Version 1.10 of ai12s/ai12-0112-1.txt

Storage_Check

Check that evaluation of an allocator does not require more space than is available for a storage pool. Check that the space available for a task or subprogram has not been exceeded.

• The following check corresponds to situations in which the exception Assertion_Error is raised upon failure.

Container_Check

Check the precondition of a routine declared in a child unit of Ada.Containers or in an instance of a generic unit declared in a child unit of Ada.Containers.

From: Randy Brukardt
Sent: Tuesday, February 11, 2014  12:18 PM

[A partial message in response to messages in the thread filed in AI12-0111-1.]

> One thing that would have helped is to design all the safety stuff so
> that it was in the form of preconditions and postconditions, which
> could be easily suppressed.

I've suggested that before (including on Friday). It's still possible, of
course, it would be compatible to do so (we couldn't use predicates, but
preconditions would work). (But it would be a lot of work for the Standard, and
some for implementers.) Of course, we couldn't have done this for Ada 2005, as
we  didn't have preconditions then.

In particular, if we added the routine Is_Tampering_with_Cursors (Container
: in Vector) return Boolean, then the bounded vector Insert could be:

procedure Insert (Container : in out Vector;
                  Before    : in     Extended_Index;
                  New_Item  : in     Vector)
    with Pre => (if Container.Is_Tampering_with_Cursors then raise Program_Error with "Tampering check") and then
                (if Before not in Container.First_Index .. Container.Last_Index + 1 then raise Constraint_Error) and then
                (if Container.Length = Container.Capacity then raise Capacity_Error),
         Post => (Container.Is_Tampering_with_Cursors'Old = Container.Is_Tampering_with_Cursors) and
                  Container.Length'Old + 1 = Container.Length);

The postcondition is intended to show provers that a call of Insert doesn't
change the tampering state.

Having these as preconditions and postconditions would allow easy suppression
of the checks (and also would allow the compiler to combine and/or eliminate
them, so it wouldn't be as necessary to suppress them).

This seems to me to be the best way to fix the performance problem caused by
the checking. But that presumes that we're sure that the performance problem
is caused solely by the checking.

****************************************************************

From: Randy Brukardt
Sent: Wednesday, January 11, 2017  7:33 PM

[The quote is from the e-mail discussion of AI12-0215-1 - Editor.]

>Yes, this exhibit N in the long list of reasons that we should have had all
>of the container operations having a container parameter.

It strikes me that it might make sense to put on the record all of these
reasons. We're talking about a routine like:

    function Next (Position : Cursor) return Cursor;

(1) This routine (and its relatives) is not primitive for the container type,
    so it doesn't get inherited by derivation. Thus derivation of the
    container type is incomplete and rather useless;

(2) One can't use the prefixed notation to call this routine (Cursor is not
    tagged, and you wouldn't want it to be the prefix anyway);

(3) The Global aspect for this routine is problematic, as we have to include
    any container object of the correct type. (The object being read not being
    part of the specification.) That means we either need some unusual Global
    specification for this case, or we have to fall back to "reads all", which
    is far from ideal. (Recall that Cursor is a private type, from outside of
    the package it doesn't appear to designate anything.)

(4) Reading and writing the container is not symmetric. One uses different
    parameter lists for each. (This is mitigated somewhat by the Ada 2012
    Reference routine and the indexed notation - probably most new code will
    use that, but of course the original routines still can be used.)

---

If, instead, the routine had been declared as (I'm showing the precondition,
which would have been written in English in Ada 2005/12):

    function Next (Container : Map; Position : Cursor) return Cursor
       with Pre => (if not Cursor_Belongs_To_Container (Container, Position)
                    then raise Program_Error);

The routine is primitive, so (1) and (2) are eliminated (in particular,
prefixed notation can be used). The precondition eliminates (3); we only need
to include global container state (the storage pool, at a minimum) in the
Global aspect [and nothing at all for the bounded containers). (4) is
eliminated as Element and Replace have the same type profile (different modes,
of course).

