| blob | ebaecc09512d8923c6d87f4e4bb54e204283edab |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
53 procedure Analyze_Contracts
57 -- Subsidiary to the one parameter version of Analyze_Contracts and routine
58 -- Analyze_Previous_Constracts. Analyze the contracts of all constructs in
59 -- the list L. If Freeze_Nod is set, then the analysis stops when the node
60 -- is reached. Freeze_Id is the entity of some related context which caused
61 -- freezing up to node Freeze_Nod.
64 -- Expand the contracts of a subprogram body and its correspoding spec (if
65 -- any). This routine processes all [refined] pre- and postconditions as
66 -- well as Contract_Cases, invariants and predicates. Body_Id denotes the
67 -- entity of the subprogram body.
69 -----------------------
70 -- Add_Contract_Item --
71 -----------------------
77 -- Prepend Prag to the list of classifications
80 -- Prepend Prag to the list of contract and test cases
83 -- Prepend Prag to the list of pre- and postconditions
85 ------------------------
86 -- Add_Classification --
87 ------------------------
90 begin
95 ----------------------------
96 -- Add_Contract_Test_Case --
97 ----------------------------
100 begin
105 ----------------------------
106 -- Add_Pre_Post_Condition --
107 ----------------------------
110 begin
115 -- Local variables
119 -- Start of processing for Add_Contract_Item
121 begin
122 -- A contract must contain only pragmas
127 -- Create a new contract when adding the first item
134 -- Constants, the applicable pragmas are:
135 -- Part_Of
139 Add_Classification;
141 -- The pragma is not a proper contract item
143 else
147 -- Entry bodies, the applicable pragmas are:
148 -- Refined_Depends
149 -- Refined_Global
150 -- Refined_Post
154 Add_Classification;
157 Add_Pre_Post_Condition;
159 -- The pragma is not a proper contract item
161 else
165 -- Entry or subprogram declarations, the applicable pragmas are:
166 -- Attach_Handler
167 -- Contract_Cases
168 -- Depends
169 -- Extensions_Visible
170 -- Global
171 -- Interrupt_Handler
172 -- Postcondition
173 -- Precondition
174 -- Test_Case
175 -- Volatile_Function
179 E_Generic_Function,
180 E_Generic_Procedure,
181 E_Procedure)
182 then
185 then
186 Add_Classification;
189 Name_Extensions_Visible,
190 Name_Global)
191 then
192 Add_Classification;
196 then
197 Add_Classification;
200 Add_Contract_Test_Case;
203 Add_Pre_Post_Condition;
205 -- The pragma is not a proper contract item
207 else
211 -- Packages or instantiations, the applicable pragmas are:
212 -- Abstract_States
213 -- Initial_Condition
214 -- Initializes
215 -- Part_Of (instantiation only)
219 Name_Initial_Condition,
220 Name_Initializes)
221 then
222 Add_Classification;
224 -- Indicator Part_Of must be associated with a package instantiation
227 Add_Classification;
229 -- The pragma is not a proper contract item
231 else
235 -- Package bodies, the applicable pragmas are:
236 -- Refined_States
240 Add_Classification;
242 -- The pragma is not a proper contract item
244 else
248 -- Protected units, the applicable pragmas are:
249 -- Part_Of
253 Add_Classification;
255 -- The pragma is not a proper contract item
257 else
261 -- Subprogram bodies, the applicable pragmas are:
262 -- Postcondition
263 -- Precondition
264 -- Refined_Depends
265 -- Refined_Global
266 -- Refined_Post
270 Add_Classification;
273 Name_Precondition,
274 Name_Refined_Post)
275 then
276 Add_Pre_Post_Condition;
278 -- The pragma is not a proper contract item
280 else
284 -- Task bodies, the applicable pragmas are:
285 -- Refined_Depends
286 -- Refined_Global
290 Add_Classification;
292 -- The pragma is not a proper contract item
294 else
298 -- Task units, the applicable pragmas are:
299 -- Depends
300 -- Global
301 -- Part_Of
305 Add_Classification;
307 -- The pragma is not a proper contract item
309 else
313 -- Variables, the applicable pragmas are:
314 -- Async_Readers
315 -- Async_Writers
316 -- Constant_After_Elaboration
317 -- Depends
318 -- Effective_Reads
319 -- Effective_Writes
320 -- Global
321 -- Part_Of
325 Name_Async_Writers,
326 Name_Constant_After_Elaboration,
327 Name_Depends,
328 Name_Effective_Reads,
329 Name_Effective_Writes,
330 Name_Global,
331 Name_Part_Of)
332 then
333 Add_Classification;
335 -- The pragma is not a proper contract item
337 else
343 -----------------------
344 -- Analyze_Contracts --
345 -----------------------
348 begin
352 procedure Analyze_Contracts
356 is
359 begin
363 -- The caller requests that the traversal stops at a particular node
364 -- that causes contract "freezing".
