Version 1.9 of ai05s/ai05-0050-1.txt

Unformatted version of ai05s/ai05-0050-1.txt version 1.9
Other versions for file ai05s/ai05-0050-1.txt

!standard 6.5(24/2)          09-05-31 AI05-0050-1/07
!class binding interpretation 07-05-04
!status Amendment 201Z 08-11-26
!status ARG Approved 7-0-0 08-11-02
!status work item 07-05-04
!status received 07-04-20
!priority Medium
!difficulty Medium
!qualifier Omission
!subject Return permissions are not enough for built-in-place return objects
!summary
If an object is being initialized by a function call and the implementation can tell before the call that the object subtype and the function result subtype are incompatible, then the implementation is permitted to raise an exception before the call.
If the object declared in an extended return statement is unconstrained, has discriminants, and is nonlimited, the existing permission does not apply. (In this case, the discriminant values might change before the extended return statement finishes, so raising an exception when the object is declared could raise an exception that would not be raised by the full call). Note that the permission still applies to simple return statements and constrained return objects in extended return statements.
All of these permissions apply to recursive calls (that is, calls to a function in a return statement).
!question
Should the implementation permissions of 6.5(24/2) be revised? The current permission both requires inefficient implementations in some cases and also allows an exception to be raised in cases where no exception would be raised without the permission.
!recommendation
(See summary.)
!wording
Replace 6.5(24/2)
If the result subtype of a function is unconstrained, and a call on the function is used to provide the initial value of an object with a constrained nominal subtype, Constraint_Error may be raised at the point of the call (after abandoning the execution of the function body) if, while elaborating the return_subtype_indication or evaluating the expression of a return statement that applies to the function body, it is determined that the value of the result will violate the constraint of the subtype of this object.
with
For a function call used to initialize a composite object with a constrained nominal subtype or used to initialize a return object that is built in place into such an object:
- If the result subtype of the function is constrained, and conversion of
an object of this subtype to the subtype of the object being initialized would raise Constraint_Error, then Constraint_Error may be raised before calling the function.
- If the result subtype of the function is unconstrained, and a return
statement is executed such that the return object is known to be constrained, and conversion of the return object to the subtype of the object being initialized would raise Constraint_Error, then Constraint_Error may be raised at the point of the call (after abandoning the execution of the function body).
[Editor's note: The definition of "built in place" was added by AI05-0067-1.]
AARM Reason:
Without such a permission, it would be very difficult to implement "built-in-place" semantics. The intention is that the exception is raised at same point that it would have been raised without the permission; it should not change handlers if the implementation switches between return-by-copy and built-in-place. This means that the exception is not handleable within the function, because in the return-by-copy case, the constraint check to verify that the result satisfies the constraints of the object being initialized happens after the function returns. This implies further that upon detecting such a situation, the implementation may need to simulate a goto to a point outside any local exception handlers prior to raising the exception.
AARM Ramification:
These permissions do not apply in the case of an extended return object with mutable discriminants. That's necessary because in that case a return object can be created with the "wrong" discriminants and then changed to the "right" discriminants later (but before returning). We don't want this case raising an exception when the canonical semantics will not do so.
It's still possible to write a program that will raise an exception using this permission that would not in the canonical semantics. That could happen if a return statement with the "wrong" discriminants or bounds is abandoned (via an exception, or for an extended_return_statement, via an exit or goto statement), and then a return statement with the "right" discrimiants or bounds is executed. The only solution for this problem is to not have the permission at all, but this is too unusual of a case to worry about the effects of the permission, especially given the implementation difficulties for built-in-place objects that this permission is intended to ease.
Note that the mutable-discriminant case only happens when built-in-place initialization is optional. This means that any difficulties associated with implementing built-in-place initialization without these permissions can be sidestepped by not building in place.
!discussion
The implementation permissions of 6.5(24/2) do not go far enough.
This section states:
If the result subtype of a function is unconstrained, and a call on the function is used to provide the initial value of an object with a constrained nominal subtype, Constraint_Error may be raised at the point of the call (after abandoning the execution of the function body) if, while elaborating the return_subtype_indication or evaluating the expression of a return statement that applies to the function body, it is determined that the value of the result will violate the constraint of the subtype of this object.
This is a fine start, but more is needed in order to efficiently implement built-in-place initialization as required by AI95-00318-02.
First, the original permission does not cover a function with a constrained result type. But such a function can be used to initialize an object with the wrong constraints, and thus has the same implementation issues that the original permission is intended to eliminate.
Consider:
declare type T; type Inner (D : access T) is limited null record; type T is limited record F : Inner (Outer'access); end record; -- requires initialization to be built in place
type Unconstrained is array (Positive range <>) of T;
subtype S1 is Unconstrained (1 .. Some_Func_Returning_20); subtype S2 is Unconstrained (1 .. Some_Func_Returning_10);
function F return S1 is begin Text_Io.Put_Line ("F was called"); return (others => <>); end F;
