Version 1.1 of ai12s/ai12-0445-1.txt

Unformatted version of ai12s/ai12-0445-1.txt version 1.1
Other versions for file ai12s/ai12-0445-1.txt

´╗┐!standard 3.2(8) 22-04-28 AI12-0445-1/01
!standard 3.10.2(20)
!standard 5.5.3(28/5)
!standard 5.5.3(29/5)
!standard 9.8(20/3)
!standard 13.1(7/2)
!standard 13.3(37/2)
!standard 13.3(55)
!standard 13.11.2(9/3)
!standard 13.11.3(5.2/4)
!standard A.4.2(1)
!standard A.4.4(1)
!standard A.4.5(1)
!standard A.5.2(29/3)
!standard A.5.2(40.1/1)
!standard A.10.4(1)
!standard A.10.6(7)
!standard A.18.31(16/5)
!standard B.1(3)
!standard C.3(9)
!standard xx.xx()
!standard xx.xx()
!class presentation 22-04-28
!status work item 22-04-28
!status received 22-02-18
!priority Critical
!difficulty Medium
!subject Rewordings of normative material
!summary
A large number of paragraphs need to be reworded.
!question
ISO comment #20 says:
Verbal forms used to express provisions in the text do not always comply with the rules specified in the ISO/IEC Directives, Part 2. Do not use verbal forms ("could", "might", "need") that are not defined in the ISO/IEC Directives, Part 2.
The ISO "House Style" gives further information on this, essentially saying that they do not care whether the Standard reads well, they are more concerned with preciseness and lack of ambiguity.
As such, we need to remove any occurrences of those words from any normative text, and for some things that is complex.
!recommendation
** TBD
!wording
Modify 3.2(8):
A /subtype/ of a given type is a combination of the type, a constraint on values of the type, and certain attributes specific to the subtype. The given type is called the /type of the subtype/. Similarly, the associated constraint is called the /constraint of the subtype/. The set of values of a subtype consists of the values of its type that satisfy its constraint and any exclusion of the null value. Such values /belong/ to the subtype. {The other values of the type are /outside/ the subtype.}
[We use "outside" in various notes (see AI12-0422-1), and it is already (dubiously) used in some Implementation Permissions (3.5.4(24) and 3.5.6(7/5)) - Editor.]
Modify 3.10.2(20):
* For determining whether one level is statically deeper than another when within a generic package body, the generic package is presumed to be instantiated at the same level as where it was declared; runtime checks are {required}[needed] in the case of more deeply nested instantiations.
[Replace "needed" - Editor.]
Modify 5.5.3(28/5):
If the callable entity identified in the iterator_procedure_call allows exit, then it is a bounded error for a call of the loop body procedure to be performed from within an abort-deferred operation (see 9.8), unless the entire loop_statement was within the same abort-deferred operation. If detected, Program_Error is raised at the point of the call; otherwise, a transfer of control from the sequence_of_statements of the loop_statement {will}[might] not {necessarily} terminate the loop_statement, and the loop body procedure {can}[might] be called again.
["might not" needs to be replaced by other wording, "cannot" does not have the same meaning at all - Editor.]
Modify 5.5.3(29/5):
If a loop_statement with the procedural_iterator as its iteration_scheme (see 5.5) does not begin with the reserved word parallel, it is a bounded error if the loop body procedure is invoked from a different logical thread of control than the one that initiates the loop_statement. If detected, Program_Error is raised; otherwise, conflicts associated with concurrent executions of the loop body procedure can occur without being detected by the applicable conflict check policy (see 9.10.1). Furthermore, propagating an exception or making an attempt to exit in the presence of multiple threads of control {will}[might] not {necessarily} terminate the loop_statement, deadlock {can}[might] occur, or the loop body procedure {can}[might] be called again.
[See previous paragraph for comments - Editor.]
Modify 9.8(20/3):
An attempt to execute an asynchronous_select as part of the execution of an abort-deferred operation is a bounded error. Similarly, an attempt to create a task that depends on a master that is included entirely within the execution of an abort-deferred operation is a bounded error. In both cases, Program_Error is raised if the error is detected by the implementation; otherwise, the operations proceed as they would outside an abort-deferred operation, except that an abort of the abortable_part or the created task {does not necessarily}[might or might not] have an effect.
["might or might not" is doubly bad, "can or cannot" is doesn't have the right meaning, so I tried the above rewording. - Editor.]
Modify 13.1(7/2):
The representation of an object consists of a certain number of bits (the size of the object). For an object of an elementary type, these are the bits that are normally read or updated by the machine code when loading, storing, or operating-on the value of the object. For an object of a composite type, these are the bits reserved for this object, and include bits occupied by subcomponents of the object. If the size of an object is greater than that of its subtype, the additional bits are padding bits. For an elementary object, these padding bits are normally read and updated along with the others. For a composite object, {it is unspecified whether} padding bits {are}[might not be] read or updated in any given composite operation[, depending on the implementation].
