| blob | 29557eca54f0be543f2fb16f17ece20239b1a1fe |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2020, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
59 -- Analyze all delayed pragmas chained on the contract of package
60 -- instantiation Inst_Id as if they appear at the end of a declarative
61 -- region. The pragmas in question are:
62 --
63 -- Part_Of
65 procedure Check_Type_Or_Object_External_Properties
67 -- Perform checking of external properties pragmas that is common to both
68 -- type declarations and object declarations.
71 -- Expand the contracts of a subprogram body and its correspoding spec (if
72 -- any). This routine processes all [refined] pre- and postconditions as
73 -- well as Contract_Cases, Subprogram_Variant, invariants and predicates.
74 -- Body_Id denotes the entity of the subprogram body.
76 -----------------------
77 -- Add_Contract_Item --
78 -----------------------
84 -- Prepend Prag to the list of classifications
87 -- Prepend Prag to the list of contract and test cases
90 -- Prepend Prag to the list of pre- and postconditions
92 ------------------------
93 -- Add_Classification --
94 ------------------------
97 begin
102 ----------------------------
103 -- Add_Contract_Test_Case --
104 ----------------------------
107 begin
112 ----------------------------
113 -- Add_Pre_Post_Condition --
114 ----------------------------
117 begin
122 -- Local variables
124 -- A contract must contain only pragmas
129 -- Start of processing for Add_Contract_Item
131 begin
132 -- Create a new contract when adding the first item
139 -- Constants, the applicable pragmas are:
140 -- Part_Of
144 Add_Classification;
146 -- The pragma is not a proper contract item
148 else
152 -- Entry bodies, the applicable pragmas are:
153 -- Refined_Depends
154 -- Refined_Global
155 -- Refined_Post
159 Add_Classification;
162 Add_Pre_Post_Condition;
164 -- The pragma is not a proper contract item
166 else
170 -- Entry or subprogram declarations, the applicable pragmas are:
171 -- Attach_Handler
172 -- Contract_Cases
173 -- Depends
174 -- Extensions_Visible
175 -- Global
176 -- Interrupt_Handler
177 -- Postcondition
178 -- Precondition
179 -- Test_Case
180 -- Volatile_Function
184 | E_Generic_Function
185 | E_Generic_Procedure
186 | E_Procedure
187 then
190 then
191 Add_Classification;
194 | Name_Extensions_Visible
195 | Name_Global
196 then
197 Add_Classification;
201 then
202 Add_Classification;
205 | Name_Subprogram_Variant
206 | Name_Test_Case
207 then
208 Add_Contract_Test_Case;
211 Add_Pre_Post_Condition;
213 -- The pragma is not a proper contract item
215 else
219 -- Packages or instantiations, the applicable pragmas are:
220 -- Abstract_States
221 -- Initial_Condition
222 -- Initializes
223 -- Part_Of (instantiation only)
227 | Name_Initial_Condition
228 | Name_Initializes
229 then
230 Add_Classification;
232 -- Indicator Part_Of must be associated with a package instantiation
235 Add_Classification;
237 -- The pragma is not a proper contract item
239 else
243 -- Package bodies, the applicable pragmas are:
244 -- Refined_States
248 Add_Classification;
250 -- The pragma is not a proper contract item
252 else
256 -- The four volatility refinement pragmas are ok for all types.
257 -- Part_Of is ok for task types and protected types.
258 -- Depends and Global are ok for task types.
261 declare
263 Prag_Nam in Name_Async_Readers
264 | Name_Async_Writers
265 | Name_Effective_Reads
266 | Name_Effective_Writes
269 | Name_Depends
270 | Name_Global)
273 begin
275 Add_Classification;
276 else
278 -- The pragma is not a proper contract item
284 -- Subprogram bodies, the applicable pragmas are:
285 -- Postcondition
286 -- Precondition
287 -- Refined_Depends
288 -- Refined_Global
289 -- Refined_Post
293 Add_Classification;
296 | Name_Precondition
297 | Name_Refined_Post
298 then
299 Add_Pre_Post_Condition;
301 -- The pragma is not a proper contract item
303 else
307 -- Task bodies, the applicable pragmas are:
308 -- Refined_Depends
309 -- Refined_Global
313 Add_Classification;
315 -- The pragma is not a proper contract item
317 else
321 -- Task units, the applicable pragmas are:
322 -- Depends
323 -- Global
324 -- Part_Of
326 -- Variables, the applicable pragmas are:
327 -- Async_Readers
328 -- Async_Writers
329 -- Constant_After_Elaboration
330 -- Depends
331 -- Effective_Reads
332 -- Effective_Writes
333 -- Global
334 -- No_Caching
335 -- Part_Of
339 | Name_Async_Writers
340 | Name_Constant_After_Elaboration
341 | Name_Depends
342 | Name_Effective_Reads
343 | Name_Effective_Writes
344 | Name_Global
345 | Name_No_Caching
346 | Name_Part_Of
347 then
348 Add_Classification;
350 -- The pragma is not a proper contract item
352 else
356 else
361 -----------------------
362 -- Analyze_Contracts --
363 -----------------------
368 begin
372 -- Entry or subprogram declarations
375 | N_Entry_Declaration
376 | N_Generic_Subprogram_Declaration
377 | N_Subprogram_Declaration
378 then
379 declare
382 begin
385 -- If analysis of a class-wide pre/postcondition indicates
386 -- that a class-wide clone is needed, analyze its declaration
387 -- now. Its body is created when the body of the original
388 -- operation is analyzed (and rewritten).
392 then
397 -- Entry or subprogram bodies
402 -- Objects
407 -- Package instantiation
412 -- Protected units
415 | N_Single_Protected_Declaration
416 then
419 -- Subprogram body stubs
424 -- Task units
427 | N_Task_Type_Declaration
428 then
431 -- For type declarations, we need to do the preanalysis of Iterable
432 -- and the 3 Xxx_Literal aspect specifications.
434 -- Other type aspects need to be resolved here???
438 then
439 declare
449 begin
467 | N_Private_Type_Declaration
468 | N_Task_Type_Declaration
469 | N_Protected_Type_Declaration
470 | N_Formal_Type_Declaration
471 then
479 -----------------------------------------------
480 -- Analyze_Entry_Or_Subprogram_Body_Contract --
481 -----------------------------------------------
483 -- WARNING: This routine manages SPARK regions. Return statements must be
484 -- replaced by gotos which jump to the end of the routine and restore the
485 -- SPARK mode.
494 -- Save the SPARK_Mode-related data to restore on exit
496 begin
497 -- When a subprogram body declaration is illegal, its defining entity is
498 -- left unanalyzed. There is nothing left to do in this case because the
499 -- body lacks a contract, or even a proper Ekind.
