| blob | e26b28d832c8b8e0ff6ea2408449c9b29df68463 |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2016, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
54 procedure Analyze_Contracts
58 -- Subsidiary to the one parameter version of Analyze_Contracts and routine
59 -- Analyze_Previous_Constracts. Analyze the contracts of all constructs in
60 -- the list L. If Freeze_Nod is set, then the analysis stops when the node
61 -- is reached. Freeze_Id is the entity of some related context which caused
62 -- freezing up to node Freeze_Nod.
65 -- Expand the contracts of a subprogram body and its correspoding spec (if
66 -- any). This routine processes all [refined] pre- and postconditions as
67 -- well as Contract_Cases, invariants and predicates. Body_Id denotes the
68 -- entity of the subprogram body.
70 -----------------------
71 -- Add_Contract_Item --
72 -----------------------
78 -- Prepend Prag to the list of classifications
81 -- Prepend Prag to the list of contract and test cases
84 -- Prepend Prag to the list of pre- and postconditions
86 ------------------------
87 -- Add_Classification --
88 ------------------------
91 begin
96 ----------------------------
97 -- Add_Contract_Test_Case --
98 ----------------------------
101 begin
106 ----------------------------
107 -- Add_Pre_Post_Condition --
108 ----------------------------
111 begin
116 -- Local variables
120 -- Start of processing for Add_Contract_Item
122 begin
123 -- A contract must contain only pragmas
128 -- Create a new contract when adding the first item
135 -- Constants, the applicable pragmas are:
136 -- Part_Of
140 Add_Classification;
142 -- The pragma is not a proper contract item
144 else
148 -- Entry bodies, the applicable pragmas are:
149 -- Refined_Depends
150 -- Refined_Global
151 -- Refined_Post
155 Add_Classification;
158 Add_Pre_Post_Condition;
160 -- The pragma is not a proper contract item
162 else
166 -- Entry or subprogram declarations, the applicable pragmas are:
167 -- Attach_Handler
168 -- Contract_Cases
169 -- Depends
170 -- Extensions_Visible
171 -- Global
172 -- Interrupt_Handler
173 -- Postcondition
174 -- Precondition
175 -- Test_Case
176 -- Volatile_Function
180 E_Generic_Function,
181 E_Generic_Procedure,
182 E_Procedure)
183 then
186 then
187 Add_Classification;
190 Name_Extensions_Visible,
191 Name_Global)
192 then
193 Add_Classification;
197 then
198 Add_Classification;
201 Add_Contract_Test_Case;
204 Add_Pre_Post_Condition;
206 -- The pragma is not a proper contract item
208 else
212 -- Packages or instantiations, the applicable pragmas are:
213 -- Abstract_States
214 -- Initial_Condition
215 -- Initializes
216 -- Part_Of (instantiation only)
220 Name_Initial_Condition,
221 Name_Initializes)
222 then
223 Add_Classification;
225 -- Indicator Part_Of must be associated with a package instantiation
228 Add_Classification;
230 -- The pragma is not a proper contract item
232 else
236 -- Package bodies, the applicable pragmas are:
237 -- Refined_States
241 Add_Classification;
243 -- The pragma is not a proper contract item
245 else
249 -- Protected units, the applicable pragmas are:
250 -- Part_Of
254 Add_Classification;
256 -- The pragma is not a proper contract item
258 else
262 -- Subprogram bodies, the applicable pragmas are:
263 -- Postcondition
264 -- Precondition
265 -- Refined_Depends
266 -- Refined_Global
267 -- Refined_Post
271 Add_Classification;
274 Name_Precondition,
275 Name_Refined_Post)
276 then
277 Add_Pre_Post_Condition;
279 -- The pragma is not a proper contract item
281 else
285 -- Task bodies, the applicable pragmas are:
286 -- Refined_Depends
287 -- Refined_Global
291 Add_Classification;
293 -- The pragma is not a proper contract item
295 else
299 -- Task units, the applicable pragmas are:
300 -- Depends
301 -- Global
302 -- Part_Of
306 Add_Classification;
308 -- The pragma is not a proper contract item
310 else
314 -- Variables, the applicable pragmas are:
315 -- Async_Readers
316 -- Async_Writers
317 -- Constant_After_Elaboration
318 -- Depends
319 -- Effective_Reads
320 -- Effective_Writes
321 -- Global
322 -- Part_Of
326 Name_Async_Writers,
327 Name_Constant_After_Elaboration,
328 Name_Depends,
329 Name_Effective_Reads,
330 Name_Effective_Writes,
331 Name_Global,
332 Name_Part_Of)
333 then
334 Add_Classification;
336 -- The pragma is not a proper contract item
338 else
344 -----------------------
345 -- Analyze_Contracts --
346 -----------------------
349 begin
353 procedure Analyze_Contracts
357 is
360 begin
364 -- The caller requests that the traversal stops at a particular node
365 -- that causes contract "freezing".