370 -- Entry or subprogram declarations
373 N_Entry_Declaration,
374 N_Generic_Subprogram_Declaration,
375 N_Subprogram_Declaration)
376 then
377 Analyze_Entry_Or_Subprogram_Contract
381 -- Entry or subprogram bodies
386 -- Objects
389 Analyze_Object_Contract
393 -- Protected untis
396 N_Single_Protected_Declaration)
397 then
400 -- Subprogram body stubs
405 -- Task units
408 N_Task_Type_Declaration)
409 then
417 -----------------------------------------------
418 -- Analyze_Entry_Or_Subprogram_Body_Contract --
419 -----------------------------------------------
427 begin
428 -- When a subprogram body declaration is illegal, its defining entity is
429 -- left unanalyzed. There is nothing left to do in this case because the
430 -- body lacks a contract, or even a proper Ekind.
435 -- Do not analyze a contract multiple times
440 else
445 -- Due to the timing of contract analysis, delayed pragmas may be
446 -- subject to the wrong SPARK_Mode, usually that of the enclosing
447 -- context. To remedy this, restore the original SPARK_Mode of the
448 -- related subprogram body.
452 -- Ensure that the contract cases or postconditions mention 'Result or
453 -- define a post-state.
457 -- A stand-alone nonvolatile function body cannot have an effectively
458 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
459 -- check is relevant only when SPARK_Mode is on, as it is not a standard
460 -- legality rule. The check is performed here because Volatile_Function
461 -- is processed after the analysis of the related subprogram body.
466 then
470 -- Restore the SPARK_Mode of the enclosing context after all delayed
471 -- pragmas have been analyzed.
475 -- Capture all global references in a generic subprogram body now that
476 -- the contract has been analyzed.
479 Save_Global_References_In_Contract
484 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
485 -- invariants and predicates associated with body and its spec. Do not
486 -- expand the contract of subprogram body stubs.
493 ------------------------------------------
494 -- Analyze_Entry_Or_Subprogram_Contract --
495 ------------------------------------------
497 procedure Analyze_Entry_Or_Subprogram_Contract
500 is
506 and then not ASIS_Mode
515 begin
516 -- Do not analyze a contract multiple times
521 else
526 -- Due to the timing of contract analysis, delayed pragmas may be
527 -- subject to the wrong SPARK_Mode, usually that of the enclosing
528 -- context. To remedy this, restore the original SPARK_Mode of the
529 -- related subprogram body.
533 -- All subprograms carry a contract, but for some it is not significant
534 -- and should not be processed.
541 -- Do not analyze the pre/postconditions of an entry declaration
542 -- unless annotating the original tree for ASIS or GNATprove. The
543 -- real analysis occurs when the pre/postconditons are relocated to
544 -- the contract wrapper procedure (see Build_Contract_Wrapper).
549 -- Otherwise analyze the pre/postconditions
551 else
559 -- Analyze contract-cases and test-cases
567 -- Do not analyze the contract cases of an entry declaration
568 -- unless annotating the original tree for ASIS or GNATprove.
569 -- The real analysis occurs when the contract cases are moved
570 -- to the contract wrapper procedure (Build_Contract_Wrapper).
575 -- Otherwise analyze the contract cases
577 else
580 else
588 -- Analyze classification pragmas
604 -- Analyze Global first, as Depends may mention items classified in
605 -- the global categorization.
611 -- Depends must be analyzed after Global in order to see the modes of
612 -- all global items.
618 -- Ensure that the contract cases or postconditions mention 'Result
619 -- or define a post-state.
624 -- A nonvolatile function cannot have an effectively volatile formal
625 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
626 -- only when SPARK_Mode is on, as it is not a standard legality rule.
627 -- The check is performed here because pragma Volatile_Function is
628 -- processed after the analysis of the related subprogram declaration.
633 then
637 -- Restore the SPARK_Mode of the enclosing context after all delayed
638 -- pragmas have been analyzed.
642 -- Capture all global references in a generic subprogram now that the
643 -- contract has been analyzed.
646 Save_Global_References_In_Contract
652 -----------------------------
653 -- Analyze_Object_Contract --
654 -----------------------------
656 procedure Analyze_Object_Contract
659 is
673 begin
674 -- The loop parameter in an element iterator over a formal container
675 -- is declared with an object declaration, but no contracts apply.
681 -- Do not analyze a contract multiple times
688 else
693 -- The anonymous object created for a single concurrent type inherits
694 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
695 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
696 -- of the enclosing context. To remedy this, restore the original mode
697 -- of the related anonymous object.
701 then
706 -- Constant-related checks
710 -- Analyze indicator Part_Of
714 -- Check whether the lack of indicator Part_Of agrees with the
715 -- placement of the constant with respect to the state space.
