| blob | c85b650d66b19584bd1bfbacb3bb0fd5fa43fb8c |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2016, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
53 procedure Analyze_Contracts
57 -- Subsidiary to the one parameter version of Analyze_Contracts and routine
58 -- Analyze_Previous_Constracts. Analyze the contracts of all constructs in
59 -- the list L. If Freeze_Nod is set, then the analysis stops when the node
60 -- is reached. Freeze_Id is the entity of some related context which caused
61 -- freezing up to node Freeze_Nod.
64 -- Expand the contracts of a subprogram body and its correspoding spec (if
65 -- any). This routine processes all [refined] pre- and postconditions as
66 -- well as Contract_Cases, invariants and predicates. Body_Id denotes the
67 -- entity of the subprogram body.
69 -----------------------
70 -- Add_Contract_Item --
71 -----------------------
77 -- Prepend Prag to the list of classifications
80 -- Prepend Prag to the list of contract and test cases
83 -- Prepend Prag to the list of pre- and postconditions
85 ------------------------
86 -- Add_Classification --
87 ------------------------
90 begin
95 ----------------------------
96 -- Add_Contract_Test_Case --
97 ----------------------------
100 begin
105 ----------------------------
106 -- Add_Pre_Post_Condition --
107 ----------------------------
110 begin
115 -- Local variables
119 -- Start of processing for Add_Contract_Item
121 begin
122 -- A contract must contain only pragmas
127 -- Create a new contract when adding the first item
134 -- Constants, the applicable pragmas are:
135 -- Part_Of
139 Add_Classification;
141 -- The pragma is not a proper contract item
143 else
147 -- Entry bodies, the applicable pragmas are:
148 -- Refined_Depends
149 -- Refined_Global
150 -- Refined_Post
154 Add_Classification;
157 Add_Pre_Post_Condition;
159 -- The pragma is not a proper contract item
161 else
165 -- Entry or subprogram declarations, the applicable pragmas are:
166 -- Attach_Handler
167 -- Contract_Cases
168 -- Depends
169 -- Extensions_Visible
170 -- Global
171 -- Interrupt_Handler
172 -- Postcondition
173 -- Precondition
174 -- Test_Case
175 -- Volatile_Function
179 E_Generic_Function,
180 E_Generic_Procedure,
181 E_Procedure)
182 then
185 then
186 Add_Classification;
189 Name_Extensions_Visible,
190 Name_Global)
191 then
192 Add_Classification;
196 then
197 Add_Classification;
200 Add_Contract_Test_Case;
203 Add_Pre_Post_Condition;
205 -- The pragma is not a proper contract item
207 else
211 -- Packages or instantiations, the applicable pragmas are:
212 -- Abstract_States
213 -- Initial_Condition
214 -- Initializes
215 -- Part_Of (instantiation only)
219 Name_Initial_Condition,
220 Name_Initializes)
221 then
222 Add_Classification;
224 -- Indicator Part_Of must be associated with a package instantiation
227 Add_Classification;
229 -- The pragma is not a proper contract item
231 else
235 -- Package bodies, the applicable pragmas are:
236 -- Refined_States
240 Add_Classification;
242 -- The pragma is not a proper contract item
244 else
248 -- Protected units, the applicable pragmas are:
249 -- Part_Of
253 Add_Classification;
255 -- The pragma is not a proper contract item
257 else
261 -- Subprogram bodies, the applicable pragmas are:
262 -- Postcondition
263 -- Precondition
264 -- Refined_Depends
265 -- Refined_Global
266 -- Refined_Post
270 Add_Classification;
273 Name_Precondition,
274 Name_Refined_Post)
275 then
276 Add_Pre_Post_Condition;
278 -- The pragma is not a proper contract item
280 else
284 -- Task bodies, the applicable pragmas are:
285 -- Refined_Depends
286 -- Refined_Global
290 Add_Classification;
292 -- The pragma is not a proper contract item
294 else
298 -- Task units, the applicable pragmas are:
299 -- Depends
300 -- Global
301 -- Part_Of
305 Add_Classification;
307 -- The pragma is not a proper contract item
309 else
313 -- Variables, the applicable pragmas are:
314 -- Async_Readers
315 -- Async_Writers
316 -- Constant_After_Elaboration
317 -- Depends
318 -- Effective_Reads
319 -- Effective_Writes
320 -- Global
321 -- Part_Of
325 Name_Async_Writers,
326 Name_Constant_After_Elaboration,
327 Name_Depends,
328 Name_Effective_Reads,
329 Name_Effective_Writes,
330 Name_Global,
331 Name_Part_Of)
332 then
333 Add_Classification;
335 -- The pragma is not a proper contract item
337 else
343 -----------------------
344 -- Analyze_Contracts --
345 -----------------------
348 begin
352 procedure Analyze_Contracts
356 is
359 begin
363 -- The caller requests that the traversal stops at a particular node
364 -- that causes contract "freezing".
