Version 1.1 of ais/ai-00266.txt

Unformatted version of ais/ai-00266.txt version 1.1
Other versions for file ais/ai-00266.txt

!standard D.2.2 (5)          01-05-10 AI95-00266/01
!standard D.7 (00)
!class amendment 01-05-10
!status work item 01-05-10
!status received 01-05-10
!priority High
!difficulty Medium
!subject Task Termination procedure
!summary
A pragma is proposed that used as part of a task definition specifies a task termination procedure to be called when a task body completes.
!problem
In Ada 95, a task propagating an exception will silently be terminated. This is a significant hazard in high integrity systems.
!proposal
The provision of an application-defined task finalization procedure is required so as to mitigate the hazard of "silent task death" in high integrity systems and to provide the opportunity for application- specific recovery action in an environment that does not support dynamic task creation. The proposal is to allow the application to specify a task finalization handler that is executed by the task itself when it completes its task body (normally or abnormally). The handler is a parameterless library-level procedure and the attachment of the handler is in effect for the lifetime of the task (this is analogous to the use of pragma Attach_Handler to attach interrupt handlers). The default handler is a null body procedure (like Finalize).
!wording
Static Semantics
pragma Termination_Handler ( <handler_name> );
The handler_name shall resolve to denote a library-level procedure with a parameterless profile.
The Termination_Handler pragma is allowed only within a task_definition.
Dynamic Semantics
The effect of specifying pragma Termination_Handler is that the enclosing task executes the procedure denoted by handler_name after the task body completes and all finalization of the task body has been performed. An exception that is propagated by handler_name has no effect.
Implementation Permissions
An implementation may place restrictions on the constructs that may be executed by handler_name.
!example
!discussion
Many safety critical and high integrity systems prohibit exception handling, and so the use of a "when others" handler at the task body level is then not available.
!ACATS test
!appendix

[Editor's note: This originally was part of the Ravenscar proposal,
see AI-249.]

****************************************************************

From: Randy Brukardt
Date: Wednesday, April 11, 2001, 5:41 PM.

This proposal seems to be exactly equivalent to the following code. (We use
code like this in Claw to handle locking, so that the user can't lock
something and leave it locked by omission or by abnormal termination.)

Since this code is pure Ada 95, it would be useful to understand why this
is not an effective solution to the problem posed.

     type Handler_Object is new Ada.Finalization.Limited_Controlled
         with null record;
     procedure Finalize (Object : in out Handler_Object) is
     begin
         <handler_name>; -- Call to <handler_name>; as a practical matter,
             -- you'd probably put the code here.
     end Finalize;

     task My_Task ...

     task body My_Task is
         Termination_Handler : Handler_Object; -- Declare this first,
               -- so it gets finalized last.
          ...
     end My_Task;

The basic idea is to insure that the last thing Finalized is your
termination handler. Clearly, it's easier to mess this up than with the
pragma (if someone sticks something in front of the termination object, you
could have trouble), but the semantics seem to be exactly the same. So I
would consider this proposal unnecessary without further justification. I'd
also suggest that the semantics be defined in terms of this sort of code if
possible (it would make the proposal look "simpler", which is always good).

****************************************************************

Questions? Ask the ACAA Technical Agent