File: rt.mss

package info (click to toggle)
ada-reference-manual 1%3A2012.3-2
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 12,872 kB
  • sloc: ada: 29,393; makefile: 193; python: 92
file content (5010 lines) | stat: -rwxr-xr-x 219,031 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
4932
4933
4934
4935
4936
4937
4938
4939
4940
4941
4942
4943
4944
4945
4946
4947
4948
4949
4950
4951
4952
4953
4954
4955
4956
4957
4958
4959
4960
4961
4962
4963
4964
4965
4966
4967
4968
4969
4970
4971
4972
4973
4974
4975
4976
4977
4978
4979
4980
4981
4982
4983
4984
4985
4986
4987
4988
4989
4990
4991
4992
4993
4994
4995
4996
4997
4998
4999
5000
5001
5002
5003
5004
5005
5006
5007
5008
5009
5010
@Comment{ $Source: e:\\cvsroot/ARM/Source/rt.mss,v $ }
@comment{ $Revision: 1.75 $ $Date: 2006/10/19 06:40:31 $ $Author: Randy $ }
@Part(realtime, Root="ada.mss")
@Comment{$Date: 2006/10/19 06:40:31 $}

@LabeledNormativeAnnex{Real-Time Systems}

@begin{Intro}
@Defn{real-time systems}
@Defn{embedded systems}
This Annex specifies additional characteristics of Ada implementations
intended for real-time systems software. To conform to this Annex, an
implementation shall also conform to the Systems Programming Annex.
@end{Intro}

@begin{Metrics}

The metrics are documentation requirements; an implementation shall
document the values of the language-defined metrics for at least one
configuration @Redundant[of hardware or an underlying system] supported by
the implementation, and shall document the details of that configuration.
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[Values of all @MetricsTitle.]}]}@ChgNote{We're going to document the
individual metrics sections.}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The details of the configuration used to generate the values of all
metrics.]}]}
@begin{Reason}
The actual values of the metrics are likely to depend on hardware
configuration details that are variable and generally outside the control
of a compiler vendor.
@end{Reason}

The metrics do not necessarily yield a simple number.
@Redundant[For some, a range is more suitable, for others a formula
dependent on some parameter is appropriate, and for
others,
it may be more suitable to break the metric into several cases.]
Unless specified otherwise, the metrics in this annex are expressed in
processor clock cycles.
For metrics that require documentation of an upper bound,
if there is no upper bound,
the implementation shall report that the metric is unbounded.
@begin{Discussion}
There are several good reasons to specify metrics in seconds; there are however
equally good reasons to specify them in processor clock cycles. In
defining the metrics, we have tried to strike a balance on a case-by-case
basis.

It has been suggested that all metrics should be given names,
so that @lquotes@;data-sheets@rquotes@; could be formulated and published
by vendors.
However the paragraph number can serve that purpose.
@end{Discussion}

@end{Metrics}

@begin{Notes}

The specification of the metrics makes a distinction between upper bounds
and simple execution times. Where something is just specified as @lquotes@;the
execution time of@rquotes@; a piece of code, this leaves one
the freedom
to choose a nonpathological case. This kind of metric is of the form
@lquotes@;there exists a program such that the value of the metric is V@rquotes@;.
Conversely, the meaning of upper bounds is @lquotes@;there is no program such
that the value of the metric is greater than V@rquotes@;.
This kind of metric can only be partially tested, by finding the value
of V for one or more test programs.

The metrics do not cover the whole language; they are limited
to features that are specified in @RefSec{Systems Programming}
and in this Annex. The metrics are intended
to provide guidance to potential users as to whether a particular
implementation of such a feature is going to be adequate for a
particular real-time application. As such, the metrics are aimed
at known implementation choices that can result in significant
performance differences.

The purpose of the metrics is not necessarily to provide fine-grained
quantitative results or to serve as a comparison between different
implementations on the same or different platforms. Instead, their
goal is rather qualitative; to define a standard set of approximate values
that can be measured and used to estimate the general suitability of an
implementation, or to evaluate the comparative utility of certain features
of an implementation for a particular real-time application.

@end{Notes}

@begin{Extend83}
@Defn{extensions to Ada 83}
This Annex is new to Ada 95.
@end{Extend83}


@LabeledClause{Task Priorities}
@begin{Intro}
@Redundant[This clause specifies the priority model for real-time systems.
In addition, the methods for specifying priorities are defined.]
@end{Intro}

@begin{Syntax}
@begin{SyntaxText}
@leading@keepnext@;The form of a @nt{pragma} Priority is as follows:
@end{SyntaxText}

@PragmaSyn`@key{pragma} @prag(Priority)(@Syn2{expression});'

@begin{SyntaxText}
@leading@keepnext@;The form of a @nt{pragma} Interrupt_Priority is as follows:
@end{SyntaxText}

@PragmaSyn`@key{pragma} @prag(Interrupt_Priority)[(@Syn2{expression})];'
@end{Syntax}

@begin{Resolution}

@PDefn2{Term=[expected type],
  Sec=(Priority pragma argument)}
@PDefn2{Term=[expected type],
  Sec=(Interrupt_Priority pragma argument)}
The expected type for the @nt{expression} in a Priority
or Interrupt_Priority pragma is Integer.
@end{Resolution}

@begin{Legality}

A Priority pragma is allowed only immediately within a @nt{task_definition},
a @nt{protected_definition}, or the @nt{declarative_part} of a
@nt{subprogram_body}. An Interrupt_Priority pragma is allowed only
immediately within a @nt{task_definition} or a @nt{protected_definition}.
At most one such pragma shall appear within a given construct.

For a Priority pragma that appears in the @nt{declarative_part} of a
@nt{subprogram_body}, the @nt{expression} shall be static, and its value shall
be in the range of System.Priority.
@begin{Reason}
This value is needed before it gets elaborated, when the environment task
starts executing.
@end{Reason}

@end{Legality}

@begin{StaticSem}

@leading@keepnext@;The following declarations exist in package System:
@begin{example}
@key{subtype} Any_Priority @key{is} Integer @key{range} @RI{implementation-defined};
@key{subtype} Priority @key{is} Any_Priority
   @key{range} Any_Priority'First .. @RI{implementation-defined};
@key{subtype} Interrupt_Priority @key{is} Any_Priority
   @key{range} Priority'Last+1 .. Any_Priority'Last;

Default_Priority : @key{constant} Priority := (Priority'First + Priority'Last)/2;
@end{example}
@ImplDef{The declarations of Any_Priority and Priority.}

The full range of priority values supported by an implementation is specified
by the subtype Any_Priority. The subrange of priority values that are high
enough to require the blocking of one or more interrupts is specified by the
subtype Interrupt_@!Priority. @Redundant[The subrange of priority values below
System.@!Interrupt_@!Priority'First is specified by the subtype System.@!Priority.]

The priority specified by a Priority or Interrupt_Priority pragma is the
value of the @nt{expression} in the pragma, if any. If there is no
@nt{expression} in an Interrupt_Priority pragma, the priority value is
Interrupt_Priority'Last.

@end{StaticSem}

@begin{RunTime}

A Priority pragma has no effect
if it occurs in the @nt{declarative_part} of the @nt{subprogram_body} of a
subprogram other than the main subprogram.

@Defn{task priority}
@Defn{priority}
@Defn{priority inheritance}
@Defn{base priority}
@Defn{active priority}
A @i{task priority} is an integer value that indicates a degree of urgency
and is the basis for resolving competing demands of tasks for
resources. Unless otherwise specified, whenever tasks compete
for processors or other implementation-defined resources, the
resources are allocated to the task with the highest priority
value.
The @i{base priority} of a task is the priority with which it was
created, or to which it was later set by Dynamic_Priorities.Set_Priority
(see @RefSecNum{Dynamic Priorities}). At all times, a task also has
an @i{active priority}, which generally reflects its base priority
as well as any priority it inherits from other sources.
@i{Priority inheritance} is the process by which the priority of a
task or other entity (e.g. a protected object;
see @RefSecNum{Priority Ceiling Locking}) is used in the evaluation of another
task's active priority.
@ImplDef{Implementation-defined execution resources.}

The effect of specifying such a pragma in a @nt{protected_definition}
is discussed in @RefSecNum{Priority Ceiling Locking}.

@Defn2{Term=[creation], Sec=(of a task object)}
The @nt{expression} in a Priority or Interrupt_Priority pragma that
appears in a @nt{task_definition} is evaluated for each task object
(see @RefSecNum{Task Units and Task Objects}).
For a Priority pragma, the
value of the @nt{expression} is converted to the subtype Priority; for an
Interrupt_Priority pragma, this value is converted to the subtype Any_Priority.
The priority value is then associated with the task object whose
@nt{task_definition} contains the pragma.
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Priority)}
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Interrupt_Priority)}

Likewise, the priority value is associated with the environment task if the
pragma appears in the @nt{declarative_part} of the main subprogram.

The initial value of a task's base priority is specified by default or
by means of a Priority or Interrupt_Priority pragma.
@Redundant[After a task is created,
its base priority can be changed only by a call to
Dynamic_Priorities.Set_Priority (see @RefSecNum{Dynamic Priorities}).]
The initial base priority of a task in the absence of a pragma is the
base priority of the task that creates it at the time of creation
(see @RefSecNum{Task Units and Task Objects}).
If a pragma Priority does not apply to the main subprogram,
the initial base priority of the environment task is
System.Default_Priority.
@Redundant[The task's active priority is used when the task competes for
processors.
Similarly, the task's active priority is used
to determine the task's position in any queue when Priority_Queuing is
specified (see @RefSecNum{Entry Queuing Policies}).]

@Leading@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00357-01]}
At any time, the active priority of a task is the maximum of all the
priorities the task is inheriting at that instant. For a task that is not
held (see @RefSecNum{Asynchronous Task Control}), its base priority is
@Chg{Version=[2],New=[],Old=[always ]}a source of priority inheritance
@Chg{Version=[2],New=[unless otherwise
specified for a particular task dispatching policy],Old=[]}.
Other sources of priority inheritance are specified under the following
conditions:
@begin{Discussion}
Other parts of the annex, e.g.
@RefSecNum{Asynchronous Task Control}, define
other sources of priority inheritance.
@end{Discussion}
@begin{itemize}

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0072],ARef=[AI95-00092-01]}
During activation, a task being activated inherits the active priority
@Chg{New=[that],Old=[of the]} its activator (see
@RefSecNum{Task Execution - Task Activation})@Chg{New=[ had at the time
the activation was initiated],Old=[]}.

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0072],ARef=[AI95-00092-01]}
During rendezvous, the task accepting the entry call inherits the
@Chg{New=[],Old=[active ]}priority of the @Chg{New=[entry call],Old=[caller]}
(see @RefSecNum{Entry Calls}@Chg{New=[ and @RefSecNum{Entry Queuing Policies}],Old=[]}).

During a protected action on a protected object, a task inherits the ceiling
priority of the protected object (see @RefSecNum{Intertask Communication} and
@RefSecNum{Priority Ceiling Locking}).

@end{itemize}

In all of these cases, the priority ceases to be
inherited as soon as the condition calling for the inheritance no longer
exists.

@end{RunTime}

@begin{ImplReq}

The range of System.Interrupt_Priority shall include at least one value.

The range of System.Priority shall include at least 30 values.

@end{ImplReq}

@begin{Notes}

The priority expression can include references to
discriminants of the enclosing type.

It is a consequence of the active priority rules that at the point when
a task stops inheriting a priority from another source, its active priority
is re-evaluated. This is in addition to other instances described in this
Annex for such re-evaluation.

An implementation may provide a non-standard mode in which tasks
inherit priorities under conditions other than those specified
above.
@begin{Ramification}
The use of a Priority or Interrupt_Priority pragma does not
require the package System to be named in a @nt{with_clause} for the
enclosing @nt{compilation_unit}.
@end{Ramification}

@end{Notes}

@begin{Extend83}
@Defn{extensions to Ada 83}
The priority of a task is per-object and not per-type.

Priorities need not be static anymore (except for the main subprogram).

@end{Extend83}

@begin{DiffWord83}

The description of the Priority pragma has been moved to this annex.

@end{DiffWord83}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0072],ARef=[AI95-00092-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Clarified that dynamic
  priority changes are not transitive - that is, they don't apply to tasks
  that are being activated by or in rendezvous with the task that had its
  priority changed.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
  @ChgAdded{Version=[2],Text=[Generalized the definition of priority
  inheritance to take into account the differences between the existing and
  new dispatching policies.]}
@end{DiffWord95}


@LabeledClause{Priority Scheduling}

@begin{Intro}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
@Redundant[This clause describes the rules that determine which task is
selected for execution when more than one task is ready
(see @Chg{Version=[2],New=[@RefSecNum{Tasks and Synchronization}],
Old=[@RefSecNum{Task Execution - Task Activation}]}).@Chg{Version=[2],
New=[],Old=[ The rules have two parts: the task dispatching model
(see @RefSecNum{The Task Dispatching Model}),
and a specific task dispatching policy
(see @RefSecNum{Task Dispatching Pragmas}).]}]
@end{Intro}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
  @ChgAdded{Version=[2],Text=[This introduction is simplified in order to
  reflect the rearrangement and expansion of this clause.]}
@end{DiffWord95}


@LabeledSubClause{The Task Dispatching Model}

@begin{Intro}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
@Redundant[The task dispatching model specifies @Chg{Version=[2],
New=[task],Old=[preemptive]} scheduling, based on conceptual
priority-ordered ready queues.]
@end{Intro}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[@key<package> Ada.Dispatching @key<is>@ChildUnit{Parent=[Ada],Child=[Dispatching]}
  @key<pragma> Pure(Dispatching);
  @AdaExcDefn{Dispatching_Policy_Error} : @key<exception>;
@key<end> Ada.Dispatching;]}
@end{Example}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[Dispatching serves as the parent of other
language-defined library units concerned with task dispatching.]}

@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
A task @Chg{Version=[2],New=[can become],Old=[runs (that is, it becomes]} a
@i{running task}@Chg{Version=[2],New=[],Old=[)]} only @Chg{Version=[2],
New=[if],Old=[when]} it is ready (see @Chg{Version=[2],New=[@RefSecNum{Tasks and Synchronization}],
Old=[@RefSecNum{Task Execution - Task Activation}]}) and
the execution resources required by that task are available.
Processors are allocated to tasks based on each task's active priority.

It is implementation defined whether, on a multiprocessor, a task that
is waiting for access to a protected object keeps its processor busy.
@ImplDef{Whether, on a multiprocessor, a task that
is waiting for access to a protected object keeps its processor busy.}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
@Defn{task dispatching}
@Defn{dispatching, task}
@RootDefn{task dispatching point}
@RootDefn{dispatching point}
@i{Task dispatching} is the process by which one ready task is selected
for execution on a processor. This selection is done at certain points
during the execution of a task called @i{task dispatching points}.
A task reaches a task dispatching point whenever it becomes blocked,
and @Chg{Version=[2],New=[when it terminates],Old=[whenever it becomes ready.
In addition, the completion of an @nt{accept_statement}
(see @RefSecNum{Entries and Accept Statements}), and task termination are
task dispatching points for the executing task]}.
@Redundant[Other task dispatching points are defined
throughout this Annex@Chg{Version=[2],New=[ for specific policies],Old=[]}.]
@begin{Ramification}
On multiprocessor systems, more than one task can be chosen, at the
same time, for execution on more than one processor, as explained below.
@end{Ramification}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
@Defn{ready queue}
@Defn{head (of a queue)}
@Defn{tail (of a queue)}
@Defn{ready task}
@PDefn{task dispatching policy}
@PDefn{dispatching policy for tasks}
@i{Task dispatching policies} are specified in terms of conceptual
@i{ready queues}@Chg{Version=[2],New=[ and],Old=[,]} task states@Chg{Version=[2],
New=[],Old=[, and task preemption]}.
A ready queue is an ordered list of ready tasks.
The first position in a queue is called the
@i{head of the queue}, and the last position is called the
@i{tail of the queue}.
A task is @i{ready} if it is in a ready queue,
or if it is running.
Each processor has one ready queue for each priority value. At any instant,
each ready queue of a processor contains exactly the set of tasks of that
priority that are ready for execution on that
processor, but are not running on any processor; that is, those tasks
that are ready, are not running on any processor, and can be
executed using that processor and other available resources.
A task can be on the ready queues of more than one processor.
@begin{Discussion}
The core language defines a ready task as one that is not
blocked. Here we refine this definition and
talk about ready queues.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
@Defn{running task}
Each processor also has one @i{running task},
which is the task currently being executed by that processor.
Whenever a task running on a processor reaches a task dispatching
point@Chg{Version=[2],New=[ it goes back to one or more ready queues; a],
Old=[, one]} task @Chg{Version=[2],New=[(possibly the same task) ],Old=[]}is
@Chg{Version=[2],New=[then ],Old=[]}selected to run on that processor.
The task selected is the one at the head of the highest priority
nonempty ready queue;
this task is then removed from all ready queues to which it
belongs.
@begin{Discussion}
There is always at least one task to run,
if we count the idle task.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[@Defn{preemptible resource}
A preemptible resource is a resource that while allocated
to one task can be allocated (temporarily) to another
instead.
Processors are preemptible resources. Access to a protected object
(see @RefSecNum{Protected Subprograms and Protected Actions})
is a nonpreemptible resource.
@Defn{preempted task}
When a higher-priority task is dispatched to the processor, and the previously
running task is placed on the appropriate ready queue, the latter task
is said to be @i{preempted}.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[Deleted]}
  @ChgDeleted{Version=[2],Text=[A processor that is executing a task is available
  to execute tasks of higher priority, within the set of tasks that that
  processor is able to execute. Write access to a protected object, on the other
  hand, cannot be granted to a new task before the old task has released it.]}
@end{Reason}

@ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[@PDefn{task dispatching point}
@PDefn{dispatching point}
A new running task is also selected whenever there is a nonempty ready queue
with a higher priority than the priority of the running
task, or when the task dispatching policy requires a
running task to go back to a ready queue.
@Redundant[These are also task dispatching points.]]}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[Deleted]}
  @ChgDeleted{Version=[2],Text=[Thus, when a task becomes ready, this is a task
  dispatching point for all running tasks of lower priority.]}
@end{Ramification}

@end{RunTime}

@begin{ImplPerm}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
An implementation is allowed to define additional resources as execution
resources, and to define the corresponding allocation policies for them.
Such resources may have an implementation@Chg{Version=[2],New=[-],Old=[ ]}defined
effect on task dispatching@Chg{Version=[2],New=[],
Old=[ (see @RefSecNum{Task Dispatching Pragmas})]}.
@ChgImplDef{Version=[2],Kind=[Revised],
Text=[The @Chg{Version=[2],New=[effect],Old=[affect]} of
implementation@Chg{Version=[2],New=[-],Old=[ ]}defined
execution resources on task dispatching.]}

An implementation may place implementation-defined restrictions on
tasks whose active priority is in the Interrupt_Priority range.
@begin{Ramification}
For example, on some operating systems,
it might be necessary to disallow them altogether.
This permission applies to tasks whose priority is set to interrupt
level for any reason: via a pragma,
via a call to Dynamic_Priorities.Set_Priority,
or via priority inheritance.
@end{Ramification}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00321-01]}
@ChgNote{This was moved up from the previous section.}
@ChgAdded{Version=[2],Text=[@Redundant[For optimization purposes,]
an implementation may alter the points at which task dispatching occurs, in an
implementation-defined manner. However, a @nt{delay_statement} always
corresponds to at least one task dispatching point.]}

@end{ImplPerm}

@begin{Notes}

Section 9 specifies under which circumstances a task
becomes ready.
The ready state is affected by the rules for
task activation and termination, delay statements, and entry calls.
@PDefn{blocked}
When a task is not ready, it is said to be blocked.

An example of a possible implementation-defined execution
resource is a page of physical memory, which needs to be loaded
with a particular page of virtual memory before a task can
continue execution.

The ready queues are purely conceptual; there is no requirement that such
lists physically exist in an implementation.

While a task is running, it is not on any ready queue. Any time
the task that is running on a processor is added to a ready queue,
a new running task is selected for that processor.

In a multiprocessor system, a task can be on the ready queues of more than
one processor. At the extreme, if several processors share the same set of
ready tasks, the contents of their ready queues is identical, and so
they can be viewed as sharing one ready queue, and can be implemented that
way.
@Redundant[Thus, the dispatching model covers
multiprocessors where dispatching is implemented using a single
ready queue, as well as those with separate dispatching domains.]

The priority of a task is determined by rules specified in this subclause, and
under @RefSec{Task Priorities}, @RefSec{Priority Ceiling Locking}, and
@RefSec{Dynamic Priorities}.