370 -- Entry or subprogram declarations
373 N_Entry_Declaration,
374 N_Generic_Subprogram_Declaration,
375 N_Subprogram_Declaration)
376 then
377 Analyze_Entry_Or_Subprogram_Contract
381 -- Entry or subprogram bodies
386 -- Objects
389 Analyze_Object_Contract
393 -- Protected untis
396 N_Single_Protected_Declaration)
397 then
400 -- Subprogram body stubs
405 -- Task units
408 N_Task_Type_Declaration)
409 then
417 -----------------------------------------------
418 -- Analyze_Entry_Or_Subprogram_Body_Contract --
419 -----------------------------------------------
427 begin
428 -- When a subprogram body declaration is illegal, its defining entity is
429 -- left unanalyzed. There is nothing left to do in this case because the
430 -- body lacks a contract, or even a proper Ekind.
435 -- Do not analyze a contract multiple times
440 else
445 -- Due to the timing of contract analysis, delayed pragmas may be
446 -- subject to the wrong SPARK_Mode, usually that of the enclosing
447 -- context. To remedy this, restore the original SPARK_Mode of the
448 -- related subprogram body.
452 -- Ensure that the contract cases or postconditions mention 'Result or
453 -- define a post-state.
457 -- A stand-alone nonvolatile function body cannot have an effectively
458 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
459 -- check is relevant only when SPARK_Mode is on, as it is not a standard
460 -- legality rule. The check is performed here because Volatile_Function
461 -- is processed after the analysis of the related subprogram body.
466 then
470 -- Restore the SPARK_Mode of the enclosing context after all delayed
471 -- pragmas have been analyzed.
475 -- Capture all global references in a generic subprogram body now that
476 -- the contract has been analyzed.
479 Save_Global_References_In_Contract
484 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
485 -- invariants and predicates associated with body and its spec. Do not
486 -- expand the contract of subprogram body stubs.
493 ------------------------------------------
494 -- Analyze_Entry_Or_Subprogram_Contract --
495 ------------------------------------------
497 procedure Analyze_Entry_Or_Subprogram_Contract
500 is
506 and then not ASIS_Mode
515 begin
516 -- Do not analyze a contract multiple times
521 else
526 -- Due to the timing of contract analysis, delayed pragmas may be
527 -- subject to the wrong SPARK_Mode, usually that of the enclosing
528 -- context. To remedy this, restore the original SPARK_Mode of the
529 -- related subprogram body.
533 -- All subprograms carry a contract, but for some it is not significant
534 -- and should not be processed.
541 -- Do not analyze the pre/postconditions of an entry declaration
542 -- unless annotating the original tree for ASIS or GNATprove. The
543 -- real analysis occurs when the pre/postconditons are relocated to
544 -- the contract wrapper procedure (see Build_Contract_Wrapper).
549 -- Otherwise analyze the pre/postconditions
551 else
559 -- Analyze contract-cases and test-cases
567 -- Do not analyze the contract cases of an entry declaration
568 -- unless annotating the original tree for ASIS or GNATprove.
569 -- The real analysis occurs when the contract cases are moved
570 -- to the contract wrapper procedure (Build_Contract_Wrapper).
575 -- Otherwise analyze the contract cases
577 else
580 else
588 -- Analyze classification pragmas
604 -- Analyze Global first, as Depends may mention items classified in
605 -- the global categorization.
611 -- Depends must be analyzed after Global in order to see the modes of
612 -- all global items.
618 -- Ensure that the contract cases or postconditions mention 'Result
619 -- or define a post-state.
624 -- A nonvolatile function cannot have an effectively volatile formal
625 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
626 -- only when SPARK_Mode is on, as it is not a standard legality rule.
627 -- The check is performed here because pragma Volatile_Function is
628 -- processed after the analysis of the related subprogram declaration.
633 then
637 -- Restore the SPARK_Mode of the enclosing context after all delayed
638 -- pragmas have been analyzed.
642 -- Capture all global references in a generic subprogram now that the
643 -- contract has been analyzed.
