Version 1.2 of acs/ac-00015.txt

Unformatted version of acs/ac-00015.txt version 1.2
Other versions for file acs/ac-00015.txt

!standard 13.9(3)          01-10-16 AC95-00015/01
!class amendment 01-10-16
!status received no action 01-10-10
!subject Unchecked attribute
!summary
!appendix

From: V. Santhanam (Boeing)
Sent: Wednesday, October 10, 2001 8:42 AM

Issue:

Ada supports unchecked_conversion between types which are not normally
convertible to and from. To achieve this one must WITH the generic function
unchecked_conversion and instantiate it for the target-destination type
pair. The instantiated function can then be used as any other function to
achieve the conversion. All of this just to request the compiler to treat an
expression of one type as if it were an expression of another type.
Typically, the compiler generates no code for any of the constructs used to
achieve this permission.

Solution:

Introduce a predefined attribute Unchecked. The syntax for its use will be:
	type_name'Unchecked (expression)
The static semantics of the construct are that the compiler treats
expression as if it were an expression of type type_name. The type of
expression itself must be determinable without an expected type (as in the
case of ordinary type conversions now). An implementation may place the
restriction that the size of the type of expression be the same as the
type_name'Size.

Reasoning:

It has been argued that the current arrangement is deliberate in that it
should not be easy to use this unsafe feature. I believe making a feature
hard to use is neither healthy nor effective. The fact that this feature has
been in the language from day one suggests that it is well understood by the
programming community that the feature is direly needed in some
applications. Having recognized this need, it is silly to argue that we are
going to make it HARD to use. What is needed is that such uses should be
self-evident in every context. However, the present scheme does not provide
this. For example, it is not uncommon to instantiate Unchecked_Conversion in
a project-wide package and use it wherever needed. And if the name of the
instantiation is not carefully chosen, the uses of the unsafe function can
be obscure. For example,

	function To_Integer_32 is new Unchecked_Conversion (Unsigned_32,
Integer_32);

does not make it evident in a use like:

	Y := My_Types.To_Integer_32 (X);

that there is unchecked conversion going on here. The proposed scheme will
make it evident at the site:
	Y := Integer_32'Unchecked (X);

****************************************************************

From: Christoph Grein
Sent: Friday, October 12, 2001 12:19 AM

> Having recognized this need, it is silly to argue that we are
> going to make it HARD to use.

No, it's not made _hard_ but _obvious_ at the top via a with-clause.
Your attribute is hidden in the executable part and thus not obvious.

> What is needed is that such uses should be
> self-evident in every context. However, the present scheme does not provide
> this. For example, it is not uncommon to instantiate Unchecked_Conversion in
> a project-wide package and use it wherever needed. And if the name of the
> instantiation is not carefully chosen, the uses of the unsafe function can
> be obscure. For example,
>
> 	function To_Integer_32 is new Unchecked_Conversion (Unsigned_32,
> Integer_32);

Then this is a naming problem. They should have chosen a name like
Unchecked_integer_32.

> does not make it evident in a use like:
>
> 	Y := My_Types.To_Integer_32 (X);
>
> that there is unchecked conversion going on here. The proposed scheme will
> make it evident at the site:
> 	Y := Integer_32'Unchecked (X);

Again, this is evident only at the place of use, not at the top of the unit
via a with-clause.

****************************************************************

From: Robert Dewar
Sent: Saturday, October 13, 2001  9:49 AM

This attribute can be added perfectly legally by any Ada vendor. The first
step here is to persuade at least one vendor to implement this attribute.
It would be foolish, even there were agreement, for the ARG to mandate a
new attribute that none of the Ada vendors considered worth while
implementing (the implementation of this attribute is certainly trivail
in GNAT, but we do not consider it a desirable addition to the language,
and certainly none of our users have suggested this attribute (and they
are very free in suggesting useful new attributes and pragmas :-)))

****************************************************************

From: Randy Brukardt
Sent: Tuesday, October 16, 2001  7:03 PM

> What is needed is that such uses should be self-evident in every context.

I don't agree with this premise.

> For example, it is not uncommon to instantiate Unchecked_Conversion in
> a project-wide package and use it wherever needed. And if the name of the
> instantiation is not carefully chosen, the uses of the unsafe function can
> be obscure. For example,
>
>   function To_Integer_32 is new Unchecked_Conversion (Unsigned_32, Integer_32);
>
> does not make it evident in a use like:
>
>   Y := My_Types.To_Integer_32 (X);
>
> that there is unchecked conversion going on here.

That's true, and it's irrelevant. With a proper type system, the only thing
needed at the call site is an indication of the conversion. The actual kind of
conversion used to implement this should not matter, be it a type conversion,
an unchecked conversion, or a function call doing a complex calculation.

For example, Claw has defines various types to match the Win32 API. For
example:

    type HWnd is mod 32; -- A window handle.
    type Int is range -2**31 .. 2**31-1;

Sometimes we have to convert between them because of harebrained M$oft API
definitions. Claw is full of

    function To_HWnd is new Unchecked_Conversion (HWnd, Int);

declarations. Clearly, this is the only way to get from an Int to an HWnd. The
exact mechanism for the conversion is generally not interesting (this is just
another abstraction). If there is a problem with Ada, it is that we cannot
"delete" the (normal, checked) type conversion from HWnd to Int, since it will
not do the correct thing (and it usually will work, causing problems on fielded
systems. We had precisely this happen to us with Claw, as Windows NT liked to
declare handles with the upper bit set). [In general, we can't delete
operations in Ada, because doing so causes problems with the generic contract
model.]

****************************************************************


Questions? Ask the ACAA Technical Agent