| blob | eb73d0354720453f6f4d040ce363a7426f845279 |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2016, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
56 procedure Analyze_Contracts
60 -- Subsidiary to the one parameter version of Analyze_Contracts and routine
61 -- Analyze_Previous_Constracts. Analyze the contracts of all constructs in
62 -- the list L. If Freeze_Nod is set, then the analysis stops when the node
63 -- is reached. Freeze_Id is the entity of some related context which caused
64 -- freezing up to node Freeze_Nod.
67 -- (CodePeer): Subsidiary procedure to Analyze_Contracts which builds the
68 -- contract-only subprogram body of eligible subprograms found in L, adds
69 -- them to their corresponding list of declarations, and analyzes them.
72 -- Expand the contracts of a subprogram body and its correspoding spec (if
73 -- any). This routine processes all [refined] pre- and postconditions as
74 -- well as Contract_Cases, invariants and predicates. Body_Id denotes the
75 -- entity of the subprogram body.
77 -----------------------
78 -- Add_Contract_Item --
79 -----------------------
85 -- Prepend Prag to the list of classifications
88 -- Prepend Prag to the list of contract and test cases
91 -- Prepend Prag to the list of pre- and postconditions
93 ------------------------
94 -- Add_Classification --
95 ------------------------
98 begin
103 ----------------------------
104 -- Add_Contract_Test_Case --
105 ----------------------------
108 begin
113 ----------------------------
114 -- Add_Pre_Post_Condition --
115 ----------------------------
118 begin
123 -- Local variables
125 -- A contract must contain only pragmas
130 -- Start of processing for Add_Contract_Item
132 begin
133 -- Create a new contract when adding the first item
140 -- Constants, the applicable pragmas are:
141 -- Part_Of
145 Add_Classification;
147 -- The pragma is not a proper contract item
149 else
153 -- Entry bodies, the applicable pragmas are:
154 -- Refined_Depends
155 -- Refined_Global
156 -- Refined_Post
160 Add_Classification;
163 Add_Pre_Post_Condition;
165 -- The pragma is not a proper contract item
167 else
171 -- Entry or subprogram declarations, the applicable pragmas are:
172 -- Attach_Handler
173 -- Contract_Cases
174 -- Depends
175 -- Extensions_Visible
176 -- Global
177 -- Interrupt_Handler
178 -- Postcondition
179 -- Precondition
180 -- Test_Case
181 -- Volatile_Function
185 E_Generic_Function,
186 E_Generic_Procedure,
187 E_Procedure)
188 then
191 then
192 Add_Classification;
195 Name_Extensions_Visible,
196 Name_Global)
197 then
198 Add_Classification;
202 then
203 Add_Classification;
206 Add_Contract_Test_Case;
209 Add_Pre_Post_Condition;
211 -- The pragma is not a proper contract item
213 else
217 -- Packages or instantiations, the applicable pragmas are:
218 -- Abstract_States
219 -- Initial_Condition
220 -- Initializes
221 -- Part_Of (instantiation only)
225 Name_Initial_Condition,
226 Name_Initializes)
227 then
228 Add_Classification;
230 -- Indicator Part_Of must be associated with a package instantiation
233 Add_Classification;
235 -- The pragma is not a proper contract item
237 else
241 -- Package bodies, the applicable pragmas are:
242 -- Refined_States
246 Add_Classification;
248 -- The pragma is not a proper contract item
250 else
254 -- Protected units, the applicable pragmas are:
255 -- Part_Of
259 Add_Classification;
261 -- The pragma is not a proper contract item
263 else
267 -- Subprogram bodies, the applicable pragmas are:
268 -- Postcondition
269 -- Precondition
270 -- Refined_Depends
271 -- Refined_Global
272 -- Refined_Post
276 Add_Classification;
279 Name_Precondition,
280 Name_Refined_Post)
281 then
282 Add_Pre_Post_Condition;
284 -- The pragma is not a proper contract item
286 else
290 -- Task bodies, the applicable pragmas are:
291 -- Refined_Depends
292 -- Refined_Global
296 Add_Classification;
298 -- The pragma is not a proper contract item
300 else
304 -- Task units, the applicable pragmas are:
305 -- Depends
306 -- Global
307 -- Part_Of
311 Add_Classification;
313 -- The pragma is not a proper contract item
315 else
319 -- Variables, the applicable pragmas are:
320 -- Async_Readers
321 -- Async_Writers
322 -- Constant_After_Elaboration
323 -- Depends
324 -- Effective_Reads
325 -- Effective_Writes
326 -- Global
327 -- Part_Of
331 Name_Async_Writers,
332 Name_Constant_After_Elaboration,
333 Name_Depends,
334 Name_Effective_Reads,
335 Name_Effective_Writes,
336 Name_Global,
337 Name_Part_Of)
338 then
339 Add_Classification;
341 -- The pragma is not a proper contract item
343 else
349 -----------------------
350 -- Analyze_Contracts --
351 -----------------------
354 begin
362 procedure Analyze_Contracts
366 is
369 begin
373 -- The caller requests that the traversal stops at a particular node
374 -- that causes contract "freezing".
380 -- Entry or subprogram declarations
383 N_Entry_Declaration,
384 N_Generic_Subprogram_Declaration,
385 N_Subprogram_Declaration)
386 then
387 Analyze_Entry_Or_Subprogram_Contract
391 -- Entry or subprogram bodies
396 -- Objects
399 Analyze_Object_Contract
403 -- Protected units
406 N_Single_Protected_Declaration)
407 then
410 -- Subprogram body stubs
415 -- Task units
418 N_Task_Type_Declaration)
419 then
422 -- For type declarations, we need to do the pre-analysis of
423 -- Iterable aspect specifications.
