| blob | 77578dacc189921cab797aaf4993c4f17ce21799 |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2023, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
66 -- This exception is raised by Add_Contract_Item when it is invoked on an
67 -- invalid pragma. Note that clients of the package must filter them out
68 -- before invoking Add_Contract_Item, so it should not escape the package.
71 -- Analyze all delayed pragmas chained on the contract of package
72 -- instantiation Inst_Id as if they appear at the end of a declarative
73 -- region. The pragmas in question are:
74 --
75 -- Part_Of
77 procedure Build_Subprogram_Contract_Wrapper
82 -- Generate a wrapper for a given subprogram body when the expansion of
83 -- postconditions require it by moving its declarations and statements
84 -- into a locally declared subprogram _Wrapped_Statements.
86 -- Postcondition and precondition checks then get inserted in place of
87 -- the original statements and declarations along with a call to
88 -- _Wrapped_Statements.
90 procedure Check_Class_Condition
95 -- Perform checking of class-wide pre/postcondition Cond inherited by Subp
96 -- from Par_Subp. Is_Precondition enables check specific for preconditions.
97 -- In SPARK_Mode, an inherited operation that is not overridden but has
98 -- inherited modified conditions pre/postconditions is illegal.
101 -- Determine whether arbitrary declaration Decl denotes a renaming of
102 -- a discriminant or protection field _object.
104 procedure Check_Type_Or_Object_External_Properties
106 -- Perform checking of external properties pragmas that is common to both
107 -- type declarations and object declarations.
110 -- Expand the contracts of a subprogram body and its correspoding spec (if
111 -- any). This routine processes all [refined] pre- and postconditions as
112 -- well as Always_Terminates, Contract_Cases, Exceptional_Cases,
113 -- Subprogram_Variant, invariants and predicates. Body_Id denotes the
114 -- entity of the subprogram body.
116 procedure Preanalyze_Condition
119 -- Preanalyze the class-wide condition Expr of Subp
121 procedure Set_Class_Condition
125 -- Set the class-wide Kind condition of Subp
127 -----------------------
128 -- Add_Contract_Item --
129 -----------------------
135 -- Prepend Prag to the list of classifications
138 -- Prepend Prag to the list of contract and test cases
141 -- Prepend Prag to the list of pre- and postconditions
143 ------------------------
144 -- Add_Classification --
145 ------------------------
148 begin
153 ----------------------------
154 -- Add_Contract_Test_Case --
155 ----------------------------
158 begin
163 ----------------------------
164 -- Add_Pre_Post_Condition --
165 ----------------------------
168 begin
173 -- Local variables
175 -- A contract must contain only pragmas
180 -- Start of processing for Add_Contract_Item
182 begin
183 -- Create a new contract when adding the first item
190 -- Constants, the applicable pragmas are:
191 -- Part_Of
195 | Name_Async_Writers
196 | Name_Effective_Reads
197 | Name_Effective_Writes
198 | Name_No_Caching
199 | Name_Part_Of
200 then
201 Add_Classification;
203 -- The pragma is not a proper contract item
205 else
209 -- Entry bodies, the applicable pragmas are:
210 -- Refined_Depends
211 -- Refined_Global
212 -- Refined_Post
216 Add_Classification;
219 Add_Pre_Post_Condition;
221 -- The pragma is not a proper contract item
223 else
227 -- Entry or subprogram declarations, the applicable pragmas are:
228 -- Always_Terminates
229 -- Attach_Handler
230 -- Contract_Cases
231 -- Depends
232 -- Exceptional_Cases
233 -- Extensions_Visible
234 -- Global
235 -- Interrupt_Handler
236 -- Postcondition
237 -- Precondition
238 -- Subprogram_Variant
239 -- Test_Case
240 -- Volatile_Function
244 | E_Generic_Function
245 | E_Generic_Procedure
246 | E_Procedure
247 then
250 then
251 Add_Classification;
254 | Name_Extensions_Visible
255 | Name_Global
256 then
257 Add_Classification;
261 then
262 Add_Classification;
265 | Name_Contract_Cases
266 | Name_Exceptional_Cases
267 | Name_Subprogram_Variant
268 | Name_Test_Case
269 then
270 Add_Contract_Test_Case;
273 Add_Pre_Post_Condition;
275 -- The pragma is not a proper contract item
277 else
281 -- Packages or instantiations, the applicable pragmas are:
282 -- Abstract_States
283 -- Initial_Condition
284 -- Initializes
285 -- Part_Of (instantiation only)
289 | Name_Initial_Condition
290 | Name_Initializes
291 then
292 Add_Classification;
294 -- Indicator Part_Of must be associated with a package instantiation
297 Add_Classification;
300 Add_Contract_Test_Case;
302 -- The pragma is not a proper contract item
304 else
308 -- Package bodies, the applicable pragmas are:
309 -- Refined_States
313 Add_Classification;
315 -- The pragma is not a proper contract item
317 else
321 -- The four volatility refinement pragmas are ok for all types.
322 -- Part_Of is ok for task types and protected types.
323 -- Depends and Global are ok for task types.
324 --
325 -- Precondition and Postcondition are added separately; they are allowed
326 -- for access-to-subprogram types.
329 declare
331 Prag_Nam in Name_Async_Readers
332 | Name_Async_Writers
333 | Name_Effective_Reads
334 | Name_Effective_Writes
335 | Name_No_Caching
338 | Name_Depends
339 | Name_Global)
343 begin
345 Add_Classification;
349 | Name_Postcondition
350 then
351 Add_Pre_Post_Condition;
352 else
354 -- The pragma is not a proper contract item
360 -- Subprogram bodies, the applicable pragmas are:
361 -- Postcondition
362 -- Precondition
363 -- Refined_Depends
364 -- Refined_Global
365 -- Refined_Post
369 Add_Classification;
372 | Name_Precondition
373 | Name_Refined_Post
374 then
375 Add_Pre_Post_Condition;
377 -- The pragma is not a proper contract item
379 else
383 -- Task bodies, the applicable pragmas are:
384 -- Refined_Depends
385 -- Refined_Global
389 Add_Classification;
391 -- The pragma is not a proper contract item
393 else
397 -- Task units, the applicable pragmas are:
398 -- Depends
399 -- Global
400 -- Part_Of
402 -- Variables, the applicable pragmas are:
403 -- Async_Readers
404 -- Async_Writers
405 -- Constant_After_Elaboration
406 -- Depends
407 -- Effective_Reads
408 -- Effective_Writes
409 -- Global
410 -- No_Caching
411 -- Part_Of
415 | Name_Async_Writers
416 | Name_Constant_After_Elaboration
417 | Name_Depends
418 | Name_Effective_Reads
419 | Name_Effective_Writes
420 | Name_Global
421 | Name_No_Caching
422 | Name_Part_Of
423 then
424 Add_Classification;
426 -- The pragma is not a proper contract item
428 else
432 else
437 -----------------------
438 -- Analyze_Contracts --
439 -----------------------
444 begin
448 -- Entry or subprogram declarations
451 | N_Entry_Declaration
452 | N_Generic_Subprogram_Declaration
453 | N_Subprogram_Declaration
454 then
457 -- Entry or subprogram bodies
462 -- Objects
467 -- Package instantiation
472 -- Protected units
475 | N_Single_Protected_Declaration
476 then
479 -- Subprogram body stubs
484 -- Task units
487 | N_Task_Type_Declaration
488 then
491 -- For type declarations, we need to do the preanalysis of Iterable
492 -- and the 3 Xxx_Literal aspect specifications.
494 -- Other type aspects need to be resolved here???
498 then
499 declare
509 begin
527 | N_Private_Type_Declaration
528 | N_Task_Type_Declaration
529 | N_Protected_Type_Declaration
530 | N_Formal_Type_Declaration
531 then
539 -------------------------------------
540 -- Analyze_Pragmas_In_Declarations --
541 -------------------------------------
546 begin
547 -- Move through the body's declarations analyzing all pragmas which
548 -- appear at the top of the declarations.
555 if Pragma_Significant_To_Subprograms
557 then
561 -- Skip the renamings of discriminants and protection fields
566 -- We have reached something which is not a pragma so we can be sure
567 -- there are no more contracts or pragmas which need to be taken into
568 -- account.
570 else
578 -----------------------------------------------
579 -- Analyze_Entry_Or_Subprogram_Body_Contract --
580 -----------------------------------------------
582 -- WARNING: This routine manages SPARK regions. Return statements must be
583 -- replaced by gotos which jump to the end of the routine and restore the
584 -- SPARK mode.
593 -- Save the SPARK_Mode-related data to restore on exit
595 begin
596 -- When a subprogram body declaration is illegal, its defining entity is
597 -- left unanalyzed. There is nothing left to do in this case because the
598 -- body lacks a contract, or even a proper Ekind.