504 -- Do not analyze a contract multiple times
509 else
514 -- Due to the timing of contract analysis, delayed pragmas may be
515 -- subject to the wrong SPARK_Mode, usually that of the enclosing
516 -- context. To remedy this, restore the original SPARK_Mode of the
517 -- related subprogram body.
521 -- Ensure that the contract cases or postconditions mention 'Result or
522 -- define a post-state.
526 -- A stand-alone nonvolatile function body cannot have an effectively
527 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
528 -- check is relevant only when SPARK_Mode is on, as it is not a standard
529 -- legality rule. The check is performed here because Volatile_Function
530 -- is processed after the analysis of the related subprogram body. The
531 -- check only applies to source subprograms and not to generated TSS
532 -- subprograms.
538 then
542 -- Restore the SPARK_Mode of the enclosing context after all delayed
543 -- pragmas have been analyzed.
547 -- Capture all global references in a generic subprogram body now that
548 -- the contract has been analyzed.
551 Save_Global_References_In_Contract
556 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
557 -- Subprogram_Variant, invariants and predicates associated with body
558 -- and its spec. Do not expand the contract of subprogram body stubs.
565 ------------------------------------------
566 -- Analyze_Entry_Or_Subprogram_Contract --
567 ------------------------------------------
569 -- WARNING: This routine manages SPARK regions. Return statements must be
570 -- replaced by gotos which jump to the end of the routine and restore the
571 -- SPARK mode.
573 procedure Analyze_Entry_Or_Subprogram_Contract
576 is
582 -- Save the SPARK_Mode-related data to restore on exit
592 begin
593 -- Do not analyze a contract multiple times
598 else
603 -- Due to the timing of contract analysis, delayed pragmas may be
604 -- subject to the wrong SPARK_Mode, usually that of the enclosing
605 -- context. To remedy this, restore the original SPARK_Mode of the
606 -- related subprogram body.
610 -- All subprograms carry a contract, but for some it is not significant
611 -- and should not be processed.
618 -- Do not analyze the pre/postconditions of an entry declaration
619 -- unless annotating the original tree for GNATprove. The
620 -- real analysis occurs when the pre/postconditons are relocated to
621 -- the contract wrapper procedure (see Build_Contract_Wrapper).
626 -- Otherwise analyze the pre/postconditions.
627 -- If these come from an aspect specification, their expressions
628 -- might include references to types that are not frozen yet, in the
629 -- case where the body is a rewritten expression function that is a
630 -- completion, so freeze all types within before constructing the
631 -- contract code.
633 else
634 declare
638 begin
647 then
654 if Freeze_Types
656 then
657 Freeze_Expr_Types
660 Expr =>
661 Expression
672 -- Analyze contract-cases, subprogram-variant and test-cases
680 -- Do not analyze the contract cases of an entry declaration
681 -- unless annotating the original tree for GNATprove.
682 -- The real analysis occurs when the contract cases are moved
683 -- to the contract wrapper procedure (Build_Contract_Wrapper).
688 -- Otherwise analyze the contract cases
690 else
697 else
705 -- Analyze classification pragmas
721 -- Analyze Global first, as Depends may mention items classified in
722 -- the global categorization.
728 -- Depends must be analyzed after Global in order to see the modes of
729 -- all global items.
735 -- Ensure that the contract cases or postconditions mention 'Result
736 -- or define a post-state.
741 -- A nonvolatile function cannot have an effectively volatile formal
742 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
743 -- only when SPARK_Mode is on, as it is not a standard legality rule.
744 -- The check is performed here because pragma Volatile_Function is
745 -- processed after the analysis of the related subprogram declaration.
751 then
755 -- Restore the SPARK_Mode of the enclosing context after all delayed
756 -- pragmas have been analyzed.
760 -- Capture all global references in a generic subprogram now that the
761 -- contract has been analyzed.
764 Save_Global_References_In_Contract
770 ----------------------------------------------
771 -- Check_Type_Or_Object_External_Properties --
772 ----------------------------------------------
774 procedure Check_Type_Or_Object_External_Properties
776 is
779 -- Returns "type" or Object_Kind, depending on Is_Type
781 ---------------
782 -- Decl_Kind --
783 ---------------
787 begin
790 else
797 -- Local variables
807 -- Start of processing for Check_Type_Or_Object_External_Properties
809 begin
810 -- Analyze all external properties
815 -- If the parent type of a derived type is volatile
816 -- then the derived type inherits volatility-related flags.
819 declare
822 begin
831 else
838 declare
840 begin
844 Error_Msg_N
846 Prag);
854 declare
856 begin
860 Error_Msg_N
862 Prag);
870 declare
872 begin
876 Error_Msg_N
878 Prag);
886 declare
888 begin
892 Error_Msg_N
894 Prag);
899 -- Verify the mutual interaction of the various external properties
902 Check_External_Properties
906 -- The following checks are relevant only when SPARK_Mode is on, as
907 -- they are not standard Ada legality rules. Internally generated
908 -- temporaries are ignored, as well as return objects.
913 then
916 -- The declaration of an effectively volatile object or type must
917 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
920 Error_Msg_N
927 -- An object of a discriminated type cannot be effectively
928 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
932 then
933 Error_Msg_N
938 Type_Or_Obj_Id);
941 -- An object decl shall be compatible with respect to volatility
942 -- with its type (SPARK RM 7.1.3(2)).
946 Check_Volatility_Compatibility
952 -- A component of a composite type (in this case, the composite
953 -- type is an array type) shall be compatible with respect to
954 -- volatility with the composite type (SPARK RM 7.1.3(6)).
957 Check_Volatility_Compatibility
962 -- A component of a composite type (in this case, the composite
963 -- type is a record type) shall be compatible with respect to
964 -- volatility with the composite type (SPARK RM 7.1.3(6)).
967 declare
969 begin
971 Check_Volatility_Compatibility
981 -- The type or object is not effectively volatile
983 else
984 -- A non-effectively volatile type cannot have effectively
985 -- volatile components (SPARK RM 7.1.3(6)).
987 if Is_Type_Id
990 then
991 Error_Msg_N
994 Type_Or_Obj_Id);
1000 -----------------------------
1001 -- Analyze_Object_Contract --
1002 -----------------------------
1004 -- WARNING: This routine manages SPARK regions. Return statements must be
1005 -- replaced by gotos which jump to the end of the routine and restore the
1006 -- SPARK mode.
1008 procedure Analyze_Object_Contract
1011 is
1016 -- Save the SPARK_Mode-related data to restore on exit
1023 begin
1024 -- The loop parameter in an element iterator over a formal container
1025 -- is declared with an object declaration, but no contracts apply.
1031 -- Do not analyze a contract multiple times
1038 else
1043 -- The anonymous object created for a single concurrent type inherits
1044 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
1045 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
1046 -- of the enclosing context. To remedy this, restore the original mode
1047 -- of the related anonymous object.