424 -- Other type aspects need to be resolved here???
428 then
429 declare
432 begin
443 -----------------------------------------------
444 -- Analyze_Entry_Or_Subprogram_Body_Contract --
445 -----------------------------------------------
453 begin
454 -- When a subprogram body declaration is illegal, its defining entity is
455 -- left unanalyzed. There is nothing left to do in this case because the
456 -- body lacks a contract, or even a proper Ekind.
461 -- Do not analyze a contract multiple times
466 else
471 -- Due to the timing of contract analysis, delayed pragmas may be
472 -- subject to the wrong SPARK_Mode, usually that of the enclosing
473 -- context. To remedy this, restore the original SPARK_Mode of the
474 -- related subprogram body.
478 -- Ensure that the contract cases or postconditions mention 'Result or
479 -- define a post-state.
483 -- A stand-alone nonvolatile function body cannot have an effectively
484 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
485 -- check is relevant only when SPARK_Mode is on, as it is not a standard
486 -- legality rule. The check is performed here because Volatile_Function
487 -- is processed after the analysis of the related subprogram body.
492 then
496 -- Restore the SPARK_Mode of the enclosing context after all delayed
497 -- pragmas have been analyzed.
501 -- Capture all global references in a generic subprogram body now that
502 -- the contract has been analyzed.
505 Save_Global_References_In_Contract
510 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
511 -- invariants and predicates associated with body and its spec. Do not
512 -- expand the contract of subprogram body stubs.
519 ------------------------------------------
520 -- Analyze_Entry_Or_Subprogram_Contract --
521 ------------------------------------------
523 procedure Analyze_Entry_Or_Subprogram_Contract
526 is
532 and then not ASIS_Mode
541 begin
542 -- Do not analyze a contract multiple times
547 else
552 -- Due to the timing of contract analysis, delayed pragmas may be
553 -- subject to the wrong SPARK_Mode, usually that of the enclosing
554 -- context. To remedy this, restore the original SPARK_Mode of the
555 -- related subprogram body.
559 -- All subprograms carry a contract, but for some it is not significant
560 -- and should not be processed.
567 -- Do not analyze the pre/postconditions of an entry declaration
568 -- unless annotating the original tree for ASIS or GNATprove. The
569 -- real analysis occurs when the pre/postconditons are relocated to
570 -- the contract wrapper procedure (see Build_Contract_Wrapper).
575 -- Otherwise analyze the pre/postconditions
577 else
585 -- Analyze contract-cases and test-cases
593 -- Do not analyze the contract cases of an entry declaration
594 -- unless annotating the original tree for ASIS or GNATprove.
595 -- The real analysis occurs when the contract cases are moved
596 -- to the contract wrapper procedure (Build_Contract_Wrapper).
601 -- Otherwise analyze the contract cases
603 else
606 else
614 -- Analyze classification pragmas
630 -- Analyze Global first, as Depends may mention items classified in
631 -- the global categorization.
637 -- Depends must be analyzed after Global in order to see the modes of
638 -- all global items.
644 -- Ensure that the contract cases or postconditions mention 'Result
645 -- or define a post-state.
650 -- A nonvolatile function cannot have an effectively volatile formal
651 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
652 -- only when SPARK_Mode is on, as it is not a standard legality rule.
653 -- The check is performed here because pragma Volatile_Function is
654 -- processed after the analysis of the related subprogram declaration.
659 then
663 -- Restore the SPARK_Mode of the enclosing context after all delayed
664 -- pragmas have been analyzed.
668 -- Capture all global references in a generic subprogram now that the
669 -- contract has been analyzed.
672 Save_Global_References_In_Contract
678 -----------------------------
679 -- Analyze_Object_Contract --
680 -----------------------------
682 procedure Analyze_Object_Contract
685 is
698 begin
699 -- The loop parameter in an element iterator over a formal container
700 -- is declared with an object declaration, but no contracts apply.
706 -- Do not analyze a contract multiple times
713 else
718 -- The anonymous object created for a single concurrent type inherits
719 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
720 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
721 -- of the enclosing context. To remedy this, restore the original mode
722 -- of the related anonymous object.
726 then
731 -- Constant-related checks
735 -- Analyze indicator Part_Of
739 -- Check whether the lack of indicator Part_Of agrees with the
740 -- placement of the constant with respect to the state space.
746 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
747 -- This check is relevant only when SPARK_Mode is on, as it is not
748 -- a standard Ada legality rule. Internally-generated constants that
749 -- map generic formals to actuals in instantiations are allowed to
750 -- be volatile.
756 then
760 -- Variable-related checks
764 -- Analyze all external properties
794 -- Verify the mutual interaction of the various external properties
800 -- The anonymous object created for a single concurrent type carries
801 -- pragmas Depends and Globat of the type.
805 -- Analyze Global first, as Depends may mention items classified
806 -- in the global categorization.
814 -- Depends must be analyzed after Global in order to see the modes
815 -- of all global items.
826 -- Analyze indicator Part_Of
831 -- The variable is a constituent of a single protected/task type
832 -- and behaves as a component of the type. Verify that references
833 -- to the variable occur within the definition or body of the type
834 -- (SPARK RM 9.3).
