Version 1.8 of ai05s/ai05-0013-1.txt


!standard 7.6(9.4/2)          07-11-19 AI05-0013-1/07
!standard D.7(4/2)
!class binding interpretation 06-04-10
!status work item 06-05-29
!status ARG Approved 11-0-1 06-11-18
!status work item 06-04-10
!status received 06-04-03
!priority Medium
!difficulty Medium
!qualifier Error
!subject No_Nested_Finalization is difficult to enforce
!summary
(See recommendation.)
!question
7.6(9.4) says that "A type is said to need finalization if ... it is a limited type that has an access discriminant whose designated type needs finalization."
This rule was intended to support coextensions, which get finalized when the parent object gets finalized, and must therefore have been taken into account for computing the "needs finalization" properties. However:
(1) Coextensions can exist for nonlimited types. Thus, the "limited" should be deleted from the wording.
(2) This property cannot be computed at the freezing point of the type (which is the natural place to do so), as the designated type may not be frozen yet. Indeed, there is no place during the current compilation where it can be computed if the designated type is an incomplete one from a limited view - it will not be known until link-time if the complete type is controlled.
This definition is used in No_Nested_Finalization; (2) implies link-time checking. Such checking would be very expensive to build, because every nested use of a type with an access discriminant would have to be recorded, along with its definition, and checks would have to be made if the actual complete type does in fact "need finalization". Is this intended? (No.)
!recommendation
Change the No_Nested_Finalization check to disallow allocators of nested access types which designate types that need finalization, and delete the coextension rule from the definition of "needs finalization".
!wording
Replace 7.6(9.4/2) with:
it is a class-wide type; or
Replace D.7(3-10/2) with:
No_Task_Hierarchy
All (nonenvironment) tasks shall depend directly on the environment task of the partition.
No_Nested_Finalization
Objects of a type that needs finalization (see 7.6) are declared only at library level. There are no allocators where the type determined by the subtype_mark of the subtype_indication or qualified_expression needs finalization where the type of the allocator does not have library-level accessibility.
No_Abort_Statements
There shall be no abort_statements, and there shall be no calls on Task_Identification.Abort_Task.
No_Terminate_Alternatives
There shall be no selective_accepts with terminate_alternatives.
No_Task_Allocators
There shall be no allocators for task types or types containing task subcomponents.
No_Implicit_Heap_Allocations
There shall be no operations that implicitly require heap storage allocation to be performed by the implementation. It is implementation defined which operations implicitly require heap storage allocation.
No_Dynamic_Priorities
There shall be no semantic dependences on the package Dynamic_Priorities, and no occurrences of the attribute Priority.
No_Dynamic_Attachment
There shall be no call to any of the operations defined in package Interrupts (Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler, Detach_Handler, and Reference).
Replace D.7(10.3/2-10.7/2) with:
No_Protected_Type_Allocators
There shall be no allocators for protected types or types containing protected type subcomponents.
No_Relative_Delay
There shall be no delay_relative_statements.
No_Requeue_Statements
There shall be no requeue_statements.
No_Select_Statements
There shall be no select_statements.
No_Specific_Termination_Handlers
There shall be no calls to the Set_Specific_Handler and Specific_Handler subprograms in Task_Termination.
!discussion
Directly attempting to fix problem (2) leads into a rat-hole of bad or incompatible solutions. (If you are interested, version /01 of this AI contained an exhaustive list.)
The key is to fix the uses of "needs finalization" to consider coextensions. There is only one use: restriction No_Nested_Finalization. The best way to do this for No_Nested_Finalization is to make the allocators, rather than the access types, illegal. At this point, the designated type must be frozen, so there is no problem knowing whether it "needs finalization".
Note that the new rule uses the accessibility level of the access type of the allocator. This is needed to take coextensions into account; the accessibility level is determined by an extensive set of rules and we certainly don't want to duplicate those.
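As an added illustration (not part of the AI's wording or any ARG-supplied code), the following shows what the revised No_Nested_Finalization rule accepts and rejects; the package and type names are made up for the example:

```ada
--  Added illustration of the revised No_Nested_Finalization rule.
--  All names below (Resources, Handle, Handle_Ptr, Holder, Nested) are
--  made up for this example.
pragma Restrictions (No_Nested_Finalization);

with Ada.Finalization;
package Resources is
   --  Library-level controlled type: it "needs finalization" (7.6).
   type Handle is new Ada.Finalization.Controlled with record
      Id : Natural := 0;
   end record;
   overriding procedure Finalize (Obj : in out Handle);

   --  Library-level access type: allocators of this type remain legal,
   --  because the type of the allocator has library-level accessibility.
   type Handle_Ptr is access Handle;

   --  Nonlimited type with an access discriminant. Under the old
   --  7.6(9.4/2) only a *limited* type with such a discriminant would
   --  "need finalization", so a coextension of a nonlimited type escaped
   --  the restriction (problem (1)); the AI drops that case from the
   --  definition and checks the allocator instead.
   type Holder (Res : access Handle) is null record;
end Resources;

package body Resources is
   overriding procedure Finalize (Obj : in out Handle) is
   begin
      null;  --  release whatever Id stands for
   end Finalize;
end Resources;

with Resources; use Resources;
procedure Nested is
   --  Nested access type: does not have library-level accessibility.
   type Local_Ptr is access Handle;

   P1 : constant Handle_Ptr := new Handle;  --  OK: allocator's type is
                                            --  library level
   P2 : constant Local_Ptr  := new Handle;  --  illegal: nested allocator
                                            --  of a type needing
                                            --  finalization
   --  Coextension: the allocator for the access discriminant has the
   --  accessibility level of the object H, which is nested, so it is
   --  illegal under the new wording even though Holder itself does not
   --  need finalization.
   H  : Holder (Res => new Handle);
begin
   null;
end Nested;
```

The designated type Handle is frozen by the time each allocator is checked, which is why the check can be done at compile time rather than at link time.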
During editorial review it was noted that the wording of D.7 is inconsistent: it sometimes uses "shall" and sometimes "is". Furthermore, the meaning of "is" is unclear, because we don't know whether it describes a rule that the user must adhere to, the semantics of the language, or something else (D.7(3) is especially bad). So we are fixing the entire section.
!corrigendum 7.6(9.4/2)
Replace the paragraph:
by:
!corrigendum D.7(4/2)
Replace the paragraph:
Objects of a type that needs finalization (see 7.6) and access types that designate a type that needs finalization, shall be declared only at library level.
by:
Objects of a type that needs finalization (see 7.6) are declared only at library level. There are no allocators where the type determined by the subtype_mark of the subtype_indication or qualified_expression needs finalization where the type of the allocator does not have library-level accessibility.
!ACATS test
An ACATS B-Test should be created to test these cases.
!appendix

From: Pascal Leroy
Date: Monday, April 3, 2006  8:04 AM

7.6(9.4) says that "A type is said to need finalization if ... it is a
limited type that has an access discriminant whose designated type needs
finalization."

This rule was intended to support coextensions, which get finalized when
the parent object gets finalized, and must therefore have been taken into
account for computing the "needs finalization" properties.  However, there
are two problems with this wording:

1 - The word "limited" should be erased because coextensions can exist for
nonlimited types in Ada 2005.
2 - There is a nasty interaction with the freezing rules.  I'd like to be
able to compute the "needs finalization" property at the freezing point of
the type that has the access discriminant, but at this point the type
designated by the access discriminant may not be frozen yet (heck, it may
not even be complete if it comes from a limited view).

Comments?

****************************************************************

From: Randy Brukardt
Date: Monday, November 19, 2007 11:48 PM

I've always been confused when reading D.7(3), even though I "know" the intent:

All (nonenvironment) tasks depend directly on the environment task of the partition.

This is supposed to imply some sort of check that makes programs that violate it
illegal. But it always seems to me to be talking about some change in semantics
instead (tasks, no matter where they are declared, depend directly on the
environment task). [Indeed, we have a pragma with actions much like this in Annex H,
so the idea isn't unique.]

This was one of the reasons behind introducing "shall" here, which Tuck and Bob were
so certain was incorrect. However, leaving the wording alone doesn't address the
original problem that some of these restrictions are easy to misconstrue. (That's
especially true as 13.12 never says anything about checking for violations of
restrictions - it simply says that "a partition shall obey a restriction", and that
can be accomplished in a number of ways, not all of which necessarily involve
any checking.)

It strikes me that the restrictions that make sense (mostly original ones) are
written in the negative: "There are no <blahs>." *That* seems like a restriction.
So I'm wondering if it would be better if restrictions like the above one were
defined in terms of what is not allowed:

    No (nonenvironment) tasks depend directly on a task other than the
    environment task of the partition.

Similar rewordings would be a good idea for D.7(10.1/2):

    No protected objects are declared other than at library level.

and D.7(10.2/2):

    No Timing_Events are declared other than at library level.

and D.7(10.8/2):

    No entry barrier has a Boolean expression that is neither a static Boolean expression
    nor a Boolean component of the enclosing protected object.

This last wording is a bit of stretch.

Note that these last three are the three new restrictions that use "shall", probably
because they don't make much sense as restrictions without making it clear that a
check is required (which is especially important for Ravenscar use).

The first sentence of D.7(4/2) would need some change, too (this was the other place
that had "shall" originally).

   No objects of a type that needs finalization (see 7.6) are declared
   other than at library level. There are no allocators where the type
   determined by the subtype_mark of the subtype_indication or qualified_expression
   needs finalization where the type of the allocator does not have
   library-level accessibility.

Brickbats encouraged...

****************************************************************

From: Tucker Taft
Date: Tuesday, November 20, 2007  6:39 AM

I see your point Randy.  I still think adding "shall"
to these definitions is a mistake, and believe we should
remove it where it snuck in.  On the other hand, adding
some additional, admittedly redundant information
everywhere we define restrictions might help resolve the
confusion.  That is, get some "shall"s or at least
references to the fundamental "checking" aspect of
restrictions into the wording in the close neighborhood
of the restriction definitions as a reminder to the user
of the purpose of these definitions.

****************************************************************

From: Tucker Taft
Date: Tuesday, November 20, 2007  7:18 AM

As far as using "no" in the wording, that does
seem to help in some cases.  Alternatively,
we can rely on words like "each," "only," or "exclusively"
to convey the "restrictive" intent, without having
to reverse the sense of the sentence, and without
having to use the word "shall."  Hence:

    The only (nonenvironment) tasks are ones that depend
    directly on the environment task of the partition.

    Protected objects are declared exclusively at library level.

    Timing events are declared exclusively at library level.

    The Boolean expression in each entry barrier is either a
    static Boolean expression or a Boolean component of the
    enclosing protected object.

One way to help stick to *definitional* wording (as opposed
to slipping into "legality rule" wording) is to imagine
each Restriction identifier as being placed in a phrase such as:

  A partition satisfies the "Simple_Barriers" restriction when:

    The Boolean expression in each entry barrier is either a
    static Boolean expression or a Boolean component of the
    enclosing protected object.

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  7:48 AM

> This was one of the reasons behind introducing "shall" here, which Tuck and
> Bob were so certain was incorrect.

Not quite incorrect -- just unnecessary.  The current style is (mostly) to
define the restrictions, and then have a single "shall" rule saying you have to
obey.  We could have chosen a style where each restriction says "If this
restriction applies, then Thou Shalt [Not]..."  But I don't see any reason to
move to this other style -- if it ain't broke, don't fix it.  Yeah, I know --
you think it IS broken.  But to me, it's like many other things, e.g. static
expressions.  We define what they are, and then separately require their use.
We don't say something like, "A static expression shall not contain a variable
reference."

>     No (nonenvironment) tasks depend directly on a task other than the
>     environment task of the partition.

I don't see how the negative helps.  It's still a definition, rather than a
"shall" rule.  And it forces you into a double negative "No ... other than..."
which is slightly less readable.

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  7:54 AM

>   A partition satisfies the "Simple_Barriers" restriction when:

...which makes me think perhaps we should put something like that in the
introductory paragraphs:

    The following restriction_identifiers are language defined;
    the following definitions define how each restriction may
    be satisfied.

or:

    The following restriction_identifiers are language defined;
    a partition satisfies the restriction as defined below.

or:

    The following restriction_identifiers are language defined;
    a partition is defined to satisfy the restriction under the
    conditions given below.

Or something.

****************************************************************

From: Randy Brukardt
Date: Tuesday, November 20, 2007  2:08 PM

> > This was one of the reasons behind introducing "shall" here, which Tuck and
> > Bob were so certain was incorrect.
>
> Not quite incorrect -- just unnecessary.  The current style is (mostly) to
> define the restrictions, and then have a single "shall" rule
> saying you have to obey.

But that's the problem. What does it mean to "obey" a restriction? When the
restriction is written as a negative (There are no delay_statements.) that's
pretty clear. But when it is written positively, it isn't so clear. The only
reason I know what is meant is because I've talked to you guys; I can't get
there from the normative wording. Every time I read D.7(3), I have to
remember that it doesn't mean what it says, it means "No nested tasks". Why
should that be?

As I previously pointed out, I can think of at least two ways to obey "All
(nonenvironment) tasks depend directly on the environment task of the
partition." That kind of ambiguity is not good; we ought to use wording that
makes it clear that task objects that violate this are illegal and not that
some semantic change is intended.

Sometimes it's easy to get too close to some wording, and read what you know
is meant rather than what it actually says. I think you're doing that here.

> >     No (nonenvironment) tasks depend directly on a task other than the
> >     environment task of the partition.
>
> I don't see how the negative helps.  It's still a definition, rather than a
> "shall" rule.  And it forces you into a double negative "No ... other than..."
> which is slightly less readable.

Because it is more clear that it is intended that such tasks don't exist,
rather than that there is some semantic change. (And other restrictions do
make semantic changes, so we must be very clear.)

It probably would be even clearer if it said something like:

     No object is created which creates a task that depends directly on a
     task other than the environment task of the partition.

which makes it crystal clear that the real point of the Restriction is to
ban the creation of certain kinds of objects.

****************************************************************

From: Randy Brukardt
Date: Tuesday, November 20, 2007  2:08 PM

> >   A partition satisfies the "Simple_Barriers" restriction when:
>
> ...which makes me think perhaps we should put something like that in the
> introductory paragraphs:
>
>     The following restriction_identifiers are language defined;
>     the following definitions define how each restriction may
>     be satisfied.
>
> or:
>
>     The following restriction_identifiers are language defined;
>     a partition satisfies the restriction as defined below.
>
> or:
>
>     The following restriction_identifiers are language defined;
>     a partition is defined to satisfy the restriction under the
>     conditions given below.
>
> Or something.

Any such wording should use "obey", since "obey" is what the "shall" rule
requires. No sense in continuing to confuse the issue by using "satisfy"
here and "obey" there.

****************************************************************

From: Tucker Taft
Date: Tuesday, November 20, 2007  5:04 PM

Good point.  Hence, something like:

  The following restriction_identifiers are language defined;
  each definition given below specifies under what conditions
  the associated restriction is *obeyed*:

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  5:12 PM

I like it.

****************************************************************

From: Ed Schonberg
Date: Tuesday, November 20, 2007  2:41 PM

> It probably would be even clearer if it said something like:
>
>      No object is created which creates a task that depends directly on a
>      task other than the environment task of the partition.
>
> which makes it crystal clear that the real point of the Restriction is to
> ban the creation of certain kinds of objects.

Why not describe it top-down:

No task other than the environment task creates other tasks.

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  4:38 PM

> Why not describe it top-down:
> 
> No task other than the environment task creates other tasks.

That's not quite right.  The issue is dependence, not creation.

If we have:

    type A is access Some_Task_Type;

at library level, then any task can do "new Some_Task_Type" of type A -- it
doesn't matter who creates it, it still depends on the env task.

****************************************************************

From: Ed Schonberg
Date: Tuesday, November 20, 2007  4:49 PM

Indeed. What about:
   tasks can only depend on the environment task of the partition

I suppose we don't have to say anything special about the environment  
task itself.

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  5:09 PM

That works.

Nitpick (which Tucker will appreciate ;-)):

    tasks can depend only on the environment task of the partition
              ^^^^^^^^^^^ I reversed these words.

I'm the "only"-placement police, and I infected Tucker with this disease during
Ada 9X.  ;-)

> I suppose we don't have to say anything special about the environment  task
> itself.

Well, I think we have to, so:

    tasks, other than the env task itself, can depend only on the env task of
    the partition

And while I'm at it, "of the partition" seems uselessly obvious, so:

    tasks, other than the env task itself, can depend only on the env task

I'd drop the "can", but then Randy will kill me.  ;-)

****************************************************************

From: Randy Brukardt
Date: Tuesday, November 20, 2007 11:48 PM

...
> Indeed. What about:
>    tasks can only depend on the environment task of the partition
>
> I suppose we don't have to say anything special about the environment
> task itself.

But that's essentially the current wording, and it does not make it clear
how that is accomplished (that is, that something is not allowed as opposed
to just being a semantic change). We could of course use the original
wording if we added an additional sentence to make it clear how it is
enforced:
   "A partition obeys this restriction if no objects create tasks that
violate the above."

But I think it makes just as much sense to fold those into a single
sentence, especially as we never say things like "violate the above".

****************************************************************

From: Robert A. Duff
Date: Tuesday, November 20, 2007  4:54 PM

> Because it is more clear that it is intended that such tasks don't exist,
> rather than that there is some semantic change. (And other restrictions do
> make semantic changes, so we must be very clear.)

I don't see how using negative wording fixes this possible misunderstanding.
To me, "There are no tasks that don't depend on the env task" is exactly
equivalent to "All tasks depend on the env task".  (Of course, both need the
"other than the env task itself" complication to muddy them up.)

> It probably would be even clearer if it said something like:
> 
>      No object is created which creates a task that depends directly on a
> task other than the
>      environment task of the partition.
> 
> which makes it crystal clear that the real point of the Restriction is to
> ban the creation of certain kinds of objects.

I don't see how this prevents the possible confusion you're worried about.
What if someone interprets the above to mean that the implementation should
magically cause tasks to not depend on "a task other than..."?

Having said all that, I must say: I think this issue is a storm in a coffee
carafe (tempest in a teapot?), and I therefore have no strong objection to the
negative wordings you suggested.  I just don't think it's necessary.

****************************************************************