646 Save_Global_References_In_Contract
652 -----------------------------
653 -- Analyze_Object_Contract --
654 -----------------------------
656 procedure Analyze_Object_Contract
659 is
672 begin
673 -- The loop parameter in an element iterator over a formal container
674 -- is declared with an object declaration, but no contracts apply.
680 -- Do not analyze a contract multiple times
687 else
692 -- The anonymous object created for a single concurrent type inherits
693 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
694 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
695 -- of the enclosing context. To remedy this, restore the original mode
696 -- of the related anonymous object.
700 then
705 -- Constant-related checks
709 -- Analyze indicator Part_Of
713 -- Check whether the lack of indicator Part_Of agrees with the
714 -- placement of the constant with respect to the state space.
720 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
721 -- This check is relevant only when SPARK_Mode is on, as it is not
722 -- a standard Ada legality rule. Internally-generated constants that
723 -- map generic formals to actuals in instantiations are allowed to
724 -- be volatile.
730 then
734 -- Variable-related checks
738 -- Analyze all external properties
768 -- Verify the mutual interaction of the various external properties
774 -- The anonymous object created for a single concurrent type carries
775 -- pragmas Depends and Globat of the type.
779 -- Analyze Global first, as Depends may mention items classified
780 -- in the global categorization.
788 -- Depends must be analyzed after Global in order to see the modes
789 -- of all global items.
800 -- Analyze indicator Part_Of
805 -- The variable is a constituent of a single protected/task type
806 -- and behaves as a component of the type. Verify that references
807 -- to the variable occur within the definition or body of the type
808 -- (SPARK RM 9.3).
811 and then Is_Single_Concurrent_Object
814 then
822 -- Otherwise check whether the lack of indicator Part_Of agrees with
823 -- the placement of the variable with respect to the state space.
825 else
829 -- The following checks are relevant only when SPARK_Mode is on, as
830 -- they are not standard Ada legality rules. Internally generated
831 -- temporaries are ignored.
836 -- The declaration of an effectively volatile object must
837 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
840 Error_Msg_N
842 Obj_Id);
844 -- An object of a discriminated type cannot be effectively
845 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
849 then
850 Error_Msg_N
853 -- An object of a tagged type cannot be effectively volatile
854 -- (SPARK RM C.6(5)).
860 -- The object is not effectively volatile
862 else
863 -- A non-effectively volatile object cannot have effectively
864 -- volatile components (SPARK RM 7.1.3(6)).
868 then
869 Error_Msg_N
871 Obj_Id);
877 -- Common checks
881 -- A Ghost object cannot be of a type that yields a synchronized
882 -- object (SPARK RM 6.9(19)).
887 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
888 -- SPARK RM 6.9(19)).
893 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
894 -- One exception to this is the object that represents the dispatch
895 -- table of a Ghost tagged type, as the symbol needs to be exported.
905 -- Restore the SPARK_Mode of the enclosing context after all delayed
906 -- pragmas have been analyzed.
913 -----------------------------------
914 -- Analyze_Package_Body_Contract --
915 -----------------------------------
917 procedure Analyze_Package_Body_Contract
920 is
927 begin
928 -- Do not analyze a contract multiple times
933 else
938 -- Due to the timing of contract analysis, delayed pragmas may be
939 -- subject to the wrong SPARK_Mode, usually that of the enclosing
940 -- context. To remedy this, restore the original SPARK_Mode of the
941 -- related package body.
947 -- The analysis of pragma Refined_State detects whether the spec has
948 -- abstract states available for refinement.
954 -- Restore the SPARK_Mode of the enclosing context after all delayed
955 -- pragmas have been analyzed.
959 -- Capture all global references in a generic package body now that the
960 -- contract has been analyzed.
963 Save_Global_References_In_Contract
969 ------------------------------
970 -- Analyze_Package_Contract --
971 ------------------------------
982 begin
983 -- Do not analyze a contract multiple times
988 else
993 -- Due to the timing of contract analysis, delayed pragmas may be
994 -- subject to the wrong SPARK_Mode, usually that of the enclosing
995 -- context. To remedy this, restore the original SPARK_Mode of the
996 -- related package.
1002 -- Locate and store pragmas Initial_Condition and Initializes, since
1003 -- their order of analysis matters.
1019 -- Analyze the initialization-related pragmas. Initializes must come
1020 -- before Initial_Condition due to item dependencies.
1031 -- Check whether the lack of indicator Part_Of agrees with the placement
1032 -- of the package instantiation with respect to the state space.