371 -- Entry or subprogram declarations
374 N_Entry_Declaration,
375 N_Generic_Subprogram_Declaration,
376 N_Subprogram_Declaration)
377 then
378 Analyze_Entry_Or_Subprogram_Contract
382 -- Entry or subprogram bodies
387 -- Objects
390 Analyze_Object_Contract
394 -- Protected untis
397 N_Single_Protected_Declaration)
398 then
401 -- Subprogram body stubs
406 -- Task units
409 N_Task_Type_Declaration)
410 then
413 -- For type declarations, we need to do the pre-analysis of
414 -- Iterable aspect specifications.
415 -- Other type aspects need to be resolved here???
419 then
420 declare
423 begin
434 -----------------------------------------------
435 -- Analyze_Entry_Or_Subprogram_Body_Contract --
436 -----------------------------------------------
444 begin
445 -- When a subprogram body declaration is illegal, its defining entity is
446 -- left unanalyzed. There is nothing left to do in this case because the
447 -- body lacks a contract, or even a proper Ekind.
452 -- Do not analyze a contract multiple times
457 else
462 -- Due to the timing of contract analysis, delayed pragmas may be
463 -- subject to the wrong SPARK_Mode, usually that of the enclosing
464 -- context. To remedy this, restore the original SPARK_Mode of the
465 -- related subprogram body.
469 -- Ensure that the contract cases or postconditions mention 'Result or
470 -- define a post-state.
474 -- A stand-alone nonvolatile function body cannot have an effectively
475 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
476 -- check is relevant only when SPARK_Mode is on, as it is not a standard
477 -- legality rule. The check is performed here because Volatile_Function
478 -- is processed after the analysis of the related subprogram body.
483 then
487 -- Restore the SPARK_Mode of the enclosing context after all delayed
488 -- pragmas have been analyzed.
492 -- Capture all global references in a generic subprogram body now that
493 -- the contract has been analyzed.
496 Save_Global_References_In_Contract
501 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
502 -- invariants and predicates associated with body and its spec. Do not
503 -- expand the contract of subprogram body stubs.
510 ------------------------------------------
511 -- Analyze_Entry_Or_Subprogram_Contract --
512 ------------------------------------------
514 procedure Analyze_Entry_Or_Subprogram_Contract
517 is
523 and then not ASIS_Mode
532 begin
533 -- Do not analyze a contract multiple times
538 else
543 -- Due to the timing of contract analysis, delayed pragmas may be
544 -- subject to the wrong SPARK_Mode, usually that of the enclosing
545 -- context. To remedy this, restore the original SPARK_Mode of the
546 -- related subprogram body.
550 -- All subprograms carry a contract, but for some it is not significant
551 -- and should not be processed.
558 -- Do not analyze the pre/postconditions of an entry declaration
559 -- unless annotating the original tree for ASIS or GNATprove. The
560 -- real analysis occurs when the pre/postconditons are relocated to
561 -- the contract wrapper procedure (see Build_Contract_Wrapper).
566 -- Otherwise analyze the pre/postconditions
568 else
576 -- Analyze contract-cases and test-cases
584 -- Do not analyze the contract cases of an entry declaration
585 -- unless annotating the original tree for ASIS or GNATprove.
586 -- The real analysis occurs when the contract cases are moved
587 -- to the contract wrapper procedure (Build_Contract_Wrapper).
592 -- Otherwise analyze the contract cases
594 else
597 else
605 -- Analyze classification pragmas
621 -- Analyze Global first, as Depends may mention items classified in
622 -- the global categorization.
628 -- Depends must be analyzed after Global in order to see the modes of
629 -- all global items.
635 -- Ensure that the contract cases or postconditions mention 'Result
636 -- or define a post-state.
641 -- A nonvolatile function cannot have an effectively volatile formal
642 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
643 -- only when SPARK_Mode is on, as it is not a standard legality rule.
644 -- The check is performed here because pragma Volatile_Function is
645 -- processed after the analysis of the related subprogram declaration.
650 then
654 -- Restore the SPARK_Mode of the enclosing context after all delayed
655 -- pragmas have been analyzed.
