From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 border2.nntp.dca1.giganews.com!nntp.giganews.com!newspeer1.nac.net!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!news.stack.nl!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Newsgroups: comp.lang.ada
Subject: Re: Quick question regarding limited type return syntax
Date: Sat, 02 Aug 2014 23:35:34 +0300
Organization: Tidorum Ltd
Message-ID: <c450cgFq3u2U1@mid.individual.net>
References: <166aaec5-5e9c-40e0-9b07-9b9c7d5f7f33@googlegroups.com>
 <EngCv.101926$Ji3.44609@fx16.iad>
 <16a6846f-2964-438a-ab9b-2029075f7924@googlegroups.com>
 <bf9193d6-e1a8-4df3-8e36-b07a2b07655e@googlegroups.com>
 <lret2q$fs$1@loke.gir.dk> <lrfh8k$rpi$1@dont-email.me>
 <lrgpg1$40g$1@loke.gir.dk> <D7TCv.160339$HF6.16263@fx30.iad>
 <c43h9sFgdq8U1@mid.individual.net>
 <20m59uxjlygw$.2mpabkt469vp.dlg@40tude.net>
 <wcciombyqmq.fsf@shell01.TheWorld.com>
 <cp8rrf40gpmj.zx1py68uwkjl$.dlg@40tude.net>
 <wccegwzyn76.fsf@shell01.TheWorld.com>
 <a5pzvn575hsz.8rt38rwse8bg.dlg@40tude.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Trace: individual.net O2b1JOeatabSBR75tAQptAWB+DBApcKFl7u3WzglL7FbztLGR8
Cancel-Lock: sha1:4tN8/EudWujwiU0e+DrpaIb+j2A=
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
In-Reply-To: <a5pzvn575hsz.8rt38rwse8bg.dlg@40tude.net>
Xref: number.nntp.dca.giganews.com comp.lang.ada:188112
Date: 2014-08-02T23:35:34+03:00
List-Id: <comp.lang.ada>

On 14-08-02 19:56 , Dmitry A. Kazakov wrote:
> On Sat, 02 Aug 2014 10:34:53 -0400, Robert A Duff wrote:
> 
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>
>>> On Sat, 02 Aug 2014 09:20:45 -0400, Robert A Duff wrote:
>>>
>>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>>>
>>>>> ...Dispatching calls
>>>>> through class-wide access discriminants upon initialization/finalization.
>>>>
>>>> Can you please give an example of what you mean?
>>>
>>> Components not discriminants. I had Rosen's trick in mind:
>>>
>>>    type T is ...
>>>        Self : not null access T := T'Unchecked_Access;
>>
>> Sorry, I still don't get it.  I don't see any class-wide types or
>> dispatching calls there.  Also, it's illegal as written (the Rosen trick
>> is only allowed for limited types.)  Perhaps a complete compilable
>> example would help illustrate the language anomaly you are talking
>> about.
> 
> with Ada.Finalization;
> with Ada.Text_IO;
> procedure Test is
>    package P is
>       type T is new Ada.Finalization.Limited_Controlled with record
>          Self : not null access T'Class := T'Unchecked_Access;
>       end record;
>       overriding procedure Initialize (X : in out T);
>       procedure Foo (X : in out T) is null;
>    end P;
>    
>    package body P is
>       procedure Initialize (X : in out T) is
>       begin
>          X.Self.Foo;
>       end Initialize;   
>    end P;
>    
>    package Q is
>       use P;
>       type S is new T with record
>          I : Integer;
>       end record;
>       overriding procedure Initialize (X : in out S);
>       overriding procedure Foo (X : in out S);
>    end Q;
>    
>    package body Q is
>       procedure Initialize (X : in out S) is
>       begin
>          T (X).Initialize;
>          X.I := 1;
>       end Initialize;
>       procedure Foo (X : in out S) is
>       begin
>          X.I := X.I + 1;
>       end Foo;
>    end Q;
>    
>    Y : Q.S;
> begin
>    Ada.Text_IO.Put_Line (Integer'Image (Y.I));
> end Test;

(Dmitry, I find it quite annoying that you just dump this code on us
without bothering to explain why you think it shows some problem in Ada.)

The code indeed accesses an uninitialized datum: when Y is initialized,
Initialize (S) calls Initialize (T), which makes a dispatching call to
Foo (S), which accesses the component S.I, which is not yet initialized.

The flow of control in the example is a bit sneaky, but the
self-referring component T.Self is in no way essential to the
sneakiness; the same could be achieved by simply making a redispatching
call to Foo in Initialize(T).

There are many other ways to create even sneakier flow of control with
even more obscure opportunities for accessing uninitialized data.

Perhaps you have some personal design and coding rules which would
prevent access to uninitialized data except for the kind of code shown
in the example? That is, perhaps the ability to write such code in Ada
breaks the safety of your design and coding rules? Perhaps the rule is
that the Initialize operation of a derived type should first call
Initialize on the parent type, and only then initialize the components
added in the derivation (the extension components)? That is not a bad
rule, but combining it with (re-)dispatching calls to operations
overridden in the derived type obviously invites errors of the kind
shown in the example.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
      .      @       .