1042 -- Restore the SPARK_Mode of the enclosing context after all delayed
1043 -- pragmas have been analyzed.
1047 -- Capture all global references in a generic package now that the
1048 -- contract has been analyzed.
1051 Save_Global_References_In_Contract
1057 --------------------------------
1058 -- Analyze_Previous_Contracts --
1059 --------------------------------
1065 begin
1066 -- A body that is in the process of being inlined appears from source,
1067 -- but carries name _parent. Such a body does not cause "freezing" of
1068 -- contracts.
1074 -- Climb the parent chain looking for an enclosing package body. Do not
1075 -- use the scope stack, as a body uses the entity of its corresponding
1076 -- spec.
1081 Analyze_Package_Body_Contract
1091 -- Analyze the contracts of all eligible construct up to the body which
1092 -- caused the "freezing".
1095 Analyze_Contracts
1102 --------------------------------
1103 -- Analyze_Protected_Contract --
1104 --------------------------------
1109 begin
1110 -- Do not analyze a contract multiple times
1115 else
1121 -------------------------------------------
1122 -- Analyze_Subprogram_Body_Stub_Contract --
1123 -------------------------------------------
1129 begin
1130 -- A subprogram body stub may act as its own spec or as the completion
1131 -- of a previous declaration. Depending on the context, the contract of
1132 -- the stub may contain two sets of pragmas.
1134 -- The stub is a completion, the applicable pragmas are:
1135 -- Refined_Depends
1136 -- Refined_Global
1141 -- The stub acts as its own spec, the applicable pragmas are:
1142 -- Contract_Cases
1143 -- Depends
1144 -- Global
1145 -- Postcondition
1146 -- Precondition
1147 -- Test_Case
1149 else
1154 ---------------------------
1155 -- Analyze_Task_Contract --
1156 ---------------------------
1163 begin
1164 -- Do not analyze a contract multiple times
1169 else
1174 -- Due to the timing of contract analysis, delayed pragmas may be
1175 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1176 -- context. To remedy this, restore the original SPARK_Mode of the
1177 -- related task unit.
1181 -- Analyze Global first, as Depends may mention items classified in the
1182 -- global categorization.
1190 -- Depends must be analyzed after Global in order to see the modes of
1191 -- all global items.
1199 -- Restore the SPARK_Mode of the enclosing context after all delayed
1200 -- pragmas have been analyzed.
1205 -----------------------------
1206 -- Create_Generic_Contract --
1207 -----------------------------
1214 -- Add a single contract-related source pragma Prag to the contract of
1215 -- generic template Templ_Id.
1217 ---------------------------------
1218 -- Add_Generic_Contract_Pragma --
1219 ---------------------------------
1224 begin
1225 -- Mark the pragma to prevent the premature capture of global
1226 -- references when capturing global references of the context
1227 -- (see Save_References_In_Pragma).
1231 -- Pragmas that apply to a generic subprogram declaration are not
1232 -- part of the semantic structure of the generic template:
1234 -- generic
1235 -- procedure Example (Formal : Integer);
1236 -- pragma Precondition (Formal > 0);
1238 -- Create a generic template for such pragmas and link the template
1239 -- of the pragma with the generic template.
1242 Rewrite
1249 -- Otherwise link the pragma with the generic template
1251 else
1256 -- Local variables
1261 -- Start of processing for Create_Generic_Contract
1263 begin
1264 -- A generic package declaration carries contract-related source pragmas
1265 -- in its visible declarations.
1274 -- A generic package body carries contract-related source pragmas in its
1275 -- declarations.
1284 -- Generic subprogram declaration
1289 else
1293 -- When the generic subprogram acts as a compilation unit, inspect
1294 -- the Pragmas_After list for contract-related source pragmas.
1299 then
1303 -- Otherwise inspect the successive declarations for contract-related
1304 -- source pragmas.
1306 else
1310 -- A generic subprogram body carries contract-related source pragmas in
1311 -- its declarations.
1321 -- Inspect the relevant declarations looking for contract-related source
1322 -- pragmas and add them to the contract of the generic unit.
1328 -- The source pragma is a contract annotation
1334 -- The region where a contract-related source pragma may appear
1335 -- ends with the first source non-pragma declaration or statement.
1337 else
1346 --------------------------------
1347 -- Expand_Subprogram_Contract --
1348 --------------------------------
1354 procedure Add_Invariant_And_Predicate_Checks
1358 -- Process the result of function Subp_Id (if applicable) and all its
1359 -- formals. Add invariant and predicate checks where applicable. The
1360 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1361 -- function, Result contains the entity of parameter _Result, to be
1362 -- used in the creation of procedure _Postconditions.