[Have to replace "might not", but "cannot" is wrong and "may not" is not allowed. - Editor]
Modify 13.3(37/2):
The recommended level of support for the Size attribute of objects is the same as for subtypes (see below), except that only a confirming Size clause {is required to}[need] be supported for an aliased elementary object.
[Replace "need". Could use a form of "should" here instead, maybe - Editor.]
Modify 13.3(55):
* The Size (if not specified) of a static discrete or fixed point subtype should be the number of bits {necessary}[needed] to represent each value belonging to the subtype using an unbiased representation, leaving space for a sign bit only if the subtype contains negative values. If such a subtype is a first subtype, then an implementation should support a specified Size for it that reflects this representation.
[Replace "needed" - Editor.]
Modify 13.11.2(9/3):
c) Free(X), when X is not equal to null first performs finalization of
the object designated by X (and any coextensions of the object - see 3.10.2), as described in 7.6.1. It then deallocates the storage occupied by the object designated by X (and any coextensions). If the storage pool is a user-defined object, then the storage is deallocated by calling Deallocate as described in 13.11. There is one exception: if the object being freed contains tasks, {it is unspecified whether} the object {is}[might not be] deallocated.
[Have to replace "might not", but "cannot" is wrong and "may not" is not allowed. - Editor]
Modify 13.11.3(5.2/4):
Otherwise, the expected type for the Default_Storage_Pool aspect is Root_Storage_Pool'Class and the aspect_definition shall be a name that denotes a variable. This aspect overrides any Default_Storage_Pool pragma that {applies} [might apply] to the generic unit; if the aspect is not specified, the default pool of the instance is that defined for the generic unit.
[We don't need "might" here, as we already have "any" to say that there doesn't have to be one. So we can just use "applies". - Editor]
Modify A.4.2(1):
The package Strings.Maps defines the types, operations, and other entities {necessary}[needed] for character sets and character-to-character mappings.
[Replace "needed" - Editor.]
Modify A.4.4(1):
The language-defined package Strings.Bounded provides a generic package each of whose instances yields a private type Bounded_String and a set of operations. An object of a particular Bounded_String type represents a String whose low bound is 1 and whose length can vary conceptually between 0 and a maximum size established at the generic instantiation. The subprograms for fixed-length string handling are either overloaded directly for Bounded_String, or are modified as {necessary}[needed] to reflect the variability in length. Additionally, since the Bounded_String type is private, appropriate constructor and selector operations are provided.
[Replace "needed" - Editor.]
Modify A.4.5(1):
The language-defined package Strings.Unbounded provides a private type Unbounded_String and a set of operations. An object of type Unbounded_String represents a String whose low bound is 1 and whose length can vary conceptually between 0 and Natural'Last. The subprograms for fixed-length string handling are either overloaded directly for Unbounded_String, or are modified as {necessary}[needed] to reflect the flexibility in length. Since the Unbounded_String type is private, relevant constructor and selector operations are provided.
[Replace "needed" - Editor.]
Modify A.5.2(29/3):
An object of the private type State can be used to hold the internal state of a generator. Such objects are only {necessary}[needed] if the application is designed to save and restore generator states or to examine or manufacture them. The implicit initial value of type State corresponds to the implicit initial value of all generators.
[Replace "needed" - Editor.]
Modify A.5.2(40.1/1):
It is a bounded error to invoke Value with a string that is not the image of any generator state. If the error is detected, Constraint_Error or Program_Error is raised. Otherwise, a call to Reset with the resulting state will produce a generator such that calls to Random with this generator will produce a sequence of values of the appropriate subtype, but which {are}[might] not {necessarily}[be] random in character. That is, the sequence of values {do not necessarily}[might not] fulfill the implementation requirements of this subclause.
[The usual fixes for "might not" don't work here. "Cannot" is too definite (we don't know that the sequence is bad, just that it might be). We fall back on the "necessarily" crutch - Editor.]
Modify A.10.4(1):
The subprograms described in this subclause are concerned with the line and page structure of a file of mode Out_File or Append_File. They operate either on the file given as the first parameter, or, in the absence of such a file parameter, on the current default output file. They provide for output of text with a specified maximum line length or page length. In these cases, line and page terminators are output implicitly and automatically when {necessary}[needed]. When line and page lengths are unbounded (that is, when they have the conventional value zero), as in the case of a newly opened file, new lines and new pages are only started when explicitly called for.
[Replace "needed" - Editor.]
Modify A.10.6(7):