659 -- Capture all global references in a generic subprogram now that the
660 -- contract has been analyzed.
663 Save_Global_References_In_Contract
669 -----------------------------
670 -- Analyze_Object_Contract --
671 -----------------------------
673 procedure Analyze_Object_Contract
676 is
689 begin
690 -- The loop parameter in an element iterator over a formal container
691 -- is declared with an object declaration, but no contracts apply.
697 -- Do not analyze a contract multiple times
704 else
709 -- The anonymous object created for a single concurrent type inherits
710 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
711 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
712 -- of the enclosing context. To remedy this, restore the original mode
713 -- of the related anonymous object.
717 then
722 -- Constant-related checks
726 -- Analyze indicator Part_Of
730 -- Check whether the lack of indicator Part_Of agrees with the
731 -- placement of the constant with respect to the state space.
737 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
738 -- This check is relevant only when SPARK_Mode is on, as it is not
739 -- a standard Ada legality rule. Internally-generated constants that
740 -- map generic formals to actuals in instantiations are allowed to
741 -- be volatile.
747 then
751 -- Variable-related checks
755 -- Analyze all external properties
785 -- Verify the mutual interaction of the various external properties
791 -- The anonymous object created for a single concurrent type carries
792 -- pragmas Depends and Globat of the type.
796 -- Analyze Global first, as Depends may mention items classified
797 -- in the global categorization.
805 -- Depends must be analyzed after Global in order to see the modes
806 -- of all global items.
817 -- Analyze indicator Part_Of
822 -- The variable is a constituent of a single protected/task type
823 -- and behaves as a component of the type. Verify that references
824 -- to the variable occur within the definition or body of the type
825 -- (SPARK RM 9.3).
828 and then Is_Single_Concurrent_Object
831 then
839 -- Otherwise check whether the lack of indicator Part_Of agrees with
840 -- the placement of the variable with respect to the state space.
842 else
846 -- The following checks are relevant only when SPARK_Mode is on, as
847 -- they are not standard Ada legality rules. Internally generated
848 -- temporaries are ignored.
853 -- The declaration of an effectively volatile object must
854 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
857 Error_Msg_N
859 Obj_Id);
861 -- An object of a discriminated type cannot be effectively
862 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
866 then
867 Error_Msg_N
870 -- An object of a tagged type cannot be effectively volatile
871 -- (SPARK RM C.6(5)).
877 -- The object is not effectively volatile
879 else
880 -- A non-effectively volatile object cannot have effectively
881 -- volatile components (SPARK RM 7.1.3(6)).
885 then
886 Error_Msg_N
888 Obj_Id);
894 -- Common checks
898 -- A Ghost object cannot be of a type that yields a synchronized
899 -- object (SPARK RM 6.9(19)).
904 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
905 -- SPARK RM 6.9(19)).
910 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
911 -- One exception to this is the object that represents the dispatch
912 -- table of a Ghost tagged type, as the symbol needs to be exported.
922 -- Restore the SPARK_Mode of the enclosing context after all delayed
923 -- pragmas have been analyzed.
930 -----------------------------------
931 -- Analyze_Package_Body_Contract --
932 -----------------------------------
934 procedure Analyze_Package_Body_Contract
937 is
944 begin
945 -- Do not analyze a contract multiple times
950 else
955 -- Due to the timing of contract analysis, delayed pragmas may be
956 -- subject to the wrong SPARK_Mode, usually that of the enclosing
957 -- context. To remedy this, restore the original SPARK_Mode of the
958 -- related package body.
964 -- The analysis of pragma Refined_State detects whether the spec has
965 -- abstract states available for refinement.
971 -- Restore the SPARK_Mode of the enclosing context after all delayed
972 -- pragmas have been analyzed.
976 -- Capture all global references in a generic package body now that the
977 -- contract has been analyzed.
980 Save_Global_References_In_Contract
986 ------------------------------
987 -- Analyze_Package_Contract --
988 ------------------------------
999 begin
1000 -- Do not analyze a contract multiple times
1005 else
1010 -- Due to the timing of contract analysis, delayed pragmas may be
1011 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1012 -- context. To remedy this, restore the original SPARK_Mode of the
1013 -- related package.
1019 -- Locate and store pragmas Initial_Condition and Initializes, since
1020 -- their order of analysis matters.
1036 -- Analyze the initialization-related pragmas. Initializes must come
1037 -- before Initial_Condition due to item dependencies.