1051 then
1055 -- Constant-related checks
1059 -- Analyze indicator Part_Of
1063 -- Check whether the lack of indicator Part_Of agrees with the
1064 -- placement of the constant with respect to the state space.
1070 -- A constant cannot be effectively volatile (SPARK RM 7.1.3(4)).
1071 -- This check is relevant only when SPARK_Mode is on, as it is not
1072 -- a standard Ada legality rule. Internally-generated constants that
1073 -- map generic formals to actuals in instantiations are allowed to
1074 -- be volatile.
1080 then
1084 -- Variable-related checks
1088 Check_Type_Or_Object_External_Properties
1091 -- Analyze the non-external volatility property No_Caching
1099 -- The anonymous object created for a single task type carries
1100 -- pragmas Depends and Global of the type.
1104 -- Analyze Global first, as Depends may mention items classified
1105 -- in the global categorization.
1113 -- Depends must be analyzed after Global in order to see the modes
1114 -- of all global items.
1125 -- Analyze indicator Part_Of
1130 -- The variable is a constituent of a single protected/task type
1131 -- and behaves as a component of the type. Verify that references
1132 -- to the variable occur within the definition or body of the type
1133 -- (SPARK RM 9.3).
1136 and then Is_Single_Concurrent_Object
1139 then
1147 -- Otherwise check whether the lack of indicator Part_Of agrees with
1148 -- the placement of the variable with respect to the state space.
1150 else
1155 -- Common checks
1159 -- A Ghost object cannot be of a type that yields a synchronized
1160 -- object (SPARK RM 6.9(19)).
1165 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
1166 -- SPARK RM 6.9(19)).
1171 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
1172 -- One exception to this is the object that represents the dispatch
1173 -- table of a Ghost tagged type, as the symbol needs to be exported.
1183 -- Restore the SPARK_Mode of the enclosing context after all delayed
1184 -- pragmas have been analyzed.
1189 -----------------------------------
1190 -- Analyze_Package_Body_Contract --
1191 -----------------------------------
1193 -- WARNING: This routine manages SPARK regions. Return statements must be
1194 -- replaced by gotos which jump to the end of the routine and restore the
1195 -- SPARK mode.
1197 procedure Analyze_Package_Body_Contract
1200 is
1207 -- Save the SPARK_Mode-related data to restore on exit
1211 begin
1212 -- Do not analyze a contract multiple times
1217 else
1222 -- Due to the timing of contract analysis, delayed pragmas may be
1223 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1224 -- context. To remedy this, restore the original SPARK_Mode of the
1225 -- related package body.
1231 -- The analysis of pragma Refined_State detects whether the spec has
1232 -- abstract states available for refinement.
1238 -- Restore the SPARK_Mode of the enclosing context after all delayed
1239 -- pragmas have been analyzed.
1243 -- Capture all global references in a generic package body now that the
1244 -- contract has been analyzed.
1247 Save_Global_References_In_Contract
1253 ------------------------------
1254 -- Analyze_Package_Contract --
1255 ------------------------------
1257 -- WARNING: This routine manages SPARK regions. Return statements must be
1258 -- replaced by gotos which jump to the end of the routine and restore the
1259 -- SPARK mode.
1267 -- Save the SPARK_Mode-related data to restore on exit
1274 begin
1275 -- Do not analyze a contract multiple times
1280 else
1285 -- Due to the timing of contract analysis, delayed pragmas may be
1286 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1287 -- context. To remedy this, restore the original SPARK_Mode of the
1288 -- related package.
1294 -- Locate and store pragmas Initial_Condition and Initializes, since
1295 -- their order of analysis matters.
1311 -- Analyze the initialization-related pragmas. Initializes must come
1312 -- before Initial_Condition due to item dependencies.
1323 -- Restore the SPARK_Mode of the enclosing context after all delayed
1324 -- pragmas have been analyzed.
1328 -- Capture all global references in a generic package now that the
1329 -- contract has been analyzed.
1332 Save_Global_References_In_Contract
1338 --------------------------------------------
1339 -- Analyze_Package_Instantiation_Contract --
1340 --------------------------------------------
1342 -- WARNING: This routine manages SPARK regions. Return statements must be
1343 -- replaced by gotos which jump to the end of the routine and restore the
1344 -- SPARK mode.
1352 -- Save the SPARK_Mode-related data to restore on exit
1357 begin
1358 -- Nothing to do when the package instantiation is erroneous or left
1359 -- partially decorated.
1368 -- Due to the timing of contract analysis, delayed pragmas may be
1369 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1370 -- context. To remedy this, restore the original SPARK_Mode of the
1371 -- related package.
1375 -- Check whether the lack of indicator Part_Of agrees with the placement
1376 -- of the package instantiation with respect to the state space. Nested
1377 -- package instantiations do not need to be checked because they inherit
1378 -- Part_Of indicator of the outermost package instantiation (see routine
1379 -- Propagate_Part_Of in Sem_Prag).
1388 -- Restore the SPARK_Mode of the enclosing context after all delayed
1389 -- pragmas have been analyzed.
1394 --------------------------------
1395 -- Analyze_Protected_Contract --
1396 --------------------------------
1401 begin
1402 -- Do not analyze a contract multiple times
1407 else
1413 -------------------------------------------
1414 -- Analyze_Subprogram_Body_Stub_Contract --
1415 -------------------------------------------
1421 begin
1422 -- A subprogram body stub may act as its own spec or as the completion
1423 -- of a previous declaration. Depending on the context, the contract of
1424 -- the stub may contain two sets of pragmas.
1426 -- The stub is a completion, the applicable pragmas are:
1427 -- Refined_Depends
1428 -- Refined_Global
1433 -- The stub acts as its own spec, the applicable pragmas are:
1434 -- Contract_Cases
1435 -- Depends
1436 -- Global
1437 -- Postcondition
1438 -- Precondition
1439 -- Subprogram_Variant
1440 -- Test_Case
1442 else
1447 ---------------------------
1448 -- Analyze_Task_Contract --
1449 ---------------------------
1451 -- WARNING: This routine manages SPARK regions. Return statements must be
1452 -- replaced by gotos which jump to the end of the routine and restore the
1453 -- SPARK mode.
1460 -- Save the SPARK_Mode-related data to restore on exit
1464 begin
1465 -- Do not analyze a contract multiple times
1470 else
1475 -- Due to the timing of contract analysis, delayed pragmas may be
1476 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1477 -- context. To remedy this, restore the original SPARK_Mode of the
1478 -- related task unit.
1482 -- Analyze Global first, as Depends may mention items classified in the
1483 -- global categorization.
1491 -- Depends must be analyzed after Global in order to see the modes of
1492 -- all global items.