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgNote{This note is moved up from the next subclause.}
@ChgAdded{Version=[2],Text=[The setting of a task's base priority as a result
of a call to Set_Priority does not always take effect immediately when
Set_Priority is called. The effect of setting the task's base priority is
deferred while the affected task performs a protected action.]}

@end{Notes}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
  @ChgAdded{Version=[2],Text=[This description is simplified to describe only
  the parts of the dispatching model common to all policies. In particular,
  rules about preemption are moved elsewhere. This makes
  it easier to add other policies (which may not involve preemption).]}
@end{DiffWord95}


@LabeledRevisedSubClause{Version=[2],
New=[Task Dispatching Pragmas],
Old=[The Standard Task Dispatching Policy]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause allows a single task
dispatching policy to be defined for all priorities, or the range of priorities
to be split into subranges that are assigned individual dispatching
policies.]]}
@end{Intro}

@begin{Syntax}
@begin{SyntaxText}
@Leading@Keepnext@;The form of a @nt{pragma} Task_Dispatching_Policy is as follows:
@end{SyntaxText}

@PragmaSyn`@key{pragma} @prag(Task_Dispatching_Policy)(@SynI{policy_}@Syn2{identifier});'

@begin{SyntaxText}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Type=[Leading],Keepnext=[T],Text=[The form of a
@nt{pragma} Priority_Specific_Dispatching is as follows:]}
@end{SyntaxText}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=`@AddedPragmaSyn`Version=[2],@key{pragma} @prag<Priority_Specific_Dispatching> (@*
@ @ @ @ @ @SynI{policy_}@Syn2{identifier}, @SynI{first_priority_}@Syn2{expression}, @SynI{last_priority_}@Syn2{expression});''}

@end{Syntax}

@begin{Resolution}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The expected type for @SynI{first_priority_}@nt{expression}
and @SynI{last_priority_}@nt{expression} is Integer.]}
@end{Resolution}

@begin{Legality}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01],ARef=[AI95-00355-01]}
The @SynI{policy_}@nt{identifier} @Chg{Version=[2],New=[used in a @nt{pragma}
Task_Dispatching_Policy shall be the name of a task dispatching policy],
Old=[shall either be FIFO_Within_Priorities or
an implementation-defined @Syn2{identifier}]}.
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[Implementation-defined @SynI{policy_}@Syn2{identifier}s allowed
in a @nt{pragma} Task_Dispatching_Policy.]}]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The @SynI{policy_}@nt{identifier}
used in a @nt{pragma}
Priority_Specific_Dispatching shall be the name of a task dispatching policy.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[Both @Syni{first_priority_}@!@nt{expression} and
@Syni{last_priority_}@!@nt{expression} shall be static expressions in the range
of System.Any_Priority; @SynI{last_priority_}@!@nt{expression} shall have a
value greater than or equal to @SynI{first_priority_}@!@nt{expression}.]}

@end{Legality}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[@nt{Pragma} Task_Dispatching_Policy specifies the
single task dispatching policy.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[@nt{Pragma} Priority_Specific_Dispatching specifies
the task dispatching policy for the specified range of priorities. Tasks with
base priorities within the range of priorities specified in a
Priority_Specific_Dispatching pragma have their active priorities determined
according to the specified dispatching policy. Tasks with active priorities
within the range of priorities specified in a Priority_Specific_Dispatching
pragma are dispatched according to the specified dispatching policy.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[Each ready queue is managed by exactly one
  policy. Anything else would be chaos. The ready queue is determined by
  the active priority. However, how the active priority is calculated is
  determined by the policy; in order to break out of this circle, we have
  to say that the active priority is calculated by the method determined
  by the policy of the base priority.]}
@end{Reason}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[If a partition contains one or more
Priority_Specific_Dispatching pragmas the dispatching policy for priorities not
covered by any Priority_Specific_Dispatching pragmas is
FIFO_Within_Priorities.]}

@end{StaticSem}

@begin{LinkTime}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00355-01]}
@PDefn2{Term=[configuration pragma], Sec=(Task_Dispatching_Policy)}
@PDefn2{Term=[pragma, configuration], Sec=(Task_Dispatching_Policy)}
A Task_Dispatching_Policy pragma is a configuration pragma.@Chg{Version=[2],
New=[ A Priority_Specific_Dispatching pragma is a configuration pragma.
@PDefn2{Term=[configuration pragma], Sec=(Priority_Specific_Dispatching)}
@PDefn2{Term=[pragma, configuration], Sec=(Priority_Specific_Dispatching)}],Old=[]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The priority ranges specified in more than one
Priority_Specific_Dispatching pragma within the same partition shall not be
overlapping.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[If a partition contains one or more
Priority_Specific_Dispatching pragmas it shall not contain a
Task_Dispatching_Policy pragma.]}

@ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00333-01]}
@ChgDeleted{Version=[2],Text=[If the FIFO_Within_Priorities policy is specified
for a partition, then the Ceiling_Locking policy
(see @RefSecNum{Priority Ceiling Locking}) shall also be specified for
the partition.]}

@end{LinkTime}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00355-01]}
@Defn{task dispatching policy}
@Redundant[A @i{task dispatching policy} specifies the details of task
dispatching that are not covered by the basic task dispatching model.
These rules govern when tasks are inserted into and
deleted from the ready queues@Chg{Version=[2],New=[],Old=[,
and whether a task is inserted at the head or the tail of the
queue for its active priority]}.]
@Chg{Version=[2],New=[A single],Old=[The]} task dispatching policy is
specified by a Task_Dispatching_Policy @Chg{Version=[2],New=[],Old=[configuration ]}pragma.
@Chg{Version=[2],New=[Pragma Priority_Specific_Dispatching assigns distinct
dispatching policies to subranges of System.Any_Priority.],
Old=[@PDefn{unspecified}If no such pragma appears in any of the program
units comprising a partition, the task dispatching policy for
that partition is unspecified.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[@PDefn{unspecified}If neither @nt{pragma} applies
to any of the program units comprising a partition, the task dispatching policy
for that partition is unspecified.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[If a partition contains one or more
Priority_Specific_Dispatching pragmas a task dispatching point occurs for the
currently running task of a processor whenever there is a non-empty ready queue
for that processor with a higher priority than the priority of the running
task.]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[If we have priority specific dispatching then we
  want preemption across the entire range of priorities. That prevents higher
  priority tasks from being blocked by lower priority tasks that have a
  different policy. On the other hand, if we have a single policy for the
  entire partition, we want the characteristics of that policy to apply for
  preemption; specifically, we may not require any preemption. Note that policy
  Non_Preemptive_FIFO_Within_Priorities is not allowed in a priority specific
  dispatching pragma.]}
@end{Discussion}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[A task that has its base priority changed may move
from one dispatching policy to another. It is immediately subject
to the new dispatching policy.]}

@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Once subject to the new dispatching policy, it
  may be immediately preempted or dispatched, according the rules of the new
  policy.]}
@end{Ramification}

@ChgNote{The following stuff is moved to the next subclause}
@begin{NotIso}
@ChgAdded{Version=[2],Noprefix=[T],Noparanum=[T],Text=[@Shrink{@i<Paragraphs 7
through 13 were moved to D.2.3.>}]}@Comment{This message should be deleted if the
paragraphs are ever renumbered.}
@end{NotIso}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Type=[Leading],Text=[The language defines only one task
dispatching policy, FIFO_Within_Priorities; when this policy is in effect,
modifications to the ready queues occur only as follows:]}

@begin{itemize}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[When a blocked task becomes ready,
it is added at the tail of the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[When the active priority of a ready task that is
not running changes, or the setting of its base priority takes effect, the task
is removed from the ready queue for its old active priority and is added at the
tail of the ready queue for its new active priority, except in the case where
the active priority is lowered due to the loss of inherited priority, in which
case the task is added at the head of the ready queue for its new active
priority.]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[When the setting of the base priority of a
running task takes effect, the task is added to the tail of the ready queue for
its active priority.]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[When a task executes a @nt{delay_statement} that
does not result in blocking, it is added to the tail of the ready queue for its
active priority.]}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[DeletedNoDelMsg]}
  @ChgDeleted{Version=[2],Text=[If the delay does result in blocking,
  the task moves to the @lquotes@;delay queue@rquotes@;,
  not to the ready queue.]}
@end{Ramification}

@end{itemize}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[@PDefn{task dispatching point}
@PDefn{dispatching point}
Each of the events specified above is a task dispatching point
(see @RefSecNum{The Task Dispatching Model}).]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[In addition, when a task is preempted, it is
added at the head of the ready queue for its active priority.]}

@end{RunTime}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00333-01],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[An implementation shall allow, for a single
partition, both the locking policy (see @RefSecNum{Priority Ceiling Locking})
to be specified as Ceiling_Locking
and also one or more Priority_Specific_Dispatching pragmas to be given.]}
@end{ImplReq}

@begin{DocReq}

@begin{NotIso}
@ChgAdded{Version=[2],Noprefix=[T],Noparanum=[T],Text=[@Shrink{@i<Paragraphs 14
through 16 were moved to D.2.3.>}]}@Comment{This message should be deleted if the
paragraphs are ever renumbered.}
@end{NotIso}
@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Type=[Leading],Text=[@Defn{priority inversion}
@i{Priority inversion} is the duration for which a task remains at the
head of the highest priority ready queue while the processor executes
a lower priority task. The implementation shall document:]}
@begin{Itemize}
@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[The maximum priority inversion a user task can experience due to activity
of the implementation (on behalf of lower priority tasks), and]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[whether execution of a task can be preempted by
the implementation processing of delay
expirations for lower priority tasks, and if so, for how long.]}
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[Implementation-defined aspects of priority inversion.]}]}
@end{Itemize}

@end{DocReq}

@begin{ImplPerm}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00256-01]}
Implementations are allowed to define other task dispatching policies, but
need not support more than one @Chg{Version=[2],New=[task dispatching],
Old=[such]} policy per partition.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00355-01]}
@Chg{Version=[2],New=[An implementation need not support @nt{pragma}
Priority_Specific_Dispatching if it is infeasible to support it in the
target environment.],
Old=[@Redundant[For optimization purposes,]
an implementation may alter the points at which task dispatching occurs,
in an implementation defined manner.
However, a @nt{delay_statement} always corresponds to at least one task
dispatching point.]}

@ChgImplDef{Version=[2],Kind=[Revised],Text=[Implementation defined task
dispatching@Chg{Version=[2],New=[ policies],Old=[]}.]}

@end{ImplPerm}

@begin{Notes}

@begin{NotIso}
@ChgAdded{Version=[2],Noprefix=[T],Noparanum=[T],Text=[@Shrink{@i<Paragraphs 19
through 21 were deleted.>}]}@Comment{This message should be deleted if the
paragraphs are ever renumbered.}
@end{NotIso}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[If the active priority of a running task is
lowered due to loss of inherited priority (as it is on completion of a
protected operation) and there is a ready task of the same active priority that
is not running, the running task continues to run (provided that there is no
higher priority task).]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[The setting of a task's base priority as a result
of a call to Set_Priority does not always take effect immediately when
Set_Priority is called. The effect of setting the task's base priority is
deferred while the affected task performs a protected action.]}

@ChgRef{Version=[2],Kind=[DeletedNoDelMsg],ARef=[AI95-00321-01]}
@ChgDeleted{Version=[2],Text=[Setting the base priority of a ready task causes
the task to move to the end of the queue for its active priority,
regardless of whether the active priority of the task actually changes.]}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00333-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  @B[Amendment Correction:] It is no longer required to specify Ceiling_Locking
  with the language-defined task dispatching policies; we only require that
  implementations @i<allow> them to be used together.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[@key{Pragma} Priority_Specific_Dispatching is
  new; it allows specifying different policies for different priorities.]}
@end{Extend95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00256-01]}
  @ChgAdded{Version=[2],Text=[Clarified that an implementation need support
  only one task dispatching policy (of any kind, language-defined or otherwise)
  per partition.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
  @ChgAdded{Version=[2],Text=[This description is simplified to describe only
  the rules for the Task_Dispatching_Policy pragma that are common to
  all policies. In particular, rules about preemption are moved elsewhere. This
  makes it easier to add other policies (which may not involve preemption).]}
@end{DiffWord95}


@LabeledAddedSubClause{Version=[2],Name=[Preemptive Dispatching]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause defines a preemptive task
dispatching policy.]]}
@end{Intro}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The @SynI{policy_}@nt{identifier}
FIFO_Within_Priorities is a task dispatching policy.]}

@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[When FIFO_Within_Priorities is in effect,
modifications to the ready queues occur only as follows:]}

@begin{itemize}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[When a blocked task becomes ready, it is added at
the tail of the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When the active priority of a ready task that is
not running changes, or the setting of its base
priority takes effect, the task is removed from the ready queue for
its old active priority and is added at the tail of the ready queue for its new
active priority, except in the case where the active priority is lowered due to
the loss of inherited priority, in which case the task is added at the
head of the ready queue for its new active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When the setting of the base priority of a running task takes effect, the
task is added to the tail of the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When a task executes a @nt{delay_statement} that
does not result in blocking, it is added to the tail of the ready queue for
its active priority.]}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[If the delay does result in blocking,
  the task moves to the @lquotes@;delay queue@rquotes@;,
  not to the ready queue.]}
@end{Ramification}

@end{itemize}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[@PDefn{task dispatching point}
@PDefn{dispatching point}
Each of the events specified above is a task dispatching point
(see @RefSecNum{The Task Dispatching Model}).]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[A task dispatching point occurs for the currently
running task of a processor whenever there is a nonempty ready queue for that
processor with a higher priority than the priority of the running task. The
currently running task is said to be @i<preempted> and it is added at the head
of the ready queue for its active priority.@Defn2{Term=[preempt],Sec=[a running task]}]}

@end{RunTime}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00333-01]}
@ChgAdded{Version=[2],Text=[An implementation shall allow, for a single
partition, both the task dispatching policy to be specified as
FIFO_Within_Priorities and also the locking policy (see
@RefSecNum{Priority Ceiling Locking}) to be specified as Ceiling_Locking.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This is the preferred combination of the
  FIFO_Within_Priorities policy with a locking policy, and we want that
  combination to be portable.]}
@end{Reason}
@end{ImplReq}

@begin{DocReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[@Defn{priority inversion}
@i{Priority inversion} is the duration for which a task remains at the
head of the highest priority nonempty ready queue while the processor executes
a lower priority task. The implementation shall document:]}

@begin{Itemize}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[The maximum priority inversion a user task
can experience due to activity
of the implementation (on behalf of lower priority tasks), and]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The maximum priority inversion a user task can experience from
the implementation.]}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[whether execution of a task can be preempted
by the implementation processing of delay
expirations for lower priority tasks, and if so, for how long.]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The amount of time that a task can be preempted for processing on
behalf of lower-priority tasks.]}]}
@end{Itemize}

@end{DocReq}

@begin{Notes}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[If the active priority of a running task is
lowered due to loss of
inherited priority (as it is on completion of a protected
operation) and there is a ready task of the same active priority
that is not running,
the running task continues to run (provided that there is no higher
priority task).]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
@ChgAdded{Version=[2],Text=[Setting the base priority of a ready task causes
the task to move to the tail of the queue for its active priority,
regardless of whether the active priority of the task actually changes.]}

@end{Notes}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
  @ChgAdded{Version=[2],Text=[This subclause is new; it mainly consists of
  text that was found in @RefSecNum{The Task Dispatching Model} and
  @RefSecNum{Task Dispatching Pragmas} in Ada 95. This was
  separated out so the definition of additional policies was easier.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00333-01]}
  @ChgAdded{Version=[2],Text=[We require that implementations allow
  this policy and Ceiling_Locking together.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[We explicitly defined FIFO_Within_Priorities
  to be a task dispatching policy.]}
@end{DiffWord95}


@LabeledAddedSubClause{Version=[2],Name=[Non-Preemptive Dispatching]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause defines a non-preemptive task
dispatching policy.]]}
@end{Intro}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The @SynI{policy_}@nt{identifier}
Non_Preemptive_FIFO_Within_Priorities is a task dispatching policy.]}

@end{StaticSem}

@begin{Legality}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[Non_Preemptive_FIFO_Within_Priorities shall not be
specified as the @SynI{policy_}@nt{identifier} of @nt{pragma}
Priority_Specific_Dispatching (see
@RefSecNum{Task Dispatching Pragmas}).]}

@begin{Reason}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[The non-preemptive nature of this policy could
cause the policies of higher priority tasks to malfunction, missing deadlines
and having unlimited priority inversion. That would render the use of such
policies impotent and misleading. As such, this policy only makes sense
for a complete system.]}
@end{Reason}
@end{Legality}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01]}
@ChgAdded{Version=[2],Text=[When Non_Preemptive_FIFO_Within_Priorities is in
effect, modifications to the ready queues occur only as follows:]}

@begin{itemize}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01]}
@ChgAdded{Version=[2],Text=[When a blocked task becomes ready, it is added at
the tail of the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When the active priority of a ready task that is
not running changes, or the setting of its base
priority takes effect, the task is removed from the ready queue for
its old active priority and is added at the tail of the ready queue for its new
active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When the setting of the base priority of a running task takes effect, the
task is added to the tail of the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When a task executes a @nt{delay_statement} that
does not result in blocking, it is added to the tail of the ready queue for
its active priority.]}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[If the delay does result in blocking,
  the task moves to the @lquotes@;delay queue@rquotes@;,
  not to the ready queue.]}
@end{Ramification}

@end{itemize}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[For this policy, a non-blocking @nt{delay_statement}
is the only non-blocking event that is a task dispatching point (see
@RefSecNum{The Task Dispatching Model}).@PDefn{task dispatching point}
@PDefn{dispatching point}]}

@end{RunTime}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00333-01]}
@ChgAdded{Version=[2],Text=[An implementation shall allow, for a single
partition, both the task dispatching policy to be specified as
Non_Preemptive_FIFO_Within_Priorities and also the locking policy (see
@RefSecNum{Priority Ceiling Locking}) to be specified as Ceiling_Locking.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This is the preferred combination of the
  Non_Preemptive_FIFO_Within_Priorities policy with a locking policy, and we
  want that combination to be portable.]}
@end{Reason}
@end{ImplReq}

@begin{ImplPerm}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01]}
@ChgAdded{Version=[2],Text=[Since implementations are allowed to round all
ceiling priorities in subrange System.Priority to System.Priority'Last (see
@RefSecNum{Priority Ceiling Locking}), an implementation may allow a task to
execute within a protected object without raising its active priority provided
the associated protected unit does not contain pragma Interrupt_Priority,
Interrupt_Handler, or Attach_Handler.]}

@end{ImplPerm}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00298-01],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Policy Non_Preemptive_FIFO_Within_Priorities is new.]}
@end{Extend95}


@LabeledAddedSubClause{Version=[2],Name=[Round Robin Dispatching]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause defines the task dispatching
policy Round_Robin_Within_Priorities and the package Round_Robin.]]}
@end{Intro}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The @SynI{policy}_@nt{identifier}
Round_Robin_Within_Priorities is a task dispatching policy.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{with} System;
@key{with} Ada.Real_Time;
@key{package} Ada.Dispatching.Round_Robin @key{is}@ChildUnit{Parent=[Ada.Dispatching],Child=[Round_Robin]}
  @AdaObjDefn{Default_Quantum} : @key{constant} Ada.Real_Time.Time_Span :=
             @RI[implementation-defined];
  @key{procedure} @AdaSubDefn{Set_Quantum} (Pri     : @key{in} System.Priority;
                         Quantum : @key{in} Ada.Real_Time.Time_Span);
  @key{procedure} @AdaSubDefn{Set_Quantum} (Low, High : @key{in} System.Priority;
                         Quantum   : @key{in} Ada.Real_Time.Time_Span);
  @key{function} @AdaSubDefn{Actual_Quantum} (Pri : System.Priority) @key{return} Ada.Real_Time.Time_Span;
  @key{function} @AdaSubDefn{Is_Round_Robin} (Pri : System.Priority) @key{return} Boolean;
@key{end} Ada.Dispatching.Round_Robin;]}
@end{Example}
@ChgImplDef{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The value of Default_Quantum in Dispatching.Round_Robin.]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[When task dispatching policy Round_Robin_Within_Priorities is the single
policy in effect for a partition, each task with priority in the range of
System.Interrupt_Priority is dispatched according to policy
FIFO_Within_Priorities.]}

@end{StaticSem}

@begin{Runtime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The procedures Set_Quantum set the required Quantum
value for a single priority level Pri or a range of priority levels Low .. High.
If no quantum is set for a Round Robin priority level, Default_Quantum is used.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The function Actual_Quantum returns the actual
quantum used by the implementation for the priority level Pri.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[The function Is_Round_Robin returns True if
priority Pri is covered by task dispatching policy
Round_Robin_Within_Priorities; otherwise it returns False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[A call of Actual_Quantum or Set_Quantum raises
exception Dispatching.Dispatching_Policy_Error if a predefined policy other
than Round_Robin_Within_Priorities applies to the specified priority
or any of the priorities in the specified range.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[For Round_Robin_Within_Priorities,
the dispatching rules for FIFO_Within_Priorities apply with the following
additional rules:]}