Any Put procedure, for an item of a numeric or an enumeration type, outputs the value of the item as a numeric literal, identifier, or character literal, as appropriate. This is preceded by leading spaces if required by the Format parameters Width or Fore (as described in later subclauses), and then a minus sign for a negative value; for an enumeration type, the spaces follow instead of leading. The format given for a Put procedure is overridden if it is insufficiently wide, by using the minimum {necessary}[needed] width.
[Replace "needed" - Editor.]
Modify A.10.9(26):
If Exp has the value zero, there is no exponent part. If Exp has a value greater than zero, then the exponent part to be output has as many digits as are {necessary}[needed] to represent the exponent part of the value of Item (for which a single digit integer part is used), and includes an initial sign (plus or minus). If the exponent part to be output has fewer than Exp characters, including the sign, then leading zeros precede the digits, to make up the difference. For the value 0.0 of Item, the exponent has the value zero.
[Replace "needed" - Editor.]
Modify A.18.31(16/5):
The Implementation Advice about the Move and Swap operations is deleted for bounded holders; these operations can copy elements as {necessary}[needed].
[Replace "needed" - Editor.]
Modify B.1(3):
A pragma Linker_Options is used to specify the system linker parameters {necessary}[needed] when a given compilation unit is included in a partition.
[Replace "needed" - Editor.]
Modify C.3(9):
C.3 Interrupt Support
The implementation shall provide a mechanism to determine the minimum stack space that is {necessary}[needed] for each interrupt handler and to reserve that space for the execution of the handler. This space should accommodate nested invocations of the handler where the system permits this.
[Replace "needed" - Editor.]
[*** TBD: A number of remaining paragraphs that still need wording proposals are found at the start of the !appendix - Editor.]
!discussion
To summarize the ISO rules from the Directives part 2 (often referred to as the drafting standard):
Requirements use "shall" preferably, or phrases involving forms of "require", "has to", or "it is necessary". "Must" is not allowed (it can be used for external requirements, such as government laws, but that usually doesn't apply to us).
Recommendations use "should" preferably, or phrases involving forms of "recommend" or "ought to".
Permissions should use "may" preferably, or phrases using forms of "permit" or "allow". "Might" is not allowed in this context. Negative forms are not allowed (no "may not"); permissions must be positive. A quote: "Rather than using negative permissions, either rewrite the sentence to state what is permitted, or rewrite as a requirement/recommendation not to do something."
Possibility should use "can", or phrases using forms of "able" or "possible".
ISO has taken this further and does not want to see "might", "could", or "need" at all; they assume that they are being used in one of the above contexts. I don't know where "need" comes from (other than the "House Style", but that's not normative), the Directives never mentions it as a word to avoid, and in fact it uses the word "needs" with the meaning of desires repeatedly. But the Directives is clear that one should not use any words other than the above to express requirements, recommendations, or permissions.
We have a particular problem with "need not", used frequently to get around not being able to say "may not". That is discussed and handled in AI12-0444-1. [Editor's note: one case of "could cause" is also in AI12-0444-1, as all of the related paragraphs use both "need not" and "could cause".]
Note that while some phrases are given meanings, other uses of the words seem be to be allowed by the Directives. For instance, "necessary" is used in many contexts in the Directives that are not requirements.
We handle occurrences of "must" in AI12-0438-1, and simple changes where some other word should be replaced by "can" in AI12-0439-1.
The remaining cases are handled in this AI.
---
The editor has created a file that contains just the normative text of the Standard. In this file, we have the following number of occurrences:
must 11 might 68 could 16 need 215 (58 of these are "needs", mostly in "needs finalization")
(48 of these are "needed", which is a technical term
when used with compilation units. In order to convince ISO this is OK, this term should be defined in the "terms" (probably along with "mentioned")).
(74 of these are "need not", which should not be
used but has no easy replacement).
----
We might be able to argue that "need" is not mentioned in the drafting document, but even so we ought to get rid of as many of those as possible.
There is nearly 200 paragraphs here that probably need fixing, and there is not a one-size-fits all solution. Many of the occurrences of "could" and "might" could be replaced by "can", but certainly not all.
We could consider making wording changes only for the ISO version (new commands would be needed in the formatter to support that if is done a lot
- currently, we can only do that on a full paragraph basis or with a few
macros - but new commands should not be hard to define and implement).
!ASIS
No ASIS effect.
!ACATS test
No ACATS test should be needed, no change in meaning is intended and these are notes anyway.
!appendix

