Version 1.3 of ais/ai-00279.txt


!standard 13.13.02 (34)          01-12-21 AI95-00279/01
!class binding interpretation 01-12-21
!status work item 01-12-21
!status received 01-11-08
!qualifier Omission
!priority Medium
!difficulty Medium
!subject Tag read by T'Class'Input
!summary
If the tag identified by T'Class'Input identifies a type:
-- that is the tag of some type not covered by T'Class, Constraint_Error
is raised;
-- that is the tag of an abstract type, Constraint_Error is raised;
-- that is the tag of a type whose freezing point has not yet been
elaborated, a bounded error occurs - either the call works normally, or
Program_Error is raised.
!question
T'Class'Input reads in a string, maps it to a tag by calling Tags.Internal_Tag, and dispatches accordingly.
What happens if the call to Tags.Internal_Tag yields either
a) the tag of some type not covered by T'Class
or
b) the tag of an abstract type
or
c) the tag of a type whose freezing point has not
yet been elaborated (e.g. a type with a not-yet-elaborated component subtype)?
!recommendation
(See summary.)
!wording
(See corrigendum.)
!discussion
The exact wording of 13.13.2(34) is "...dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.". Reading this strictly, we would expect the appropriate 'Input to be called (by dispatching), followed by a conversion to the return type. That is, somewhere there is code like:
return T'Class(Call_by_Tag (Tags.Internal_Tag(...), 'Input(Stream)));
(where Call_by_Tag is a magic routine that dispatches to the appropriate routine identified by the tag in its first parameter).
If the tag dispatched on is not covered by T, then this final conversion would raise Constraint_Error. Therefore, we simply confirm the existing language by saying that Constraint_Error is raised in this case. However, there is no benefit in insisting that the call to the 'Input routine actually be made, so the wording just says that Constraint_Error is raised.
If the tag dispatched on is an abstract type, then the appropriate 'Input is called. The language says that this 'Input operation exists, but that it cannot be called because it is not available. (See AI-195 for the definition of "available".)
We certainly cannot allow a non-available routine to be dispatched to. Thus, there must be a runtime check for this case, and an exception raised. We choose to raise Constraint_Error to be similar to the previous case.
If the tag dispatched on is for a type that has not yet been frozen, we could have an access-before-elaboration problem. If the appropriate 'Input is user-defined, the body of the 'Input routine could not yet be frozen (as a body is a freezing point), so any normal call to this routine should raise Program_Error. For the default implementation of 'Input, it is unclear whether the overhead of checking for access-before-elaboration is worthwhile. This overhead would be required on all uses of the Input attribute, in order to handle a very unlikely case. Therefore, we define this case to be a bounded error, requiring either that the attribute work as defined by the RM, or that Program_Error be raised. This allows implementations to check for access-before-elaboration only in those default implementations of Input where there might be a problem if the routine is called before the type is frozen.
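The following program is an added illustration of cases (a) and (b), not part of this AI or of any ARG text: it relies on 13.13.2(34)'s description that T'Class'Input first reads the external tag with String'Input and maps it to an internal tag, so a stream holding only a tag string is enough to reach the check. It reports whichever exception the implementation actually raises so the reader can compare with the summary above; the package and procedure names and the scratch file are assumed, and the two compilation units are meant to be split with gnatchop. Case (c) needs a tag read before its type is frozen and is not reproduced.

```ada
--  Two compilation units (split with gnatchop): the types are declared at
--  library level so their external tags are registered with Ada.Tags.
package AI279_Types is
   type Root  is tagged record X : Integer := 1; end record;
   --  Abstr'Input exists but is not "available" (see AI-195).
   type Abstr is abstract new Root with null record;
   --  Other is a separate hierarchy, not covered by Root'Class.
   type Other is tagged record Y : Integer := 2; end record;
end AI279_Types;

with Ada.Streams.Stream_IO;  use Ada.Streams.Stream_IO;
with Ada.Exceptions;         use Ada.Exceptions;
with Ada.Tags;               use Ada.Tags;
with Ada.Text_IO;
with AI279_Types;            use AI279_Types;

procedure AI279_Demo is
   Scratch : constant String := "ai279_scratch.dat";  -- constructed scratch file

   --  Root'Class'Input first reads the external tag with String'Input and
   --  maps it to an internal tag before dispatching, so a stream holding
   --  only the tag string is enough to exercise cases (a) and (b).
   --  Returns the name of the exception that escaped, or "none".
   function Input_Outcome (External : String) return String is
      File : File_Type;
   begin
      Create (File, Out_File, Scratch);
      String'Output (Stream (File), External);
      Close (File);
      Open (File, In_File, Scratch);
      declare
         Obj : constant Root'Class := Root'Class'Input (Stream (File));
      begin
         Delete (File);
         return "none (dispatched to " & Expanded_Name (Obj'Tag) & ")";
      end;
   exception
      when E : others =>
         if Is_Open (File) then Delete (File); end if;
         return Exception_Name (E);
   end Input_Outcome;
begin
   --  Case (a): tag of a type not covered by Root'Class; the AI summary
   --  proposes Constraint_Error.
   Ada.Text_IO.Put_Line ("(a) unrelated tag: "
                         & Input_Outcome (External_Tag (Other'Tag)));
   --  Case (b): tag of an abstract type; the AI summary proposes
   --  Constraint_Error, raised before any dispatch to Abstr'Input.
   Ada.Text_IO.Put_Line ("(b) abstract tag:  "
                         & Input_Outcome (External_Tag (Abstr'Tag)));
end AI279_Demo;
```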
!corrigendum 13.13.02(34)
Replace the paragraph:
First reads the external tag from Stream and determines the corresponding internal tag (by calling Tags.Internal_Tag(String'Input(Stream)) -- see 3.9) and then dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.
by:
First reads the external tag from Stream and determines the corresponding internal tag (by calling Tags.Internal_Tag(String'Input(Stream)) -- see 3.9) and then dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.
[Note: I didn't provide wording, since I'm uncertain that I have the "correct" answer here. - ED]
!ACATS test
A C-Test could be written to test these cases.
!appendix

From: Steve Baird
Date: Thursday, November 08, 2001   8:54 PM

T'Class'Input reads in a string, maps it to a tag,
and dispatches accordingly.

What happens if the call to Tags.Internal_Tag yields either
   a) the tag of some type not covered by T'Class
or
   b) the tag of an abstract type
or
   c) the tag of a type whose freezing point has not
      yet been elaborated (e.g. a type with a
      not-yet-elaborated component subtype).
?

Is this erroneous? Must Program_Error be raised?

****************************************************************

From: Randy Brukardt
Date: Wednesday, November 14, 2001   7:26 PM

> T'Class'Input reads in a string, maps it to a tag,
> and dispatches accordingly.
>
> What happens if the call to Tags.Internal_Tag
> yields either
>    a) the tag of some type not covered by T'Class

The exact wording of 13.13.2(34) is "...dispatches to the subprogram denoted
by the Input attribute of the specific type identified by the internal tag;
returns that result.". Reading this strictly, I would expect the appropriate
'Input to be called, then Constraint_Error to be raised because it isn't
possible to convert the result to the return type. That is, somewhere this
is code like:

    return T'Class(Call_by_Tag (Tags.Internal_Tag(...), 'Input(....)));

But we may want to change that. Note that I already pointed out that this
isn't clearly defined in my (old) write-up of AI-260 ('Tag_Read).

> or
>    b) the tag of an abstract type

Here again, it is clear what happens: if the abstract type is Abstr,
Abstr'Input is called. Note that Abstr'Input is defined. AI-195 says that it
exists, but cannot be called, because it is not "available".

So we seem to have a case where a routine that is not "available" can be
dispatched to.

> or
>    c) the tag of a type whose freezing point has not
>       yet been elaborated (e.g. a type with a
>       not-yet-elaborated component subtype).
> ?

Sigh. If the 'Input is user-defined, it couldn't have been elaborated yet,
so Program_Error must be raised. But are predefined 'Input elaborated? (I
hope not - we don't need the overhead). If not, then we have an ugly and
highly unlikely case. Probably it is best to just declare it erroneous, as
any check is going to be expensive and distributed.

> Is this erroneous? Must Program_Error be raised?

The answers to these questions probably are all different. I think (a)
should be Constraint_Error, and in any case, should be the same as whatever
AI-260 says happens for 'Tag_Read.

(b) is a special case which will have to raise some exception; probably
Constraint_Error or Program_Error.

(c) seems best to be erroneous, because the check is going to occur on every
use of a stream attribute, and this is very rare. But when it can be
checked, it should raise Program_Error (as it is an
access-before-elaboration error).

In any case, I don't think this new issue should be used to prevent AI-195
from being completed. That AI already has too many issues in it, and if we
stick every stream issue that we discover (and I expect our grandchildren
will still be discovering problems with streams) into it, we'll never finish
it and fix many important stream problems.

Besides, issue (a) was already discussed in the context of AI-260, and it
would make just as much sense to put this issue there. Or open a new AI.

****************************************************************

From: Steve Baird
Date: Monday, January 28, 2002   2:27 PM

To recap, AI-279 is a response to the following question:

    T'Class'Input reads in a string, maps it to a tag by calling
    Tags.Internal_Tag, and dispatches accordingly.

    What happens if the call to Tags.Internal_Tag yields either
      a) the tag of some type not covered by T'Class
    or
      b) the tag of an abstract type
    or
      c) the tag of a type whose freezing point has not
         yet been elaborated (e.g. a type with a
         not-yet-elaborated component subtype)?

The answers given in the AI summary are
    a) raise Constraint_Error
    b) raise Constraint_Error
    c) bounded error: raise Program_Error or "the call works normally".

For a & b, this is fine. One might argue for raising Program_Error instead
of Constraint_Error, but that's a nit. It is important to be clear that
no dispatching call occurs if the exception is raised; the check precedes
the call.

I believe the third case should result in erroneous execution.

The suggestion that "the call works normally" or works "as defined by the
RM" is not well defined. The language (specifically, the freezing rules)
statically prohibits the creation of an object of an unfrozen type. The
dynamic semantics of a statically illegal construct are undefined. With the
possible exception of the rules pertaining to erroneous execution, the RM
does not have rules of the form "<blap> is prohibited, but this is what it
does at runtime if you do somehow manage to get it through the compiler".

Allowing non-erroneous execution in this case might allow a subprogram to
be called before it can be named (i.e. before the elaboration of its
initial declaration). This would be new to Ada. It could mean,
for example, that a one-part subprogram might require an elaboration
check, or that an elaboration checking implementation strategy based on
initializing some piece of state at the point of the initial declaration
of a subprogram and then updating it when the body is elaborated would
no longer work.

Requiring implementations to detect the error and raise some exception
would also be a well-defined solution, but would require a fair
amount of overhead (in execution time, code space, and implementation
complexity) to cope with a case which, as far as I know, no one
has ever run into in practice.

****************************************************************

From: Robert Dewar
Date: Monday, January 28, 2002   3:45 PM

I agree with Steve's position on this point, case c) should be erroneous.

****************************************************************

From: Randy Brukardt
Date: Monday, January 28, 2002   5:07 PM

> I agree with Steve's position on this point, case c) should
> be erroneous

I made this a bounded error when I wrote up the AI, because I didn't like
the extent of erroneousness that is caused.

If this is erroneous, then *any* call to 'Input before all tagged types are
elaborated is potentially erroneous. Moreover, there is no way to prevent
erroneous execution in that case, because the programmer has no control over
the data actually read. And, there is no way to detect that there was/might
be a problem, until you've run off the tracks.

To prevent the erroneousness, you would have to have elaborate pragmas for
every tagged type that the 'Input might read, which completely defeats the
purpose of classwide 'Input (and would require adding such pragmas during
maintenance as tagged types are added).

The only safe thing to do would be to avoid using classwide 'Input until the
main subprogram starts executing (assuming that all tagged types are library
level, which is almost always the case). But in reusable code, there would
be no way to enforce this prohibition, and no way to prevent catastrophe if
it happened.

So while I'm uncomfortable spending much effort on a rare case, making this
erroneous would make using 'Input unsafe in any high-reliability system.

****************************************************************

From: Robert Dewar
Date: Monday, January 28, 2002   9:19 PM

<<The only safe thing to do would be to avoid using classwide 'Input until the
main subprogram starts executing (assuming that all tagged types are library
level, which is almost always the case). But in reusable code, there would
be no way to enforce this prohibition, and no way to prevent catastrophe if
it happened.
>>

Indeed that's the only safe thing to do.

<<So while I'm uncomfortable spending much effort on a rare case, making this
erroneous would make using 'Input unsafe in any high-reliability system.
>>

If you don't want this to be erroneous, you have a lot more work to do in
describing what the possible behaviors are. You can't appeal to the "proper
RM behavior" here, as was pointed out earlier in the thread.

****************************************************************

From: Randy Brukardt
Date: Monday, January 28, 2002   9:47 PM

> <<So while I'm uncomfortable spending much effort on a rare case, making this
> erroneous would make using 'Input unsafe in any high-reliability system.
> >>
>
> If you don't want this to be erroneous, you have a lot more work to do in
> describing what the possible behaviors are. You can't appeal to the "proper
> RM behavior" here, as was pointed out earlier in the thread.

Steve was reacting to my informal description of the semantics. I made no
attempt to determine the RM wording, since I felt that we needed to discuss
this at an ARG meeting before putting in that effort.

If it turns out to be impossible to word, then I probably would lean toward
requiring an access before elaboration check. My original reaction to that was
(as Steve put it) "would require a fair amount of overhead (in execution time,
code space, and implementation complexity)", but I've since concluded that
doing so is no worse than the elaboration check that is needed on every
user-defined 'Input routine anyway. The only requirement would be that default
'Input routines actually exist somewhere, which I believe is necessary anyway
for dispatching. The question is whether the (small) overhead is worth it; Ada
concludes that is the case for regular subprograms, so it seems hard to argue
that it shouldn't be the case for the default implementation of 'Input.

****************************************************************