@begin{Itemize}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When a task is added or moved to the tail of the
ready queue for its base priority, it has an execution time budget equal to the
quantum for that priority level. This will also occur when a blocked task
becomes executable again.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When a task is preempted (by a higher priority
task) and is added to the head of the ready queue for its priority level, it
retains its remaining budget.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[While a task is executing, its budget is decreased
by the amount of execution time it uses. The accuracy of this accounting is the
same as that for execution time clocks (see @RefSecNum{Execution Time}).]}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Note that this happens even when the task
  is executing at a higher, inherited priority, and even if that higher
  priority is dispatched by a different policy than round robin.]}
@end{Ramification}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[When a task has exhausted its budget and is without
an inherited priority (and is not executing within a protected operation), it
is moved to the tail of the ready queue for its priority level. This is a task
dispatching point.]}

@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[In this case, it will be given
  a budget as described in the first bullet.]}

  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[The rules for FIFO_Within_Priority (to which
  these bullets are added) say that a task that has its base priority set to a
  Round Robin priority is moved to the tail of the ready queue for its new
  priority level, and then will be given a budget as described in the first
  bullet. That happens whether or not the task's original base priority was
  a Round Robin priority.]}
@end{Ramification}

@end{Itemize}

@end{Runtime}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00333-01],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[An implementation shall allow, for a single
partition, both the task dispatching policy to be specified as
Round_Robin_Within_Priorities and also the locking policy (see
@RefSecNum{Priority Ceiling Locking}) to be specified as Ceiling_Locking.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This is the preferred combination of the
  Round_Robin_Within_Priorities policy with a locking policy, and we
  want that combination to be portable.]}
@end{Reason}
@end{ImplReq}

@begin{DocReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[An implementation shall document the quantum values
supported.]}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The quantum values supported for round robin dispatching.]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[An implementation shall document the accuracy with
which it detects the exhaustion of the budget of a task.]}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The accuracy of the detection of the exhaustion of the budget of a task
for round robin dispatching.]}]}

@end{DocReq}

@begin{Notes}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[Due to implementation constraints, the quantum
value returned by Actual_Quantum might not be identical to that set with
Set_Quantum.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
@ChgAdded{Version=[2],Text=[A task that executes continuously with an inherited
priority will not be subject to round robin dispatching.]}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Policy Round_Robin_Within_Priorities and package
  Dispatching.Round_Robin are new.]}
@end{Extend95}


@RMNewPage@Comment{For printed Ada 2005 RM}
@LabeledAddedSubClause{Version=[2],Name=[Earliest Deadline First Dispatching]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The deadline of a task is an indication of the
urgency of the task; it represents a point on an ideal physical time line.
The deadline might affect how resources are allocated to the task.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[This clause defines a package for representing the
deadline of a task and a dispatching policy that defines Earliest Deadline
First (EDF) dispatching. A pragma is defined to assign an initial deadline to a
task.]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This pragma is the only way of assigning an
  initial deadline to a task so that its activation can be controlled by EDF
  scheduling. This is similar to the way pragma Priority is used to give an
  initial priority to a task.]}
@end{Discussion}

@end{Intro}

@begin{MetaRules}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[To predict the behavior of a multi-tasking program
it is necessary to control access to the processor which is preemptive, and
shared objects which are usually non-preemptive and embodied in protected
objects. Two common dispatching policies for the processor are fixed priority
and EDF. The most effective control over shared objects is via preemption
levels. With a pure priority scheme a single notion of priority is used for
processor dispatching and preemption levels. With EDF and similar schemes
priority is used for preemption levels (only), with another measure used for
dispatching. T.P. Baker showed (@i<Real-Time Systems>, March 1991, vol. 3, num.
1, @i<Stack-Based Scheduling of Realtime Processes>) that for EDF a newly
released task should only preempt the currently running task if it has an
earlier deadline and a higher preemption level than any currently
@lquotes@;locked@rquotes protected object. The rules of this clause implement
this scheme including the case where the newly released task should execute
before some existing tasks but not preempt the currently executing task.]}
@end{MetaRules}

@begin{Syntax}

@begin{SyntaxText}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Type=[Leading],Keepnext=[T],Text=[The form of a
@nt{pragma} Relative_Deadline is as follows:]}
@end{SyntaxText}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=`@AddedPragmaSyn`Version=[2],@key{pragma} @prag<Relative_Deadline> (@SynI{relative_deadline_}@Syn2{expression});''}

@end{Syntax}

@begin{Resolution}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The expected type for
@SynI{relative_deadline_}@nt{expression} is Real_Time.Time_Span.]}

@end{Resolution}

@begin{Legality}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[A Relative_Deadline pragma is allowed only
immediately within a @nt{task_definition} or the @nt{declarative_part} of a
@nt{subprogram_body}. At most one such pragma shall appear within a given
construct.]}

@end{Legality}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The @SynI{policy_}@nt{identifier}
EDF_Across_Priorities is a task dispatching policy.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{with} Ada.Real_Time;
@key{with} Ada.Task_Identification;
@key{package} Ada.Dispatching.EDF @key{is}@ChildUnit{Parent=[Ada.Dispatching],Child=[EDF]}
  @key{subtype} @AdaSubtypeDefn{Name=[Deadline],Of=[Time]} @key{is} Ada.Real_Time.Time;
  @AdaObjDefn{Default_Deadline} : @key{constant} Deadline :=
              Ada.Real_Time.Time_Last;
  @key{procedure} @AdaSubDefn{Set_Deadline} (D : @key{in} Deadline;
              T : @key{in} Ada.Task_Identification.Task_Id :=
              Ada.Task_Identification.Current_Task);
  @key{procedure} @AdaSubDefn{Delay_Until_And_Set_Deadline} (
              Delay_Until_Time : @key{in} Ada.Real_Time.Time;
              Deadline_Offset : @key{in} Ada.Real_Time.Time_Span);
  @key{function} @AdaSubDefn{Get_Deadline} (T : Ada.Task_Identification.Task_Id :=
              Ada.Task_Identification.Current_Task) @key{return} Deadline;
@key{end} Ada.Dispatching.EDF;]}
@end{Example}

@end{StaticSem}

@begin{LinkTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[If the EDF_Across_Priorities policy is specified
for a partition, then the Ceiling_Locking policy (see
@RefSecNum{Priority Ceiling Locking}) shall also be
specified for the partition.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[If the EDF_Across_Priorities policy appears in a
Priority_Specific_Dispatching pragma
(see @RefSecNum{Task Dispatching Pragmas})
in a partition, then the
Ceiling_Locking policy (see @RefSecNum{Priority Ceiling Locking}) shall also
be specified for the partition.]}

@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Unlike the other language-defined dispatching
  policies, the semantic description of EDF_Across_Priorities assumes
  Ceiling_Locking (and a ceiling priority) in order to make the mapping between
  deadlines and priorities work. Thus, we require both policies to be specified
  if EDF is used in the partition.]}
@end{Reason}

@end{LinkTime}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[A Relative_Deadline pragma has no effect if it
occurs in the @nt{declarative_part} of the @nt{subprogram_body} of a
subprogram other than the main subprogram.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The initial absolute deadline of a task containing
pragma Relative_Deadline is the value of Real_Time.Clock +
@SynI{relative_deadline_}@nt{expression}, where the call of Real_Time.Clock is made
between task creation and the start of its activation. If there is no
Relative_Deadline pragma then the initial absolute deadline of a task is the
value of Default_Deadline. @Redundant[The environment task is also given
an initial deadline by this rule.]]}

@begin{TheProof}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[The environment task is a normal task by
  @RefSecNum{Program Execution}, so of course this rule applies to it.]}
@end{TheProof}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The procedure Set_Deadline changes the absolute
deadline of the task to D. The function Get_Deadline returns the absolute
deadline of the task.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The procedure Delay_Until_And_Set_Deadline delays
the calling task until time Delay_Until_Time. When the task becomes runnable
again it will have deadline Delay_Until_Time + Deadline_Offset.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[On a system with a single processor, the setting of
the deadline of a task to the new value occurs immediately at the first point
that is outside the execution of a protected action. If the task is currently
on a ready queue it is removed and re-entered on to the ready queue determined
by the rules defined below.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[When EDF_Across_Priorities is specified for
priority range @i<Low>..@i<High> all ready queues in this range are ordered by
deadline. The task at the head of a queue is the one with the earliest
deadline.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[A task dispatching point occurs
for the currently running task @i<T> to
which policy EDF_Across_Priorities applies:]}

@begin{Itemize}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[when a change to the deadline of @i<T> occurs;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[there is a task on the ready queue for the
active priority of @i<T> with a deadline earlier than the deadline of @i<T>; or]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[there is a non-empty ready queue for that processor
with a higher priority than the active priority of the running task.]}

@end{Itemize}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[In these cases, the currently running task is said
to be preempted and is returned to
the ready queue for its active priority.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[For a task @i<T> to which policy
EDF_Across_Priorities applies, the base priority is not a source of
priority inheritance; the active priority when first activated or
while it is blocked is defined as the maximum of the following:]}

@begin{Itemize}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[the lowest priority in the range specified as
EDF_Across_Priorities that includes the base priority of @i<T>;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[the priorities, if any, currently inherited by
@i<T>;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[the highest priority @i<P>, if any, less than the
base priority of @i<T> such that one or more tasks are executing within a
protected object with ceiling priority @i<P> and task @i<T>
has an earlier deadline than all such tasks.]}
@end{Itemize}

@begin{Ramification}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[The active priority of @i<T> might be lower than
its base priority.]}
@end{Ramification}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[When a task @i<T> is first activated or becomes
unblocked, it is added to the ready queue corresponding to this active
priority. Until it becomes blocked again, the active priority of @i<T>
remains no less than this value; it will exceed this value only while it is
inheriting a higher priority.]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[These rules ensure that a task executing in
  a protected object is preempted only by a task with a shorter deadline and a
  higher base priority. This matches the traditional preemption level
  description without the need to define a new kind of protected object
  locking.]}
@end{Discussion}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[When the setting of the base priority of a ready
task takes effect and the new priority is in a range specified as
EDF_Across_Priorities, the task is added to the ready queue
corresponding to its new active priority, as determined above.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[For all the operations defined in Dispatching.EDF,
Tasking_Error is raised if the task identified by T has terminated.
Program_Error is raised if the value of T is Null_Task_Id.]}

@end{RunTime}

@begin{Bounded}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=(bounded error),Sec=(cause)}
If EDF_Across_Priorities is specified for priority range @i<Low>..@i<High>, it
is a bounded error to declare a protected object with ceiling priority
@i<Low> or to assign the value @i<Low> to attribute 'Priority. In either case
either Program_Error is raised or the ceiling of the protected
object is assigned the value @i<Low>+1.]}

@end{Bounded}

@begin{Erron}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=(erroneous execution),Sec=(cause)}
If a value of Task_Id is passed as a parameter to any of the subprograms
of this package and the corresponding task object no longer exists,
the execution of the program is erroneous.]}

@end{Erron}

@begin{DocReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[On a multiprocessor, the implementation shall
document any conditions that cause the completion of the setting of the deadline
of a task to be delayed later than what is specified for a single processor.]}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[Any conditions that cause the completion of the setting of the deadline
of a task to be delayed for a multiprocessor.]}]}
@end{DocReq}

@begin{Notes}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[If two adjacent priority ranges, @i<A>..@i<B> and
@i<B>+1..@i<C> are specified to have policy
EDF_Across_Priorities then this is not equivalent to this policy being
specified for the single range, @i<A>..@i<C>.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[The above rules implement the preemption-level
protocol (also called Stack Resource Policy protocol) for resource sharing
under EDF dispatching. The preemption-level for a task is denoted by its base
priority. The definition of a ceiling preemption-level for a protected object
follows the existing rules for ceiling locking.]}

@begin{ImplNote}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
  @ChgAdded{Version=[2],Text=[An implementation may support additional
  dispatching policies by replacing absolute deadline with an alternative
  measure of urgency.]}
@end{ImplNote}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Policy EDF_Across_Priorities and package Dispatching.EDF are new.]}
@end{Extend95}


@LabeledClause{Priority Ceiling Locking}

@begin{Intro}
@Redundant[This clause specifies the interactions between priority task
scheduling and protected object ceilings. This interaction is based on
the concept of the @i{ceiling priority} of a protected object.]
@end{Intro}

@begin{Syntax}
@begin{SyntaxText}
@Leading@Keepnext@;The form of a @nt{pragma} Locking_Policy is as follows:
@end{SyntaxText}

@PragmaSyn`@key{pragma} @prag(Locking_Policy)(@SynI{policy_}@Syn2{identifier});'
@end{Syntax}

@begin{Legality}

The @SynI{policy_}@Syn2{identifier} shall either be Ceiling_Locking
or an implementation-defined @Syn2{identifier}.
@ImplDef{Implementation-defined @SynI{policy_}@Syn2{identifier}s allowed
in a @nt{pragma} Locking_Policy.}

@end{Legality}

@begin{LinkTime}

@PDefn2{Term=[configuration pragma], Sec=(Locking_Policy)}
@PDefn2{Term=[pragma, configuration], Sec=(Locking_Policy)}
A Locking_Policy pragma is a configuration pragma.

@end{LinkTime}

@begin{RunTime}

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0073],ARef=[AI95-00091-01]}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
@Defn{locking policy}
@Redundant[A locking policy specifies the details of protected object
locking. @Chg{Version=[2],New=[All protected objects have a priority.
The locking policy specifies the meaning of
the priority of a],Old=[These rules specify whether or not]} protected @Chg{Version=[2],
New=[object],Old=[objects have
priorities]}, and the relationships between these priorities and
task priorities. In addition, the policy specifies the state of a task
when it executes a protected action, and how its active priority is
affected by the locking.]
The @i{locking policy} is specified by a Locking_Policy pragma. For
implementation-defined locking policies, the @Chg{Version=[2],New=[meaning of
the priority of],Old=[effect of a Priority or
Interrupt_Priority pragma on]} a protected object is
implementation defined.
If no Locking_Policy pragma @Chg{New=[applies to],Old=[appears in]} any
of the program units comprising a partition, the locking policy for that
partition, as well as the @Chg{Version=[2],New=[meaning of
the priority of],Old=[effect of specifying either a Priority or
Interrupt_Priority pragma for]} a protected object, are implementation defined.
@Chg{Version=[2],New=[@Defn2{Term=[Priority],Sec=[of a protected object]}],Old=[]}

@ChgImplDef{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The locking policy if no Locking_Policy pragma applies to any unit of
a partition.]}]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Text=[The @nt{expression} of a Priority or Interrupt_Priority
pragma (see @RefSecNum{Task Priorities}) is evaluated as part of the creation
of the corresponding
protected object and converted to the subtype System.Any_Priority or
System.Interrupt_Priority, respectively. The value of the expression is the
initial priority of the corresponding protected object. If no Priority or
Interrupt_Priority pragma applies to a protected object, the initial priority
is specified by the locking policy.
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Priority)}
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Interrupt_Priority)}]}

@Leading@;There is one predefined locking policy, Ceiling_Locking; this policy is
defined as follows:
@begin{itemize}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
@Defn2{Term=[ceiling priority], Sec=(of a protected object)}
Every protected object has a @i{ceiling priority}, which
is determined by either a Priority or Interrupt_Priority pragma as
defined in @RefSecNum{Task Priorities}@Chg{Version=[2],New=[, or by
assignment to the Priority attribute as described
in @RefSecNum{Dynamic Priorities for Protected Objects}],Old=[]}.
The ceiling priority of a protected object (or ceiling, for short) is an
upper bound on the active priority a task can have when
it calls protected operations of that protected object.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
The @Chg{Version=[2],New=[initial ceiling priority of a],Old=[@nt{expression}
of a Priority or Interrupt_Priority pragma is evaluated
as part of the creation of the corresponding]}
protected object
@Chg{Version=[2],New=[is
equal to the initial priority for that object.],Old=[and converted
to the subtype System.Any_Priority or System.Interrupt_Priority, respectively.
The value of the @nt{expression} is the ceiling priority of
the corresponding protected object.
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Priority)}
@PDefn2{Term=[implicit subtype conversion],Sec=(pragma Interrupt_Priority)}]}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
If an Interrupt_Handler or Attach_Handler pragma
(see @RefSecNum{Protected Procedure Handlers}) appears in a
@nt{protected_definition} without an Interrupt_Priority pragma, the
@Chg{Version=[2],New=[initial],Old=[ceiling]} priority of protected objects
of that type is implementation defined,
but in the range of the subtype System.Interrupt_Priority.
@ImplDef{Default ceiling priorities.}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
If no @nt{pragma} Priority, Interrupt_Priority,
Interrupt_Handler, or Attach_Handler is specified in the
@nt{protected_definition}, then the @Chg{Version=[2],New=[initial],Old=[ceiling]}
priority of the corresponding protected object is System.Priority'Last.

While a task executes a protected action, it inherits the ceiling
priority of the corresponding protected object.

@IndexCheck{Ceiling_Check}
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}
When a task calls a protected operation, a check is made that its active
priority is not higher than the ceiling of the corresponding protected object;
Program_Error is raised if this check fails.

@end{Itemize}

@end{RunTime}

@begin{Bounded}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[Following any change of priority,
it is a bounded error for the active priority of any task with a call queued on
an entry of a protected object to be higher than the ceiling priority of the
protected object.
@PDefn2{Term=(bounded error),Sec=(cause)}
In this case one of the following applies:]}

@begin{Itemize}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[at any time prior to executing the entry body
Program_Error is raised in the calling task;
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}]}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[when the entry is open the entry body is executed
at the ceiling priority of the protected object;]}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[when the entry is open the entry body is executed
at the ceiling priority of the protected object and then Program_Error is
raised in the calling task; or
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}]}

@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[when the entry is open the entry body
is executed at the ceiling priority of the protected object that was in effect
when the entry call was queued.]}
@end{Itemize}
@begin{Ramification}
@ChgRef{Version=[2],Kind=[Added]}@Comment{This note was moved along with the above rules}
@ChgAdded{Version=[2],Text=[Note that the error is @lquotes@;blamed@rquotes@;
on the task that did the entry call, not the task that changed the
priority of the task or protected object.
This seems to make sense for the case of changing the priority of a task
blocked on a call, since if the Set_Priority had happened a
little bit sooner, before the task queued a call,
the entry-calling task would get the error.
Similarly, there is no reason not to raise the priority of a
task that is executing in an @nt{abortable_part}, so long as its
priority is lowered before it gets to the end and needs to cancel the
call.
The priority might need to be lowered to allow it to remove the call
from the entry queue,
in order to avoid violating the ceiling.
This seems relatively harmless, since there is an error,
and the task is about to start raising an exception anyway.]}
@end{Ramification}
@end{Bounded}

@begin{ImplPerm}

The implementation is allowed to round all ceilings in a certain
subrange of System.Priority or System.Interrupt_Priority up to
the top of that subrange, uniformly.
@begin{Discussion}
For example, an implementation might use Priority'Last for all ceilings
in Priority, and Interrupt_Priority'Last for all ceilings in
Interrupt_Priority.
This would be equivalent to having two ceiling priorities for protected objects,
@lquotes@;nonpreemptible@rquotes@; and @lquotes@;noninterruptible@rquotes@;, and is an allowed behavior.

Note that the implementation cannot choose a subrange that crosses the
boundary between normal and interrupt priorities.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00256-01]}
Implementations are allowed to define other locking policies,
but need not support more than one @Chg{Version=[2],New=[locking],Old=[such]}
policy per partition.

@Redundant[Since implementations are allowed to place restrictions
on code that runs at an interrupt-level active priority
(see @RefSecNum{Protected Procedure Handlers}
and @RefSecNum{The Task Dispatching Model}),
the implementation may implement a language feature in terms
of a protected object with an implementation-defined ceiling,
but the ceiling shall be no less than Priority'Last.]
@ImplDef{The ceiling of any protected object used internally by the
implementation.}
@begin{TheProof}
This permission follows from the fact that
the implementation can place restrictions on interrupt
handlers and on any other code that runs at an interrupt-level
active priority.

The implementation might protect a storage pool with a
protected object whose ceiling is Priority'Last, which would cause
@nt{allocator}s to fail when evaluated at interrupt priority.
Note that the ceiling of such an object has to be at least
Priority'Last,
since there is no permission for @nt{allocator}s to fail when evaluated at
a non-interrupt priority.
@end{TheProof}

@end{ImplPerm}

@begin{ImplAdvice}

The implementation should use names that end with
@lquotes@;_Locking@rquotes@; for implementation-defined locking policies.

