| blob | b0a0ab2022876a70b6bee7924363fc23ebf120cc |
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C O N T R A C T S --
6 -- --
7 -- B o d y --
8 -- --
9 -- Copyright (C) 2015-2023, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
66 -- Analyze all delayed pragmas chained on the contract of package
67 -- instantiation Inst_Id as if they appear at the end of a declarative
68 -- region. The pragmas in question are:
69 --
70 -- Part_Of
72 procedure Build_Subprogram_Contract_Wrapper
77 -- Generate a wrapper for a given subprogram body when the expansion of
78 -- postconditions require it by moving its declarations and statements
79 -- into a locally declared subprogram _Wrapped_Statements.
81 -- Postcondition and precondition checks then get inserted in place of
82 -- the original statements and declarations along with a call to
83 -- _Wrapped_Statements.
85 procedure Check_Class_Condition
90 -- Perform checking of class-wide pre/postcondition Cond inherited by Subp
91 -- from Par_Subp. Is_Precondition enables check specific for preconditions.
92 -- In SPARK_Mode, an inherited operation that is not overridden but has
93 -- inherited modified conditions pre/postconditions is illegal.
96 -- Determine whether arbitrary declaration Decl denotes a renaming of
97 -- a discriminant or protection field _object.
99 procedure Check_Type_Or_Object_External_Properties
101 -- Perform checking of external properties pragmas that is common to both
102 -- type declarations and object declarations.
105 -- Expand the contracts of a subprogram body and its correspoding spec (if
106 -- any). This routine processes all [refined] pre- and postconditions as
107 -- well as Contract_Cases, Subprogram_Variant, invariants and predicates.
108 -- Body_Id denotes the entity of the subprogram body.
110 procedure Preanalyze_Condition
113 -- Preanalyze the class-wide condition Expr of Subp
115 procedure Set_Class_Condition
119 -- Set the class-wide Kind condition of Subp
121 -----------------------
122 -- Add_Contract_Item --
123 -----------------------
129 -- Prepend Prag to the list of classifications
132 -- Prepend Prag to the list of contract and test cases
135 -- Prepend Prag to the list of pre- and postconditions
137 ------------------------
138 -- Add_Classification --
139 ------------------------
142 begin
147 ----------------------------
148 -- Add_Contract_Test_Case --
149 ----------------------------
152 begin
157 ----------------------------
158 -- Add_Pre_Post_Condition --
159 ----------------------------
162 begin
167 -- Local variables
169 -- A contract must contain only pragmas
174 -- Start of processing for Add_Contract_Item
176 begin
177 -- Create a new contract when adding the first item
184 -- Constants, the applicable pragmas are:
185 -- Part_Of
189 | Name_Async_Writers
190 | Name_Effective_Reads
191 | Name_Effective_Writes
192 | Name_No_Caching
193 | Name_Part_Of
194 then
195 Add_Classification;
197 -- The pragma is not a proper contract item
199 else
203 -- Entry bodies, the applicable pragmas are:
204 -- Refined_Depends
205 -- Refined_Global
206 -- Refined_Post
210 Add_Classification;
213 Add_Pre_Post_Condition;
215 -- The pragma is not a proper contract item
217 else
221 -- Entry or subprogram declarations, the applicable pragmas are:
222 -- Attach_Handler
223 -- Contract_Cases
224 -- Depends
225 -- Extensions_Visible
226 -- Global
227 -- Interrupt_Handler
228 -- Postcondition
229 -- Precondition
230 -- Test_Case
231 -- Volatile_Function
235 | E_Generic_Function
236 | E_Generic_Procedure
237 | E_Procedure
238 then
241 then
242 Add_Classification;
245 | Name_Extensions_Visible
246 | Name_Global
247 then
248 Add_Classification;
252 then
253 Add_Classification;
256 | Name_Subprogram_Variant
257 | Name_Test_Case
258 then
259 Add_Contract_Test_Case;
262 Add_Pre_Post_Condition;
264 -- The pragma is not a proper contract item
266 else
270 -- Packages or instantiations, the applicable pragmas are:
271 -- Abstract_States
272 -- Initial_Condition
273 -- Initializes
274 -- Part_Of (instantiation only)
278 | Name_Initial_Condition
279 | Name_Initializes
280 then
281 Add_Classification;
283 -- Indicator Part_Of must be associated with a package instantiation
286 Add_Classification;
288 -- The pragma is not a proper contract item
290 else
294 -- Package bodies, the applicable pragmas are:
295 -- Refined_States
299 Add_Classification;
301 -- The pragma is not a proper contract item
303 else
307 -- The four volatility refinement pragmas are ok for all types.
308 -- Part_Of is ok for task types and protected types.
309 -- Depends and Global are ok for task types.
312 declare
314 Prag_Nam in Name_Async_Readers
315 | Name_Async_Writers
316 | Name_Effective_Reads
317 | Name_Effective_Writes
318 | Name_No_Caching
321 | Name_Depends
322 | Name_Global)
325 begin
327 Add_Classification;
328 else
330 -- The pragma is not a proper contract item
336 -- Subprogram bodies, the applicable pragmas are:
337 -- Postcondition
338 -- Precondition
339 -- Refined_Depends
340 -- Refined_Global
341 -- Refined_Post
345 Add_Classification;
348 | Name_Precondition
349 | Name_Refined_Post
350 then
351 Add_Pre_Post_Condition;
353 -- The pragma is not a proper contract item
355 else
359 -- Task bodies, the applicable pragmas are:
360 -- Refined_Depends
361 -- Refined_Global
365 Add_Classification;
367 -- The pragma is not a proper contract item
369 else
373 -- Task units, the applicable pragmas are:
374 -- Depends
375 -- Global
376 -- Part_Of
378 -- Variables, the applicable pragmas are:
379 -- Async_Readers
380 -- Async_Writers
381 -- Constant_After_Elaboration
382 -- Depends
383 -- Effective_Reads
384 -- Effective_Writes
385 -- Global
386 -- No_Caching
387 -- Part_Of
391 | Name_Async_Writers
392 | Name_Constant_After_Elaboration
393 | Name_Depends
394 | Name_Effective_Reads
395 | Name_Effective_Writes
396 | Name_Global
397 | Name_No_Caching
398 | Name_Part_Of
399 then
400 Add_Classification;
402 -- The pragma is not a proper contract item
404 else
408 else
413 -----------------------
414 -- Analyze_Contracts --
415 -----------------------
420 begin
424 -- Entry or subprogram declarations
427 | N_Entry_Declaration
428 | N_Generic_Subprogram_Declaration
429 | N_Subprogram_Declaration
430 then
433 -- Entry or subprogram bodies
438 -- Objects
443 -- Package instantiation
448 -- Protected units
451 | N_Single_Protected_Declaration
452 then
455 -- Subprogram body stubs
460 -- Task units
463 | N_Task_Type_Declaration
464 then
467 -- For type declarations, we need to do the preanalysis of Iterable
468 -- and the 3 Xxx_Literal aspect specifications.
470 -- Other type aspects need to be resolved here???
474 then
475 declare
485 begin
503 | N_Private_Type_Declaration
504 | N_Task_Type_Declaration
505 | N_Protected_Type_Declaration
506 | N_Formal_Type_Declaration
507 then
515 -------------------------------------
516 -- Analyze_Pragmas_In_Declarations --
517 -------------------------------------
522 begin
523 -- Move through the body's declarations analyzing all pragmas which
524 -- appear at the top of the declarations.
531 if Pragma_Significant_To_Subprograms
533 then
537 -- Skip the renamings of discriminants and protection fields
542 -- We have reached something which is not a pragma so we can be sure
543 -- there are no more contracts or pragmas which need to be taken into
544 -- account.
546 else
554 -----------------------------------------------
555 -- Analyze_Entry_Or_Subprogram_Body_Contract --
556 -----------------------------------------------
558 -- WARNING: This routine manages SPARK regions. Return statements must be
559 -- replaced by gotos which jump to the end of the routine and restore the
560 -- SPARK mode.
569 -- Save the SPARK_Mode-related data to restore on exit
571 begin
572 -- When a subprogram body declaration is illegal, its defining entity is
573 -- left unanalyzed. There is nothing left to do in this case because the
574 -- body lacks a contract, or even a proper Ekind.
579 -- Do not analyze a contract multiple times
584 else
589 -- Due to the timing of contract analysis, delayed pragmas may be
590 -- subject to the wrong SPARK_Mode, usually that of the enclosing
591 -- context. To remedy this, restore the original SPARK_Mode of the
592 -- related subprogram body.
596 -- Ensure that the contract cases or postconditions mention 'Result or
597 -- define a post-state.
601 -- A stand-alone nonvolatile function body cannot have an effectively
602 -- volatile formal parameter or return type (SPARK RM 7.1.3(9)). This
603 -- check is relevant only when SPARK_Mode is on, as it is not a standard
604 -- legality rule. The check is performed here because Volatile_Function
605 -- is processed after the analysis of the related subprogram body. The
606 -- check only applies to source subprograms and not to generated TSS
607 -- subprograms.