1048 -- Check whether the lack of indicator Part_Of agrees with the placement
1049 -- of the package instantiation with respect to the state space.
1059 -- Restore the SPARK_Mode of the enclosing context after all delayed
1060 -- pragmas have been analyzed.
1064 -- Capture all global references in a generic package now that the
1065 -- contract has been analyzed.
1068 Save_Global_References_In_Contract
1074 --------------------------------
1075 -- Analyze_Previous_Contracts --
1076 --------------------------------
1082 begin
1083 -- A body that is in the process of being inlined appears from source,
1084 -- but carries name _parent. Such a body does not cause "freezing" of
1085 -- contracts.
1091 -- Climb the parent chain looking for an enclosing package body. Do not
1092 -- use the scope stack, as a body uses the entity of its corresponding
1093 -- spec.
1098 Analyze_Package_Body_Contract
1108 -- Analyze the contracts of all eligible construct up to the body which
1109 -- caused the "freezing".
1112 Analyze_Contracts
1119 --------------------------------
1120 -- Analyze_Protected_Contract --
1121 --------------------------------
1126 begin
1127 -- Do not analyze a contract multiple times
1132 else
1138 -------------------------------------------
1139 -- Analyze_Subprogram_Body_Stub_Contract --
1140 -------------------------------------------
1146 begin
1147 -- A subprogram body stub may act as its own spec or as the completion
1148 -- of a previous declaration. Depending on the context, the contract of
1149 -- the stub may contain two sets of pragmas.
1151 -- The stub is a completion, the applicable pragmas are:
1152 -- Refined_Depends
1153 -- Refined_Global
1158 -- The stub acts as its own spec, the applicable pragmas are:
1159 -- Contract_Cases
1160 -- Depends
1161 -- Global
1162 -- Postcondition
1163 -- Precondition
1164 -- Test_Case
1166 else
1171 ---------------------------
1172 -- Analyze_Task_Contract --
1173 ---------------------------
1180 begin
1181 -- Do not analyze a contract multiple times
1186 else
1191 -- Due to the timing of contract analysis, delayed pragmas may be
1192 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1193 -- context. To remedy this, restore the original SPARK_Mode of the
1194 -- related task unit.
1198 -- Analyze Global first, as Depends may mention items classified in the
1199 -- global categorization.
1207 -- Depends must be analyzed after Global in order to see the modes of
1208 -- all global items.
1216 -- Restore the SPARK_Mode of the enclosing context after all delayed
1217 -- pragmas have been analyzed.
1222 -----------------------------
1223 -- Create_Generic_Contract --
1224 -----------------------------
1231 -- Add a single contract-related source pragma Prag to the contract of
1232 -- generic template Templ_Id.
1234 ---------------------------------
1235 -- Add_Generic_Contract_Pragma --
1236 ---------------------------------
1241 begin
1242 -- Mark the pragma to prevent the premature capture of global
1243 -- references when capturing global references of the context
1244 -- (see Save_References_In_Pragma).
1248 -- Pragmas that apply to a generic subprogram declaration are not
1249 -- part of the semantic structure of the generic template:
1251 -- generic
1252 -- procedure Example (Formal : Integer);
1253 -- pragma Precondition (Formal > 0);
1255 -- Create a generic template for such pragmas and link the template
1256 -- of the pragma with the generic template.
1259 Rewrite
1266 -- Otherwise link the pragma with the generic template
1268 else
1273 -- Local variables
1278 -- Start of processing for Create_Generic_Contract
1280 begin
1281 -- A generic package declaration carries contract-related source pragmas
1282 -- in its visible declarations.
1291 -- A generic package body carries contract-related source pragmas in its
1292 -- declarations.
1301 -- Generic subprogram declaration
1306 else
1310 -- When the generic subprogram acts as a compilation unit, inspect
1311 -- the Pragmas_After list for contract-related source pragmas.
1316 then
1320 -- Otherwise inspect the successive declarations for contract-related
1321 -- source pragmas.
1323 else
1327 -- A generic subprogram body carries contract-related source pragmas in
1328 -- its declarations.
1338 -- Inspect the relevant declarations looking for contract-related source
1339 -- pragmas and add them to the contract of the generic unit.
1345 -- The source pragma is a contract annotation
1351 -- The region where a contract-related source pragma may appear
1352 -- ends with the first source non-pragma declaration or statement.