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[Names that end with @lquotes@;_Locking@rquotes@; should be used for
implementation-defined locking policies.]}]}

@end{ImplAdvice}

@begin{Notes}

While a task executes in a protected action, it can be preempted
only by tasks whose active priorities are higher than the
ceiling priority of the protected object.

If a protected object has a ceiling priority in the range
of Interrupt_Priority, certain interrupts are blocked while
protected actions of that object execute. In the extreme, if
the ceiling is Interrupt_Priority'Last, all blockable interrupts
are blocked during that time.

The ceiling priority of a protected object has to be in the
Interrupt_Priority range if one of its procedures is to be used as
an interrupt handler (see @RefSecNum{Interrupt Support}).

When specifying the ceiling of a protected object, one should
choose a value that is at least as high as the highest active priority
at which tasks can be executing when they call
protected operations of that object. In determining this
value the following factors, which can affect active priority,
should be considered: the effect of Set_Priority, nested
protected operations, entry calls, task activation, and other
implementation-defined factors.

Attaching a protected procedure whose ceiling is below the
interrupt hardware priority to an interrupt causes the execution of the
program to be erroneous
(see @RefSecNum{Protected Procedure Handlers}).

On a single processor implementation, the ceiling priority
rules guarantee that there is no possibility of deadlock involving
only protected subprograms (excluding the case where a protected operation
calls another protected operation on the same protected object).

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  All protected objects now have a priority, which
  is the value of the Priority attribute of
  @RefSecNum{Dynamic Priorities for Protected Objects}. How this value
  is interpreted depends on the locking policy; for instance, the ceiling
  priority is derived from this value when the locking policy is
  Ceiling_Locking.]}
@end{Extend95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0073],ARef=[AI95-00091-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Corrected the wording to
  reflect that pragma Locking_Policy cannot be inside of a program unit.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00256-01]}
  @ChgAdded{Version=[2],Text=[Clarified that an implementation need support
  only one locking policy (of any kind, language-defined or otherwise)
  per partition.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[The bounded error for the priority of a task
  being higher than the ceiling of an object it is currently in was moved here
  from @RefSecNum{Dynamic Priorities}, so that it applies no matter how the
  situation arises.]}
@end{DiffWord95}


@Comment{@RMNewPage  Break here so printed Ada 95 RM looks better.}
@LabeledClause{Entry Queuing Policies}

@begin{Intro}
@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0074],ARef=[AI95-00068-01]}
@Redundant[@Defn{queuing policy}
This clause specifies a mechanism for a user to choose an entry
@i{queuing policy}. It also defines @Chg{New=[two],Old=[one]}
such polic@Chg{New=[ies],Old=[y]}. Other policies are implementation defined.]
@ImplDef{Implementation-defined queuing policies.}
@end{Intro}

@begin{Syntax}
@begin{SyntaxText}
@Leading@Keepnext@;The form of a @nt{pragma} Queuing_Policy is as follows:
@end{SyntaxText}

@PragmaSyn`@key{pragma} @prag(Queuing_Policy)(@SynI{policy_}@Syn2{identifier});'
@end{Syntax}

@begin{Legality}

The @SynI{policy_}@Syn2{identifier} shall be either FIFO_Queuing,
Priority_Queuing or an implementation-defined @Syn2{identifier}.

@end{Legality}

@begin{LinkTime}

@PDefn2{Term=[configuration pragma], Sec=(Queuing_Policy)}
@PDefn2{Term=[pragma, configuration], Sec=(Queuing_Policy)}
A Queuing_Policy pragma is a configuration pragma.

@end{LinkTime}

@begin{RunTime}

@Defn{queuing policy}
@Redundant[A @i{queuing policy} governs the order in which tasks are queued
for entry service, and the order in which different entry queues are
considered for service.]
The queuing policy is specified by a Queuing_Policy pragma.
@begin{Ramification}
The queuing policy includes entry queuing order,
the choice among open alternatives of a @nt{selective_accept},
and the choice among queued entry calls of
a protected object when more than one @nt{entry_barrier} @nt{condition} is True.
@end{Ramification}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00355-01]}
Two queuing policies, FIFO_Queuing and Priority_Queuing,
are language defined. If no Queuing_Policy pragma
@Chg{Version=[2],New=[applies to],Old=[appears in]} any of the program units
comprising the partition, the queuing policy for that partition
is FIFO_Queuing. The rules for this policy are specified in
@RefSecNum{Entry Calls} and @RefSecNum{Selective Accept}.

@Leading@Keepnext@;The Priority_Queuing policy is defined as follows:
@begin{itemize}

@Defn{priority of an entry call}
The calls to an entry @Redundant[(including a member of an entry family)]
are queued in an order consistent with the priorities of the calls. The
@i{priority of an entry call} is initialized from the active
priority of the calling task at the time
the call is made, but can change later. Within the same priority,
the order is consistent with the calling (or requeuing,
or priority setting) time (that is, a FIFO order).

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0075],ARef=[AI95-00205-01]}
After a call is first queued, changes to the active priority of a task do
not affect the priority of the call, unless the base priority of the task is
set@Chg{New=[ while the task is blocked on an entry call],Old=[]}.

When the base priority of a task is set (see @RefSecNum{Dynamic Priorities}),
if the task is blocked on an entry call, and the call is queued,
the priority of the call is updated to the new active priority of the
calling task. This causes the call to be removed from and then reinserted in
the queue at the new active priority.
@begin{Reason}
A task is blocked on an entry call if the entry call is simple,
conditional, or timed.
If the call came from the @nt{triggering_statement} of an
@nt{asynchronous_select}, or a requeue thereof,
then the task is not blocked on that call;
such calls do not have their priority updated.
Thus, there can exist many queued calls from a given task
(caused by many nested ATC's),
but a task can be blocked on only one call at a time.

A previous version of Ada 9X required queue reordering in the
@nt{asynchronous_select} case as well.
If the call corresponds to a @lquotes@;synchronous@rquotes@; entry call, then the task
is blocked while queued, and it makes good sense to move it up in the
queue if its priority is raised.

However, if the entry call is @lquotes@;asynchronous,@rquotes@; that is, it is
due to an @nt{asynchronous_select} whose @nt{triggering_statement}
is an entry call, then the task is not waiting for this
entry call, so the placement of the entry call on the
queue is irrelevant to the rate at which the task proceeds.

Furthermore, when an entry is used for @nt{asynchronous_select}s,
it is almost certain to be a @lquotes@;broadcast@rquotes@; entry or have
only one caller at a time. For example, if the entry is
used to notify tasks of a mode switch, then all tasks on the
entry queue would be signaled when the mode changes. Similarly,
if it is indicating some interrupting event such as a control-C,
all tasks sensitive to the interrupt will want to be informed
that the event occurred. Hence, the order on such a queue is
essentially irrelevant.

Given the above, it seems an unnecessary semantic and implementation
complexity to specify that asynchronous queued calls are moved in
response to dynamic priority changes. Furthermore, it is somewhat
inconsistent, since the call was originally queued based on the active
priority of the task, but dynamic priority changes are changing the base
priority of the task, and only indirectly the active priority. We say
explicitly that asynchronous queued calls are not affected by normal
changes in active priority during the execution of an
@nt{abortable_part}. Saying that, if a change in the base priority
affects the active priority, then we do want the calls reordered, would
be inconsistent.
It would also require the implementation to maintain a readily
accessible list of all queued calls which would not otherwise be
necessary.

Several rules were removed or simplified when we changed the rules so
that calls due to @nt{asynchronous_select}s are never moved due to
intervening changes in active priority, be they due to protected
actions, some other priority inheritance, or changes in the base
priority.
@end{Reason}

When more than one @nt{condition} of an @nt{entry_barrier} of a protected
object becomes True, and more than one of the respective queues is nonempty,
the call with the highest priority is selected. If more than one such
call has the same priority, the call that is queued on the entry whose
declaration is first in textual order in the @nt{protected_definition} is
selected. For members of the same entry family,
the one with the lower family index is selected.

If the expiration time of two or more open
@nt{delay_alternative}s is the same and no other
@nt{accept_alternative}s are open, the
@nt{sequence_of_statements} of the @nt{delay_alternative} that is
first in textual order in the @nt{selective_accept} is executed.

When more than one alternative of a @nt{selective_accept} is
open and has queued calls, an alternative whose queue has the highest-priority
call at its head is selected.
If two or more open alternatives have equal-priority queued calls,
then a call on the entry in the @nt{accept_alternative} that is
first in textual order in the @nt{selective_accept}
is selected.

@end{itemize}

@end{RunTime}

@begin{ImplPerm}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00256-01]}
Implementations are allowed to define other queuing policies, but
need not support more than one @Chg{Version=[2],New=[queuing],Old=[such]}
policy per partition.
@begin{Discussion}
  @ChgRef{Version=[1],Kind=[Added],Ref=[8652/0116],ARef=[AI95-00069-01]}
  @ChgRef{Version=[2],Kind=[RevisedAdded],ARef=[AI95-00256-01]}
  @ChgAdded{Version=[1],Text=[This rule is really redundant, as
  @RefSecNum(Pragmas and Program Units) allows an implementation to limit the
  use of configuration pragmas to an empty environment. In that case, there
  would be no way to have multiple policies in a partition.@Chg{Version=[2],New=[],
  Old=[ In any case, the
  wording here really ought to be "...more than one queuing policy per
  partition.", since this part of the rule applies to all queuing policies, not
  just implementation-defined ones.]}]}
@end{Discussion}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00188-02]}
@ChgAdded{Version=[2],Text=[Implementations are allowed to defer the reordering
of entry queues following a change of base priority of a task blocked on the
entry call if it is not practical to reorder the queue immediately.]}
@begin{Reason}
@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[Priority change is immediate, but the effect of the
change on entry queues can be deferred. That is necessary in order to implement
priority changes on top of a non-Ada kernel.]}
@end{Reason}
@begin{Discussion}
@ChgRef{Version=[2],Kind=[Added]}
@ChgAdded{Version=[2],Text=[The reordering should occur as soon as the blocked
task can itself perform the reinsertion into the entry queue.]}
@end{Discussion}
@end{ImplPerm}

@begin{ImplAdvice}

The implementation should use names that end with
@lquotes@;_Queuing@rquotes@; for implementation-defined queuing policies.

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[Names that end with @lquotes@;_Queuing@rquotes@; should be used for
implementation-defined queuing policies.]}]}

@end{ImplAdvice}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0074],ARef=[AI95-00068-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Corrected the number of
  queuing policies defined.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0075],ARef=[AI95-00205-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Corrected so that a call of
  Set_Priority in an abortable part does not change the priority of the
  triggering entry call.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00188-02]}
  @ChgAdded{Version=[2],Text=[Added a permission to defer queue reordering
  when the base priority of a task is changed. This is a counterpart to
  stronger requirements on the implementation of priority change.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00256-01]}
  @ChgAdded{Version=[2],Text=[Clarified that an implementation need support
  only one queuing policy (of any kind, language-defined or otherwise)
  per partition.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[Fixed wording to make clear that @nt{pragma}
  never appears inside of a unit; rather it @lquotes@;applies to@rquotes the
  unit.]}
@end{DiffWord95}


@LabeledClause{Dynamic Priorities}


@begin{Intro}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[@Redundant[This clause describes how the
  priority of an entity can be modified or queried at run time.]]}
@end{Intro}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[This clause is turned into two subclauses.
  This clause introduction is new.]}
@end{DiffWord95}


@LabeledAddedSubClause{Version=[2],Name=[Dynamic Priorities for Tasks]}

@begin{Intro}
@Redundant[This clause describes how the base priority of a task can be
modified or queried at run time.]
@end{Intro}

@begin{StaticSem}
@Leading@Keepnext@;The following language-defined library package exists:
@begin{Example}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00362-01]}
@key[with] System;
@key[with] Ada.Task_Identification; @RI{-- See @RefSecNum[The Package Task_Identification]}
@key[package] Ada.Dynamic_Priorities @key[is]@ChildUnit{Parent=[Ada],Child=[Dynamic_Priorities]}@Chg{Version=[2],New=[
    @key[pragma] Preelaborate(Dynamic_Priorities);],Old=[]}

    @key[procedure] @AdaSubDefn{Set_Priority}(Priority : @key[in] System.Any_Priority;
                           T : @key[in] Ada.Task_Identification.Task_Id :=
                           Ada.Task_Identification.Current_Task);

    @key[function] @AdaSubDefn{Get_Priority} (T : Ada.Task_Identification.Task_Id :=
                           Ada.Task_Identification.Current_Task)
                           @key[return] System.Any_Priority;

@key[end] Ada.Dynamic_Priorities;
@end{example}
@end{StaticSem}

@begin{RunTime}
The procedure Set_Priority sets the base priority of the specified task
to the specified Priority value.
Set_Priority has no effect if the task is terminated.

The function Get_Priority returns T's current base priority.
@Defn2{Term=[Tasking_Error],Sec=(raised by failure of run-time check)}
Tasking_Error is raised if the task is terminated.
@begin{Reason}
There is no harm in setting the priority of a terminated task.
A previous version of Ada 9X made this a run-time error.
However, there is little difference between setting the priority of a
terminated task, and setting the priority of a task that is about to
terminate very soon;
neither case should be an error.
Furthermore, the run-time check is not necessarily feasible to implement
on all systems, since priority changes might be deferred due to
inter-processor communication overhead,
so the error might not be detected until after Set_Priority has
returned.

However, we wish to allow implementations to avoid storing @lquotes@;extra@rquotes@;
information about terminated tasks.
Therefore, we make Get_Priority of a terminated task raise an exception;
the implementation need not continue to store the priority of a task
that has terminated.
@end{Reason}

@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}
Program_Error is raised by Set_Priority and Get_Priority if T is equal
to Null_Task_Id.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00188-02]}
@Chg{Version=[2],New=[On a system with a single processor, the setting of],
Old=[Setting]} the @Chg{Version=[2],New=[],Old=[task's ]}base
priority@Chg{Version=[2],New=[ of a task @i{T}],Old=[]}
to the new value @Chg{Version=[2],
New=[occurs immediately at the first point when @i{T} is
outside the execution of],Old=[takes place as soon
as is practical but not while the task is performing]} a
protected action@Chg{Version=[2],New=[],Old=[.
This setting occurs no later then the next abort completion point of
the task T
(see @RefSecNum{Abort of a Task - Abort of a Sequence of Statements})]}.

@begin{ImplNote}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00188-02]}
@Chg{Version=[2],New=[The priority change is immediate if the target task
is on a delay queue or a ready queue outside of a protected action.
However, consider when],Old=[When]}
Set_Priority is called by a task T1 to set the priority of T2,
if T2 is blocked, waiting on an entry call queued on a protected object,
the entry queue needs to be reordered.
Since T1 might have a priority that is higher than the ceiling of the
protected object, T1 cannot, in general, do the reordering.
One way to implement this is to wake T2 up and have T2 do the work.
This is similar to the disentangling of queues that needs to happen when
a high-priority task aborts a lower-priority task,
which might have a call queued on a protected object with a low
ceiling.@Chg{Version=[2],New=[ We have an @ImplPermName in
@RefSecNum{Entry Queuing Policies} to allow this implementation. We could
have required an immediate priority change if on a ready queue during a
protected action, but that would have required extra checks for ceiling
violations to meet @BoundedName requirements of
@RefSecNum{Priority Ceiling Locking} and potentially could cause a protected
action to be abandoned in the middle (by raising Program_Error). That seems
bad.],Old=[]}
@end{ImplNote}
@begin{Reason}
@Leading@;A previous version of Ada 9X made it a run-time error
for a high-priority task to set the priority of a lower-priority
task that has a queued call on a protected object with a low ceiling.
This was changed because:
@begin{Itemize}
The check was not feasible to implement on all systems,
since priority changes might be deferred due to
inter-processor communication overhead.
The calling task would continue to execute without finding out whether
the operation succeeded or not.

The run-time check would tend to cause intermittent system failures @em
how is the caller supposed to know whether the other task happens to
have a queued call at any given time? Consider for example an
interrupt that needs to trigger a priority change in some task.
The interrupt handler could not safely call Set_Priority without knowing
exactly what the other task is doing,
or without severely restricting the ceilings used in the system.
If the interrupt handler wants to hand the job off to a third task whose
job is to call Set_Priority, this won't help, because one would normally
want the third task to have high priority.
@end{Itemize}
@end{Reason}
@end{RunTime}

@begin{Bounded}
@ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00327-01]}
@ChgDeleted{Version=[2],Text=[@PDefn2{Term=(bounded error),Sec=(cause)}
If a task is blocked on a protected entry call, and the call is queued,
it is a bounded error to raise its base priority
above the ceiling priority of the corresponding
protected object.
When an entry call is cancelled, it is a bounded error
if the priority of the calling task is higher than
the ceiling priority of the corresponding
protected object.
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}
In either of these cases,
either Program_Error is raised in the task that called the entry,
or its priority is temporarily lowered,
or both, or neither.]}
@begin{Ramification}
@ChgRef{Version=[2],Kind=[Deleted]}
@ChgDeleted{Version=[2],Text=[Note that the error is @lquotes@;blamed@rquotes@; on the task that did the entry call,
not the task that called Set_Priority.
This seems to make sense for the case of a task blocked on a call,
since if the Set_Priority had happened a
little bit sooner, before the task queued a call,
the entry-calling task would get the error.
In the other case, there is no reason not to raise the priority of a
task that is executing in an @nt{abortable_part}, so long as its
priority is lowered before it gets to the end and needs to cancel the
call.
The priority might need to be lowered to allow it to remove the call
from the entry queue,
in order to avoid violating the ceiling.
This seems relatively harmless, since there is an error,
and the task is about to start raising an exception anyway.]}
@end{Ramification}
@end{Bounded}

@begin{Erron}
@PDefn2{Term=(erroneous execution),Sec=(cause)}
If any subprogram in this package is called with a parameter T that
specifies a task object that no longer exists, the execution of the
program is erroneous.
@begin{Ramification}
Note that this rule overrides the above rule saying that
Program_Error is raised on Get_Priority of a terminated task.
If the task object still exists, and the task is terminated,
Get_Priority raises Program_Error.
However, if the task object no longer exists,
calling Get_Priority causes erroneous execution.
@end{Ramification}
@end{Erron}

@begin{DocReq}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00188-02]}
@ChgAdded{Version=[2],Text=[On a multiprocessor, the implementation shall
document any conditions that cause the completion of the setting of the
priority of a task to be delayed later than what is specified for a
single processor.]}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[Any conditions that cause the completion of the setting of the priority
of a task to be delayed for a multiprocessor.]}]}
@end{DocReq}

@begin{Metrics}
@Leading@;The implementation shall document the following metric:
@begin{Itemize}
The execution time of a call to Set_Priority, for the nonpreempting case,
in processor clock cycles. This is measured for a call that modifies the
priority of a ready task that is not running (which
cannot be the calling one), where the new
base priority of the affected task is lower than the active priority of the
calling task, and the affected task is not on any entry queue and is not
executing a protected operation.
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for Set_Priority.]}]}
@end{Metrics}

@begin{Notes}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00321-01]}
Setting a task's base priority affects task dispatching. First, it can
change the task's active priority. Second, under the @Chg{Version=[2],
New=[FIFO_Within_Priorities],Old=[standard
task dispatching]} policy it always causes the task to move to
the tail of the ready queue corresponding to its active priority,
even if the new base priority is unchanged.

Under the priority queuing policy, setting a task's base
priority has an effect on a queued entry call
if the task is blocked waiting for the call. That is, setting the
base priority of a task causes the priority of a queued entry
call from that task to be updated and the call to be removed and
then reinserted in the entry queue at the new priority
(see @RefSecNum{Entry Queuing Policies}),
unless the call originated from the @nt{triggering_statement} of an
@nt{asynchronous_select}.

The effect of two or more Set_Priority calls executed in parallel on
the same task is defined as executing these calls in some serial order.

@begin{TheProof}
This follows from the general reentrancy requirements stated near the
beginning of @RefSec{Predefined Language Environment}.
@end{TheProof}

The rule for when Tasking_Error is raised for Set_Priority or Get_Priority is
different from the rule for when Tasking_Error is raised on an
entry call (see @RefSecNum{Entry Calls}). In particular, setting or
querying the priority of a completed or an abnormal
task is allowed, so long as the task is not yet terminated.

Changing the priorities of a set of tasks can be performed by a
series of calls to Set_Priority for each task separately. For
this to work reliably, it should be done within a protected
operation that has high enough ceiling priority to guarantee that
the operation completes without being preempted by any of the
affected tasks.