837 and then Is_Single_Concurrent_Object
840 then
848 -- Otherwise check whether the lack of indicator Part_Of agrees with
849 -- the placement of the variable with respect to the state space.
851 else
855 -- The following checks are relevant only when SPARK_Mode is on, as
856 -- they are not standard Ada legality rules. Internally generated
857 -- temporaries are ignored.
862 -- The declaration of an effectively volatile object must
863 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
866 Error_Msg_N
868 Obj_Id);
870 -- An object of a discriminated type cannot be effectively
871 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
875 then
876 Error_Msg_N
879 -- An object of a tagged type cannot be effectively volatile
880 -- (SPARK RM C.6(5)).
886 -- The object is not effectively volatile
888 else
889 -- A non-effectively volatile object cannot have effectively
890 -- volatile components (SPARK RM 7.1.3(6)).
894 then
895 Error_Msg_N
897 Obj_Id);
903 -- Common checks
907 -- A Ghost object cannot be of a type that yields a synchronized
908 -- object (SPARK RM 6.9(19)).
913 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
914 -- SPARK RM 6.9(19)).
919 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
920 -- One exception to this is the object that represents the dispatch
921 -- table of a Ghost tagged type, as the symbol needs to be exported.
931 -- Restore the SPARK_Mode of the enclosing context after all delayed
932 -- pragmas have been analyzed.
939 -----------------------------------
940 -- Analyze_Package_Body_Contract --
941 -----------------------------------
943 procedure Analyze_Package_Body_Contract
946 is
953 begin
954 -- Do not analyze a contract multiple times
959 else
964 -- Due to the timing of contract analysis, delayed pragmas may be
965 -- subject to the wrong SPARK_Mode, usually that of the enclosing
966 -- context. To remedy this, restore the original SPARK_Mode of the
967 -- related package body.
973 -- The analysis of pragma Refined_State detects whether the spec has
974 -- abstract states available for refinement.
980 -- Restore the SPARK_Mode of the enclosing context after all delayed
981 -- pragmas have been analyzed.
985 -- Capture all global references in a generic package body now that the
986 -- contract has been analyzed.
989 Save_Global_References_In_Contract
995 ------------------------------
996 -- Analyze_Package_Contract --
997 ------------------------------
1008 begin
1009 -- Do not analyze a contract multiple times
1014 else
1019 -- Due to the timing of contract analysis, delayed pragmas may be
1020 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1021 -- context. To remedy this, restore the original SPARK_Mode of the
1022 -- related package.
1028 -- Locate and store pragmas Initial_Condition and Initializes, since
1029 -- their order of analysis matters.
1045 -- Analyze the initialization-related pragmas. Initializes must come
1046 -- before Initial_Condition due to item dependencies.
1057 -- Check whether the lack of indicator Part_Of agrees with the placement
1058 -- of the package instantiation with respect to the state space.
1068 -- Restore the SPARK_Mode of the enclosing context after all delayed
1069 -- pragmas have been analyzed.
1073 -- Capture all global references in a generic package now that the
1074 -- contract has been analyzed.
1077 Save_Global_References_In_Contract
1083 --------------------------------
1084 -- Analyze_Previous_Contracts --
1085 --------------------------------
1093 begin
1094 -- A body that is in the process of being inlined appears from source,
1095 -- but carries name _parent. Such a body does not cause "freezing" of
1096 -- contracts.
1102 -- Climb the parent chain looking for an enclosing package body. Do not
1103 -- use the scope stack, as a body uses the entity of its corresponding
1104 -- spec.
1109 Analyze_Package_Body_Contract
1115 -- Do not look for an enclosing package body when the construct which
1116 -- causes freezing is a body generated for an expression function and
1117 -- it appears within a package spec. This ensures that the traversal
1118 -- will not reach too far up the parent chain and attempt to freeze a
1119 -- package body which should not be frozen.
1121 -- package body Enclosing_Body
1122 -- with Refined_State => (State => Var)
1123 -- is
1124 -- package Nested is
1125 -- type Some_Type is ...;
1126 -- function Cause_Freezing return ...;
1127 -- private
1128 -- function Cause_Freezing is (...);
1129 -- end Nested;
1130 --
1131 -- Var : Nested.Some_Type;
1135 then
1142 -- Analyze the contracts of all eligible construct up to the body which
1143 -- caused the "freezing".
1146 Analyze_Contracts
1153 --------------------------------
1154 -- Analyze_Protected_Contract --
1155 --------------------------------
1160 begin
1161 -- Do not analyze a contract multiple times
1166 else
1172 -------------------------------------------
1173 -- Analyze_Subprogram_Body_Stub_Contract --
1174 -------------------------------------------
1180 begin
1181 -- A subprogram body stub may act as its own spec or as the completion
1182 -- of a previous declaration. Depending on the context, the contract of
1183 -- the stub may contain two sets of pragmas.
1185 -- The stub is a completion, the applicable pragmas are:
1186 -- Refined_Depends
1187 -- Refined_Global
1192 -- The stub acts as its own spec, the applicable pragmas are:
1193 -- Contract_Cases
1194 -- Depends
1195 -- Global
1196 -- Postcondition
1197 -- Precondition
1198 -- Test_Case
1200 else
1205 ---------------------------
1206 -- Analyze_Task_Contract --
1207 ---------------------------
1214 begin
1215 -- Do not analyze a contract multiple times
1220 else
1225 -- Due to the timing of contract analysis, delayed pragmas may be
1226 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1227 -- context. To remedy this, restore the original SPARK_Mode of the
1228 -- related task unit.
