CVS difference for ai05s/ai05-0265-1.txt
--- ai05s/ai05-0265-1.txt 2011/11/01 05:31:56 1.2
+++ ai05s/ai05-0265-1.txt 2011/12/17 06:05:14 1.3
@@ -1,8 +1,8 @@
-!standard A.18.2(97/2) 11-10-27 AI05-0265-1/01
+!standard A.18.2(97/2) 11-12-16 AI05-0265-1/02
!standard A.18.2(137/2)
!standard A.18.2(139/2)
!standard A.18.2(141/2)
-!standard A.18.2(143/2)
+!standard A.18.2(145/2)
!standard A.18.2(147/2)
!standard A.18.2(228/2)
!standard A.18.2(230/2)
@@ -37,6 +37,7 @@
!standard A.18.25(0)
!class binding interpretation 11-10-27
!status Amendment 2012 11-10-27
+!status ARG Approved 8-0-1 11-12-11
!status work item 11-10-27
!status received 10-10-02
!priority Low
@@ -62,39 +63,39 @@
Add the following paragraph after A.18.2(97/2), A.18.3(69/2), A.18.4(15/2),
A.18.7(14/2), A.18.10(88/3), A.18.18(34/3):
-If tampering with cursors is *prohibited* for a particular <container-kind>
-object <M>, Program_Error is propagated by any language-defined subprogram that
-is defined to tamper with the cursors of <M>. Similarly, if tampering with
+When tampering with cursors is *prohibited* for a particular <container-kind>
+object <M>, Program_Error is propagated by a call of any language-defined subprogram
+that is defined to tamper with the cursors of <M>. Similarly, when tampering with
elements is *prohibited* for a particular <container-kind> object <M>,
-Program_Error is propagated by any language-defined subprogram that is defined
-to tamper with the elements of <M>.
+Program_Error is propagated by a call of any language-defined subprogram that is
+defined to tamper with the elements of <M> (or tamper with the cursors of <M>), leaving
+<M> unmodified.
<M> is a letter, appropriate for each container (M for maps, V for
vectors, and so on).
-Modify A.18.2(139/3), A.18.3(83/3), A.18.4(38/3), A.18.7(36/3), A.18.10(117/3), A.18.10(153/3),
-A.18.10(212/3), A.18.10(216/3):
+Modify A.18.2(139/3), A.18.3(83/3), A.18.4(38/3), A.18.7(36/3), A.18.10(117/3):
[Program_Error is propagated if Process.all tampers]{Tampering} with the elements
of the <container-kind> that contains the element designated by Position {is
-prohibited during the execution of Process.all}.
+prohibited during the execution of the call on Process.all}.
-Modify A.18.2(137/2), A.18.2(141/2), A.18.2(143/2), A.18.3(85/3), A.18.4(40/3), A.18.7(95/2),
+Modify A.18.2(137/2), A.18.2(141/2), A.18.2(145/2), A.18.3(85/3), A.18.4(40/3), A.18.7(95/2),
A.18.10(118/3), A.18.18(48/3), A.18.18(50/3):
[Program_Error is propagated if Process.all tampers]{Tampering} with the elements of Container
-{is prohibited during the execution of Process.all}.
+{is prohibited during the execution of the call on Process.all}.
Modify A.18.10(152/3), A.18.10(211/3), A.18.10(215/3):
[Program_Error is propagated if Process.all tampers]{Tampering} with the cursors
of the <container-kind> that contains the element designated by Position {is
-prohibited during the execution of Process.all}.
+prohibited during the execution of a call on Process.all}.
Modify A.18.2(228/2), A.18.3(142/2), A.18.4(75/2), A.18.7(86/2), A.18.10(151/3):
[Program_Error is propagated if Process.all tampers]{Tampering} with the cursors of Container
-{is prohibited during the execution of Process.all}.
+{is prohibited during the execution of a call on Process.all}.
Modify A.18.2(147.14/3), A.18.2(147.17/3), A.18.3(86.7/3), A.18.3(86.10/3), A.18.4(41.7/3),
A.18.4(41.10/3), A.18.7(36.6/3), A.18.7(96.11/3), A.18.10(126/3), A.18.10(129/3), A.18.18(57/3),
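Review bot: the generic cursors sentence ("When tampering with cursors is *prohibited* ... to tamper with the cursors of <M>.") lacks the ", leaving <M> unmodified" qualifier that every !corrigendum version of this paragraph in the same revision attaches to the cursors case as well as the elements case; add it here so the !wording section and the corrigenda say the same thing. Separately, A.18.10(153/3), A.18.10(212/3) and A.18.10(216/3) are dropped from the "Modify A.18.2(139/3), ..." list and are not added to any other Modify line in this diff; if they are now covered elsewhere, the !wording section should say where, otherwise those paragraphs silently keep the old "Program_Error is propagated if Process.all tampers" text. The split between "the call on Process.all" (Query_Element/Update_Element, a single call) and "a call on Process.all" (Iterate, one call per element) reads as intentional; a short AARM note explaining it would keep a future editor from "fixing" one form to match the other.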
@@ -113,11 +114,27 @@
denotes this object) [tampers with the cursors of Container while the iterator
object exists].
-Modify A.18.19(10/3), A.18.20(14/3), A.18.21(15/3), A.18.22(12/3), A.18.23(15/3),
+Replace A.18.19(10/3), A.18.20(14/3), A.18.21(15/3), A.18.22(12/3), A.18.23(15/3),
A.18.24(12/3), A.18.25(14/3):
-"...that {prohibits}[disallows] tampering with cursors..."
+It is a bounded error to assign from a bounded <container-name> object while tampering with elements
+Redundant[or cursors] of that object is prohibited. Either Program_Error is raised by the assignment,
+execution proceeds with the target object prohibiting tampering with elements Redundant[or cursors], or
+execution proceeds normally.
+
+Erroneous Execution
+
+When a bounded <container-name> object <V> is finalized, if tampering with cursors is prohibited for <V>
+other than due to an assignment from another <container-name>, then execution is erroneous.
+
+AARM Reason: This is a tampering event, but since the implementation is not allowed to use Ada.Finalization,
+it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will
+be called that could make the check.) Since the check probably cannot be made, the bad effects that could
+occur (such as an iterator going into an infinite loop or accessing a non-existent element) cannot be
+prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering
+because it was copied from another object as that cannot cause any negative effects.
+
!discussion
Ada 2005 wording like A.18.2(137/2) - "Program_Error is propagated if Process.all
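Review bot: the third outcome of the bounded error, "execution proceeds normally", does not say what happens to the target object's tampering state, so it is unclear how it differs from the second outcome other than the prohibition being lifted; stating that explicitly (for example, that the target afterwards permits tampering with elements and cursors) would close the gap. The Erroneous Execution paragraph also covers only "tampering with cursors is prohibited for <V>", while the bounded-error paragraph above it covers tampering with elements as well; if finalizing a bounded container while tampering with elements is prohibited (inside a call on Process.all from Update_Element, say) is equally undetectable without Ada.Finalization, the erroneous case should name it too, and if it is intentionally excluded the AARM Reason should say why.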
@@ -129,6 +146,31 @@
Since this matches the intended implementation, it should make the model clearer
and reduce implementation mistakes.
+
+We added an erroneous execution case to bounded containers because it is impossible to detect a
+tampering event caused by an assignment or other finalization. For example:
+
+ for C in My_List.Iterator loop
+ ...
+ My_List := Your_List; -- !!
+ ...
+ end loop;
+
+For unbounded container forms, the assignment statement is required to raise Program_Error as
+My_List prohibits tampering of cursors, and the finalization of the target of the assignment
+is a tampering event.
+
+The same is true for the bounded container forms, except that this cannot be implemented in
+Standard Ada. We do not allow bounded containers to depend on Ada.Finalization, so there will
+not be a call to some Finalize routine when My_List is finalized. Thus, there is no way to make
+the check to raise Program_Error. As such, a typical implementation will fail to raise
+Program_Error here.
+
+That is OK, as we've defined execution to be erroneous in this case. That's necessary as the
+surrounding iterator probably will malfunction after this assignment, generating cursors that
+don't point at elements, possibly causing a hardware trap for a bad address or overwriting
+some other object's memory, or even going into an infinite loop.
+
!corrigendum A.18.2(97/2)
@dinsa
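Review bot: the example reads "for C in My_List.Iterator loop", but the function that returns the iterator object in the Ada 2012 container packages is named Iterate, so the prefix should be My_List.Iterate; as written the example would not compile, which undercuts a paragraph arguing about what a typical implementation does with it. The sentence "it is impossible to detect a tampering event caused by an assignment or other finalization" is also broader than the wording it justifies, which makes the assignment case a bounded error (Program_Error is one permitted outcome) and only finalization erroneous; saying "impossible in a pure Ada implementation of the bounded forms" would match the AARM Reason above.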
@@ -136,12 +178,13 @@
Reverse_Elements, or Swap procedures or the Sort or Merge procedures of an instance
of Generic_Sorting with @i<V> as a parameter.>
@dinss
-If tampering with cursors is @i<prohibited> for a particular vector
-object @i<V>, Program_Error is propagated by any language-defined subprogram
-that is defined to tamper with the cursors of @i<V>. Similarly, if tampering with
-elements is @i<prohibited> for a particular vector object @i<V>,
-Program_Error is propagated by any language-defined subprogram that is defined
-to tamper with the elements of @i<V>.
+When tampering with cursors is @i<prohibited> for a particular vector
+object @i<V>, Program_Error is propagated by a call of any language-defined subprogram
+that is defined to tamper with the cursors of @i<V>, leaving @i<V> unmodified. Similarly,
+when tampering with elements is @i<prohibited> for a particular vector object @i<V>,
+Program_Error is propagated by a call of any language-defined subprogram that is defined
+to tamper with the elements of @i<V> (or tamper with the cursors of @i<V>), leaving
+@i<V> unmodified.
!corrigendum A.18.2(137/2)
@@ -155,7 +198,7 @@
@xindent<If Index is not in the range First_Index (Container) .. Last_Index (Container),
then Constraint_Error is propagated. Otherwise, Query_Element calls Process.@b<all>
with the element at position Index as the argument. Tampering with the elements of Container
-is prohibited during the execution of Process.@b<all>. Any exception raised by Process.@b<all>
+is prohibited during the execution of the call on Process.@b<all>. Any exception raised by Process.@b<all>
is propagated.>
!corrigendum A.18.2(139/2)
@@ -171,7 +214,7 @@
Otherwise, Query_Element calls Process.@b<all> with the element designated
by Position as the argument. Tampering with the elements of the vector that
contains the element designated by Position is prohibited during the execution
-of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+of the call on Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
!corrigendum A.18.2(141/2)
@@ -185,10 +228,10 @@
@xindent<If Index is not in the range First_Index (Container) .. Last_Index (Container),
then Constraint_Error is propagated. Otherwise, Update_Element calls Process.@b<all>
with the element at position Index as the argument. Tampering with the elements of Container
-is prohibited during the execution of Process.@b<all>. Any exception raised by Process.@b<all>
-is propagated.>
+is prohibited during the execution of the call on Process.@b<all>. Any exception raised by
+Process.@b<all> is propagated.>
-!corrigendum A.18.2(143/2)
+!corrigendum A.18.2(145/2)
@drepl
@xindent<If Position equals No_Element, then Constraint_Error is propagated; if Position does
@@ -200,8 +243,8 @@
@xindent<If Position equals No_Element, then Constraint_Error is propagated; if Position does
not designate an element in Container, then Program_Error is propagated. Otherwise,
Update_Element calls Process.@b<all> with the element designated by Position as the argument.
-Tampering with the elements of Container is prohibited during the execution of Process.@b<all>.
-Any exception raised by Process.@b<all> is propagated.>
+Tampering with the elements of Container is prohibited during the execution of the call on
+Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
!corrigendum A.18.2(147/2)
@@ -219,7 +262,7 @@
@dby
@xindent<Invokes Process.@b<all> with a cursor that designates each element in
Container, in index order. Tampering with the cursors of Container is prohibited during the
-execution of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+execution of a call on Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
!corrigendum A.18.2(230/2)
@@ -235,13 +278,15 @@
@xbullet<it replaces one or more elements of @i<L>, that is, it calls the Replace_Element
or Swap procedures with @i<L> as a parameter.>
@dinst
-If tampering with cursors is @i<prohibited> for a particular list
-object @i<L>, Program_Error is propagated by any language-defined subprogram
-that is defined to tamper with the cursors of @i<L>. Similarly, if tampering with
-elements is @i<prohibited> for a particular list object @i<L>,
-Program_Error is propagated by any language-defined subprogram that is defined
-to tamper with the elements of @i<L>.
+When tampering with cursors is @i<prohibited> for a particular list
+object @i<L>, Program_Error is propagated by a call of any language-defined subprogram
+that is defined to tamper with the cursors of @i<L>, leaving @i<L> unmodified. Similarly,
+when tampering with elements is @i<prohibited> for a particular list object @i<L>,
+Program_Error is propagated by a call of any language-defined subprogram that is defined
+to tamper with the elements of @i<L> (or tamper with the cursors of @i<L>), leaving
+@i<L> unmodified.
+
!corrigendum A.18.3(83/2)
@drepl
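Review bot: the added trailing "+" blank line after "@i<L> unmodified." is inconsistent with the other three @dinst insertions in this revision (vector, map and set), none of which adds a blank line before the following !corrigendum; drop it here (or add it in all four) so the corrigendum source is uniform.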
@@ -255,7 +300,8 @@
Otherwise, Query_Element calls Process.@b<all> with the element designated
by Position as the argument. Tampering with the elements of the list that
contains the element designated by Position is prohibited during the execution
-of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+of the call on Process.@b<all>. Any exception raised by Process.@b<all> is
+propagated.>
!corrigendum A.18.3(85/2)
@@ -271,8 +317,8 @@
Position does not designate an element in Container, then Program_Error is propagated.
Otherwise, Update_Element calls Process.@b<all> with the element designated by
Position as the argument. Tampering with the elements of Container is prohibited
-during the execution of Process.@b<all>. Any exception raised by Process.@b<all>
-is propagated.>
+during the execution of the call on Process.@b<all>. Any exception raised by
+Process.@b<all> is propagated.>
!corrigendum A.18.3(86/2)
@@ -291,8 +337,8 @@
@dby
@xindent<Iterate calls Process.@b<all> with a cursor that designates each node in
Container, starting with the first node and moving the cursor as per the Next function.
-Tampering with the cursors of Container is prohibited during the
-execution of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+Tampering with the cursors of Container is prohibited during the execution of a call
+on Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
!corrigendum A.18.3(144/2)
@@ -307,12 +353,13 @@
@xbullet<it replaces one or more elements of @i<M>, that is, it calls the Replace or
Replace_Element procedures with @i<M> as a parameter.>
@dinst
-If tampering with cursors is @i<prohibited> for a particular map
-object @i<M>, Program_Error is propagated by any language-defined subprogram
-that is defined to tamper with the cursors of @i<M>. Similarly, if tampering with
-elements is @i<prohibited> for a particular map object @i<M>,
-Program_Error is propagated by any language-defined subprogram that is defined
-to tamper with the elements of @i<M>.
+When tampering with cursors is @i<prohibited> for a particular map
+object @i<M>, Program_Error is propagated by a call of any language-defined subprogram
+that is defined to tamper with the cursors of @i<M>, leaving @i<M> unmodified. Similarly,
+when tampering with elements is @i<prohibited> for a particular map object @i<M>,
+Program_Error is propagated by a call of any language-defined subprogram that is defined
+to tamper with the elements of @i<M> (or tamper with the cursors of @i<M>), leaving
+@i<M> unmodified.
!corrigendum A.18.4(38/2)
@@ -327,8 +374,8 @@
Otherwise, Query_Element calls Process.@b<all> with the key and element from
the node designated by Position as the arguments. Tampering with the elements
of the map that contains the element designated by Position is prohibited
-during the execution of Process.@b<all>. Any exception raised by Process.@b<all>
-is propagated.>
+during the execution of the call on Process.@b<all>. Any exception raised by
+Process.@b<all> is propagated.>
!corrigendum A.18.4(40/2)
@@ -344,7 +391,7 @@
Position does not designate an element in Container, then Program_Error is propagated.
Otherwise, Update_Element calls Process.@b<all> with the key and element from the node
designated by Position as the arguments. Tampering with the elements of Container is prohibited
-during the execution of Process.@b<all>. Any exception raised by Process.@b<all>
+during the execution of the call on Process.@b<all>. Any exception raised by Process.@b<all>
is propagated.>
!corrigendum A.18.4(41/2)
@@ -365,7 +412,8 @@
@xindent<Iterate calls Process.@b<all> with a cursor that designates each node in
Container, starting with the first node and moving the cursor according to the
successor relation. Tampering with the cursors of Container is prohibited during the
-execution of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+execution of a call on Process.@b<all>. Any exception raised by Process.@b<all> is
+propagated.>
!corrigendum A.18.5(61/2)
@@ -385,12 +433,13 @@
@dinsa
@xbullet<it tampers with cursors of @i<S>.>
@dinst
-If tampering with cursors is @i<prohibited> for a particular set
-object @i<S>, Program_Error is propagated by any language-defined subprogram
-that is defined to tamper with the cursors of @i<S>. Similarly, if tampering with
-elements is @i<prohibited> for a particular set object @i<S>,
-Program_Error is propagated by any language-defined subprogram that is defined
-to tamper with the elements of @i<S>.
+When tampering with cursors is @i<prohibited> for a particular set
+object @i<S>, Program_Error is propagated by a call of any language-defined subprogram
+that is defined to tamper with the cursors of @i<S>, leaving @i<S> unmodified. Similarly,
+when tampering with elements is @i<prohibited> for a particular set object @i<S>,
+Program_Error is propagated by a call of any language-defined subprogram that is defined
+to tamper with the elements of @i<S> (or tamper with the cursors of @i<S>), leaving
+@i<S> unmodified.
!corrigendum A.18.7(36/2)
@@ -410,7 +459,8 @@
@xindent<Iterate calls Process.@b<all> with a cursor that designates each element in
Container, starting with the first element and moving the cursor according to the
successor relation. Tampering with the cursors of Container is prohibited during the
-execution of Process.@b<all>. Any exception raised by Process.@b<all> is propagated.>
+execution of a call on Process.@b<all>. Any exception raised by Process.@b<all> is
+propagated.>
!corrigendum A.18.7(95/2)
@@ -431,8 +481,9 @@
propagated. Otherwise, Update_Element_Preserving_Key uses Key to save the key
value @i<K> of the element designated by Position. Update_Element_Preserving_Key
then calls Process.@b<all> with that element as the argument. Tampering
-with the elements of Container is prohibited during the execution of Process.@b<all>.
-Any exception raised by Process.@b<all> is propagated. After Process.@b<all> returns,
+with the elements of Container is prohibited during the execution of the call on
+Process.@b<all>. Any exception raised by Process.@b<all> is propagated. After
+Process.@b<all> returns,
Update_Element_Preserving_Key checks if @i<K> determines the same equivalence class
as that for the new element; if not, the element is removed from the set and
Program_Error is propagated.>
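Review bot: the reflow leaves "Process.@b<all> returns," on a line by itself, followed by the unchanged "Update_Element_Preserving_Key checks if @i<K> determines the same equivalence class" line; since the hunk already touches these lines, rewrap so the sentence continues on one line, e.g. "Process.@b<all> returns, Update_Element_Preserving_Key checks if @i<K> determines the same", to match the line lengths used elsewhere in the file.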