1500 -- Restore the SPARK_Mode of the enclosing context after all delayed
1501 -- pragmas have been analyzed.
1506 ---------------------------
1507 -- Analyze_Type_Contract --
1508 ---------------------------
1511 begin
1512 Check_Type_Or_Object_External_Properties
1516 -----------------------------
1517 -- Create_Generic_Contract --
1518 -----------------------------
1525 -- Add a single contract-related source pragma Prag to the contract of
1526 -- generic template Templ_Id.
1528 ---------------------------------
1529 -- Add_Generic_Contract_Pragma --
1530 ---------------------------------
1535 begin
1536 -- Mark the pragma to prevent the premature capture of global
1537 -- references when capturing global references of the context
1538 -- (see Save_References_In_Pragma).
1542 -- Pragmas that apply to a generic subprogram declaration are not
1543 -- part of the semantic structure of the generic template:
1545 -- generic
1546 -- procedure Example (Formal : Integer);
1547 -- pragma Precondition (Formal > 0);
1549 -- Create a generic template for such pragmas and link the template
1550 -- of the pragma with the generic template.
1553 Rewrite
1560 -- Otherwise link the pragma with the generic template
1562 else
1567 -- Local variables
1572 -- Start of processing for Create_Generic_Contract
1574 begin
1575 -- A generic package declaration carries contract-related source pragmas
1576 -- in its visible declarations.
1585 -- A generic package body carries contract-related source pragmas in its
1586 -- declarations.
1595 -- Generic subprogram declaration
1600 else
1604 -- When the generic subprogram acts as a compilation unit, inspect
1605 -- the Pragmas_After list for contract-related source pragmas.
1610 then
1614 -- Otherwise inspect the successive declarations for contract-related
1615 -- source pragmas.
1617 else
1621 -- A generic subprogram body carries contract-related source pragmas in
1622 -- its declarations.
1632 -- Inspect the relevant declarations looking for contract-related source
1633 -- pragmas and add them to the contract of the generic unit.
1639 -- The source pragma is a contract annotation
1645 -- The region where a contract-related source pragma may appear
1646 -- ends with the first source non-pragma declaration or statement.
1648 else
1657 --------------------------------
1658 -- Expand_Subprogram_Contract --
1659 --------------------------------
1665 procedure Add_Invariant_And_Predicate_Checks
1669 -- Process the result of function Subp_Id (if applicable) and all its
1670 -- formals. Add invariant and predicate checks where applicable. The
1671 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
1672 -- function, Result contains the entity of parameter _Result, to be
1673 -- used in the creation of procedure _Postconditions.
1675 procedure Add_Stable_Property_Contracts
1677 -- Augment postcondition contracts to reflect Stable_Property aspect
1678 -- (if Class_Present = False) or Stable_Property'Class aspect (if
1679 -- Class_Present = True).
1682 -- Append a node to a list. If there is no list, create a new one. When
1683 -- the item denotes a pragma, it is added to the list only when it is
1684 -- enabled.
1686 procedure Build_Postconditions_Procedure
1690 -- Create the body of procedure _Postconditions which handles various
1691 -- assertion actions on exit from subprogram Subp_Id. Stmts is the list
1692 -- of statements to be checked on exit. Parameter Result is the entity
1693 -- of parameter _Result when Subp_Id denotes a function.
1696 -- Process pragma Contract_Cases. This routine prepends items to the
1697 -- body declarations and appends items to list Stmts.
1700 -- Collect all [inherited] spec and body postconditions and accumulate
1701 -- their pragma Check equivalents in list Stmts.
1704 -- Collect all [inherited] spec and body preconditions and prepend their
1705 -- pragma Check equivalents to the declarations of the body.
1707 ----------------------------------------
1708 -- Add_Invariant_And_Predicate_Checks --
1709 ----------------------------------------
1711 procedure Add_Invariant_And_Predicate_Checks
1715 is
1717 -- Id denotes the return value of a function or a formal parameter.
1718 -- Add an invariant check if the type of Id is access to a type with
1719 -- invariants. The routine appends the generated code to Stmts.
1722 -- Determine whether type Typ can benefit from invariant checks. To
1723 -- qualify, the type must have a non-null invariant procedure and
1724 -- subprogram Subp_Id must appear visible from the point of view of
1725 -- the type.
1727 ---------------------------------
1728 -- Add_Invariant_Access_Checks --
1729 ---------------------------------
1736 begin
1743 Ref :=
1748 -- Generate:
1749 -- if <Id> /= null then
1750 -- <invariant_call (<Ref>)>
1751 -- end if;
1753 Append_Enabled_Item
1756 Condition =>
1767 -------------------------
1768 -- Invariant_Checks_OK --
1769 -------------------------
1773 -- Determine whether type Typ has public visibility of subprogram
1774 -- Subp_Id.
1776 -----------------------------------------
1777 -- Has_Public_Visibility_Of_Subprogram --
1778 -----------------------------------------
1783 begin
1784 -- An Initialization procedure must be considered visible even
1785 -- though it is internally generated.
1793 -- Internally generated code is never publicly visible except
1794 -- for a subprogram that is the implementation of an expression
1795 -- function. In that case the visibility is determined by the
1796 -- last check.
1799 and then
1801 or else not
1803 then
1806 -- Determine whether the subprogram is declared in the visible
1807 -- declarations of the package containing the type, or in the
1808 -- visible declaration of a child unit of that package.
1810 else
1811 declare
1818 begin
1819 return
1820 Decls = Visible_Declarations
1823 or else
1827 and then
1829 and then
1830 Decls = Visible_Declarations
1831 (Specification
1837 -- Start of processing for Invariant_Checks_OK
1839 begin
1840 return
1847 -- Local variables
1850 -- Source location of subprogram body contract
1855 -- Start of processing for Add_Invariant_And_Predicate_Checks
1857 begin
1860 -- Process the result of a function
1865 -- Generate _Result which is used in procedure _Postconditions to
1866 -- verify the return value.
1871 -- Add an invariant check when the return type has invariants and
1872 -- the related function is visible to the outside.
1875 Append_Enabled_Item
1881 -- Add an invariant check when the return type is an access to a
1882 -- type with invariants.
1887 -- Add invariant checks for all formals that qualify (see AI05-0289
1888 -- and AI12-0044).
1897 then
1899 Append_Enabled_Item
1907 -- Note: we used to add predicate checks for OUT and IN OUT
1908 -- formals here, but that was misguided, since such checks are
1909 -- performed on the caller side, based on the predicate of the
1910 -- actual, rather than the predicate of the formal.
1918 -----------------------------------
1919 -- Add_Stable_Property_Contracts --
1920 -----------------------------------
1922 procedure Add_Stable_Property_Contracts
1924 is
1927 procedure Insert_Stable_Property_Check
1929 -- Build the pragma for one check and insert it in the tree.