613 then
617 -- Restore the SPARK_Mode of the enclosing context after all delayed
618 -- pragmas have been analyzed.
622 -- Capture all global references in a generic subprogram body now that
623 -- the contract has been analyzed.
626 Save_Global_References_In_Contract
631 -- Deal with preconditions, [refined] postconditions, Contract_Cases,
632 -- Subprogram_Variant, invariants and predicates associated with body
633 -- and its spec. Do not expand the contract of subprogram body stubs.
640 ------------------------------------------
641 -- Analyze_Entry_Or_Subprogram_Contract --
642 ------------------------------------------
644 -- WARNING: This routine manages SPARK regions. Return statements must be
645 -- replaced by gotos which jump to the end of the routine and restore the
646 -- SPARK mode.
648 procedure Analyze_Entry_Or_Subprogram_Contract
651 is
657 -- Save the SPARK_Mode-related data to restore on exit
667 begin
668 -- Do not analyze a contract multiple times
673 else
678 -- Due to the timing of contract analysis, delayed pragmas may be
679 -- subject to the wrong SPARK_Mode, usually that of the enclosing
680 -- context. To remedy this, restore the original SPARK_Mode of the
681 -- related subprogram body.
685 -- All subprograms carry a contract, but for some it is not significant
686 -- and should not be processed.
693 -- Do not analyze the pre/postconditions of an entry declaration
694 -- unless annotating the original tree for GNATprove. The
695 -- real analysis occurs when the pre/postconditons are relocated to
696 -- the contract wrapper procedure (see Build_Contract_Wrapper).
701 -- Otherwise analyze the pre/postconditions.
702 -- If these come from an aspect specification, their expressions
703 -- might include references to types that are not frozen yet, in the
704 -- case where the body is a rewritten expression function that is a
705 -- completion, so freeze all types within before constructing the
706 -- contract code.
708 else
709 declare
713 begin
722 then
729 if Freeze_Types
731 then
732 Freeze_Expr_Types
735 Expr =>
736 Expression
747 -- Analyze contract-cases, subprogram-variant and test-cases
755 -- Do not analyze the contract cases of an entry declaration
756 -- unless annotating the original tree for GNATprove.
757 -- The real analysis occurs when the contract cases are moved
758 -- to the contract wrapper procedure (Build_Contract_Wrapper).
763 -- Otherwise analyze the contract cases
765 else
772 else
780 -- Analyze classification pragmas
796 -- Analyze Global first, as Depends may mention items classified in
797 -- the global categorization.
803 -- Depends must be analyzed after Global in order to see the modes of
804 -- all global items.
810 -- Ensure that the contract cases or postconditions mention 'Result
811 -- or define a post-state.
816 -- A nonvolatile function cannot have an effectively volatile formal
817 -- parameter or return type (SPARK RM 7.1.3(9)). This check is relevant
818 -- only when SPARK_Mode is on, as it is not a standard legality rule.
819 -- The check is performed here because pragma Volatile_Function is
820 -- processed after the analysis of the related subprogram declaration.
826 then
830 -- Restore the SPARK_Mode of the enclosing context after all delayed
831 -- pragmas have been analyzed.
835 -- Capture all global references in a generic subprogram now that the
836 -- contract has been analyzed.
839 Save_Global_References_In_Contract
845 ----------------------------------------------
846 -- Check_Type_Or_Object_External_Properties --
847 ----------------------------------------------
849 procedure Check_Type_Or_Object_External_Properties
851 is
856 -- Local variables
867 -- Start of processing for Check_Type_Or_Object_External_Properties
869 begin
870 -- Analyze all external properties
875 -- If the parent type of a derived type is volatile
876 -- then the derived type inherits volatility-related flags.
879 declare
882 begin
891 else
898 declare
900 begin
904 Error_Msg_N
906 Prag);
914 declare
916 begin
920 Error_Msg_N
922 Prag);
930 declare
932 begin
936 Error_Msg_N
938 Prag);
946 declare
948 begin
952 Error_Msg_N
954 Prag);
959 -- Verify the mutual interaction of the various external properties.
960 -- For types and variables for which No_Caching is enabled, it has been
961 -- checked already that only False values for other external properties
962 -- are allowed.
964 if Seen
966 then
967 Check_External_Properties
971 -- Analyze the non-external volatility property No_Caching
979 -- The following checks are relevant only when SPARK_Mode is on, as
980 -- they are not standard Ada legality rules. Internally generated
981 -- temporaries are ignored, as well as return objects.
986 then
989 -- The declaration of an effectively volatile object or type must
990 -- appear at the library level (SPARK RM 7.1.3(3), C.6(6)).
993 Error_Msg_N
995 & Decl_Kind
999 -- An object of a discriminated type cannot be effectively
1000 -- volatile except for protected objects (SPARK RM 7.1.3(5)).
1004 then
1005 Error_Msg_N
1007 Type_Or_Obj_Id);
1010 -- An object decl shall be compatible with respect to volatility
1011 -- with its type (SPARK RM 7.1.3(2)).
1015 Check_Volatility_Compatibility
1021 -- A component of a composite type (in this case, the composite
1022 -- type is an array type) shall be compatible with respect to
1023 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1026 Check_Volatility_Compatibility
1031 -- A component of a composite type (in this case, the composite
1032 -- type is a record type) shall be compatible with respect to
1033 -- volatility with the composite type (SPARK RM 7.1.3(6)).
1036 declare
1038 begin
1040 Check_Volatility_Compatibility
1050 -- The type or object is not effectively volatile
1052 else
1053 -- A non-effectively volatile type cannot have effectively
1054 -- volatile components (SPARK RM 7.1.3(6)).
1056 if Is_Type_Id
1059 then
1060 Error_Msg_N
1063 Type_Or_Obj_Id);
1069 -----------------------------
1070 -- Analyze_Object_Contract --
1071 -----------------------------
1073 -- WARNING: This routine manages SPARK regions. Return statements must be
1074 -- replaced by gotos which jump to the end of the routine and restore the
1075 -- SPARK mode.
1077 procedure Analyze_Object_Contract
1080 is
1085 -- Save the SPARK_Mode-related data to restore on exit
1091 begin
1092 -- The loop parameter in an element iterator over a formal container
1093 -- is declared with an object declaration, but no contracts apply.
1099 -- Do not analyze a contract multiple times
1106 else
1111 -- The anonymous object created for a single concurrent type inherits
1112 -- the SPARK_Mode from the type. Due to the timing of contract analysis,
1113 -- delayed pragmas may be subject to the wrong SPARK_Mode, usually that
1114 -- of the enclosing context. To remedy this, restore the original mode
1115 -- of the related anonymous object.
1119 then
1123 -- Checks related to external properties, same for constants and
1124 -- variables.
1128 -- Constant-related checks
1132 -- Analyze indicator Part_Of
1136 -- Check whether the lack of indicator Part_Of agrees with the
1137 -- placement of the constant with respect to the state space.
1143 -- Variable-related checks
1147 -- The anonymous object created for a single task type carries
1148 -- pragmas Depends and Global of the type.
1152 -- Analyze Global first, as Depends may mention items classified
1153 -- in the global categorization.
1161 -- Depends must be analyzed after Global in order to see the modes
1162 -- of all global items.
1173 -- Analyze indicator Part_Of
1178 -- The variable is a constituent of a single protected/task type
1179 -- and behaves as a component of the type. Verify that references
1180 -- to the variable occur within the definition or body of the type
1181 -- (SPARK RM 9.3).
1184 and then Is_Single_Concurrent_Object
1187 then
1195 -- Otherwise check whether the lack of indicator Part_Of agrees with
1196 -- the placement of the variable with respect to the state space.
1198 else
1203 -- Common checks
1207 -- A Ghost object cannot be of a type that yields a synchronized
1208 -- object (SPARK RM 6.9(19)).
1213 -- A Ghost object cannot be effectively volatile (SPARK RM 6.9(7) and
1214 -- SPARK RM 6.9(19)).
1219 -- A Ghost object cannot be imported or exported (SPARK RM 6.9(7)).
1220 -- One exception to this is the object that represents the dispatch
1221 -- table of a Ghost tagged type, as the symbol needs to be exported.
1231 -- Restore the SPARK_Mode of the enclosing context after all delayed
1232 -- pragmas have been analyzed.
1237 -----------------------------------
1238 -- Analyze_Package_Body_Contract --
1239 -----------------------------------
1241 -- WARNING: This routine manages SPARK regions. Return statements must be
1242 -- replaced by gotos which jump to the end of the routine and restore the
1243 -- SPARK mode.
1245 procedure Analyze_Package_Body_Contract
1248 is
1255 -- Save the SPARK_Mode-related data to restore on exit
1259 begin
1260 -- Do not analyze a contract multiple times
1265 else
1270 -- Due to the timing of contract analysis, delayed pragmas may be
1271 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1272 -- context. To remedy this, restore the original SPARK_Mode of the
1273 -- related package body.
