From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID
	autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,3f280e3f1e97f305
X-Google-Attributes: gid103376,public
From: bobduff@world.std.com (Robert A Duff)
Subject: Re: Finding out parameters which are not written
Date: 1997/08/12
Message-ID: <EEtC87.9CC@world.std.com>#1/1
X-Deja-AN: 263913375
References: <33F02867.322D@aut.alcatel.at> <33F07EA1.51D1@aut.alcatel.at>
Organization: The World Public Access UNIX, Brookline, MA
Newsgroups: comp.lang.ada
Date: 1997-08-12T00:00:00+00:00
List-Id: <comp.lang.ada>


In article <33F07EA1.51D1@aut.alcatel.at>,
Gerhard Radatz  <gerhard.radatz@aut.alcatel.at> wrote:
>Gerhard Radatz wrote:
>> 
>> Does anyone know about a tool which can detect such situations as the
>> following:
>> 
>>         procedure xxx (result: out INTEGER) is
>>         begin
>>              if <<condition>> then
>>                  result := 0;
>>              end if;
>>         end;
>> 
>> Obviously, this proc is erroneous and result will not be written if
>> <<condition>> is FALSE.

>I admit that it is very difficult to find such potential problems at
>compile time. ...

It doesn't seem so hard to me.  The compiler can just check whether
every path through the function assigns to every 'out' parameter of a
scalar type.  If not, warn -- it's almost certainly a bug.  (For
composite types, it's not formally erroneous, and not necessarily a
bug.)  There's no practical reason to worry about the fact that
<<condition>> might be always True (which of course the compiler can't
know, in general).

GNAT does exactly this sort of analysis for function returns -- it makes
sure that every path through the function ends with a return statement,
or the raise of an exception (and it has some mechanism for marking
procedures that always raise an exception).  I don't know if GNAT does
something similar for scalar 'out' parameters, but it could.

Of course, none of this solves the more general problem of uninitialized
objects -- that really requires run-time checks.

- Bob