Version 1.10 of ai12s/ai12-0240-1.txt

From: Tucker Taft
Sent: Thursday, October  5, 2017  12:05 AM

Here is a new AI [Version /01 of the AI - Editor] based on generalizing to
Ada some work we have been doing on adding "safe" pointers to SPARK.  I have
coupled this with a no-parameter-aliasing restriction because you really need
both to get much benefit from either.  We have several customers, both SPARK
users and "regular" Ada users, who have quite an interest in this topic as
well.  We will be prototyping this in any case, but in my view (and others)
it could be a really great feature for Ada 202X more generally.

****************************************************************

From: Randy Brukardt
Sent: Thursday, October  5, 2017  8:08 PM

This seems insufficiently baked for the ARG to work on it. (If we had
unlimited time, it would be different, but this looks like something that
could take all of the time available.)

In particular, the comment in the !discussion:

   Tracking validity of components is more challenging, and perhaps additional
   rules over and above those given above will be needed.  In particular, we
   have proposed rules for dynamically-indexed array components.  They will
   need to be studied and used in examples to know whether they are adequate
   and usable.

I don't think the ARG is the place to develop these sorts of rules. In addition
to the proposed rules, there need to be rules for dealing with this in
generics. (The word "generic" does not appear in this proposed AI, so it's
pretty clear that there is an enormous amount missing).

For instance, how do the parameter aliasing restrictions get enforced on
generic formal types? Assume-the-worst in generic bodies would be wildly
incompatible, and not enforcing them would seem to destroy the entire idea.
Not allowing generics at all doesn't seem viable, either, nor is abandoning
the contract model (I suspect SPARK does the last, but that won't fly in Ada).

Similarly, how are the restrictions enforced when a type with a component of a
tracked access type is passed as a generic actual type? Assume-the-worse would
ban most existing assignments -- no way.

Finally, I'm terrified at the notion of automatic deallocation of objects.
In the case of a general access type (or generic formal type), the compiler
cannot know at compile-time the proper storage pool to use to deallocate the
original object. (The object may not have been allocated at all [it could have
been an aliased global object], or could have been implicitly converted from
some other type.) Besides, most anonymous access types have no storage pool
associated, so how could it be deallocated automatically? I think automatic
deallocation has to be limited to pool-specific types (where the correct pool
is well-defined); other places where it would be needed ought to be illegal.

[Yes, any use of Unchecked_Deallocation on a general access type is dangerous,
but such uses are directly visible in the code, involve the name "Unchecked",
and as such should be carefully checked in code reviews. Stuff that happens
automatically is much, much harder to review.]

These sorts of (big) issues tell me that this idea needs more work before the
ARG starts on it. There clearly need to be more examples created, and possibly
a prototype implementation. The basic idea seems sound, but it is hard to say
if it is usable in Ada at this point, and it seems to be the sort of
experimental idea that isn't ready for Standardization.

****************************************************************

From: Jeff Cousins
Sent: Friday, October  6, 2017  5:06 AM

Interesting, and clearly some work has gone into this.  But...

It says "The Ownership aspect is a relatively simple idea" but it looks quite
complicated to me, most of it is more like what I would expect a static
analysis tool to do than a compiler.  E.g. it has a section on control flow -
if we were to require flow analysis of a compiler, then there are more useful
things that it could look for, such as checking that all paths through a
subprogram assign values to all the out parameters, and that all paths through
a function return a value.

It seems to have an Ada 83 view of access types, i.e. that they only point to
objects allocated on the heap.  Randy's reply elaborates on this.

Also, access types are currently classified as being elementary types, I think
that would have to be revised if they have to carry around hidden state
information with them.

****************************************************************

From: Tucker Taft
Sent: Friday, October  6, 2017  10:31 AM

> Interesting, and clearly some work has gone into this.  But...
>
> It says "The Ownership aspect is a relatively simple idea" but it looks
> quite complicated to me, most of it is more like what I would expect a
> static analysis tool to do than a compiler.