721 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
722 -- This check is relevant only when SPARK_Mode is on, as it is not
723 -- a standard Ada legality rule. Internally-generated constants that
724 -- map generic formals to actuals in instantiations are allowed to
725 -- be volatile.
731 then
735 -- Variable-related checks
739 -- Analyze all external properties
769 -- Verify the mutual interaction of the various external properties
775 -- The anonymous object created for a single concurrent type carries
776 -- pragmas Depends and Globat of the type.
780 -- Analyze Global first, as Depends may mention items classified
781 -- in the global categorization.
789 -- Depends must be analyzed after Global in order to see the modes
790 -- of all global items.
801 -- Analyze indicator Part_Of
806 -- The variable is a constituent of a single protected/task type
807 -- and behaves as a component of the type. Verify that references
808 -- to the variable occur within the definition or body of the type
809 -- (SPARK RM 9.3).
812 and then Is_Single_Concurrent_Object
815 then
823 -- Otherwise check whether the lack of indicator Part_Of agrees with
824 -- the placement of the variable with respect to the state space.
826 else
830 -- The following checks are relevant only when SPARK_Mode is on, as
831 -- they are not standard Ada legality rules. Internally generated
832 -- temporaries are ignored.
837 -- The declaration of an effectively volatile object must
838 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
841 Error_Msg_N
843 Obj_Id);
845 -- An object of a discriminated type cannot be effectively
846 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
850 then
851 Error_Msg_N
854 -- An object of a tagged type cannot be effectively volatile
855 -- (SPARK RM C.6(5)).
861 -- The object is not effectively volatile
863 else
864 -- A non-effectively volatile object cannot have effectively
865 -- volatile components (SPARK RM 7.1.3(6)).
869 then
870 Error_Msg_N
872 Obj_Id);
876 -- A variable whose Part_Of pragma specifies a single concurrent
877 -- type as encapsulator must be (SPARK RM 9.4):
878 -- * Of a type that defines full default initialization, or
879 -- * Declared with a default value, or
880 -- * Imported
889 then
893 Error_Msg_N
900 -- Common checks
904 -- A Ghost object cannot be of a type that yields a synchronized
905 -- object (SPARK RM 6.9(19)).
910 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(8) and
911 -- SPARK RM 6.9(19)).
916 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(8)).
917 -- One exception to this is the object that represents the dispatch
918 -- table of a Ghost tagged type, as the symbol needs to be exported.
928 -- Restore the SPARK_Mode of the enclosing context after all delayed
929 -- pragmas have been analyzed.
936 -----------------------------------
937 -- Analyze_Package_Body_Contract --
938 -----------------------------------
940 procedure Analyze_Package_Body_Contract
943 is
950 begin
951 -- Do not analyze a contract multiple times
956 else
961 -- Due to the timing of contract analysis, delayed pragmas may be
962 -- subject to the wrong SPARK_Mode, usually that of the enclosing
963 -- context. To remedy this, restore the original SPARK_Mode of the
964 -- related package body.
970 -- The analysis of pragma Refined_State detects whether the spec has
971 -- abstract states available for refinement.
976 -- State refinement is required when the package declaration defines at
977 -- least one abstract state. Null states are not considered. Refinement
978 -- is not enforced when SPARK checks are turned off.
982 then
986 -- Restore the SPARK_Mode of the enclosing context after all delayed
987 -- pragmas have been analyzed.
991 -- Capture all global references in a generic package body now that the
992 -- contract has been analyzed.
995 Save_Global_References_In_Contract
1001 ------------------------------
1002 -- Analyze_Package_Contract --
1003 ------------------------------
1014 begin
1015 -- Do not analyze a contract multiple times
1020 else
1025 -- Due to the timing of contract analysis, delayed pragmas may be
1026 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1027 -- context. To remedy this, restore the original SPARK_Mode of the
1028 -- related package.
1034 -- Locate and store pragmas Initial_Condition and Initializes, since
1035 -- their order of analysis matters.
1051 -- Analyze the initialization-related pragmas. Initializes must come
1052 -- before Initial_Condition due to item dependencies.
1063 -- Check whether the lack of indicator Part_Of agrees with the placement
1064 -- of the package instantiation with respect to the state space.
1074 -- Restore the SPARK_Mode of the enclosing context after all delayed
1075 -- pragmas have been analyzed.
1079 -- Capture all global references in a generic package now that the
1080 -- contract has been analyzed.
1083 Save_Global_References_In_Contract
1089 --------------------------------
1090 -- Analyze_Previous_Contracts --
1091 --------------------------------
1097 begin
1098 -- A body that is in the process of being inlined appears from source,
1099 -- but carries name _parent. Such a body does not cause "freezing" of
1100 -- contracts.
1106 -- Climb the parent chain looking for an enclosing package body. Do not
1107 -- use the scope stack, as a body uses the entity of its corresponding
1108 -- spec.