603 -- Do not analyze a contract multiple times
608 else
612 -- When this is a subprogram body not coming from source, for example an
613 -- expression function, it does not cause freezing of previous contracts
614 -- (see Analyze_Subprogram_Body_Helper), in particular not of those on
615 -- its spec if it exists. In this case make sure they have been properly
616 -- analyzed before being expanded below, as we may be invoked during the
617 -- freezing of the subprogram in the middle of its enclosing declarative
618 -- part because the declarative part contains e.g. the declaration of a
619 -- variable initialized by means of a call to the subprogram.
625 then
629 -- Due to the timing of contract analysis, delayed pragmas may be
630 -- subject to the wrong SPARK_Mode, usually that of the enclosing
631 -- context. To remedy this, restore the original SPARK_Mode of the
632 -- related subprogram body.
636 -- Ensure that the contract cases or postconditions mention 'Result or
637 -- define a post-state.
641 -- A stand-alone nonvolatile function body cannot have an effectively
642 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
643 -- check is relevant only when SPARK_Mode is on, as it is not a standard
644 -- legality rule. The check is performed here because Volatile_Function
645 -- is processed after the analysis of the related subprogram body. The
646 -- check only applies to source subprograms and not to generated TSS
647 -- subprograms.
653 then
657 -- Restore the SPARK_Mode of the enclosing context after all delayed
658 -- pragmas have been analyzed.
662 -- Capture all global references in a generic subprogram body now that
663 -- the contract has been analyzed.
666 Save_Global_References_In_Contract
671 -- Deal with preconditions, [refined] postconditions, Always_Terminates,
672 -- Contract_Cases, Exceptional_Cases, Subprogram_Variant, invariants and
673 -- predicates associated with body and its spec. Do not expand the
674 -- contract of subprogram body stubs.
681 ------------------------------------------
682 -- Analyze_Entry_Or_Subprogram_Contract --
683 ------------------------------------------
685 -- WARNING: This routine manages SPARK regions. Return statements must be
686 -- replaced by gotos which jump to the end of the routine and restore the
687 -- SPARK mode.
689 procedure Analyze_Entry_Or_Subprogram_Contract
692 is
701 -- Save the SPARK_Mode-related data to restore on exit
711 begin
712 -- Do not analyze a contract multiple times
717 else
722 -- Due to the timing of contract analysis, delayed pragmas may be
723 -- subject to the wrong SPARK_Mode, usually that of the enclosing
724 -- context. To remedy this, restore the original SPARK_Mode of the
725 -- related subprogram body.
729 -- All subprograms carry a contract, but for some it is not significant
730 -- and should not be processed.
737 -- Do not analyze the pre/postconditions of an entry declaration
738 -- unless annotating the original tree for GNATprove. The
739 -- real analysis occurs when the pre/postconditons are relocated to
740 -- the contract wrapper procedure (see Build_Contract_Wrapper).
745 -- Otherwise analyze the pre/postconditions.
746 -- If these come from an aspect specification, their expressions
747 -- might include references to types that are not frozen yet, in the
748 -- case where the body is a rewritten expression function that is a
749 -- completion, so freeze all types within before constructing the
750 -- contract code.
752 else
753 declare
757 begin
766 then
773 if Freeze_Types
775 then
776 Freeze_Expr_Types
779 Expr =>
780 Expression
791 -- Analyze contract-cases, subprogram-variant and test-cases
802 -- Do not analyze the contract cases of an entry declaration
803 -- unless annotating the original tree for GNATprove.
804 -- The real analysis occurs when the contract cases are moved
805 -- to the contract wrapper procedure (Build_Contract_Wrapper).
810 -- Otherwise analyze the contract cases
812 else
822 else
830 -- Analyze classification pragmas
846 -- Analyze Global first, as Depends may mention items classified in
847 -- the global categorization.
853 -- Depends must be analyzed after Global in order to see the modes of
854 -- all global items.
860 -- Ensure that the contract cases or postconditions mention 'Result
861 -- or define a post-state.
866 -- A nonvolatile function cannot have an effectively volatile formal
867 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
868 -- only when SPARK_Mode is on, as it is not a standard legality rule.
869 -- The check is performed here because pragma Volatile_Function is
870 -- processed after the analysis of the related subprogram declaration.
876 then
880 -- Restore the SPARK_Mode of the enclosing context after all delayed
881 -- pragmas have been analyzed.
885 -- Capture all global references in a generic subprogram now that the
886 -- contract has been analyzed.
889 Save_Global_References_In_Contract
895 ----------------------------------------------
896 -- Check_Type_Or_Object_External_Properties --
897 ----------------------------------------------
899 procedure Check_Type_Or_Object_External_Properties
901 is
906 -- Local variables
917 -- Start of processing for Check_Type_Or_Object_External_Properties
919 begin
920 -- Analyze all external properties
925 -- If the parent type of a derived type is volatile
926 -- then the derived type inherits volatility-related flags.
929 declare
932 begin
941 else
948 declare
950 begin
954 Error_Msg_N
956 Prag);
964 declare
966 begin
970 Error_Msg_N
972 Prag);
980 declare
982 begin
986 Error_Msg_N
988 Prag);
996 declare
998 begin
1002 Error_Msg_N
1004 Prag);
1009 -- Verify the mutual interaction of the various external properties.
1010 -- For types and variables for which No_Caching is enabled, it has been
1011 -- checked already that only False values for other external properties
1012 -- are allowed.
1014 if Seen
1016 then
1017 Check_External_Properties
1021 -- Analyze the non-external volatility property No_Caching
1029 -- The following checks are relevant only when SPARK_Mode is on, as
1030 -- they are not standard Ada legality rules. Internally generated
1031 -- temporaries are ignored, as well as return objects.
1036 then
1039 -- The declaration of an effectively volatile object or type must
1040 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
1044 Error_Msg_N
1046 & Decl_Kind
1048 Type_Or_Obj_Id);
1050 -- An object of a discriminated type cannot be effectively
1051 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
1055 then
1056 Error_Msg_N
1058 Type_Or_Obj_Id);
1061 -- An object decl shall be compatible with respect to volatility
1062 -- with its type (SPARK RM 7.1.3(2)).
1066 Check_Volatility_Compatibility
1072 -- A component of a composite type (in this case, the composite
1073 -- type is an array type) shall be compatible with respect to
1074 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1077 Check_Volatility_Compatibility
1082 -- A component of a composite type (in this case, the composite
1083 -- type is a record type) shall be compatible with respect to
1084 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1087 declare
1089 begin
1091 Check_Volatility_Compatibility
1101 -- The type or object is not effectively volatile
1103 else
1104 -- A non-effectively volatile type cannot have effectively
1105 -- volatile components (SPARK RM 7.1.3(6)).
1107 if Is_Type_Id
1110 then
1111 Error_Msg_N
1114 Type_Or_Obj_Id);
1120 -----------------------------
1121 -- Analyze_Object_Contract --
1122 -----------------------------
1124 -- WARNING: This routine manages SPARK regions. Return statements must be
1125 -- replaced by gotos which jump to the end of the routine and restore the
1126 -- SPARK mode.
1128 procedure Analyze_Object_Contract
1131 is
1136 -- Save the SPARK_Mode-related data to restore on exit
1142 begin
1143 -- The loop parameter in an element iterator over a formal container
1144 -- is declared with an object declaration, but no contracts apply.
1150 -- Do not analyze a contract multiple times
1157 else
1162 -- The anonymous object created for a single concurrent type inherits
1163 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
1164 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
1165 -- of the enclosing context. To remedy this, restore the original mode
1166 -- of the related anonymous object.
1170 then
1174 -- Checks related to external properties, same for constants and
1175 -- variables.
1179 -- Constant-related checks
1183 -- Analyze indicator Part_Of
1187 -- Check whether the lack of indicator Part_Of agrees with the
1188 -- placement of the constant with respect to the state space.
1194 -- Variable-related checks
1198 -- The anonymous object created for a single task type carries
1199 -- pragmas Depends and Global of the type.
1203 -- Analyze Global first, as Depends may mention items classified
1204 -- in the global categorization.
1212 -- Depends must be analyzed after Global in order to see the modes
1213 -- of all global items.
1224 -- Analyze indicator Part_Of
1229 -- The variable is a constituent of a single protected/task type
1230 -- and behaves as a component of the type. Verify that references
1231 -- to the variable occur within the definition or body of the type
1232 -- (SPARK RM 9.3).
1235 and then Is_Single_Concurrent_Object
1238 then
1246 -- Otherwise check whether the lack of indicator Part_Of agrees with
1247 -- the placement of the variable with respect to the state space.
1249 else
1254 -- Common checks
1258 -- A Ghost object cannot be of a type that yields a synchronized
1259 -- object (SPARK RM 6.9(19)).
1264 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
1265 -- SPARK RM 6.9(19)).
1270 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
1271 -- One exception to this is the object that represents the dispatch
1272 -- table of a Ghost tagged type, as the symbol needs to be exported.
1282 -- Restore the SPARK_Mode of the enclosing context after all delayed
1283 -- pragmas have been analyzed.
