Re: A hole in Ada type safety

[anon@att.net]

Better look again!

Even though a compiler emulates the "Unchecked_Conversion" with a built-in 
"pragma inline" being enforced.  The function still must be able to be 
written in Ada. That goes back to the origins of Ada and has not change. 
Plus, the function's source code can be inserted into a routine or 
re-named for use or testing of this routine. That is also apart of Ada.

Any programmer should be able to simulated the Unchecked_Conversion 
function in Ada (non GNAT), such as:

      pragma Suppress ( All_Checks ) ;    -- Ada 95/2005
      Target_Object := Target ( Source_Object ) ;
      pragma Unsuppress ( All_Checks ) ;  -- Ada 95/2005

Now, in Ada 83 there was no way to turn the checks back on after they
were suppressed. The exception was to use a function where the scope of 
the suppressed checks would be limited to that function only, thus a 
reason for the creation of the generic "Unchecked_Conversion" function.


The body of the "Unchecked_Conversion" function is:

---------------------------------------
  function Unchecked_Conversion ( S : Source ) 
           return Target is

      -- Ada 83 a Suppress statement per check must be given
      -- 
      pragma Suppress ( All_Checks ) ; 

    begin
      --  This statement should compile because all checks have been 
      --  turn off. Even without checks this routine must still comply 
      --  with type conversion rules set in RM 4.6, which can limited
      --  or restriction the conversion. 
      --
      --  Starting with Ada 95 the semantic and expansion analysis 
      --  must also, insure that the additional rules RM 13.9 
      --  ( 5 .. 10 ) are enforced. Since these rules can be derived
      --  from the legal rules for type conversion ( RM 4.6 ), these
      --  checks can be done in the while evaluating the type 
      --  conversion expression.
      --
      --  Ada 83, RM 13.10.2 ( 3 ) states the programmer is 
      --  "responsibility to ensure that these conversions maintain
      --  the properties that are guaranteed by the language for 
      --  objects of the target type." But the vendor can set
      --  restrictions.
      --
      return Target ( S ) ;
  end Unchecked_Conversion ;
---------------------------------------

Now in Ada 2005, RM 7.5 (1/2) states that a routine can not just copy
a "limited private" object. RM 6.5 (5.1/2, 5.c/2 ) states that if 
the target is limited the function "must produce a ""new"" object" 
instead of just copying the object.

Aka the "Unchecked_Conversion" which is a generic function is no 
longer just an inlined expression that is just a type conversions 
with all checks being disable. The function must now return a "new" 
object RM 6.5 (5.5/2, 5.c/2 ), by first requesting an new object 
from the Target's storage pool and then copying the Source data to 
that new object. So, in Ada 2005 the "Unchecked_Conversion" must be 
handled as a true generic function with a true return, instead of a 
built-in inline expression.

But GNAT still just performs a simple copy. So, is GNAT or the RM 
or is the generic "Unchecked_Conversion" function in error?


In <m2y62g7v92.fsf@pushface.org>, Simon Wright <simon@pushface.org> writes:
>anon@att.net writes:
>
>> Your two programs has pointed out a puzzle in the RM-2005.  And that is 
>> does the definition of the standard Generic package Unchecked_Conversion 
>> violate the RM (6.5/(5.5/2). 
>
>"I beseech you, in the bowels of Christ, think it possible that you may
> be mistaken."
> O. Cromwell, 1650.