1113 Analyze_Package_Body_Contract
1123 -- Analyze the contracts of all eligible construct up to the body which
1124 -- caused the "freezing".
1127 Analyze_Contracts
1134 --------------------------------
1135 -- Analyze_Protected_Contract --
1136 --------------------------------
1142 begin
1143 -- Do not analyze a contract multiple times
1148 else
1153 -- Due to the timing of contract analysis, delayed pragmas may be
1154 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1155 -- context. To remedy this, restore the original SPARK_Mode of the
1156 -- related protected unit.
1160 -- A protected type must define full default initialization
1161 -- (SPARK RM 9.4). This check is relevant only when SPARK_Mode is on as
1162 -- it is not a standard Ada legality rule.
1166 then
1167 Error_Msg_N
1169 Prot_Id);
1172 -- Restore the SPARK_Mode of the enclosing context after all delayed
1173 -- pragmas have been analyzed.
1178 -------------------------------------------
1179 -- Analyze_Subprogram_Body_Stub_Contract --
1180 -------------------------------------------
1186 begin
1187 -- A subprogram body stub may act as its own spec or as the completion
1188 -- of a previous declaration. Depending on the context, the contract of
1189 -- the stub may contain two sets of pragmas.
1191 -- The stub is a completion, the applicable pragmas are:
1192 -- Refined_Depends
1193 -- Refined_Global
1198 -- The stub acts as its own spec, the applicable pragmas are:
1199 -- Contract_Cases
1200 -- Depends
1201 -- Global
1202 -- Postcondition
1203 -- Precondition
1204 -- Test_Case
1206 else
1211 ---------------------------
1212 -- Analyze_Task_Contract --
1213 ---------------------------
1220 begin
1221 -- Do not analyze a contract multiple times
1226 else
1231 -- Due to the timing of contract analysis, delayed pragmas may be
1232 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1233 -- context. To remedy this, restore the original SPARK_Mode of the
1234 -- related task unit.
1238 -- Analyze Global first, as Depends may mention items classified in the
1239 -- global categorization.
1247 -- Depends must be analyzed after Global in order to see the modes of
1248 -- all global items.
1256 -- Restore the SPARK_Mode of the enclosing context after all delayed
1257 -- pragmas have been analyzed.
1262 -----------------------------
1263 -- Create_Generic_Contract --
1264 -----------------------------
1271 -- Add a single contract-related source pragma Prag to the contract of
1272 -- generic template Templ_Id.
1274 ---------------------------------
1275 -- Add_Generic_Contract_Pragma --
1276 ---------------------------------
1281 begin
1282 -- Mark the pragma to prevent the premature capture of global
1283 -- references when capturing global references of the context
1284 -- (see Save_References_In_Pragma).
1288 -- Pragmas that apply to a generic subprogram declaration are not
1289 -- part of the semantic structure of the generic template:
1291 -- generic
1292 -- procedure Example (Formal : Integer);
1293 -- pragma Precondition (Formal > 0);
1295 -- Create a generic template for such pragmas and link the template
1296 -- of the pragma with the generic template.
1299 Rewrite
1306 -- Otherwise link the pragma with the generic template
1308 else
1313 -- Local variables
1318 -- Start of processing for Create_Generic_Contract
1320 begin
1321 -- A generic package declaration carries contract-related source pragmas
1322 -- in its visible declarations.
1331 -- A generic package body carries contract-related source pragmas in its
1332 -- declarations.
1341 -- Generic subprogram declaration
1346 else
1350 -- When the generic subprogram acts as a compilation unit, inspect
1351 -- the Pragmas_After list for contract-related source pragmas.
1356 then
1360 -- Otherwise inspect the successive declarations for contract-related
1361 -- source pragmas.
1363 else
1367 -- A generic subprogram body carries contract-related source pragmas in
1368 -- its declarations.
1378 -- Inspect the relevant declarations looking for contract-related source
1379 -- pragmas and add them to the contract of the generic unit.
1385 -- The source pragma is a contract annotation
1391 -- The region where a contract-related source pragma may appear
1392 -- ends with the first source non-pragma declaration or statement.
1394 else
1403 --------------------------------
1404 -- Expand_Subprogram_Contract --
1405 --------------------------------
1411 procedure Add_Invariant_And_Predicate_Checks
1415 -- Process the result of function Subp_Id (if applicable) and all its
1416 -- formals. Add invariant and predicate checks where applicable. The
1417 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1418 -- function, Result contains the entity of parameter _Result, to be
1419 -- used in the creation of procedure _Postconditions.
1422 -- Append a node to a list. If there is no list, create a new one. When
1423 -- the item denotes a pragma, it is added to the list only when it is
1424 -- enabled.