1232 -- Analyze Global first, as Depends may mention items classified in the
1233 -- global categorization.
1241 -- Depends must be analyzed after Global in order to see the modes of
1242 -- all global items.
1250 -- Restore the SPARK_Mode of the enclosing context after all delayed
1251 -- pragmas have been analyzed.
1256 -------------------------------------------------
1257 -- Build_And_Analyze_Contract_Only_Subprograms --
1258 -------------------------------------------------
1262 -- Analyze the contract-only subprograms of L
1265 -- Append the contract-only bodies of Subp_List to its declarations list
1268 -- If E is an entity for a non-imported subprogram specification with
1269 -- pre/postconditions and we are compiling with CodePeer mode, then
1270 -- this procedure will create a wrapper to help Gnat2scil process its
1271 -- contracts. Return Empty if the wrapper cannot be built.
1274 -- Build the contract-only subprograms of all eligible subprograms found
1275 -- in list L.
1278 -- Return True for package specs, task definitions, and protected type
1279 -- definitions whose list of private declarations is not empty.
1281 ---------------------------------------
1282 -- Analyze_Contract_Only_Subprograms --
1283 ---------------------------------------
1287 -- Analyze all the contract-only bodies of L
1289 ----------------------------------
1290 -- Analyze_Contract_Only_Bodies --
1291 ----------------------------------
1296 begin
1300 and then Is_Contract_Only_Body
1302 then
1310 -- Start of processing for Analyze_Contract_Only_Subprograms
1312 begin
1314 Analyze_Contract_Only_Bodies;
1316 else
1317 declare
1321 begin
1323 Analyze_Contract_Only_Bodies;
1325 -- For packages with private declarations, the contract-only
1326 -- bodies of subprograms defined in the visible part of the
1327 -- package are added to its private declarations (to ensure
1328 -- that they do not cause premature freezing of types and also
1329 -- that they are analyzed with proper visibility). Hence they
1330 -- will be analyzed later.
1336 Analyze_Contract_Only_Bodies;
1342 --------------------------------------
1343 -- Append_Contract_Only_Subprograms --
1344 --------------------------------------
1347 begin
1355 else
1356 declare
1360 begin
1364 -- If the package has private declarations then append them to
1365 -- its private declarations; they will be analyzed when the
1366 -- contracts of its private declarations are analyzed.
1368 else
1369 Append_List
1377 ------------------------------------
1378 -- Build_Contract_Only_Subprogram --
1379 ------------------------------------
1381 -- This procedure takes care of building a wrapper to generate better
1382 -- analysis results in the case of a call to a subprogram whose body
1383 -- is unavailable to CodePeer but whose specification includes Pre/Post
1384 -- conditions. The body might be unavailable for any of a number or
1385 -- reasons (it is imported, the .adb file is simply missing, or the
1386 -- subprogram might be subject to an Annotate (CodePeer, Skip_Analysis)
1387 -- pragma). The built subprogram has the following contents:
1388 -- * check preconditions
1389 -- * call the subprogram
1390 -- * check postconditions
1399 -- Build the declaration of the missing body subprogram and its
1400 -- corresponding pragma Import.
1403 -- Build the call to the missing body subprogram
1406 -- Return True for cases where the wrapper is not needed or we cannot
1407 -- build it.
1409 ------------------------------
1410 -- Build_Missing_Body_Decls --
1411 ------------------------------
1418 begin
1419 Decl :=
1423 Prag :=
1436 ----------------------------------------
1437 -- Build_Missing_Body_Subprogram_Call --
1438 ----------------------------------------
1444 begin
1447 -- Build parameter list that we need
1455 -- Build the call to the missing body subprogram
1458 return
1460 Expression =>
1462 Name =>
1466 else
1467 return
1469 Name =>
1475 -----------------------------------
1476 -- Skip_Contract_Only_Subprogram --
1477 -----------------------------------
1479 function Skip_Contract_Only_Subprogram
1481 is
1483 -- Return True if some formal of E (or its return type) are
1484 -- private types defined in an enclosing package.
1487 -- Return True if some enclosing package of the current scope has
1488 -- private declarations.
1490 ---------------------------------------
1491 -- Depends_On_Enclosing_Private_Type --
1492 ---------------------------------------
1495 function Defined_In_Enclosing_Package
1497 -- Return True if Typ is an entity defined in an enclosing
1498 -- package of the current scope.
1500 ----------------------------------
1501 -- Defined_In_Enclosing_Package --
1502 ----------------------------------
1504 function Defined_In_Enclosing_Package
1506 is
1509 begin
1512 loop
1519 -- Local variables
1524 -- Start of processing for Depends_On_Enclosing_Private_Type
1526 begin
1533 then
1540 return
1546 ----------------------------------------------
1547 -- Some_Enclosing_Package_Has_Private_Decls --
1548 ----------------------------------------------
1554 begin
1555 loop
1557 and then Has_Private_Declarations
1559 then
1570 -- Start of processing for Skip_Contract_Only_Subprogram
1572 begin
1573 if not CodePeer_Mode
1574 or else Inside_A_Generic
1582 then
1585 -- We do not support building the contract-only subprogram if E
1586 -- is a subprogram declared in a nested package that has some
1587 -- formal or return type depending on a private type defined in
1588 -- an enclosing package.
1591 and then Some_Enclosing_Package_Has_Private_Decls
1592 and then Depends_On_Enclosing_Private_Type
1593 then
1595 declare
1598 begin
1599 -- Warnings are disabled by default under CodePeer_Mode
1600 -- (see switch-c). Enable them temporarily.