1931 function Make_Stable_Property_Condition
1933 -- Builds tree for "Func (Formal) = Func (Formal)'Old" expression.
1935 function Stable_Properties
1938 -- If no aspect specified, then returns length-zero result.
1939 -- Negated indicates that reserved word NOT was specified.
1941 ----------------------------------
1942 -- Insert_Stable_Property_Check --
1943 ----------------------------------
1945 procedure Insert_Stable_Property_Check
1949 New_List
1950 (Make_Pragma_Argument_Association
1952 Expression =>
1953 Make_Stable_Property_Condition
1956 Make_Pragma_Argument_Association
1958 Expression =>
1959 Make_String_Literal
1961 Strval =>
1962 "failed stable property check at "
1970 )));
1974 Pragma_Identifier =>
1980 begin
1981 -- Enclosing_Declaration may return, for example,
1982 -- a N_Procedure_Specification node. Cope with this.
1983 loop
1993 ------------------------------------
1994 -- Make_Stable_Property_Condition --
1995 ------------------------------------
1997 function Make_Stable_Property_Condition
1999 is
2001 (Make_Function_Call
2003 Name =>
2005 Parameter_Associations =>
2007 begin
2008 return Make_Op_Eq
2010 Call_Property_Function,
2011 Make_Attribute_Reference
2017 -----------------------
2018 -- Stable_Properties --
2019 -----------------------
2021 function Stable_Properties
2023 return Subprogram_List
2024 is
2026 Find_Value_Of_Aspect
2029 begin
2030 -- ??? For a derived type, we wish Find_Value_Of_Aspect
2031 -- somehow knew that this aspect is not inherited.
2032 -- But it doesn't, so we cope with that here.
2033 --
2034 -- There are probably issues here with inheritance from
2035 -- interface types, where just looking for the one parent type
2036 -- isn't enough. But this is far from the only work needed for
2037 -- Stable_Properties'Class for interface types.
2040 declare
2043 begin
2045 Find_Value_Of_Aspect
2048 then
2049 -- prevent inheritance
2057 -- This is a little bit subtle.
2058 -- We need to assign True in the Subp_Id case in order to
2059 -- distinguish between no aspect spec at all vs. an
2060 -- explicitly specified "with S_P => []" empty list.
2061 -- In both cases Stable_Properties will return a length-0
2062 -- array, but the two cases are not equivalent.
2063 -- Very roughly speaking the lack of an S_P aspect spec for
2064 -- a subprogram would be equivalent to something like
2065 -- "with S_P => [not]", where we apply the "not" modifier to
2066 -- an empty set of subprograms, if such a construct existed.
2067 -- We could just assign True here, but it seems untidy to
2068 -- return True in the case of an aspect spec for a type
2069 -- (since negation is only allowed for subp S_P aspects).
2072 else
2073 return Parse_Aspect_Stable_Properties
2085 -- start of processing for Add_Stable_Property_Contracts
2087 begin
2089 then
2101 then
2102 -- ??? Need to filter out checks for SPFs that are
2103 -- mentioned explicitly in the postcondition of
2104 -- Subp_Id.
2106 Insert_Stable_Property_Check
2112 declare
2118 function Excluded_By_Aspect_Spec_Of_Subp
2120 -- Examine Subp_Properties to determine whether SPF should
2121 -- be excluded.
2123 -------------------------------------
2124 -- Excluded_By_Aspect_Spec_Of_Subp --
2125 -------------------------------------
2127 function Excluded_By_Aspect_Spec_Of_Subp
2129 begin
2131 -- Look through renames for equality test here ???
2135 -- Look through renames for equality test here ???
2138 begin
2142 -- ??? Need to filter out checks for SPFs that are
2143 -- mentioned explicitly in the postcondition of
2144 -- Subp_Id.
2145 Insert_Stable_Property_Check
2156 -------------------------
2157 -- Append_Enabled_Item --
2158 -------------------------
2161 begin
2162 -- Do not chain ignored or disabled pragmas
2166 then
2169 -- Otherwise, add the item
2171 else
2176 -- If the pragma is a conjunct in a composite postcondition, it
2177 -- has been processed in reverse order. In the postcondition body
2178 -- it must appear before the others.
2183 then
2185 else
2191 ------------------------------------
2192 -- Build_Postconditions_Procedure --
2193 ------------------------------------
2195 procedure Build_Postconditions_Procedure
2199 is
2208 -- Extra declarations needed to handle interactions between
2209 -- postconditions and finalization.
2217 -- Start of processing for Build_Postconditions_Procedure
2219 begin
2220 -- Nothing to do if there are no actions to check on exit
2226 -- Otherwise, we generate the postcondition procedure and add
2227 -- associated objects and conditions used to coordinate postcondition
2228 -- evaluation with finalization.
2230 -- Generate:
2231 --
2232 -- procedure _postconditions (Return_Exp : Result_Typ);
2233 --
2234 -- -- Result_Obj_Type created when Result_Type is non-elementary
2235 -- [type Result_Obj_Type is access all Result_Typ;]
2236 --
2237 -- Result_Obj : Result_Obj_Type;
2238 --
2239 -- Postcond_Enabled : Boolean := True;
2240 -- Return_Success_For_Postcond : Boolean := False;
2241 --
2242 -- procedure _postconditions (Return_Exp : Result_Typ) is
2243 -- begin
2244 -- if Postcond_Enabled and then Return_Success_For_Postcond then
2245 -- [stmts];
2246 -- end if;
2247 -- end;
2253 -- Force the front-end inlining of _Postconditions when generating C
2254 -- code, since its body may have references to itypes defined in the
2255 -- enclosing subprogram, which would cause problems for unnesting
2256 -- routines in the absence of inlining.
2264 -- The related subprogram is a function: create the specification of
2265 -- parameter _Result.
2271 Parameter_Type =>
2275 Proc_Spec :=
2282 -- Insert _Postconditions before the first source declaration of the
2283 -- body. This ensures that the body will not cause any premature
2284 -- freezing, as it may mention types:
2286 -- Generate:
2287 --
2288 -- procedure Proc (Obj : Array_Typ) is
2289 -- procedure _postconditions is
2290 -- begin
2291 -- ... Obj ...
2292 -- end _postconditions;
2293 --
2294 -- subtype T is Array_Typ (Obj'First (1) .. Obj'Last (1));
2295 -- begin
2297 -- In the example above, Obj is of type T but the incorrect placement
2298 -- of _Postconditions will cause a crash in gigi due to an out-of-
2299 -- order reference. The body of _Postconditions must be placed after
2300 -- the declaration of Temp to preserve correct visibility.