1426 procedure Build_Postconditions_Procedure
1430 -- Create the body of procedure _Postconditions which handles various
1431 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1432 -- of statements to be checked on exit. Parameter Result is the entity
1433 -- of parameter _Result when Subp_Id denotes a function.
1435 function Build_Pragma_Check_Equivalent
1439 -- Transform a [refined] pre- or postcondition denoted by Prag into an
1440 -- equivalent pragma Check. When the pre- or postcondition is inherited,
1441 -- the routine corrects the references of all formals of Inher_Id to
1442 -- point to the formals of Subp_Id.
1445 -- Process pragma Contract_Cases. This routine prepends items to the
1446 -- body declarations and appends items to list Stmts.
1449 -- Collect all [inherited] spec and body postconditions and accumulate
1450 -- their pragma Check equivalents in list Stmts.
1453 -- Collect all [inherited] spec and body preconditions and prepend their
1454 -- pragma Check equivalents to the declarations of the body.
1456 ----------------------------------------
1457 -- Add_Invariant_And_Predicate_Checks --
1458 ----------------------------------------
1460 procedure Add_Invariant_And_Predicate_Checks
1464 is
1466 -- Id denotes the return value of a function or a formal parameter.
1467 -- Add an invariant check if the type of Id is access to a type with
1468 -- invariants. The routine appends the generated code to Stmts.
1471 -- Determine whether type Typ can benefit from invariant checks. To
1472 -- qualify, the type must have a non-null invariant procedure and
1473 -- subprogram Subp_Id must appear visible from the point of view of
1474 -- the type.
1476 ---------------------------------
1477 -- Add_Invariant_Access_Checks --
1478 ---------------------------------
1485 begin
1492 Ref :=
1497 -- Generate:
1498 -- if <Id> /= null then
1499 -- <invariant_call (<Ref>)>
1500 -- end if;
1502 Append_Enabled_Item
1505 Condition =>
1516 -------------------------
1517 -- Invariant_Checks_OK --
1518 -------------------------
1522 -- Determine whether the body of procedure Proc_Id contains a sole
1523 -- null statement, possibly followed by an optional return.
1526 -- Determine whether type Typ has public visibility of subprogram
1527 -- Subp_Id.
1529 -------------------
1530 -- Has_Null_Body --
1531 -------------------
1540 begin
1544 -- Retrieve the entity of the invariant procedure body
1548 then
1551 -- The body acts as a spec
1553 else
1557 -- The body will be generated later
1566 pragma Assert
1572 -- Look for a null statement followed by an optional return
1573 -- statement.
1580 else
1588 -----------------------------------------
1589 -- Has_Public_Visibility_Of_Subprogram --
1590 -----------------------------------------
1595 begin
1596 -- An Initialization procedure must be considered visible even
1597 -- though it is internally generated.
1605 -- Internally generated code is never publicly visible except
1606 -- for a subprogram that is the implementation of an expression
1607 -- function. In that case the visibility is determined by the
1608 -- last check.
1611 and then
1613 or else not
1615 then
1618 -- Determine whether the subprogram is declared in the visible
1619 -- declarations of the package containing the type.
1621 else
1623 Visible_Declarations
1628 -- Start of processing for Invariant_Checks_OK
1630 begin
1631 return
1638 -- Local variables
1641 -- Source location of subprogram body contract
1646 -- Start of processing for Add_Invariant_And_Predicate_Checks
1648 begin
1651 -- Process the result of a function
1656 -- Generate _Result which is used in procedure _Postconditions to
1657 -- verify the return value.
1662 -- Add an invariant check when the return type has invariants and
1663 -- the related function is visible to the outside.
1666 Append_Enabled_Item
1672 -- Add an invariant check when the return type is an access to a
1673 -- type with invariants.
1678 -- Add invariant and predicates for all formals that qualify
1686 then
1688 Append_Enabled_Item
1696 -- Note: we used to add predicate checks for OUT and IN OUT
1697 -- formals here, but that was misguided, since such checks are
1698 -- performed on the caller side, based on the predicate of the
1699 -- actual, rather than the predicate of the formal.
1707 -------------------------
1708 -- Append_Enabled_Item --
1709 -------------------------
1712 begin
1713 -- Do not chain ignored or disabled pragmas
1717 then
1720 -- Otherwise, add the item
1722 else
1727 -- If the pragma is a conjunct in a composite postcondition, it
1728 -- has been processed in reverse order. In the postcondition body
1729 -- it must appear before the others.
1734 then
1736 else
1742 ------------------------------------
1743 -- Build_Postconditions_Procedure --
1744 ------------------------------------
1746 procedure Build_Postconditions_Procedure
1750 is
1752 -- Insert node Stmt before the first source declaration of the
1753 -- related subprogram's body. If no such declaration exists, Stmt
1754 -- becomes the last declaration.