1354 else
1363 --------------------------------
1364 -- Expand_Subprogram_Contract --
1365 --------------------------------
1371 procedure Add_Invariant_And_Predicate_Checks
1375 -- Process the result of function Subp_Id (if applicable) and all its
1376 -- formals. Add invariant and predicate checks where applicable. The
1377 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1378 -- function, Result contains the entity of parameter _Result, to be
1379 -- used in the creation of procedure _Postconditions.
1382 -- Append a node to a list. If there is no list, create a new one. When
1383 -- the item denotes a pragma, it is added to the list only when it is
1384 -- enabled.
1386 procedure Build_Postconditions_Procedure
1390 -- Create the body of procedure _Postconditions which handles various
1391 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1392 -- of statements to be checked on exit. Parameter Result is the entity
1393 -- of parameter _Result when Subp_Id denotes a function.
1396 -- Process pragma Contract_Cases. This routine prepends items to the
1397 -- body declarations and appends items to list Stmts.
1400 -- Collect all [inherited] spec and body postconditions and accumulate
1401 -- their pragma Check equivalents in list Stmts.
1404 -- Collect all [inherited] spec and body preconditions and prepend their
1405 -- pragma Check equivalents to the declarations of the body.
1407 ----------------------------------------
1408 -- Add_Invariant_And_Predicate_Checks --
1409 ----------------------------------------
1411 procedure Add_Invariant_And_Predicate_Checks
1415 is
1417 -- Id denotes the return value of a function or a formal parameter.
1418 -- Add an invariant check if the type of Id is access to a type with
1419 -- invariants. The routine appends the generated code to Stmts.
1422 -- Determine whether type Typ can benefit from invariant checks. To
1423 -- qualify, the type must have a non-null invariant procedure and
1424 -- subprogram Subp_Id must appear visible from the point of view of
1425 -- the type.
1427 ---------------------------------
1428 -- Add_Invariant_Access_Checks --
1429 ---------------------------------
1436 begin
1443 Ref :=
1448 -- Generate:
1449 -- if <Id> /= null then
1450 -- <invariant_call (<Ref>)>
1451 -- end if;
1453 Append_Enabled_Item
1456 Condition =>
1467 -------------------------
1468 -- Invariant_Checks_OK --
1469 -------------------------
1473 -- Determine whether type Typ has public visibility of subprogram
1474 -- Subp_Id.
1476 -----------------------------------------
1477 -- Has_Public_Visibility_Of_Subprogram --
1478 -----------------------------------------
1483 begin
1484 -- An Initialization procedure must be considered visible even
1485 -- though it is internally generated.
1493 -- Internally generated code is never publicly visible except
1494 -- for a subprogram that is the implementation of an expression
1495 -- function. In that case the visibility is determined by the
1496 -- last check.
1499 and then
1501 or else not
1503 then
1506 -- Determine whether the subprogram is declared in the visible
1507 -- declarations of the package containing the type.
1509 else
1511 Visible_Declarations
1516 -- Start of processing for Invariant_Checks_OK
1518 begin
1519 return
1526 -- Local variables
1529 -- Source location of subprogram body contract
1534 -- Start of processing for Add_Invariant_And_Predicate_Checks
1536 begin
1539 -- Process the result of a function
1544 -- Generate _Result which is used in procedure _Postconditions to
1545 -- verify the return value.
1550 -- Add an invariant check when the return type has invariants and
1551 -- the related function is visible to the outside.
1554 Append_Enabled_Item
1560 -- Add an invariant check when the return type is an access to a
1561 -- type with invariants.
1566 -- Add invariant and predicates for all formals that qualify
1574 then
1576 Append_Enabled_Item
1584 -- Note: we used to add predicate checks for OUT and IN OUT
1585 -- formals here, but that was misguided, since such checks are
1586 -- performed on the caller side, based on the predicate of the
1587 -- actual, rather than the predicate of the formal.
1595 -------------------------
1596 -- Append_Enabled_Item --
1597 -------------------------
1600 begin
1601 -- Do not chain ignored or disabled pragmas
1605 then
1608 -- Otherwise, add the item
1610 else
1615 -- If the pragma is a conjunct in a composite postcondition, it
1616 -- has been processed in reverse order. In the postcondition body
1617 -- it must appear before the others.
1622 then
1624 else
1630 ------------------------------------
1631 -- Build_Postconditions_Procedure --
1632 ------------------------------------
1634 procedure Build_Postconditions_Procedure
1638 is
1640 -- Insert node Stmt before the first source declaration of the
1641 -- related subprogram's body. If no such declaration exists, Stmt
1642 -- becomes the last declaration.
