From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00
	autolearn=unavailable autolearn_force=no version=3.4.4
Path: 
 eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!news.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Simon Wright <simon@pushface.org>
Newsgroups: comp.lang.ada
Subject: SPARK 2014 and protected objects
Date: Tue, 30 Aug 2016 11:34:03 +0100
Organization: A noiseless patient Spider
Message-ID: <ly1t16k0kk.fsf@pushface.org>
Mime-Version: 1.0
Content-Type: text/plain
Injection-Info: mx02.eternal-september.org;
 posting-host="90a7515de723fda2443060f3e878f4b0";
	logging-data="3414"; mail-complaints-to="abuse@eternal-september.org";
	posting-account="U2FsdGVkX18MUTJRaR5R2LZUlmg0zodDbZWS+cbp4Lo="
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (darwin)
Cancel-Lock: sha1:bR9SwvqiTeJKBfImojyK5ETmrBY=
	sha1:zw6qYceGxqKfYAgy0rbzKgqdZOU=
Xref: news.eternal-september.org comp.lang.ada:31639
Date: 2016-08-30T11:34:03+01:00
List-Id: <comp.lang.ada>

I'm struggling with a package whose spec has subprograms whose bodies
call a PO declared in the package body, which governs access to volatile
data (an SPI-connected device). gnatprove (2016) wants me to use
Abstract_State and (sometimes) Part_Of, but I can't get the syntax
right. Does anyone have any worked examples?

What I have so far is at http://pastebin.com/HGpH4xL4; the error I get
is

     1. package body PO
     2. with Refined_State => (State => (Protected_Value,
                               |
        >>> non-external state "State" cannot contain external constituents in refinement

     3.                                  Impl))
     4. is
     5.
     6.    Protected_Value : Integer := 0
     7.      with Volatile;
     8.
     9.    protected Impl is
    10.       procedure Set (Value : Integer);
    11.       procedure Get (Value : out Integer);
    12.    end Impl;

If I don't include Impl in the refined state then I get

     1. package body PO
                     |
        >>> body of package "PO" has unused hidden states
        >>> variable "Impl" defined at line 8

     2. with Refined_State => (State => (Protected_Value))
                               |
        >>> non-external state "State" cannot contain external constituents in refinement

     3. is
     4.
     5.    Protected_Value : Integer := 0
     6.      with Volatile;
     7.

(I've looked at AdaCore's Certyflie[1], but it looks as though all the
POs are in packages that they don't prove)

[1] https://github.com/AdaCore/Certyflie