!standard D.2.2 (5) 01-05-10 AI95-00266/01 !standard D.7 (00) !class amendment 01-05-10 !status work item 01-05-10 !status received 01-05-10 !priority High !difficulty Medium !subject Task Termination procedure !summary A pragma is proposed that used as part of a task definition specifies a task termination procedure to be called when a task body completes. !problem In Ada 95, a task propagating an exception will silently be terminated. This is a significant hazard in high integrity systems. !proposal The provision of an application-defined task finalization procedure is required so as to mitigate the hazard of "silent task death" in high integrity systems and to provide the opportunity for application- specific recovery action in an environment that does not support dynamic task creation. The proposal is to allow the application to specify a task finalization handler that is executed by the task itself when it completes its task body (normally or abnormally). The handler is a parameterless library-level procedure and the attachment of the handler is in effect for the lifetime of the task (this is analogous to the use of pragma Attach_Handler to attach interrupt handlers). The default handler is a null body procedure (like Finalize). !wording Static Semantics pragma Termination_Handler ( ); The handler_name shall resolve to denote a library-level procedure with a parameterless profile. The Termination_Handler pragma is allowed only within a task_definition. Dynamic Semantics The effect of specifying pragma Termination_Handler is that the enclosing task executes the procedure denoted by handler_name after the task body completes and all finalization of the task body has been performed. An exception that is propagated by handler_name has no effect. Implementation Permissions An implementation may place restrictions on the constructs that may be executed by handler_name. !example !discussion Many safety critical and high integrity systems prohibit exception handling, and so the use of a "when others" handler at the task body level is then not available. !ACATS test !appendix [Editor's note: This originally was part of the Ravenscar proposal, see AI-249.] **************************************************************** From: Randy Brukardt Date: Wednesday, April 11, 2001, 5:41 PM. This proposal seems to be exactly equivalent to the following code. (We use code like this in Claw to handle locking, so that the user can't lock something and leave it locked by omission or by abnormal termination.) Since this code is pure Ada 95, it would be useful to understand why this is not an effective solution to the problem posed. type Handler_Object is new Ada.Finalization.Limited_Controlled with null record; procedure Finalize (Object : in out Handler_Object) is begin ; -- Call to ; as a practical matter, -- you'd probably put the code here. end Finalize; task My_Task ... task body My_Task is Termination_Handler : Handler_Object; -- Declare this first, -- so it gets finalized last. ... end My_Task; The basic idea is to insure that the last thing Finalized is your termination handler. Clearly, it's easier to mess this up than with the pragma (if someone sticks something in front of the termination object, you could have trouble), but the semantics seem to be exactly the same. So I would consider this proposal unnecessary without further justification. I'd also suggest that the semantics be defined in terms of this sort of code if possible (it would make the proposal look "simpler", which is always good). ****************************************************************