Here are wording involving "might" that don't have obvious fixes:

7.6.1(16/2):

   * For an Adjust invoked as part of assignment operations other than
        those invoked as part of an assignment_statement, other adjustments
        due to be performed might or might not be performed, and then
        Program_Error is raised. During its propagation, finalization might or
        might not be applied to objects whose Adjust failed. For an Adjust
        invoked as part of an assignment_statement, any other adjustments due
        to be performed are performed, and then Program_Error is raised.

["might or might not" is doubly bad. "can or cannot" doesn't make much sense.
I thought of using "it is not specified whether other adjustments due to be
performed are actually performed", but that's pretty long (and one would have
to do something similar for the next sentence). Any better ideas??]



Here are wording changes involving "need to" that ought to be replaced (the
ISO "house rules" mention "need to" rather than "need" itself):

Introduction

52.20/5   * The Jorvik profile is introduced to support hard real-time
        applications that need to go beyond the restrictions of the Ravenscar
        profile.

[Did not try.]

12.5.1 Formal Private and Derived Types

1/3 In its most general form, the category determined for a formal private
type is all types, but the category can be restricted to only nonlimited types
or to only tagged types. Similarly, the category for a formal incomplete type
is all types but the category can be restricted to only tagged types; unlike
other formal types, the actual type does not need to be able to be frozen (see
13.14). The category determined for a formal derived type is the derivation
class rooted at the ancestor type.

[Did not try to find rewording.]

13.6 Change of Representation

1/3 A type_conversion (see 4.6) can be used to convert between two different
representations of the same array or record. To convert an array from one
representation to another, two array types need to be declared with matching
component subtypes, and convertible index types. If one type has Pack
specified and the other does not, then explicit conversion can be used to pack
or unpack an array.

[Did not try to find rewording.]

2/5 To convert an untagged record from one representation to another, two
record types with a common ancestor type need to be declared. Distinct
representations can then be specified for the record types, and explicit
conversion between the types can be used to effect a change in representation.

[Did not try to find rewording.]

D.9 Delay Accuracy

12    * An upper bound on the lateness of a delay_relative_statement, for a
        positive value of the delay expression, in a situation where the task
        has sufficient priority to preempt the processor as soon as it becomes
        ready, and does not need to wait for any other execution resources.
        The upper bound is expressed as a function of the value of the delay
        expression. The lateness is obtained by subtracting the value of the
        delay expression from the actual duration. The actual duration is
        measured from a point immediately before a task executes the
        delay_statement to a point immediately after the task resumes
        execution following this statement.

[Did not try to find rewording.]

13    * An upper bound on the lateness of a delay_until_statement, in a
        situation where the value of the requested expiration time is after
        the time the task begins executing the statement, the task has
        sufficient priority to preempt the processor as soon as it becomes
        ready, and it does not need to wait for any other execution resources.
        The upper bound is expressed as a function of the difference between
        the requested expiration time and the clock value at the time the
        statement begins execution. The lateness of a delay_until_statement is
        obtained by subtracting the requested expiration time from the real
        time that the task resumes execution following this statement.

[Did not try to find rewording.]


Here are wording changes involving other forms of "need" that aren't technical
uses or "need not" or "need to": 

3.5.10 Operations of Fixed Point Types

4   S'Fore      S'Fore yields the minimum number of characters needed before
                the decimal point for the decimal representation of any value
                of the subtype S, assuming that the representation does not
                include an exponent, but includes a one-character prefix that
                is either a minus sign or a space. (This minimum number does
                not include superfluous zeros or underlines, and is at least
                2.) The value of this attribute is of the type
                universal_integer.

[Did not try to find rewording.]