X : S2 := F; begin null; end;
An implementation should be allowed to raise Constraint_Error before the call to F (without invoking 11.6). Otherwise, F could try to build a large object in place in a smaller object. That would not be good.
Thus the permission was extended to cover all types of function returns.
Second, built in place is only required for limited types, so it would be OK for an implementation to ignore the implementation permissions of 6.5(24/2) for a nonlimited type. If an implementation chooses to implement built in place for nonlimited types, it must take care with types with mutable discriminants.
In particular, it must not modify discriminants of constrained objects. Consider:
subtype Index is Integer range 1 .. 20;
type Rec (Length : Index := 10) is record F : String (1 .. Length); end record;
function F return Rec is begin return Result : Rec do Result := (5, "12345"); Text_Io.Put_Line ("Assignment succeeded"); end return; end F;
X1 : Rec (10) := F;
In a case like this, the revised permission does not provide a permission to raise Constraint_Error early (the return object is not "known to be constrained", and thus the second bullet does not apply). That means that implementations will typically have to use an anonymous temporary object in this case and avoid building the result in place.
We considered a model which would be similar to an in-out or out mode parameter with an unconstrained nominal subtype. In this model, Constraint_Error could be raised anywhere that the return object was initialized or assigned, not just at the point of the call.
Besides seeming rather non-specific, this model would allow an exception to be raised in cases where it would not be raised in the absence of the permission. That seems bad. For instance:
declare type T (Is_Big : Boolean := True) is record case Is_Big is when False => null; when True => Big_Component : String (1..1024) := (others => 'X'); end case; end record;
function F return T is begin return X : T do -- X is unconstrained X.Big_Component := (others => 'Y'); X := (Is_Big => False); end return; end F;
Small_Object : T (Is_Big => False) := F; begin null; end;
The permissive model would have allowed the declaration of X to raise Constraint_Error. But that is bad, as the function ultimately returns an object with the correct discriminant. Moreover, this is a common way to declare objects where the constraint is not immediately known. Therefore, we did not use this permissive model.
Finally, the implementation permissions of 6.5(24/2) should apply recursively in the case where a function call returns the result of another function call. For instance:
declare type T; type Inner (D : access T) is limited null record; type T is limited record F : Inner (Outer'access); end record; -- requires initialization to be built in place
type Unconstrained is array (Positive range <>) of T;
function Some_Function return T is ... ;
function F1 return Unconstrained is begin return (1 .. 10 => Some_Function); end F1;
function F2 return Unconstrained is begin return F1; exception when Constraint_Error => return (1 .. 3 => <>); end F2;
X : Unconstrained (1..3) := F2; begin null; end;
In the execution of this example, it should be OK for the return statement in F1 to raise Constraint_Error before executing any calls to Some_Function.
----
One could argue that these permissions are already implied by 11.6 and therefore do not need to be repeated. This is simply not the case. For example, the permissions given in this section allow a constraint check to be moved into an independent subprogram. 11.6 alone would not allow this.
Even if the permissions of this section were redundant, they should still be stated explicitly here for the sake of the clarity of the language definition. Reliance on these permissions is effectively required in the cases where in-place initialization is required. Section 11.6 is about permissions which enable optional optimizations - an implementer should have the option of completely ignoring 11.6. Permissions which are needed in order to correctly implement the language should be stated outside of 11.6 .
----
The original wording of 6.5(24/2) applied in the case of a scalar result type. We don't want this permission to apply (for example) in the case of a function whose result subtype is Standard.Float. Thus, the revised permission includes the phrase "of a composite type". This permission refers to dynamic semantics, so there are no issues with privacy.
----
It is still possible for an implementation taking advantage of these permissions to raise Constraint_Error in cases were the canonical semantics would not have. That can happen when a return statement with the "wrong" discriminants is abandoned and then a return statement with the "right" discriminants is executed in its place. For instance:
type Rec (D : Integer) is record ...
function F return Rec is begin return O : Rec(4) do -- (1) if <some condition> then goto Different_Object; end if; end return; <<Different_Object>> return O : Rec(5) do -- (2) ... end return; end F;
O : Rec(5) := F;
The permission above would allow raising Constraint_Error at (1). But since that object is never actually returned, and the object that is returned has the right shape, the full function call which did not take advantage of the permission would not raise any exception.
This cannot be avoided without dropping the permission completely; but that would have an unacceptable implementation cost for built-in-place objects. (Rec in the example above could be a type that must be built in place.)
!corrigendum 6.5(24/2)
Replace the paragraph:
If the result subtype of a function is unconstrained, and a call on the function is used to provide the initial value of an object with a constrained nominal subtype, Constraint_Error may be raised at the point of the call (after abandoning the execution of the function body) if, while elaborating the return_subtype_indication or evaluating the expression of a return statement that applies to the function body, it is determined that the value of the result will violate the constraint of the subtype of this object.
by:
For a function call used to initialize a composite object with a constrained nominal subtype or used to initialize a return object that is built in place into such an object:
!ACATS test
As a permission, it is hard to write tests. But an ACATS C-Test should be constructed to ensure that a case such as the one in the discussion where mutable discriminants are changed from the "wrong" ones to the "right" ones does not raise a premature exception.
!appendix

