CVS difference for ai12s/ai12-0210-1.txt

Differences between 1.9 and version 1.10
Log of other versions for file ai12s/ai12-0210-1.txt

--- ai12s/ai12-0210-1.txt	2019/06/11 04:13:54	1.9
+++ ai12s/ai12-0210-1.txt	2019/07/03 02:01:47	1.10
@@ -1,5 +1,7 @@
-!standard 7.3.2(23/3)                                 19-06-03  AI12-0210-1/04
+!standard 7.3.2(23/3)                                 19-07-02  AI12-0210-1/05
 !class ramification 16-12-19
+!status Amendment 1-2012 19-07-02
+!status ARG Approved 10-0-0  19-06-14
 !status work item 16-12-19
 !status received 16-09-29
 !priority Very_Low
@@ -88,7 +90,7 @@
 generic unit we are interested in is I1.G2, which is not declared within the
 immediate scope of T.
 
-Should there be some wording adjustment to fix this? (Yes.)
+Should there be some wording adjustment to fix this? (No.)
 
 !response
 
@@ -113,24 +115,25 @@
   able to reference invariant-violating values of the type
   (assuming the type invariant condition itself is well behaved -
   for example, no uses of global variables during evaluation of the
-  invariant expression). This goal is not completely acheieved;
+  invariant expression). This goal is not completely achieved;
   such leaking is possible but, importantly, it requires
   assistance (deliberate or not) of some form from the package that
   declares the invariant-bearing private type (or a child unit thereof);
   a client of a well-crafted package cannot use these holes to obtain an
   invariant-violating value without help.
 
-  The list of known techniques for achieving this kind of leak
+  The list of known techniques whereby this kind of leak can occur
   (ignoring things like erroneous execution and the various
   forms of unchecked type conversion) consists of:
-   - A boundary subprogram might assign
+   - A boundary entity might assign
      an invariant-violating value to a global variable that is
      visible to client code. 
    - Invariant checks on subprogram return are not performed on objects
      that are accessible only through access-valued components of other
-     objects. This can only cause a leak if there is a type with 
+     objects. This means components of extensions are not checked.
+     This can only cause a leak if there is a type with 
      access-valued components that is used as a parameter or result type
-     of a boundary subprogram. For a type T that has a type
+     of a boundary entity. For a type T that has a type
      invariant, avoiding the declaration of types with 
      access-valued components designating objects with parts of T in the 
      package that contains T is sufficient to prevent this leak.
@@ -143,7 +146,7 @@
    - Invariant checks are only performed for parts of the nominal type for
      tagged parameters and function results. For this leak to occur for a
      type T that has a type invariant, the body of a boundary 
-     subprogram of T needs to have visibility on a type extension that has
+     entity of T needs to have visibility on a type extension that has
      components of T or access-to-T and also has an ancestor type (or class)
      as a parameter or result of the subprogram.
    - Consider a package P which declares an invariant-bearing private type T
@@ -162,62 +165,6 @@
   above) from within the immediate scope of the invariant-bearing type. 
 
 !discussion
-
-[Editor's musings:
-
-For the third issue, one needs to be careful with the wording lest a type
-declared within the outer generic get swept up in the special case (such a
-type should always be checked in this case).
-
-There is also an issue with derived generic formal types.
-
-  procedure Invtest2 is
-     package Pkg2 is
-        type T is private;
-
-        generic
-           type Der is new T with private;
-        package G1 is
-           generic
-           package G2 is
-              procedure Proc2 (X : in out Der);
-           end G2;
-        end G1;
-
-     private
-        type T is record
-           Xx, Yy : Integer := 0;
-        end record with
-           Type_Invariant => (T.Xx <= T.Yy);
-     end Pkg2;
-
-     package body Pkg2 is
-        package body G1 is
-           package body G2 is
-              procedure Proc2 (X : in out Der) is
-              begin
-                 X.Yy := Integer'First; -- This can see the components of T.
-              end Proc2;
-           end G2;
-       end G1;
-     end Pkg2;
-
-     package I1 is new Pkg.G1(Pkg.T);
-
-     package I2 is new I1.G2;
-     Var : Pkg.T;
-  begin
-     I2.Proc (Var);
-     --  If we reach this point without raising an exception, then
-     --  Var has an invariant-violating value.
-  end Invtest2;
-
-I don't see how the existing rules deal with this, and it's not listed in the
-case of holes, either.
-
-End Editor's musings.]
-
----
 
 It seems ok, but worth noting, that we can have a generic whose body
 can see the full view of some private type but which is not in immediate

Questions? Ask the ACAA Technical Agent