From: Robert A Duff
Sender: bobduff@world.std.com (Robert A Duff)
Subject: Re: Constraint checking of actuals passed to Attributes
Date: 2000/05/10
Newsgroups: comp.lang.ada
Organization: The World Public Access UNIX, Brookline, MA

Keith Thompson writes:

> If I understand the context of this example correctly, the intent is
> to make these guarantees if Uninit is merely uninitialized, but not if
> it's abnormal

Yes.

> I suppose the real requirement being imposed here is that, if the
> underlying system has "abnormal" representations for a given type, the
> Ada implementation must guarantee that an uninitialized variable isn't
> set to one of those representations.

Yes, that's necessary. Eg, an uninitialized array has to have bounds or whatever dope the implementation uses properly initialized, so that things like "A(1) := ...;" will work.

But the real bone of contention here, I think, is the requirement that, for example:

    My_String: String(1..10);
    My_Index: Integer range 1..5;
    ...
    My_String(My_Index) := ...;

will need a check (that My_Index is in 1..10) unless the compiler can prove that My_Index is initialized. (Or, more precisely, is valid.) In Ada 83, no such check was required, because either My_Index is in 1..5, and therefore in 1..10, or else the program was erroneous, and therefore can do anything.

This intended change was a deliberate attempt to increase safety at the expense of a small inefficiency.

In the run-time model the AverStar compiler chooses, the compiler can prove validity quite often. For example, an 'in' parameter of an integer type is always valid, because it was constraint checked at the call site. The constraint check at the call site is not required -- the compiler is allowed to propagate invalid values all over the place, but I think that's less efficient, because then you have more checks inside the called procedure. We also do flow analysis, to find cases where variables are initialized by assignment statements on every path leading to some place, rather than on the variable's declaration.

Again, I'm talking about the *intent* of the language design team. Whether Robert Dewar or anyone else can see that intent in the RM wording is another story.

- Bob
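An added illustration, not part of Bob Duff's post, that puts the My_String/My_Index case above into a complete Ada program: the unguarded indexing whose check the post discusses, beside a guarded form that tests My_Index'Valid first so the outcome does not depend on what the compiler can prove. The unit name Index_Check_Demo and the helper Store are names chosen here.

```ada
-- Added example (not from the comp.lang.ada post): an uninitialized
-- index subtype used to index a wider array, unguarded and guarded.
with Ada.Text_IO; use Ada.Text_IO;

procedure Index_Check_Demo is
   My_String : String (1 .. 10) := (others => '.');
   My_Index  : Integer range 1 .. 5;   -- deliberately never assigned

   -- Hypothetical helper: index My_String only after an explicit
   -- 'Valid test, so correctness does not rest on the compiler
   -- proving anything about My_Index at the use site.
   function Store (Value : Character) return Boolean is
   begin
      if not My_Index'Valid then
         return False;   -- the bits in My_Index lie outside 1 .. 5
      end if;
      My_String (My_Index) := Value;   -- in range by construction
      return True;
   end Store;

begin
   -- The unguarded form the post discusses.  Under the Ada 95 intent
   -- described above, this indexing is checked against 1 .. 10 unless
   -- the compiler can show that My_Index holds a valid value.
   begin
      My_String (My_Index) := 'u';
      Put_Line ("unguarded store succeeded: " & My_String);
   exception
      when Constraint_Error =>
         Put_Line ("unguarded store: Constraint_Error (index check fired)");
   end;

   if Store ('g') then
      Put_Line ("guarded store succeeded: " & My_String);
   else
      Put_Line ("guarded store skipped: My_Index is not valid");
   end if;
end Index_Check_Demo;
```

Whether the unguarded store succeeds, raises Constraint_Error, or is a bounded error depends on the bits My_Index happens to hold and on the implementation's checks; the guarded form gives the same answer on every implementation.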