optimization away of checks in 'valid

optimization away of checks in 'valid

[Joseph Wisniewski]

Ran into an issue with one compiler having to do with the implementation of 'valid. Was looking for comments as to how other compilers handle this. 

Basically, the question is, if 'valid is called on an integer object, are there conditions under which some of the checks done by 'valid (range checking on an object of an integer subtype) are removed?

Specifically, we had a case where C++ code was not checking the bounds of a integer subtype as it was passed to Ada code via a function parameter. The Ada code _was_ checking via 'valid. 'valid returned true even though the integer value was out of bounds. Turns out the compiler relied on the "allowed assumption" that all callers "check their bounds" for such data. As such, the range checks in 'valid were eliminated as redundant as part of building with optimization on. In fact, I believe the checks were eliminated under no-opt also. 

My question is whether this is similar behavior across compilers or if 'valid is viewed as always performing the same checks, including and perhaps especiallyh bounds checks in this kind of situation.

Re: optimization away of checks in 'valid

[Ludovic Brenta]

Joseph Wisniewski wrote on comp.lang.ada:
> we had a case where C++ code was not checking the bounds of a
> integer subtype as it was passed to Ada code via a function
> parameter. The Ada code _was_ checking via 'valid. 'valid returned
> true even though the integer value was out of bounds. Turns out the
> compiler relied on the "allowed assumption" that all callers "check
> their bounds" for such data.

I'd think this assumption should be disallowed for exported
subprograms, or actually for all subprograms with a Convention other
than Ada?

-- 
Ludovic Brenta.

Re: optimization away of checks in 'valid

[Georg Bauhaus]

On 26.09.12 03:33, Joseph Wisniewski wrote:
> Specifically, we had a case where C++ code was not checking the bounds of a integer subtype as it was passed to Ada code via a function parameter. The Ada code _was_ checking via 'valid. 'valid returned true even though the integer value was out of bounds. Turns out the compiler relied on the "allowed assumption" that all callers "check their bounds" for such data.

FWIW, is the function like any of the ones below?
I see Exported_2 and Exported_3 have 'Valid removed
after compilation, as expected maybe.

with Interfaces.C;

package Rcheck is

   use type Interfaces.C.int;

   subtype T is Interfaces.C.int range -7 .. 100;
   subtype int is Interfaces.C.int;

   function Exported_1 (Item : T) return T;
   pragma Export (C, Exported_1);

   function Exported_2 (Item : int) return int;
   pragma Export (C, Exported_2);

   function Exported_3 (Item : int) return T;
   pragma Export (C, Exported_3);

   Default_Value : constant T := 33;

end Rcheck;


package body Rcheck is

   Dummy : constant := 66;

   function Exported_1 (Item : T) return T is
      Result : T;
   begin
      if Item'Valid then
	 Result := Dummy;
      else
	 Result := Default_Value;
      end if;
      return Result;
   end Exported_1;

   function Exported_2 (Item : int) return int is
      Result : int;
   begin
      if Item'Valid then
	 Result := Dummy;
      else
	 Result := Default_Value;
      end if;
      return Result;
   end Exported_2;

   function Exported_3 (Item : int) return T is
      Result : T;
   begin
      if Item'Valid then
	 Result := Dummy;
      else
	 Result := Default_Value;
      end if;
      return Result;
   end Exported_3;

end Rcheck;

Re: optimization away of checks in 'valid

[Jeffrey Carter]

Joseph Wisniewski wrote on comp.lang.ada:
> we had a case where C++ code was not checking the bounds of a
> integer subtype as it was passed to Ada code via a function
> parameter. The Ada code _was_ checking via 'valid. 'valid returned
> true even though the integer value was out of bounds. Turns out the
> compiler relied on the "allowed assumption" that all callers "check
> their bounds" for such data.

Using any scalar subtype other than those in Interfaces.C when interfacing to 
C/++ is asking for trouble.

-- 
Jeff Carter
"Sons of a silly person."
Monty Python & the Holy Grail
02

--- news://freenews.netfront.net/ - complaints: news@netfront.net ---

Re: optimization away of checks in 'valid

[Stephen Leake]

Joseph Wisniewski <wisniewski.ru@gmail.com> writes:

> Basically, the question is, if 'valid is called on an integer object,
> are there conditions under which some of the checks done by 'valid
> (range checking on an object of an integer subtype) are removed?

See ARM 13.9.2; it lists the operations that can return invalid values.

> Specifically, we had a case where C++ code was not checking the bounds
> of a integer subtype as it was passed to Ada code via a function
> parameter. 

Reading an input parameter is not in the list of operations that can
return invalid values.

"interfacing to another language" is on the list, which is what you are
doing, but I suspect that really means "calling a subprogram implemented
in another language"; ie, a subprogram with pragma Import.

Do you have pragma Export on the Ada function? That would mean reading
the input parameter _is_ interfacing to another language, and you could
complain to your compiler vendor.

-- 
-- Stephe