From: Franco Mazzanti
Subject: Re: Beware: Rep spec on an enumeration type clause
Date: 1997/12/12
Message-ID: <34911237.81B700D6@iei.pi.cnr.it>
Organization: Universita' di Pisa
Newsgroups: comp.lang.ada

Rakesh Malhotra wrote:

> We work on safety critical projects. And if we have a safety critical
> bit of code that defines and uses an enumeration then we use the rep
> clause to provide more than 1 bit separation between adjacent values in
> the enumeration. That way if 1 bit got corrupted the value could not
> become some other legal value.
>
> Hence type SIGNAL_TYPE is (RED, GREEN);
> for SIGNAL_TYPE use (RED => 16#00#, GREEN => 16#03#);
>
> So if a signal was supposed to be RED, with just a 1 bit corruption it
> could never become GREEN. Obviously we have these kinds of enums and
> rep clauses all over the code space, and they are used in arrays to
> index etc. An even worse example (from the coder's point of view)
> is that we create our own BOOLEAN_TYPE with states defined as TRUE_STATE
> and FALSE_STATE; then give both true and false explicit values; and
> then test for those in "if" statements etc. :) Pretty horrible, eh?
>
> --
> Rakesh.

Since the program behaviour when some invalid object is encountered is
highly implementation dependent, this approach seems really dangerous to me ...
For example, the following program, compiled with GNAT v.3.09, happily
(and legally) produces the output:

> I is neither AA, BB or CC
> I is AA or BB

   with Ada.Text_IO; use Ada.Text_IO;

   procedure Main is
      type T is (AA, BB, CC);
      for T use (AA => -1, BB => 10, CC => 20);   -- gaps between the codes
      I : T;                                      -- not initialised
      V : array (T) of Integer;
   begin
      -- 'Valid reports that I holds none of the three legal codes ...
      if not I'Valid then
         Put_Line ("I is neither AA, BB or CC ");
      end if;

      -- ... yet the case statement still dispatches on the invalid value
      case I is
         when AA .. BB =>   -- can be selected if I is invalid
            Put_Line ("I is AA or BB");
         when CC =>         -- can be selected if I is invalid
            Put_Line ("I is CC");
            V (CC) := 0;
      end case;
   end Main;

------------------------------------------------------------
Franco Mazzanti
Istituto di Elaborazione della Informazione
mazzanti@iei.pi.cnr.it
------------------------------------------------------------
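The exchange above turns on one point: the two-bit separation between RED (16#00#) and GREEN (16#03#) does guarantee that a single flipped bit can never turn one legal code into the other, but that guarantee is only worth something if the code checks validity before it dispatches. A `case` with ranges, or an `if X = RED ... else` that treats everything not-RED as GREEN, silently converts the corrupted byte back into a legal value. The following C program is an added illustration of that argument, not code from either poster and not Ada (so it does not reproduce Ada's `'Valid` or `case` semantics); the enum names, the `decision` type, the function names and the "fail safe" outcome are assumptions chosen for the example. It checks the bit-separation property exhaustively, then compares a naive dispatcher against one that validates first.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Codes from the post: 0x00 and 0x03 differ in two bits, so no single-bit
   corruption of one can produce the other. Names are assumed for the example. */
enum signal_code { SIG_RED = 0x00, SIG_GREEN = 0x03 };

/* Outcome of reading the signal; DEC_FAIL_SAFE is the assumed safe default. */
enum decision { DEC_STOP = 0, DEC_GO = 1, DEC_FAIL_SAFE = 2 };

/* Explicit validity check, the C analogue of testing Ada's 'Valid. */
static bool signal_is_valid(uint8_t raw)
{
    return raw == SIG_RED || raw == SIG_GREEN;
}

/* Naive dispatch: anything that is not RED is treated as GREEN. This is the
   failure mode discussed in the thread: a corrupted byte falls into the
   "other" branch and is handled as if it were a legal value. */
static enum decision naive_decide(uint8_t raw)
{
    if (raw == SIG_RED)
        return DEC_STOP;
    return DEC_GO;            /* 255 of the 256 possible bytes end up here */
}

/* Hardened dispatch: validate first, and fail safe on anything invalid. */
static enum decision safe_decide(uint8_t raw)
{
    if (!signal_is_valid(raw))
        return DEC_FAIL_SAFE;
    return raw == SIG_RED ? DEC_STOP : DEC_GO;
}

/* Count how many of the 256 raw byte values a dispatcher turns into GO. */
static int count_go(enum decision (*decide)(uint8_t))
{
    int n = 0;
    for (int v = 0; v < 256; v++)
        if (decide((uint8_t)v) == DEC_GO)
            n++;
    return n;
}

/* Bit-separation property: every single-bit flip of a valid code must be
   invalid. Returns true when the property holds for both codes. */
static bool single_bit_flips_are_invalid(void)
{
    const uint8_t valid[] = { SIG_RED, SIG_GREEN };
    for (size_t i = 0; i < sizeof valid / sizeof valid[0]; i++)
        for (int bit = 0; bit < 8; bit++)
            if (signal_is_valid((uint8_t)(valid[i] ^ (1u << bit))))
                return false;
    return true;
}

int main(void)
{
    uint8_t corrupted = SIG_RED ^ 0x01;   /* constructed: one flipped bit in RED */

    printf("single-bit flips of RED/GREEN are all invalid: %s\n",
           single_bit_flips_are_invalid() ? "yes" : "no");
    printf("naive dispatch on corrupted RED: %d (1 = GO)\n",
           naive_decide(corrupted));
    printf("safe  dispatch on corrupted RED: %d (2 = FAIL_SAFE)\n",
           safe_decide(corrupted));
    printf("byte values that mean GO: naive=%d safe=%d\n",
           count_go(naive_decide), count_go(safe_decide));
    return 0;
}
```

The exhaustive counts make the point concrete: the encoding really does keep single-bit errors out of the legal set, but the naive dispatcher still maps 255 of 256 possible bytes to GO, while the validating one maps exactly one. The same discipline applies to the Ada program in the post: test `I'Valid` and take a fail-safe branch before the `case`, rather than after it.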