1288 -----------------------------------
1289 -- Analyze_Package_Body_Contract --
1290 -----------------------------------
1292 -- WARNING: This routine manages SPARK regions. Return statements must be
1293 -- replaced by gotos which jump to the end of the routine and restore the
1294 -- SPARK mode.
1296 procedure Analyze_Package_Body_Contract
1299 is
1306 -- Save the SPARK_Mode-related data to restore on exit
1310 begin
1311 -- Do not analyze a contract multiple times
1316 else
1321 -- Due to the timing of contract analysis, delayed pragmas may be
1322 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1323 -- context. To remedy this, restore the original SPARK_Mode of the
1324 -- related package body.
1330 -- The analysis of pragma Refined_State detects whether the spec has
1331 -- abstract states available for refinement.
1337 -- Restore the SPARK_Mode of the enclosing context after all delayed
1338 -- pragmas have been analyzed.
1342 -- Capture all global references in a generic package body now that the
1343 -- contract has been analyzed.
1346 Save_Global_References_In_Contract
1352 ------------------------------
1353 -- Analyze_Package_Contract --
1354 ------------------------------
1356 -- WARNING: This routine manages SPARK regions. Return statements must be
1357 -- replaced by gotos which jump to the end of the routine and restore the
1358 -- SPARK mode.
1366 -- Save the SPARK_Mode-related data to restore on exit
1373 begin
1374 -- Do not analyze a contract multiple times
1380 -- Do not analyze the contract of the internal package
1381 -- created to check conformance of an actual package.
1382 -- Such an internal package is removed from the tree after
1383 -- legality checks are completed, and it does not contain
1384 -- the declarations of all local entities of the generic.
1388 then
1391 else
1396 -- Due to the timing of contract analysis, delayed pragmas may be
1397 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1398 -- context. To remedy this, restore the original SPARK_Mode of the
1399 -- related package.
1405 -- Locate and store pragmas Initial_Condition and Initializes, since
1406 -- their order of analysis matters.
1422 -- Analyze the initialization-related pragmas. Initializes must come
1423 -- before Initial_Condition due to item dependencies.
1434 -- Restore the SPARK_Mode of the enclosing context after all delayed
1435 -- pragmas have been analyzed.
1439 -- Capture all global references in a generic package now that the
1440 -- contract has been analyzed.
1443 Save_Global_References_In_Contract
1449 --------------------------------------------
1450 -- Analyze_Package_Instantiation_Contract --
1451 --------------------------------------------
1453 -- WARNING: This routine manages SPARK regions. Return statements must be
1454 -- replaced by gotos which jump to the end of the routine and restore the
1455 -- SPARK mode.
1463 -- Save the SPARK_Mode-related data to restore on exit
1468 begin
1469 -- Nothing to do when the package instantiation is erroneous or left
1470 -- partially decorated.
1479 -- Due to the timing of contract analysis, delayed pragmas may be
1480 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1481 -- context. To remedy this, restore the original SPARK_Mode of the
1482 -- related package.
1486 -- Check whether the lack of indicator Part_Of agrees with the placement
1487 -- of the package instantiation with respect to the state space. Nested
1488 -- package instantiations do not need to be checked because they inherit
1489 -- Part_Of indicator of the outermost package instantiation (see routine
1490 -- Propagate_Part_Of in Sem_Prag).
1499 -- Restore the SPARK_Mode of the enclosing context after all delayed
1500 -- pragmas have been analyzed.
1505 --------------------------------
1506 -- Analyze_Protected_Contract --
1507 --------------------------------
1512 begin
1513 -- Do not analyze a contract multiple times
1518 else
1524 -------------------------------------------
1525 -- Analyze_Subprogram_Body_Stub_Contract --
1526 -------------------------------------------
1532 begin
1533 -- A subprogram body stub may act as its own spec or as the completion
1534 -- of a previous declaration. Depending on the context, the contract of
1535 -- the stub may contain two sets of pragmas.
1537 -- The stub is a completion, the applicable pragmas are:
1538 -- Refined_Depends
1539 -- Refined_Global
1544 -- The stub acts as its own spec, the applicable pragmas are:
1545 -- Always_Terminates
1546 -- Contract_Cases
1547 -- Depends
1548 -- Exceptional_Cases
1549 -- Global
1550 -- Postcondition
1551 -- Precondition
1552 -- Subprogram_Variant
1553 -- Test_Case
1555 else
1560 ---------------------------
1561 -- Analyze_Task_Contract --
1562 ---------------------------
1564 -- WARNING: This routine manages SPARK regions. Return statements must be
1565 -- replaced by gotos which jump to the end of the routine and restore the
1566 -- SPARK mode.
1573 -- Save the SPARK_Mode-related data to restore on exit
1577 begin
1578 -- Do not analyze a contract multiple times
1583 else
1588 -- Due to the timing of contract analysis, delayed pragmas may be
1589 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1590 -- context. To remedy this, restore the original SPARK_Mode of the
1591 -- related task unit.
1595 -- Analyze Global first, as Depends may mention items classified in the
1596 -- global categorization.
1604 -- Depends must be analyzed after Global in order to see the modes of
1605 -- all global items.
1613 -- Restore the SPARK_Mode of the enclosing context after all delayed
1614 -- pragmas have been analyzed.
1619 ---------------------------
1620 -- Analyze_Type_Contract --
1621 ---------------------------
1624 begin
1625 Check_Type_Or_Object_External_Properties
1628 -- Analyze Pre/Post on access-to-subprogram type
1631 Analyze_Entry_Or_Subprogram_Contract
1636 ---------------------------------------
1637 -- Build_Subprogram_Contract_Wrapper --
1638 ---------------------------------------
1640 procedure Build_Subprogram_Contract_Wrapper
1645 is
1656 begin
1657 -- When there are no postcondition statements we do not need to
1658 -- generate a wrapper.
1664 -- Obtain the related subprogram id from the body id.
1668 else
1673 -- Generate the contracts wrapper by moving the original declarations
1674 -- and statements within a local subprogram, calling it and possibly
1675 -- preserving the result for the purpose of evaluating postconditions,
1676 -- contracts, type invariants, etc.
1678 -- In the case of a function, generate:
1679 --
1680 -- function Original_Func (X : in out Integer) return Typ is
1681 -- <prologue renamings>
1682 -- <preconditions>
1683 --
1684 -- function _Wrapped_Statements return Typ is
1685 -- <original declarations>
1686 -- begin
1687 -- <original statements>
1688 -- end;
1689 --
1690 -- begin
1691 -- return
1692 -- Result_Obj : constant Typ := _Wrapped_Statements
1693 -- do
1694 -- <postconditions statements>
1695 -- end return;
1696 -- end;
1698 -- Or else, in the case of a procedure, generate:
1699 --
1700 -- procedure Original_Proc (X : in out Integer) is
1701 -- <prologue renamings>
1702 -- <preconditions>
1703 --
1704 -- procedure _Wrapped_Statements is
1705 -- <original declarations>
1706 -- begin
1707 -- <original statements>
1708 -- end;
1709 --
1710 -- begin
1711 -- _Wrapped_Statements;
1712 -- <postconditions statements>
1713 -- end;
1715 -- Create Identifier
1722 Set_Has_Pragma_Inline_Always
1725 -- Create specification and declaration for the wrapper
1728 Wrapper_Spec :=
1731 else
1732 Wrapper_Spec :=
1738 -- Create the wrapper body using Body_Id's statements and declarations
1740 Wrapper_Body :=
1744 Handled_Statement_Sequence =>
1753 -- Prepend a call to the wrapper when the subprogram is a procedure
1759 Set_Statements
1762 -- Generate the post-execution statements and the extended return
1763 -- when the subprogram being wrapped is a function.
1765 else
1772 Object_Definition =>
1774 Expression =>
1776 Name =>
1778 Handled_Statement_Sequence =>
1784 ----------------------------------
1785 -- Build_Entry_Contract_Wrapper --
1786 ----------------------------------
1792 procedure Add_Discriminant_Renamings
1795 -- Add renaming declarations for all discriminants of concurrent type
1796 -- Conc_Typ. Obj_Id is the entity of the wrapper formal parameter which
1797 -- represents the concurrent object.
1799 procedure Add_Matching_Formals
1802 -- Add formal parameters that match those of entry E to list Formals.
1803 -- The routine also adds matching actuals for the new formals to list
1804 -- Actuals.
1807 -- Relocate pragma Prag to list To. The routine creates a new list if
1808 -- To does not exist.
1810 --------------------------------
1811 -- Add_Discriminant_Renamings --
1812 --------------------------------
1814 procedure Add_Discriminant_Renamings
1817 is
1821 begin
1822 -- Inspect the discriminants of the concurrent type and generate a
1823 -- renaming for each one.
1828 Renaming_Decl :=
1830 Defining_Identifier =>
1832 Subtype_Mark =>
1834 Name =>
1837 Selector_Name =>
1847 --------------------------
1848 -- Add_Matching_Formals --
1849 --------------------------
1851 procedure Add_Matching_Formals
1854 is
1858 begin
1859 -- Inspect the formal parameters of the entry and generate a new
1860 -- matching formal with the same name for the wrapper. A reference
1861 -- to the new formal becomes an actual in the entry call.