The only negative is expressed by the precondition: a check is needed that the
cursor belongs to the container. Of course as a precondition this can often be
eliminated. [It's likely that an earlier precondition or postcondition will
have previously checked/asserted this fact, and this could easily be a stable
property that doesn't change for most routines.]

---

A possibility here would be to add the necessary additional routines. For the
Maps, there are only 6 routines that could be added (2 Nexts, 2 Previouses,
Key, and Element) -- the others are operators which obviously can't have more
parameters. [The next three parameter "<" that I see will be the first. ;-)]
That would allow applications that care about Global or want to uniformly use
prefixed notation or to do a derivation to work usefully, and won't (I think)
require any other code to change. [It would be only incompatible with anyone
that decided to add these themselves somewhere; that might make some calls
ambiguous. That's the normal problem from added new routines.]

I'm thinking that adding these routines might be a good idea, especially for
the purposes of AI12-0112-1 (which intends to add Pre/Post/Global/Nonblocking/
Stable_Properties to all of the containers, along with some additional
routines to support those, and remove English text where possible). The nasty
Global aspect for the existing routines seems to be justification enough (and
the other reasons add importance). Any objections to adding them to the next
draft of AI12-0112-1???

****************************************************************

From: Randy Brukardt
Sent: Thursday, January 12, 2017  3:46 PM

[From mail found about AI12-0215-1 - Editor.]

> > My initial thought was that this is fine, (with the obvious caveat 
> > that this is a tagged type, so there has to be a null extension on 
> > the
> > type) but then I remembered that you can't usefully derive
> a type in a containers package.
> 
> This seems more of a failing of the structure of the containers 
> packages, and doesn't argue against the value of the feature more 
> generally.  As you mention below, and we have discovered for other 
> reasons in the context of SPARK, having cursor operations that don't 
> take the associated container as a parameter create numerous problems 
> when it comes to doing anything "formal" with the containers.

I take it from this that you agree with my suggestion to add the missing
container reading operations so that derivation and formal analysis work
appropriately? (I made that a separate thread, that no one seems to have
commented on so far.) We can't get rid of the existing operations for obvious
reasons, but we could add ones that work "right" and formal uses could just
ignore the ones without a container parameter. (That seems like a more
practical solution than defining a completely separate set of containers that
have better behavior.)

****************************************************************

From: Tucker Taft
Sent: Thursday, January 12, 2017  4:31 PM

[Just the reply to the above message, see AI12-0215-1 for the whole
thread - Editor.]

> ... I take it from this that you agree with my suggestion to add the 
> missing container reading operations so that derivation and formal 
> analysis work appropriately? (I made that a separate thread, that no 
> one seems to have commented on so far.)

Yes, I agree with that proposal.

****************************************************************

From: Bob Duff
Sent: Sunday, January 15, 2017  6:01 PM

> If, instead, the routine had been declared as (I'm showing the 
> precondition, which would have been written in English in Ada 2005/12):
> 
>     function Next (Container : Map; Position : Cursor) return Cursor
>        with Pre => (if not Cursor_Belongs_To_Container (Container, Position)
>                     then raise Program_Error);

I have often thought that those ops should take a Container param.

The SPARK folks at AdaCore designed "formal containers" to be used with
proofs. Not proving the implementation of the container is correct, but
proving that clients obey the pre/post. They came to the same conclusion. They
tried to keep their interface similar to the language-defined ones, but they
found the need to add the Container params.

> I'm thinking that adding these routines might be a good idea, 
> especially for the purposes of AI12-0112-1 (which intends to add 
> Pre/Post/Global/Nonblocking/Stable_Properties to all of the 
> containers, along with some additional routines to support those, and 
> remove English text where possible). The nasty Global aspect for the 
> existing routines seems to be justification enough (and the other 
> reasons add importance). Any objections to adding them to the next draft of
> AI12-0112-1???

I don't object to adding those routines, but I think I object to AI12-0112-1.
Sounds like a lot of useless work for little gain.

And if we do that, it should be done by hacking on an existing container
implementation, with regression testing.  There's no way ARG can get it right
in a vacuum.

