Version 1.1 of acs/ac-00117.txt

!standard 9.4(0)          05-10-21 AC95-00115/01
!standard 3.10.2(0)
!class Amendment 05-10-21
!status received no action 05-10-21
!status received 05-05-20
!subject Unserialized access to protected components via access types
!appendix

!topic Unserialized access to protected components via access types
!reference RM95-9.4, RM95-3.10.2
!from Duncan Sands 05-05-20
!discussion

The following program D is legal.  Is this intended?  When run,
it outputs 0 then 1, showing that it is possible to manipulate
protected components from outside the protected object.  I would
have expected protected components to be at a deeper accessibility
level, making it necessary to use 'Unchecked_Access to get this
effect.

-- C --
package C is
   type IA is access all Integer;

   protected PT is
      procedure G (P : out IA);
      function H return Integer;
   private
      I : aliased Integer;
   end;
end;
package body C is
   protected body PT is
      procedure G (P : out IA) is
      begin
         P := I'Access;
      end;
      function H return Integer is
      begin
         return I;
      end;
   end;
end;

-- D --
with Ada.Text_IO; use Ada.Text_IO;
with C; use C;
procedure D is
   X : IA;
begin
   Put_Line (Integer'Image (PT.H));
   PT.G (X);
   X.all := 1;
   Put_Line (Integer'Image (PT.H));
end;

****************************************************************

From: Gary Dismukes
Date: Friday, May 20, 2005  4:15 PM

> The following program D is legal.  Is this intended?  When run,
> it outputs 0 then 1, showing that it is possible to manipulate
> protected components from outside the protected object.  I would
> have expected protected components to be at a deeper accessibility
> level, making it necessary to use 'Unchecked_Access to get this
> effect.

I don't think that such a case was ever considered when formulating
the accessibility rules.  After all, it's not a case of creating
a dangling reference, which is what the accessibility rules are
designed to prevent.  It's not clear to me that this is a serious
concern, since it's under control of the protected abstraction whether
to provide access to the component (in other words, if you don't want
anyone outside to get access then don't do that:).  It's interesting
to note that in the case where the protected declaration is a type
rather than a single protected object, then the accessibility rules
will disallow taking Access of the component, but in the single object
case the restriction doesn't apply.  Perhaps we could consider extending
the restriction to cover this case (by having it also apply in the
anonymous type case), but I'm not sure it would be worth the effort.

****************************************************************

From: Duncan Sands
Date: Thursday, June 2, 2005  10:26 AM

Fair enough.  Thanks for taking the time to reply.

****************************************************************
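
The unserialized access named in the subject line, as an added example that is not part of the original thread or of any ARG material. Package Leaky (a hypothetical name) mirrors package C and adds a serialized Bump; two tasks update the component first through Bump and then through the pointer obtained from G.

```ada
-- Added example: Leaky mirrors package C from the post; names are hypothetical.
package Leaky is
   type IA is access all Integer;
   protected PT is
      procedure G (P : out IA);  -- hands out a pointer to I, as in the post
      procedure Bump;            -- increments I under the protected lock
   private
      I : aliased Integer := 0;
   end PT;
end Leaky;
package body Leaky is
   protected body PT is
      procedure G (P : out IA) is
      begin
         P := I'Access;
      end G;
      procedure Bump is
      begin
         I := I + 1;
      end Bump;
   end PT;
end Leaky;
with Ada.Text_IO; use Ada.Text_IO;
with Leaky;       use Leaky;
procedure Race_Demo is
   N : constant := 1_000_000;     -- increments per task
   X : IA;
   task type Writer (Raw : Boolean);
   task body Writer is
   begin
      for K in 1 .. N loop
         if Raw then
            X.all := X.all + 1;   -- unserialized: goes around the lock
         else
            PT.Bump;              -- serialized by the protected object
         end if;
      end loop;
   end Writer;
   procedure Run (Raw : Boolean) is
      A, B : Writer (Raw);        -- Run returns only after both tasks finish
   begin
      null;
   end Run;
begin
   PT.G (X);
   Run (Raw => False);
   Put_Line ("via Bump: " & Integer'Image (X.all) & " of" & Integer'Image (2 * N));
   Run (Raw => True);
   Put_Line ("via X.all:" & Integer'Image (X.all) & " of" & Integer'Image (4 * N));
end Race_Demo;
```

With GNAT, the listing can be split into its three units with gnatchop before building race_demo. The first line always reaches its target; the second can fall short on a multi-core machine, because concurrent increments through X.all are not serialized and updates can be lost.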