1871 Parameter_Type =>
1883 ---------------------
1884 -- Transfer_Pragma --
1885 ---------------------
1890 begin
1901 -- Local variables
1915 -- Start of processing for Build_Entry_Contract_Wrapper
1917 begin
1918 -- This routine generates a specialized wrapper for a protected or task
1919 -- entry [family] which implements precondition/postcondition semantics.
1920 -- Preconditions and case guards of contract cases are checked before
1921 -- the protected action or rendezvous takes place.
1923 -- procedure Wrapper
1924 -- (Obj_Id : Conc_Typ; -- concurrent object
1925 -- [Index : Index_Typ;] -- index of entry family
1926 -- [Formal_1 : ...; -- parameters of original entry
1927 -- Formal_N : ...])
1928 -- is
1929 -- [Discr_1 : ... renames Obj_Id.Discr_1; -- discriminant
1930 -- Discr_N : ... renames Obj_Id.Discr_N;] -- renamings
1932 -- <contracts pragmas>
1933 -- <case guard checks>
1935 -- begin
1936 -- Entry_Call (Obj_Id, [Index,] [Formal_1, Formal_N]);
1937 -- end Wrapper;
1939 -- Create the wrapper only when the entry has at least one executable
1940 -- contract item such as contract cases, precondition or postcondition.
1944 -- Inspect the list of pre/postconditions and transfer all available
1945 -- pragmas to the declarative list of the wrapper.
1950 | Name_Precondition
1952 then
1960 -- Inspect the list of test/contract cases and transfer only contract
1961 -- cases pragmas to the declarative part of the wrapper.
1967 then
1976 -- The entry lacks executable contract items and a wrapper is not needed
1982 -- Create the profile of the wrapper. The first formal parameter is the
1983 -- concurrent object.
1985 Obj_Id :=
1996 -- Construct the call to the original entry. The call will be gradually
1997 -- augmented with an optional entry index and extra parameters.
1999 Call_Nam :=
2004 -- When creating a wrapper for an entry family, the second formal is the
2005 -- entry index.
2013 Parameter_Type =>
2016 -- The call to the original entry becomes an indexed component to
2017 -- accommodate the entry index.
2019 Call_Nam :=
2025 -- Add formal parameters to match those of the entry and build actuals
2026 -- for the entry call.
2030 Call :=
2035 -- Add renaming declarations for the discriminants of the enclosing type
2036 -- as the various contract items may reference them.
2040 Wrapper_Id :=
2045 -- The wrapper body is analyzed when the enclosing type is frozen
2049 Specification =>
2054 Handled_Statement_Sequence =>
2059 ---------------------------
2060 -- Check_Class_Condition --
2061 ---------------------------
2063 procedure Check_Class_Condition
2068 is
2070 -- Check reference to formal of inherited operation or to primitive
2071 -- operation of root type.
2073 ------------------
2074 -- Check_Entity --
2075 ------------------
2081 begin
2084 and then
2086 and then
2089 then
2090 -- These checks do not apply to dispatching calls within the
2091 -- condition, but only to calls whose static tag is that of
2092 -- the parent type.
2097 then
2101 -- Determine whether entity has a renaming
2108 -- AI12-0166: A precondition for a protected operation
2109 -- cannot include an internal call to a protected function
2110 -- of the type. In the case of an inherited condition for an
2111 -- overriding operation, both the operation and the function
2112 -- are given by primitive wrappers.
2114 if Is_Precondition
2119 then
2121 Error_Msg_NE
2128 -- Check that there are no calls left to abstract operations if
2129 -- the current subprogram is not abstract.
2134 then
2137 then
2142 Error_Msg_NE
2145 else
2146 Error_Msg_NE
2151 -- In SPARK mode, report error on inherited condition for an
2152 -- inherited operation if it contains a call to an overriding
2153 -- operation, because this implies that the pre/postconditions
2154 -- of the inherited operation have changed silently.
2157 and then Warn_On_Suspicious_Contract
2161 then
2162 Error_Msg_N
2167 Error_Msg_NE
2180 -- Start of processing for Check_Class_Condition
2182 begin
2183 -- No check required if the subprograms match
2194 -----------------------------
2195 -- Create_Generic_Contract --
2196 -----------------------------
2203 -- Add a single contract-related source pragma Prag to the contract of
2204 -- generic template Templ_Id.
2206 ---------------------------------
2207 -- Add_Generic_Contract_Pragma --
2208 ---------------------------------
2213 begin
2214 -- Mark the pragma to prevent the premature capture of global
2215 -- references when capturing global references of the context
2216 -- (see Save_References_In_Pragma).
2220 -- Pragmas that apply to a generic subprogram declaration are not
2221 -- part of the semantic structure of the generic template:
2223 -- generic
2224 -- procedure Example (Formal : Integer);
2225 -- pragma Precondition (Formal > 0);
2227 -- Create a generic template for such pragmas and link the template
2228 -- of the pragma with the generic template.
2231 Rewrite
2238 -- Otherwise link the pragma with the generic template
2240 else
2244 exception
2245 -- We do not stop the compilation at this point in the case of an
2246 -- invalid pragma because it will be properly diagnosed afterward.
2251 -- Local variables
2256 -- Start of processing for Create_Generic_Contract
2258 begin
2259 -- A generic package declaration carries contract-related source pragmas
2260 -- in its visible declarations.
2269 -- A generic package body carries contract-related source pragmas in its
2270 -- declarations.
2279 -- Generic subprogram declaration
2284 else
2288 -- When the generic subprogram acts as a compilation unit, inspect
2289 -- the Pragmas_After list for contract-related source pragmas.
2294 then
2298 -- Otherwise inspect the successive declarations for contract-related
2299 -- source pragmas.
2301 else
2305 -- A generic subprogram body carries contract-related source pragmas in
2306 -- its declarations.
2316 -- Inspect the relevant declarations looking for contract-related source
2317 -- pragmas and add them to the contract of the generic unit.
2323 -- The source pragma is a contract annotation
2329 -- The region where a contract-related source pragma may appear
2330 -- ends with the first source non-pragma declaration or statement.
2332 else
2341 --------------------------------
2342 -- Expand_Subprogram_Contract --
2343 --------------------------------
2349 procedure Add_Invariant_And_Predicate_Checks
2353 -- Process the result of function Subp_Id (if applicable) and all its
2354 -- formals. Add invariant and predicate checks where applicable. The
2355 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
2356 -- function, Result contains the entity of parameter _Result, to be
2357 -- used in the creation of procedure _Postconditions.
2359 procedure Add_Stable_Property_Contracts
2361 -- Augment postcondition contracts to reflect Stable_Property aspect
2362 -- (if Class_Present = False) or Stable_Property'Class aspect (if
2363 -- Class_Present = True).
2366 -- Append a node to a list. If there is no list, create a new one. When
2367 -- the item denotes a pragma, it is added to the list only when it is
2368 -- enabled.
2370 procedure Process_Contract_Cases
2373 -- Process pragma Contract_Cases. This routine prepends items to the
2374 -- body declarations and appends items to list Stmts.
2377 -- Collect all [inherited] spec and body postconditions and accumulate
2378 -- their pragma Check equivalents in list Stmts.
2381 -- Collect all [inherited] spec and body preconditions and prepend their
2382 -- pragma Check equivalents to the declarations of the body.
2384 ----------------------------------------
2385 -- Add_Invariant_And_Predicate_Checks --
2386 ----------------------------------------
2388 procedure Add_Invariant_And_Predicate_Checks
2392 is
2394 -- Id denotes the return value of a function or a formal parameter.
2395 -- Add an invariant check if the type of Id is access to a type with
2396 -- invariants. The routine appends the generated code to Stmts.
2399 -- Determine whether type Typ can benefit from invariant checks. To
2400 -- qualify, the type must have a non-null invariant procedure and
2401 -- subprogram Subp_Id must appear visible from the point of view of
2402 -- the type.
2404 ---------------------------------
2405 -- Add_Invariant_Access_Checks --
2406 ---------------------------------
2413 begin
2420 Ref :=
2425 -- Generate:
2426 -- if <Id> /= null then
2427 -- <invariant_call (<Ref>)>
2428 -- end if;
2430 Append_Enabled_Item
2433 Condition =>
2444 -------------------------
2445 -- Invariant_Checks_OK --
2446 -------------------------
2450 -- Determine whether type Typ has public visibility of subprogram
2451 -- Subp_Id.
2453 -----------------------------------------
2454 -- Has_Public_Visibility_Of_Subprogram --
2455 -----------------------------------------
2460 begin
2461 -- An Initialization procedure must be considered visible even
2462 -- though it is internally generated.
2470 -- Internally generated code is never publicly visible except
2471 -- for a subprogram that is the implementation of an expression
2472 -- function. In that case the visibility is determined by the
2473 -- last check.