1365 -- Append a node to a list. If there is no list, create a new one. When
1366 -- the item denotes a pragma, it is added to the list only when it is
1367 -- enabled.
1369 procedure Build_Postconditions_Procedure
1373 -- Create the body of procedure _Postconditions which handles various
1374 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1375 -- of statements to be checked on exit. Parameter Result is the entity
1376 -- of parameter _Result when Subp_Id denotes a function.
1379 -- Process pragma Contract_Cases. This routine prepends items to the
1380 -- body declarations and appends items to list Stmts.
1383 -- Collect all [inherited] spec and body postconditions and accumulate
1384 -- their pragma Check equivalents in list Stmts.
1387 -- Collect all [inherited] spec and body preconditions and prepend their
1388 -- pragma Check equivalents to the declarations of the body.
1390 ----------------------------------------
1391 -- Add_Invariant_And_Predicate_Checks --
1392 ----------------------------------------
1394 procedure Add_Invariant_And_Predicate_Checks
1398 is
1400 -- Id denotes the return value of a function or a formal parameter.
1401 -- Add an invariant check if the type of Id is access to a type with
1402 -- invariants. The routine appends the generated code to Stmts.
1405 -- Determine whether type Typ can benefit from invariant checks. To
1406 -- qualify, the type must have a non-null invariant procedure and
1407 -- subprogram Subp_Id must appear visible from the point of view of
1408 -- the type.
1410 ---------------------------------
1411 -- Add_Invariant_Access_Checks --
1412 ---------------------------------
1419 begin
1426 Ref :=
1431 -- Generate:
1432 -- if <Id> /= null then
1433 -- <invariant_call (<Ref>)>
1434 -- end if;
1436 Append_Enabled_Item
1439 Condition =>
1450 -------------------------
1451 -- Invariant_Checks_OK --
1452 -------------------------
1456 -- Determine whether type Typ has public visibility of subprogram
1457 -- Subp_Id.
1459 -----------------------------------------
1460 -- Has_Public_Visibility_Of_Subprogram --
1461 -----------------------------------------
1466 begin
1467 -- An Initialization procedure must be considered visible even
1468 -- though it is internally generated.
1476 -- Internally generated code is never publicly visible except
1477 -- for a subprogram that is the implementation of an expression
1478 -- function. In that case the visibility is determined by the
1479 -- last check.
1482 and then
1484 or else not
1486 then
1489 -- Determine whether the subprogram is declared in the visible
1490 -- declarations of the package containing the type.
1492 else
1494 Visible_Declarations
1499 -- Start of processing for Invariant_Checks_OK
1501 begin
1502 return
1509 -- Local variables
1512 -- Source location of subprogram body contract
1517 -- Start of processing for Add_Invariant_And_Predicate_Checks
1519 begin
1522 -- Process the result of a function
1527 -- Generate _Result which is used in procedure _Postconditions to
1528 -- verify the return value.
1533 -- Add an invariant check when the return type has invariants and
1534 -- the related function is visible to the outside.
1537 Append_Enabled_Item
1543 -- Add an invariant check when the return type is an access to a
1544 -- type with invariants.
1549 -- Add invariant and predicates for all formals that qualify
1557 then
1559 Append_Enabled_Item
1567 -- Note: we used to add predicate checks for OUT and IN OUT
1568 -- formals here, but that was misguided, since such checks are
1569 -- performed on the caller side, based on the predicate of the
1570 -- actual, rather than the predicate of the formal.
1578 -------------------------
1579 -- Append_Enabled_Item --
1580 -------------------------
1583 begin
1584 -- Do not chain ignored or disabled pragmas
1588 then
1591 -- Otherwise, add the item
1593 else
1598 -- If the pragma is a conjunct in a composite postcondition, it
1599 -- has been processed in reverse order. In the postcondition body
1600 -- it must appear before the others.
1605 then
1607 else
1613 ------------------------------------
1614 -- Build_Postconditions_Procedure --
1615 ------------------------------------
1617 procedure Build_Postconditions_Procedure
1621 is
1623 -- Insert node Stmt before the first source declaration of the
1624 -- related subprogram's body. If no such declaration exists, Stmt
1625 -- becomes the last declaration.
1627 --------------------------------------------
1628 -- Insert_Before_First_Source_Declaration --
1629 --------------------------------------------
1635 begin
1636 -- Inspect the declarations of the related subprogram body looking
1637 -- for the first source declaration.