1756 --------------------------------------------
1757 -- Insert_Before_First_Source_Declaration --
1758 --------------------------------------------
1764 begin
1765 -- Inspect the declarations of the related subprogram body looking
1766 -- for the first source declaration.
1779 -- If we get there, then the subprogram body lacks any source
1780 -- declarations. The body of _Postconditions now acts as the
1781 -- last declaration.
1785 -- Ensure that the body has a declaration list
1787 else
1792 -- Local variables
1799 -- Start of processing for Build_Postconditions_Procedure
1801 begin
1802 -- Nothing to do if there are no actions to check on exit
1812 -- The related subprogram is a function: create the specification of
1813 -- parameter _Result.
1819 Parameter_Type =>
1823 -- Insert _Postconditions before the first source declaration of the
1824 -- body. This ensures that the body will not cause any premature
1825 -- freezing, as it may mention types:
1827 -- procedure Proc (Obj : Array_Typ) is
1828 -- procedure _postconditions is
1829 -- begin
1830 -- ... Obj ...
1831 -- end _postconditions;
1833 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
1834 -- begin
1836 -- In the example above, Obj is of type T but the incorrect placement
1837 -- of _Postconditions will cause a crash in gigi due to an out-of-
1838 -- order reference. The body of _Postconditions must be placed after
1839 -- the declaration of Temp to preserve correct visibility.
1841 -- Set an explicit End_Label to override the sloc of the implicit
1842 -- RETURN statement, and prevent it from inheriting the sloc of one
1843 -- the postconditions: this would cause confusing debug info to be
1844 -- produced, interfering with coverage-analysis tools.
1846 Proc_Bod :=
1848 Specification =>
1854 Handled_Statement_Sequence =>
1863 -----------------------------------
1864 -- Build_Pragma_Check_Equivalent --
1865 -----------------------------------
1867 function Build_Pragma_Check_Equivalent
1871 is
1873 -- Detect whether node N references a formal parameter subject to
1874 -- pragma Unreferenced. If this is the case, set Comes_From_Source
1875 -- to False to suppress the generation of a reference when analyzing
1876 -- N later on.
1878 ------------------------
1879 -- Suppress_Reference --
1880 ------------------------
1885 begin
1889 -- The formal parameter is subject to pragma Unreferenced.
1890 -- Prevent the generation of a reference by resetting the
1891 -- Comes_From_Source flag.
1895 then
1906 -- Local variables
1917 -- Start of processing for Build_Pragma_Check_Equivalent
1919 begin
1922 -- When the pre- or postcondition is inherited, map the formals of
1923 -- the inherited subprogram to those of the current subprogram.
1930 -- Create a relation <inherited formal> => <subprogram formal>
1943 -- Copy the original pragma while performing substitutions (if
1944 -- applicable).
1946 Check_Prag :=
1947 New_Copy_Tree
1952 -- Mark the pragma as being internally generated and reset the
1953 -- Analyzed flag.
1958 -- The tree of the original pragma may contain references to the
1959 -- formal parameters of the related subprogram. At the same time
1960 -- the corresponding body may mark the formals as unreferenced:
1962 -- procedure Proc (Formal : ...)
1963 -- with Pre => Formal ...;
1965 -- procedure Proc (Formal : ...) is
1966 -- pragma Unreferenced (Formal);
1967 -- ...
1969 -- This creates problems because all pragma Check equivalents are
1970 -- analyzed at the end of the body declarations. Since all source
1971 -- references have already been accounted for, reset any references
1972 -- to such formals in the generated pragma Check equivalent.
1978 else
1982 -- Convert the copy into pragma Check by correcting the name and
1983 -- adding a check_kind argument.
1985 Set_Pragma_Identifier
1992 -- Update the error message when the pragma is inherited
2000 -- Insert "inherited" to improve the error message
2012 ----------------------------
2013 -- Process_Contract_Cases --
2014 ----------------------------
2018 -- Process pragma Contract_Cases for subprogram Subp_Id
2020 --------------------------------
2021 -- Process_Contract_Cases_For --
2022 --------------------------------
2028 begin
2033 Expand_Pragma_Contract_Cases
2045 -- Start of processing for Process_Contract_Cases
2047 begin
2055 ----------------------------
2056 -- Process_Postconditions --
2057 ----------------------------
2061 -- Collect all [refined] postconditions of a specific kind denoted
2062 -- by Post_Nam that belong to the body, and generate pragma Check
2063 -- equivalents in list Stmts.
2066 -- Collect all [inherited] postconditions of the spec, and generate
2067 -- pragma Check equivalents in list Stmts.
2069 ---------------------------------
2070 -- Process_Body_Postconditions --
2071 ---------------------------------
2079 begin
2080 -- Process the contract
2086 Append_Enabled_Item
2095 -- The subprogram body being processed is actually the proper body
2096 -- of a stub with a corresponding spec. The subprogram stub may
2097 -- carry a postcondition pragma, in which case it must be taken
2098 -- into account. The pragma appears after the stub.