1644 --------------------------------------------
1645 -- Insert_Before_First_Source_Declaration --
1646 --------------------------------------------
1652 begin
1653 -- Inspect the declarations of the related subprogram body looking
1654 -- for the first source declaration.
1667 -- If we get there, then the subprogram body lacks any source
1668 -- declarations. The body of _Postconditions now acts as the
1669 -- last declaration.
1673 -- Ensure that the body has a declaration list
1675 else
1680 -- Local variables
1689 -- Start of processing for Build_Postconditions_Procedure
1691 begin
1692 -- Nothing to do if there are no actions to check on exit
1702 -- Force the front-end inlining of _Postconditions when generating C
1703 -- code, since its body may have references to itypes defined in the
1704 -- enclosing subprogram, which would cause problems for unnesting
1705 -- routines in the absence of inlining.
1713 -- The related subprogram is a function: create the specification of
1714 -- parameter _Result.
1720 Parameter_Type =>
1724 Proc_Spec :=
1731 -- Insert _Postconditions before the first source declaration of the
1732 -- body. This ensures that the body will not cause any premature
1733 -- freezing, as it may mention types:
1735 -- procedure Proc (Obj : Array_Typ) is
1736 -- procedure _postconditions is
1737 -- begin
1738 -- ... Obj ...
1739 -- end _postconditions;
1741 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
1742 -- begin
1744 -- In the example above, Obj is of type T but the incorrect placement
1745 -- of _Postconditions will cause a crash in gigi due to an out-of-
1746 -- order reference. The body of _Postconditions must be placed after
1747 -- the declaration of Temp to preserve correct visibility.
1752 -- Set an explicit End_Label to override the sloc of the implicit
1753 -- RETURN statement, and prevent it from inheriting the sloc of one
1754 -- the postconditions: this would cause confusing debug info to be
1755 -- produced, interfering with coverage-analysis tools.
1757 Proc_Bod :=
1759 Specification =>
1762 Handled_Statement_Sequence =>
1770 ----------------------------
1771 -- Process_Contract_Cases --
1772 ----------------------------
1776 -- Process pragma Contract_Cases for subprogram Subp_Id
1778 --------------------------------
1779 -- Process_Contract_Cases_For --
1780 --------------------------------
1786 begin
1791 Expand_Pragma_Contract_Cases
1803 -- Start of processing for Process_Contract_Cases
1805 begin
1813 ----------------------------
1814 -- Process_Postconditions --
1815 ----------------------------
1819 -- Collect all [refined] postconditions of a specific kind denoted
1820 -- by Post_Nam that belong to the body, and generate pragma Check
1821 -- equivalents in list Stmts.
1824 -- Collect all [inherited] postconditions of the spec, and generate
1825 -- pragma Check equivalents in list Stmts.
1827 ---------------------------------
1828 -- Process_Body_Postconditions --
1829 ---------------------------------
1837 begin
1838 -- Process the contract
1844 Append_Enabled_Item
1853 -- The subprogram body being processed is actually the proper body
1854 -- of a stub with a corresponding spec. The subprogram stub may
1855 -- carry a postcondition pragma, in which case it must be taken
1856 -- into account. The pragma appears after the stub.
1862 -- Note that non-matching pragmas are skipped
1866 Append_Enabled_Item
1871 -- Skip internally generated code
1876 -- Postcondition pragmas are usually grouped together. There
1877 -- is no need to inspect the whole declarative list.
1879 else
1888 ---------------------------------
1889 -- Process_Spec_Postconditions --
1890 ---------------------------------
1899 begin
1900 -- Process the contract
1908 Append_Enabled_Item
1917 -- Process the contracts of all inherited subprograms, looking for
1918 -- class-wide postconditions.
1929 then
1930 Append_Enabled_Item
1932 Build_Pragma_Check_Equivalent
1945 -- Start of processing for Process_Postconditions
1947 begin
1948 -- The processing of postconditions is done in reverse order (body
1949 -- first) to ensure the following arrangement:
1951 -- <refined postconditions from body>
1952 -- <postconditions from body>
1953 -- <postconditions from spec>
1954 -- <inherited postconditions>
1960 Process_Spec_Postconditions;
1964 ---------------------------
1965 -- Process_Preconditions --
1966 ---------------------------
1970 -- The sole [inherited] class-wide precondition pragma that applies
1971 -- to the subprogram.
1974 -- The insertion node after which all pragma Check equivalents are
1975 -- inserted.
1978 -- Determine whether arbitrary declaration Decl denotes a renaming of
1979 -- a discriminant or protection field _object.
