From: olivea!news.bu.edu!inmet!spock!stt@uunet.uu.net (Tucker Taft)
Subject: Re: Don't we already have a 'Valid? (was Re: Unchecked_Conversion...)
Date: 16 Sep 93 17:39:19 GMT [thread overview]
Message-ID: <CDGJpK.798@inmet.camb.inmet.com> (raw)
In article <CDAooM.nEt@yktnews.watson.ibm.com> ncohen@watson.ibm.com writes:
>Some clarifications:
>3. Like Robert Eachus (if I understand his post correctly), I believe
> that the best solution would have been an attribute like
>
> target_subtype'Would_Be_Valid(source_object)
>
> indicating without performing the unchecked conversion of
> source_object to target_subtype whether the bits of source_object are
> a valid representation of a value of target_subtype. This provides a
> convenient way for the programmer to validate untrustworthy data
> without ever constructing invalid values. (I'm sure there is a better
> name, but Would_Be_Valid conveys my intent.)
There are a few reasons why we chose the object'Valid approach
rather than the above "attribute-function" approach (all nicely
documented by Ben Brosgol in the Ada 9X Rationale document coming
out imminently):
1) The above proposal implies a function call, which takes a value,
not an object, as a parameter, meaning that the source object must
already have a valid value or else the implementation is
allowed to raise Program_Error. Furthermore, what is the
formal type of the parameter to the "Would_Be_Valid" function?
2) Unchecked_Conversion takes a source *sub*type and a target subtype
as generic parameters. That is critical because
the particular subtypes specified can affect the actual number of
bits involved in the unchecked conversion. By contrast,
the attribute-function approach is given a value, which does
not indicate unambiguously how many bits will be involved
in the conversion (which matters when converting between
bit arrays and scalars on a big-endian machine, for example).
3) A common source of potentially invalid data is from input
or unchecked conversion of a whole record. It is much more
convenient to check the fields of interest of a record with
the object-attribute approach, rather than the attribute-function
approach applied to slices of the source of the record. E.g.:
type Enum is (ABC, XYZ, ...);
type Enum_Array is array(Positive range <>) of Enum;
type Enum_Stack is record
Length : Natural range 0..Max := 0;
Data : Enum_Array(1..Max);
end record;
Stk : Enum_Stack;
...
Read_Stack(Into => Stk);
if not Stk.Length'Valid then
Put_Length("Bogus Length");
raise Data_Error;
else
for I in 1..Stk.Length loop
if not Stk.Data(I)'Valid then
Put_Line("Trouble in River City");
raise Data_Error;
end if;
end loop;
end if;
-- Stk now checked out, relevant data is valid
An alternative to the attribute-function approach that would
almost work would be a generic "Checked_Conversion" function, which would
combine the conversion with a validity check. However, since validity
is not unambiguously defined for composite types (because of examples
like the Stack above), Checked_Conversion would be limited to scalar
types, which would make it pretty inconvenient.
By the way, we believe we have fixed the wording problems in the
manual in the latest version, so that the Unchecked_Conversion is
not erroneous, even if the bits being converted do not correspond
to a valid value of the target subtype.
>Norman H. Cohen ncohen@watson.ibm.com
S. Tucker Taft stt@inmet.com
Ada 9X Mapping/Revision Team
Intermetrics, Inc.
Cambridge, MA 02138
next reply other threads:[~1993-09-16 17:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
1993-09-16 17:39 Tucker Taft [this message]
-- strict thread matches above, loose matches on Subject: below --
1993-09-16 16:25 Don't we already have a 'Valid? (was Re: Unchecked_Conversion...) cis.ohio-state.edu!magnus.acs.ohio-state.edu!usenet.ins.cwru.edu!howland.
1993-09-13 13:41 Norman H. Cohen
1993-09-10 20:49 Robert I. Eachus
1993-09-10 17:06 Mark A Biggar
1993-09-10 15:07 cis.ohio-state.edu!news.sei.cmu.edu!magnesium.club.cc.cmu.edu!honeydew.sr
1993-09-10 14:00 Mike Berman
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox