!standard 9.4(0) 05-10-21 AC95-00117/01 !standard 3.10.2(0) !class Amendment 05-10-21 !status received no action 05-10-21 !status received 05-05-20 !subject Unserialized access to protected components via access types !summary !appendix !topic Unserialized access to protected components via access types !reference RM95-9.4, RM95-3.10.2 !from Duncan Sands 05-05-20 !discussion The following program D is legal. Is this intended? When run, it outputs 0 then 1, showing that it is possible to manipulate protected components from outside the protected object. I would have expected protected components to be at a deeper accessibility level, making it necessary to use 'Unchecked_Access to get this effect. -- C -- package C is type IA is access all Integer; protected PT is procedure G (P : out IA); function H return Integer; private I : aliased Integer; end; end; package body C is protected body PT is procedure G (P : out IA) is begin P := I'Access; end; function H return Integer is begin return I; end; end; end; -- D -- with Ada.Text_IO; use Ada.Text_IO; with C; use C; procedure D is X : IA; begin Put_Line (Integer'Image (PT.H)); PT.G (X); X.all := 1; Put_Line (Integer'Image (PT.H)); end; **************************************************************** From: Gary Dismukes Date: Friday, May 20, 2005 4:15 PM > The following program D is legal. Is this intended? When run, > it outputs 0 then 1, showing that it is possible to manipulate > protected components from outside the protected object. I would > have expected protected components to be at a deeper accessibility > level, making it necessary to use 'Unchecked_Access to get this > effect. I don't think that such a case was ever considered when formulating the accessibility rules. After all, it's not a case of creating a dangling reference, which is what the accessibility rules are designed to prevent. It's not clear to me that this is a serious concern, since it's under control of the protected abstraction whether to provide access to the component (in other words, if you don't want anyone outside to get access then don't do that:). It's interesting to note that in the case where the protected declaration is a type rather than a single protected object, then the accessibility rules will disallow taking Access of the component, but in the single object case the restriction doesn't apply. Perhaps we could consider extending the restriction to cover this case (by having it also apply in the anonymous type case), but I'm not sure it would be worth the effort. **************************************************************** From: Duncan Sands Date: Thursday, June 2, 2005 10:26 AM Fair enough. Thanks for taking the time to reply. ****************************************************************