2104 -- Note that non-matching pragmas are skipped
2108 Append_Enabled_Item
2113 -- Skip internally generated code
2118 -- Postcondition pragmas are usually grouped together. There
2119 -- is no need to inspect the whole declarative list.
2121 else
2130 ---------------------------------
2131 -- Process_Spec_Postconditions --
2132 ---------------------------------
2141 begin
2142 -- Process the contract
2150 Append_Enabled_Item
2159 -- Process the contracts of all inherited subprograms, looking for
2160 -- class-wide postconditions.
2171 then
2172 Append_Enabled_Item
2174 Build_Pragma_Check_Equivalent
2187 -- Start of processing for Process_Postconditions
2189 begin
2190 -- The processing of postconditions is done in reverse order (body
2191 -- first) to ensure the following arrangement:
2193 -- <refined postconditions from body>
2194 -- <postconditions from body>
2195 -- <postconditions from spec>
2196 -- <inherited postconditions>
2202 Process_Spec_Postconditions;
2206 ---------------------------
2207 -- Process_Preconditions --
2208 ---------------------------
2212 -- The sole [inherited] class-wide precondition pragma that applies
2213 -- to the subprogram.
2216 -- The insertion node after which all pragma Check equivalents are
2217 -- inserted.
2220 -- Merge two class-wide preconditions by "or else"-ing them. The
2221 -- changes are accumulated in parameter Into. Update the error
2222 -- message of Into.
2225 -- Prepend a single item to the declarations of the subprogram body
2228 -- Save a class-wide precondition into Class_Pre, or prepend a normal
2229 -- precondition to the declarations of the body and analyze it.
2232 -- Collect all inherited class-wide preconditions and merge them into
2233 -- one big precondition to be evaluated as pragma Check.
2236 -- Collect all preconditions of subprogram Subp_Id and prepend their
2237 -- pragma Check equivalents to the declarations of the body.
2239 -------------------------
2240 -- Merge_Preconditions --
2241 -------------------------
2245 -- Return the boolean expression argument of a precondition while
2246 -- updating its parentheses count for the subsequent merge.
2249 -- Return the message argument of a precondition
2251 --------------------
2252 -- Expression_Arg --
2253 --------------------
2259 begin
2267 -----------------
2268 -- Message_Arg --
2269 -----------------
2273 begin
2277 -- Local variables
2285 -- Start of processing for Merge_Preconditions
2287 begin
2288 -- Merge the two preconditions by "or else"-ing them
2295 -- Merge the two error messages to produce a single message of the
2296 -- form:
2298 -- failed precondition from ...
2299 -- also failed inherited precondition from ...
2311 ----------------------
2312 -- Prepend_To_Decls --
2313 ----------------------
2318 begin
2319 -- Ensure that the body has a declarative list
2329 ------------------------------
2330 -- Prepend_To_Decls_Or_Save --
2331 ------------------------------
2336 begin
2339 -- Save the sole class-wide precondition (if any) for the next
2340 -- step, where it will be merged with inherited preconditions.
2346 -- Accumulate the corresponding Check pragmas at the top of the
2347 -- declarations. Prepending the items ensures that they will be
2348 -- evaluated in their original order.
2350 else
2353 else
2361 -------------------------------------
2362 -- Process_Inherited_Preconditions --
2363 -------------------------------------
2373 begin
2374 -- Process the contracts of all inherited subprograms, looking for
2375 -- class-wide preconditions.
2386 then
2387 Check_Prag :=
2388 Build_Pragma_Check_Equivalent
2393 -- The spec of an inherited subprogram already yielded
2394 -- a class-wide precondition. Merge the existing
2395 -- precondition with the current one using "or else".
2399 else
2409 -- Add the merged class-wide preconditions
2417 -------------------------------
2418 -- Process_Preconditions_For --
2419 -------------------------------
2427 begin
2428 -- Process the contract
2441 -- The subprogram declaration being processed is actually a body
2442 -- stub. The stub may carry a precondition pragma, in which case
2443 -- it must be taken into account. The pragma appears after the
2444 -- stub.
2450 -- Inspect the declarations following the body stub
2455 -- Note that non-matching pragmas are skipped
2462 -- Skip internally generated code
2467 -- Preconditions are usually grouped together. There is no
2468 -- need to inspect the whole declarative list.
2470 else
2479 -- Local variables
2484 -- Start of processing for Process_Preconditions
2486 begin
2487 -- Find the last internally generated declaration, starting from the
2488 -- top of the body declarations. This ensures that discriminals and
2489 -- subtypes are properly visible to the pragma Check equivalents.