****************************************************************

From: Randy Brukardt
Sent: Monday, January 16, 2017  7:59 PM

> I don't object to adding those routines, but I think I object to 
> AI12-0112-1.  Sounds like a lot of useless work for little gain.
> 
> And if we do that, it should be done by hacking on an existing 
> container implementation, with regression testing.
> There's no way ARG can get it right in a vacuum.

Why? It certainly doesn't hurt to try the changes in an implementation, but I 
don't think there is much chance that much beyond a handful of typos would be
found.

For Pre and Nonblocking, this is just replacing English rules with
specifications. It's rather rote; all of the preconditions are of the form
"(if Some_Predicate (Container) then raise Some_Exception)", combined with
"and then". Any cut-and-errors would be clearly obvious (failing the Dewar
rules). Besides, we're planning to use Nonblocking in the entire Ada library
(it doesn't work if that's not done), so whether or not a containers overhaul
is done isn't relevant to it.

For Post/Stable_Properties, we're also encoding the English rules; there's a
bit more risk of omission but again errors would be clearly obvious
(requiring an obvious nonsense property).

Global could be more of a problem, but there I think we have to be very
conservative; no existing implementation is going to help much there, as the
rules have to allow far more than any single implementation needs --
regardless of design.

If there is any risk, it is in the English wording changes (deleting too much
certainly would be possible). But if you look at the prototype AI12-0112-1,
you'll see that the descriptions of the container operations are *much* more
understandable. Getting the English for what really was code was very
difficult and probably isn't exactly right. Most likely, we'll fix some errors
by this exercise (and probably fix some errors in existing implementations,
too, if our experience with containers ACATS tests is any guide). [Indeed, by
making these checks first-class preconditions, we will eliminate most of the
need for ACATS tests on those checks, which are annoying to write, and only
important if someone has screwed up. That would allow redirecting that effort
elsewhere.]

****************************************************************

topic Pragma Suppress (Container_Checks)
!reference Ada 202x 2012 RM11.5, A.18.4
!from Gautier de Montmollin 17-12-05
!keywords Suppress Container_Checks
!discussion

Hello,

Like it or not, GNAT has a pragma Suppress (Container_Checks) which is
activated with the -gnatp option. It changes changes the behaviour
of Maps (and perhaps other containers) when an element hasn't been
found: the behaviour of function Element @ A.18.4 34/2 fails, and
Constraint_Error is NOT propagated as expected.
Especially, function Element (Container : Map; Key : Key_Type) return Element_Type; (68/2)
cannot be used at all.

Actually my proposal is either:

  - For the Ada standard, to add this pragma. It would join the other documented
    pragmata in 11.5 (Suppressing Checks) that have to be used with caution.
  - Or for the GNAT compiler, to warn better of the risks of this undocumented
    (in the Ada standard sense) pragma

****************************************************************

From: Randy Brukardt
Sent: Tuesday, December 5, 2017  3:57 PM

(1) pragma Suppress always causes the risk of making a program's erroneous.
If this is a real concern (and it should be), don't use pragma Suppress.
(It's almost never necessary with modern compilers which can eliminate the
vast majority of checks by optimizations.) [I'm not going to say more here,
as it would get off-topic; I had much more to say about this in a recent
comp.lang.ada thread.]

(2) We already have this issue on our radar. In particular, AI12-0112-1
intends to make almost all of the container checks into explicit preconditions
and provide a way to suppress language-defined preconditions. This will make
the description of the checks clearer and still provide the functionality if
it is needed.

(3) 11.5(27/2) allows an implementation to define additional check names for
Suppress. There's no requirement that the check names be language-defined.
So GNAT is perfectly OK defining Container_Check, Box_Check, Gautier_Check,
or any other name that they like. :-) As to the quality of their
documentation, that's hardly a language Standard concern.