1279 -- The analysis of pragma Refined_State detects whether the spec has
1280 -- abstract states available for refinement.
1286 -- Restore the SPARK_Mode of the enclosing context after all delayed
1287 -- pragmas have been analyzed.
1291 -- Capture all global references in a generic package body now that the
1292 -- contract has been analyzed.
1295 Save_Global_References_In_Contract
1301 ------------------------------
1302 -- Analyze_Package_Contract --
1303 ------------------------------
1305 -- WARNING: This routine manages SPARK regions. Return statements must be
1306 -- replaced by gotos which jump to the end of the routine and restore the
1307 -- SPARK mode.
1315 -- Save the SPARK_Mode-related data to restore on exit
1322 begin
1323 -- Do not analyze a contract multiple times
1329 -- Do not analyze the contract of the internal package
1330 -- created to check conformance of an actual package.
1331 -- Such an internal package is removed from the tree after
1332 -- legality checks are completed, and it does not contain
1333 -- the declarations of all local entities of the generic.
1337 then
1340 else
1345 -- Due to the timing of contract analysis, delayed pragmas may be
1346 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1347 -- context. To remedy this, restore the original SPARK_Mode of the
1348 -- related package.
1354 -- Locate and store pragmas Initial_Condition and Initializes, since
1355 -- their order of analysis matters.
1371 -- Analyze the initialization-related pragmas. Initializes must come
1372 -- before Initial_Condition due to item dependencies.
1383 -- Restore the SPARK_Mode of the enclosing context after all delayed
1384 -- pragmas have been analyzed.
1388 -- Capture all global references in a generic package now that the
1389 -- contract has been analyzed.
1392 Save_Global_References_In_Contract
1398 --------------------------------------------
1399 -- Analyze_Package_Instantiation_Contract --
1400 --------------------------------------------
1402 -- WARNING: This routine manages SPARK regions. Return statements must be
1403 -- replaced by gotos which jump to the end of the routine and restore the
1404 -- SPARK mode.
1412 -- Save the SPARK_Mode-related data to restore on exit
1417 begin
1418 -- Nothing to do when the package instantiation is erroneous or left
1419 -- partially decorated.
1428 -- Due to the timing of contract analysis, delayed pragmas may be
1429 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1430 -- context. To remedy this, restore the original SPARK_Mode of the
1431 -- related package.
1435 -- Check whether the lack of indicator Part_Of agrees with the placement
1436 -- of the package instantiation with respect to the state space. Nested
1437 -- package instantiations do not need to be checked because they inherit
1438 -- Part_Of indicator of the outermost package instantiation (see routine
1439 -- Propagate_Part_Of in Sem_Prag).
1448 -- Restore the SPARK_Mode of the enclosing context after all delayed
1449 -- pragmas have been analyzed.
1454 --------------------------------
1455 -- Analyze_Protected_Contract --
1456 --------------------------------
1461 begin
1462 -- Do not analyze a contract multiple times
1467 else
1473 -------------------------------------------
1474 -- Analyze_Subprogram_Body_Stub_Contract --
1475 -------------------------------------------
1481 begin
1482 -- A subprogram body stub may act as its own spec or as the completion
1483 -- of a previous declaration. Depending on the context, the contract of
1484 -- the stub may contain two sets of pragmas.
1486 -- The stub is a completion, the applicable pragmas are:
1487 -- Refined_Depends
1488 -- Refined_Global
1493 -- The stub acts as its own spec, the applicable pragmas are:
1494 -- Contract_Cases
1495 -- Depends
1496 -- Global
1497 -- Postcondition
1498 -- Precondition
1499 -- Subprogram_Variant
1500 -- Test_Case
1502 else
1507 ---------------------------
1508 -- Analyze_Task_Contract --
1509 ---------------------------
1511 -- WARNING: This routine manages SPARK regions. Return statements must be
1512 -- replaced by gotos which jump to the end of the routine and restore the
1513 -- SPARK mode.
1520 -- Save the SPARK_Mode-related data to restore on exit
1524 begin
1525 -- Do not analyze a contract multiple times
1530 else
1535 -- Due to the timing of contract analysis, delayed pragmas may be
1536 -- subject to the wrong SPARK_Mode, usually that of the enclosing
1537 -- context. To remedy this, restore the original SPARK_Mode of the
1538 -- related task unit.
1542 -- Analyze Global first, as Depends may mention items classified in the
1543 -- global categorization.
1551 -- Depends must be analyzed after Global in order to see the modes of
1552 -- all global items.
1560 -- Restore the SPARK_Mode of the enclosing context after all delayed
1561 -- pragmas have been analyzed.
1566 ---------------------------
1567 -- Analyze_Type_Contract --
1568 ---------------------------
1571 begin
1572 Check_Type_Or_Object_External_Properties
1576 ---------------------------------------
1577 -- Build_Subprogram_Contract_Wrapper --
1578 ---------------------------------------
1580 procedure Build_Subprogram_Contract_Wrapper
1585 is
1596 begin
1597 -- When there are no postcondition statements we do not need to
1598 -- generate a wrapper.
1604 -- Obtain the related subprogram id from the body id.
1608 else
1613 -- Generate the contracts wrapper by moving the original declarations
1614 -- and statements within a local subprogram, calling it and possibly
1615 -- preserving the result for the purpose of evaluating postconditions,
1616 -- contracts, type invariants, etc.
1618 -- In the case of a function, generate:
1619 --
1620 -- function Original_Func (X : in out Integer) return Typ is
1621 -- <prologue renamings>
1622 -- <preconditions>
1623 --
1624 -- function _Wrapped_Statements return Typ is
1625 -- <original declarations>
1626 -- begin
1627 -- <original statements>
1628 -- end;
1629 --
1630 -- begin
1631 -- return
1632 -- Result_Obj : constant Typ := _Wrapped_Statements
1633 -- do
1634 -- <postconditions statments>
1635 -- end return;
1636 -- end;
1638 -- Or else, in the case of a procedure, generate:
1639 --
1640 -- procedure Original_Proc (X : in out Integer) is
1641 -- <prologue renamings>
1642 -- <preconditions>
1643 --
1644 -- procedure _Wrapped_Statements is
1645 -- <original declarations>
1646 -- begin
1647 -- <original statements>
1648 -- end;
1649 --
1650 -- begin
1651 -- _Wrapped_Statements;
1652 -- <postconditions statments>
1653 -- end;
1655 -- Create Identifier
1662 Set_Has_Pragma_Inline_Always
1665 -- Create specification and declaration for the wrapper
1668 Wrapper_Spec :=
1671 else
1672 Wrapper_Spec :=
1678 -- Create the wrapper body using Body_Id's statements and declarations
1680 Wrapper_Body :=
1684 Handled_Statement_Sequence =>
1693 -- Prepend a call to the wrapper when the subprogram is a procedure
1699 Set_Statements
1702 -- Generate the post-execution statements and the extended return
1703 -- when the subprogram being wrapped is a function.
1705 else
1712 Object_Definition =>
1714 Expression =>
1716 Name =>
1718 Handled_Statement_Sequence =>
1724 ----------------------------------
1725 -- Build_Entry_Contract_Wrapper --
1726 ----------------------------------
1732 procedure Add_Discriminant_Renamings
1735 -- Add renaming declarations for all discriminants of concurrent type
1736 -- Conc_Typ. Obj_Id is the entity of the wrapper formal parameter which
1737 -- represents the concurrent object.
1739 procedure Add_Matching_Formals
1742 -- Add formal parameters that match those of entry E to list Formals.
1743 -- The routine also adds matching actuals for the new formals to list
1744 -- Actuals.
1747 -- Relocate pragma Prag to list To. The routine creates a new list if
1748 -- To does not exist.
1750 --------------------------------
1751 -- Add_Discriminant_Renamings --
1752 --------------------------------
1754 procedure Add_Discriminant_Renamings
1757 is
1761 begin
1762 -- Inspect the discriminants of the concurrent type and generate a
1763 -- renaming for each one.
1768 Renaming_Decl :=
1770 Defining_Identifier =>
1772 Subtype_Mark =>
1774 Name =>
1777 Selector_Name =>
1787 --------------------------
1788 -- Add_Matching_Formals --
1789 --------------------------
1791 procedure Add_Matching_Formals
1794 is
1798 begin
1799 -- Inspect the formal parameters of the entry and generate a new
1800 -- matching formal with the same name for the wrapper. A reference
1801 -- to the new formal becomes an actual in the entry call.
1811 Parameter_Type =>
1823 ---------------------
1824 -- Transfer_Pragma --
1825 ---------------------
1830 begin
1841 -- Local variables
1855 -- Start of processing for Build_Entry_Contract_Wrapper
1857 begin
1858 -- This routine generates a specialized wrapper for a protected or task
1859 -- entry [family] which implements precondition/postcondition semantics.
