Version 1.4 of ais/ai-00279.txt

Unformatted version of ais/ai-00279.txt version 1.4
Other versions for file ais/ai-00279.txt

!standard 13.13.02 (34)          01-12-21 AI95-00279/01
!class binding interpretation 01-12-21
!status work item 01-12-21
!status received 01-11-08
!qualifier Omission
!priority Medium
!difficulty Medium
!subject Tag read by T'Class'Input
!summary
If the tag identified by T'Class'Input identifies a type:
-- that is the tag of some type not covered by T'Class, Constraint_Error
is raised;
-- that is the tag of an abstract type, Constraint_Error is raised; -- that is the tag of a type whose freezing point has not yet been
elaborated, a bounded error occurs - either the call works normally, or Program_Error is raised.
!question
T'Class'Input reads in a string, maps it to a tag by calling Tags.Internal_Tag, and dispatches accordingly.
What happens if the the call to Tags.Internal_Tag yields either
a) the tag of some type not covered by T'Class
or
b) the tag of an abstract type
or
c) the tag of a type whose freezing point has not
yet been elaborated (e.g. a type with a not-yet-elaborated component subtype)?
!recommendation
(See summary.)
!wording
(See corrigendum.)
!discussion
The exact wording of 13.13.2(34) is "...dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.". Reading this strictly, we would expect the appropriate 'Input to be called (by dispatching), followed by a conversion to the return type. That is, somewhere this is code like:
return T'Class(Call_by_Tag (Tags.Internal_Tag(...), 'Input(Stream));
(where Call_by_Tag is a magic routine that dispatches to the appropriate routine identified by the tag in its first parameter).
If the tag dispatched on is not covered by T, then this final conversion would raise Constraint_Error. Therefore, we simply confirm the existing language by saying that Constraint_Error is raised in this case. However, there is no benefit in insisting that the call to the 'Input routine is actually made, so we just clarify this to just say that Constraint_Error is raised.
If the tag dispatched on is an abstract type, then the appropriate 'Input is called. The language says that this 'Input operation exists, but that it cannot be called because it is not available. (See AI-195 for the definition of "available".)
We certainly cannot allow a non-available routine to be dispatched to. Thus, there must be a runtime check for this case, and an exception raised. We choose to raise Constraint_Error to be similar to the previous case.
If the tag dispatched on is for a type that has not yet been frozen, we could have an access-before-elaboration problem. If the approriate 'Input is user-defined, the body of the 'Input routine could not yet be frozen (as a body is a freezing point), so that any normal call to this routine should raise Program_Error. For the default implementation for 'Input, it is unclear whether the overhead of checking for access-before-elaboration is worthwhile. This overhead would be required on all uses of the Input attribute, in order to handle a very unlikely case. Therefore, we define this case to be a bounded error, requiring either the attribute to work as defined by the RM, or raising Program_Error. This allows implementations to only check for access-before-elaboration in default implementations of Input where there would might be a problem if the routine is called before the type is frozen.
!corrigendum 13.13.02(34)
Replace the paragraph:
First reads the external tag from Stream and determines the corresponding internal tag (by calling Tags.Internal_Tag(String'Input(Stream)) -- see 3.9) and then dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.
by:
First reads the external tag from Stream and determines the corresponding internal tag (by calling Tags.Internal_Tag(String'Input(Stream)) -- see 3.9) and then dispatches to the subprogram denoted by the Input attribute of the specific type identified by the internal tag; returns that result.
[Note: I didn't provide wording, since I'm uncertain that I have the "correct" answer here. - ED]
!ACATS test
A C-Test could be written to test these cases.
!appendix

From: Steve Baird
Date: Thursday, November 08, 2001   8:54 PM

T'Class'Input reads in a string, maps it to a tag,
and dispatches accordingly.

What happens if the the call to Tags.Internal_Tag yields either
   a) the tag of some type not covered by T'Class
or
   b) the tag of an abstract type
or
   c) the tag of a type whose freezing point has not
      yet been elaborated (e.g. a type with a
      not-yet-elaborated component subtype).
?

Is this erroneous? Must Program_Error be raised?

****************************************************************

From: Randy Brukardt
Date: Wednesday, November 14, 2001   7:26 PM

> T'Class'Input reads in a string, maps it to a tag,
> and dispatches accordingly.
>
> What happens if the the call to Tags.Internal_Tag
> yields either
>    a) the tag of some type not covered by T'Class

The exact wording of 13.13.2(34) is "...dispatches to the subprogram denoted
by the Input attribute of the specific type identified by the internal tag;
returns that result.". Reading this strictly, I would expect the appropriate
'Input to be called, then Constraint_Error to be raised because it isn't
possible to convert the result to the return type. That is, somewhere this
is code like:

    return T'Class(Call_by_Tag (Tags.Internal_Tag(...), 'Input(....));

But we may want to change that. Note that I already pointed out that this
isn't clearly defined in my (old) write-up of AI-260 ('Tag_Read).