****************************************************************

From: Randy Brukardt
Sent: Thursday, December 6, 2018  8:44 PM

I've been thinking about the job of putting these contracts into the Standard.
I've concluded that writing a full AI for this would just double the work, as
I'd have to create an AI version of the changes, and then put the same changes
into RM. While this might be good for my bank account (and that assumes an 
unlimited willingness of AdaCore to put in more money -- something that does 
not likely exist), it seems silly.

My thinking is that simply putting the changes directly into the RM, with 
proper change marks, would be likely more useful for human reviewers than any
amount of time spent on the actual AI. Moreover, for machine testing, it is
relatively easy to extract the required specifications from the RM (it would 
be easy to write a tool to process the HTML to do that, including removing 
the paragraph numbers which would prevent directly cut-and-pasting). Machine 
testing seems mandated, although having a compiler that could ignore 
Nonblocking and Global aspects would seem very useful (else having a tool to 
strip those would be required - doing it by hand would take ages).

However, in order to follow this approach, I'll need essentially a "blank 
check" to make such changes as described in AI12-0112-1. Once these changes
are inserted in the RM (at the same time as changes for AIs 212, 111, and
266) would pretty much mean that the work to back them out would be equivalent
to the original work. (Summary: not gonna happen.)

Is this a reasonable approach? Should I put this on the agenda for discussion 
on Monday???

****************************************************************

From: Tucker Taft
Sent: Thursday, December 6, 2018  9:35 PM

Makes sense to me.  It would be nice to do this during a "lull" in making 
other changes to the RM, so we could review the final product before signing 
off on it.

****************************************************************

From: Randy Brukardt
Sent: Friday, December 14, 2018  9:15 PM

We've talked on several occasions about having a global permission for 
implementation-defined packages to appear in the Global specification of 
language-defined entities. This is needed, for instance, to support an 
implementation-defined helper package that implements all of the low-level IO 
operations. If that package has state, it needs to appear in the global 
contracts of packages that use it. Forcing implementations to move all of the 
state seems like a nightmare for implementers and adverse to good Ada design 
practice (share as much as possible of the implementation).

At the recent meeting we talked about putting this into the start of Annex A. 
We also talked about allowing additional postconditions, which we agreed was 
possible without any permission.

Here is suggested wording for this permission and some associated AARM notes. 
Improvements welcome.

=============

Add after Annex A(4): [Implementation Permissions]

The implementation may add specifications of synchronized entities of 
implementation-defined packages to the global specification for any 
language-defined entity that is not declare pure or has a global specification 
of \null\.

AARM Reason: Ada runtime libraries often use implementation-defined helper 
packages to implement the language-defined units. For instance, it is common
to use a common low-level package to implement I/O; if that package includes
support for Current Input and Current Output, then it is likely to have state
that needs to be reflected in the packages that use it such as Ada.Text_IO.

We want to allow such packages, so we have defined this permission to allow 
them to include state if necessary. We require that any such state is 
synchronized to ensure that appropriate use (as defined above) is allowed in
parallel operations.

We exclude units that are declared pure from this permission since this is a
declaration that the unit doesn't have any global state, so specifying 
otherwise would defeat the purpose. Similarly, entities that explicitly 
specify Global as \null\ are supposed to have no side-effects, and we don't 
want implementations to add any.
End AARM Reason.

AARM Ramification: Implementations are allowed to make other changes to the 
specifications of language-defined units, so long as those changes are 
semantically neutral (that is, no program could change legality or effect 
because of the changes). In particular, an implementation would need to add
implementation-defined units to the context clause in order to use the 
previous permission; this is allowed and does not need a separate permission.

Similarly, an implementation can add/enhance postconditions to 
language-defined subprograms, so long as those postconditions reflect the 
definition of the subprogram. This might be useful, for instance, if the 
implementation can use those postconditions to eliminate following code 
(perhaps by proving that a following precondition must be true based on the 
postcondition).
End AARM Ramification.

****************************************************************

From: Bob Duff
Sent: Saturday, December 15, 2018  10:50 AM

> Here is suggested wording for this permission and some associated AARM 
> notes.
> ...

Looks good to me.

By the way, how would one express the fact that Text_IO is messing around 
with the state on the disk? Is that even possible?