1650 -- If we get there, then the subprogram body lacks any source
1651 -- declarations. The body of _Postconditions now acts as the
1652 -- last declaration.
1656 -- Ensure that the body has a declaration list
1658 else
1663 -- Local variables
1672 -- Start of processing for Build_Postconditions_Procedure
1674 begin
1675 -- Nothing to do if there are no actions to check on exit
1685 -- Force the front-end inlining of _Postconditions when generating C
1686 -- code, since its body may have references to itypes defined in the
1687 -- enclosing subprogram, which would cause problems for unnesting
1688 -- routines in the absence of inlining.
1696 -- The related subprogram is a function: create the specification of
1697 -- parameter _Result.
1703 Parameter_Type =>
1707 Proc_Spec :=
1714 -- Insert _Postconditions before the first source declaration of the
1715 -- body. This ensures that the body will not cause any premature
1716 -- freezing, as it may mention types:
1718 -- procedure Proc (Obj : Array_Typ) is
1719 -- procedure _postconditions is
1720 -- begin
1721 -- ... Obj ...
1722 -- end _postconditions;
1724 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
1725 -- begin
1727 -- In the example above, Obj is of type T but the incorrect placement
1728 -- of _Postconditions will cause a crash in gigi due to an out-of-
1729 -- order reference. The body of _Postconditions must be placed after
1730 -- the declaration of Temp to preserve correct visibility.
1735 -- Set an explicit End_Label to override the sloc of the implicit
1736 -- RETURN statement, and prevent it from inheriting the sloc of one
1737 -- the postconditions: this would cause confusing debug info to be
1738 -- produced, interfering with coverage-analysis tools.
1740 Proc_Bod :=
1742 Specification =>
1745 Handled_Statement_Sequence =>
1753 ----------------------------
1754 -- Process_Contract_Cases --
1755 ----------------------------
1759 -- Process pragma Contract_Cases for subprogram Subp_Id
1761 --------------------------------
1762 -- Process_Contract_Cases_For --
1763 --------------------------------
1769 begin
1774 Expand_Pragma_Contract_Cases
1786 -- Start of processing for Process_Contract_Cases
1788 begin
1796 ----------------------------
1797 -- Process_Postconditions --
1798 ----------------------------
1802 -- Collect all [refined] postconditions of a specific kind denoted
1803 -- by Post_Nam that belong to the body, and generate pragma Check
1804 -- equivalents in list Stmts.
1807 -- Collect all [inherited] postconditions of the spec, and generate
1808 -- pragma Check equivalents in list Stmts.
1810 ---------------------------------
1811 -- Process_Body_Postconditions --
1812 ---------------------------------
1820 begin
1821 -- Process the contract
1827 Append_Enabled_Item
1836 -- The subprogram body being processed is actually the proper body
1837 -- of a stub with a corresponding spec. The subprogram stub may
1838 -- carry a postcondition pragma, in which case it must be taken
1839 -- into account. The pragma appears after the stub.
1845 -- Note that non-matching pragmas are skipped
1849 Append_Enabled_Item
1854 -- Skip internally generated code
1859 -- Postcondition pragmas are usually grouped together. There
1860 -- is no need to inspect the whole declarative list.
1862 else
1871 ---------------------------------
1872 -- Process_Spec_Postconditions --
1873 ---------------------------------
1882 begin
1883 -- Process the contract
1891 Append_Enabled_Item
1900 -- Process the contracts of all inherited subprograms, looking for
1901 -- class-wide postconditions.
1912 then
1913 Append_Enabled_Item
1915 Build_Pragma_Check_Equivalent
1928 -- Start of processing for Process_Postconditions
1930 begin
1931 -- The processing of postconditions is done in reverse order (body
1932 -- first) to ensure the following arrangement:
1934 -- <refined postconditions from body>
1935 -- <postconditions from body>
1936 -- <postconditions from spec>
1937 -- <inherited postconditions>
1943 Process_Spec_Postconditions;
1947 ---------------------------
1948 -- Process_Preconditions --
1949 ---------------------------
1953 -- The sole [inherited] class-wide precondition pragma that applies
1954 -- to the subprogram.
1957 -- The insertion node after which all pragma Check equivalents are
1958 -- inserted.
1961 -- Determine whether arbitrary declaration Decl denotes a renaming of
1962 -- a discriminant or protection field _object.