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00188-02]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  @b[Amendment Correction:] Priority changes are
  now required to be done immediately so long as the target task is not on an
  entry queue.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00362-01]}
  @ChgAdded{Version=[2],Text=[Dynamic_Priorities is now Preelaborated,
  so it can be used in preelaborated units.]}
@end{Extend95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[This Ada 95 clause was turned into a subclause.
  The paragraph numbers are the same as those for
  @RefSecNum{Dynamic Priorities} in Ada 95.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00321-01]}
  @ChgAdded{Version=[2],Text=[There is no @lquotes@;standard@rquotes policy
  anymore, so that phrase was replaced by the name of a specific policy in
  the notes.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[The bounded error for the priority of a task
  being higher than the ceiling of an object it is currently in was moved
  to @RefSecNum{Priority Ceiling Locking}, so that it applies no matter how
  the situation arises.]}
@end{DiffWord95}


@RMNewPage@Comment{For printed Ada 2005 RM}
@LabeledAddedSubClause{Version=[2],Name=[Dynamic Priorities for Protected Objects]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Text=[This clause specifies how the priority of a
protected object can be modified or queried at run time.]}
@end{Intro}

@begin{StaticSem}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Type=[Leading],Keepnext=[T],Text=[The following attribute
is defined for @PrefixType{a @nt{prefix} P that denotes a protected object}:]}

@begin(Description)
@ChgAttribute{Version=[2],Kind=[AddedNormal],ChginAnnex=[T],
  Leading=<F>, Prefix=<P>, AttrName=<Priority>, ARef=[AI95-00327-01],
  Text=[@Chg{Version=[2],New=[Denotes a non-aliased component of the
  protected object P. This component is of type System.Any_Priority and its
  value is the priority of P. P'Priority denotes a variable if and only if P
  denotes a variable. A reference to this attribute shall appear only
  within the body of P.],Old=[]}]}
@EndPrefixType{}
@end{Description}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Text=[The initial value of this attribute is
the initial value of the priority of the protected object@Redundant[, and can
be changed by an assignment].]}
@end{StaticSem}

@begin{Runtime}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Text=[If the locking policy Ceiling_Locking (see
@RefSecNum{Priority Ceiling Locking}) is in effect
then the ceiling priority of a protected object @i<P> is set to the value of
@i<P>'Priority at the end of each protected action of @i<P>.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00445-01]}
@ChgAdded{Version=[2],Text=[If the locking policy Ceiling_Locking is in effect,
then for a protected object @i<P> with either an Attach_Handler or
Interrupt_Handler pragma applying to one of its procedures, a check is made
that the value to be assigned to @i<P>'Priority is in the range
System.Interrupt_Priority. If the check fails, Program_Error is
raised.@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}]}
@end{Runtime}

@begin{Metrics}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[The implementation shall document
the following metric:]}

@begin{Itemize}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Type=[Leading],Text=[The difference in execution time of
calls to the following procedures in protected object P:]}

@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key<protected> P @key<is>
   @key<procedure> Do_Not_Set_Ceiling (Pr : System.Any_Priority);
   @key<procedure> Set_Ceiling (Pr : System.Any_Priority);
@key<end> P;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key<protected body> P @key<is>
   @key<procedure> Do_Not_Set_Ceiling (Pr : System.Any_Priority) @key<is>
   @key<begin>
      @key<null>;
   @key<end>;
   @key<procedure> Set_Ceiling (Pr : System.Any_Priority) @key<is>
   @key<begin>
      P'Priority := Pr;
   @key<end>;
@key<end> P;]}
@end{Example}
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for setting the priority of a protected object.]}]}
@end{Metrics}

@begin{Notes}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
@ChgAdded{Version=[2],Text=[Since P'Priority is a normal variable, the value
following an assignment to the attribute immediately reflects the new value
even though its impact on the ceiling priority of P is postponed until
completion of the protected action in which it is executed.]}
@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01],ARef=[AI95-00445-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The ability to dynamically change and query the priority of a protected
  object is new.]}
@end{Extend95}



@RMNewPage@Comment{For printed RM Ada 2005 only}
@LabeledClause{Preemptive Abort}

@begin{Intro}
@Redundant[This clause specifies requirements on the immediacy with
which an aborted construct is completed.]
@end{Intro}

@begin{RunTime}

On a system with a single processor, an aborted construct is completed
immediately at the first point that is outside the execution of an
abort-deferred operation.

@end{RunTime}

@begin{DocReq}
On a multiprocessor, the implementation shall document any conditions that
cause the completion of an aborted construct to be delayed later than
what is specified for a single processor.
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[On a multiprocessor, any conditions that
cause the completion of an aborted construct to be delayed later than
what is specified for a single processor.]}]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[On a multiprocessor, any conditions that
cause the completion of an aborted construct to be delayed later than
what is specified for a single processor.]}]}
@end{DocReq}

@begin{Metrics}
@Leading@;The implementation shall document the following metrics:
@begin{Itemize}
The execution time, in processor clock cycles, that it takes for an
@nt{abort_statement} to cause the completion of the aborted task.
This is measured in a situation where a task T2 preempts task T1
and aborts T1. T1 does not have any finalization code. T2 shall
verify that T1 has terminated, by means of the Terminated attribute.

On a multiprocessor, an upper bound in seconds,
on the time that the completion of an aborted task can be delayed beyond
the point that it is required for a single processor.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00114-01]}
An upper bound on the execution time of an
@nt{asynchronous_select}, in processor clock cycles. This is measured
between a point immediately before a task
T1 executes a protected operation Pr.Set that makes the @nt{condition}
of an @nt{entry_barrier} Pr.Wait @Chg{Version=[2],
New=[True],Old=[true]}, and the point where task T2 resumes
execution immediately after an entry call to Pr.Wait in an
@nt{asynchronous_select}. T1 preempts T2 while
T2 is executing the abortable part, and then blocks itself so that
T2 can execute. The execution time of T1 is measured separately,
and subtracted.

An upper bound on the execution time of an
@nt{asynchronous_select},
in the case that no asynchronous transfer of control takes
place. This is measured between a point immediately before a task
executes the @nt{asynchronous_select} with a nonnull abortable
part, and the point where the task continues execution immediately after
it. The execution time of the abortable part is subtracted.
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for aborts.]}]}
@end{Metrics}

@begin{ImplAdvice}

Even though the @nt{abort_statement} is included in the list of
potentially blocking operations
(see @RefSecNum{Protected Subprograms and Protected Actions}),
it is recommended that this statement be implemented in a way that
never requires the task executing the @nt{abort_statement} to
block.

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The @nt{abort_statement} should not require the task executing the
statement to block.]}]}

On a multi-processor,
the delay associated with aborting a task on another processor
should be bounded;
the implementation should use periodic polling,
if necessary, to achieve this.

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[On a multi-processor,
the delay associated with aborting a task on another processor
should be bounded.]}]}

@end{ImplAdvice}

@begin{Notes}

Abortion does not change the active or base priority of the aborted task.

Abortion cannot be more immediate than is allowed by the rules for
deferral of abortion during finalization and in protected actions.

@end{Notes}


@LabeledClause{Tasking Restrictions}

@begin{Intro}
@Redundant[This clause defines restrictions that can be used with a
pragma Restrictions (see @RefSecNum{Pragma Restrictions}) to facilitate the
construction of highly efficient tasking run-time systems.]
@end{Intro}

@begin{StaticSem}
@Leading@;The following @SynI{restriction_}@nt{identifier}s are language defined:
@begin{Description}
@Defn2{Term=[Restrictions],Sec=(No_Task_Hierarchy)}No_Task_Hierarchy @\All (nonenvironment) tasks depend directly on
                        the environment task of the partition.

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0042],ARef=[AI95-00130-01]}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00360-01]}
@Defn2{Term=[Restrictions],Sec=(No_Nested_Finalization)}No_Nested_Finalization @\Objects
  @Chg{Version=[2],New=[of a type that needs finalization (see
  @RefSecNum{User-Defined Assignment and Finalization})],Old=[with
  controlled@Chg{New=[, protected, or task],Old=[]} parts]} and
  access types that designate @Chg{Version=[2],New=[a type that needs
  finalization],Old=[such objects@Chg{New=[,],Old=[]}]} shall be
  declared only at library level.
    @begin{Ramification}
@ChgRef{Version=[1],Kind=[Deleted],Ref=[8652/0042],ARef=[AI95-00130-01]}
    @ChgNote{This is no longer true.}
    @ChgDeleted{Version=[1],Text=[Note that protected types with entries and
    interrupt-handling protected types have nontrivial finalization actions.
    However, this restriction does not restrict those things.]}
    @end{Ramification}

@Defn2{Term=[Restrictions],Sec=(No_Abort_Statements)}No_Abort_Statements @\There are no @nt{abort_statement}s, and there are no
calls on Task_Identification.Abort_Task.

@Defn2{Term=[Restrictions],Sec=(No_Terminate_Alternatives)}No_Terminate_Alternatives @\There are no @nt{selective_accept}s with
                        @nt{terminate_alternative}s.

@Defn2{Term=[Restrictions],Sec=(No_Task_Allocators)}No_Task_Allocators @\There are no @nt{allocator}s for task types or types
                        containing task subcomponents.

@Defn2{Term=[Restrictions],Sec=(No_Implicit_Heap_Allocations)}No_Implicit_Heap_Allocations @\There are no operations that implicitly require
                        heap storage allocation to be performed by the
                        implementation. The operations that implicitly
                        require heap storage allocation are
                        implementation defined.
@ImplDef{Any operations that implicitly
require heap storage allocation.}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00327-01]}
No_Dynamic_Priorities @\There are no semantic dependences on the package
                Dynamic_Priorities@Chg{Version=[2],New=[, and no occurrences
                of the attribute Priority],Old=[]}.
@Defn2{Term=[Restrictions],Sec=(No_Dynamic_Priorities)}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00305-01],ARef=[AI95-00394-01]}
@Chg{Version=[2],New=[@Defn2{Term=[Restrictions],Sec=(No_Dynamic_Attachment)}No_Dynamic_Attachment],
Old=[@Defn2{Term=[Restrictions],Sec=(No_Asynchronous_Control)}No_Asynchronous_Control]}
    @\There
    @Chg{Version=[2],New=[is no call to any of the operations defined
    in package Interrupts (Is_Reserved, Is_Attached, Current_Handler,
    Attach_Handler, Exchange_Handler, Detach_Handler, and Reference).],
    Old=[are no semantic dependences on the package Asynchronous_Task_Control.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Local_Protected_Objects)}No_Local_Protected_Objects @\Protected
   objects shall be declared only at library level.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Local_Timing_Events)}No_Local_Timing_Events @\Timing_Events
   shall be declared only at library level.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Protected_Type_Allocators)}No_Protected_Type_Allocators @\There
   are no @nt{allocator}s for protected types or types
   containing protected type subcomponents.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Relative_Delay)}No_Relative_Delay @\There
   are no @nt{delay_relative_statement}s.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Requeue_Statements)}No_Requeue_Statements @\There
   are no @nt{requeue_statement}s.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Select_Statements)}No_Select_Statements @\There
   are no @nt{select_statement}s.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00394-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Specific_Termination_Handlers)}No_Specific_Termination_Handlers @\There
  are no calls to the Set_Specific_Handler and Specific_Handler subprograms
  in Task_Termination.]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(Simple_Barriers)}Simple_Barriers @\The
   Boolean expression in an entry barrier shall be either a static Boolean
   expression or a Boolean component of the enclosing protected object.]}

@end{Description}

@Leading@;The following @SynI{restriction_parameter_}@nt{identifier}s are
language defined:
@begin{Description}
@Defn2{Term=[Restrictions],Sec=(Max_Select_Alternatives)}Max_Select_Alternatives @\Specifies the maximum number of alternatives
                in a @nt{selective_accept}.

@Defn2{Term=[Restrictions],Sec=(Max_Task_Entries)}Max_Task_Entries @\Specifies the maximum number of entries per task.
    The bounds of every entry family
    of a task unit shall be static,
    or shall be defined by a discriminant of a subtype whose
    corresponding bound is static.
    @Redundant[A value of zero indicates that no rendezvous
    are possible.]

Max_Protected_Entries @\Specifies the maximum number of entries per
    protected type.
    The bounds of every entry family
    of a protected unit shall be static,
    or shall be defined by a discriminant of a subtype whose
    corresponding bound is static.
@Defn2{Term=[Restrictions],Sec=(Max_Protected_Entries)}
@end{Description}
@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[1],Kind=[Deleted],Ref=[8652/0076],ARef=[AI95-00067-01]}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[The following
@SynI{restriction_}@nt{identifier} is language defined:]}@Comment{Use ChgAdded so
we get conditional Leading.}@Chg{Version=[1],New=[],Old=[If the following restrictions
are violated, the behavior is implementation defined.
@IndexCheck{Storage_Check}
@Defn2{Term=[Storage_Error],Sec=(raised by failure of run-time check)}
If an implementation chooses to detect such a violation,
Storage_Error should be raised.]}

@begin{Description}
@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01],ARef=[AI95-00394-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],Sec=(No_Task_Termination)}No_Task_Termination @\All
   tasks are non-terminating. It is implementation-defined what happens if
   a task attempts to terminate. If there is a fall-back handler (see C.7.3)
   set for the partition it should be called when the first task attempts to
   terminate.]}
@ChgImplDef{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[When restriction No_Task_Termination applies to a partition, what
  happens when a task terminates.]}]}
@end{Description}

@Leading@;The following @SynI{restriction_parameter_}@nt{identifier}s are
language defined:
@begin{Description}
@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0076],ARef=[AI95-00067-01]}
@Defn2{Term=[Restrictions],Sec=(Max_Storage_At_Blocking)}Max_Storage_At_Blocking @\Specifies
  the maximum portion @redundant[(in storage elements)]
  of a task's Storage_Size that can be retained by a blocked task@Chg{New=[.
  If an implementation chooses to detect a violation of this
  restriction, Storage_Error should be raised;
  @IndexCheck{Storage_Check}
  @Defn2{Term=[Storage_Error],Sec=(raised by failure of run-time check)}
  otherwise, the behavior is implementation defined],Old=[]}.
@ChgImplDef{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The behavior when restriction Max_Storage_At_Blocking is violated.]}]}

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0076],ARef=[AI95-00067-01]}
@Defn2{Term=[Restrictions],Sec=(Max_Asynchronous_Select_Nesting)}Max_Asynchronous_Select_Nesting @\Specifies
  the maximum dynamic nesting level of @nt{asynchronous_select}s.
  A value of zero prevents the use of any @nt{asynchronous_@!select}@Chg{New=[ and,
  if a program contains an @nt{asynchronous_@!select}, it is illegal.
  @ChgNote{Part of the previous rule is redundant, but it is a different part
  [all of it for Old; from "prevents" to "and," for New] for each. So we omit it.}
  If an implementation chooses to detect a violation of this
  restriction for values other than zero, Storage_Error should be raised;
  @IndexCheck{Storage_Check}
  @Defn2{Term=[Storage_Error],Sec=(raised by failure of run-time check)}
  otherwise, the behavior is implementation defined],Old=[]}.
@ChgImplDef{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The behavior when restriction Max_Asynchronous_Select_Nesting is violated.]}]}

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0076],ARef=[AI95-00067-01]}
@Defn2{Term=[Restrictions],Sec=(Max_Tasks)}Max_Tasks @\Specifies the maximum
  number of task creations that may be executed over the lifetime of a
  partition, not counting the creation of the environment task@Chg{New=[.
  A value of zero prevents any task creation and, if a program contains a
  task creation, it is illegal. If an implementation chooses to detect a
  violation of this restriction, Storage_Error should be raised;
  @IndexCheck{Storage_Check}
  @Defn2{Term=[Storage_Error],Sec=(raised by failure of run-time check)}
  otherwise, the behavior is implementation defined],Old=[]}.
  @begin{Ramification}
     Note that this is not a limit on the
     number of tasks active at a given time;
     it is a limit on the total number of task creations that occur.
  @end{Ramification}
  @begin{ImplNote}
     We envision an implementation approach that places TCBs or pointers
     to them in a fixed-size table, and never reuses table elements.
  @end{ImplNote}
@ChgImplDef{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The behavior when restriction Max_Tasks is violated.]}]}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00305-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[Restrictions],
Sec=(Max_Entry_Queue_Length)}Max_Entry_Queue_Length @\Max_Entry_Queue_Length
  defines the maximum number of calls
  that are queued on an entry. Violation of this restriction
  results in the raising of Program_Error at the point of the call or
  requeue.@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}]}
@end{Description}

It is implementation defined whether the use of pragma Restrictions
results in a reduction in executable program size, storage requirements,
or execution time. If possible, the implementation should provide
quantitative descriptions of such effects for each restriction.
@ChgImplDef{Version=[2],Kind=[Revised],Text=[@Chg{Version=[2],
New=[Whether the use of],Old=[Implementation-defined aspects of]}
pragma Restrictions@Chg{Version=[2],New=[ results in a reduction in
program code or data size or execution time],Old=[]}.]}
@end{RunTime}

@begin{ImplAdvice}
When feasible, the implementation should take advantage of the specified
restrictions to produce a more efficient implementation.

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[When feasible, specified restrictions should be used to produce a more
efficient implementation.]}]}
@end{ImplAdvice}

@begin{Notes}
The above Storage_Checks can be suppressed with pragma Suppress.
@end{Notes}

@begin{Incompatible95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00360-01]}
  @ChgAdded{Version=[2],Text=[@Defn{incompatibilities with Ada 95}
  @b[Amendment Correction:] The No_Nested_Finalization is now defined in terms
  of types that need finalization. These types include a variety of
  language-defined types that @i<might> be implemented with a controlled type.
  If the restriction No_Nested_Finalization (see
  @RefSecNum{Tasking Restrictions}) applies to the partition, and one of these
  language-defined types does not have a controlled part, it will not be
  allowed in local objects in Ada 2005 whereas it would be allowed in original
  Ada 95. Such code is not portable, as other Ada compilers may have had a
  controlled part, and thus would be illegal under the restriction.]}
@end{Incompatible95}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01],ARef=[AI95-00305-01],ARef=[AI95-00394-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Restrictions No_Dynamic_Attachment, No_Local_Protected_Objects,
  No_Protected_Type_Allocators, No_Local_Timing_Events, No_Relative_Delay,
  No_Requeue_Statement, No_Select_Statements, No_Specific_Termination_Handlers,
  No_Task_Termination, Max_Entry_Queue_Length, and Simple_Barriers are newly
  added to Ada.]}
@end{Extend95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0042],ARef=[AI95-00130-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Clarified that
  No_Nested_Finalization covered task and protected parts as well.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0076],ARef=[AI95-00067-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Changed the description of
  Max_Tasks and Max_Asynchronous_Select_Nested to eliminate conflicts with the
  High Integrity Annex (see @RefSecNum{High Integrity Restrictions}).]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00327-01]}
  @ChgAdded{Version=[2],Text=[Added using of the new Priority attribute to
  the restriction No_Dynamic_Priorities.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00394-01]}
  @ChgAdded{Version=[2],Text=[Restriction No_Asynchronous_Control is now
  obsolescent.]}
@end{DiffWord95}


@LabeledClause{Monotonic Time}
@begin{Intro}
@Redundant[This clause specifies a high-resolution,
monotonic clock package.]
@end{Intro}

@begin{StaticSem}
@Leading@;The following language-defined library package exists:
@begin{example}
@key[package] Ada.Real_Time @key[is]@ChildUnit{Parent=[Ada],Child=[Real_Time]}

  @key[type] @AdaTypeDefn{Time} @key[is] @key[private];
  @AdaObjDefn{Time_First} : @key[constant] Time;
  @AdaObjDefn{Time_Last} : @key[constant] Time;
  @AdaObjDefn{Time_Unit} : @key[constant] := @RI{implementation-defined-real-number};



  @key[type] @AdaTypeDefn{Time_Span} @key[is] @key[private];
  @AdaObjDefn{Time_Span_First} : @key[constant] Time_Span;
  @AdaObjDefn{Time_Span_Last} : @key[constant] Time_Span;
  @AdaObjDefn{Time_Span_Zero} : @key[constant] Time_Span;
  @AdaObjDefn{Time_Span_Unit} : @key[constant] Time_Span;


  @AdaObjDefn{Tick} : @key[constant] Time_Span;
  @key[function] @AdaSubDefn{Clock} @key[return] Time;


  @key[function] "+" (Left : Time; Right : Time_Span) @key[return] Time;
  @key[function] "+" (Left : Time_Span; Right : Time) @key[return] Time;
  @key[function] "-" (Left : Time; Right : Time_Span) @key[return] Time;
  @key[function] "-" (Left : Time; Right : Time) @key[return] Time_Span;