1603 Error_Msg_N
1615 -- Start of processing for Build_Contract_Only_Subprogram
1617 begin
1618 -- Test cases where the wrapper is not needed and cases where we
1619 -- cannot build it.
1625 -- Note on calls to Copy_Separate_Tree. The trees we are copying
1626 -- here are fully analyzed, but we definitely want fully syntactic
1627 -- unanalyzed trees in the body we construct, so that the analysis
1628 -- generates the right visibility, and that is exactly what the
1629 -- calls to Copy_Separate_Tree give us.
1631 declare
1637 begin
1638 Bod :=
1640 Specification =>
1642 Declarations =>
1643 Build_Missing_Body_Decls,
1644 Handled_Statement_Sequence =>
1647 Build_Missing_Body_Subprogram_Call),
1652 -- Copy only the pre/postconditions of the original contract
1653 -- since it is what we need, but also because pragmas stored in
1654 -- the other fields have N_Pragmas with N_Aspect_Specifications
1655 -- that reference their associated pragma (thus causing an endless
1656 -- loop when trying to copy the subtree).
1658 declare
1661 begin
1667 -- Fix the name of this new subprogram and link the original
1668 -- subprogram with its Contract_Only_Body subprogram.
1678 -------------------------------------
1679 -- Build_Contract_Only_Subprograms --
1680 -------------------------------------
1688 begin
1710 ------------------------------
1711 -- Has_Private_Declarations --
1712 ------------------------------
1715 begin
1717 N_Protected_Definition,
1718 N_Task_Definition)
1719 then
1721 else
1722 return
1728 -- Local variables
1732 -- Start of processing for Build_And_Analyze_Contract_Only_Subprograms
1734 begin
1737 Analyze_Contract_Only_Subprograms;
1740 -----------------------------
1741 -- Create_Generic_Contract --
1742 -----------------------------
1749 -- Add a single contract-related source pragma Prag to the contract of
1750 -- generic template Templ_Id.
1752 ---------------------------------
1753 -- Add_Generic_Contract_Pragma --
1754 ---------------------------------
1759 begin
1760 -- Mark the pragma to prevent the premature capture of global
1761 -- references when capturing global references of the context
1762 -- (see Save_References_In_Pragma).
1766 -- Pragmas that apply to a generic subprogram declaration are not
1767 -- part of the semantic structure of the generic template:
1769 -- generic
1770 -- procedure Example (Formal : Integer);
1771 -- pragma Precondition (Formal > 0);
1773 -- Create a generic template for such pragmas and link the template
1774 -- of the pragma with the generic template.
1777 Rewrite
1784 -- Otherwise link the pragma with the generic template
1786 else
1791 -- Local variables
1796 -- Start of processing for Create_Generic_Contract
1798 begin
1799 -- A generic package declaration carries contract-related source pragmas
1800 -- in its visible declarations.
1809 -- A generic package body carries contract-related source pragmas in its
1810 -- declarations.
1819 -- Generic subprogram declaration
1824 else
1828 -- When the generic subprogram acts as a compilation unit, inspect
1829 -- the Pragmas_After list for contract-related source pragmas.
1834 then
1838 -- Otherwise inspect the successive declarations for contract-related
1839 -- source pragmas.
1841 else
1845 -- A generic subprogram body carries contract-related source pragmas in
1846 -- its declarations.
1856 -- Inspect the relevant declarations looking for contract-related source
1857 -- pragmas and add them to the contract of the generic unit.
1863 -- The source pragma is a contract annotation
1869 -- The region where a contract-related source pragma may appear
1870 -- ends with the first source non-pragma declaration or statement.
1872 else
1881 --------------------------------
1882 -- Expand_Subprogram_Contract --
1883 --------------------------------
1889 procedure Add_Invariant_And_Predicate_Checks
1893 -- Process the result of function Subp_Id (if applicable) and all its
1894 -- formals. Add invariant and predicate checks where applicable. The
1895 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1896 -- function, Result contains the entity of parameter _Result, to be
1897 -- used in the creation of procedure _Postconditions.
1900 -- Append a node to a list. If there is no list, create a new one. When
1901 -- the item denotes a pragma, it is added to the list only when it is
1902 -- enabled.
1904 procedure Build_Postconditions_Procedure
1908 -- Create the body of procedure _Postconditions which handles various
1909 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1910 -- of statements to be checked on exit. Parameter Result is the entity
1911 -- of parameter _Result when Subp_Id denotes a function.
1914 -- Process pragma Contract_Cases. This routine prepends items to the
1915 -- body declarations and appends items to list Stmts.
1918 -- Collect all [inherited] spec and body postconditions and accumulate
1919 -- their pragma Check equivalents in list Stmts.
1922 -- Collect all [inherited] spec and body preconditions and prepend their
1923 -- pragma Check equivalents to the declarations of the body.
1925 ----------------------------------------
1926 -- Add_Invariant_And_Predicate_Checks --
1927 ----------------------------------------
1929 procedure Add_Invariant_And_Predicate_Checks
1933 is
1935 -- Id denotes the return value of a function or a formal parameter.
1936 -- Add an invariant check if the type of Id is access to a type with
1937 -- invariants. The routine appends the generated code to Stmts.
1940 -- Determine whether type Typ can benefit from invariant checks. To
1941 -- qualify, the type must have a non-null invariant procedure and
1942 -- subprogram Subp_Id must appear visible from the point of view of
1943 -- the type.