What I meant was that the *idea* is simple, but the compiler support is indeed
not simple.

>  E.g. it has a section on control flow - if we were to require flow analysis
> of a compiler, then there are more useful things that it could look for,
> such as checking that all paths through a subprogram assign values to all
> the out parameters, and that all paths through a function return a value.

You are correct that this would introduce some control-flow based checks, and
there are many checks that could take advantage of that.  In fact, almost
every Ada compiler already does some amount of control flow, merely to provide
helpful warnings.  This would be the first time we would make legality depend
on that, which is worth considering!

> It seems to have an Ada 83 view of access types, i.e. that they only point
> to objects allocated on the heap.  Randy's reply elaborates on this.

This is a good point.  The TBD "conversion" rules were meant to cover that, in
particular a value of such an "owning" access type would only be allowed to
point to an actual heap object, of the correct storage pool.  'Access or
'Unchecked_Access would be illegal for such types, as would be conversions
from types that are not "owning" access types or that use a different
Storage_Pool.

> Also, access types are currently classified as being elementary types, I
> think that would have to be revised if they have to carry around hidden
> state information with them.

The rules are intended to mean that the hidden state is only needed at compile
time.  But even now, there are access types that are multiple words, e.g.
access-to-protected-subprogram, and in some implementations,
access-to-unconstrained-array.  So being multiple words doesn't necessarily
imply being "composite" from a language point of view.

****************************************************************

From: Randy Brukardt
Sent: Monday, October  9, 2017  8:21 PM

> Here is a new AI ...

I noted that the !problem seems to concentrate totally on the problems of
static analysis tools. It starts:

"When attempting to prove properties about a program, ..."

I'd argue that a large proportion of Ada users aren't planning to do that
anytime soon. And arguably, static analysis tools can solve their own problems
(as you say is being done with SPARK). So what's the value of this proposal
to the average Ada user?

Static analysis features like Preconditions and Predicates are evaluated at
runtime in Ada, so they are valuable to Ada programmers even if they never
even have imagined a static analysis tool. I think that is an important part
of any major feature added to Ada.

---

> You are correct that this would introduce some control-flow based
> checks, and there are many checks that could take advantage of that.
> In fact, almost every Ada compiler already does some amount of control
> flow, merely to provide helpful warnings.  This would be the first
> time we would make legality depend on that, which is worth considering!

So far as I know, only GNAT uses front-end flow analysis for "helpful
warnings". I've never seen such warnings in other Ada compilers (most
compiler warnings aren't very helpful!).

Janus/Ada is probably extreme in this regard, but it could not enforce any
rules on anything larger than an expression. Flow analysis is done only in the
optimizer, only if the optimizer is on, and can only produce warnings - it has
to produce an executable program by that point; the data structures needed to
produce detailed errors are long gone by that point. I would have to discard
40% of the compiler and rewrite it to have any way to do any serious flow
analysis in the front-end. (Hint: I'm not going to do that.)

Additionally, if we require flow analysis for Legality Rules, we would have to
define precisely what flow analysis is required and not required for that
purpose. Besides being a lot of work, it certainly would be different than what
any actual compiler did for such things, meaning that every vendor would have
to bifurcate their flow work (much as every vendor has to split compile-time
expression evaluation into static and non-static parts). That's going to be a
lot of work even for compilers that already do the needed analysis.

It also seems that this sort of requirement would also require abandoning all
pretense of a contract model for generics. (You all know where I stand on
that.) It wouldn't make much sense to require assume-the-worst in a generic
body, as that would essentially make all code illegal; nor does it make much
sense to use a bunch of runtime checks for this (or any such model).

Finally, if we were to start requiring flow analysis, there are lots of things
that would be better uses for it than this proposal: uninitialized stand-alone
object prevention seems to lead the list (as Jeff noted).

It might be that this idea is best left as a SPARK feature, since it doesn't
seem to fit into the existing model of what an Ada compiler is required to do.