2302 Insert_Before_First_Source_Declaration
2307 -- When Result is present (e.g. the postcondition checks apply to a
2308 -- function) we make a local object to capture the result, so, if
2309 -- needed, we can call the generated postconditions procedure during
2310 -- finalization instead of at the point of return.
2312 -- Note: The placement of the following declarations before the
2313 -- declaration of the body of the postconditions, but after the
2314 -- declaration of the postconditions spec is deliberate and required
2315 -- since other code within the expander expects them to be located
2316 -- here. Perhaps when more space is available in the tree this will
2317 -- no longer be necessary ???
2320 -- Elementary result types mean a copy is cheap and preferred over
2321 -- using pointers.
2326 -- Otherwise, we create a named access type to capture the result
2328 -- Generate:
2329 --
2330 -- type Result_Obj_Type is access all [Result_Type];
2332 else
2335 Result_Obj_Type_Decl :=
2338 Type_Definition =>
2341 Subtype_Indication => New_Occurrence_Of
2347 -- Create the result obj declaration
2349 -- Generate:
2350 --
2351 -- Result_Object_For_Postcond : Result_Obj_Type;
2353 Result_Obj_Decl :=
2355 Defining_Identifier =>
2356 Make_Defining_Identifier
2358 Object_Definition =>
2359 New_Occurrence_Of
2366 -- Build the Postcond_Enabled flag used to delay evaluation of
2367 -- postconditions until finalization has been performed when cleanup
2368 -- actions are present.
2370 -- Generate:
2371 --
2372 -- Postcond_Enabled : Boolean := True;
2374 Postcond_Enabled_Decl :=
2376 Defining_Identifier =>
2377 Make_Defining_Identifier
2384 -- Create a flag to indicate that return has been reached
2386 -- This is necessary for deciding whether to execute _postconditions
2387 -- during finalization.
2389 -- Generate:
2390 --
2391 -- Return_Success_For_Postcond : Boolean := False;
2393 Return_Success_Decl :=
2395 Defining_Identifier =>
2396 Make_Defining_Identifier
2403 -- Set an explicit End_Label to override the sloc of the implicit
2404 -- RETURN statement, and prevent it from inheriting the sloc of one
2405 -- the postconditions: this would cause confusing debug info to be
2406 -- produced, interfering with coverage-analysis tools.
2408 -- Also, wrap the postcondition checks in a conditional which can be
2409 -- used to delay their evaluation when clean-up actions are present.
2411 -- Generate:
2412 --
2413 -- procedure _postconditions is
2414 -- begin
2415 -- if Postcond_Enabled and then Return_Success_For_Postcond then
2416 -- [Stmts];
2417 -- end if;
2418 -- end;
2420 Proc_Bod :=
2422 Specification =>
2425 Handled_Statement_Sequence =>
2430 Condition =>
2432 Left_Opnd =>
2433 New_Occurrence_Of
2434 (Defining_Identifier
2436 Right_Opnd =>
2437 New_Occurrence_Of
2438 (Defining_Identifier
2445 ----------------------------
2446 -- Process_Contract_Cases --
2447 ----------------------------
2451 -- Process pragma Contract_Cases for subprogram Subp_Id
2453 --------------------------------
2454 -- Process_Contract_Cases_For --
2455 --------------------------------
2461 begin
2467 Expand_Pragma_Contract_Cases
2474 Expand_Pragma_Subprogram_Variant
2487 -- Stmts is passed as IN OUT to signal that the list can be updated,
2488 -- even if the corresponding integer value representing the list does
2489 -- not change.
2491 -- Start of processing for Process_Contract_Cases
2493 begin
2501 ----------------------------
2502 -- Process_Postconditions --
2503 ----------------------------
2507 -- Collect all [refined] postconditions of a specific kind denoted
2508 -- by Post_Nam that belong to the body, and generate pragma Check
2509 -- equivalents in list Stmts.
2512 -- Collect all [inherited] postconditions of the spec, and generate
2513 -- pragma Check equivalents in list Stmts.
2515 ---------------------------------
2516 -- Process_Body_Postconditions --
2517 ---------------------------------
2525 begin
2526 -- Process the contract
2533 then
2534 Append_Enabled_Item
2543 -- The subprogram body being processed is actually the proper body
2544 -- of a stub with a corresponding spec. The subprogram stub may
2545 -- carry a postcondition pragma, in which case it must be taken
2546 -- into account. The pragma appears after the stub.
2552 -- Note that non-matching pragmas are skipped
2557 then
2558 Append_Enabled_Item
2563 -- Skip internally generated code
2568 -- Postcondition pragmas are usually grouped together. There
2569 -- is no need to inspect the whole declarative list.
2571 else
2580 ---------------------------------
2581 -- Process_Spec_Postconditions --
2582 ---------------------------------
2592 begin
2593 -- Process the contract
2602 then
2603 Append_Enabled_Item
2612 -- Process the contracts of all inherited subprograms, looking for
2613 -- class-wide postconditions.
2624 then
2625 Item :=
2626 Build_Pragma_Check_Equivalent
2631 -- The pragma Check equivalent of the class-wide
2632 -- postcondition is still created even though the
2633 -- pragma may be ignored because the equivalent
2634 -- performs semantic checks.
2648 -- Stmts is passed as IN OUT to signal that the list can be updated,
2649 -- even if the corresponding integer value representing the list does
2650 -- not change.
2652 -- Start of processing for Process_Postconditions
2654 begin
2655 -- The processing of postconditions is done in reverse order (body
2656 -- first) to ensure the following arrangement:
2658 -- <refined postconditions from body>
2659 -- <postconditions from body>
2660 -- <postconditions from spec>
2661 -- <inherited postconditions>
2667 Process_Spec_Postconditions;
2671 ---------------------------
2672 -- Process_Preconditions --
2673 ---------------------------
2677 -- The sole [inherited] class-wide precondition pragma that applies
2678 -- to the subprogram.
2681 -- The insertion node after which all pragma Check equivalents are
2682 -- inserted.
2685 -- Determine whether arbitrary declaration Decl denotes a renaming of
2686 -- a discriminant or protection field _object.
2689 -- Merge two class-wide preconditions by "or else"-ing them. The
2690 -- changes are accumulated in parameter Into. Update the error
2691 -- message of Into.
2694 -- Prepend a single item to the declarations of the subprogram body
2697 -- Save a class-wide precondition into Class_Pre, or prepend a normal
2698 -- precondition to the declarations of the body and analyze it.
2701 -- Collect all inherited class-wide preconditions and merge them into
2702 -- one big precondition to be evaluated as pragma Check.
2705 -- Collect all preconditions of subprogram Subp_Id and prepend their
2706 -- pragma Check equivalents to the declarations of the body.