1860 -- Preconditions and case guards of contract cases are checked before
1861 -- the protected action or rendezvous takes place.
1863 -- procedure Wrapper
1864 -- (Obj_Id : Conc_Typ; -- concurrent object
1865 -- [Index : Index_Typ;] -- index of entry family
1866 -- [Formal_1 : ...; -- parameters of original entry
1867 -- Formal_N : ...])
1868 -- is
1869 -- [Discr_1 : ... renames Obj_Id.Discr_1; -- discriminant
1870 -- Discr_N : ... renames Obj_Id.Discr_N;] -- renamings
1872 -- <contracts pragmas>
1873 -- <case guard checks>
1875 -- begin
1876 -- Entry_Call (Obj_Id, [Index,] [Formal_1, Formal_N]);
1877 -- end Wrapper;
1879 -- Create the wrapper only when the entry has at least one executable
1880 -- contract item such as contract cases, precondition or postcondition.
1884 -- Inspect the list of pre/postconditions and transfer all available
1885 -- pragmas to the declarative list of the wrapper.
1890 | Name_Precondition
1892 then
1900 -- Inspect the list of test/contract cases and transfer only contract
1901 -- cases pragmas to the declarative part of the wrapper.
1907 then
1916 -- The entry lacks executable contract items and a wrapper is not needed
1922 -- Create the profile of the wrapper. The first formal parameter is the
1923 -- concurrent object.
1925 Obj_Id :=
1936 -- Construct the call to the original entry. The call will be gradually
1937 -- augmented with an optional entry index and extra parameters.
1939 Call_Nam :=
1944 -- When creating a wrapper for an entry family, the second formal is the
1945 -- entry index.
1953 Parameter_Type =>
1956 -- The call to the original entry becomes an indexed component to
1957 -- accommodate the entry index.
1959 Call_Nam :=
1965 -- Add formal parameters to match those of the entry and build actuals
1966 -- for the entry call.
1970 Call :=
1975 -- Add renaming declarations for the discriminants of the enclosing type
1976 -- as the various contract items may reference them.
1980 Wrapper_Id :=
1985 -- The wrapper body is analyzed when the enclosing type is frozen
1989 Specification =>
1994 Handled_Statement_Sequence =>
1999 ---------------------------
2000 -- Check_Class_Condition --
2001 ---------------------------
2003 procedure Check_Class_Condition
2008 is
2010 -- Check reference to formal of inherited operation or to primitive
2011 -- operation of root type.
2013 ------------------
2014 -- Check_Entity --
2015 ------------------
2021 begin
2024 and then
2026 and then
2029 then
2030 -- These checks do not apply to dispatching calls within the
2031 -- condition, but only to calls whose static tag is that of
2032 -- the parent type.
2037 then
2041 -- Determine whether entity has a renaming
2048 -- AI12-0166: A precondition for a protected operation
2049 -- cannot include an internal call to a protected function
2050 -- of the type. In the case of an inherited condition for an
2051 -- overriding operation, both the operation and the function
2052 -- are given by primitive wrappers.
2054 if Is_Precondition
2059 then
2061 Error_Msg_NE
2068 -- Check that there are no calls left to abstract operations if
2069 -- the current subprogram is not abstract.
2074 then
2077 then
2082 Error_Msg_NE
2085 else
2086 Error_Msg_NE
2091 -- In SPARK mode, report error on inherited condition for an
2092 -- inherited operation if it contains a call to an overriding
2093 -- operation, because this implies that the pre/postconditions
2094 -- of the inherited operation have changed silently.
2097 and then Warn_On_Suspicious_Contract
2101 then
2102 Error_Msg_N
2107 Error_Msg_NE
2120 -- Start of processing for Check_Class_Condition
2122 begin
2123 -- No check required if the subprograms match
2134 -----------------------------
2135 -- Create_Generic_Contract --
2136 -----------------------------
2143 -- Add a single contract-related source pragma Prag to the contract of
2144 -- generic template Templ_Id.
2146 ---------------------------------
2147 -- Add_Generic_Contract_Pragma --
2148 ---------------------------------
2153 begin
2154 -- Mark the pragma to prevent the premature capture of global
2155 -- references when capturing global references of the context
2156 -- (see Save_References_In_Pragma).
2160 -- Pragmas that apply to a generic subprogram declaration are not
2161 -- part of the semantic structure of the generic template:
2163 -- generic
2164 -- procedure Example (Formal : Integer);
2165 -- pragma Precondition (Formal > 0);
2167 -- Create a generic template for such pragmas and link the template
2168 -- of the pragma with the generic template.
2171 Rewrite
2178 -- Otherwise link the pragma with the generic template
2180 else
2185 -- Local variables
2190 -- Start of processing for Create_Generic_Contract
2192 begin
2193 -- A generic package declaration carries contract-related source pragmas
2194 -- in its visible declarations.
2203 -- A generic package body carries contract-related source pragmas in its
2204 -- declarations.
2213 -- Generic subprogram declaration
2218 else
2222 -- When the generic subprogram acts as a compilation unit, inspect
2223 -- the Pragmas_After list for contract-related source pragmas.
2228 then
2232 -- Otherwise inspect the successive declarations for contract-related
2233 -- source pragmas.
2235 else
2239 -- A generic subprogram body carries contract-related source pragmas in
2240 -- its declarations.
2250 -- Inspect the relevant declarations looking for contract-related source
2251 -- pragmas and add them to the contract of the generic unit.
2257 -- The source pragma is a contract annotation
2263 -- The region where a contract-related source pragma may appear
2264 -- ends with the first source non-pragma declaration or statement.
2266 else
2275 --------------------------------
2276 -- Expand_Subprogram_Contract --
2277 --------------------------------
2283 procedure Add_Invariant_And_Predicate_Checks
2287 -- Process the result of function Subp_Id (if applicable) and all its
2288 -- formals. Add invariant and predicate checks where applicable. The
2289 -- routine appends all the checks to list Stmts. If Subp_Id denotes a
2290 -- function, Result contains the entity of parameter _Result, to be
2291 -- used in the creation of procedure _Postconditions.
2293 procedure Add_Stable_Property_Contracts
2295 -- Augment postcondition contracts to reflect Stable_Property aspect
2296 -- (if Class_Present = False) or Stable_Property'Class aspect (if
2297 -- Class_Present = True).
2300 -- Append a node to a list. If there is no list, create a new one. When
2301 -- the item denotes a pragma, it is added to the list only when it is
2302 -- enabled.
2304 procedure Process_Contract_Cases
2307 -- Process pragma Contract_Cases. This routine prepends items to the
2308 -- body declarations and appends items to list Stmts.
2311 -- Collect all [inherited] spec and body postconditions and accumulate
2312 -- their pragma Check equivalents in list Stmts.
2315 -- Collect all [inherited] spec and body preconditions and prepend their
2316 -- pragma Check equivalents to the declarations of the body.
2318 ----------------------------------------
2319 -- Add_Invariant_And_Predicate_Checks --
2320 ----------------------------------------
2322 procedure Add_Invariant_And_Predicate_Checks
2326 is
2328 -- Id denotes the return value of a function or a formal parameter.
2329 -- Add an invariant check if the type of Id is access to a type with
2330 -- invariants. The routine appends the generated code to Stmts.
2333 -- Determine whether type Typ can benefit from invariant checks. To
2334 -- qualify, the type must have a non-null invariant procedure and
2335 -- subprogram Subp_Id must appear visible from the point of view of
2336 -- the type.
2338 ---------------------------------
2339 -- Add_Invariant_Access_Checks --
2340 ---------------------------------
2347 begin
2354 Ref :=
2359 -- Generate:
2360 -- if <Id> /= null then
2361 -- <invariant_call (<Ref>)>
2362 -- end if;
2364 Append_Enabled_Item
2367 Condition =>
2378 -------------------------
2379 -- Invariant_Checks_OK --
2380 -------------------------
2384 -- Determine whether type Typ has public visibility of subprogram
2385 -- Subp_Id.
2387 -----------------------------------------
2388 -- Has_Public_Visibility_Of_Subprogram --
2389 -----------------------------------------
2394 begin
2395 -- An Initialization procedure must be considered visible even
2396 -- though it is internally generated.
2404 -- Internally generated code is never publicly visible except
2405 -- for a subprogram that is the implementation of an expression
2406 -- function. In that case the visibility is determined by the
2407 -- last check.
2410 and then
2412 or else not
2414 then
2417 -- Determine whether the subprogram is declared in the visible
2418 -- declarations of the package containing the type, or in the
2419 -- visible declaration of a child unit of that package.
2421 else
2422 declare
2429 begin
2430 return
2431 Decls = Visible_Declarations
2434 or else
2438 and then
2440 and then
2441 Decls = Visible_Declarations
2442 (Specification
2448 -- Start of processing for Invariant_Checks_OK
2450 begin
2451 return
2458 -- Local variables
2461 -- Source location of subprogram body contract
2466 -- Start of processing for Add_Invariant_And_Predicate_Checks
2468 begin
2471 -- Process the result of a function
2476 -- Generate _Result which is used in procedure _Postconditions to
2477 -- verify the return value.