From: Stephen W. Baird
Sent: Friday, April 20, 2007  2:44 PM

!question

Should the implementation permissions of 6.5(24/2) be extended?

!discussion

The implementation permissions of 6.5(24/2) do not go far enough.

This section states:
  If the result subtype of a function is unconstrained, and a call on the
  function is used to provide the initial value of an object with a
  constrained nominal subtype, Constraint_Error may be raised at the point
  of the call (after abandoning the execution of the function body) if,
  while elaborating the return_subtype_indication or evaluating the
  expression of a return statement that applies to the function body, it
  is determined that the value of the result will violate the constraint
  of the subtype of this object.

This is a fine start, but more is needed in order to efficiently
implement initialization in place as required by AI95-00318-02 .

--------

Issue #1:

If an object is being initialized by a function call and the implementation
can tell before the call that the object subtype and the function result
subtype are incompatible, then the implementation should be permitted
to raise an exception before the call.

Consider:

  declare
    type T;
    type Inner (D : access T) is limited null record;
    type T is
	limited record
	    F : Inner (Outer'Access);
	end record;
       -- requires initialization in place

    type Unconstrained is array (Positive range <>) of T;

    subtype S1 is Unconstrained (1 .. Ident_Int (10));
    subtype S2 is Unconstrained (1 .. Ident_Int (11));

    function F return S1 is
    begin
        Text_Io.Put_Line ("F was called");
        return (others => <>);
    end F;

    X : S2 := F;
  begin null; end;

An implementation should be allowed to raise Constraint_Error before the
call to F (without invoking 11.6).

In the case where the result subtype of a function is a constrained definite
structure, an implemention ought to be able to have a caller
simply pass in a buffer address; nothing more complicated than that should
be needed.

In order to implement initialization in place, F must be passed the address of
X. An implementation must verify before the call that S1 and S2 have compatible
constraints - it would not do to pass in, for example, the address of a small
object to a function which is going to fill in a large result.

The question is what to do if that test fails. The simple thing would be to
raise Constraint_Error at that point. The annoyingly complicated thing that
the language currently seems to require is to allocate a buffer of the size
the function expects, pass that buffer address into the function, finalize the
returned value, and then raise Constraint_Error (or something like that).

One could go further and handle cases involving qualified expressions
such as

    Y : S1 := S2'(F);

, but this doesn't seem necessary.

