- Ensure that the inherited condition has no reference to the
4663 -- formals of the parent subprogram.
4670 ----------------------
4671 -- Merge_Conditions --
4672 ----------------------
4676 -- Return the boolean expression argument of a condition while
4677 -- updating its parentheses count for the subsequent merge.
4679 --------------------
4680 -- Expression_Arg --
4681 --------------------
4684 begin
4692 -- Local variables
4698 -- Start of processing for Merge_Conditions
4700 begin
4703 -- Merge the two preconditions by "or else"-ing them
4705 when Ignored_Class_Precondition
4706 | Class_Precondition
4707 =>
4713 -- Merge the two postconditions by "and then"-ing them
4715 when Ignored_Class_Postcondition
4716 | Class_Postcondition
4717 =>
4725 ---------------
4726 -- Seen_Subp --
4727 ---------------
4730 begin
4740 -- Local variables
4748 -- Start of processing for Process_Inherited_Conditions
4750 begin
4753 -- Process parent primitives looking for nearest ancestor with
4754 -- class-wide conditions.
4761 then
4766 -- Wrappers of class-wide pre/postconditions reference the
4767 -- parent primitive that has the inherited contract and help
4768 -- us to climb fast.
4772 then
4778 then
4783 Cond := Inherit_Condition
4789 else
4793 Check_Class_Condition
4798 | Class_Precondition);
4799 Build_Class_Wide_Expression
4805 -- We are done as soon as we process the nearest ancestor
4812 -- Process the contract of interface primitives not covered by
4813 -- the nearest ancestor.
4826 then
4829 Cond := Inherit_Condition
4833 Check_Class_Condition
4838 | Class_Precondition);
4839 Build_Class_Wide_Expression
4847 else
4857 -- Local variables
4861 -- Start of processing for Merge_Class_Conditions
4863 begin
4867 -- If this subprogram has class-wide conditions then preanalyze
4868 -- them before processing inherited conditions since conditions
4869 -- are checked and merged from right to left.
4877 -- Preanalyze merged inherited conditions
4886 ---------------------------------
4887 -- Preanalyze_Class_Conditions --
4888 ---------------------------------
4893 begin
4903 --------------------------
4904 -- Preanalyze_Condition --
4905 --------------------------
4907 procedure Preanalyze_Condition
4910 is
4912 -- Clear unset references on formals of Subp since preanalysis
4913 -- occurs in a place unrelated to the actual code.
4916 -- Traverse Expr and clear the Controlling_Argument of calls to
4917 -- nonabstract functions.
4920 -- Traverse Expr searching for dispatching calls to functions whose
4921 -- original node was a selected component, and replace them with
4922 -- their original node.
4924 ----------------------------
4925 -- Clear_Unset_References --
4926 ----------------------------
4931 begin
4938 ----------------------------------
4939 -- Remove_Controlling_Arguments --
4940 ----------------------------------
4944 -- Reset the Controlling_Argument of calls to nonabstract
4945 -- function calls.
4947 ---------------------
4948 -- Remove_Ctrl_Arg --
4949 ---------------------
4952 begin
4956 then
4964 begin
4968 -----------------------------------------
4969 -- Restore_Original_Selected_Component --
4970 -----------------------------------------
4976 -- Traverse the subtree of N fixing the Parent field of all the
4977 -- nodes.
4980 -- Process dispatching calls to functions whose original node was
4981 -- a selected component, and replace them with their original
4982 -- node. Restored nodes are stored in the Restored_Nodes_List
4983 -- to fix the parent fields of their subtrees in a separate
4984 -- tree traversal.
4986 -----------------
4987 -- Fix_Parents --
4988 -----------------
4992 function Fix_Parent
4995 -- Process a single node
4997 ----------------
4998 -- Fix_Parent --
4999 ----------------
5001 function Fix_Parent
5004 is
5007 begin
5011 else
5022 begin
5026 ------------------
5027 -- Restore_Node --
5028 ------------------
5031 begin
5035 then
5039 -- Save the restored node in the Restored_Nodes_List to fix
5040 -- the parent fields of their subtrees in a separate tree
5041 -- traversal.
5051 -- Start of processing for Restore_Original_Selected_Component
5053 begin
5056 -- After restoring the original node we must fix the decoration
5057 -- of the Parent attribute to ensure tree consistency; required
5058 -- because when the class-wide condition is inherited, calls to
5059 -- New_Copy_Tree will perform copies of this subtree, and formal
5060 -- occurrences with wrong Parent field cannot be mapped to the
5061 -- new formals.
5064 declare
5067 begin
5076 -- Start of processing for Preanalyze_Condition
5078 begin
5089 End_Scope;
5091 -- If this preanalyzed condition has occurrences of dispatching calls
5092 -- using the Object.Operation notation, during preanalysis such calls
5093 -- are rewritten as dispatching function calls; if at later stages
5094 -- this condition is inherited we must have restored the original
5095 -- selected-component node to ensure that the preanalysis of the
5096 -- inherited condition rewrites these dispatching calls in the
5097 -- correct context to avoid reporting spurious errors.
5099 Restore_Original_Selected_Component;
5101 -- Traverse Expr and clear the Controlling_Argument of calls to
5102 -- nonabstract functions. Required since the preanalyzed condition
5103 -- is not yet installed on its definite context and will be cloned
5104 -- and extended in derivations with additional conditions.
5106 Remove_Controlling_Arguments;
5108 -- Clear also attribute Unset_Reference; again because preanalysis
5109 -- occurs in a place unrelated to the actual code.
5111 Clear_Unset_References;
5114 ----------------------------------------
5115 -- Save_Global_References_In_Contract --
5116 ----------------------------------------
5118 procedure Save_Global_References_In_Contract
5121 is
5123 -- Save all global references in contract-related source pragmas found
5124 -- in the list, starting with pragma First_Prag.
5126 ------------------------------------
5127 -- Save_Global_References_In_List --
5128 ------------------------------------
5133 begin
5143 -- Local variables
5147 -- Start of processing for Save_Global_References_In_Contract
5149 begin
5150 -- The entity of the analyzed generic copy must be on the scope stack
5151 -- to ensure proper detection of global references.
5157 then
5167 Pop_Scope;
5170 -------------------------
5171 -- Set_Class_Condition --
5172 -------------------------
5174 procedure Set_Class_Condition
5178 is
5179 begin