Re: A hole in Ada type safety

[anon@att.net]

--
--  May be this program will help explain the problem.
--
--  Plus, 
--  RM 13.9 (12) -- say the function can copy "by reference, if the 
--  Source type is not a by-copy type." In Ada 2005, the definition
--  of Source type for the Unchecked_Conversion is still a "limited 
--  private" which is a "Limited Type, and all Limited types (RM 7.5) 
--  are now a by-copy type. So, Unchecked_Conversion must now use
--  only "by-copy" type of copying. This suggest that the RM 13.9 (12) 
--  paragraph may be in Error an needs to be update at least for Ada 
--  2012. And corrected in 2005.
--
--  RM 7.5 ( 1.b/2 ), Suggest that the copying "Limited Types" by 
--  reference was for Ada 95. That changes for Ada 2005.
--
--  This may also explain what Robert Dewar was taking about in 
--  AI95-00318-02.
--

--
-- Testing the Generic Unchecked_Conversion function.
-- By copying and renaming the function to Ada05_Conversion.
--
with Interfaces ;
with Text_IO ;
--
procedure Test_UC is

  use Interfaces ;
  --
  package Byte_IO is new Text_IO.Modular_IO ( Unsigned_8 ) ;
  package U32_IO is new Text_IO.Modular_IO ( Unsigned_32 ) ;
  --
  type Boolean_Array is array ( Natural range <> ) of Boolean ;
    pragma Pack ( Boolean_Array ) ;

  --
  -- Limited type: must copy by "by-copy type"
  --
  type Record_Type is limited record
                                Flags : Boolean_Array ( 0 .. 31 ) ;
                              end record ;
    pragma Pack ( Record_Type ) ;


  -- ------------------ --
  --  Ada05_Conversion  --
  -- ------------------ --
  generic
    type Source (<>) is limited private ;
    type Target (<>) is limited private ;
    function Ada05_Conversion ( S : Source ) return Target ;

  function Ada05_Conversion ( S : Source ) return Target is

      pragma Suppress ( All_Checks ) ;

    begin
      -- Compiling Error messages:
      --   (Ada 2005) cannot copy object of a limited type 
      --              (RM-2005 6.5(5.5/2))
      --   consider switching to return of access type
      --
      -- Additional References for reasoning: 
      --   RM 7.5 Limited Types ( 1/2, 1.a, 1.b/2 )
      --
      return Target ( S ) ;
    end Ada05_Conversion ;

  --
  function To_Byte is new Ada05_Conversion
                        ( Source => Unsigned_8, Target => Character ) ;

  function To_Unsigned_32 is new Ada05_Conversion
                     ( Source => Record_Type, Target => Unsigned_32 ) ;

  C  : Character := 'c' ;
  S  : Unsigned_8 := 16#41# ;  -- 'A'

  R0 : Record_Type ;
  R1 : Unsigned_32 ;

begin
  --
  -- Copy a simple unsigned_8 to character
  --
  C := To_Byte ( S ) ;             -- Perform conversion
  --
  -- Should display:
  --     Test 1:  C := 'A'
  --
  Text_IO.Put ( "Test 1:  " ) ;
  Text_IO.Put ( "C := '" ) ;
  Text_IO.Put ( C ) ;
  Text_IO.Put ( ''' ) ;
  Text_IO.New_Line ;
  --
  R0.Flags ( 28 .. 31 ) := ( others => True ) ; 
  R0.Flags ( 00 .. 27 ) := ( others => False ) ; 
  --
  -- Copy a limited record to a Unsigned_32 
  --
  R1 := To_Unsigned_32 ( R0 ) ;    -- Perform conversion
  --
  -- Should display:
  --     Test 2:  R0 := 2#11110000000000000000000000000000#
  --
  Text_IO.Put ( "Test 2:  " ) ;
  Text_IO.Put ( "R0 := " ) ;
  U32_IO.Put ( R1, base => 2 ) ;
  Text_IO.New_Line ;
end Test_UC ;

In <iqfaud$ggn$1@munin.nbi.dk>, "Randy Brukardt" <randy@rrsoftware.com> writes:
><anon@att.net> wrote in message news:iqes6i$18g$1@speranza.aioe.org...
>> The RM 13.9 (3) defines the Unchecked_Conversion function with
>>
>>    pragma Convention ( Intrinsic, Ada.Unchecked_Conversion ) ;
>>
>> Intrinsic is built-in" and RM C.1 ( 10 ) implies inlining to reduce
>> overhead of this function and RM 13.8 ( 15 ) helps reduces the code
>> to that of an inline Machine Code Insertions.
>>
>>
>> Proof basically come from RM 6.3.1 ( 4 ), RM 13.9 ( 15 ) and
>> C.1 ( 10 ).
>>
>> RM 6.3.1 Conformance Rules
>>
>>    4  "The Intrinsic calling convention represents subprograms that
>>       are ``built in'' to the compiler." ...
>>
>> RM 13.9 Unchecked Type Conversions
>>
>>  15   The implementation should not generate unnecessary run-time
>>       checks to ensure that the representation of S is a
>>       representation of the target type. It should take advantage of
>>       the permission to return by reference when possible.
>>       Restrictions on unchecked conversions should be avoided unless
>>       required by the target environment.
>>
>> RM C.1 Access to Machine Operations
>>
>>  10   "The implementation should ensure that little or no overhead
>>       is associated with calling intrinsic and machine-code
>>       subprograms"
>>
>>
>>
>> Associative RMs
>>
>> RM 13.8 Machine Code Insertions
>>
>>  11   "(17) Intrinsic subprograms (see 6.3.1, ``Conformance Rules'')
>>       can also be used to achieve machine code insertions." ...
>>
>> RM C.1 Access to Machine Operations
>>
>>   6   "The implementation shall document the overhead associated
>>        with calling machine-code or intrinsic subprograms, as
>>        compared to a fully-inlined call, and to a regular
>>        out-of-line call."
>>
>>
>>
>> Now in Ada 2005, RM 7.5 (1/2) states that a routine can not just copy
>> a "limited private" object. RM 6.5 (5.1/2, 5.c/2 ) states that if
>> the target is limited the function "must produce a ""new"" object"
>> instead of just copying the object.
>>
>> Aka the "Unchecked_Conversion" which is a generic function is no
>> longer just an inlined expression that is just a type conversions
>> with all checks being disable. The function must now return a "new"
>> object RM 6.5 (5.5/2, 5.c/2 ), by first requesting an new object
>> from the Target's storage pool and then copying the Source data to
>> that new object. So, in Ada 2005 the "Unchecked_Conversion" must be
>> handled as a true generic function with a true return, instead of a
>> built-in inline expression.
>>
>> But GNAT still just performs a simple copy. So, is GNAT or the RM
>> or is the generic "Unchecked_Conversion" function in error?
>
>You, of course. :-) Your language-lawyering skills need some work.
>
>13.9(12) (an implementation permission) says that an implementation can 
>return the result of an unchecked_conversion "by reference". Especially note 
>the second sentence of that rule, which explains the intent.
>
>                            Randy.
>
>
>
>
>
>