1982 -- Merge two class-wide preconditions by "or else"-ing them. The
1983 -- changes are accumulated in parameter Into. Update the error
1984 -- message of Into.
1987 -- Prepend a single item to the declarations of the subprogram body
1990 -- Save a class-wide precondition into Class_Pre, or prepend a normal
1991 -- precondition to the declarations of the body and analyze it.
1994 -- Collect all inherited class-wide preconditions and merge them into
1995 -- one big precondition to be evaluated as pragma Check.
1998 -- Collect all preconditions of subprogram Subp_Id and prepend their
1999 -- pragma Check equivalents to the declarations of the body.
2001 --------------------------
2002 -- Is_Prologue_Renaming --
2003 --------------------------
2011 begin
2020 -- A discriminant renaming appears as
2021 -- Discr : constant ... := Prefix.Discr;
2027 then
2030 -- A protection field renaming appears as
2031 -- Prot : ... := _object._object;
2038 then
2047 -------------------------
2048 -- Merge_Preconditions --
2049 -------------------------
2053 -- Return the boolean expression argument of a precondition while
2054 -- updating its parentheses count for the subsequent merge.
2057 -- Return the message argument of a precondition
2059 --------------------
2060 -- Expression_Arg --
2061 --------------------
2067 begin
2075 -----------------
2076 -- Message_Arg --
2077 -----------------
2081 begin
2085 -- Local variables
2093 -- Start of processing for Merge_Preconditions
2095 begin
2096 -- Merge the two preconditions by "or else"-ing them
2103 -- Merge the two error messages to produce a single message of the
2104 -- form:
2106 -- failed precondition from ...
2107 -- also failed inherited precondition from ...
2119 ----------------------
2120 -- Prepend_To_Decls --
2121 ----------------------
2126 begin
2127 -- Ensure that the body has a declarative list
2137 ------------------------------
2138 -- Prepend_To_Decls_Or_Save --
2139 ------------------------------
2144 begin
2147 -- Save the sole class-wide precondition (if any) for the next
2148 -- step, where it will be merged with inherited preconditions.
2154 -- Accumulate the corresponding Check pragmas at the top of the
2155 -- declarations. Prepending the items ensures that they will be
2156 -- evaluated in their original order.
2158 else
2161 else
2169 -------------------------------------
2170 -- Process_Inherited_Preconditions --
2171 -------------------------------------
2181 begin
2182 -- Process the contracts of all inherited subprograms, looking for
2183 -- class-wide preconditions.
2194 then
2195 Check_Prag :=
2196 Build_Pragma_Check_Equivalent
2201 -- The spec of an inherited subprogram already yielded
2202 -- a class-wide precondition. Merge the existing
2203 -- precondition with the current one using "or else".
2207 else
2217 -- Add the merged class-wide preconditions
2225 -------------------------------
2226 -- Process_Preconditions_For --
2227 -------------------------------
2235 begin
2236 -- Process the contract
2249 -- The subprogram declaration being processed is actually a body
2250 -- stub. The stub may carry a precondition pragma, in which case
2251 -- it must be taken into account. The pragma appears after the
2252 -- stub.
2258 -- Inspect the declarations following the body stub
2263 -- Note that non-matching pragmas are skipped
2270 -- Skip internally generated code
2275 -- Preconditions are usually grouped together. There is no
2276 -- need to inspect the whole declarative list.
2278 else
2287 -- Local variables
2292 -- Start of processing for Process_Preconditions
2294 begin
2295 -- Find the proper insertion point for all pragma Check equivalents
2301 -- First source declaration terminates the search, because all
2302 -- preconditions must be evaluated prior to it, by definition.
2307 -- Certain internally generated object renamings such as those
2308 -- for discriminants and protection fields must be elaborated
2309 -- before the preconditions are evaluated, as their expressions
2310 -- may mention the discriminants.
2315 -- Otherwise the declaration does not come from source. This
2316 -- also terminates the search, because internal code may raise
2317 -- exceptions which should not preempt the preconditions.
2319 else
2327 -- The processing of preconditions is done in reverse order (body
2328 -- first), because each pragma Check equivalent is inserted at the
2329 -- top of the declarations. This ensures that the final order is
2330 -- consistent with following diagram:
2332 -- <inherited preconditions>
2333 -- <preconditions from spec>
2334 -- <preconditions from body>
2340 Process_Inherited_Preconditions;
2344 -- Local variables
2351 -- Start of processing for Expand_Subprogram_Contract
2353 begin
2354 -- Obtain the entity of the initial declaration
2358 else
2362 -- Do not perform expansion activity when it is not needed
2367 -- ASIS requires an unaltered tree
2372 -- GNATprove does not need the executable semantics of a contract
2377 -- The contract of a generic subprogram or one declared in a generic
2378 -- context is not expanded, as the corresponding instance will provide
2379 -- the executable semantics of the contract.