2476 and then
2478 or else not
2480 then
2483 -- Determine whether the subprogram is declared in the visible
2484 -- declarations of the package containing the type, or in the
2485 -- visible declaration of a child unit of that package.
2487 else
2488 declare
2495 begin
2496 return
2497 Decls = Visible_Declarations
2500 or else
2504 and then
2506 and then
2507 Decls = Visible_Declarations
2508 (Specification
2514 -- Start of processing for Invariant_Checks_OK
2516 begin
2517 return
2524 -- Local variables
2527 -- Source location of subprogram body contract
2532 -- Start of processing for Add_Invariant_And_Predicate_Checks
2534 begin
2537 -- Process the result of a function
2542 -- Generate _Result which is used in procedure _Postconditions to
2543 -- verify the return value.
2548 -- Add an invariant check when the return type has invariants and
2549 -- the related function is visible to the outside.
2552 Append_Enabled_Item
2558 -- Add an invariant check when the return type is an access to a
2559 -- type with invariants.
2564 -- Add invariant checks for all formals that qualify (see AI05-0289
2565 -- and AI12-0044).
2574 then
2576 Append_Enabled_Item
2584 -- Note: we used to add predicate checks for OUT and IN OUT
2585 -- formals here, but that was misguided, since such checks are
2586 -- performed on the caller side, based on the predicate of the
2587 -- actual, rather than the predicate of the formal.
2595 -----------------------------------
2596 -- Add_Stable_Property_Contracts --
2597 -----------------------------------
2599 procedure Add_Stable_Property_Contracts
2601 is
2604 procedure Insert_Stable_Property_Check
2606 -- Build the pragma for one check and insert it in the tree.
2608 function Make_Stable_Property_Condition
2610 -- Builds tree for "Func (Formal) = Func (Formal)'Old" expression.
2612 function Stable_Properties
2615 -- If no aspect specified, then returns length-zero result.
2616 -- Negated indicates that reserved word NOT was specified.
2618 ----------------------------------
2619 -- Insert_Stable_Property_Check --
2620 ----------------------------------
2622 procedure Insert_Stable_Property_Check
2626 New_List
2627 (Make_Pragma_Argument_Association
2629 Expression =>
2630 Make_Stable_Property_Condition
2633 Make_Pragma_Argument_Association
2635 Expression =>
2636 Make_String_Literal
2638 Strval =>
2639 "failed stable property check at "
2647 )));
2651 Pragma_Identifier =>
2657 begin
2658 -- Enclosing_Declaration may return, for example,
2659 -- a N_Procedure_Specification node. Cope with this.
2660 loop
2670 ------------------------------------
2671 -- Make_Stable_Property_Condition --
2672 ------------------------------------
2674 function Make_Stable_Property_Condition
2676 is
2678 (Make_Function_Call
2680 Name =>
2682 Parameter_Associations =>
2684 begin
2685 return Make_Op_Eq
2687 Call_Property_Function,
2688 Make_Attribute_Reference
2694 -----------------------
2695 -- Stable_Properties --
2696 -----------------------
2698 function Stable_Properties
2700 return Subprogram_List
2701 is
2703 Find_Value_Of_Aspect
2706 begin
2707 -- ??? For a derived type, we wish Find_Value_Of_Aspect
2708 -- somehow knew that this aspect is not inherited.
2709 -- But it doesn't, so we cope with that here.
2710 --
2711 -- There are probably issues here with inheritance from
2712 -- interface types, where just looking for the one parent type
2713 -- isn't enough. But this is far from the only work needed for
2714 -- Stable_Properties'Class for interface types.
2717 declare
2720 begin
2722 Find_Value_Of_Aspect
2725 then
2726 -- prevent inheritance
2734 -- This is a little bit subtle.
2735 -- We need to assign True in the Subp_Id case in order to
2736 -- distinguish between no aspect spec at all vs. an
2737 -- explicitly specified "with S_P => []" empty list.
2738 -- In both cases Stable_Properties will return a length-0
2739 -- array, but the two cases are not equivalent.
2740 -- Very roughly speaking the lack of an S_P aspect spec for
2741 -- a subprogram would be equivalent to something like
2742 -- "with S_P => [not]", where we apply the "not" modifier to
2743 -- an empty set of subprograms, if such a construct existed.
2744 -- We could just assign True here, but it seems untidy to
2745 -- return True in the case of an aspect spec for a type
2746 -- (since negation is only allowed for subp S_P aspects).
2749 else
2750 return Parse_Aspect_Stable_Properties
2762 -- start of processing for Add_Stable_Property_Contracts
2764 begin
2766 then
2778 then
2779 -- ??? Need to filter out checks for SPFs that are
2780 -- mentioned explicitly in the postcondition of
2781 -- Subp_Id.
2783 Insert_Stable_Property_Check
2789 declare
2795 function Excluded_By_Aspect_Spec_Of_Subp
2797 -- Examine Subp_Properties to determine whether SPF should
2798 -- be excluded.
2800 -------------------------------------
2801 -- Excluded_By_Aspect_Spec_Of_Subp --
2802 -------------------------------------
2804 function Excluded_By_Aspect_Spec_Of_Subp
2806 begin
2808 -- Look through renames for equality test here ???
2812 -- Look through renames for equality test here ???
2815 begin
2819 -- ??? Need to filter out checks for SPFs that are
2820 -- mentioned explicitly in the postcondition of
2821 -- Subp_Id.
2822 Insert_Stable_Property_Check
2833 -------------------------
2834 -- Append_Enabled_Item --
2835 -------------------------
2838 begin
2839 -- Do not chain ignored or disabled pragmas
2843 then
2846 -- Otherwise, add the item
2848 else
2853 -- If the pragma is a conjunct in a composite postcondition, it
2854 -- has been processed in reverse order. In the postcondition body
2855 -- it must appear before the others.
2860 then
2862 else
2868 ----------------------------
2869 -- Process_Contract_Cases --
2870 ----------------------------
2872 procedure Process_Contract_Cases
2875 is
2877 -- Process pragma Contract_Cases for subprogram Subp_Id
2879 --------------------------------
2880 -- Process_Contract_Cases_For --
2881 --------------------------------
2887 begin
2896 Expand_Pragma_Contract_Cases
2906 Expand_Pragma_Subprogram_Variant
2918 -- Start of processing for Process_Contract_Cases
2920 begin
2928 ----------------------------
2929 -- Process_Postconditions --
2930 ----------------------------
2934 -- Collect all [refined] postconditions of a specific kind denoted
2935 -- by Post_Nam that belong to the body, and generate pragma Check
2936 -- equivalents in list Stmts.
2939 -- Collect all [inherited] postconditions of the spec, and generate
2940 -- pragma Check equivalents in list Stmts.
2942 ---------------------------------
2943 -- Process_Body_Postconditions --
2944 ---------------------------------
2952 begin
2953 -- Process the contract
2960 then
2961 Append_Enabled_Item
2970 -- The subprogram body being processed is actually the proper body
2971 -- of a stub with a corresponding spec. The subprogram stub may
2972 -- carry a postcondition pragma, in which case it must be taken
2973 -- into account. The pragma appears after the stub.
2979 -- Note that non-matching pragmas are skipped
2984 then
2985 Append_Enabled_Item
2990 -- Skip internally generated code
2995 -- Postcondition pragmas are usually grouped together. There
2996 -- is no need to inspect the whole declarative list.
2998 else
3007 ---------------------------------
3008 -- Process_Spec_Postconditions --
3009 ---------------------------------
3017 -- Return True if the contract of subprogram Subp_Id has been
3018 -- processed.
3020 ---------------
3021 -- Seen_Subp --
3022 ---------------
3025 begin
3035 -- Local variables
3042 -- Start of processing for Process_Spec_Postconditions
3044 begin
3045 -- Process the contract
3054 then
3055 Append_Enabled_Item
3064 -- Process the contracts of all inherited subprograms, looking for
3065 -- class-wide postconditions.
3074 -- Wrappers of class-wide pre/postconditions reference the
3075 -- parent primitive that has the inherited contract.
3079 then
3092 then
3093 Item :=
3094 Build_Pragma_Check_Equivalent
3099 -- The pragma Check equivalent of the class-wide
3100 -- postcondition is still created even though the
3101 -- pragma may be ignored because the equivalent
3102 -- performs semantic checks.
3116 -- Stmts is passed as IN OUT to signal that the list can be updated,
3117 -- even if the corresponding integer value representing the list does
3118 -- not change.
3120 -- Start of processing for Process_Postconditions
3122 begin
3123 -- The processing of postconditions is done in reverse order (body
3124 -- first) to ensure the following arrangement:
3126 -- <refined postconditions from body>
3127 -- <postconditions from body>
3128 -- <postconditions from spec>
3129 -- <inherited postconditions>
3135 Process_Spec_Postconditions;
3139 ---------------------------
3140 -- Process_Preconditions --
3141 ---------------------------
3145 -- The insertion node after which all pragma Check equivalents are
3146 -- inserted.