> or
>    b) the tag of an abstract type

Here again, it is clear what happens: if the abstract type is Abstr,
Abstr'Input is called. Note that Abstr'Input is defined. AI-195 says that it
exists, but cannot be called, because it is not "available".

So we seem to have a case where a routine that is not "available" can be
dispatched to.

> or
>    c) the tag of a type whose freezing point has not
>       yet been elaborated (e.g. a type with a
>       not-yet-elaborated component subtype).
> ?

Sigh. If the 'Input is user-defined, it couldn't have been elaborated yet,
so Program_Error must be raised. But are predefined 'Input elaborated? (I
hope not - we don't need the overhead). If not, then we have an ugly and
highly unlikely case. Probably it is best to just declare it erroneous, as
any check is going to be expensive and distributed.

> Is this erroneous? Must Program_Error be raised?

The answers to these questions probably are all different. I think (a)
should be Constraint_Error, and in any case, should be the same as whatever
AI-260 says happens for 'Tag_Read.

(b) is a special case which will have to raise some exception; probably
Constraint_Error or Program_Error.

(c) seems best to be erroneous, because the check is going to occur on every
use of a stream attribute, and this is very rare. But when it can be
checked, it should raise Program_Error (as it is an
access-before-elaboration error).

In any case, I don't think this new issue should be used to prevent AI-195
from being completed. That AI already has too many issues in it, and if we
stick every stream issue that we discover (and I expect our grandchildren
will still be discovering problems with streams) into it, we'll never finish
it and fix many important stream problems.

Besides, issue (a) was already discussed in the context of AI-260, and it
would make just as much sense to put this issue there. Or open a new AI.

****************************************************************

From: Steve Baird
Date: Monday, January 28, 2002   2:27 PM

To recap, AI-279 is a response to the following question:

    T'Class'Input reads in a string, maps it to a tag by calling
    Tags.Internal_Tag, and dispatches accordingly.

    What happens if the the call to Tags.Internal_Tag yields either
      a) the tag of some type not covered by T'Class
    or
      b) the tag of an abstract type
    or
      c) the tag of a type whose freezing point has not
         yet been elaborated (e.g. a type with a
         not-yet-elaborated component subtype)?

The answers given in the AI summary are
    a) raise Constraint_Error
    b) raise Constraint_Error
    c) bounded error: raise Program_Error or "the call works normally".

For a & b, this is fine. One might argue for raising Program_Error instead
of Constraint_Error, but that's a nit. It is important to be clear that
no dispatching call occurs if the exception is raised; the check precedes
the call.

I believe the third case should result in erroneous execution.

The suggestion that "the call works normally" or works "as defined by the
RM"
is not well defined. The language (specifically, the freezing rules)
statically prohibits the creation of an object of an unfrozen type. The
dynamic
semantics of a statically illegal construct are undefined. With the possible
exception of the rules pertaining to erroneous execution, the RM does not
have rules of the form "<blap> is prohibited, but this is what it does at
runtime if you do somehow manage to get it through the compiler".

Allowing non-erroneous execution in this case might allow a subprogram to
be called before it can be named (i.e. before the elaboration of its
initial declaration). This would be new to Ada. It could mean,
for example, that a one-part subprogram might require an elaboration
check, or that an elaboration checking implementation strategy based on
initializing some piece of state at the point of the initial declaration
of a subprogram and then updating it when the body is elaborated would
no longer work.

Requiring implementations to detect the error and raise some exception
would also be a well-defined solution, but would require a fair
amount of overhead (in execution time, code space, and implementation
complexity) to cope with a case which, as far as I know, noone
has ever run into in practice.

****************************************************************

From: Robert Dewar
Date: Monday, January 28, 2002   3:45 PM

I agree with Steve's position on this point, case c) should be erroneous.

****************************************************************

From: Randy Brukardt
Date: Monday, January 28, 2002   5:07 PM

> I agree with Steve's position on this point, case c) should
> be erroneous

I made this a bounded error when I wrote up the AI, because I didn't like
the extent of erroneousness that is caused.

If this is erroneous, then *any* call to 'Input before all tagged types are
elaborated is potentially erroneous. Moreover, there is no way to prevent
erroneous execution in that case, because the programmer has no control over
the data actually read. And, there is no way to detect that there was/might
be a problem, until you've run off the tracks.