****************************************************************

From: Tucker Taft
Sent: Monday, October  9, 2017  8:36 PM

You may not buy the rationale, but in my view, safe storage management is a
huge issue, and many languages have adopted full garbage collection, not
because it is a "good thing," but merely because having to deal with storage
leaks and dangling references is so painful.

I think if Ada had a "mode" in which all storage management was safe and
automatic, and there were no dangling references or storage leaks, and yet
also no asynchronous garbage collector meaning that real-time guarantees are
straightforward, all in the presence of multitasking and/or parallelism, this
would be truly extraordinary.  In my experience using a language that has
these features (ParaSail) improves productivity by another order of magnitude
over current Ada.

I realize controlled types were supposed to solve all of these problems, but
they are painful to get right, can make debugging significantly harder, can
add measurable overhead, and don't really address issues of multi-tasking.

I agree this AI is a lot of work, but I think the payoff could be enormous.

****************************************************************

From: Randy Brukardt
Sent: Monday, October  9, 2017  9:07 PM

> You may not buy the rationale, but in my view, safe storage management
> is a huge issue, and many languages have adopted full garbage
> collection, not because it is a "good thing,"
> but merely because having to deal with storage leaks and dangling
> references is so painful.

You didn't give that as a rationale! The only thing the AI talks about is
proving programs and eliminating aliasing.

I'm surely not against "safe storage management" (that would be like being
against apple pie!), but I don't see how the features in the AI provide
anything safe. (Quite the reverse in fact, unless one assumes things about the
TBDs known only to the author.)

> I think if Ada had a "mode" in which all storage management was safe
> and automatic, and there were no dangling references or storage leaks,
> and yet also no asynchronous garbage collector meaning that real-time
> guarantees are straightforward, all in the presence of multitasking
> and/or parallelism, this would be truly extraordinary.

Yes, it would be truly extraordinary. I'd actually say impossible. :-)

If you can do that, without (a) wrecking the model of Ada (i.e. generic
contract model), (b) wrecking Ada implementations  (i.e. requiring flow
analysis were none is previously required), and (c) wrecking portability
(i.e. requiring checks without sufficient definition), please do so. But the
proposal you sent does none of that, and doesn't even give a rationale for
anything that would help a non-SPARK Ada user. As I initially said,
insufficiently baked.

To get this proposal into anything resembling a usable form by mid-2019 would
require putting virtually all of our effort into that, and forgetting about
parallel operations, Global, and most of the other open proposals.
(That is, the stuff we've already promised.) A proposal would have to be
absolutely stupendous for that, and you'd have to make a much better case (in
particular, that you could really deliver the benefits that you claim in this
e-mail *and* keep usability).

P.S. I'd much rather you did your homework rather than coming up with new
pie-in-the-sky ideas. I realize the latter is more fun, but fun doesn't get
anything finished, and we're entering the home stretch of this Standard.

****************************************************************

From: Tucker Taft
Sent: Monday, October  9, 2017  10:18 PM

I realize this isn't part of my homework, but it seems important to at least
add the conversion rules into this, so it can be evaluated for safety.
Without the conversion rules, safety is clearly hopeless to evaluate.

So here is an update which adds conversion rules (and disallows 'Access and
'Unchecked_Access). [This is version /02 of the AI - Editor.]

I promise to do no more work on this until all my other homework is done... ;-)

****************************************************************

From: Randy Brukardt
Sent: Wednesday, October 11, 2017  10:42 PM

(A) This has been assigned AI12-0240-1.
(B) The AI had horrible formatting, which I fixed. But that prevents comparing
    for changes, so I just copied the "Converting values" part and left the
    rest alone. Since you left the TBD about conversions later in the
    description, I'm pretty sure you didn't do a careful update. Hope I
    didn't miss any other change.
(C) Ada has a name for an access type doesn't allow 'Access and
    'Unchecked_Access -- a pool-specific type. An anonymous type can't specify
    an aspect anyway, so those can't be involved. So why not just say that the
    types in question have to be pool-specific? It seems simpler and fewer
    rules would be needed (the needed conversion rules already exist for those
    types).