--------

Issue #2:

Initialization in place is only required for limited types, so it would
be ok for an implementation to ignore the implementation permissions of
6.5(24/2) for a nonlimited type. If an implementation chooses not to
do this, however, there can be problems with extended return statements
which attempt to modify discriminants of the function result object after
it has been initialized.

Consider:

  subtype Index is Integer range 1 .. 20;

  type Rec (Length : Index := 10) is
    record
      F : String (1 .. Length);
    end record;

  function F return Rec is
  begin
    return Result : Rec do
      Result := (5, "12345");
      Text_Io.Put_Line ("Assignment succeeded");
    end return;
  end F;

  X1 : Rec (10) := F;

For an in-out or out mode parameter with an unconstrained nominal subtype,
the formal inherits the constraints (if any) of the actual. The same
model should apply, at the discretion of the implementation, to return objects
in the case where the nominal subtype of the return object is unconstrained
and definite and "a call on the function is  used to provide the initial value
of an object with a constrained nominal subtype".

This means that for the preceding example, execution of F could (at the
discretion of the implementation) be abandoned (and Constraint_Error raised at
the call site) at the point of the assignment statement. If the literal
"10" in the declaration of X1 were replaced with some other value, then the
default initialization of Result could raise Constraint_Error.

There is also a similar issue in the case of a function call which is
used to initialize an allocator when the designated subtype of the
access type is unconstrained but allocated objects themselves are constrained.

-------

Issue #3:

The implementation permissions of 6.5(24/2) should apply recursively in
the case where a function call returns the result of another function call.

Consider:

  declare
    type T;
    type Inner (D : access T) is limited null record;
    type T is
	limited record
	    F : Inner (Outer'Access);
	end record;
       -- requires initialization in place

    type Unconstrained is array (Positive range <>) of T;

    function Some_Function return T is ... ;

    function F1 return Unconstrained is
    begin
      return (1 .. 10 => Some_Function);
    end F1;

    function F2 return Unconstrained is
    begin
      return F1;
    exception
      when Constraint_Error =>
        return (1 .. 3 => <>);
    end F2;

    X : Unconstrained (1..3) := F2;
  begin null; end;


In the execution of this example, it should be ok for the return statement
in F1 to raise Constraint_Error before executing any calls to Some_Function.

One might argue that this freedom is already implicit in the current wording,
but this does not seem to be obvious.

--------

It seems that it would not make sense to propose RM wording for these issues
until we reach consensus on which, if any, of these issues require
any action at all.

One could argue that no action is required for any them:
   #1 is essentially a complaint that the language requires an
      implementation to do something that is silly and complex, but
      not something that is undefined or impossible.
   #2 is only a concern for implementations which choose to implement
      initialization in place for functions with unconstrained definite
      non-limited discriminated result subtypes. The language only
      requires initialization in place in the limited case.
      If an implementation doesn't want to deal with the complications of
      implementing the given example, then maybe it shouldn't choose to
      implement initialization in place for this case.
   #3 could be viewed as requiring only a clarification of the current
      wording.

****************************************************************

From: Tucker Taft
Sent: Friday, April 20, 2007  4:05 PM

...
> In the case where the result subtype of a function is a constrained definite
> structure, an implemention ought to be able to have a caller
> simply pass in a buffer address; nothing more complicated than that should
> be needed.
>
> In order to implement initialization in place, F must be passed the address of
> X. An implementation must verify before the call that S1 and S2 have compatible
> constraints - it would not do to pass in, for example, the address of a small
> object to a function which is going to fill in a large result.

I had presumed that for cases like this, one would use
an implementation based on the existing "OUT" parameter model,
where there is a "constrained" bit and an object whose
discriminants are of interest if the object is
constrained.  The function would check the constrained bit,
and if True, check to be sure the discriminants match.
If they don't match, it would propagate an exception.

On the other hand, for OUT parameters, there is a check
before the function is called if the formal subtype is
constrained, so one could argue that that is a precedent
for raising the exception before the call occurs if
the return subtype is constrained and so is the target
object, and the subtypes don't match.