5   S'Aft       S'Aft yields the number of decimal digits needed after the
                decimal point to accommodate the delta of the subtype S,
                unless the delta of the subtype S is greater than 0.1, in
                which case the attribute yields the value one. (S'Aft is the
                smallest positive integer N for which (10**N)*S'Delta is
                greater than or equal to one.) The value of this attribute is
                of the type universal_integer.

[Did not try to find rewording.]

9.6.1 Formatting, Time Zones, and other operations for Time

82/2        Returns a string form of the Date relative to the given Time_Zone.
            The format is "Year-Month-Day Hour:Minute:Second", where the Year
            is a 4-digit value, and all others are 2-digit values, of the
            functions defined in Calendar and Calendar.Formatting, including a
            leading zero, if {necessary}[needed]. The separators between the values are a
            minus, another minus, a colon, and a single space between the Day
            and Hour. If Include_Time_Fraction is True, the integer part of
            Sub_Seconds*100 is suffixed to the string as a point followed by a
            2-digit value.

[Replace "needed".]

10.1.1 Compilation Units - Library Units

24    * The semantic dependences (see below) are the ones needed to check the
        compile-time rules across compilation unit boundaries; a compilation
        unit depends semantically on the other compilation units {necessary}[needed] to
        determine its legality. The visibility rules are based on the semantic
        dependences.

[Replace "needed".]

10.1.4 The Compilation Process

2   The declarative_items of the environment are library_items appearing in an
order such that there are no forward semantic dependences. Each included
subunit occurs in place of the corresponding stub. The visibility rules apply
as if the environment were the outermost declarative region, except that with_-
clauses are {necessary}[needed] to make declarations of library units visible (see 10.1.2).

[Replace "needed".]

11.1 Exception Declarations

6   The execution of any construct raises Storage_Error if there is
insufficient storage for that execution. The amount of storage {necessary}[needed] for the
execution of constructs is unspecified.

[Replace "needed".]

11.4.2 Pragmas Assert and Assertion_Policy

26/3 If the result of a function call in an assertion is not {necessary}[needed] to
determine the value of the assertion expression, an implementation is
permitted to omit the function call. This permission applies even if the
function has side effects.

[Replace "needed".]

11.6 Exceptions and Optimization

6/3   * If an exception is raised due to the failure of a language-defined
        check, then upon reaching the corresponding exception_handler (or the
        termination of the task, if none), the external interactions that have
        occurred need reflect only that the exception was raised somewhere
        within the execution of the sequence_of_statements with the handler
        (or the task_body), possibly earlier (or later if the interactions are
        independent of the result of the checked operation) than that defined
        by the canonical semantics, but not within the execution of some
        abort-deferred operation or independent subprogram that does not
        dynamically enclose the execution of the construct whose check failed.
        An independent subprogram is one that is defined outside the library
        unit containing the construct whose check failed, and for which the
        Inline aspect is False. Any assignment that occurred outside of such
        abort-deferred operations or independent subprograms can be disrupted
        by the raising of the exception, causing the object or its parts to
        become abnormal, and certain subsequent uses of the object to be
        erroneous, as explained in 13.9.1.

[No attempt to fix.]

12.5.1 Formal Private and Derived Types


1/3 In its most general form, the category determined for a formal private
type is all types, but the category can be restricted to only nonlimited types
or to only tagged types. Similarly, the category for a formal incomplete type
is all types but the category can be restricted to only tagged types; unlike
other formal types, the actual type does not need to be able to be frozen (see
13.14). The category determined for a formal derived type is the derivation
class rooted at the ancestor type.

[No attempt to fix.]

13.3 Operational and Representation Attributes

51.16/5   * If S is some other subtype, only confirming specifications of
        Object_Size need be supported.

[No attempt to fix.]

13.11 Storage Management

21.6/3 The number of calls to Allocate needed to implement an allocator for
any particular type is unspecified. The number of calls to Deallocate needed
to implement an instance of Unchecked_Deallocation (see 13.11.2) for any
particular object is the same as the number of Allocate calls for that object.

[No attempt to fix.]

22  An implementation shall document the set of values that a user-defined
Allocate procedure needs to accept for the Alignment parameter. An
implementation shall document how the standard storage pool is chosen, and how
storage is allocated by standard storage pools.

[No attempt to fix.]

13.11.4 Storage Subpools

19/3 A subpool object is an object of a type descended from Root_Subpool.
Typically, subpool objects are managed by the containing storage pool; only
the handles need be exposed to clients of the storage pool. Subpool objects
are designated by subpool handles, and are the run-time representation of a
subpool.

