1 ------------------------------------------------------------------------------
3 -- GNAT COMPILER COMPONENTS --
5 -- S Y S T E M . V A L _ U T I L --
9 -- Copyright (C) 1992-2023, Free Software Foundation, Inc. --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. --
18 -- As a special exception under Section 7 of GPL version 3, you are granted --
19 -- additional permissions described in the GCC Runtime Library Exception, --
20 -- version 3.1, as published by the Free Software Foundation. --
22 -- You should have received a copy of the GNU General Public License and --
23 -- a copy of the GCC Runtime Library Exception along with this program; --
24 -- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see --
25 -- <http://www.gnu.org/licenses/>. --
27 -- GNAT was originally developed by the GNAT team at New York University. --
28 -- Extensive contributions were provided by Ada Core Technologies Inc. --
30 ------------------------------------------------------------------------------
32 -- Ghost code, loop invariants and assertions in this unit are meant for
33 -- analysis only, not for run-time checking, as it would be too costly
34 -- otherwise. This is enforced by setting the assertion policy to Ignore.
36 pragma Assertion_Policy
(Ghost
=> Ignore
,
37 Loop_Invariant
=> Ignore
,
40 with System
.Case_Util
; use System
.Case_Util
;
42 package body System
.Val_Util
50 procedure Bad_Value
(S
: String) is
51 pragma Annotate
(GNATprove
, Intentional
, "exception might be raised",
52 "Intentional exception from Bad_Value");
54 -- Bad_Value might be called with very long strings allocated on the
55 -- heap. Limit the size of the message so that we avoid creating a
56 -- Storage_Error during error handling.
57 if S
'Length > 127 then
58 raise Constraint_Error
with "bad input for 'Value: """
59 & S
(S
'First .. S
'First + 127) & "...""";
61 raise Constraint_Error
with "bad input for 'Value: """ & S
& '"';
65 ---------------------------
66 -- First_Non_Space_Ghost --
67 ---------------------------
69 function First_Non_Space_Ghost
71 From
, To
: Integer) return Positive
74 for J
in From
.. To
loop
79 pragma Loop_Invariant
(for all K
in From
.. J
=> S
(K
) = ' ');
83 end First_Non_Space_Ghost
;
85 -----------------------
86 -- Last_Number_Ghost --
87 -----------------------
89 function Last_Number_Ghost
(Str
: String) return Positive is
91 for J
in Str
'Range loop
92 if Str
(J
) not in '0' .. '9' |
'_' then
97 (for all K
in Str
'First .. J
=> Str
(K
) in '0' .. '9' |
'_');
101 end Last_Number_Ghost
;
103 ----------------------
104 -- Normalize_String --
105 ----------------------
107 procedure Normalize_String
115 -- Case of empty string
121 -- Scan for leading spaces
123 while F
< L
and then S
(F
) = ' ' loop
124 pragma Loop_Invariant
(F
in S
'First .. L
- 1);
125 pragma Loop_Invariant
(for all J
in S
'First .. F
=> S
(J
) = ' ');
126 pragma Loop_Variant
(Increases
=> F
);
130 -- Case of no nonspace characters found. Decrease L to ensure L < F
131 -- without risking an overflow if F is Integer'Last.
138 -- Scan for trailing spaces
140 while S
(L
) = ' ' loop
141 pragma Loop_Invariant
(L
in F
+ 1 .. S
'Last);
142 pragma Loop_Invariant
(for all J
in L
.. S
'Last => S
(J
) = ' ');
143 pragma Loop_Variant
(Decreases
=> L
);
147 -- Except in the case of a character literal, convert to upper case
151 S
(J
) := To_Upper
(S
(J
));
152 pragma Loop_Invariant
153 (for all K
in F
.. J
=> S
(K
) = To_Upper
(S
'Loop_Entry (K
)));
156 end Normalize_String
;
162 procedure Scan_Exponent
164 Ptr
: not null access Integer;
167 Real
: Boolean := False)
169 P
: Integer := Ptr
.all;
175 or else (Str
(P
) /= 'E' and then Str
(P
) /= 'e')
181 (CodePeer
, False_Positive
, "test always false",
182 "the slice might be empty or not start with an 'e'");
184 -- We have an E/e, see if sign follows
188 if Str
(P
) = '+' then
198 elsif Str
(P
) = '-' then
201 if P
> Max
or else not Real
then
212 if Str
(P
) not in '0' .. '9' then
217 -- Scan out the exponent value as an unsigned integer. Values larger
218 -- than (Integer'Last / 10) are simply considered large enough here.