1945 ---------------------------------
1946 -- Add_Invariant_Access_Checks --
1947 ---------------------------------
1954 begin
1961 Ref :=
1966 -- Generate:
1967 -- if <Id> /= null then
1968 -- <invariant_call (<Ref>)>
1969 -- end if;
1971 Append_Enabled_Item
1974 Condition =>
1985 -------------------------
1986 -- Invariant_Checks_OK --
1987 -------------------------
1991 -- Determine whether type Typ has public visibility of subprogram
1992 -- Subp_Id.
1994 -----------------------------------------
1995 -- Has_Public_Visibility_Of_Subprogram --
1996 -----------------------------------------
2001 begin
2002 -- An Initialization procedure must be considered visible even
2003 -- though it is internally generated.
2011 -- Internally generated code is never publicly visible except
2012 -- for a subprogram that is the implementation of an expression
2013 -- function. In that case the visibility is determined by the
2014 -- last check.
2017 and then
2019 or else not
2021 then
2024 -- Determine whether the subprogram is declared in the visible
2025 -- declarations of the package containing the type.
2027 else
2029 Visible_Declarations
2034 -- Start of processing for Invariant_Checks_OK
2036 begin
2037 return
2044 -- Local variables
2047 -- Source location of subprogram body contract
2052 -- Start of processing for Add_Invariant_And_Predicate_Checks
2054 begin
2057 -- Process the result of a function
2062 -- Generate _Result which is used in procedure _Postconditions to
2063 -- verify the return value.
2068 -- Add an invariant check when the return type has invariants and
2069 -- the related function is visible to the outside.
2072 Append_Enabled_Item
2078 -- Add an invariant check when the return type is an access to a
2079 -- type with invariants.
2084 -- Add invariant and predicates for all formals that qualify
2092 then
2094 Append_Enabled_Item
2102 -- Note: we used to add predicate checks for OUT and IN OUT
2103 -- formals here, but that was misguided, since such checks are
2104 -- performed on the caller side, based on the predicate of the
2105 -- actual, rather than the predicate of the formal.
2113 -------------------------
2114 -- Append_Enabled_Item --
2115 -------------------------
2118 begin
2119 -- Do not chain ignored or disabled pragmas
2123 then
2126 -- Otherwise, add the item
2128 else
2133 -- If the pragma is a conjunct in a composite postcondition, it
2134 -- has been processed in reverse order. In the postcondition body
2135 -- it must appear before the others.
2140 then
2142 else
2148 ------------------------------------
2149 -- Build_Postconditions_Procedure --
2150 ------------------------------------
2152 procedure Build_Postconditions_Procedure
2156 is
2158 -- Insert node Stmt before the first source declaration of the
2159 -- related subprogram's body. If no such declaration exists, Stmt
2160 -- becomes the last declaration.
2162 --------------------------------------------
2163 -- Insert_Before_First_Source_Declaration --
2164 --------------------------------------------
2170 begin
2171 -- Inspect the declarations of the related subprogram body looking
2172 -- for the first source declaration.
2185 -- If we get there, then the subprogram body lacks any source
2186 -- declarations. The body of _Postconditions now acts as the
2187 -- last declaration.
2191 -- Ensure that the body has a declaration list
2193 else
2198 -- Local variables
2207 -- Start of processing for Build_Postconditions_Procedure
2209 begin
2210 -- Nothing to do if there are no actions to check on exit
2220 -- Force the front-end inlining of _Postconditions when generating C
2221 -- code, since its body may have references to itypes defined in the
2222 -- enclosing subprogram, which would cause problems for unnesting
2223 -- routines in the absence of inlining.
2231 -- The related subprogram is a function: create the specification of
2232 -- parameter _Result.
2238 Parameter_Type =>
2242 Proc_Spec :=
2249 -- Insert _Postconditions before the first source declaration of the
2250 -- body. This ensures that the body will not cause any premature
2251 -- freezing, as it may mention types:
2253 -- procedure Proc (Obj : Array_Typ) is
2254 -- procedure _postconditions is
2255 -- begin
2256 -- ... Obj ...
2257 -- end _postconditions;
2259 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
2260 -- begin
2262 -- In the example above, Obj is of type T but the incorrect placement
2263 -- of _Postconditions will cause a crash in gigi due to an out-of-
2264 -- order reference. The body of _Postconditions must be placed after
2265 -- the declaration of Temp to preserve correct visibility.
2270 -- Set an explicit End_Label to override the sloc of the implicit
2271 -- RETURN statement, and prevent it from inheriting the sloc of one
2272 -- the postconditions: this would cause confusing debug info to be
2273 -- produced, interfering with coverage-analysis tools.
2275 Proc_Bod :=
2277 Specification =>
2280 Handled_Statement_Sequence =>
2288 ----------------------------
2289 -- Process_Contract_Cases --
2290 ----------------------------
2294 -- Process pragma Contract_Cases for subprogram Subp_Id
2296 --------------------------------
2297 -- Process_Contract_Cases_For --
2298 --------------------------------
2304 begin
2309 Expand_Pragma_Contract_Cases
2321 -- Start of processing for Process_Contract_Cases
2323 begin
2331 ----------------------------
2332 -- Process_Postconditions --
2333 ----------------------------
2337 -- Collect all [refined] postconditions of a specific kind denoted
2338 -- by Post_Nam that belong to the body, and generate pragma Check
2339 -- equivalents in list Stmts.
2342 -- Collect all [inherited] postconditions of the spec, and generate
2343 -- pragma Check equivalents in list Stmts.