  @key[function] "<" (Left, Right : Time) @key[return] Boolean;
  @key[function] "<="(Left, Right : Time) @key[return] Boolean;
  @key[function] ">" (Left, Right : Time) @key[return] Boolean;
  @key[function] ">="(Left, Right : Time) @key[return] Boolean;


  @key[function] "+" (Left, Right : Time_Span) @key[return] Time_Span;
  @key[function] "-" (Left, Right : Time_Span) @key[return] Time_Span;
  @key[function] "-" (Right : Time_Span) @key[return] Time_Span;
  @key[function] "*" (Left : Time_Span; Right : Integer) @key{return} Time_Span;
  @key[function] "*" (Left : Integer; Right : Time_Span) @key{return} Time_Span;
  @key[function] "/" (Left, Right : Time_Span) @key[return] Integer;
  @key[function] "/" (Left : Time_Span; Right : Integer) @key[return] Time_Span;

  @key[function] "@key[abs]"(Right : Time_Span) @key[return] Time_Span;

@ChgRef{Version=[1], Kind=[Deleted]}
@Chg[New=<>,Old=<@ @;@comment{Empty paragraph to hang junk paragraph number from original RM}>]

  @key[function] "<" (Left, Right : Time_Span) @key[return] Boolean;
  @key[function] "<="(Left, Right : Time_Span) @key[return] Boolean;
  @key[function] ">" (Left, Right : Time_Span) @key[return] Boolean;
  @key[function] ">="(Left, Right : Time_Span) @key[return] Boolean;


  @key[function] @AdaSubDefn{To_Duration} (TS : Time_Span) @key[return] Duration;
  @key[function] @AdaSubDefn{To_Time_Span} (D : Duration) @key[return] Time_Span;


@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00386-01]}
  @key[function] @AdaSubDefn{Nanoseconds}  (NS : Integer) @key{return} Time_Span;
  @key[function] @AdaSubDefn{Microseconds} (US : Integer) @key{return} Time_Span;
  @key[function] @AdaSubDefn{Milliseconds} (MS : Integer) @key{return} Time_Span;@Chg{Version=[2],New=[
  @key[function] @AdaSubDefn{Seconds}      (S  : Integer) @key{return} Time_Span;
  @key[function] @AdaSubDefn{Minutes}      (M  : Integer) @key{return} Time_Span;],Old=[]}


  @key[type] @AdaTypeDefn{Seconds_Count} @key[is] @key[range] @RI{implementation-defined};

  @key{procedure} @AdaSubDefn{Split}(T : @key{in} Time; SC : @key{out} Seconds_Count; TS : @key{out} Time_Span);
  @key{function} @AdaSubDefn{Time_Of}(SC : Seconds_Count; TS : Time_Span) @key{return} Time;

@key[private]
   ... -- @RI{not specified by the language}
@key[end] Ada.Real_Time;
@end{example}
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[Implementation-defined aspects of package Real_Time.]}]}

@Defn{real time}
In this Annex, @i{real time} is defined to be the physical time as observed
in the external environment.
The type Time is a @i{time type} as defined by
@RefSecNum{Delay Statements, Duration, and Time};
@Redundant[values of this type may be used in a
@nt{delay_until_statement}.]
Values of this type
represent segments of an ideal time line. The set of values of
the type Time corresponds one-to-one with an
implementation-defined range of mathematical integers.
@begin{Discussion}
Informally, real time is defined to be the International Atomic Time (TAI)
which is monotonic and nondecreasing. We use it here for the purpose of
discussing rate of change and monotonic behavior only. It does not imply
anything about the absolute value of Real_Time.Clock, or about Real_Time.Time
being synchronized with TAI. It is also used for real time in the metrics,
for comparison purposes.
@end{Discussion}
@begin{ImplNote}
The specification of TAI as @lquotes@;real time@rquotes@; does not preclude the
use of a simulated TAI clock for simulated execution environments.
@end{ImplNote}

@Defn{epoch}
@PDefn{unspecified}
The Time value I represents the half-open real time
interval that starts with E+I*Time_Unit and is limited by E+(I+1)*Time_Unit,
where Time_Unit is an implementation-defined real number and E is an
unspecified origin point, the @i{epoch}, that is the same
for all values of the type Time.
It is not specified by the language whether the time values are
synchronized with any standard time reference.
@Redundant[For example, E can correspond to the time of system
initialization or it can correspond to the epoch of some time standard.]
@begin{Discussion}
E itself does not have to be a proper time value.

This half-open interval I consists of all
real numbers R such that E+I*Time_Unit <= R < E+(I+1)*Time_Unit.
@end{Discussion}

Values of the type Time_Span represent length of real time
duration.
The set of values of this type corresponds one-to-one
with an implementation-defined range of mathematical integers.
The Time_Span value corresponding to the integer I
represents the real-time duration I*Time_Unit.
@begin{Reason}
The purpose of this type is similar to Standard.Duration; the idea is to
have a type with a higher resolution.
@end{Reason}
@begin{Discussion}
We looked at many possible names for this type: Real_Time.Duration,
Fine_Duration, Interval, Time_Interval_Length, Time_Measure, and more.
Each of these names had some problems, and we've finally settled for Time_Span.
@end{Discussion}

Time_First and Time_Last are the smallest and largest values of the
Time type, respectively.
Similarly, Time_Span_First and Time_Span_Last are the smallest and
largest values of the Time_Span type, respectively.

A value of type Seconds_Count represents an elapsed time,
measured in seconds,
since the epoch.

@end{StaticSem}

@begin{RunTime}

Time_Unit is the smallest amount of real time representable by the Time type;
it is expressed in seconds. Time_Span_Unit is the difference between
two successive values of the Time type. It is also the smallest positive
value of type Time_Span. Time_Unit and Time_Span_Unit represent
the same real time duration.
@Defn{clock tick}
A @i{clock tick} is a real time interval during
which the clock value (as observed by calling the Clock function) remains
constant. Tick is the average length of such intervals.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00432-01]}
The function To_Duration converts the value TS to a value of type
Duration. Similarly, the function To_Time_Span converts the value D
to a value of type Time_Span. For @Chg{Version=[2],New=[To_Duration],
Old=[both operations]}, the result is
rounded to the nearest @Chg{Version=[2],New=[value of type Duration],
Old=[exactly representable value]} (away from zero if exactly
halfway between two @Chg{Version=[2],New=[],
Old=[exactly representable ]}values).@Chg{Version=[2],New=[ If the result
is outside the range of Duration, Constraint_Error is raised. For To_Time_Span,
the value of D is first rounded to the nearest integral multiple of Time_Unit,
away from zero if exactly halfway between two multiples. If the
rounded value is outside the range of Time_Span, Constraint_Error is
raised. Otherwise, the value is converted to the type Time_Span.],Old=[]}

To_Duration(Time_Span_Zero) returns 0.0,
and To_Time_Span(0.0) returns Time_Span_Zero.

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00386-01],ARef=[AI95-00432-01]}
The functions Nanoseconds, Microseconds, @Chg{Version=[2],New=[],
Old=[and ]}Milliseconds@Chg{Version=[2],New=[, Seconds, and Minutes],Old=[]}
convert the input
parameter to a value of the type Time_Span. NS, US,@Chg{Version=[2],New=[],Old=[ and]}
MS@Chg{Version=[2],New=[, S, and M],Old=[]} are interpreted as a number of
nanoseconds, microseconds,@Chg{Version=[2],New=[],Old=[ and]}
milliseconds@Chg{Version=[2],New=[, seconds, and minutes],Old=[]}
respectively.@Chg{Version=[2],New=[ The input parameter is first converted to
seconds and rounded to the nearest integral multiple of Time_Unit, ],
Old=[The result is rounded to the nearest exactly
representable value (]}away from zero if exactly halfway between two
@Chg{Version=[2],New=[multiples. If the rounded value
is outside the range of Time_Span, Constraint_Error is raised.
Otherwise, the rounded value is converted to the type Time_Span],
Old=[exactly representable values)]}.
@begin{Discussion}
  @ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00432-01]}
  @ChgDeleted{Version=[2],Text=[The above does not imply that the Time_Span
  type will have to accommodate Integer'Last of milliseconds; Constraint_Error
  is allowed to be raised.]}
@end{Discussion}

The effects of the operators on Time and Time_Span are as for the
operators defined for integer types.
@begin{ImplNote}
  Though time values are modeled by integers, the types Time and
  Time_Span need not be implemented as integers.
@end{ImplNote}

The function Clock returns
the amount of time since the epoch.

The effects of the Split and Time_Of operations are defined as follows,
treating values of type
Time, Time_Span, and Seconds_Count as mathematical integers.
The effect of Split(T,SC,TS) is to set SC and TS to values
such that T*Time_Unit = SC*1.0 + TS*Time_Unit, and 0.0 <= TS*Time_Unit < 1.0.
The value returned by Time_Of(SC,TS) is the value T such that T*Time_Unit =
SC*1.0 + TS*Time_Unit.
@end{RunTime}

@begin{ImplReq}

The range of Time values shall be sufficient to uniquely
represent the range of real times from program start-up to 50 years later.
Tick shall be no greater than 1 millisecond.
Time_Unit shall be less than or equal to 20 microseconds.
@begin{ImplNote}
The required range and accuracy of Time are such that
32-bits worth of seconds and 32-bits worth of ticks in a second could be
used as the representation.
@end{ImplNote}

Time_Span_First shall be no greater than @en@;3600 seconds, and
Time_Span_Last shall be no less than 3600 seconds.
@begin{Reason}
This is equivalent to @PorM one hour and there is still room for
a two-microsecond resolution.
@end{Reason}

@Defn{clock jump}
A @i{clock jump} is the difference between two successive distinct values of
the clock (as observed by calling the Clock function). There shall be no
backward clock jumps.

@end{ImplReq}

@begin{DocReq}

The implementation shall document the values of Time_First, Time_Last,
Time_Span_@!First, Time_Span_@!Last, Time_Span_@!Unit, and Tick.
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The values of Time_First, Time_Last,
Time_Span_@!First, Time_Span_@!Last, Time_Span_@!Unit, and Tick
for package Real_Time.]}]}

The implementation shall document the properties of the underlying
time base used for the clock and for type Time,
such as the range of values supported
and any relevant aspects of the underlying hardware
or operating system facilities used.
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The properties of the underlying
time base used in package Real_Time.]}]}
@begin{Discussion}
If there is an underlying operating system,
this might include information about which system call is used
to implement the clock.
Otherwise, it might include information about which
hardware clock is used.
@end{Discussion}

The implementation shall document whether or not there is any synchronization
with external time references, and if such synchronization exists, the sources
of synchronization information, the frequency of synchronization, and the
synchronization method applied.
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[Any synchronization of package Real_Time with external time references.]}]}

@ChgRef{Version=[1],Kind=[Revised]}
The implementation shall document any aspects of the @Chg{New=[], Old=[the]}
@chgnote{Correct typo as noted at Potsdam ARG meeting}
external environment that could interfere with the clock behavior as defined
in this clause.
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[Any aspects of the external environment that could interfere with
package Real_Time.]}]}
@begin{Discussion}
For example, the implementation is allowed to rely on the time services of
an underlying operating system, and this operating system clock can
implement time zones or allow the clock to be reset by an operator.
This dependence has to be documented.
@end{Discussion}
@end{DocReq}

@begin{Metrics}
For the purpose of the metrics defined in this clause, real time is
defined to be the International Atomic Time (TAI).

@Leading@;The implementation shall document the following metrics:
@begin{Itemize}
An upper bound on the real-time duration of a clock tick. This is a value
D such that if t1 and t2 are any real times such that t1 < t2 and
Clock@-{t1} = Clock@-{t2} then t2 @en@; t1 <= D.

An upper bound on the size of a clock jump.

@Defn{drift rate}
An upper bound on the @i{drift rate} of Clock with respect to real time.
This is a real number D such that
@begin{display}
E*(1@en@;D) <= (Clock@-{t+E} @en@; Clock@-{t}) <= E*(1+D)
        provided that: Clock@-{t} + E*(1+D) <= Time_Last.
@end{display}

where Clock@-{t} is the value of Clock at time t, and E is a real
time duration not less than 24 hours. The value of E used for
this metric shall be reported.
@begin{Reason}
This metric is intended to provide a measurement
of the long term (cumulative) deviation; therefore, 24
hours is the
lower bound on the measurement period. On some implementations,
this is also the maximum period, since the language does not
require that the range of the type Duration be more than 24 hours.
On those implementations that support longer-range Duration, longer
measurements should be performed.
@end{Reason}

An upper bound on the execution time of a call to the Clock
function, in processor clock cycles.

Upper bounds on the execution times of the operators of the types Time
and Time_Span, in processor clock cycles.
@begin{ImplNote}
A fast implementation of the Clock function involves repeated
reading until you get the same value twice.
It is highly improbable that more than three reads will be necessary.
Arithmetic on time values should not be significantly slower
than 64-bit arithmetic in the underlying machine instruction set.
@end{ImplNote}
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The metrics for package Real_Time.]}]}
@end{Metrics}

@begin{ImplPerm}
Implementations targeted to machines with word size smaller than 32
bits need not support the full range and granularity of the
Time and Time_Span types.
@begin{Discussion}
These requirements are based on machines with a word size of 32 bits.

Since the range and granularity are implementation defined, the supported
values need to be documented.
@end{Discussion}
@end{ImplPerm}

@begin{ImplAdvice}

When appropriate, implementations should provide configuration mechanisms to
change the value of Tick.
@ChgImplAdvice{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[When appropriate, mechanisms to change the value of Tick should be
provided.]}]}
@begin{Reason}
This is often needed when the compilation system was originally targeted to a
particular processor with a particular interval timer, but the customer
uses the same processor with a different interval timer.
@end{Reason}
@begin{Discussion}
Tick is a deferred constant and not a named number
specifically for this purpose.
@end{Discussion}
@begin{ImplNote}
This can be achieved either by pre-run-time configuration
tools, or by having Tick be initialized
(in the package private part)
by a function call residing in a board specific module.
@end{ImplNote}

It is recommended that Calendar.Clock and Real_Time.Clock be implemented
as transformations of the same time base.
@ChgImplAdvice{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[Calendar.Clock and Real_Time.Clock should be transformations of the
same time base.]}]}

It is recommended that the @lquotes@;best@rquotes@; time base which exists in the
underlying system be available to the application through
Clock. @lquotes@;Best@rquotes@; may mean highest accuracy or largest range.
@ChgImplAdvice{Version=[2],Kind=[Added],Text=[@ChgAdded{Version=[2],
Text=[The @lquotes@;best@rquotes@; time base which exists in the
underlying system should be available to the application through
Real_Time.Clock.]}]}

@end{ImplAdvice}

@begin{Notes}

The rules in this clause do not imply that the implementation can protect
the user from operator or installation errors which could result in the
clock being set incorrectly.

Time_Unit is the granularity of the Time type. In contrast,
Tick represents the granularity of Real_Time.Clock.
There is no requirement that these be the same.

@end{Notes}

@begin{Incompatible95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00386-01]}
  @ChgAdded{Version=[2],Text=[@Defn{incompatibilities with Ada 95}
  Functions Seconds and Minutes are newly added to Real_Time. If
  Real_Time is referenced in a @nt{use_clause}, and an entity @i<E> with a
  @nt{defining_identifier} of Seconds or Minutes is defined in a package that
  is also referenced in a @nt{use_clause}, the entity @i<E> may no longer be
  use-visible, resulting in errors. This should be rare and is easily fixed if
  it does occur.]}
@end{Incompatible95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00432-01]}
  @ChgAdded{Version=[2],Text=[Added wording explaining how and when many of
  these functions can raise Constraint_Error. While there always was an
  intent to raise Constraint_Error if the values did not fit, there never
  was any wording to that effect, and since Time_Span was a private type,
  the normal numeric type rules do not apply to it.]}
@end{DiffWord95}


@LabeledClause{Delay Accuracy}

@begin{Intro}
@Redundant[This clause specifies performance requirements for the
@nt{delay_statement}.
The rules apply both to @nt{delay_@!relative_@!statement} and to
@nt{delay_@!until_@!statement}. Similarly, they apply equally to a
simple @nt{delay_@!statement} and to one which appears in a
@nt{delay_@!alternative}.]
@end{Intro}

@begin{RunTime}
@Leading@;The effect of the @nt{delay_statement} for Real_Time.Time is
defined in terms of Real_Time.Clock:
@begin{itemize}

If C@-{1} is a value of Clock read before a task executes a
@nt{delay_relative_statement} with duration D, and C@-{2} is a value of
Clock read after the task resumes execution following that
@nt{delay_statement}, then C@-{2} @en@; C@-{1} >= D.

If C is a value of Clock read after a task resumes execution following a
@nt{delay_until_statement} with Real_Time.Time value T, then C >= T.
@end{itemize}

@PDefn2{Term=[potentially blocking operation],Sec=(delay_statement)}
@PDefn2{Term=[blocking, potentially],Sec=(delay_statement)}
A simple @nt{delay_statement} with a negative or zero value for the
expiration time does not cause the calling task to be blocked; it is
nevertheless a potentially blocking operation
(see @RefSecNum{Protected Subprograms and Protected Actions}).

@ChgRef{Version=[2],Kind=[Revised]}
When a @nt{delay_statement} appears in a @nt{delay_alternative} of a
@nt{timed_entry_call} the selection of the entry call is attempted,
regardless of the specified expiration time.
When a @nt{delay_statement} appears in a
@Chg{Version=[2],New=[@nt{select_alternative}],Old=[@ntf{selective_accept_alternative}]},
and a call is queued on one of the open entries, the selection of that
entry call proceeds, regardless of the value of the delay expression.
@begin{Ramification}
The effect of these requirements is that one has to always attempt a rendezvous,
regardless of the value of the delay expression. This can be tested by
issuing a @nt{timed_entry_call} with an expiration time
of zero, to an open entry.
@end{Ramification}

@end{RunTime}

@begin{DocReq}

The implementation shall document the minimum value of the delay expression
of a @nt{delay_relative_statement} that causes the task to actually be blocked.
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The minimum value of the delay expression of a
@nt{delay_relative_statement} that causes a task to actually be blocked.]}]}

The implementation shall document the minimum difference between the value of
the delay expression of a @nt{delay_until_statement} and the value of
Real_Time.Clock, that causes the task to actually be blocked.
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[Implementation-defined aspects of @nt{delay_statement}s.]}]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The minimum difference between the value of the delay expression of a
@nt{delay_until_statement} and the value of Real_Time.Clock, that causes the
task to actually be blocked.]}]}

@end{DocReq}

@begin{Metrics}
@Leading@;The implementation shall document the following metrics:
@begin{Itemize}
An upper bound on the execution time, in processor clock cycles, of a
@nt{delay_relative_statement} whose requested value of the delay expression
is less than or equal to zero.

An upper bound on the execution time, in processor clock cycles, of a
@nt{delay_until_statement} whose requested value of the delay expression is
less than or equal to the value of Real_Time.Clock at the
time of executing the statement. Similarly, for Calendar.Clock.

@Defn{lateness}
@Defn{actual duration}
An upper bound on the @i{lateness} of a @nt{delay_relative_statement},
for a positive value of the delay expression, in a situation
where the task has sufficient priority to preempt the processor as
soon as it becomes ready, and does not need to
wait for any other execution resources. The upper bound is
expressed as a function of the value of the delay expression.
The lateness is obtained by subtracting the value of the delay expression
from the @i{actual duration}. The actual duration is measured from a point
immediately before a task executes the @nt{delay_statement} to a point
immediately after the task resumes execution following this statement.

An upper bound on the lateness of a @nt{delay_until_statement}, in a
situation where the value of the requested expiration time is after the time
the task begins executing the statement, the task has sufficient priority
to preempt the processor as soon as it becomes ready, and
it does not need to wait for any other execution resources. The upper
bound is expressed as a function of the difference between the requested
expiration time and the clock value at the time the statement begins
execution. The lateness of a @nt{delay_until_statement} is obtained by
subtracting the requested expiration time from the real time that the task
resumes execution following this statement.
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for delay statements.]}]}
@end{Metrics}

@begin{Notes}

@ChgRef{Version=[2],Kind=[Deleted],ARef=[AI95-00355-01]}
@ChgDeleted{Version=[2],Text=[The execution time of a @nt{delay_statement} that
does not cause the task to be blocked (e.g. @lquotes@;@key[delay]
0.0;@rquotes@; ) is of interest in situations where delays are used to achieve
voluntary round-robin task dispatching among equal-priority tasks.]}

@end{Notes}

@begin{DiffWord83}

The rules regarding a @nt{timed_entry_call} with a very small positive
Duration value, have been tightened to always require the check whether
the rendezvous is immediately possible.