****************************************************************

From: Raphael Amiard
Sent: Thursday, October 12, 2017  9:11 AM

> I noted that the !problem seems to concentrate totally on the problems
> of static analysis tools. It starts:
>
> "When attempting to prove properties about a program, ..."
>
> I'd argue that a large proportion of Ada users aren't planning to do
> that anytime soon. And arguably, static analysis tools can solve their
> own problems (as you say is being done with SPARK). So what's the
> value of this proposal to the average Ada user?

In my opinion you're drawing a line in the sand that is not so clearly
delimited. A static type system like the one Ada has exists to prove
properties about a program, and it is part of the compiler, not of an external
static analysis tool.

In this instance, the value of this proposal is to solve a class of memory
problems in the language directly, instead of relying on static analysis
tools to do it, IMHO.

****************************************************************

From: Randy Brukardt
Sent: Thursday, October 12, 2017  10:35 PM

My point, which I may not have made so well, is that the Problem statement/
Proposal explanation ought to spend at least some time on the benefits to
people who aren't using formal static analysis tools. To only talk about proof
issues leaves a lot of us out.

My understanding was that such techniques could be used to make programs that
don't use any tools safe (which Tucker also said in his reply to me). The AI
needs to emphasize that to get more broad-based support.

****************************************************************

From: Tucker Taft
Sent: Monday, January 15, 2018  10:37 AM

Here is an update to (well, really a complete re-write of) the AI on safe
pointers with automatic storage management.  It is available in various formats.
We have been working on it in Google Docs, which allows commenting, suggestions,
etc.  So here is the link to that:

  https://docs.google.com/document/d/1pCIzY7ch1Zwa56MUNglzH4M_Ci3L90FvtZh9TBP5okg/edit?usp=sharing

But I realize google-anything can be of concern to some folks.  So I have
attached a "plain text" version, and will send a "rich text" version separately
(my first attempt to send a "rich text" version doesn't seem to have gotten past
the various spam filters).  The plain text retains some indications of italic
and bold fonts, I believe, which isn't particularly helpful, and has a list of
the various comments at the end of the file, which is even less useful.  At some
point I will clean up the plain text version so it conforms with our normal
lexical conventions, but in the mean time, hopefully this is adequate.

[This is version /02 of the AI.]

****************************************************************

From: Randy Brukardt
Sent: Monday, January 15, 2018  10:02 PM

The .RTF version was ginormous, so the list wouldn't send it. I've put a version
into the Grab Bag, but of course Tucker updated the AI since his previous
sending, so most likely you want to use one of these versions:

    Text version:
http://www.ada-auth.org/ai-files/grab_bag/AI12-0240-1v7-stt.TXT

    Rich Text version:
http://www.ada-auth.org/ai-files/grab_bag/AI12-0240-1v7-stt.rtf

Or you can use the original Google Docs version (although that can change, so
it's not useful for a permanent reference):

https://docs.google.com/document/d/1pCIzY7ch1Zwa56MUNglzH4M_Ci3L90FvtZh9TBP5
okg/edit?usp=sharing

P.S. I didn't really read it, but I did verify that the .rtf could be loaded
successfully.

****************************************************************

From: Tucker Taft
Sent: Wednesday, January 24, 2018  10:37 AM

I have new versions of this.  I was planning to provide a "pdf" instead of an
"rtf" plus a ".txt" file.

I have attached a new ".txt" version, and I'll send the PDF directly to Randy.
[This is version /04 of the AI - ED.]

The major change was a more generalized 'Copy attribute, so it could be used
more widely to prevent limitations that, for example, come with by-reference
parameter passing.  In addition, I tried to incorporate issues relating to the
use of controlled types with subcomponents that are owning access objects.

****************************************************************

From: Randy Brukardt
Sent: Wednesday, January 24, 2018  4:58 PM

> I have attached a new ".txt" version, and I'll send the PDF directly
> to Randy.