2708 --------------------------
2709 -- Is_Prologue_Renaming --
2710 --------------------------
2718 begin
2727 -- A discriminant renaming appears as
2728 -- Discr : constant ... := Prefix.Discr;
2734 then
2737 -- A protection field renaming appears as
2738 -- Prot : ... := _object._object;
2740 -- A renamed private component is just a component of
2741 -- _object, with an arbitrary name.
2747 then
2756 -------------------------
2757 -- Merge_Preconditions --
2758 -------------------------
2762 -- Return the boolean expression argument of a precondition while
2763 -- updating its parentheses count for the subsequent merge.
2766 -- Return the message argument of a precondition
2768 --------------------
2769 -- Expression_Arg --
2770 --------------------
2776 begin
2784 -----------------
2785 -- Message_Arg --
2786 -----------------
2790 begin
2794 -- Local variables
2802 -- Start of processing for Merge_Preconditions
2804 begin
2805 -- Merge the two preconditions by "or else"-ing them
2812 -- Merge the two error messages to produce a single message of the
2813 -- form:
2815 -- failed precondition from ...
2816 -- also failed inherited precondition from ...
2828 ----------------------
2829 -- Prepend_To_Decls --
2830 ----------------------
2835 begin
2838 -- Ensure that the body has a declarative list
2848 ------------------------------
2849 -- Prepend_To_Decls_Or_Save --
2850 ------------------------------
2855 begin
2858 -- Save the sole class-wide precondition (if any) for the next
2859 -- step, where it will be merged with inherited preconditions.
2865 -- Accumulate the corresponding Check pragmas at the top of the
2866 -- declarations. Prepending the items ensures that they will be
2867 -- evaluated in their original order.
2869 else
2872 else
2880 -------------------------------------
2881 -- Process_Inherited_Preconditions --
2882 -------------------------------------
2893 begin
2894 -- Process the contracts of all inherited subprograms, looking for
2895 -- class-wide preconditions.
2906 then
2907 Item :=
2908 Build_Pragma_Check_Equivalent
2913 -- The pragma Check equivalent of the class-wide
2914 -- precondition is still created even though the
2915 -- pragma may be ignored because the equivalent
2916 -- performs semantic checks.
2920 -- The spec of an inherited subprogram already
2921 -- yielded a class-wide precondition. Merge the
2922 -- existing precondition with the current one
2923 -- using "or else".
2927 else
2938 -- Add the merged class-wide preconditions
2946 -------------------------------
2947 -- Process_Preconditions_For --
2948 -------------------------------
2957 begin
2958 -- Process the contract. If the body is an expression function
2959 -- that is a completion, freeze types within, because this may
2960 -- not have been done yet, when the subprogram declaration and
2961 -- its completion by an expression function appear in distinct
2962 -- declarative lists of the same unit (visible and private).
2964 Freeze_T :=
2975 then
2976 if Freeze_T
2978 then
2979 Freeze_Expr_Types
2982 Expr =>
2983 Expression
2995 -- The subprogram declaration being processed is actually a body
2996 -- stub. The stub may carry a precondition pragma, in which case
2997 -- it must be taken into account. The pragma appears after the
2998 -- stub.
3002 -- Inspect the declarations following the body stub
3007 -- Note that non-matching pragmas are skipped
3012 then
3016 -- Skip internally generated code
3021 -- Preconditions are usually grouped together. There is no
3022 -- need to inspect the whole declarative list.
3024 else
3033 -- Local variables
3038 -- Start of processing for Process_Preconditions
3040 begin
3041 -- Find the proper insertion point for all pragma Check equivalents
3047 -- First source declaration terminates the search, because all
3048 -- preconditions must be evaluated prior to it, by definition.
3053 -- Certain internally generated object renamings such as those
3054 -- for discriminants and protection fields must be elaborated
3055 -- before the preconditions are evaluated, as their expressions
3056 -- may mention the discriminants. The renamings include those
3057 -- for private components so we need to find the last such.
3062 loop
3068 -- Otherwise the declaration does not come from source. This
3069 -- also terminates the search, because internal code may raise
3070 -- exceptions which should not preempt the preconditions.
3072 else
3080 -- The processing of preconditions is done in reverse order (body
3081 -- first), because each pragma Check equivalent is inserted at the
3082 -- top of the declarations. This ensures that the final order is
3083 -- consistent with following diagram:
3085 -- <inherited preconditions>
3086 -- <preconditions from spec>
3087 -- <preconditions from body>
3093 Process_Inherited_Preconditions;
3097 -- Local variables
3104 -- Start of processing for Expand_Subprogram_Contract
3106 begin
3107 -- Obtain the entity of the initial declaration
3111 else
3115 -- Do not perform expansion activity when it is not needed
3120 -- GNATprove does not need the executable semantics of a contract
3125 -- The contract of a generic subprogram or one declared in a generic
3126 -- context is not expanded, as the corresponding instance will provide
3127 -- the executable semantics of the contract.
3132 -- All subprograms carry a contract, but for some it is not significant
3133 -- and should not be processed. This is a small optimization.
3138 -- The contract of an ignored Ghost subprogram does not need expansion,
3139 -- because the subprogram and all calls to it will be removed.
3144 -- Do not re-expand the same contract. This scenario occurs when a
3145 -- construct is rewritten into something else during its analysis
3146 -- (expression functions for instance).
3152 -- Prevent multiple expansion attempts of the same contract
3156 -- Ensure that the formal parameters are visible when expanding all
3157 -- contract items.
3165 else
3170 -- The expansion of a subprogram contract involves the creation of Check
3171 -- pragmas to verify the contract assertions of the spec and body in a
3172 -- particular order. The order is as follows:
3174 -- function Example (...) return ... is
3175 -- procedure _Postconditions (...) is
3176 -- begin
3177 -- <refined postconditions from body>
3178 -- <postconditions from body>
3179 -- <postconditions from spec>
3180 -- <inherited postconditions>
3181 -- <contract case consequences>
3182 -- <invariant check of function result>
3183 -- <invariant and predicate checks of parameters>
3184 -- end _Postconditions;
3186 -- <inherited preconditions>
3187 -- <preconditions from spec>
3188 -- <preconditions from body>
3189 -- <contract case conditions>
3191 -- <source declarations>
3192 -- begin
3193 -- <source statements>
3195 -- _Preconditions (Result);
3196 -- return Result;
3197 -- end Example;
3199 -- Routine _Postconditions holds all contract assertions that must be
3200 -- verified on exit from the related subprogram.
3202 -- Step 1: augment contracts list with postconditions associated with
3203 -- Stable_Properties and Stable_Properties'Class aspects. This must
3204 -- precede Process_Postconditions.
3207 Add_Stable_Property_Contracts
3211 -- Step 2: Handle all preconditions. This action must come before the
3212 -- processing of pragma Contract_Cases because the pragma prepends items
3213 -- to the body declarations.