3149 -- Prepend a single item to the declarations of the subprogram body
3152 -- Prepend a normal precondition to the declarations of the body and
3153 -- analyze it.
3156 -- Collect all preconditions of subprogram Subp_Id and prepend their
3157 -- pragma Check equivalents to the declarations of the body.
3159 ----------------------
3160 -- Prepend_To_Decls --
3161 ----------------------
3164 begin
3165 -- Ensure that the body has a declarative list
3175 -----------------------------
3176 -- Prepend_Pragma_To_Decls --
3177 -----------------------------
3182 begin
3183 -- Skip the sole class-wide precondition (if any) since it is
3184 -- processed by Merge_Class_Conditions.
3189 -- Accumulate the corresponding Check pragmas at the top of the
3190 -- declarations. Prepending the items ensures that they will be
3191 -- evaluated in their original order.
3193 else
3200 -------------------------------
3201 -- Process_Preconditions_For --
3202 -------------------------------
3211 begin
3212 -- Process the contract. If the body is an expression function
3213 -- that is a completion, freeze types within, because this may
3214 -- not have been done yet, when the subprogram declaration and
3215 -- its completion by an expression function appear in distinct
3216 -- declarative lists of the same unit (visible and private).
3218 Freeze_T :=
3229 then
3230 if Freeze_T
3232 then
3233 Freeze_Expr_Types
3236 Expr =>
3237 Expression
3249 -- The subprogram declaration being processed is actually a body
3250 -- stub. The stub may carry a precondition pragma, in which case
3251 -- it must be taken into account. The pragma appears after the
3252 -- stub.
3256 -- Inspect the declarations following the body stub
3261 -- Note that non-matching pragmas are skipped
3266 then
3270 -- Skip internally generated code
3275 -- Preconditions are usually grouped together. There is no
3276 -- need to inspect the whole declarative list.
3278 else
3287 -- Local variables
3293 -- Start of processing for Process_Preconditions
3295 begin
3296 -- Find the proper insertion point for all pragma Check equivalents
3302 -- First source declaration terminates the search, because all
3303 -- preconditions must be evaluated prior to it, by definition.
3308 -- Certain internally generated object renamings such as those
3309 -- for discriminants and protection fields must be elaborated
3310 -- before the preconditions are evaluated, as their expressions
3311 -- may mention the discriminants. The renamings include those
3312 -- for private components so we need to find the last such.
3317 loop
3323 -- Otherwise the declaration does not come from source. This
3324 -- also terminates the search, because internal code may raise
3325 -- exceptions which should not preempt the preconditions.
3327 else
3334 -- The processing of preconditions is done in reverse order (body
3335 -- first), because each pragma Check equivalent is inserted at the
3336 -- top of the declarations. This ensures that the final order is
3337 -- consistent with following diagram:
3339 -- <inherited preconditions>
3340 -- <preconditions from spec>
3341 -- <preconditions from body>
3345 -- Move the generated entry-call prologue renamings into the
3346 -- outer declarations for use in the preconditions.
3364 -- Local variables
3372 -- Start of processing for Expand_Subprogram_Contract
3374 begin
3375 -- Obtain the entity of the initial declaration
3379 else
3383 -- Do not perform expansion activity when it is not needed
3388 -- GNATprove does not need the executable semantics of a contract
3393 -- The contract of a generic subprogram or one declared in a generic
3394 -- context is not expanded, as the corresponding instance will provide
3395 -- the executable semantics of the contract.
3400 -- All subprograms carry a contract, but for some it is not significant
3401 -- and should not be processed. This is a small optimization.
3406 -- The contract of an ignored Ghost subprogram does not need expansion,
3407 -- because the subprogram and all calls to it will be removed.
3412 -- No action needed for helpers and indirect-call wrapper built to
3413 -- support class-wide preconditions.
3418 -- Do not re-expand the same contract. This scenario occurs when a
3419 -- construct is rewritten into something else during its analysis
3420 -- (expression functions for instance).
3426 -- Prevent multiple expansion attempts of the same contract
3430 -- Ensure that the formal parameters are visible when expanding all
3431 -- contract items.
3439 else
3444 -- The expansion of a subprogram contract involves the creation of Check
3445 -- pragmas to verify the contract assertions of the spec and body in a
3446 -- particular order. The order is as follows:
3448 -- function Original_Code (...) return ... is
3449 -- <prologue renamings>
3450 -- <inherited preconditions>
3451 -- <preconditions from spec>
3452 -- <preconditions from body>
3453 -- <contract case conditions>
3455 -- function _Wrapped_Statements (...) return ... is
3456 -- <source declarations>
3457 -- begin
3458 -- <source statements>
3459 -- end _Wrapped_Statements;
3461 -- begin
3462 -- return Result : constant ... := _Wrapped_Statements do
3463 -- <refined postconditions from body>
3464 -- <postconditions from body>
3465 -- <postconditions from spec>
3466 -- <inherited postconditions>
3467 -- <contract case consequences>
3468 -- <invariant check of function result>
3469 -- <invariant and predicate checks of parameters
3470 -- end return;
3471 -- end Original_Code;
3473 -- Step 1: augment contracts list with postconditions associated with
3474 -- Stable_Properties and Stable_Properties'Class aspects. This must
3475 -- precede Process_Postconditions.
3478 Add_Stable_Property_Contracts
3482 -- Step 2: Handle all preconditions. This action must come before the
3483 -- processing of pragma Contract_Cases because the pragma prepends items
3484 -- to the body declarations.
3488 -- Step 3: Handle all postconditions. This action must come before the
3489 -- processing of pragma Contract_Cases because the pragma appends items
3490 -- to list Stmts.
3494 -- Step 4: Handle pragma Contract_Cases. This action must come before
3495 -- the processing of invariants and predicates because those append
3496 -- items to list Stmts.
3500 -- Step 5: Apply invariant and predicate checks on a function result and
3501 -- all formals. The resulting checks are accumulated in list Stmts.
3505 -- Step 6: Construct subprogram _wrapped_statements
3507 -- When no statements are present we still need to insert contract
3508 -- related declarations.
3513 -- Otherwise, we need a wrapper
3515 else
3520 End_Scope;
3524 -------------------------------
3525 -- Freeze_Previous_Contracts --
3526 -------------------------------
3531 -- Determine whether arbitrary node N causes contract freezing. This is
3532 -- used as an assertion for the current body declaration that caused
3533 -- contract freezing, and as a condition to detect body declaration that
3534 -- already caused contract freezing before.
3538 -- Freeze the contracts of all eligible constructs which precede body
3539 -- Body_Decl.
3543 -- Freeze the contract of the nearest package body (if any) which
3544 -- encloses body Body_Decl.
3546 ------------------------------
3547 -- Causes_Contract_Freezing --
3548 ------------------------------
3551 begin
3552 -- The following condition matches guards for calls to
3553 -- Freeze_Previous_Contracts from routines that analyze various body
3554 -- declarations. In particular, it detects expression functions, as
3555 -- described in the call from Analyze_Subprogram_Body_Helper.
3557 return
3559 and then
3561 N_Entry_Body | N_Package_Body | N_Protected_Body |
3562 N_Subprogram_Body | N_Subprogram_Body_Stub | N_Task_Body;
3565 ----------------------
3566 -- Freeze_Contracts --
3567 ----------------------
3573 begin
3574 -- Nothing to do when the body which causes freezing does not appear
3575 -- in a declarative list because there cannot possibly be constructs
3576 -- with contracts.
3582 -- Inspect the declarations preceding the body, and freeze individual
3583 -- contracts of eligible constructs.
3588 -- Stop the traversal when a preceding construct that causes
3589 -- freezing is encountered as there is no point in refreezing
3590 -- the already frozen constructs.
3595 -- Entry or subprogram declarations
3598 | N_Entry_Declaration
3599 | N_Generic_Subprogram_Declaration
3600 | N_Subprogram_Declaration
3601 then
3602 Analyze_Entry_Or_Subprogram_Contract
3606 -- Objects
3609 Analyze_Object_Contract
3613 -- Protected units
3616 | N_Single_Protected_Declaration
3617 then
3620 -- Subprogram body stubs
3625 -- Task units
3628 | N_Task_Type_Declaration
3629 then
3634 | N_Private_Type_Declaration
3635 | N_Task_Type_Declaration
3636 | N_Protected_Type_Declaration
3637 | N_Formal_Type_Declaration
3638 then
3646 -----------------------------------
3647 -- Freeze_Enclosing_Package_Body --
3648 -----------------------------------
3654 begin
3655 -- Climb the parent chain looking for an enclosing package body. Do
3656 -- not use the scope stack, because a body utilizes the entity of its
3657 -- corresponding spec.
3662 Analyze_Package_Body_Contract
3668 -- Do not look for an enclosing package body when the construct
3669 -- which causes freezing is a body generated for an expression
3670 -- function and it appears within a package spec. This ensures
3671 -- that the traversal will not reach too far up the parent chain
3672 -- and attempt to freeze a package body which must not be frozen.