You can find both of these in the Grab-Bag, see
http://www.ada-auth.org/ai-files/grab_bag/AI12-0240-1v8-stt.TXT for the text
version and  http://www.ada-auth.org/ai-files/grab_bag/AI12-0240-1v8-stt.pdf
for the PDF version.

****************************************************************

From: Randy Brukardt
Sent: Thursday, January 25, 2018  12:38 AM

I've read little of this AI, but I note that you made the same mistake here
that you did in container aggregates:

If a type has a partial view, the Ownership aspect may be specified explicitly
only on the partial view, and if specified True, the full type shall not be an
elementary type nor an untagged private or derived type with Ownership aspect
False; furthermore, if the Ownership aspect for the full type would be True if
not explicitly specified, the Ownership aspect of the partial view shall be
True, either by inheritance from an ancestor type or by an explicit
specification.

Since an aspect has the same value for all views, the full type will always
have the same value. So rules like: "derived type with Ownership aspect False"
can't ever happen and thus are vacuous.

Note that this is the same reason that Preelaborable_Initialization (as
currently defined) cannot be an aspect: it has different values for the
partial and full views.

****************************************************************

From: Tucker Taft
Sent: Saturday, March 24, 2018  9:31 AM

I updated a bit this presentation on safe pointers (AI-0240). It could still
use more pictures, etc., but it might be useful for those still struggling to
understand this proposal.

https://docs.google.com/presentation/d/1NdZl-Pee6ZyniVtAoqx6i8Fv0KD6nrqLixqX3LXzvkA/edit

****************************************************************

From: Tucker Taft
Sent: Tuesday, March 27, 2018  11:48 AM

Randy and I were discussing how to handle cursors, if the rest of the container
data structure were implemented using these Ownership pointers.  We began to
discuss some sort of "secondary" pointers or "unchecked" references, but I just
realized that good old 'Unchecked_Access provides exactly what we need.  The
pointer inside a cursor would not have Ownership True, would be of a general
access type, and would be initialized by using 'Unchecked_Access.
Unchecked_Access already seems to have exactly the right semantics for such 
pointers, namely it is up to the programmer to worry about dangling references.  

So I don't see any need to add any special notion of "Unchecked_References" to
AI12-0240.  So long as Unchecked_Access works, I don't think we need a new
feature to handle the "cursor problem."

****************************************************************

From: Randy Brukardt
Sent: Tuesday, March 27, 2018  5:37 PM

I don't think this works. Recall (for the rest of you, this was from our
private discussion) that the primary concern is being able to statically claim
that a dereference is not a global object because it is "owned" by an object
that is explicitly passed as a parameter. This is necessary so that the Global
reference can statically be "null" (or some other very restricted setting) 
rather than having to be "all" -- "all" necessarily prevents most parallelism
when checking for safety.

Note that we have to be able to dereference the unchecked reference, as it is 
not legal to convert the unchecked reference back to the owned pointer (that
would be a conversion into a pool-specific type, which is generally not
allowed).

For the owned pointers themselves, there is a fairly simple reachability rule
which provides the needed safety. The same rule can be used for the unchecked
pointers used in cursors, so long as the compiler can know that the unchecked
pointers cannot contain anything other than an owned pointer.

However, proving that the unchecked pointers cannot contain anything other
than an owned pointer requires analysis of all of the code that could possibly
create such a pointer. One can probably prove it in very limited circumstances
(such as when declared in a body), but the possibility of child units having
visibility into a private part means that separate compilation makes such a
proof unlikely unless we were to require analysis beyond what is usually
expected of Ada compilers.

As such, it seems necessary to declare that the type is an unchecked reference
of an owned pointer, so that we can apply the rules for owned pointers without
having to engage in complex proofs (perhaps OK for SPARK, not OK for Ada).
Once that's done, we might as well make that a pool-specific type in order to
be telling the truth about the capabilities of the type. (Personally, I'd
rather that all of these things are unchecked references by default, and that
the owned pointers are marked on the component or object declaration, as that
would require the least "noise" in the code -- there are only a few owned
pointer components in a typical program. Unmarked objects and components are
either "observers" if they have a short lifetime and "unchecked" if they have
a long lifetime. I don't see the value of having separate types. But that can
be discussed later.)