2482 -- Add an invariant check when the return type has invariants and
2483 -- the related function is visible to the outside.
2486 Append_Enabled_Item
2492 -- Add an invariant check when the return type is an access to a
2493 -- type with invariants.
2498 -- Add invariant checks for all formals that qualify (see AI05-0289
2499 -- and AI12-0044).
2508 then
2510 Append_Enabled_Item
2518 -- Note: we used to add predicate checks for OUT and IN OUT
2519 -- formals here, but that was misguided, since such checks are
2520 -- performed on the caller side, based on the predicate of the
2521 -- actual, rather than the predicate of the formal.
2529 -----------------------------------
2530 -- Add_Stable_Property_Contracts --
2531 -----------------------------------
2533 procedure Add_Stable_Property_Contracts
2535 is
2538 procedure Insert_Stable_Property_Check
2540 -- Build the pragma for one check and insert it in the tree.
2542 function Make_Stable_Property_Condition
2544 -- Builds tree for "Func (Formal) = Func (Formal)'Old" expression.
2546 function Stable_Properties
2549 -- If no aspect specified, then returns length-zero result.
2550 -- Negated indicates that reserved word NOT was specified.
2552 ----------------------------------
2553 -- Insert_Stable_Property_Check --
2554 ----------------------------------
2556 procedure Insert_Stable_Property_Check
2560 New_List
2561 (Make_Pragma_Argument_Association
2563 Expression =>
2564 Make_Stable_Property_Condition
2567 Make_Pragma_Argument_Association
2569 Expression =>
2570 Make_String_Literal
2572 Strval =>
2573 "failed stable property check at "
2581 )));
2585 Pragma_Identifier =>
2591 begin
2592 -- Enclosing_Declaration may return, for example,
2593 -- a N_Procedure_Specification node. Cope with this.
2594 loop
2604 ------------------------------------
2605 -- Make_Stable_Property_Condition --
2606 ------------------------------------
2608 function Make_Stable_Property_Condition
2610 is
2612 (Make_Function_Call
2614 Name =>
2616 Parameter_Associations =>
2618 begin
2619 return Make_Op_Eq
2621 Call_Property_Function,
2622 Make_Attribute_Reference
2628 -----------------------
2629 -- Stable_Properties --
2630 -----------------------
2632 function Stable_Properties
2634 return Subprogram_List
2635 is
2637 Find_Value_Of_Aspect
2640 begin
2641 -- ??? For a derived type, we wish Find_Value_Of_Aspect
2642 -- somehow knew that this aspect is not inherited.
2643 -- But it doesn't, so we cope with that here.
2644 --
2645 -- There are probably issues here with inheritance from
2646 -- interface types, where just looking for the one parent type
2647 -- isn't enough. But this is far from the only work needed for
2648 -- Stable_Properties'Class for interface types.
2651 declare
2654 begin
2656 Find_Value_Of_Aspect
2659 then
2660 -- prevent inheritance
2668 -- This is a little bit subtle.
2669 -- We need to assign True in the Subp_Id case in order to
2670 -- distinguish between no aspect spec at all vs. an
2671 -- explicitly specified "with S_P => []" empty list.
2672 -- In both cases Stable_Properties will return a length-0
2673 -- array, but the two cases are not equivalent.
2674 -- Very roughly speaking the lack of an S_P aspect spec for
2675 -- a subprogram would be equivalent to something like
2676 -- "with S_P => [not]", where we apply the "not" modifier to
2677 -- an empty set of subprograms, if such a construct existed.
2678 -- We could just assign True here, but it seems untidy to
2679 -- return True in the case of an aspect spec for a type
2680 -- (since negation is only allowed for subp S_P aspects).
2683 else
2684 return Parse_Aspect_Stable_Properties
2696 -- start of processing for Add_Stable_Property_Contracts
2698 begin
2700 then
2712 then
2713 -- ??? Need to filter out checks for SPFs that are
2714 -- mentioned explicitly in the postcondition of
2715 -- Subp_Id.
2717 Insert_Stable_Property_Check
2723 declare
2729 function Excluded_By_Aspect_Spec_Of_Subp
2731 -- Examine Subp_Properties to determine whether SPF should
2732 -- be excluded.
2734 -------------------------------------
2735 -- Excluded_By_Aspect_Spec_Of_Subp --
2736 -------------------------------------
2738 function Excluded_By_Aspect_Spec_Of_Subp
2740 begin
2742 -- Look through renames for equality test here ???
2746 -- Look through renames for equality test here ???
2749 begin
2753 -- ??? Need to filter out checks for SPFs that are
2754 -- mentioned explicitly in the postcondition of
2755 -- Subp_Id.
2756 Insert_Stable_Property_Check
2767 -------------------------
2768 -- Append_Enabled_Item --
2769 -------------------------
2772 begin
2773 -- Do not chain ignored or disabled pragmas
2777 then
2780 -- Otherwise, add the item
2782 else
2787 -- If the pragma is a conjunct in a composite postcondition, it
2788 -- has been processed in reverse order. In the postcondition body
2789 -- it must appear before the others.
2794 then
2796 else
2802 ----------------------------
2803 -- Process_Contract_Cases --
2804 ----------------------------
2806 procedure Process_Contract_Cases
2809 is
2811 -- Process pragma Contract_Cases for subprogram Subp_Id
2813 --------------------------------
2814 -- Process_Contract_Cases_For --
2815 --------------------------------
2821 begin
2827 Expand_Pragma_Contract_Cases
2834 Expand_Pragma_Subprogram_Variant
2846 -- Start of processing for Process_Contract_Cases
2848 begin
2856 ----------------------------
2857 -- Process_Postconditions --
2858 ----------------------------
2862 -- Collect all [refined] postconditions of a specific kind denoted
2863 -- by Post_Nam that belong to the body, and generate pragma Check
2864 -- equivalents in list Stmts.
2867 -- Collect all [inherited] postconditions of the spec, and generate
2868 -- pragma Check equivalents in list Stmts.
2870 ---------------------------------
2871 -- Process_Body_Postconditions --
2872 ---------------------------------
2880 begin
2881 -- Process the contract
2888 then
2889 Append_Enabled_Item
2898 -- The subprogram body being processed is actually the proper body
2899 -- of a stub with a corresponding spec. The subprogram stub may
2900 -- carry a postcondition pragma, in which case it must be taken
2901 -- into account. The pragma appears after the stub.
2907 -- Note that non-matching pragmas are skipped
2912 then
2913 Append_Enabled_Item
2918 -- Skip internally generated code
2923 -- Postcondition pragmas are usually grouped together. There
2924 -- is no need to inspect the whole declarative list.
2926 else
2935 ---------------------------------
2936 -- Process_Spec_Postconditions --
2937 ---------------------------------
2945 -- Return True if the contract of subprogram Subp_Id has been
2946 -- processed.
2948 ---------------
2949 -- Seen_Subp --
2950 ---------------
2953 begin
2963 -- Local variables
2970 -- Start of processing for Process_Spec_Postconditions
2972 begin
2973 -- Process the contract
2982 then
2983 Append_Enabled_Item
2992 -- Process the contracts of all inherited subprograms, looking for
2993 -- class-wide postconditions.
3002 -- Wrappers of class-wide pre/postconditions reference the
3003 -- parent primitive that has the inherited contract.
3007 then
3020 then
3021 Item :=
3022 Build_Pragma_Check_Equivalent
3027 -- The pragma Check equivalent of the class-wide
3028 -- postcondition is still created even though the
3029 -- pragma may be ignored because the equivalent
3030 -- performs semantic checks.
3044 -- Stmts is passed as IN OUT to signal that the list can be updated,
3045 -- even if the corresponding integer value representing the list does
3046 -- not change.
3048 -- Start of processing for Process_Postconditions
3050 begin
3051 -- The processing of postconditions is done in reverse order (body
3052 -- first) to ensure the following arrangement:
3054 -- <refined postconditions from body>
3055 -- <postconditions from body>
3056 -- <postconditions from spec>
3057 -- <inherited postconditions>
3063 Process_Spec_Postconditions;
3067 ---------------------------
3068 -- Process_Preconditions --
3069 ---------------------------
3073 -- The insertion node after which all pragma Check equivalents are
3074 -- inserted.
3077 -- Prepend a single item to the declarations of the subprogram body
3080 -- Prepend a normal precondition to the declarations of the body and
3081 -- analyze it.
3084 -- Collect all preconditions of subprogram Subp_Id and prepend their
3085 -- pragma Check equivalents to the declarations of the body.
3087 ----------------------
3088 -- Prepend_To_Decls --
3089 ----------------------
3092 begin
3093 -- Ensure that the body has a declarative list
3103 -----------------------------
3104 -- Prepend_Pragma_To_Decls --
3105 -----------------------------
3110 begin
3111 -- Skip the sole class-wide precondition (if any) since it is
3112 -- processed by Merge_Class_Conditions.