3674 -- package body Enclosing_Body
3675 -- with Refined_State => (State => Var)
3676 -- is
3677 -- package Nested is
3678 -- type Some_Type is ...;
3679 -- function Cause_Freezing return ...;
3680 -- private
3681 -- function Cause_Freezing is (...);
3682 -- end Nested;
3683 --
3684 -- Var : Nested.Some_Type;
3688 then
3691 -- Prevent the search from going too far
3701 -- Local variables
3705 -- Start of processing for Freeze_Previous_Contracts
3707 begin
3710 -- A body that is in the process of being inlined appears from source,
3711 -- but carries name _parent. Such a body does not cause freezing of
3712 -- contracts.
3718 Freeze_Enclosing_Package_Body;
3719 Freeze_Contracts;
3722 ---------------------------------
3723 -- Inherit_Subprogram_Contract --
3724 ---------------------------------
3726 procedure Inherit_Subprogram_Contract
3729 is
3731 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3732 -- Subp's contract.
3734 --------------------
3735 -- Inherit_Pragma --
3736 --------------------
3742 begin
3743 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3744 -- chains, therefore the node must be replicated. The new pragma is
3745 -- flagged as inherited for distinction purposes.
3755 -- Start of processing for Inherit_Subprogram_Contract
3757 begin
3758 -- Inheritance is carried out only when both entities are subprograms
3759 -- with contracts.
3764 then
3769 -------------------------------------
3770 -- Instantiate_Subprogram_Contract --
3771 -------------------------------------
3775 -- Instantiate all contract-related source pragmas found in the list,
3776 -- starting with pragma First_Prag. Each instantiated pragma is added
3777 -- to list L.
3779 -------------------------
3780 -- Instantiate_Pragmas --
3781 -------------------------
3787 begin
3791 Inst_Prag :=
3802 -- Local variables
3806 -- Start of processing for Instantiate_Subprogram_Contract
3808 begin
3816 --------------------------
3817 -- Is_Prologue_Renaming --
3818 --------------------------
3820 -- This should be turned into a flag and set during the expansion of
3821 -- task and protected types when the renamings get generated ???
3829 begin
3832 then
3837 -- Analyze the renaming declaration so we can further examine it
3846 -- A discriminant renaming appears as
3847 -- Discr : constant ... := Prefix.Discr;
3853 then
3856 -- A protection field renaming appears as
3857 -- Prot : ... := _object._object;
3859 -- A renamed private component is just a component of
3860 -- _object, with an arbitrary name.
3866 then
3875 -----------------------------------
3876 -- Make_Class_Precondition_Subps --
3877 -----------------------------------
3879 procedure Make_Class_Precondition_Subps
3882 is
3887 -- Build the indirect-call wrapper and append it to the freezing actions
3888 -- of Tagged_Type.
3890 procedure Add_Call_Helper
3893 -- Factorizes code for building a call helper with the given identifier
3894 -- and append it to the freezing actions of Tagged_Type. Is_Dynamic
3895 -- controls building the static or dynamic version of the helper.
3898 -- Build an unique new name adding suffix to Subp_Id name (plus its
3899 -- homonym number for values bigger than 1).
3901 -------------------------------
3902 -- Add_Indirect_Call_Wrapper --
3903 -------------------------------
3908 -- Build the body of the indirect call wrapper
3911 -- Build the declaration of the indirect call wrapper
3913 --------------------
3914 -- Build_ICW_Body --
3915 --------------------
3924 begin
3927 -- Build call to wrapped subprogram
3929 declare
3933 begin
3934 -- Build parameter association & call
3938 New_Occurrence_Of
3944 Call :=
3948 else
3949 Call :=
3951 Expression =>
3958 ICW_Body :=
3962 Handled_Statement_Sequence =>
3966 -- The new operation is internal and overriding indicators do not
3967 -- apply.
3974 --------------------
3975 -- Build_ICW_Decl --
3976 --------------------
3985 begin
3993 -- The indirect call wrapper is commonly used for indirect calls
3994 -- but inlined for direct calls performed from the DTW.
4004 -- Link original subprogram to indirect wrapper and vice versa
4009 -- Inherit debug info flag to allow debugging the wrapper
4018 -- Local Variables
4023 -- Start of processing for Add_Indirect_Call_Wrapper
4025 begin
4036 -- We cannot defer the analysis of this ICW wrapper when it is
4037 -- built as a consequence of building its partner DTW wrapper
4038 -- at the freezing point of the tagged type.
4045 ---------------------
4046 -- Add_Call_Helper --
4047 ---------------------
4049 procedure Add_Call_Helper
4052 is
4054 -- Build the body of a call helper
4057 -- Build the declaration of a call helper
4060 -- Build the specification of the helper
4062 ----------------------------
4063 -- Build_Call_Helper_Body --
4064 ----------------------------
4068 function Copy_And_Update_References
4070 -- Copy Expr updating references to formals of Helper_Id; update
4071 -- also references to loop identifiers of quantified expressions.
4073 --------------------------------
4074 -- Copy_And_Update_References --
4075 --------------------------------
4077 function Copy_And_Update_References
4079 is
4083 -- Traverse Expr and append to Assoc_List the mapping of loop
4084 -- identifers of quantified expressions with its new copy.
4086 ------------------------------------------------
4087 -- Map_Quantified_Expression_Loop_Identifiers --
4088 ------------------------------------------------
4092 -- Append to Assoc_List the mapping of loop identifers of
4093 -- quantified expressions with its new copy.
4095 --------------------
4096 -- Map_Loop_Param --
4097 --------------------
4100 is
4101 begin
4104 then
4105 declare
4108 begin
4120 begin
4124 -- Local variables
4129 -- Start of processing for Copy_And_Update_References
4131 begin
4140 Map_Quantified_Expression_Loop_Identifiers;
4145 -- Local variables
4154 -- Start of processing for Build_Call_Helper_Body
4156 begin
4167 -- Evaluate the expression if we are building a dynamic helper
4168 -- or we are building a static helper for a non-abstract tagged
4169 -- type; for abstract tagged types the helper just returns True
4170 -- since it is called by the indirect call wrapper (ICW).
4171 and then
4172 (Is_Dynamic
4173 or else
4175 then
4176 Return_Expr :=
4179 -- When the subprogram is compiled with assertions disabled the
4180 -- helper just returns True; done to avoid reporting errors at
4181 -- link time since a unit may be compiled with assertions disabled
4182 -- and another (which depends on it) compiled with assertions
4183 -- enabled.
4185 else
4191 Body_Stmts :=
4196 Helper_Body :=
4205 ----------------------------
4206 -- Build_Call_Helper_Decl --
4207 ----------------------------
4213 begin
4222 -- Inherit debug info flag from Subp_Id to Helper_Id to allow
4223 -- debugging of the helper subprogram.
4232 ----------------------------
4233 -- Build_Call_Helper_Spec --
4234 ----------------------------
4237 is
4247 begin
4248 -- Create a list of formal parameters with the same types as the
4249 -- original subprogram but changing the controlling formal.
4258 = N_Access_Definition
4259 then
4260 Param_Type :=
4267 else
4268 Param_Type :=
4273 else
4279 Defining_Identifier =>
4283 Null_Exclusion_Present => Null_Exclusion_Present
4291 return
4295 Result_Definition =>
4299 -- Local variables
4304 -- Start of processing for Add_Call_Helper
4306 begin
4310 -- Add the helper to the freezing actions of the tagged type
4318 -- If this helper is built as part of building the DTW at the
4319 -- freezing point of its tagged type then we cannot defer
4320 -- its analysis.
4328 -----------------------
4329 -- Build_Unique_Name --
4330 -----------------------
4333 begin
4334 -- Append the homonym number. Strip the leading space character in
4335 -- the image of natural numbers. Also do not add the homonym value
4336 -- of 1.
4339 declare
4342 begin
4351 -- Local variables
4355 -- Start of processing for Make_Class_Precondition_Subps
4357 begin
4360 then
4361 pragma Assert
4367 -- Build and add to the freezing actions of Tagged_Type its
4368 -- dynamic-call helper.
4370 Helper_Id :=
4375 -- Link original subprogram to helper and vice versa
4383 then
4384 -- Build and add to the freezing actions of Tagged_Type its
4385 -- static-call helper.
4387 Helper_Id :=
4393 -- Link original subprogram to helper and vice versa
4398 -- Build and add to the freezing actions of Tagged_Type the
4399 -- indirect-call wrapper.
4401 Add_Indirect_Call_Wrapper;
4406 ----------------------------------------------
4407 -- Process_Class_Conditions_At_Freeze_Point --
4408 ----------------------------------------------
4413 -- Check class-wide pre/postconditions of Spec_Id
4415 function Has_Class_Postconditions_Subprogram
4417 -- Return True if Spec_Id has (or inherits) a postconditions subprogram.
4419 function Has_Class_Preconditions_Subprogram
4421 -- Return True if Spec_Id has (or inherits) a preconditions subprogram.