****************************************************************

From: Tucker Taft
Sent: Thursday, May 9, 2018  7:00 PM

https://docs.google.com/presentation/d/19dxDPWCb-Mg6A97SwAiu8iBRX2Q8s-3ynmwo_wXp48w/edit?usp=sharing_eip&ts=5af38b77

Here is an updated presentation about the "safe pointers" (Ownership aspect) 
which I gave on Monday at the High Confidence Software and Systems conference.
It might be of interest to those trying to "grok" the proposed AI. Randy and I
are talking about further additions to support secondary pointers such as
those used for cursors. This doesn't mention that. -Tuck

****************************************************************

From: Randy Brukardt
Sent: Wednesday, October 10, 2018  3:05 PM

[Replying to a message from Tucker Taft in another thread. - Editor.]

>Intriguingly, the anonymous access types are emerging as useful for 
>implementing the notion of temporarily borrowing an object in the 
>context of "owning" access types.  See AI12-0240-1:
>
>http://www.ada-auth.org/cgi-bin/cvsweb.cgi/ai12s/ai12-0240-1.txt?rev=1.9

This is not "intriguing" or "useful", but rather a downright evil (mis)usage 
of anonymous access types. The primary purpose of using these [in AI12-0240-1] 
is to provide a hack to avoid declaring explicitly what "kind" of owning 
access type is involved. That is a terrible idea, because:
  (A) owned access types are always pool-specific, while anonymous access 
      types are always general. Moreover, the point of anonymous access types
      is to allow easy inter-conversion, and that has to be banned for owned 
      access types. Their use in this context is a complete and utter lie to 
      any uninitiated reader.
  (B) one wants to use the various kinds of owned access types in many 
      contexts, and assuming the form of the declaration is unnecessarily
      constraining to the programmer.
  (C) note that there are at least four "kinds" of owned access types, so 
      purely depending on the form of declaration is insufficient [to 
      differentiate them].

We (you and I) discussed privately better ways to declare these things, which 
I wrote up in the alternative AI (AI12-0240-2), in large part because you 
suddenly became unwilling to discuss needed changes to the proposal (as well
as refusing to answer reasonable questions about the proposal, rather claiming
"the SPARK folks have considered all of the issues" -- which I don't believe, 
simply because I can't find any rules about owned access objects used in 
constants in AI12-0240-1).

In a private thread, we've been discussing ways to let the SPARK people have 
better visibility into things that we're doing that might affect them -- but 
this cuts both ways! The ARG ought to have better visibility into things that
SPARK is doing that might interfere with future Ada features.

>This AI probably won't make it into Ada 2020, but the SPARK folks are in
>the process of adding a stripped-down version of it to SPARK, ...

This is unfortunate, mainly because the proposal needs work (and 
simplification!), and sticking it into SPARK in a half-baked form will make 
a substantial constituency that will be against properly baking it.

It's also unfortunate if a stripped down version of this AI doesn't make it 
into Ada 2020, because it means that unbounded containers that can be used in
parallel with checking on are either (a) impossible or (b) have to be written
in non-Ada.

***************************************************************

From: Tucker Taft
Sent: Wednesday, October 10, 2018  3:38 PM

It sounds like somewhere along the way I dropped the ball on discussing 
alternative approaches, and sorry for that.  We have been working away on 
something based on AI12-0240-1 for inclusion in SPARK.  Be that as it may, I
am still interested in alternatives.  I was sort of waiting for your 
alternative (AI12-0240-2) to show up in my inbox, but I guess you uploaded it
and expected me to go find it online (which is a reasonable expectation, but 
alas, I never realized it was there).  I just went and looked at it, and it 
is interesting but also quite different.  I'll share it with the SPARK team 
and see what sort of comments they have on it.