To prevent the erroneousness, you would have to have elaborate pragmas for
every tagged type that the 'Input might read, which completely defeats the
purpose of classwide 'Input (and would require adding such pragmas during
maintenance as tagged types are added).

The only safe thing to do would be to avoid using classwide 'Input until the
main subprogram starts executing (assuming that all tagged types are library
level, which is almost always the case). But in reusable code, there would
be no way to enforce this prohibition, and no way to prevent catastrophe if
it happened.

So while I'm uncomfortable spending much effort on a rare case, making this
erroneous would make using 'Input unsafe in any high-reliability system.

****************************************************************

From: Robert Dewar
Date: Monday, January 28, 2002   9:19 PM

<<The only safe thing to do would be to avoid using classwide 'Input until the
main subprogram starts executing (assuming that all tagged types are library
level, which is almost always the case). But in reusable code, there would
be no way to enforce this prohibition, and no way to prevent catastrophe if
it happened.
>>

Indeed that's the only safe thing to do.

<<So while I'm uncomfortable spending much effort on a rare case, making this
erroneous would make using 'Input unsafe in any high-reliability system.
>>

If you don't want this to be erroneous, you have a lot more work to do in
describing what the possible behaviors are. You can't appeal to the "proper
RM behavior" here, as was pointed out earlier in the thread.

****************************************************************

From: Randy Brukardt
Date: Monday, January 28, 2002   9:47 PM

> <<So while I'm uncomfortable spending much effort on a rare case, making this
> erroneous would make using 'Input unsafe in any high-reliability system.
> >>
>
> If you don't want this to be erroneous, you have a lot more work to do in
> describing what the possible behaviors are. You can't appeal to the "proper
> RM behavior" here, as was pointed out earlier in the thread.

Steve was reacting to my informal description of the semantics. I made no
attempt to determine the RM wording, since I felt that we needed to discuss
this at an ARG meeting before putting in that effort.

If it turns out to be impossible to word, then I probably would lean toward
requiring an access before elaboration check. My original reaction to that was
(as Steve put it) "would require a fair amount of overhead (in execution time,
code space, and implementation complexity)", but I've since concluded that
doing so is no worse than the elaboration check that is needed on every
user-defined 'Input routine anyway. The only requirement would be that default
'Input routines actually exist somewhere, which I believe is necessary anyway
for dispatching. The question is whether the (small) overhead is worth it; Ada
concludes that is the case for regular subprograms, so it seems hard to argue
that it shouldn't be the case for the default implementation of 'Input.

****************************************************************

From: Randy Brukardt
Date: Monday, April 22, 2002  10:36 PM

At the Cupertino meeting, we discussed this issue. In particular, we discussed
case (c) (If Internal_Tag returns the tag of a type whose freezing point has
not yet been elaborated?)

The discussion at the meeting purported to demonstrate that doing an
elaboration check to detect this case is difficult. Given that, I
reluctantly agreed to let this case be erroneous. I also got assigned to
revise the AI.

In writing the minutes and in preparing to revise the AI, I have realized
that there is in fact a reasonably inexpensive way to make this check.
Moreover, I also realized that there is another way to prevent this problem
altogether. And this case seems to show a case where Ada's default behavior
is unsafe.

There also is an additional, similar problem not covered by the AI as it
stands. Case (c2):
(If Internal_Tag returns the tag of a type which was elaborated but no
longer exists (because the master it was defined in has been left)?)

My objection to making this erroneous is simply that this is an unusual case
of erroneousness, where neither the use of 'Input nor anything that the
caller of it does is wrong. The problem only occurs when a conjunction of
unfortunate occurrences happens. This is a problem (especially in
pre-packaged libraries), as the only way to verify the absence of this
problem would be full program call graph analysis. In addition, this case is
by far the most likely of any of the cases considered by this AI. (Consider
reading a configuration file.) Abort can cause erroneousness like this, but
everyone knows abort is unsafe (and it is easy to see if it is used, just
search for "abort" in your program) -- this is not true for 'Class'Input.

3.9 is amazingly vague on the description of how Internal_Tag works. That
probably is a consequence of not wanting to constrain the implementations
much.

When thinking about how this problem would occur in an implementation using
dynamically constructed tags, I realized that such an implementation could
not have this problem. Such an implementation would have to register the
tags with some sort of tag manager when they are created (presumably at the
freezing point for the type). That means that any call to Internal_Tag
before the type is elaborated would raise Tag_Error -- and no problem could
occur.

A similar (but simpler) implementation would work for the 'Input check. An
array of booleans, one for each tag, would be stored with (logically) the
tag data structure. When the type is frozen, the associated Boolean is set
to true (these addresses can be set at compile time). The Boolean would be
set to False if the type went out of scope. If the Boolean is False, the
type is non-existent, and Program_Error should be raised.