4423 ----------------------------
4424 -- Check_Class_Conditions --
4425 ----------------------------
4430 begin
4435 Check_Class_Condition
4440 | Class_Precondition);
4445 -----------------------------------------
4446 -- Has_Class_Postconditions_Subprogram --
4447 -----------------------------------------
4449 function Has_Class_Postconditions_Subprogram
4451 begin
4452 return
4453 Present (Nearest_Class_Condition_Subprogram
4456 or else
4457 Present (Nearest_Class_Condition_Subprogram
4462 ----------------------------------------
4463 -- Has_Class_Preconditions_Subprogram --
4464 ----------------------------------------
4466 function Has_Class_Preconditions_Subprogram
4468 begin
4469 return
4470 Present (Nearest_Class_Condition_Subprogram
4473 or else
4474 Present (Nearest_Class_Condition_Subprogram
4479 -- Local variables
4484 -- Start of processing for Process_Class_Conditions_At_Freeze_Point
4486 begin
4492 then
4498 -- Handle wrapper of protected operation
4503 -- Check inherited class-wide conditions, excluding internal
4504 -- entities built for mapping of interface primitives.
4509 then
4518 ----------------------------
4519 -- Merge_Class_Conditions --
4520 ----------------------------
4525 -- Collect all inherited class-wide conditions of Spec_Id and merge
4526 -- them into one big condition.
4528 ----------------------------------
4529 -- Process_Inherited_Conditions --
4530 ----------------------------------
4537 function Inherit_Condition
4540 -- Inherit the class-wide condition from Par_Subp to Subp and adjust
4541 -- all the references to formals in the inherited condition.
4544 -- Merge two class-wide preconditions or postconditions (the former
4545 -- are merged using "or else", and the latter are merged using "and-
4546 -- then"). The changes are accumulated in parameter Into.
4549 -- Return True if the contract of subprogram Id has been processed
4551 -----------------------
4552 -- Inherit_Condition --
4553 -----------------------
4555 function Inherit_Condition
4558 is
4560 -- Used in assertion to check that Expr has no reference to the
4561 -- formals of Par_Subp.
4563 ---------------------
4564 -- Check_Condition --
4565 ---------------------
4571 -- Check occurrence of Par_Formal_Id
4573 ------------------
4574 -- Check_Entity --
4575 ------------------
4578 begin
4582 then
4591 -- Start of processing for Check_Condition
4593 begin
4607 -- Local variables
4614 begin
4623 -- Check that Parent field of all the nodes have their correct
4624 -- decoration; required because otherwise mapped nodes with
4625 -- wrong Parent field are left unmodified in the copied tree
4626 -- and cause reporting wrong errors at later stages.
4628 pragma Assert
4631 New_Condition :=
4632 New_Copy_Tree
4636 -- Ensure that the inherited condition has no reference to the
4637 -- formals of the parent subprogram.
4644 ----------------------
4645 -- Merge_Conditions --
4646 ----------------------
4650 -- Return the boolean expression argument of a condition while
4651 -- updating its parentheses count for the subsequent merge.
4653 --------------------
4654 -- Expression_Arg --
4655 --------------------
4658 begin
4666 -- Local variables
4672 -- Start of processing for Merge_Conditions
4674 begin
4677 -- Merge the two preconditions by "or else"-ing them
4679 when Ignored_Class_Precondition
4680 | Class_Precondition
4681 =>
4687 -- Merge the two postconditions by "and then"-ing them
4689 when Ignored_Class_Postcondition
4690 | Class_Postcondition
4691 =>
4699 ---------------
4700 -- Seen_Subp --
4701 ---------------
4704 begin
4714 -- Local variables
4722 -- Start of processing for Process_Inherited_Conditions
4724 begin
4727 -- Process parent primitives looking for nearest ancestor with
4728 -- class-wide conditions.
4735 then
4740 -- Wrappers of class-wide pre/postconditions reference the
4741 -- parent primitive that has the inherited contract and help
4742 -- us to climb fast.
4746 then
4752 then
4757 Cond := Inherit_Condition
4763 else
4767 Check_Class_Condition
4772 | Class_Precondition);
4773 Build_Class_Wide_Expression
4779 -- We are done as soon as we process the nearest ancestor
4786 -- Process the contract of interface primitives not covered by
4787 -- the nearest ancestor.
4800 then
4803 Cond := Inherit_Condition
4807 Check_Class_Condition
4812 | Class_Precondition);
4813 Build_Class_Wide_Expression
4821 else
4831 -- Local variables
4835 -- Start of processing for Merge_Class_Conditions
4837 begin
4841 -- If this subprogram has class-wide conditions then preanalyze
4842 -- them before processing inherited conditions since conditions
4843 -- are checked and merged from right to left.
4851 -- Preanalyze merged inherited conditions
4860 ---------------------------------
4861 -- Preanalyze_Class_Conditions --
4862 ---------------------------------
4867 begin
4877 --------------------------
4878 -- Preanalyze_Condition --
4879 --------------------------
4881 procedure Preanalyze_Condition
4884 is
4886 -- Clear unset references on formals of Subp since preanalysis
4887 -- occurs in a place unrelated to the actual code.
4890 -- Traverse Expr and clear the Controlling_Argument of calls to
4891 -- nonabstract functions.
4894 -- Traverse Expr searching for dispatching calls to functions whose
4895 -- original node was a selected component, and replace them with
4896 -- their original node.
4898 ----------------------------
4899 -- Clear_Unset_References --
4900 ----------------------------
4905 begin
4912 ----------------------------------
4913 -- Remove_Controlling_Arguments --
4914 ----------------------------------
4918 -- Reset the Controlling_Argument of calls to nonabstract
4919 -- function calls.
4921 ---------------------
4922 -- Remove_Ctrl_Arg --
4923 ---------------------
4926 begin
4930 then
4938 begin
4942 -----------------------------------------
4943 -- Restore_Original_Selected_Component --
4944 -----------------------------------------
4950 -- Traverse the subtree of N fixing the Parent field of all the
4951 -- nodes.
4954 -- Process dispatching calls to functions whose original node was
4955 -- a selected component, and replace them with their original
4956 -- node. Restored nodes are stored in the Restored_Nodes_List
4957 -- to fix the parent fields of their subtrees in a separate
4958 -- tree traversal.
4960 -----------------
4961 -- Fix_Parents --
4962 -----------------
4966 function Fix_Parent
4969 -- Process a single node
4971 ----------------
4972 -- Fix_Parent --
4973 ----------------
4975 function Fix_Parent
4978 is
4981 begin
4985 else
4996 begin
5000 ------------------
5001 -- Restore_Node --
5002 ------------------
5005 begin
5009 then
5013 -- Save the restored node in the Restored_Nodes_List to fix
5014 -- the parent fields of their subtrees in a separate tree
5015 -- traversal.
5025 -- Start of processing for Restore_Original_Selected_Component
5027 begin
5030 -- After restoring the original node we must fix the decoration
5031 -- of the Parent attribute to ensure tree consistency; required
5032 -- because when the class-wide condition is inherited, calls to
5033 -- New_Copy_Tree will perform copies of this subtree, and formal
5034 -- occurrences with wrong Parent field cannot be mapped to the
5035 -- new formals.
5038 declare
5041 begin
5050 -- Start of processing for Preanalyze_Condition
5052 begin
5063 End_Scope;
5065 -- If this preanalyzed condition has occurrences of dispatching calls
5066 -- using the Object.Operation notation, during preanalysis such calls
5067 -- are rewritten as dispatching function calls; if at later stages
5068 -- this condition is inherited we must have restored the original
5069 -- selected-component node to ensure that the preanalysis of the
5070 -- inherited condition rewrites these dispatching calls in the
5071 -- correct context to avoid reporting spurious errors.
5073 Restore_Original_Selected_Component;
5075 -- Traverse Expr and clear the Controlling_Argument of calls to
5076 -- nonabstract functions. Required since the preanalyzed condition
5077 -- is not yet installed on its definite context and will be cloned
5078 -- and extended in derivations with additional conditions.
5080 Remove_Controlling_Arguments;
5082 -- Clear also attribute Unset_Reference; again because preanalysis
5083 -- occurs in a place unrelated to the actual code.
5085 Clear_Unset_References;
5088 ----------------------------------------
5089 -- Save_Global_References_In_Contract --
5090 ----------------------------------------
5092 procedure Save_Global_References_In_Contract
5095 is
5097 -- Save all global references in contract-related source pragmas found
5098 -- in the list, starting with pragma First_Prag.
5100 ------------------------------------
5101 -- Save_Global_References_In_List --
5102 ------------------------------------
5107 begin
5117 -- Local variables
5121 -- Start of processing for Save_Global_References_In_Contract
5123 begin
5124 -- The entity of the analyzed generic copy must be on the scope stack
5125 -- to ensure proper detection of global references.
5131 then
5141 Pop_Scope;
5144 -------------------------
5145 -- Set_Class_Condition --
5146 -------------------------
5148 procedure Set_Class_Condition
5152 is
5153 begin