Version 1.3 of ai12s/ai12-0422-1.txt


!standard 3.3(13/3)          21-01-15 AI12-0422-1/02
!standard 6.1.1(22.1/5)
!standard 6.1.2(10/5)
!class Amendment 21-01-14
!status work item 21-01-14
!status received 21-01-14
!priority Low
!difficulty Easy
!subject When is a constant known-on-entry?
!summary
The notion of "known to have no variable views" is defined, and used in several rules.
!problem
There are two issues with 6.1.1(22.1/5).
First, this rule is about a constant "for which all views are constant" and then references 3.3. Is the definition in 3.3 right? It seems to suggest that an object "for which all views are constant" can have a controlled subcomponent, which is wrong.
Second, even if that were correct, it seems to require breaking privacy to check this rule. If a component has a private type, and the full type has a controlled component, then certainly a variable view of a part of the object exists. That is what we're trying to fix. But this definition is eventually used in a Legality Rule, so breaking privacy should be a last resort.
!proposal
(See Summary.)
!wording
Add after 3.3(13/3):
AARM Ramification: If some part of an object has a variable view, then the object as a whole has a variable view, and not all views of the object are constant. That's true even if only a subcomponent has a variable view.
Also add after 3.3(13/3):
A constant object is /known to have no variable views/ if it does not have a part that is immutably limited, or of a controlled type, private type, or private extension.
AARM Reason: This definition can be used in Legality Rules as it respects privacy. It is an assume-the-worst rule, as all private types and private extensions are assumed to have a controlled component.
Modify 6.1.1(22.1/5):
* a name statically denoting a full constant declaration [of a type for
which all views are constant]{which is known to have no variable views} (see 3.3);
Modify 6.1.2(10/5):
The Global aspect identifies the set of variables (which, for the purposes of this clause includes all constants {except those which are known to have no variable views (see 3.3)}[with some part being immutably limited, or of a controlled type, private type, or private extension]) that are global to a callable entity or task body, and that are read or updated as part of the execution of the callable entity or task body. If specified for a protected unit, it refers to all of the protected operations of the protected unit. Constants of any type may also be mentioned in a Global aspect.
!discussion
We do not try to prevent the possible misreading of 3.3(13/3) noted in the question. Rather, we add an AARM note to clarify the meaning when a subcomponent may have a variable view.
If we neither assumed the worst nor looked into private types, we could have a "constant" whose value changes during a period of interest. A value which could be changed cannot be "known on entry", and it needs to be covered by a Global aspect.
It seemed best to add a term to describe the "assume-the-worst" list of items that potentially could have a variable view of a part of a constant object. Repeating that list in each rule just makes it more likely to make a mistake, and a single term will simplify writing any similar rules in the future.
** Temporary discussion **
This issue was raised in Steve Baird's AARM review. We ran out of time to resolve it before the agenda deadline.
Steve had noted that 6.1.2(10/5) includes a list of items rather than depending upon 3.3(13/3). Specifically:
"...includes all constants with some part being immutably limited, or of a controlled type, private type, or private extension ..."
He wondered why there was a difference. Randy explained that the reason is that this list avoids breaking privacy for a Legality Rule by looking into private types.
But the 6.1.1(22.1/5) definition ultimately is used in a Legality Rule. So it appears these should be the same.
Randy suggested just giving an AARM Ramification to help read 3.3(13/3):
AARM Ramification: If some part has a variable view, then the object as a whole has a variable view, and not all views of the object are constant. That's true even if only a subcomponent has a variable view.
But this does not address the privacy problem, and probably 3.3(13/3) would be better reworded in any case.
Tucker suggested using "all parts are known to have all views constant". Randy thinks that needs some definition or a lengthy explanatory note. And it seems backwards for the privacy issue.
Randy then created this AI from his fertile imagination. He has no illusions that anyone else agrees with it. He's expecting someone to complain about the double negative (which he has carefully hidden in the wording).
!ASIS
No ASIS Effect.
!ACATS test
No separate ACATS tests ought to be needed. One could imagine a B-Test that uses a constant array with a component of a private type as the prefix of 'Old and checks that a dynamic index is not allowed. But this seems rather low value as it is rather unlikely.
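As an added illustration (not part of this AI or of any ACATS test), the following constructed package shows the two cases the proposed 6.1.1(22.1/5) wording distinguishes, using the B-Test idea above. It assumes the Ada 2022 rule in 6.1.1 that a potentially unevaluated prefix of 'Old must statically name an entity unless it is known on entry; the package, type and object names are invented.

```ada
--  Constructed example: the same dynamically indexed 'Old prefix on two
--  constants, one known to have no variable views and one not.
with Ada.Finalization;
package Known_On_Entry_Demo is

   --  A full constant of an array-of-Integer type has no part that is
   --  immutably limited, controlled, private or a private extension, so it
   --  is "known to have no variable views" (proposed 3.3 wording).
   type Int_Array is array (1 .. 10) of Integer;
   Plain : constant Int_Array := (others => 0);

   --  The client view of Handle is private; the assume-the-worst rule treats
   --  any constant with a Handle part as possibly having a variable view,
   --  without looking at the full view below.
   type Handle is private;
   type Handle_Array is array (1 .. 10) of Handle;
   Hidden : constant Handle_Array;

   --  Legal: Plain (I)'Old is potentially unevaluated (dependent expression
   --  of an if_expression) and does not statically name an entity, but the
   --  prefix is known on entry: Plain is a full constant known to have no
   --  variable views, and I is a nonaliased in parameter of an elementary type.
   procedure Check_Plain (I : in Integer; Cond : in Boolean)
     with Post => (if Cond then Plain (I)'Old = Plain (I));

   --  Illegal under the proposed wording: Hidden has a part of a private
   --  type, so it is not known to have no variable views, Hidden (I) is not
   --  known on entry, and the dynamic index means the prefix does not
   --  statically name an entity. A B-Test would expect an error here.
   procedure Check_Hidden (I : in Integer; Cond : in Boolean)
     with Post => (if Cond then Hidden (I)'Old = Hidden (I));

private
   --  The full view really does contain a controlled part, so a "constant"
   --  Handle_Array has a variable view through Adjust/Finalize.
   type Handle is new Ada.Finalization.Controlled with record
      Count : Natural := 0;
   end record;
   Hidden : constant Handle_Array := (others => <>);

end Known_On_Entry_Demo;
```

The same distinction drives the 6.1.2(10/5) change: Plain need not be listed in a Global aspect of a subprogram that reads it, whereas Hidden counts as a variable for Global purposes.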
!appendix

****************************************************************