Re: Uninitialized subtype variables

[cis.ohio-state.edu!zaphod.mps.ohio-state.edu!wupost!micro-heart-of-gold.m it.edu!bu.edu!inmet!spock!stt@ucbvax.Berkeley.EDU (Tucker Taft)]

In article <1992Oct21.234759.24972@beaver.cs.washington.edu> 
  pattis@cs.washington.edu (Richard Pattis) writes:

>I cannot find anything in the LRM (mostly around 3.2.1) for Ada that says
>after elaborating 
>   X : NATURAL;
>X's value is guaranteed to be >= 0. Is this in fact correct? Is there even a
>guarantee that the bit pattern it contains can be interpreted as a
>legal INTEGER?

No.  Any use of the value of an uninitialized scalar object is erroneous (i.e.
completely unpredictable effect) in Ada 83 (RM 3.2.1(18)).  
In Ada 9x we are proposing that such a use be a 
"bounded error" which means that no random memory
may be trashed nor may your disk be erased simply as a 
result of using the value
of an uninitialized scalar.

>Now, suppose I also declared PROCEDURE P (N : NATURAL); A smart compiler
>could avoid checking the parameter constraint when calling P(X). But this coul
d
>lead to some interesting errors if X truly contained a negative value from its
>(lack of) initialization.

Some Ada 83 optimizers presume all variables are within their subtype
at all times, whereas others presume only explicitly initialized variables
are within their subtype, plus those where data flow guarantees
some initialization has taken place.  It depends somewhat on the
philosophy of the authors of the optimizer -- whether they believe
erroneousness is uncommon and should be ignored (as is allowed
by the rules in the 83 RM), or is common and should be accommodated.

For Ada 9X we are trying to formulate rules which will allow optimizers
to eliminate most constraint checks based on declared subtypes,
but will still prevent random stores to memory, or random jumps.
One approach is to require constraint checks on array component assignments
(and similar memory-altering operations) even if 
subtype information implies the check can't fail,
but be more permissive elsewhere.  Of course if the data flow
analysis "proves" that even after ignoring the subtype information,
the index is within range, then the constraint check can still
be eliminated.

>Any comments?

It's a bag of worms, but we are still trying to do something about it ;-).
Uninitialized scalar variables are one of the few "holes" left in the
Ada safety net, and it would be nice to somehow narrow the hole a bit.
Of course, some kind of "pragma SUPPRESS" should be provided to rip
it open again on user request, but we would like the RM to specify
essentially "safe" semantics as the default, presuming it can
be done without unduly complicating the semantics nor significantly 
hurting code quality.

>------------------------------------------------------------------------------
>  Richard E. Pattis			"Programming languages are like
>  Department of Computer Science	 pizzas - they come in only "too"
>    and Engineering			 sizes: too big and too small."


S. Tucker Taft    stt@inmet.com
Ada 9X Mapping/Revision Team
Intermetrics, Inc.
Cambridge, MA  02138