> The question is what to do if that test fails. The simple thing would be to
> raise Constraint_Error at that point. The annoyingly complicated thing that
> the language currently seems to require is to allocate a buffer of the size
> the function expects, pass that buffer address into the function, finalize the
> returned value, and then raise Constraint_Error (or something like that).

Where does the language require this?  If the model is
"initialize in place," then allocating a buffer the size
the function "expects" is clearly inappropriate.  I think
the language presumes you never allocate "extra" space
when calling these functions.  You might be assigning
the function call into a component of another object,
so the space might already "exist" in that sense.
So the function can't "expect" a space of a particular
size, it must deal with what is the nominal subtype
of the target object.

In any case, I like your suggested generalization,
but in the absence of that, functions returning constrained
subtypes of limited types whose first subtype is unconstrained
must deal with the possibility that the target object has
the wrong constraints.  Note that this applies to functions
returning arrays as well.  It certainly seems annoying to
have to pass in a 'constrained bit when the result subtype
is constrained.  There is no precedent for having to do
something like that for arrays.

> One could go further and handle cases involving qualified expressions
> such as
>
>     Y : S1 := S2'(F);
>
> , but this doesn't seem necessary.

I would think if we allow the optimization, then we
should be fairly flexible about it.

,,,
> There is also a similar issue in the case of a function call which is
> used to initialize an allocator when the designated subtype of the
> access type is unconstrained but allocated objects themselves are constrained.

I think a nastier situation occurs when the default
value of the discriminant does *not* match that of the
target object, but the assignment produces a value
that *does* match.  For example:

    X1 : Rec(5) := F;

This is a case where if you do the optimization,
constraint_error is raised.  If you don't do the
optimization, then the function call succeeds
and X1 is appropriately initialized.  I think this
means that for nonlimited types, if the result
object is unconstrained, you must *not* do the
optimization on the off chance that the final
value of the discriminants at the point of the
actual return to the caller *do* match the target's
nominal subtype.

> -------
>
> Issue #3:
>
> The implementation permissions of 6.5(24/2) should apply recursively in
> the case where a function call returns the result of another function call.

I always presumed that they did.  Clarification should
be provided if the words imply otherwise.

> ...
> It seems that it would not make sense to propose RM wording for these issues
> until we reach consensus on which, if any, of these issues require
> any action at all.
>
> One could argue that no action is required for any them:
>    #1 is essentially a complaint that the language requires an
>       implementation to do something that is silly and complex, but
>       not something that is undefined or impossible.

It is pretty bad for functions returning arrays.
I think your generalization should be allowed.

>    #2 is only a concern for implementations which choose to implement
>       initialization in place for functions with unconstrained definite
>       non-limited discriminated result subtypes. The language only
>       requires initialization in place in the limited case.
>       If an implementation doesn't want to deal with the complications of
>       implementing the given example, then maybe it shouldn't choose to
>       implement initialization in place for this case.

I think we need to *disallow* the optimization for nonlimited
types when the return object is unconstrained.  It seems
very bad if the optimization results in a Constraint_Error
that wouldn't occur if you implemented the "canonical"
semantics.

>    #3 could be viewed as requiring only a clarification of the current
>       wording.

I hope it is just a clarification, but if we are going to have
to reword this section a bit anyway, we might as well be
explicit about nested calls.

****************************************************************

From: Randy Brukardt
Sent: Friday, April 20, 2007  5:08 PM

> I think a nastier situation occurs when the default
> value of the discriminant does *not* match that of the
> target object, but the assignment produces a value
> that *does* match.  For example:
>
>     X1 : Rec(5) := F;
>
> This is a case where if you do the optimization,
> constraint_error is raised.  If you don't do the
> optimization, then the function call succeeds
> and X1 is appropriately initialized.  I think this
> means that for nonlimited types, if the result
> object is unconstrained, you must *not* do the
> optimization on the off chance that the final
> value of the discriminants at the point of the
> actual return to the caller *do* match the target's
> nominal subtype.

I don't get it (although I didn't read this very carefully). If you have a
constrained object, you have to pass in those constraints with the object.
(That is, initialization of constraints and of the rest of the object might
be done separately, and in separate places.) Indeed, this example is pretty
much the *only* case where I'd even consider doing the optimization. (I'd
never consider it for unconstrained types, nor for assignments; it's just
too messy in those cases.) If it can't be done here, then it is worthless
for non-limited types (at least for those with any sort of discriminants or
bounds), and then why are we talking about it at all?