2345 ---------------------------------
2346 -- Process_Body_Postconditions --
2347 ---------------------------------
2355 begin
2356 -- Process the contract
2362 Append_Enabled_Item
2371 -- The subprogram body being processed is actually the proper body
2372 -- of a stub with a corresponding spec. The subprogram stub may
2373 -- carry a postcondition pragma, in which case it must be taken
2374 -- into account. The pragma appears after the stub.
2380 -- Note that non-matching pragmas are skipped
2384 Append_Enabled_Item
2389 -- Skip internally generated code
2394 -- Postcondition pragmas are usually grouped together. There
2395 -- is no need to inspect the whole declarative list.
2397 else
2406 ---------------------------------
2407 -- Process_Spec_Postconditions --
2408 ---------------------------------
2417 begin
2418 -- Process the contract
2426 Append_Enabled_Item
2435 -- Process the contracts of all inherited subprograms, looking for
2436 -- class-wide postconditions.
2447 then
2448 Append_Enabled_Item
2450 Build_Pragma_Check_Equivalent
2463 -- Start of processing for Process_Postconditions
2465 begin
2466 -- The processing of postconditions is done in reverse order (body
2467 -- first) to ensure the following arrangement:
2469 -- <refined postconditions from body>
2470 -- <postconditions from body>
2471 -- <postconditions from spec>
2472 -- <inherited postconditions>
2478 Process_Spec_Postconditions;
2482 ---------------------------
2483 -- Process_Preconditions --
2484 ---------------------------
2488 -- The sole [inherited] class-wide precondition pragma that applies
2489 -- to the subprogram.
2492 -- The insertion node after which all pragma Check equivalents are
2493 -- inserted.
2496 -- Determine whether arbitrary declaration Decl denotes a renaming of
2497 -- a discriminant or protection field _object.
2500 -- Merge two class-wide preconditions by "or else"-ing them. The
2501 -- changes are accumulated in parameter Into. Update the error
2502 -- message of Into.
2505 -- Prepend a single item to the declarations of the subprogram body
2508 -- Save a class-wide precondition into Class_Pre, or prepend a normal
2509 -- precondition to the declarations of the body and analyze it.
2512 -- Collect all inherited class-wide preconditions and merge them into
2513 -- one big precondition to be evaluated as pragma Check.
2516 -- Collect all preconditions of subprogram Subp_Id and prepend their
2517 -- pragma Check equivalents to the declarations of the body.
2519 --------------------------
2520 -- Is_Prologue_Renaming --
2521 --------------------------
2529 begin
2538 -- A discriminant renaming appears as
2539 -- Discr : constant ... := Prefix.Discr;
2545 then
2548 -- A protection field renaming appears as
2549 -- Prot : ... := _object._object;
2551 -- A renamed private component is just a component of
2552 -- _object, with an arbitrary name.
2558 then
2567 -------------------------
2568 -- Merge_Preconditions --
2569 -------------------------
2573 -- Return the boolean expression argument of a precondition while
2574 -- updating its parentheses count for the subsequent merge.
2577 -- Return the message argument of a precondition
2579 --------------------
2580 -- Expression_Arg --
2581 --------------------
2587 begin
2595 -----------------
2596 -- Message_Arg --
2597 -----------------
2601 begin
2605 -- Local variables
2613 -- Start of processing for Merge_Preconditions
2615 begin
2616 -- Merge the two preconditions by "or else"-ing them
2623 -- Merge the two error messages to produce a single message of the
2624 -- form:
2626 -- failed precondition from ...
2627 -- also failed inherited precondition from ...
2639 ----------------------
2640 -- Prepend_To_Decls --
2641 ----------------------
2646 begin
2647 -- Ensure that the body has a declarative list
2657 ------------------------------
2658 -- Prepend_To_Decls_Or_Save --
2659 ------------------------------
2664 begin
2667 -- Save the sole class-wide precondition (if any) for the next
2668 -- step, where it will be merged with inherited preconditions.
2674 -- Accumulate the corresponding Check pragmas at the top of the
2675 -- declarations. Prepending the items ensures that they will be
2676 -- evaluated in their original order.
2678 else
2681 else
2689 -------------------------------------
2690 -- Process_Inherited_Preconditions --
2691 -------------------------------------
2701 begin
2702 -- Process the contracts of all inherited subprograms, looking for
2703 -- class-wide preconditions.
2714 then
2715 Check_Prag :=
2716 Build_Pragma_Check_Equivalent
2721 -- The spec of an inherited subprogram already yielded
2722 -- a class-wide precondition. Merge the existing
2723 -- precondition with the current one using "or else".
2727 else
2737 -- Add the merged class-wide preconditions
2745 -------------------------------
2746 -- Process_Preconditions_For --
2747 -------------------------------
2755 begin
2756 -- Process the contract
2769 -- The subprogram declaration being processed is actually a body
2770 -- stub. The stub may carry a precondition pragma, in which case
2771 -- it must be taken into account. The pragma appears after the
2772 -- stub.
2778 -- Inspect the declarations following the body stub
2783 -- Note that non-matching pragmas are skipped
2790 -- Skip internally generated code
2795 -- Preconditions are usually grouped together. There is no
2796 -- need to inspect the whole declarative list.
2798 else
2807 -- Local variables
2812 -- Start of processing for Process_Preconditions
2814 begin
2815 -- Find the proper insertion point for all pragma Check equivalents
2821 -- First source declaration terminates the search, because all
2822 -- preconditions must be evaluated prior to it, by definition.