3215 Process_Preconditions;
3217 -- Step 3: Handle all postconditions. This action must come before the
3218 -- processing of pragma Contract_Cases because the pragma appends items
3219 -- to list Stmts.
3223 -- Step 4: Handle pragma Contract_Cases. This action must come before
3224 -- the processing of invariants and predicates because those append
3225 -- items to list Stmts.
3229 -- Step 5: Apply invariant and predicate checks on a function result and
3230 -- all formals. The resulting checks are accumulated in list Stmts.
3234 -- Step 6: Construct procedure _Postconditions
3239 End_Scope;
3243 -------------------------------
3244 -- Freeze_Previous_Contracts --
3245 -------------------------------
3250 -- Determine whether arbitrary node N causes contract freezing. This is
3251 -- used as an assertion for the current body declaration that caused
3252 -- contract freezing, and as a condition to detect body declaration that
3253 -- already caused contract freezing before.
3257 -- Freeze the contracts of all eligible constructs which precede body
3258 -- Body_Decl.
3262 -- Freeze the contract of the nearest package body (if any) which
3263 -- encloses body Body_Decl.
3265 ------------------------------
3266 -- Causes_Contract_Freezing --
3267 ------------------------------
3270 begin
3271 -- The following condition matches guards for calls to
3272 -- Freeze_Previous_Contracts from routines that analyze various body
3273 -- declarations. In particular, it detects expression functions, as
3274 -- described in the call from Analyze_Subprogram_Body_Helper.
3276 return
3278 and then
3280 N_Entry_Body | N_Package_Body | N_Protected_Body |
3281 N_Subprogram_Body | N_Subprogram_Body_Stub | N_Task_Body;
3284 ----------------------
3285 -- Freeze_Contracts --
3286 ----------------------
3292 begin
3293 -- Nothing to do when the body which causes freezing does not appear
3294 -- in a declarative list because there cannot possibly be constructs
3295 -- with contracts.
3301 -- Inspect the declarations preceding the body, and freeze individual
3302 -- contracts of eligible constructs.
3307 -- Stop the traversal when a preceding construct that causes
3308 -- freezing is encountered as there is no point in refreezing
3309 -- the already frozen constructs.
3314 -- Entry or subprogram declarations
3317 | N_Entry_Declaration
3318 | N_Generic_Subprogram_Declaration
3319 | N_Subprogram_Declaration
3320 then
3321 Analyze_Entry_Or_Subprogram_Contract
3325 -- Objects
3328 Analyze_Object_Contract
3332 -- Protected units
3335 | N_Single_Protected_Declaration
3336 then
3339 -- Subprogram body stubs
3344 -- Task units
3347 | N_Task_Type_Declaration
3348 then
3353 | N_Private_Type_Declaration
3354 | N_Task_Type_Declaration
3355 | N_Protected_Type_Declaration
3356 | N_Formal_Type_Declaration
3357 then
3365 -----------------------------------
3366 -- Freeze_Enclosing_Package_Body --
3367 -----------------------------------
3373 begin
3374 -- Climb the parent chain looking for an enclosing package body. Do
3375 -- not use the scope stack, because a body utilizes the entity of its
3376 -- corresponding spec.
3381 Analyze_Package_Body_Contract
3387 -- Do not look for an enclosing package body when the construct
3388 -- which causes freezing is a body generated for an expression
3389 -- function and it appears within a package spec. This ensures
3390 -- that the traversal will not reach too far up the parent chain
3391 -- and attempt to freeze a package body which must not be frozen.
3393 -- package body Enclosing_Body
3394 -- with Refined_State => (State => Var)
3395 -- is
3396 -- package Nested is
3397 -- type Some_Type is ...;
3398 -- function Cause_Freezing return ...;
3399 -- private
3400 -- function Cause_Freezing is (...);
3401 -- end Nested;
3402 --
3403 -- Var : Nested.Some_Type;
3407 then
3410 -- Prevent the search from going too far
3420 -- Local variables
3424 -- Start of processing for Freeze_Previous_Contracts
3426 begin
3429 -- A body that is in the process of being inlined appears from source,
3430 -- but carries name _parent. Such a body does not cause freezing of
3431 -- contracts.
3437 Freeze_Enclosing_Package_Body;
3438 Freeze_Contracts;
3441 --------------------------
3442 -- Get_Postcond_Enabled --
3443 --------------------------
3447 begin
3448 Decl :=
3454 = Name_uPostcond_Enabled
3455 then
3465 ------------------------------------
3466 -- Get_Result_Object_For_Postcond --
3467 ------------------------------------
3469 function Get_Result_Object_For_Postcond
3471 is
3473 begin
3474 Decl :=
3480 = Name_uResult_Object_For_Postcond
3481 then
3491 -------------------------------------
3492 -- Get_Return_Success_For_Postcond --
3493 -------------------------------------
3496 is
3498 begin
3499 Decl :=
3505 = Name_uReturn_Success_For_Postcond
3506 then
3516 ---------------------------------
3517 -- Inherit_Subprogram_Contract --
3518 ---------------------------------
3520 procedure Inherit_Subprogram_Contract
3523 is
3525 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3526 -- Subp's contract.
3528 --------------------
3529 -- Inherit_Pragma --
3530 --------------------
3536 begin
3537 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3538 -- chains, therefore the node must be replicated. The new pragma is
3539 -- flagged as inherited for distinction purposes.
3549 -- Start of processing for Inherit_Subprogram_Contract
3551 begin
3552 -- Inheritance is carried out only when both entities are subprograms
3553 -- with contracts.
3558 then
3563 -------------------------------------
3564 -- Instantiate_Subprogram_Contract --
3565 -------------------------------------
3569 -- Instantiate all contract-related source pragmas found in the list,
3570 -- starting with pragma First_Prag. Each instantiated pragma is added
3571 -- to list L.
3573 -------------------------
3574 -- Instantiate_Pragmas --
3575 -------------------------
3581 begin
3585 Inst_Prag :=
3596 -- Local variables
3600 -- Start of processing for Instantiate_Subprogram_Contract
3602 begin
3610 ----------------------------------------
3611 -- Save_Global_References_In_Contract --
3612 ----------------------------------------
3614 procedure Save_Global_References_In_Contract
3617 is
3619 -- Save all global references in contract-related source pragmas found
3620 -- in the list, starting with pragma First_Prag.
3622 ------------------------------------
3623 -- Save_Global_References_In_List --
3624 ------------------------------------
3629 begin
3640 -- Local variables
3644 -- Start of processing for Save_Global_References_In_Contract
3646 begin
3647 -- The entity of the analyzed generic copy must be on the scope stack
3648 -- to ensure proper detection of global references.
3654 then
3664 Pop_Scope;