[No attempt to fix.]

13.13.2 Stream-Oriented Attributes

56/3 The number of calls performed by the predefined implementation of the
stream-oriented attributes on the Read and Write operations of the stream type
is unspecified. An implementation may take advantage of this permission to
perform internal buffering. However, all the calls on the Read and Write
operations of the stream type needed to implement an explicit invocation of a
stream-oriented attribute shall take place before this invocation returns. An
explicit invocation is one appearing explicitly in the program text, possibly
through a generic instantiation (see 12.3).

[No attempt to fix.]

56.1/3 If T is a discriminated type and its discriminants have defaults, then
in two cases an execution of the default implementation of S'Read is not
required to create an anonymous object of type T: If the discriminant values
that are read in are equal to the corresponding discriminant values of Item,
then no object of type T need be created and Item may be used instead. If they
are not equal and Item is a constrained variable, then Constraint_Error may be
raised at that point, before any further values are read from the stream and
before the object of type T is created.

[No attempt to fix.]

A.1 The Package Standard

51  An implementation may provide additional predefined integer types and
additional predefined floating point types. Not all of these types need have
names.

[No attempt to fix. Isn't the last part redundant with rules in 3.5.4 and 
3.5.7? And why do we care about unnamed types in Standard?]

A.6 Input-Output

1/2 Input-output is provided through language-defined packages, each of which
is a child of the root package Ada. The generic packages Sequential_IO and
Direct_IO define input-output operations applicable to files containing
elements of a given type. The generic package Storage_IO supports reading from
and writing to an in-memory buffer. Additional operations for text
input-output are supplied in the packages Text_IO, Wide_Text_IO, and
Wide_Wide_Text_IO. Heterogeneous input-output is provided through the child
packages Streams.Stream_IO and Text_IO.Text_Streams (see also 13.13). The
package IO_Exceptions defines the exceptions needed by the predefined
input-output packages.

[No attempt to fix.]

A.10.9 Input-Output for Real Types

23          Outputs the value of the parameter Item as a decimal literal with
            the format defined by Fore, Aft and Exp. If the value is negative,
            or if Num is a floating point type where Num'Signed_Zeros is True
            and the value is a negatively signed zero, then a minus sign is
            included in the integer part. If Exp has the value zero, then the
            integer part to be output has as many digits as are needed to
            represent the integer part of the value of Item, overriding Fore
            if necessary, or consists of the digit zero if the value of Item
            has no integer part.

[The easy fix here leaves too many "necessary"s.]

A.13 Exceptions in Input-Output

1   The package IO_Exceptions defines the exceptions needed by the predefined
input-output packages.

[No attempt to fix.]

A.18.2 The Generic Package Containers.Vectors

115/3       If the capacity of Container is already greater than or equal to
            Capacity, then Reserve_Capacity has no effect. Otherwise,
            Reserve_Capacity allocates additional storage as necessary to
            ensure that the length of the resulting vector can become at least
            the value Capacity without requiring an additional call to
            Reserve_Capacity, and is large enough to hold the current length
            of Container. Reserve_Capacity then, as necessary, moves elements
            into the new storage and deallocates any storage no longer needed.
            Any exception raised during allocation is propagated and Container
            is not modified.

[No attempt to fix.]

B.3.2 The Generic Package Interfaces.C.Pointers

2   The generic allows two styles of usage: one in which the array is
terminated by a special terminator element; and another in which the
programmer needs to keep track of the length.

[No attempt to fix.]

D.15 Timing Events

1/3 This subclause describes a language-defined package to allow user-defined
protected procedures to be executed at a specified time without the need for a
task or a delay statement.

[No attempt to fix.]

                                  Annex G
                                 (normative)

                                  Numerics

4     * a mode ("relaxed mode"), in which no accuracy or other numeric
        performance requirements need be satisfied, as for implementations not
        conforming to the Numerics Annex;

[No attempt to fix.]

                                   Annex H
                                 (normative)

                           High Integrity Systems


1/2 This Annex addresses requirements for high integrity systems (including
safety-critical systems and security-critical systems). It provides facilities
and specifies documentation requirements that relate to several needs:

[I believe this use of the word "needs" is OK, as it appears several times in
the Directives themselves.]

****************************************************************



Questions? Ask the ACAA Technical Agent