3117 -- Accumulate the corresponding Check pragmas at the top of the
3118 -- declarations. Prepending the items ensures that they will be
3119 -- evaluated in their original order.
3121 else
3128 -------------------------------
3129 -- Process_Preconditions_For --
3130 -------------------------------
3139 begin
3140 -- Process the contract. If the body is an expression function
3141 -- that is a completion, freeze types within, because this may
3142 -- not have been done yet, when the subprogram declaration and
3143 -- its completion by an expression function appear in distinct
3144 -- declarative lists of the same unit (visible and private).
3146 Freeze_T :=
3157 then
3158 if Freeze_T
3160 then
3161 Freeze_Expr_Types
3164 Expr =>
3165 Expression
3177 -- The subprogram declaration being processed is actually a body
3178 -- stub. The stub may carry a precondition pragma, in which case
3179 -- it must be taken into account. The pragma appears after the
3180 -- stub.
3184 -- Inspect the declarations following the body stub
3189 -- Note that non-matching pragmas are skipped
3194 then
3198 -- Skip internally generated code
3203 -- Preconditions are usually grouped together. There is no
3204 -- need to inspect the whole declarative list.
3206 else
3215 -- Local variables
3221 -- Start of processing for Process_Preconditions
3223 begin
3224 -- Find the proper insertion point for all pragma Check equivalents
3230 -- First source declaration terminates the search, because all
3231 -- preconditions must be evaluated prior to it, by definition.
3236 -- Certain internally generated object renamings such as those
3237 -- for discriminants and protection fields must be elaborated
3238 -- before the preconditions are evaluated, as their expressions
3239 -- may mention the discriminants. The renamings include those
3240 -- for private components so we need to find the last such.
3245 loop
3251 -- Otherwise the declaration does not come from source. This
3252 -- also terminates the search, because internal code may raise
3253 -- exceptions which should not preempt the preconditions.
3255 else
3262 -- The processing of preconditions is done in reverse order (body
3263 -- first), because each pragma Check equivalent is inserted at the
3264 -- top of the declarations. This ensures that the final order is
3265 -- consistent with following diagram:
3267 -- <inherited preconditions>
3268 -- <preconditions from spec>
3269 -- <preconditions from body>
3273 -- Move the generated entry-call prologue renamings into the
3274 -- outer declarations for use in the preconditions.
3292 -- Local variables
3300 -- Start of processing for Expand_Subprogram_Contract
3302 begin
3303 -- Obtain the entity of the initial declaration
3307 else
3311 -- Do not perform expansion activity when it is not needed
3316 -- GNATprove does not need the executable semantics of a contract
3321 -- The contract of a generic subprogram or one declared in a generic
3322 -- context is not expanded, as the corresponding instance will provide
3323 -- the executable semantics of the contract.
3328 -- All subprograms carry a contract, but for some it is not significant
3329 -- and should not be processed. This is a small optimization.
3334 -- The contract of an ignored Ghost subprogram does not need expansion,
3335 -- because the subprogram and all calls to it will be removed.
3340 -- No action needed for helpers and indirect-call wrapper built to
3341 -- support class-wide preconditions.
3346 -- Do not re-expand the same contract. This scenario occurs when a
3347 -- construct is rewritten into something else during its analysis
3348 -- (expression functions for instance).
3354 -- Prevent multiple expansion attempts of the same contract
3358 -- Ensure that the formal parameters are visible when expanding all
3359 -- contract items.
3367 else
3372 -- The expansion of a subprogram contract involves the creation of Check
3373 -- pragmas to verify the contract assertions of the spec and body in a
3374 -- particular order. The order is as follows:
3376 -- function Original_Code (...) return ... is
3377 -- <prologue renamings>
3378 -- <inherited preconditions>
3379 -- <preconditions from spec>
3380 -- <preconditions from body>
3381 -- <contract case conditions>
3383 -- function _Wrapped_Statements (...) return ... is
3384 -- <source declarations>
3385 -- begin
3386 -- <source statements>
3387 -- end _Wrapped_Statements;
3389 -- begin
3390 -- return Result : constant ... := _Wrapped_Statements do
3391 -- <refined postconditions from body>
3392 -- <postconditions from body>
3393 -- <postconditions from spec>
3394 -- <inherited postconditions>
3395 -- <contract case consequences>
3396 -- <invariant check of function result>
3397 -- <invariant and predicate checks of parameters
3398 -- end return;
3399 -- end Original_Code;
3401 -- Step 1: augment contracts list with postconditions associated with
3402 -- Stable_Properties and Stable_Properties'Class aspects. This must
3403 -- precede Process_Postconditions.
3406 Add_Stable_Property_Contracts
3410 -- Step 2: Handle all preconditions. This action must come before the
3411 -- processing of pragma Contract_Cases because the pragma prepends items
3412 -- to the body declarations.
3416 -- Step 3: Handle all postconditions. This action must come before the
3417 -- processing of pragma Contract_Cases because the pragma appends items
3418 -- to list Stmts.
3422 -- Step 4: Handle pragma Contract_Cases. This action must come before
3423 -- the processing of invariants and predicates because those append
3424 -- items to list Stmts.
3428 -- Step 5: Apply invariant and predicate checks on a function result and
3429 -- all formals. The resulting checks are accumulated in list Stmts.
3433 -- Step 6: Construct subprogram _wrapped_statements
3435 -- When no statements are present we still need to insert contract
3436 -- related declarations.
3441 -- Otherwise, we need a wrapper
3443 else
3448 End_Scope;
3452 -------------------------------
3453 -- Freeze_Previous_Contracts --
3454 -------------------------------
3459 -- Determine whether arbitrary node N causes contract freezing. This is
3460 -- used as an assertion for the current body declaration that caused
3461 -- contract freezing, and as a condition to detect body declaration that
3462 -- already caused contract freezing before.
3466 -- Freeze the contracts of all eligible constructs which precede body
3467 -- Body_Decl.
3471 -- Freeze the contract of the nearest package body (if any) which
3472 -- encloses body Body_Decl.
3474 ------------------------------
3475 -- Causes_Contract_Freezing --
3476 ------------------------------
3479 begin
3480 -- The following condition matches guards for calls to
3481 -- Freeze_Previous_Contracts from routines that analyze various body
3482 -- declarations. In particular, it detects expression functions, as
3483 -- described in the call from Analyze_Subprogram_Body_Helper.
3485 return
3487 and then
3489 N_Entry_Body | N_Package_Body | N_Protected_Body |
3490 N_Subprogram_Body | N_Subprogram_Body_Stub | N_Task_Body;
3493 ----------------------
3494 -- Freeze_Contracts --
3495 ----------------------
3501 begin
3502 -- Nothing to do when the body which causes freezing does not appear
3503 -- in a declarative list because there cannot possibly be constructs
3504 -- with contracts.
3510 -- Inspect the declarations preceding the body, and freeze individual
3511 -- contracts of eligible constructs.
3516 -- Stop the traversal when a preceding construct that causes
3517 -- freezing is encountered as there is no point in refreezing
3518 -- the already frozen constructs.
3523 -- Entry or subprogram declarations
3526 | N_Entry_Declaration
3527 | N_Generic_Subprogram_Declaration
3528 | N_Subprogram_Declaration
3529 then
3530 Analyze_Entry_Or_Subprogram_Contract
3534 -- Objects
3537 Analyze_Object_Contract
3541 -- Protected units
3544 | N_Single_Protected_Declaration
3545 then
3548 -- Subprogram body stubs
3553 -- Task units
3556 | N_Task_Type_Declaration
3557 then
3562 | N_Private_Type_Declaration
3563 | N_Task_Type_Declaration
3564 | N_Protected_Type_Declaration
3565 | N_Formal_Type_Declaration
3566 then
3574 -----------------------------------
3575 -- Freeze_Enclosing_Package_Body --
3576 -----------------------------------
3582 begin
3583 -- Climb the parent chain looking for an enclosing package body. Do
3584 -- not use the scope stack, because a body utilizes the entity of its
3585 -- corresponding spec.
3590 Analyze_Package_Body_Contract
3596 -- Do not look for an enclosing package body when the construct
3597 -- which causes freezing is a body generated for an expression
3598 -- function and it appears within a package spec. This ensures
3599 -- that the traversal will not reach too far up the parent chain
3600 -- and attempt to freeze a package body which must not be frozen.
3602 -- package body Enclosing_Body
3603 -- with Refined_State => (State => Var)
3604 -- is
3605 -- package Nested is
3606 -- type Some_Type is ...;
3607 -- function Cause_Freezing return ...;
3608 -- private
3609 -- function Cause_Freezing is (...);
3610 -- end Nested;
3611 --
3612 -- Var : Nested.Some_Type;
3616 then
3619 -- Prevent the search from going too far
3629 -- Local variables
3633 -- Start of processing for Freeze_Previous_Contracts
3635 begin
3638 -- A body that is in the process of being inlined appears from source,
3639 -- but carries name _parent. Such a body does not cause freezing of
3640 -- contracts.