But this brings up the question: is it really a good idea for Internal_Tag
to be returning a tag for a non-existent type? The AI intends to fix the
problem only for 'Class'Input. That is somewhat OK, as 'Class'Input is the
only Ada 95 place where the result of Internal_Tag can be usefully used (for
instance, to dispatch on). One could hope that Ada 0y would provide a real
solution to the problem is dispatching on externally derived tags, so that
functions like T'Class'Input could be written by users when needed. If such
a facility is added to Ada, it would have the same problem.

3.9 is quite silent on the lifetime of tags. This appears to be a
consequence of preferring a static model for tags. This model, while it must
be allowed in some way, is rather at odds with Ada's primarily dynamic model
of lifetimes. Thus, we get problems like the one covered in this AI, where
we can get a reference to something that doesn't yet (or still) exist.

About the only place where the RM ever talks about the lifetime of tags is
the Implementation Permission in 3.9(26):

The implementation of the functions in Ada.Tags may raise Tag_Error if no
specific type corresponding to the tag passed as a parameter exists in the
partition at the time the function is called.

This is a rather curious paragraph. It says that it would be OK for an
implementation to raise an exception if the type corresponding to a tag does
not exist, implying that it is OK to NOT raise an exception for a
non-existent type. Ada generally takes a safety-first approach, but here we
allowing (in fact encouraging) unsafe behavior.

This paragraph would have been better written as a bounded error, allowing
an implementation to return the correct answer:

It is a bounded error if one of the functions in Ada.Tags is called when no
specific type corresponding to the tag passed as a parameter exists in the
partition. If the error is detected, Tag_Error is raised; otherwise, the
function returns the same result that it would have had the type existed.

This would have been a better flag that there was an unsafe permission.

In any case, the overhead of making this check is rather small (one bit set
at the freezing of the type, one bit checked after a successful lookup in
Internal_Tag). A correct Ada application cannot depend on this working, as
3.9(26) already allows the check. Thus, I believe this check should be
mandated; doing do would eliminate case (c) [and (c2)] without
erroneousness. This is easy to accomplish: change "may" to "shall" in
3.9(26).

I could imagine a partial version of this check, where we don't mandate the
check for types whose masters are left. Such types are exceedingly rare, and
almost nothing useful can be done with them (at least in terms of
dispatching), since the entire hierarchy needs to be inside of the scope. In
such a case, we'd leave erroneousness for case (c2), but case (c) [the more
likely case] could not happen. That would eliminate the overhead of 'turning
off' existence bits when a tagged type goes out of scope. The only downside
of this is more RM wording.

In practice, these are probably the same, as an ACATS test checking that
nested tagged types 'disappear' from Ada.Tags.Internal_Tag couldn't be
justified from a usage-based standpoint (such a program is very unlikely to
occur in practice).

I prefer any of these solutions over making this case unconditionally
erroneous. Requiring this check also would help if any additional uses for
tags are added to Ada.

Comments welcome (now donning flame-proof suit...)

****************************************************************

From: Tucker Taft
Date: Tuesday, April 23, 2002  9:04 AM

What you propse seems reasonable.  A more detailed writeup
would help.  We implement Internal_Tag by statically allocating
a "link" which we insert into the hash table the first time
the type is elaborated.  It remains there indefinitely.
So we would have no trouble dealing with references
that occur before the type was ever elaborated, but
we do not currently ever remove the link from the table.
Doing so would be extra work, though not a huge amount.

I would imagine that some compilers build the Internal_Tag
hash table at link time.  If they all build them dynamically
the way that we do, then certainly providing some protection
against premature access to library-level tags would be easy
to provide.  Doing anything special for local tags seems
more trouble than it is worth.

****************************************************************

From: Steve Baird
Date: Tuesday, April 23, 2002  10:03 PM

> There also is an additional, similar problem not covered
> by the AI as it stands. Case (c2):
> (If Internal_Tag returns the tag of a type which was
> elaborated but no longer exists (because the master it was
> defined in has been left)?)

T'Class'Input reads in a string, maps it to a tag by calling
Tags.Internal_Tag, and dispatches accordingly.

3.9.1(3,4) implies that if T'Class covers some type T2, then
T2 will not cease to exist before T. While calling
T'Class'Input, clearly T still exists.

Thus, if Tags.Internal_Tag yields the tag of a type which no
longer exists, then it must be the tag of some type not
covered by T'Class, so this is already covered by case a).

I agree that this case may pose special challenges for
implementations which allocate tags dynamically.

****************************************************************

Questions? Ask the ACAA Technical Agent