2384 -- All subprograms carry a contract, but for some it is not significant
2385 -- and should not be processed. This is a small optimization.
2390 -- The contract of an ignored Ghost subprogram does not need expansion,
2391 -- because the subprogram and all calls to it will be removed.
2397 -- Do not re-expand the same contract. This scenario occurs when a
2398 -- construct is rewritten into something else during its analysis
2399 -- (expression functions for instance).
2404 -- Otherwise mark the subprogram
2406 else
2410 -- Ensure that the formal parameters are visible when expanding all
2411 -- contract items.
2419 else
2424 -- The expansion of a subprogram contract involves the creation of Check
2425 -- pragmas to verify the contract assertions of the spec and body in a
2426 -- particular order. The order is as follows:
2428 -- function Example (...) return ... is
2429 -- procedure _Postconditions (...) is
2430 -- begin
2431 -- <refined postconditions from body>
2432 -- <postconditions from body>
2433 -- <postconditions from spec>
2434 -- <inherited postconditions>
2435 -- <contract case consequences>
2436 -- <invariant check of function result>
2437 -- <invariant and predicate checks of parameters>
2438 -- end _Postconditions;
2440 -- <inherited preconditions>
2441 -- <preconditions from spec>
2442 -- <preconditions from body>
2443 -- <contract case conditions>
2445 -- <source declarations>
2446 -- begin
2447 -- <source statements>
2449 -- _Preconditions (Result);
2450 -- return Result;
2451 -- end Example;
2453 -- Routine _Postconditions holds all contract assertions that must be
2454 -- verified on exit from the related subprogram.
2456 -- Step 1: Handle all preconditions. This action must come before the
2457 -- processing of pragma Contract_Cases because the pragma prepends items
2458 -- to the body declarations.
2460 Process_Preconditions;
2462 -- Step 2: Handle all postconditions. This action must come before the
2463 -- processing of pragma Contract_Cases because the pragma appends items
2464 -- to list Stmts.
2468 -- Step 3: Handle pragma Contract_Cases. This action must come before
2469 -- the processing of invariants and predicates because those append
2470 -- items to list Stmts.
2474 -- Step 4: Apply invariant and predicate checks on a function result and
2475 -- all formals. The resulting checks are accumulated in list Stmts.
2479 -- Step 5: Construct procedure _Postconditions
2484 End_Scope;
2488 ---------------------------------
2489 -- Inherit_Subprogram_Contract --
2490 ---------------------------------
2492 procedure Inherit_Subprogram_Contract
2495 is
2497 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
2498 -- Subp's contract.
2500 --------------------
2501 -- Inherit_Pragma --
2502 --------------------
2508 begin
2509 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
2510 -- chains, therefore the node must be replicated. The new pragma is
2511 -- flagged as inherited for distinction purposes.
2521 -- Start of processing for Inherit_Subprogram_Contract
2523 begin
2524 -- Inheritance is carried out only when both entities are subprograms
2525 -- with contracts.
2530 then
2535 -------------------------------------
2536 -- Instantiate_Subprogram_Contract --
2537 -------------------------------------
2541 -- Instantiate all contract-related source pragmas found in the list,
2542 -- starting with pragma First_Prag. Each instantiated pragma is added
2543 -- to list L.
2545 -------------------------
2546 -- Instantiate_Pragmas --
2547 -------------------------
2553 begin
2557 Inst_Prag :=
2568 -- Local variables
2572 -- Start of processing for Instantiate_Subprogram_Contract
2574 begin
2582 ----------------------------------------
2583 -- Save_Global_References_In_Contract --
2584 ----------------------------------------
2586 procedure Save_Global_References_In_Contract
2589 is
2591 -- Save all global references in contract-related source pragmas found
2592 -- in the list, starting with pragma First_Prag.
2594 ------------------------------------
2595 -- Save_Global_References_In_List --
2596 ------------------------------------
2601 begin
2612 -- Local variables
2616 -- Start of processing for Save_Global_References_In_Contract
2618 begin
2619 -- The entity of the analyzed generic copy must be on the scope stack
2620 -- to ensure proper detection of global references.
2626 then
2636 Pop_Scope;