CVS difference for ai05s/ai05-0252-1.txt

Differences between 1.1 and version 1.2
Log of other versions for file ai05s/ai05-0252-1.txt

--- ai05s/ai05-0252-1.txt	2011/06/17 01:33:57	1.1
+++ ai05s/ai05-0252-1.txt	2011/06/20 04:55:19	1.2
@@ -26,6 +26,10 @@
     Notes), it would be good if all ARG members reviewed 13.11.4 in the current
     Standard draft.
+(3) If a pool is passed as a parameter, and that pool is used for a local access
+    type, the accessibility check will pass, but the pool will belong to a different
+    master than the access type. (See e-mail of June 19th.)
 ** TBD.
@@ -51,6 +55,12 @@
 call Set_Pool_for_Subpool (as that routine also reinitializes the data
 structures necessary to handle finalization).
+(3) seems to require a purpose-built legality rule or runtime check. Such a
+parameter could never pass the accessibility check for a local access type
+(and it wouldn't be visible for any other kind of access type), so we can
+ban it outright. But we would have to cover Root_Storage_Pool'Class as well,
+and that would be somewhat incompatible.
 Bob asked four additional questions in his letter ballot comments. (Actually
@@ -423,5 +433,64 @@
 So you're complaining about something that was already changed as you wanted.
 Not that I'd expect you to change your vote (the other issues you mentioned are
 more significant).
+From: Randy Brukardt
+Sent: Sunday, June 19, 2011  10:48 PM
+The accessibility checks for subpools are intended to ensure that the pool
+object and the access type belong to the same master. This prevents trouble with
+finalization (since the contents of subpools can be finalized when the pool
+object goes away, rather than when the collection of the access type goes away).
+Accessibility checks generally are designed to be conservative. That means, for
+instance, that (non-aliased) parameters are assumed to be local. This however
+causes problems for the subpool pool accessibility check. Consider:
+   procedure Do_It (A_Pool : in out Root_Storage_Pool_With_Subpools) is
+      Local : Natural;
+      type A_Controlled_Type is new Ada.Finalization.Controlled with...
+      procedure Finalize (Object : in out A_Controlled_Type) is
+      begin
+          ... <<use Local here>> ...
+      end Finalize;
+      type A_Acc is access A_Controlled_Type
+          with Storage_Pool => A_Pool; -- (A)
+      AA : A_Acc := new A_Controlled_Type;
+   begin
+      ...
+   end Do_It;
+   Some_Pool : Some_Pool_Type_with_Subpools;
+   Do_It (Some_Pool);
+The accessibility check at (A) will pass, because A_Pool is treated as if it is
+local for the purposes of accessibility (so we don't have to pass runtime
+accessibility levels). But this means that A_Acc and Some_Pool are in different
+masters. And the finalization of the allocated objects of type A_Acc might not
+occur until Some_Pool is finalized -- which means the finalization is going to
+access a non-existent local variable. Ouch!
+I've thought of a number of ways to fix this. It should be noted that such a
+pool as a parameter will never work for a pool that supports subpools. So a
+straight legality rule would work -- except that it would be incompatible (since
+pools of Root_Storage_Pool'Class have to be assumed to be able to have
+subpools). (The incompatibility would be pretty unlikely, as this would be an
+unusual thing to do.) A runtime check would work, but it is a bit weird,
+especially for a case this unlikely.
+Exactly how to word a rule seems interesting, too. It would be best to do
+something to "fix" the accessibility levels for cases like this (parameters are
+not *quite* the same level as local objects), but that seems very messy (I tried
+it for aliased parameters, and I managed to introduce lots of bugs, so we
+abandoned it).
+Anyway, I'll put this into the subpool discussion AI for the meeting.

Questions? Ask the ACAA Technical Agent