@end{DiffWord83}

@begin{DiffWord95}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00355-01]}
  @ChgAdded{Version=[2],Text=[The note about @lquotes@;voluntary
  round-robin@rquote, while still true, has been deleted as potentially
  confusing as it is describing a different kind of round-robin than is defined
  by the round-robin dispatching policy.]}

@end{DiffWord95}


@LabeledClause{Synchronous Task Control}

@begin{Intro}
@Redundant[This clause describes a language-defined private semaphore
(suspension object), which can be used for @i{two-stage suspend}
operations and as a simple building block for implementing higher-level
queues.]
@end{Intro}

@begin{StaticSem}

@Leading@;The following language-defined package exists:
@begin{example}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00362-01]}
@key{package} Ada.Synchronous_Task_Control @key{is}@ChildUnit{Parent=[Ada],Child=[Synchronous_Task_Control]}@Chg{Version=[2],New=[
  @key[pragma] Preelaborate(Synchronous_Task_Control);],Old=[]}

  @key{type} @AdaTypeDefn{Suspension_Object} @key{is} @key{limited} @key{private};
  @key{procedure} @AdaSubDefn{Set_True}(S : @key{in} @key{out} Suspension_Object);
  @key{procedure} @AdaSubDefn{Set_False}(S : @key{in} @key{out} Suspension_Object);
  @key{function} @AdaSubDefn{Current_State}(S : Suspension_Object) @key{return} Boolean;
  @key{procedure} @AdaSubDefn{Suspend_Until_True}(S : @key{in} @key{out} Suspension_Object);
@key{private}
     ... -- @RI{not specified by the language}
@key{end} Ada.Synchronous_Task_Control;
@end{example}

The type Suspension_Object is a by-reference type.@begin{ImplNote}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00318-02]}@ChgNote{This is a real term now, let's get it right}
The implementation can ensure this by, for example, making the full view
@Chg{Version=[2],New=[an explicitly],Old=[a]}
limited record type.@end{implnote}

@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00114-01]}
An object of the type Suspension_Object has two visible states:
@Chg{Version=[2],New=[True],Old=[true]} and
@Chg{Version=[2],New=[False],Old=[false]}. Upon initialization,
its value is set to @Chg{Version=[2],New=[False],Old=[false]}.
@begin{Discussion}
This object is assumed to be private to the declaring task, i.e. only that
task will call Suspend_Until_True on this object, and the count of callers is
at most one. Other tasks can, of course, change and query the state of this
object.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00114-01]}
The operations Set_True and Set_False are atomic with respect to each other
and with respect to Suspend_Until_True; they set the state to
@Chg{Version=[2],New=[True],Old=[true]} and
@Chg{Version=[2],New=[False],Old=[false]} respectively.

Current_State returns the current state of the object.
@begin{Discussion}
This state can change immediately after the operation returns.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00114-01]}
The procedure Suspend_Until_True blocks the calling task until the
state of the object S is @Chg{Version=[2],New=[True],Old=[true]}; at that
point the task becomes ready
and the state of the object becomes @Chg{Version=[2],New=[False],Old=[false]}.

@PDefn2{Term=[potentially blocking operation],Sec=(Suspend_Until_True)}
@PDefn2{Term=[blocking, potentially],Sec=(Suspend_Until_True)}
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}
Program_Error is raised upon calling Suspend_Until_True if another
task is already waiting on that suspension object.
Suspend_Until_True is a potentially blocking operation
(see @RefSecNum{Protected Subprograms and Protected Actions}).
@end{RunTime}

@begin{ImplReq}

The implementation is required to allow the calling of Set_False and
Set_True during any protected action, even one that has its ceiling priority
in the Interrupt_Priority range.

@end{ImplReq}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00362-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Synchronous_Task_Control is now Preelaborated,
  so it can be used in preelaborated units.]}
@end{Extend95}



@LabeledClause{Asynchronous Task Control}

@begin{Intro}
@Redundant[This clause introduces a language-defined package to do
asynchronous suspend/resume on tasks.
It uses a conceptual @i{held priority} value to represent the task's
@i{held} state.]
@end{Intro}

@begin{StaticSem}

@Leading@;The following language-defined library package exists:
@begin{example}
@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00362-01]}
@key{with} Ada.Task_Identification;
@key{package} Ada.Asynchronous_Task_Control @key{is}@ChildUnit{parent=[Ada],Child=[Asynchronous_Task_Control]}@Chg{Version=[2],New=[
  @key[pragma] Preelaborate(Asynchronous_Task_Control);],Old=[]}
  @key{procedure} @AdaSubDefn{Hold}(T : @key[in] Ada.Task_Identification.Task_Id);
  @key{procedure} @AdaSubDefn{Continue}(T : @key[in] Ada.Task_Identification.Task_Id);
  @key{function} @AdaSubDefn{Is_Held}(T : Ada.Task_Identification.Task_Id)
   @key{return} Boolean;
@key{end} Ada.Asynchronous_Task_Control;
@end{example}

@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00357-01]}
@PDefn2{Term=[task state], Sec=(held)}
@Defn{held priority}
@Defn{idle task}
After the Hold operation has been applied to a task, the task becomes
@i{held}. For each processor there is a conceptual @i{idle task},
which is always ready. The base priority of the idle task is below
System.@!Any_@!Priority'First. The @i{held priority} is a
constant of the type @Chg{Version=[2],New=[Integer],Old=[integer]}
whose value is below the base priority of the idle task.
@begin{Discussion}
The held state should not be confused with the blocked state as defined
in @RefSecNum{Task Execution - Task Activation}; the task is still ready.
@end{Discussion}

@ChgRef{Version=[2],Kind=[Added],ARef=[AI95-00357-01]}
@ChgAdded{Version=[2],Text=[For any priority below System.Any_Priority'First,
the task dispatching policy is FIFO_Within_Priorities.]}
@begin{Honest}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This applies even if a Task_Dispatching_Policy
  specifies the policy for all of the priorities of the partition.]}
@end{Honest}
@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[A task at the held priority never runs, so it is
  not necessary to implement FIFO_Within_Priorities for systems that have only
  one policy (such as EDF_Across_Priorities).]}
@end{Ramification}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00357-01]}
The Hold operation sets the state of T to held. For a held
task@Chg{Version=[2],New=[, the active
priority is reevaluated as if the base priority of the task were the held
priority],Old=[: the task's own base priority does not constitute an
inheritance source
(see @RefSecNum{Task Priorities}), and the value of the held priority
is defined to be such a source instead]}.
@begin{Ramification}
For example, if T is currently inheriting priorities from other sources (e.g.
it is executing in a protected action), its active priority does not change,
and it continues to execute until it leaves the protected action.
@end{Ramification}

@ChgRef{Version=[2],Kind=[Revised],ARef=[AI95-00357-01]}
The Continue operation resets the state of T to not-held;
@Chg{Version=[2],New=[its],Old=[T's]} active priority
is then reevaluated as @Chg{Version=[2],New=[determined by the
task dispatching policy associated with its base priority.],Old=[described in
@RefSecNum{Task Priorities}.
@Redundant[This time, T's base priority is taken into account.]]}

The Is_Held function returns True if and only if T is in the held state.
@begin{Discussion}
Note that the state of T can be changed immediately after Is_Held returns.
@end{Discussion}

As part of these operations, a check is made that the task
identified by
T is not terminated.
@Defn2{Term=[Tasking_Error],Sec=(raised by failure of run-time check)}
Tasking_Error is raised if the check fails.
@Defn2{Term=[Program_Error],Sec=(raised by failure of run-time check)}
Program_Error is raised if the value of T is Null_Task_Id.

@end{RunTime}

@begin{Erron}
@PDefn2{Term=(erroneous execution),Sec=(cause)}
If any operation in this package is called with a parameter T that
specifies a task object that no longer exists, the execution of the
program is erroneous.
@end{Erron}

@begin{ImplPerm}

An implementation need not support Asynchronous_Task_Control if it is
infeasible to support it in the target environment.
@begin{Reason}
A direct implementation of the Asynchronous_Task_Control semantics using
priorities is not necessarily efficient enough.
Thus, we envision implementations that use some other mechanism to set
the @lquotes@;held@rquotes@; state.
If there is no other such mechanism,
support for Asynchronous_Task_Control might be infeasible,
because an implementation in terms of priority would require one idle
task per processor.
On some systems, programs are not supposed to know how many processors
are available,
so creating enough idle tasks would be problematic.
@end{Reason}

@end{ImplPerm}

@begin{Notes}

It is a consequence of the priority rules that held tasks cannot be dispatched
on any processor in a partition (unless they are inheriting
priorities) since their priorities are defined to be
below the priority of any idle task.

The effect of calling Get_Priority and Set_Priority on a Held task is the
same as on any other task.

Calling Hold on a held task or Continue on a non-held task has no effect.

@Leading@;The rules affecting queuing are derived from the above rules, in
addition to the normal priority rules:
@begin{itemize}

When a held task is on the ready queue, its priority is so low as to never
reach the top of the queue as long as there are other tasks on that queue.

If a task is executing in a protected action, inside a rendezvous, or is
inheriting priorities from other sources (e.g. when activated), it
continues to execute until it is no longer executing the corresponding
construct.

If a task becomes held while waiting (as a caller) for a rendezvous to
complete, the active priority of the accepting task is not affected.

@ChgRef{Version=[1],Kind=[Revised],Ref=[8652/0077],ARef=[AI95-00111-01]}
If a task becomes held while waiting in a @nt{selective_accept},
and a@Chg{New=[n],Old=[]} entry call is issued to one of the open entries,
the corresponding @Chg{New=[@nt{accept_@!alternative}],Old=[accept body]}
executes. When the rendezvous completes, the active
priority of the accepting task is lowered to the held priority
(unless it is still inheriting from other sources), and the task does
not execute until another Continue.

The same holds if the held task is the only task on a protected entry queue
whose barrier becomes open. The corresponding entry body executes.

@end{itemize}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00362-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  Asynchronous_Task_Control is now Preelaborated,
  so it can be used in preelaborated units.]}
@end{Extend95}

@begin{DiffWord95}
  @ChgRef{Version=[2],Kind=[AddedNormal],Ref=[8652/0077],ARef=[AI95-00111-01]}
  @ChgAdded{Version=[2],Text=[@b<Corrigendum:> Corrected to eliminate the
  use of the undefined term @lquotes@;accept body@rquotes@;.]}

  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00357-01]}
  @ChgAdded{Version=[2],Text=[The description of held tasks was changed to
  reflect that the calculation of active priorities depends on the
  dispatching policy of the base priority. Thus, the policy of the held
  priority was specified in order to avoid surprises (especially when using
  the EDF policy).]}
@end{DiffWord95}


@LabeledClause{Other Optimizations and Determinism Rules}

@begin{Intro}
@Redundant[This clause describes various requirements for
improving the response and determinism in a real-time system.]
@end{Intro}

@begin{ImplReq}

If the implementation blocks interrupts (see @RefSecNum{Interrupt Support}) not
as a result of direct user
action (e.g. an execution of a protected action) there shall be an upper
bound on the duration of this blocking.
@begin{Ramification}
The implementation shall not allow itself to be interrupted when it is in a
state where it is unable to support all the language-defined operations
permitted in the execution of interrupt handlers.
(see @RefSecNum{Protected Subprograms and Protected Actions}).
@end{Ramification}

The implementation shall recognize entry-less protected types.
The overhead of acquiring the execution resource of an object of such a type
(see @RefSecNum{Protected Subprograms and Protected Actions}) shall be
minimized. In particular, there should not be any overhead due to evaluating
@nt{entry_barrier} @nt{condition}s.
@begin{ImplNote}
Ideally the overhead should just be a spin-lock.
@end{ImplNote}

Unchecked_Deallocation shall be supported for terminated tasks that are
designated by access types, and shall have the effect of releasing all
the storage associated with the task. This includes any run-time system
or heap storage that has been implicitly allocated for the task by the
implementation.

@end{ImplReq}

@begin{DocReq}

The implementation shall document the
upper bound on the duration of interrupt blocking caused by the
implementation. If this is different for different interrupts or
interrupt priority levels, it should be documented for each case.
@ChgImplDef{Version=[2],Kind=[Deleted],Text=[@ChgDeleted{Version=[2],
Text=[The upper bound on the duration of interrupt blocking caused by
the implementation.]}]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The upper bound on the duration of interrupt blocking caused by
the implementation.]}]}

@end{DocReq}

@begin{Metrics}
@Leading@;The implementation shall document the following metric:
@begin{Itemize}
The overhead associated with obtaining
a mutual-exclusive access to an entry-less protected object. This shall be
measured in the following way:

@NoPrefix@Leading@keepnext@;For a protected object of the form:
@begin{example}
@key{protected} Lock @key{is}
   @key{procedure} Set;
   @Key{function} Read @Key{return} Boolean;
@key{private}
   Flag : Boolean := False;
@key{end} Lock;

@key{protected body} Lock @key{is}
   @key{procedure} Set @key{is}
   @key{begin}
      Flag := True;
   @key{end} Set;
   @Key{function} Read @Key{return} Boolean
   @key{Begin}
      @key{return} Flag;
   @key{end} Read;
@key{end} Lock;
@end{example}

@NoPrefix@;The execution time, in processor clock cycles, of a call to
Set. This shall be measured between the point just before
issuing the call, and the point just after the call
completes.
The function Read shall be called later to verify that Set was indeed
called (and not optimized away). The
calling task shall have
sufficiently high priority as to not be preempted during the measurement
period. The protected object shall have sufficiently high ceiling priority
to allow the task to call Set.

@NoPrefix@;For a multiprocessor, if supported, the metric shall be reported for the
case where no contention (on the execution resource) exists
@Redundant[from tasks executing on other processors].
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for entry-less protected objects.]}]}
@end{Metrics}


@LabeledAddedClause{Version=[2],Name=[Run-time Profiles]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause
specifies a mechanism for defining run-time profiles.]]}
@end{Intro}

@begin{Syntax}
@begin{SyntaxText}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Type=[Leading],Keepnext=[T],Text=[The form of a
@nt{pragma} Profile is as follows:]}
@end{SyntaxText}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=`@AddedPragmaSyn`Version=[2],@key{pragma} @prag<Profile> (@SynI{profile_}@Syn2{identifier} {, @SynI{profile_}@Syn2{pragma_argument_association}});''}

@end{Syntax}

@begin{Legality}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[The @SynI{profile_}@nt{identifier} shall be the name
of a run-time profile. The semantics of any
@SynI{profile_}@nt{pragma_@!argument_@!association}s are defined by
the run-time profile specified by the @SynI{profile_}@nt{identifier}.]}
@end{Legality}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[
A profile is equivalent to the set of configuration pragmas that is
defined for each run-time profile.]}
@end{StaticSem}

@begin{Linktime}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=[configuration pragma], Sec=(Profile)}
@PDefn2{Term=[pragma, configuration], Sec=(Profile)}
A @nt{pragma} Profile is a configuration pragma.
There may be more than one @nt{pragma} Profile for a partition.]}
@end{Linktime}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  @nt{Pragma} Profile is new.]}
@end{Extend95}


@RMNewPage
@LabeledAddedSubClause{Version=[2],Name=[The Ravenscar Profile]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[@Redundant[This clause
defines the Ravenscar profile.]@Defn{Ravenscar}]}
@end{Intro}

@begin{Legality}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[The @SynI{profile_}@nt{identifier}
Ravenscar is a run-time profile.
For run-time profile Ravenscar, there shall be no
@Syni{profile_}@nt{pragma_argument_association}s.]}
@end{Legality}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[The run-time profile
Ravenscar is equivalent to the following set of pragmas:]}

@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01],ARef=[AI95-00297-01],ARef=[AI95-00394-01]}
@ChgAdded{Version=[2],Text=[
@key{pragma} Task_Dispatching_Policy (FIFO_Within_Priorities);
@key{pragma} Locking_Policy (Ceiling_Locking);
@key{pragma} Detect_Blocking;
@key{pragma} Restrictions (
                No_Abort_Statements,
                No_Dynamic_Attachment,
                No_Dynamic_Priorities,
                No_Implicit_Heap_Allocations,
                No_Local_Protected_Objects,
                No_Local_Timing_Events,
                No_Protected_Type_Allocators,
                No_Relative_Delay,
                No_Requeue_Statements,
                No_Select_Statements,
                No_Specific_Termination_Handlers,
                No_Task_Allocators,
                No_Task_Hierarchy,
                No_Task_Termination,
                Simple_Barriers,
                Max_Entry_Queue_Length => 1,
                Max_Protected_Entries => 1,
                Max_Task_Entries => 0,
                No_Dependence => Ada.Asynchronous_Task_Control,
                No_Dependence => Ada.Calendar,
                No_Dependence => Ada.Execution_Time.Group_Budget,
                No_Dependence => Ada.Execution_Time.Timers,
                No_Dependence => Ada.Task_Attributes);]}
@end{Example}

@begin{Discussion}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[The Ravenscar profile is named for the location
of the meeting that defined its initial version. The name is now in widespread
use, so we stick with existing practice, rather than using a more descriptive
name.@Comment{ This is another example of Ada's lousy marketing sense; casual
readers, especially those outside of Ada, have no conception of what
@lquotes@;Ravenscar@rquotes@; is, and thus are much less likely to investigate
it to find out how it can help them.}]}
@end{Discussion}

@end{StaticSem}

@begin{Notes}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00249-01]}
@ChgAdded{Version=[2],Text=[
The effect of the Max_Entry_Queue_Length => 1 restriction applies
only to protected entry queues due to the accompanying restriction of
Max_Task_Entries => 0.]}
@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00296-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The Ravenscar profile is new.]}
@end{Extend95}


@RMNewPage@Comment{For printed Ada 2007 RM}
@LabeledAddedClause{Version=[2],Name=[Execution Time]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[This clause describes a language-defined package to
measure execution time.]}
@end{Intro}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{with} Ada.Task_Identification;
@key{with} Ada.Real_Time; @key{use} Ada.Real_Time;
@key{package} Ada.Execution_Time @key{is}@ChildUnit{Parent=[Ada],Child=[Execution_Time]}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{type} @AdaTypeDefn{CPU_Time} @key{is private};
   @AdaObjDefn{CPU_Time_First} : @key{constant} CPU_Time;
   @AdaObjDefn{CPU_Time_Last}  : @key{constant} CPU_Time;
   @AdaObjDefn{CPU_Time_Unit}  : @key{constant} := @RI{implementation-defined-real-number};
   @AdaObjDefn{CPU_Tick} : @key{constant} Time_Span;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{function} @AdaSubDefn{Clock}
     (T : Ada.Task_Identification.Task_Id
          := Ada.Task_Identification.Current_Task)
     @key{return} CPU_Time;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{function} "+"  (Left : CPU_Time; Right : Time_Span) @key{return} CPU_Time;
   @key{function} "+"  (Left : Time_Span; Right : CPU_Time) @key{return} CPU_Time;
   @key{function} "-"  (Left : CPU_Time; Right : Time_Span) @key{return} CPU_Time;
   @key{function} "-"  (Left : CPU_Time; Right : CPU_Time)  @key{return} Time_Span;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{function} "<"  (Left, Right : CPU_Time) @key{return} Boolean;
   @key{function} "<=" (Left, Right : CPU_Time) @key{return} Boolean;
   @key{function} ">"  (Left, Right : CPU_Time) @key{return} Boolean;
   @key{function} ">=" (Left, Right : CPU_Time) @key{return} Boolean;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{procedure} @AdaSubDefn{Split}
     (T : @key{in} CPU_Time; SC : @key{out} Seconds_Count; TS : @key{out} Time_Span);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{function} @AdaSubDefn{Time_Of} (SC : Seconds_Count;
                     TS : Time_Span := Time_Span_Zero) @key{return} CPU_Time;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{private}
   ... -- @RI[not specified by the language]
@key{end} Ada.Execution_Time;]}

@end{Example}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[@Defn2{Term=[execution time],Sec=[of a task]}
@Defn2{Term=[CPU time],Sec=[of a task]}
The @i<execution time> or CPU time of a given task is defined as the time spent by
the system executing that task, including the time spent executing run-time or
system services on its behalf. The mechanism used to measure execution time is
implementation defined. It is implementation defined which task, if any, is
charged the execution time that is consumed by interrupt handlers and run-time
services on behalf of the system.]}
@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[The implementation-defined properties above
  and of the values declared in the package are repeated in @DocReqTitle,
  so we don't mark them as implementation-defined.]}
@end{Discussion}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The type CPU_Time represents the execution time of
a task. The set of values of this type corresponds one-to-one with an
implementation-defined range of mathematical integers.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The CPU_Time value I represents the half-open
execution-time interval that starts with I*CPU_Time_Unit and is limited by
(I+1)*CPU_Time_Unit, where CPU_Time_Unit is an implementation-defined
real number. For each task, the execution time value is set to zero at
the creation of the task.]}

