From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM
	autolearn=ham autolearn_force=no version=3.4.4
X-Google-Thread: 103376,6b1a1ed8b075945
X-Google-Attributes: gid103376,public,usenet
X-Google-Language: ENGLISH,ASCII-7-bit
Path: 
 g2news2.google.com!news2.google.com!border1.nntp.dca.giganews.com!nntp.giganews.com!nx02.iad01.newshosting.com!newshosting.com!140.99.99.194.MISMATCH!news-in-02.newsfeed.easynews.com!easynews.com!easynews!news.he.net!xara.net!gxn.net!194.159.246.34.MISMATCH!peer-uk.news.demon.net!kibo.news.demon.net!news.demon.co.uk!demon!not-for-mail
From: Simon Wright <simon.j.wright@mac.com>
Newsgroups: comp.lang.ada
Subject: Re: Allocators and exceptions
Date: Sun, 09 Sep 2007 23:43:01 +0100
Organization: Pushface
Message-ID: <m2r6l7o3yi.fsf@mac.com>
References: <1189323618.588340.87180@o80g2000hse.googlegroups.com>
 <jvREi.80243$ax1.52638@bgtnsc05-news.ops.worldnet.att.net>
 <1189369871.672082.162750@50g2000hsm.googlegroups.com>
NNTP-Posting-Host: pogner.demon.co.uk
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: news.demon.co.uk 1189377781 18328 62.49.19.209 (9 Sep 2007 22:43:01
 GMT)
X-Complaints-To: abuse@demon.net
NNTP-Posting-Date: Sun, 9 Sep 2007 22:43:01 +0000 (UTC)
Cancel-Lock: sha1:B13y1yryd8O2AlQiUruw72NpTK4=
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (darwin)
Xref: g2news2.google.com comp.lang.ada:1851
Date: 2007-09-09T23:43:01+01:00
List-Id: <comp.lang.ada>

Maciej Sobczak <see.my.homepage@gmail.com> writes:

> procedure P is
>
>    type T (Init : Integer) is record
>       C : Positive := Positive (Init);
>    end record;
>
>    type T_Access is access T;
>
>    Ptr : T_Access;
>
> begin
>    Ptr := new T (-5);
> exception
>    when Constraint_Error =>
>       -- is memory leaked or deallocated?
>       null;
> end;
>
> I want to know whether the memory that was allocated for the new
> object was immediately deallocated due to the exception.  By
> "immediately" I mean before the control even goes to the exception
> part.
>
> I don't find this guarantee anywhere in the AARM and it scares me.

I'm not sure that I'd be scared, precisely.

If this was a safety-related program I would expect some serious test
effort, which would probably discover the mistake; or maybe formal
methods would be appropriate.

Even then, a safety-related _system_ ought to have some strategy for
recovering from such a runtime error. Perhaps it should reboot into a
safe mode? I would certainly expect the processor running a car's
ignition system not to just give up on an unhandled exception ...

In any case, why would the runtime system need to guarantee memory
recovery when it can hardly be expected to recover from the failed
design that led to the situation in the first place? I don't believe
there's any sensible recovery action to be taken -- the program's
state is corrupt already. Reboot, you know it makes sense!