****************************************************************

From: Tucker Taft
Sent: Friday, April 20, 2007  5:35 PM

I would disallow the optimization if the object declared
in the extended return statement is *unconstrained* and
nonlimited.  This means that its discriminant values might
change before the extended return statement finishes.
I would allow it if the return object is constrained by
its initial value, or if it is nominally constrained.

****************************************************************

From: Stephen W. Baird
Sent: Friday, April 20, 2007  6:05 PM

> > The question is what to do if that test fails. The simple thing would
> > be to raise Constraint_Error at that point. The annoyingly complicated
> > thing that the language currently seems to require is to allocate a
> > buffer of the size the function expects, pass that buffer address into
> > the function, finalize the returned value, and then raise Constraint_Error
> > (or something like that).
>
> Where does the language require this?

You're right, it really doesn't.

I expressed my opinion that
   "In the case where the result subtype of a function is a constrained
    definite structure, an implemention ought to be able to have a caller
    simply pass in a buffer address; nothing more complicated than that
    should be needed".

I think it follows from this premise that the language effectively
imposes this requirement because there really isn't any other reasonable
alternative available (since we are not currently allowed to raise
the exception before the call).

If you don't accept the premise, then I agree that this behavior is not
required.

> In any case, I like your suggested generalization, ...

... which would allow the simple implementation I described.
We agree on the important point.

> > Issue #2
>
> I think a nastier situation occurs when the default
> value of the discriminant does *not* match that of the
> target object, but the assignment produces a value
> that *does* match.  For example:
>
>     X1 : Rec(5) := F;
>
> This is a case where if you do the optimization,
> constraint_error is raised.  If you don't do the
> optimization, then the function call succeeds
> and X1 is appropriately initialized.  I think this
> means that for nonlimited types, if the result
> object is unconstrained, you must *not* do the
> optimization on the off chance that the final
> value of the discriminants at the point of the
> actual return to the caller *do* match the target's
> nominal subtype.

Good point.

I agree with your recommendations regarding all three issues.

****************************************************************

From: Randy Brukardt
Sent: Tuesday, October 30, 2007  7:10 PM

[Commenting on version /02 of the AI.]

I don't see much problem with allowing this permission for scalar types
(although I doubt it would be used much).

The issue with Deallocate is just the tip of the iceberg; any object that
needs finalization has similar issues if it gets constructed far enough to
"exist", as there is no permission to do the finalization early. That's
touched on in another AI (AI05-0066-1), although I suspect that we'll end up
with a solution that doesn't fix it. I think any object that is "inaccessible"
should be able to be finalized at the leaving of any master (so long as it
doesn't contain any tasks that haven't terminated -- waiting for tasks at
random points would be a no-no). The reason for restricting to the leaving
of any master prevents Finalize from being called in the middle of an operation
(it shouldn't be necessary to protect it against multitasking issues in an
otherwise single-tasking environment). A similar permission for Deallocate
is also needed. I don't see any reason to clutter this one spot with something
that needs to cover the entire language.

****************************************************************

From: Randy Brukardt
Sent: Saturday, June 14, 2008  1:30 AM

[Commenting on version /03 of the AI.]

...
>   For a function call used to initialize a composite object with a constrained
>   nominal subtype:
>
>     - If the result subtype of the function is constrained, and does not match
>       that of the object, Constraint_Error may be raised before calling the
>       function.
>
>     - Otherwise (the result subtype of the function is unconstrained), if a
>       return statement is executed such that the return object is known to be
>       constrained, and this constraint does not match that of the object,
>       Constraint_Error may be raised at the point of the call (after abandoning
>       the execution of the function body).

This is much better than the previous effort.

I think it would be good if the discussion pointed out that this permission
still could raise an exception that the canonical semantics would not:

     type Rec (D : Integer) is record ...

     function F return Rec is
     begin
         return O : Rec(4) do -- (1)
            if <some condition> then goto Different_Object; end if;
         end return;
        <<Different_Object>>
         return O : Rec(5) do -- (2)
            ...
         end return;
     end F;

     O : Rec(5) := F;

The permission above would raise an exception at (1). But since that object is
never actually returned, and the object that is returned is the right shape, the
full function call without the permission would succeed.