1965 -- Merge two class-wide preconditions by "or else"-ing them. The
1966 -- changes are accumulated in parameter Into. Update the error
1967 -- message of Into.
1970 -- Prepend a single item to the declarations of the subprogram body
1973 -- Save a class-wide precondition into Class_Pre, or prepend a normal
1974 -- precondition to the declarations of the body and analyze it.
1977 -- Collect all inherited class-wide preconditions and merge them into
1978 -- one big precondition to be evaluated as pragma Check.
1981 -- Collect all preconditions of subprogram Subp_Id and prepend their
1982 -- pragma Check equivalents to the declarations of the body.
1984 --------------------------
1985 -- Is_Prologue_Renaming --
1986 --------------------------
1994 begin
2003 -- A discriminant renaming appears as
2004 -- Discr : constant ... := Prefix.Discr;
2010 then
2013 -- A protection field renaming appears as
2014 -- Prot : ... := _object._object;
2021 then
2030 -------------------------
2031 -- Merge_Preconditions --
2032 -------------------------
2036 -- Return the boolean expression argument of a precondition while
2037 -- updating its parentheses count for the subsequent merge.
2040 -- Return the message argument of a precondition
2042 --------------------
2043 -- Expression_Arg --
2044 --------------------
2050 begin
2058 -----------------
2059 -- Message_Arg --
2060 -----------------
2064 begin
2068 -- Local variables
2076 -- Start of processing for Merge_Preconditions
2078 begin
2079 -- Merge the two preconditions by "or else"-ing them
2086 -- Merge the two error messages to produce a single message of the
2087 -- form:
2089 -- failed precondition from ...
2090 -- also failed inherited precondition from ...
2102 ----------------------
2103 -- Prepend_To_Decls --
2104 ----------------------
2109 begin
2110 -- Ensure that the body has a declarative list
2120 ------------------------------
2121 -- Prepend_To_Decls_Or_Save --
2122 ------------------------------
2127 begin
2130 -- Save the sole class-wide precondition (if any) for the next
2131 -- step, where it will be merged with inherited preconditions.
2137 -- Accumulate the corresponding Check pragmas at the top of the
2138 -- declarations. Prepending the items ensures that they will be
2139 -- evaluated in their original order.
2141 else
2144 else
2152 -------------------------------------
2153 -- Process_Inherited_Preconditions --
2154 -------------------------------------
2164 begin
2165 -- Process the contracts of all inherited subprograms, looking for
2166 -- class-wide preconditions.
2177 then
2178 Check_Prag :=
2179 Build_Pragma_Check_Equivalent
2184 -- The spec of an inherited subprogram already yielded
2185 -- a class-wide precondition. Merge the existing
2186 -- precondition with the current one using "or else".
2190 else
2200 -- Add the merged class-wide preconditions
2208 -------------------------------
2209 -- Process_Preconditions_For --
2210 -------------------------------
2218 begin
2219 -- Process the contract
2232 -- The subprogram declaration being processed is actually a body
2233 -- stub. The stub may carry a precondition pragma, in which case
2234 -- it must be taken into account. The pragma appears after the
2235 -- stub.
2241 -- Inspect the declarations following the body stub
2246 -- Note that non-matching pragmas are skipped
2253 -- Skip internally generated code
2258 -- Preconditions are usually grouped together. There is no
2259 -- need to inspect the whole declarative list.
2261 else
2270 -- Local variables
2275 -- Start of processing for Process_Preconditions
2277 begin
2278 -- Find the proper insertion point for all pragma Check equivalents
2284 -- First source declaration terminates the search, because all
2285 -- preconditions must be evaluated prior to it, by definition.
2290 -- Certain internally generated object renamings such as those
2291 -- for discriminants and protection fields must be elaborated
2292 -- before the preconditions are evaluated, as their expressions
2293 -- may mention the discriminants.
2298 -- Otherwise the declaration does not come from source. This
2299 -- also terminates the search, because internal code may raise
2300 -- exceptions which should not preempt the preconditions.
2302 else
2310 -- The processing of preconditions is done in reverse order (body
2311 -- first), because each pragma Check equivalent is inserted at the
2312 -- top of the declarations. This ensures that the final order is
2313 -- consistent with following diagram:
2315 -- <inherited preconditions>
2316 -- <preconditions from spec>
2317 -- <preconditions from body>
2323 Process_Inherited_Preconditions;
2327 -- Local variables
2334 -- Start of processing for Expand_Subprogram_Contract
2336 begin
2337 -- Obtain the entity of the initial declaration
2341 else
2345 -- Do not perform expansion activity when it is not needed
2350 -- ASIS requires an unaltered tree
2355 -- GNATprove does not need the executable semantics of a contract
2360 -- The contract of a generic subprogram or one declared in a generic
2361 -- context is not expanded, as the corresponding instance will provide
2362 -- the executable semantics of the contract.