***************************************************************

From: Randy Brukardt
Sent: Wednesday, October 10, 2018  5:00 PM

[Taking this private, as it's not interesting to everyone else.]

> It sounds like somewhere along the way I dropped the ball on 
> discussing alternative approaches, and sorry for that.  We have been 
> working away on something based on AI12-0240-1 for inclusion in SPARK.  
> Be that as it may, I am still interested in alternatives.  I was sort 
> of waiting for your alternative (AI12-0240-2) to show up in my inbox, 
> but I guess you uploaded it and expected me to go find it online 
> (which is a reasonable expectation, but alas, I never realized it was 
> there).

It was on the agenda of the last meeting, so it wasn't exactly hidden. You 
had pretty much stopped responding to my messages on the topic at that point,
so I wasn't sure you remained interested.

>I just went and looked at it, and it is interesting but also quite 
>different.  I'll share it with the SPARK team and see what sort of 
>comments they have on it.

It's also not complete, in that I didn't make any attempt to define kinds 
beyond "owned" and "unchecked". There needs to be at least a definition of a
"viewer" kind, and possibly others.

The idea of using subtypes was yours, I think. I didn't initially like it, 
but I realized that in some cases, especially with "viewers", that there might
be  a lot of these and having to tag every object would be a pain. Using types
would force explicit conversions for these types all over the place, which 
seems like overkill, especially for safe things like "viewers".

OTOH, in normal use, there won't be many "owned" pointers, so it makes sense 
to have those on the declaration (especially as they are so important).
Thus, I eventually concluded that both forms are needed. (Note that I've 
sometimes missed the ability to declare an aliased subtype so I didn't have 
to remember to stick that on every object declaration; this feels the same 
to me. That is one area where I think early Ada 9x was closer to correct -- 
but we've agreed to disagree on that years ago and rehashing is not needed.)

BTW, so far as I understand, it's not possible to build a doubly-linked list 
solely with owned pointers; one of them has to be some other kind (and the 
only proposed one that works is "unchecked". That suggests that for 
ADT/container use in particular one has to have more than just owned 
pointers.

The requirement to effectively declare the ownership mappings might not be 
necessary, in that one probably could derive it from the various uses of the
owned pointers (at least in ADT cases, where those are all in the private part
and body). However, that would mean that Ada's one-pass like 
reading/compilation model would have to be abandoned -- that might be a mess 
in some compilers. (Ahem, Janus/Ada in particular.) Perhaps there is a better
way to do it that doesn't require quite so much detail.

Note of course that I was trying to solve a different problem than
AI12-0240-1: specifically, ownership in ADTs so that the implementation can 
use pointers without having to resort to Global All or something equally 
annoying (which of course would prevent parallel use when checking is 
enabled).

It would be best if we could solve both of these problems with one solution,
even if we only standardize the minimum corner for now (as roughly described
in AI12-0240-2).

Anyway, comments welcome, if only because I don't have many complete examples
to consider, so I really don't know how this works in practice (I've mainly
considered the doubly linked list container when designing AI12-0240-2.)

***************************************************************

From: Randy Brukardt
Sent: Wednesday, October 10, 2018  5:08 PM

> [Taking this private, as it's not interesting to everyone else.]

Apparently I did a bad job of that. :-) I intended that message just for 
Tucker, since it mostly discussed our previous private conversations on this 
topic.

***************************************************************

From: Tucker Taft
Sent: Wednesday, October 10, 2018  5:11 PM

Thanks for the background, and sorry for the misunderstanding.  It is 
probably safe to assume that when I stop responding, it is because my 
brain just overflowed, and I have forgotten to reply and now the e-mail is
buried in a sea of other e-mails.  I have also been traveling an insane 
amount this year, having traveled across the "pond" eight times since 
January, including two 2-week trips to Japan.  So my brain is "mush" much 
of the time due to jet lag.

***************************************************************

From: Tucker Taft
Sent: Thursday, October 11, 2018  7:00 PM

***************************************************************