2500 -- The processing of preconditions is done in reverse order (body
2501 -- first), because each pragma Check equivalent is inserted at the
2502 -- top of the declarations. This ensures that the final order is
2503 -- consistent with following diagram:
2505 -- <inherited preconditions>
2506 -- <preconditions from spec>
2507 -- <preconditions from body>
2513 Process_Inherited_Preconditions;
2517 -- Local variables
2524 -- Start of processing for Expand_Subprogram_Contract
2526 begin
2527 -- Obtain the entity of the initial declaration
2531 else
2535 -- Do not perform expansion activity when it is not needed
2540 -- ASIS requires an unaltered tree
2545 -- GNATprove does not need the executable semantics of a contract
2550 -- The contract of a generic subprogram or one declared in a generic
2551 -- context is not expanded, as the corresponding instance will provide
2552 -- the executable semantics of the contract.
2557 -- All subprograms carry a contract, but for some it is not significant
2558 -- and should not be processed. This is a small optimization.
2563 -- The contract of an ignored Ghost subprogram does not need expansion,
2564 -- because the subprogram and all calls to it will be removed.
2570 -- Do not re-expand the same contract. This scenario occurs when a
2571 -- construct is rewritten into something else during its analysis
2572 -- (expression functions for instance).
2577 -- Otherwise mark the subprogram
2579 else
2583 -- Ensure that the formal parameters are visible when expanding all
2584 -- contract items.
2592 else
2597 -- The expansion of a subprogram contract involves the creation of Check
2598 -- pragmas to verify the contract assertions of the spec and body in a
2599 -- particular order. The order is as follows:
2601 -- function Example (...) return ... is
2602 -- procedure _Postconditions (...) is
2603 -- begin
2604 -- <refined postconditions from body>
2605 -- <postconditions from body>
2606 -- <postconditions from spec>
2607 -- <inherited postconditions>
2608 -- <contract case consequences>
2609 -- <invariant check of function result>
2610 -- <invariant and predicate checks of parameters>
2611 -- end _Postconditions;
2613 -- <inherited preconditions>
2614 -- <preconditions from spec>
2615 -- <preconditions from body>
2616 -- <contract case conditions>
2618 -- <source declarations>
2619 -- begin
2620 -- <source statements>
2622 -- _Preconditions (Result);
2623 -- return Result;
2624 -- end Example;
2626 -- Routine _Postconditions holds all contract assertions that must be
2627 -- verified on exit from the related subprogram.
2629 -- Step 1: Handle all preconditions. This action must come before the
2630 -- processing of pragma Contract_Cases because the pragma prepends items
2631 -- to the body declarations.
2633 Process_Preconditions;
2635 -- Step 2: Handle all postconditions. This action must come before the
2636 -- processing of pragma Contract_Cases because the pragma appends items
2637 -- to list Stmts.
2641 -- Step 3: Handle pragma Contract_Cases. This action must come before
2642 -- the processing of invariants and predicates because those append
2643 -- items to list Stmts.
2647 -- Step 4: Apply invariant and predicate checks on a function result and
2648 -- all formals. The resulting checks are accumulated in list Stmts.
2652 -- Step 5: Construct procedure _Postconditions
2657 End_Scope;
2661 ---------------------------------
2662 -- Inherit_Subprogram_Contract --
2663 ---------------------------------
2665 procedure Inherit_Subprogram_Contract
2668 is
2670 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
2671 -- Subp's contract.
2673 --------------------
2674 -- Inherit_Pragma --
2675 --------------------
2681 begin
2682 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
2683 -- chains, therefore the node must be replicated. The new pragma is
2684 -- flagged as inherited for distinction purposes.
2694 -- Start of processing for Inherit_Subprogram_Contract
2696 begin
2697 -- Inheritance is carried out only when both entities are subprograms
2698 -- with contracts.
2703 then
2708 -------------------------------------
2709 -- Instantiate_Subprogram_Contract --
2710 -------------------------------------
2714 -- Instantiate all contract-related source pragmas found in the list,
2715 -- starting with pragma First_Prag. Each instantiated pragma is added
2716 -- to list L.
2718 -------------------------
2719 -- Instantiate_Pragmas --
2720 -------------------------
2726 begin
2730 Inst_Prag :=
2741 -- Local variables
2745 -- Start of processing for Instantiate_Subprogram_Contract
2747 begin
2755 ----------------------------------------
2756 -- Save_Global_References_In_Contract --
2757 ----------------------------------------
2759 procedure Save_Global_References_In_Contract
2762 is
2764 -- Save all global references in contract-related source pragmas found
2765 -- in the list, starting with pragma First_Prag.
2767 ------------------------------------
2768 -- Save_Global_References_In_List --
2769 ------------------------------------
2774 begin
2785 -- Local variables
2789 -- Start of processing for Save_Global_References_In_Contract
2791 begin
2792 -- The entity of the analyzed generic copy must be on the scope stack
2793 -- to ensure proper detection of global references.
2799 then
2809 Pop_Scope;