2827 -- Certain internally generated object renamings such as those
2828 -- for discriminants and protection fields must be elaborated
2829 -- before the preconditions are evaluated, as their expressions
2830 -- may mention the discriminants. The renamings include those
2831 -- for private components so we need to find the last such.
2836 loop
2842 -- Otherwise the declaration does not come from source. This
2843 -- also terminates the search, because internal code may raise
2844 -- exceptions which should not preempt the preconditions.
2846 else
2854 -- The processing of preconditions is done in reverse order (body
2855 -- first), because each pragma Check equivalent is inserted at the
2856 -- top of the declarations. This ensures that the final order is
2857 -- consistent with following diagram:
2859 -- <inherited preconditions>
2860 -- <preconditions from spec>
2861 -- <preconditions from body>
2867 Process_Inherited_Preconditions;
2871 -- Local variables
2878 -- Start of processing for Expand_Subprogram_Contract
2880 begin
2881 -- Obtain the entity of the initial declaration
2885 else
2889 -- Do not perform expansion activity when it is not needed
2894 -- ASIS requires an unaltered tree
2899 -- GNATprove does not need the executable semantics of a contract
2904 -- The contract of a generic subprogram or one declared in a generic
2905 -- context is not expanded, as the corresponding instance will provide
2906 -- the executable semantics of the contract.
2911 -- All subprograms carry a contract, but for some it is not significant
2912 -- and should not be processed. This is a small optimization.
2917 -- The contract of an ignored Ghost subprogram does not need expansion,
2918 -- because the subprogram and all calls to it will be removed.
2924 -- Do not re-expand the same contract. This scenario occurs when a
2925 -- construct is rewritten into something else during its analysis
2926 -- (expression functions for instance).
2931 -- Otherwise mark the subprogram
2933 else
2937 -- Ensure that the formal parameters are visible when expanding all
2938 -- contract items.
2946 else
2951 -- The expansion of a subprogram contract involves the creation of Check
2952 -- pragmas to verify the contract assertions of the spec and body in a
2953 -- particular order. The order is as follows:
2955 -- function Example (...) return ... is
2956 -- procedure _Postconditions (...) is
2957 -- begin
2958 -- <refined postconditions from body>
2959 -- <postconditions from body>
2960 -- <postconditions from spec>
2961 -- <inherited postconditions>
2962 -- <contract case consequences>
2963 -- <invariant check of function result>
2964 -- <invariant and predicate checks of parameters>
2965 -- end _Postconditions;
2967 -- <inherited preconditions>
2968 -- <preconditions from spec>
2969 -- <preconditions from body>
2970 -- <contract case conditions>
2972 -- <source declarations>
2973 -- begin
2974 -- <source statements>
2976 -- _Preconditions (Result);
2977 -- return Result;
2978 -- end Example;
2980 -- Routine _Postconditions holds all contract assertions that must be
2981 -- verified on exit from the related subprogram.
2983 -- Step 1: Handle all preconditions. This action must come before the
2984 -- processing of pragma Contract_Cases because the pragma prepends items
2985 -- to the body declarations.
2987 Process_Preconditions;
2989 -- Step 2: Handle all postconditions. This action must come before the
2990 -- processing of pragma Contract_Cases because the pragma appends items
2991 -- to list Stmts.
2995 -- Step 3: Handle pragma Contract_Cases. This action must come before
2996 -- the processing of invariants and predicates because those append
2997 -- items to list Stmts.
3001 -- Step 4: Apply invariant and predicate checks on a function result and
3002 -- all formals. The resulting checks are accumulated in list Stmts.
3006 -- Step 5: Construct procedure _Postconditions
3011 End_Scope;
3015 ---------------------------------
3016 -- Inherit_Subprogram_Contract --
3017 ---------------------------------
3019 procedure Inherit_Subprogram_Contract
3022 is
3024 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3025 -- Subp's contract.
3027 --------------------
3028 -- Inherit_Pragma --
3029 --------------------
3035 begin
3036 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3037 -- chains, therefore the node must be replicated. The new pragma is
3038 -- flagged as inherited for distinction purposes.
3048 -- Start of processing for Inherit_Subprogram_Contract
3050 begin
3051 -- Inheritance is carried out only when both entities are subprograms
3052 -- with contracts.
3057 then
3062 -------------------------------------
3063 -- Instantiate_Subprogram_Contract --
3064 -------------------------------------
3068 -- Instantiate all contract-related source pragmas found in the list,
3069 -- starting with pragma First_Prag. Each instantiated pragma is added
3070 -- to list L.
3072 -------------------------
3073 -- Instantiate_Pragmas --
3074 -------------------------
3080 begin
3084 Inst_Prag :=
3095 -- Local variables
3099 -- Start of processing for Instantiate_Subprogram_Contract
3101 begin
3109 ----------------------------------------
3110 -- Save_Global_References_In_Contract --
3111 ----------------------------------------
3113 procedure Save_Global_References_In_Contract
3116 is
3118 -- Save all global references in contract-related source pragmas found
3119 -- in the list, starting with pragma First_Prag.
3121 ------------------------------------
3122 -- Save_Global_References_In_List --
3123 ------------------------------------
3128 begin
3139 -- Local variables
3143 -- Start of processing for Save_Global_References_In_Contract
3145 begin
3146 -- The entity of the analyzed generic copy must be on the scope stack
3147 -- to ensure proper detection of global references.
3153 then
3163 Pop_Scope;