219 -- This assumption is correct for all machines we know of (e.g. in the
220 -- case of 16 bit integers it allows exponents up to 3276, which is
221 -- large enough for the largest floating types in base 2.)
226 Rest
: constant String := Str
(P
.. Max
) with Ghost
;
227 Last
: constant Natural := Last_Number_Ghost
(Rest
) with Ghost
;
230 pragma Assert
(Is_Natural_Format_Ghost
(Rest
));
233 pragma Assert
(Str
(P
) in '0' .. '9');
235 if X
< (Integer'Last / 10) then
236 X
:= X
* 10 + (Character'Pos (Str
(P
)) - Character'Pos ('0'));
239 pragma Loop_Invariant
(X
>= 0);
240 pragma Loop_Invariant
(P
in Rest
'First .. Last
);
241 pragma Loop_Invariant
(Str
(P
) in '0' .. '9');
242 pragma Loop_Invariant
243 (Scan_Natural_Ghost
(Rest
, Rest
'First, 0)
244 = Scan_Natural_Ghost
(Rest
, P
+ 1, X
));
250 if Str
(P
) = '_' then
251 Scan_Underscore
(Str
, P
, Ptr
, Max
, False);
253 exit when Str
(P
) not in '0' .. '9';
257 pragma Assert
(P
= Last
+ 1);
272 procedure Scan_Plus_Sign
274 Ptr
: not null access Integer;
276 Start
: out Positive)
278 P
: Integer := Ptr
.all;
285 -- Scan past initial blanks
287 while Str
(P
) = ' ' loop
290 pragma Loop_Invariant
(Ptr
.all = Ptr
.all'Loop_Entry);
291 pragma Loop_Invariant
(P
in Ptr
.all .. Max
);
292 pragma Loop_Invariant
(for some J
in P
.. Max
=> Str
(J
) /= ' ');
293 pragma Loop_Invariant
294 (for all J
in Ptr
.all .. P
- 1 => Str
(J
) = ' ');
304 pragma Assert
(Start
= First_Non_Space_Ghost
(Str
, Ptr
.all, Max
));
306 -- Skip past an initial plus sign
308 if Str
(P
) = '+' then
326 Ptr
: not null access Integer;
329 Start
: out Positive)
331 P
: Integer := Ptr
.all;
334 -- Deal with case of null string (all blanks). As per spec, we raise
335 -- constraint error, with Ptr unchanged, and thus > Max.
341 -- Scan past initial blanks
343 while Str
(P
) = ' ' loop
346 pragma Loop_Invariant
(Ptr
.all = Ptr
.all'Loop_Entry);
347 pragma Loop_Invariant
(P
in Ptr
.all .. Max
);
348 pragma Loop_Invariant
(for some J
in P
.. Max
=> Str
(J
) /= ' ');
349 pragma Loop_Invariant
350 (for all J
in Ptr
.all .. P
- 1 => Str
(J
) = ' ');
360 pragma Assert
(Start
= First_Non_Space_Ghost
(Str
, Ptr
.all, Max
));
362 -- Remember an initial minus sign
364 if Str
(P
) = '-' then
373 -- Skip past an initial plus sign
375 elsif Str
(P
) = '+' then
391 --------------------------
392 -- Scan_Trailing_Blanks --
393 --------------------------
395 procedure Scan_Trailing_Blanks
(Str
: String; P
: Positive) is
397 for J
in P
.. Str
'Last loop
398 if Str
(J
) /= ' ' then
402 pragma Loop_Invariant
(for all K
in P
.. J
=> Str
(K
) = ' ');
404 end Scan_Trailing_Blanks
;
406 ---------------------
407 -- Scan_Underscore --
408 ---------------------
410 procedure Scan_Underscore
413 Ptr
: not null access Integer;
422 -- If underscore is at the end of string, then this is an error and we
423 -- raise Constraint_Error, leaving the pointer past the underscore. This
424 -- seems a bit strange. It means e.g. that if the field is:
428 -- that Constraint_Error is raised. You might think that the RM in this
429 -- case would scan out the 345 as a valid integer, leaving the pointer
430 -- at the underscore, but the ACVC suite clearly requires an error in
431 -- this situation (see for example CE3704M).
438 -- Similarly, if no digit follows the underscore raise an error. This
439 -- also catches the case of double underscore which is also an error.
444 or else (Ext
and then (C
in 'A' .. 'F' or else C
in 'a' .. 'f'))