3646 Freeze_Enclosing_Package_Body;
3647 Freeze_Contracts;
3650 ---------------------------------
3651 -- Inherit_Subprogram_Contract --
3652 ---------------------------------
3654 procedure Inherit_Subprogram_Contract
3657 is
3659 -- Propagate a pragma denoted by Prag_Id from From_Subp's contract to
3660 -- Subp's contract.
3662 --------------------
3663 -- Inherit_Pragma --
3664 --------------------
3670 begin
3671 -- A pragma cannot be part of more than one First_Pragma/Next_Pragma
3672 -- chains, therefore the node must be replicated. The new pragma is
3673 -- flagged as inherited for distinction purposes.
3683 -- Start of processing for Inherit_Subprogram_Contract
3685 begin
3686 -- Inheritance is carried out only when both entities are subprograms
3687 -- with contracts.
3692 then
3697 -------------------------------------
3698 -- Instantiate_Subprogram_Contract --
3699 -------------------------------------
3703 -- Instantiate all contract-related source pragmas found in the list,
3704 -- starting with pragma First_Prag. Each instantiated pragma is added
3705 -- to list L.
3707 -------------------------
3708 -- Instantiate_Pragmas --
3709 -------------------------
3715 begin
3719 Inst_Prag :=
3730 -- Local variables
3734 -- Start of processing for Instantiate_Subprogram_Contract
3736 begin
3744 --------------------------
3745 -- Is_Prologue_Renaming --
3746 --------------------------
3748 -- This should be turned into a flag and set during the expansion of
3749 -- task and protected types when the renamings get generated ???
3757 begin
3760 then
3765 -- Analyze the renaming declaration so we can further examine it
3774 -- A discriminant renaming appears as
3775 -- Discr : constant ... := Prefix.Discr;
3781 then
3784 -- A protection field renaming appears as
3785 -- Prot : ... := _object._object;
3787 -- A renamed private component is just a component of
3788 -- _object, with an arbitrary name.
3794 then
3803 -----------------------------------
3804 -- Make_Class_Precondition_Subps --
3805 -----------------------------------
3807 procedure Make_Class_Precondition_Subps
3810 is
3815 -- Build the indirect-call wrapper and append it to the freezing actions
3816 -- of Tagged_Type.
3818 procedure Add_Call_Helper
3821 -- Factorizes code for building a call helper with the given identifier
3822 -- and append it to the freezing actions of Tagged_Type. Is_Dynamic
3823 -- controls building the static or dynamic version of the helper.
3826 -- Build an unique new name adding suffix to Subp_Id name (plus its
3827 -- homonym number for values bigger than 1).
3829 -------------------------------
3830 -- Add_Indirect_Call_Wrapper --
3831 -------------------------------
3836 -- Build the body of the indirect call wrapper
3839 -- Build the declaration of the indirect call wrapper
3841 --------------------
3842 -- Build_ICW_Body --
3843 --------------------
3852 begin
3855 -- Build call to wrapped subprogram
3857 declare
3861 begin
3862 -- Build parameter association & call
3866 New_Occurrence_Of
3872 Call :=
3876 else
3877 Call :=
3879 Expression =>
3886 ICW_Body :=
3890 Handled_Statement_Sequence =>
3894 -- The new operation is internal and overriding indicators do not
3895 -- apply.
3902 --------------------
3903 -- Build_ICW_Decl --
3904 --------------------
3913 begin
3921 -- The indirect call wrapper is commonly used for indirect calls
3922 -- but inlined for direct calls performed from the DTW.
3932 -- Link original subprogram to indirect wrapper and vice versa
3937 -- Inherit debug info flag to allow debugging the wrapper
3946 -- Local Variables
3951 -- Start of processing for Add_Indirect_Call_Wrapper
3953 begin
3964 -- We cannot defer the analysis of this ICW wrapper when it is
3965 -- built as a consequence of building its partner DTW wrapper
3966 -- at the freezing point of the tagged type.
3973 ---------------------
3974 -- Add_Call_Helper --
3975 ---------------------
3977 procedure Add_Call_Helper
3980 is
3982 -- Build the body of a call helper
3985 -- Build the declaration of a call helper
3988 -- Build the specification of the helper
3990 ----------------------------
3991 -- Build_Call_Helper_Body --
3992 ----------------------------
3996 function Copy_And_Update_References
3998 -- Copy Expr updating references to formals of Helper_Id; update
3999 -- also references to loop identifiers of quantified expressions.
4001 --------------------------------
4002 -- Copy_And_Update_References --
4003 --------------------------------
4005 function Copy_And_Update_References
4007 is
4011 -- Traverse Expr and append to Assoc_List the mapping of loop
4012 -- identifers of quantified expressions with its new copy.
4014 ------------------------------------------------
4015 -- Map_Quantified_Expression_Loop_Identifiers --
4016 ------------------------------------------------
4020 -- Append to Assoc_List the mapping of loop identifers of
4021 -- quantified expressions with its new copy.
4023 --------------------
4024 -- Map_Loop_Param --
4025 --------------------
4028 is
4029 begin
4032 then
4033 declare
4036 begin
4048 begin
4052 -- Local variables
4057 -- Start of processing for Copy_And_Update_References
4059 begin
4068 Map_Quantified_Expression_Loop_Identifiers;
4073 -- Local variables
4082 -- Start of processing for Build_Call_Helper_Body
4084 begin
4095 -- Evaluate the expression if we are building a dynamic helper
4096 -- or we are building a static helper for a non-abstract tagged
4097 -- type; for abstract tagged types the helper just returns True
4098 -- since it is called by the indirect call wrapper (ICW).
4099 and then
4100 (Is_Dynamic
4101 or else
4103 then
4104 Return_Expr :=
4107 -- When the subprogram is compiled with assertions disabled the
4108 -- helper just returns True; done to avoid reporting errors at
4109 -- link time since a unit may be compiled with assertions disabled
4110 -- and another (which depends on it) compiled with assertions
4111 -- enabled.
4113 else
4119 Body_Stmts :=
4124 Helper_Body :=
4133 ----------------------------
4134 -- Build_Call_Helper_Decl --
4135 ----------------------------
4141 begin
4150 -- Inherit debug info flag from Subp_Id to Helper_Id to allow
4151 -- debugging of the helper subprogram.
4160 ----------------------------
4161 -- Build_Call_Helper_Spec --
4162 ----------------------------
4165 is
4175 begin
4176 -- Create a list of formal parameters with the same types as the
4177 -- original subprogram but changing the controlling formal.
4186 = N_Access_Definition
4187 then
4188 Param_Type :=
4195 else
4196 Param_Type :=
4201 else
4207 Defining_Identifier =>
4211 Null_Exclusion_Present => Null_Exclusion_Present
4219 return
4223 Result_Definition =>
4227 -- Local variables
4232 -- Start of processing for Add_Call_Helper
4234 begin
4238 -- Add the helper to the freezing actions of the tagged type
4246 -- If this helper is built as part of building the DTW at the
4247 -- freezing point of its tagged type then we cannot defer
4248 -- its analysis.
4256 -----------------------
4257 -- Build_Unique_Name --
4258 -----------------------
4261 begin
4262 -- Append the homonym number. Strip the leading space character in
4263 -- the image of natural numbers. Also do not add the homonym value
4264 -- of 1.
4267 declare
4270 begin
4279 -- Local variables
4283 -- Start of processing for Make_Class_Precondition_Subps
4285 begin
4288 then
4289 pragma Assert
4295 -- Build and add to the freezing actions of Tagged_Type its
4296 -- dynamic-call helper.
4298 Helper_Id :=
4303 -- Link original subprogram to helper and vice versa
4311 then
4312 -- Build and add to the freezing actions of Tagged_Type its
4313 -- static-call helper.
4315 Helper_Id :=
4321 -- Link original subprogram to helper and vice versa
4326 -- Build and add to the freezing actions of Tagged_Type the
4327 -- indirect-call wrapper.
4329 Add_Indirect_Call_Wrapper;
4334 ----------------------------------------------
4335 -- Process_Class_Conditions_At_Freeze_Point --
4336 ----------------------------------------------
4341 -- Check class-wide pre/postconditions of Spec_Id
4343 function Has_Class_Postconditions_Subprogram
4345 -- Return True if Spec_Id has (or inherits) a postconditions subprogram.
4347 function Has_Class_Preconditions_Subprogram
4349 -- Return True if Spec_Id has (or inherits) a preconditions subprogram.