2367 -- All subprograms carry a contract, but for some it is not significant
2368 -- and should not be processed. This is a small optimization.
2373 -- The contract of an ignored Ghost subprogram does not need expansion,
2374 -- because the subprogram and all calls to it will be removed.
2380 -- Do not re-expand the same contract. This scenario occurs when a
2381 -- construct is rewritten into something else during its analysis
2382 -- (expression functions for instance).
2387 -- Otherwise mark the subprogram
2389 else
2393 -- Ensure that the formal parameters are visible when expanding all
2394 -- contract items.
2402 else
2407 -- The expansion of a subprogram contract involves the creation of Check
2408 -- pragmas to verify the contract assertions of the spec and body in a
2409 -- particular order. The order is as follows:
2411 -- function Example (...) return ... is
2412 -- procedure _Postconditions (...) is
2413 -- begin
2414 -- <refined postconditions from body>
2415 -- <postconditions from body>
2416 -- <postconditions from spec>
2417 -- <inherited postconditions>
2418 -- <contract case consequences>
2419 -- <invariant check of function result>
2420 -- <invariant and predicate checks of parameters>
2421 -- end _Postconditions;
2423 -- <inherited preconditions>
2424 -- <preconditions from spec>
2425 -- <preconditions from body>
2426 -- <contract case conditions>
2428 -- <source declarations>
2429 -- begin
2430 -- <source statements>
2432 -- _Preconditions (Result);
2433 -- return Result;
2434 -- end Example;
2436 -- Routine _Postconditions holds all contract assertions that must be
2437 -- verified on exit from the related subprogram.
2439 -- Step 1: Handle all preconditions. This action must come before the
2440 -- processing of pragma Contract_Cases because the pragma prepends items
2441 -- to the body declarations.
2443 Process_Preconditions;
2445 -- Step 2: Handle all postconditions. This action must come before the
2446 -- processing of pragma Contract_Cases because the pragma appends items
2447 -- to list Stmts.
2451 -- Step 3: Handle pragma Contract_Cases. This action must come before
2452 -- the processing of invariants and predicates because those append
2453 -- items to list Stmts.
2457 -- Step 4: Apply invariant and predicate checks on a function result and
2458 -- all formals. The resulting checks are accumulated in list Stmts.
2462 -- Step 5: Construct procedure _Postconditions
2467 End_Scope;
2471 ---------------------------------
2472 -- Inherit_Subprogram_Contract --
2473 ---------------------------------
2475 procedure Inherit_Subprogram_Contract
2478 is
2480 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
2481 -- Subp's contract.
2483 --------------------
2484 -- Inherit_Pragma --
2485 --------------------
2491 begin
2492 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
2493 -- chains, therefore the node must be replicated. The new pragma is
2494 -- flagged as inherited for distinction purposes.
2504 -- Start of processing for Inherit_Subprogram_Contract
2506 begin
2507 -- Inheritance is carried out only when both entities are subprograms
2508 -- with contracts.
2513 then
2518 -------------------------------------
2519 -- Instantiate_Subprogram_Contract --
2520 -------------------------------------
2524 -- Instantiate all contract-related source pragmas found in the list,
2525 -- starting with pragma First_Prag. Each instantiated pragma is added
2526 -- to list L.
2528 -------------------------
2529 -- Instantiate_Pragmas --
2530 -------------------------
2536 begin
2540 Inst_Prag :=
2551 -- Local variables
2555 -- Start of processing for Instantiate_Subprogram_Contract
2557 begin
2565 ----------------------------------------
2566 -- Save_Global_References_In_Contract --
2567 ----------------------------------------
2569 procedure Save_Global_References_In_Contract
2572 is
2574 -- Save all global references in contract-related source pragmas found
2575 -- in the list, starting with pragma First_Prag.
2577 ------------------------------------
2578 -- Save_Global_References_In_List --
2579 ------------------------------------
2584 begin
2595 -- Local variables
2599 -- Start of processing for Save_Global_References_In_Contract
2601 begin
2602 -- The entity of the analyzed generic copy must be on the scope stack
2603 -- to ensure proper detection of global references.
2609 then
2619 Pop_Scope;