I think this is OK (abandoning return statements is unusual and expensive
because of the finalization issues), but we probably ought to mention it
somewhere.

>   If the function call is used to provide the initial value of an
>   initialized allocator, then the call to System.Storage_Pools.Allocate
>   may occur at any time during the execution of the call.
>   If a return statement is left without a normal return, the result
>   object may be deallocated.

I think it would make more sense to try to address this more generally, as
similar issues apply to failed allocators and probably any object declaration
with coextensions (even if the allocator of the coextension succeeds).
Admittedly, this case is easier (as finalization requires that the objects are
finalized here, while the allocator case currently requires that they are *not*
finalized), but it seems weird to fix a really unusual case without fixing the
*similar more likely cases.

>   AARM Notes

It's pretty obvious that these are the original Steve Baird notes (I don't think
Bob starts sentences with commas!), they would benefit from a lot of Bob Duff
pruning. I'm certain that we don't want two pages of weird examples in the AARM,
particularly for a rule that seems fairly straigtforward.

> !discussion

The discussion section needs cleanup, too, as it still includes various
alternatives that aren't of interest and lots of Bairdian prose with
formatting that will not pass muster. If the AI authors don't keep these
sections up-to-date, the editorial reviewers will make your editor do that.
And I don't get paid enough to deal with the mountains of comments from the
reviewers!!

****************************************************************

From: Randy Brukardt
Sent: Saturday, June 14, 2008  1:49 AM

> >   AARM Notes
>
> It's pretty obvious that these are the original Steve Baird notes (I
> don't think Bob starts sentences with commas!), they would benefit
> from a lot of Bob Duff pruning. I'm certain that we don't want two
> pages of weird examples in the AARM, particularly for a rule that
> seems fairly straigtforward.

To be a little more concrete, I think all that needs to be said in the AARM
Notes is:

  These permissions apply transitively in the case of a function call
  which returns the value of another function call.

[we don't need an example here, it's pretty obvious and there's one in the AI.]

  These permissions do not apply in the case of an extended
  return object with mutable discriminants. That's necessary because in that
  case a return object can be created with the "wrong" discriminants and
  then changed to the "right" discriminants later (but before returning).
  We don't want this case raising an exception when the canonical semantics
  will not do so.

[words are better here than just giving an example, and again the example will
be in the AI.]

  It's still possible to write a program that will raise an exception using this
  permission that would not in the canonical semantics. That could happen if a
  return statement with the "wrong" discriminants or bounds is abandoned (via an
  exception, or for an extended_return_statement, via an exit or goto
  statement), and then a return statement with the "right" discrimiants or
  bounds is executed. The only solution for this problem is not have the
  permission at all, but this is too unusual of a case to worry about the
  effects of the permission, especially given the implementation difficulties
  for build-in-place objects that this permission is intended to ease.

[This is my question from the previous mail, fleshed out a bit. Seems important
to mention, as it is the counterpoint to the previous paragraph. There's
probably a better way to say this.]

  Note that the mutable-discriminant case only happens when
  build-in-place initialization is optional. This means that any difficulties
  associated with implementing build-in-place initialization without these
  permissions can be sidestepped by not building-in-place.

[From the original notes.]

And then the examples in the current AI should be moved to the discussion (and
probably lots of the discussion blown away).

****************************************************************

From: Bob Duff
Sent: Friday, October 10, 2008  3:21 PM

Here's a (belated) new version of AI-50. [This is version /04. - ED]

I tried to obey the stuff in the minutes.  But I didn't define the term
"dynamically matching".  I couldn't figure out any way to do so, other than the
attempts recorded in the minutes, which apparently folks didn't like.  Anyway,
it seems better to just state the rule, rather than defining yet more
jaw-breaking terminology, especially since the term is used only for this one
rule.

I removed the stuff about Allocate and Deallocate, because that will be covered
by AI-107, as I understand it.

****************************************************************

Questions? Ask the ACAA Technical Agent