> AARM Ramification: Implementations are allowed to make other changes 
> to the specifications of language-defined units, so long as those 
> changes are semantically neutral (that is, no program could change 
> legality or effect because of the changes). In particular, an 
> implementation would need to add implementation-defined units to the 
> context clause in order to use the previous permission; this is 
> allowed and does not need a separate permission.

That's so obvious, I'm tempted to add "of course":
"Implementations are allowed..."

And maybe remove the parenthetical remark -- anybody reading the AARM 
should know what "semantically neutral" means.

> Similarly, an implementation can add/enhance postconditions to 
> language-defined subprograms, so long as those postconditions reflect 
> the definition of the subprogram. This might be useful, for instance, 
> if the implementation can use those postconditions to eliminate 
> following code (perhaps by proving that a following precondition must 
> be true based on the postcondition).

I suggest shortening that a bit:

    Similarly, an implementation can add postconditions to
    language-defined subprograms, so long as those postconditions
    are True. This is useful if the
    implementation can use those postconditions for optimization.

***************************************************************

From: Bob Duff
Sent: Saturday, December 15, 2018  10:58 AM

> That's so obvious, I'm tempted to add "of course":
> "Implementations are allowed..."

Ooops, I meant to write:

    That's so obvious, I'm tempted to add "of course":
    "Implementations are of course allowed..."
                         ^^^^^^^^^

Of COURSE that's what I meant!  ;-)

***************************************************************

From: Randy Brukardt
Sent: Sunday, December 16, 2018  12:09 AM

> > Here is suggested wording for this permission and some associated 
> > AARM notes.
> > ...
> 
> Looks good to me.

Thanks for the comments.

> By the way, how would one express the fact that Text_IO is messing 
> around with the state on the disk?
> Is that even possible?

Not sure. I've always imagined it as the "state" of one of the helper 
packages, but I don't know if that is really the right model.
 
...
> And maybe remove the parenthetical remark -- anybody reading the AARM 
> should know what "semantically neutral" means.

I've heard several times from people on comp.lang.ada that they found the AARM
interesting reading. That is, not everyone reading it is an implementer or 
language lawyer. (I probably would have found it interesting had it existed
when I was at the University of Wisconsin.) So I don't want to assume too much 
about the reader's knowledge. Besides, it really easy to assume that such 
things are obvious when you've been talking about such things for decades. So 
I think the parenthetical remark is helpful to some readers, and reinforcing 
to others (including me!).

> > Similarly, an implementation can add/enhance postconditions to 
> > language-defined subprograms, so long as those postconditions 
> > reflect the definition of the subprogram. This might be useful, for 
> > instance, if the implementation can use those postconditions to 
> > eliminate following code (perhaps by proving that a following 
> > precondition must be true based on the postcondition).
> 
> I suggest shortening that a bit:
> 
>     Similarly, an implementation can add postconditions to
>     language-defined subprograms, so long as those postconditions
>     are True. This is useful if the
>     implementation can use those postconditions for optimization.

Seems a bit too short to me, it seems to say that you can only add "True" as 
postconditions. (Obviously, no one would write a note to say that, so it's 
nonsense, but it takes some thought to figure that out.) How about:

     Similarly, an implementation can add postconditions to
     language-defined subprograms, so long as those postconditions
     always evaluate to True. This is useful if the
     implementation can use those postconditions for optimization.

or maybe "always would evaluate to True" (since they won't actually be 
evaluated in most circumstances).

***************************************************************

From: Bob Duff
Sent: Sunday, December 16, 2018  1:50 PM

> Seems a bit too short to me, it seems to say that you can only add 
> "True" as postconditions.

Good point.
>      Similarly, an implementation can add postconditions to
>      language-defined subprograms, so long as those postconditions
>      always evaluate to True. This is useful if the
>      implementation can use those postconditions for optimization.

Yes, that's better.

> or maybe "always would evaluate to True" (since they won't actually be 
> evaluated in most circumstances).

I slightly prefer leaving out the "would".

***************************************************************