4351 ----------------------------
4352 -- Check_Class_Conditions --
4353 ----------------------------
4358 begin
4363 Check_Class_Condition
4368 | Class_Precondition);
4373 -----------------------------------------
4374 -- Has_Class_Postconditions_Subprogram --
4375 -----------------------------------------
4377 function Has_Class_Postconditions_Subprogram
4379 begin
4380 return
4381 Present (Nearest_Class_Condition_Subprogram
4384 or else
4385 Present (Nearest_Class_Condition_Subprogram
4390 ----------------------------------------
4391 -- Has_Class_Preconditions_Subprogram --
4392 ----------------------------------------
4394 function Has_Class_Preconditions_Subprogram
4396 begin
4397 return
4398 Present (Nearest_Class_Condition_Subprogram
4401 or else
4402 Present (Nearest_Class_Condition_Subprogram
4407 -- Local variables
4412 -- Start of processing for Process_Class_Conditions_At_Freeze_Point
4414 begin
4420 then
4426 -- Handle wrapper of protected operation
4431 -- Check inherited class-wide conditions, excluding internal
4432 -- entities built for mapping of interface primitives.
4437 then
4446 ----------------------------
4447 -- Merge_Class_Conditions --
4448 ----------------------------
4453 -- Collect all inherited class-wide conditions of Spec_Id and merge
4454 -- them into one big condition.
4456 ----------------------------------
4457 -- Process_Inherited_Conditions --
4458 ----------------------------------
4465 function Inherit_Condition
4468 -- Inherit the class-wide condition from Par_Subp to Subp and adjust
4469 -- all the references to formals in the inherited condition.
4472 -- Merge two class-wide preconditions or postconditions (the former
4473 -- are merged using "or else", and the latter are merged using "and-
4474 -- then"). The changes are accumulated in parameter Into.
4477 -- Return True if the contract of subprogram Id has been processed
4479 -----------------------
4480 -- Inherit_Condition --
4481 -----------------------
4483 function Inherit_Condition
4486 is
4488 -- Used in assertion to check that Expr has no reference to the
4489 -- formals of Par_Subp.
4491 ---------------------
4492 -- Check_Condition --
4493 ---------------------
4499 -- Check occurrence of Par_Formal_Id
4501 ------------------
4502 -- Check_Entity --
4503 ------------------
4506 begin
4510 then
4519 -- Start of processing for Check_Condition
4521 begin
4535 -- Local variables
4542 begin
4551 -- Check that Parent field of all the nodes have their correct
4552 -- decoration; required because otherwise mapped nodes with
4553 -- wrong Parent field are left unmodified in the copied tree
4554 -- and cause reporting wrong errors at later stages.
4556 pragma Assert
4559 New_Condition :=
4560 New_Copy_Tree
4564 -- Ensure that the inherited condition has no reference to the
4565 -- formals of the parent subprogram.
4572 ----------------------
4573 -- Merge_Conditions --
4574 ----------------------
4578 -- Return the boolean expression argument of a condition while
4579 -- updating its parentheses count for the subsequent merge.
4581 --------------------
4582 -- Expression_Arg --
4583 --------------------
4586 begin
4594 -- Local variables
4600 -- Start of processing for Merge_Conditions
4602 begin
4605 -- Merge the two preconditions by "or else"-ing them
4607 when Ignored_Class_Precondition
4608 | Class_Precondition
4609 =>
4615 -- Merge the two postconditions by "and then"-ing them
4617 when Ignored_Class_Postcondition
4618 | Class_Postcondition
4619 =>
4627 ---------------
4628 -- Seen_Subp --
4629 ---------------
4632 begin
4642 -- Local variables
4650 -- Start of processing for Process_Inherited_Conditions
4652 begin
4655 -- Process parent primitives looking for nearest ancestor with
4656 -- class-wide conditions.
4663 then
4668 -- Wrappers of class-wide pre/postconditions reference the
4669 -- parent primitive that has the inherited contract and help
4670 -- us to climb fast.
4674 then
4680 then
4685 Cond := Inherit_Condition
4691 else
4695 Check_Class_Condition
4700 | Class_Precondition);
4701 Build_Class_Wide_Expression
4707 -- We are done as soon as we process the nearest ancestor
4714 -- Process the contract of interface primitives not covered by
4715 -- the nearest ancestor.
4728 then
4731 Cond := Inherit_Condition
4735 Check_Class_Condition
4740 | Class_Precondition);
4741 Build_Class_Wide_Expression
4749 else
4759 -- Local variables
4763 -- Start of processing for Merge_Class_Conditions
4765 begin
4769 -- If this subprogram has class-wide conditions then preanalyze
4770 -- them before processing inherited conditions since conditions
4771 -- are checked and merged from right to left.
4779 -- Preanalyze merged inherited conditions
4788 ---------------------------------
4789 -- Preanalyze_Class_Conditions --
4790 ---------------------------------
4795 begin
4805 --------------------------
4806 -- Preanalyze_Condition --
4807 --------------------------
4809 procedure Preanalyze_Condition
4812 is
4814 -- Clear unset references on formals of Subp since preanalysis
4815 -- occurs in a place unrelated to the actual code.
4818 -- Traverse Expr and clear the Controlling_Argument of calls to
4819 -- nonabstract functions.
4822 -- Remove formals from homonym chains and make them not visible
4825 -- Traverse Expr searching for dispatching calls to functions whose
4826 -- original node was a selected component, and replace them with
4827 -- their original node.
4829 ----------------------------
4830 -- Clear_Unset_References --
4831 ----------------------------
4836 begin
4843 ----------------------------------
4844 -- Remove_Controlling_Arguments --
4845 ----------------------------------
4849 -- Reset the Controlling_Argument of calls to nonabstract
4850 -- function calls.
4852 ---------------------
4853 -- Remove_Ctrl_Arg --
4854 ---------------------
4857 begin
4861 then
4869 begin
4873 --------------------
4874 -- Remove_Formals --
4875 --------------------
4880 begin
4888 -----------------------------------------
4889 -- Restore_Original_Selected_Component --
4890 -----------------------------------------
4896 -- Traverse the subtree of N fixing the Parent field of all the
4897 -- nodes.
4900 -- Process dispatching calls to functions whose original node was
4901 -- a selected component, and replace them with their original
4902 -- node. Restored nodes are stored in the Restored_Nodes_List
4903 -- to fix the parent fields of their subtrees in a separate
4904 -- tree traversal.
4906 -----------------
4907 -- Fix_Parents --
4908 -----------------
4912 function Fix_Parent
4915 -- Process a single node
4917 ----------------
4918 -- Fix_Parent --
4919 ----------------
4921 function Fix_Parent
4924 is
4927 begin
4939 begin
4943 ------------------
4944 -- Restore_Node --
4945 ------------------
4948 begin
4952 then
4956 -- Save the restored node in the Restored_Nodes_List to fix
4957 -- the parent fields of their subtrees in a separate tree
4958 -- traversal.
4968 -- Start of processing for Restore_Original_Selected_Component
4970 begin
4973 -- After restoring the original node we must fix the decoration
4974 -- of the Parent attribute to ensure tree consistency; required
4975 -- because when the class-wide condition is inherited, calls to
4976 -- New_Copy_Tree will perform copies of this subtree, and formal
4977 -- occurrences with wrong Parent field cannot be mapped to the
4978 -- new formals.
4981 declare
4984 begin
4993 -- Start of processing for Preanalyze_Condition
4995 begin
5007 Pop_Scope;
5009 -- If this preanalyzed condition has occurrences of dispatching calls
5010 -- using the Object.Operation notation, during preanalysis such calls
5011 -- are rewritten as dispatching function calls; if at later stages
5012 -- this condition is inherited we must have restored the original
5013 -- selected-component node to ensure that the preanalysis of the
5014 -- inherited condition rewrites these dispatching calls in the
5015 -- correct context to avoid reporting spurious errors.
5017 Restore_Original_Selected_Component;
5019 -- Traverse Expr and clear the Controlling_Argument of calls to
5020 -- nonabstract functions. Required since the preanalyzed condition
5021 -- is not yet installed on its definite context and will be cloned
5022 -- and extended in derivations with additional conditions.
5024 Remove_Controlling_Arguments;
5026 -- Clear also attribute Unset_Reference; again because preanalysis
5027 -- occurs in a place unrelated to the actual code.
5029 Clear_Unset_References;
5032 ----------------------------------------
5033 -- Save_Global_References_In_Contract --
5034 ----------------------------------------
5036 procedure Save_Global_References_In_Contract
5039 is
5041 -- Save all global references in contract-related source pragmas found
5042 -- in the list, starting with pragma First_Prag.
5044 ------------------------------------
5045 -- Save_Global_References_In_List --
5046 ------------------------------------
5051 begin
5061 -- Local variables
5065 -- Start of processing for Save_Global_References_In_Contract
5067 begin
5068 -- The entity of the analyzed generic copy must be on the scope stack
5069 -- to ensure proper detection of global references.
5075 then
5085 Pop_Scope;
5088 -------------------------
5089 -- Set_Class_Condition --
5090 -------------------------
5092 procedure Set_Class_Condition
5096 is
5097 begin