@begin{Ramification}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Since it is implementation-defined which task
  is charged execution time for system services, the execution time value
  may become non-zero even before the start of the activation of the task.]}
@end{Ramification}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[CPU_Time_First and CPU_Time_Last are the smallest
and largest values of the CPU_Time type, respectively.]}
@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[@Defn{CPU clock tick}
CPU_Time_Unit is the smallest amount of execution time representable
by the CPU_Time type; it is expressed in seconds. A @i<CPU clock tick> is an
execution time interval during which the clock value (as observed by
calling the Clock function) remains constant. CPU_Tick is the average
length of such intervals.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The effects of the operators on CPU_Time and
Time_Span are as for the operators defined for integer types.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The function Clock returns the current execution
time of the task identified by T; Tasking_Error is raised if that task has
terminated; Program_Error is raised if the value of T is
Task_Identification.Null_Task_Id.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The effects of the Split and Time_Of operations are defined as
follows, treating values of type CPU_Time, Time_Span, and
Seconds_Count as mathematical integers. The effect of Split (T, SC,
TS) is to set SC and TS to values such that T*CPU_Time_Unit = SC*1.0 +
TS*CPU_Time_Unit, and 0.0 <= TS*CPU_Time_Unit < 1.0. The value
returned by Time_Of(SC,TS) is the execution-time value T such that
T*CPU_Time_Unit=SC*1.0 + TS*CPU_Time_Unit.]}

@end{RunTime}

@begin{Erron}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=(erroneous execution),Sec=(cause)}
For a call of Clock, if the task identified by T no longer exists, the
execution of the program is erroneous.]}
@end{Erron}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The range of CPU_Time values shall be sufficient
to uniquely represent the range of execution times from the task start-up to 50
years of execution time later. CPU_Tick shall be no greater than 1
millisecond.]}
@end{ImplReq}

@begin{DocReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The implementation shall document the values of
CPU_Time_First, CPU_Time_Last, CPU_Time_Unit, and CPU_Tick.]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The values of CPU_Time_First, CPU_Time_Last, CPU_Time_Unit, and CPU_Tick
of package Execution_Time.]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The implementation shall document the properties of
the underlying mechanism used to measure execution times, such as the range of
values supported and any relevant aspects of the underlying hardware or
operating system facilities used.]}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The properties of the mechanism used to implement package Execution_Time.]}]}

@end{DocReq}

@begin{Metrics}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Type=[Leading],Keepnext=[T],Text=[The implementation
shall document the following metrics:]}

@begin{Itemize}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text={An upper bound on the execution-time duration of a
clock tick. This is a value D such that if t1 and t2 are any execution times of
a given task such that t1 < t2 and Clock@-{t1} = Clock@-{t2} then
t2 @en@; t1 <= D.}}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[An upper bound on the size of a clock jump. A clock
jump is the difference between two successive distinct values of an
execution-time clock (as observed by calling the Clock function with the same
Task_Id).]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[An upper bound on the execution time of a call to
the Clock function, in processor clock cycles.]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[Upper bounds on the execution times of the
operators of the type CPU_Time, in processor clock cycles.]}
@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for execution time.]}]}

@end{Metrics}

@begin{ImplPerm}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[Implementations targeted to machines with word size
smaller than 32 bits need not support the full range and granularity of the
CPU_Time type.]}

@end{ImplPerm}

@begin{ImplAdvice}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[When appropriate, implementations should provide
configuration mechanisms to change the value of CPU_Tick.]}
@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[When appropriate, implementations should provide
configuration mechanisms to change the value of Execution_Time.CPU_Tick.]}]}

@end{ImplAdvice}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The package Execution_Time is new.]}
@end{Extend95}


@LabeledAddedSubclause{Version=[2],Name=[Execution Time Timers]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[This clause describes a language-defined package
that provides a facility for calling a handler when a task has used a defined
amount of CPU time.]}
@end{Intro}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{with} System;
@key{package} Ada.Execution_Time.Timers @key{is}@ChildUnit{Parent=[Ada.Execution_Time],Child=[Timers]}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{type} @AdaTypeDefn{Timer} (T : @key{not null access constant}
                       Ada.Task_Identification.Task_Id) @key{is}
      @key{tagged limited private};]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{type} @AdaTypeDefn{Timer_Handler} @key{is}
      @key{access protected procedure} (TM : @key{in out} Timer);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @AdaObjDefn{Min_Handler_Ceiling} : @key{constant} System.Any_Priority :=
   @RI[implementation-defined];]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{procedure} @AdaSubDefn{Set_Handler} (TM      : @key{in out} Timer;
                          In_Time : @key{in} Time_Span;
                          Handler : @key{in} Timer_Handler);
   @key{procedure} @AdaSubDefn{Set_Handler} (TM      : @key{in out} Timer;
                          At_Time : @key{in} CPU_Time;
                          Handler : @key{in} Timer_Handler);
   @key{function} @AdaSubDefn{Current_Handler} (TM : Timer) @key{return} Timer_Handler;
   @key{procedure} @AdaSubDefn{Cancel_Handler} (TM        : @key{in out} Timer;
                             Cancelled :    @key{out} Boolean);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{function} @AdaSubDefn{Time_Remaining} (TM : Timer) @key{return} Time_Span;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @AdaExcDefn{Timer_Resource_Error} : @key{exception};]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{private}
   ... --  not specified by the language
@key{end} Ada.Execution_Time.Timers;]}

@end{Example}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The type Timer represents an execution-time event
for a single task and is capable of detecting execution-time overruns. The
access discriminant T identifies the task concerned. The type Timer needs
finalization (see @RefSecNum{User-Defined Assignment and Finalization}).]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[An object of type Timer is said to be @i<set> if it
is associated with a non-null value of type Timer_Handler and @i<cleared>
otherwise. All Timer objects are initially cleared.
@PDefn2{Term=[set],Sec=[execution timer object]}
@PDefn2{Term=[clear],Sec=[execution timer object]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The type Timer_Handler identifies a protected
procedure to be executed by the implementation when the timer expires. Such a
protected procedure is called a @i<handler>.
@PDefn2{Term=[handler],Sec=[execution timer]}]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Type Timer is tagged. This makes it possible to
  share a handler between several events. In simple cases, 'Access can be used
  to compare the parameter with a specific timer object (this works because a
  tagged type is a by-reference type). In more complex cases, a type extension
  of type Timer can be declared; a double type conversion can be used to access
  the extension data. An example of how this can be done can be found for the
  similar type Timing_Event, see @RefSecNum{Timing Events}.]}
@end{Discussion}

@end{StaticSem}

@begin{Runtime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[When a Timer object is created, or upon the first
call of a Set_Handler procedure with the timer as parameter, the resources
required to operate an execution-time timer based on the associated
execution-time clock are allocated and initialized. If this operation would
exceed the available resources, Timer_Resource_Error is raised.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The procedures Set_Handler associate the handler
Handler with the timer TM; if Handler is @key[null], the timer is cleared,
otherwise it is set. The first procedure Set_Handler loads the timer TM with an
interval specified by the Time_Span parameter. In this mode, the timer TM
@i<expires> when the execution time of the task identified by TM.T.@key[all]
has increased by In_Time; if In_Time is less than or equal to zero, the timer
expires immediately. The second procedure Set_Handler loads the timer TM with
the absolute value specified by At_Time. In this mode, the timer TM expires
when the execution time of the task identified by TM.T.@key[all] reaches
At_Time; if the value of At_Time has already been reached when Set_Handler is
called, the timer expires immediately.@Defn2{Term=[expires],
Sec=[execution timer]}]}

@begin{ImplNote}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[Since an access-to-constant can designate a
  variable, the Task_Id value designated by the discriminant of a Timer
  object can be changed after the object is created. Thus, an implementation
  cannot use the value of the Task_Id other than where this Standard specifies.
  For instance, the Task_Id should be read when the timer is set, but it
  should not be used when the timer expires (as it may designate a different
  task at that point.]}
@end{ImplNote}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[A call of a procedure Set_Handler for a timer that
is already set replaces the handler and the (absolute or relative) execution
time; if Handler is not @b<null>, the timer remains set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[When a timer expires, the associated handler is
executed, passing the timer as parameter. The initial action of the execution
of the handler is to clear the event.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The function Current_Handler returns the handler
associated with the timer TM if that timer is set; otherwise it returns
@b<null>.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The procedure Cancel_Handler clears the timer if it
is set. Cancelled is assigned True if the timer was set prior to it being
cleared; otherwise it is assigned False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The function Time_Remaining returns the execution
time interval that remains until the timer TM would expire, if that timer is
set; otherwise it returns Time_Span_Zero.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[The constant Min_Handler_Ceiling is the
minimum ceiling priority required for a protected object with a handler to
ensure that no ceiling violation will occur when that handler is invoked.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[As part of the finalization of an object of type
Timer, the timer is cleared.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[For all the subprograms defined in this package,
Tasking_Error is raised if the task identified by TM.T.@key[all] has terminated, and
Program_Error is raised if the value of TM.T.@key[all] is
Task_Identification.Null_Task_Id.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[An exception propagated from a handler invoked as
part of the expiration of a timer has no effect.]}

@end{Runtime}

@begin{Erron}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=(erroneous execution),Sec=(cause)}
For a call of any of the subprograms defined in this package, if the task
identified by TM.T.@key[all] no longer exists, the execution of the program is
erroneous.]}

@end{Erron}

@begin{ImplReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[For a given Timer object, the implementation shall
perform the operations declared in this package atomically with respect to any
of these operations on the same Timer object. The replacement of a handler by a
call of Set_Handler shall be performed atomically with respect to the execution
of the handler.]}

@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This prevents various race conditions. In
  particular it ensures that if an event occurs when Set_Handler is changing
  the handler then either the new or old handler is executed in response to the
  appropriate event. It is never possible for a new handler to be executed in
  response to an old event]}
@end{Reason}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[When an object of type Timer is finalized, the
system resources used by the timer shall be deallocated.]}

@end{ImplReq}

@begin{ImplPerm}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[Implementations may limit the number of timers that
can be defined for each task. If this limit is exceeded then
Timer_Resource_Error is raised.]}

@end{ImplPerm}

@begin{Notes}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
@ChgAdded{Version=[2],Text=[A Timer_Handler can be associated with several
Timer objects.]}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00307-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The package Execution_Time.Timers is new.]}
@end{Extend95}


@RMNewPage@Comment{For printed Ada 2007 RM}
@LabeledAddedSubclause{Version=[2],Name=[Group Execution Time Budgets]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[This clause describes a language-defined package to
assign execution time budgets to groups of tasks.]}
@end{Intro}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{with} System;
@key{package} Ada.Execution_Time.Group_Budgets @key{is}@ChildUnit{Parent=[Ada.Execution_Time],Child=[Group_Budgets]}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{type} @AdaTypeDefn{Group_Budget} @key{is tagged limited private};]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{type} @AdaTypeDefn{Group_Budget_Handler} @key{is access}
       @key{protected procedure} (GB : @key{in out} Group_Budget);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{type} @AdaTypeDefn{Task_Array} @key{is array} (Positive @key{range} <>) @key{of}
                                  Ada.Task_Identification.Task_Id;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @AdaObjDefn{Min_Handler_Ceiling} : @key{constant} System.Any_Priority :=
    @RI[implementation-defined];]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{procedure} @AdaSubDefn{Add_Task} (GB : @key{in out} Group_Budget;
                      T  : @key{in} Ada.Task_Identification.Task_Id);
  @key{procedure} @AdaSubDefn{Remove_Task} (GB: @key{in out} Group_Budget;
                         T  : @key{in} Ada.Task_Identification.Task_Id);
  @key{function} @AdaSubDefn{Is_Member} (GB : Group_Budget;
                      T : Ada.Task_Identification.Task_Id) @key{return} Boolean;
  @key{function} @AdaSubDefn{Is_A_Group_Member}
     (T : Ada.Task_Identification.Task_Id) @key{return} Boolean;
  @key{function} @AdaSubDefn{Members} (GB : Group_Budget) @key{return} Task_Array;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{procedure} @AdaSubDefn{Replenish} (GB : @key{in out} Group_Budget; To : @key{in} Time_Span);
  @key{procedure} @AdaSubDefn{Add} (GB : @key{in out} Group_Budget; Interval : @key{in} Time_Span);
  @key{function} @AdaSubDefn{Budget_Has_Expired} (GB : Group_Budget) @key{return} Boolean;
  @key{function} @AdaSubDefn{Budget_Remaining} (GB : Group_Budget) @key{return} Time_Span;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{procedure} @AdaSubDefn{Set_Handler} (GB      : @key{in out} Group_Budget;
                         Handler : @key{in} Group_Budget_Handler);
  @key{function} @AdaSubDefn{Current_Handler} (GB : Group_Budget)
     @key{return} Group_Budget_Handler;
  @key{procedure} @AdaSubDefn{Cancel_Handler} (GB        : @key{in out} Group_Budget;
                            Cancelled : @key{out} Boolean);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @AdaExcDefn{Group_Budget_Error} : @key{exception};]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{private}
    --  not specified by the language
@key{end} Ada.Execution_Time.Group_Budgets;]}

@end{Example}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The type Group_Budget represents an execution time
budget to be used by a group of tasks. The type Group_Budget needs finalization
(see @RefSecNum{User-Defined Assignment and Finalization}). A task can belong
to at most one group. Tasks of any priority can be added to a group.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[An object of type Group_Budget has an associated
nonnegative value of type Time_Span known as its @i<budget>, which is
initially Time_Span_Zero. The type Group_Budget_Handler identifies a protected
procedure to be executed by the implementation when the budget is
@i<exhausted>, that is, reaches zero. Such a protected procedure is called a
@i<handler>.@Defn{budget}@Defn2{Term=[exhaust],Sec=[a budget]}
@PDefn2{Term=[handler],Sec=[group budget]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[An object of type Group_Budget also includes a
handler, which is a value of type Group_Budget_Handler. The handler of the
object is said to be @i<set> if it is not null and @i<cleared> otherwise. The
handler of all Group_Budget objects is initially cleared.
@PDefn2{Term=[set],Sec=[group budget object]}
@PDefn2{Term=[clear],Sec=[group budget object]}]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]} @ChgAdded{Version=[2],Text=[Type
  Group_Budget is tagged. This makes it possible to share a handler between
  several events. In simple cases, 'Access can be used to compare the parameter
  with a specific group budget object (this works because a tagged type is a
  by-reference type). In more complex cases, a type extension of type
  Group_Budget can be declared; a double type conversion can be used to access
  the extension data. An example of how this can be done can be found for the
  similar type Timing_Event, see @RefSecNum{Timing Events}.]}
@end{Discussion}

@end{StaticSem}

@begin{RunTime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Add_Task adds the task identified by
T to the group GB; if that task is already a member of some other group,
Group_Budget_Error is raised.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Remove_Task removes the task
identified by T from the group GB; if that task is not a member of the group
GB, Group_Budget_Error is raised. After successful execution of this procedure,
the task is no longer a member of any group.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Is_Member returns True if the task
identified by T is a member of the group GB; otherwise it return False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Is_A_Group_Member returns True if the
task identified by T is a member of some group; otherwise it returns False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Members returns an array of values of
type Task_Identification.Task_Id identifying the members of the group GB. The
order of the components of the array is unspecified.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Replenish loads the group budget GB
with To as the Time_Span value. The exception Group_Budget_Error is raised if
the Time_Span value To is non-positive. Any execution of any member of the
group of tasks results in the budget counting down, unless exhausted. When the
budget becomes exhausted (reaches Time_Span_Zero), the associated handler is
executed if the handler of group budget GB is set. Nevertheless, the tasks
continue to execute.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Add modifies the budget of the group
GB. A positive value for Interval increases the budget. A negative value for
Interval reduces the budget, but never below Time_Span_Zero. A zero value for
Interval has no effect. A call of procedure Add that results in the value of
the budget going to Time_Span_Zero causes the associated handler to be executed
if the handler of the group budget GB is set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Budget_Has_Expired returns True if the
budget of group GB is exhausted (equal to Time_Span_Zero); otherwise it
returns False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Budget_Remaining returns the remaining
budget for the group GB. If the budget is exhausted it returns Time_Span_Zero.
This is the minimum value for a budget.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Set_Handler associates the handler
Handler with the Group_Budget GB; if Handler is @b<null>, the handler of
Group_Budget is cleared, otherwise it is set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[A call of Set_Handler for a Group_Budget that
already has a handler set replaces the handler; if Handler is not @b<null>, the
handler for Group_Budget remains set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The function Current_Handler returns the handler
associated with the group budget GB if the handler for that group budget is
set; otherwise it returns @b<null>.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The procedure Cancel_Handler clears the handler for
the group budget if it is set. Cancelled is assigned True if the handler for
the group budget was set prior to it being cleared; otherwise it is assigned
False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The constant Min_Handler_Ceiling is the
minimum ceiling priority required for a protected object with a handler to
ensure that no ceiling violation will occur when that handler is invoked.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[The precision of the accounting of task execution
time to a Group_Budget is the same as that defined for execution-time clocks
from the parent package.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[As part of the finalization of an object of type
Group_Budget all member tasks are removed from the group identified by that
object.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[If a task is a member of a Group_Budget when it
terminates then as part of the finalization of the task it is removed from the
group.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[For all the operations defined in this package,
Tasking_Error is raised if the task identified by T has terminated, and
Program_Error is raised if the value of T is
Task_Identification.Null_Task_Id.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[An exception propagated from a handler invoked when
the budget of a group of tasks becomes exhausted has no effect.]}

@end{RunTime}

@begin{Erron}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[@PDefn2{Term=(erroneous execution),Sec=(cause)}
For a call of any of the subprograms defined in this package, if the task
identified by T no longer exists, the execution of the program is erroneous.]}
@end{Erron}

@begin{ImplReq}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[For a given Group_Budget object, the implementation
shall perform the operations declared in this package atomically with respect
to any of these operations on the same Group_Budget object. The replacement of
a handler, by a call of Set_Handler, shall be performed atomically with respect
to the execution of the handler.]}
@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This prevents various race conditions. In
  particular it ensures that if the budget is exhausted when Set_Handler
  is changing the handler then either the new or old handler is executed
  and the exhausting event is not lost.]}
@end{Reason}
@end{ImplReq}

@begin{Notes}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[Clearing or setting of the handler of a group
budget does not change the current value of the budget. Exhaustion or loading
of a budget does not change whether the handler of the group budget is set or
cleared.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
@ChgAdded{Version=[2],Text=[A Group_Budget_Handler can be associated with
several Group_Budget objects.]}
@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00354-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The package Execution_Time.Group_Budgets is new.]}
@end{Extend95}


@LabeledAddedClause{Version=[2],Name=[Timing Events]}

@begin{Intro}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[This clause describes a language-defined package to
allow user-defined protected procedures to be executed at a specified time
without the need for a task or a delay statement.]}
@end{Intro}

@begin{StaticSem}
@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],KeepNext=[T],Type=[Leading],Text=[The following
language-defined library package exists:]}
@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{package} Ada.Real_Time.Timing_Events @key{is}@ChildUnit{Parent=[Ada.Real_Time],Child=[Timing_Events]}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{type} @AdaTypeDefn{Timing_Event} @key{is tagged limited private};
  @key{type} @AdaTypeDefn{Timing_Event_Handler}
       @key{is access protected procedure} (Event : @key{in out} Timing_Event);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{procedure} @AdaSubDefn{Set_Handler} (Event   : @key{in out} Timing_Event;
                         At_Time : @key{in} Time;
                         Handler : @key{in} Timing_Event_Handler);
  @key{procedure} @AdaSubDefn{Set_Handler} (Event   : @key{in out} Timing_Event;
                         In_Time : @key{in} Time_Span;
                         Handler : @key{in} Timing_Event_Handler);
  @key{function} @AdaSubDefn{Current_Handler} (Event : Timing_Event)
       @key{return} Timing_Event_Handler;
  @key{procedure} @AdaSubDefn{Cancel_Handler} (Event     : @key{in out} Timing_Event;
                            Cancelled : @key{out} Boolean);]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[  @key{function} @AdaSubDefn{Time_Of_Event} (Event : Timing_Event) @key{return} Time;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{private}
  ... -- @RI[not specified by the language]
@key{end} Ada.Real_Time.Timing_Events;]}
@end{Example}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The type Timing_Event represents a time in the future
when an event is to occur. The type Timing_Event needs finalization (see
@RefSecNum{User-Defined Assignment and Finalization}).]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[An object of type Timing_Event is said to be
@i<set> if it is associated with a non-null value of type Timing_Event_Handler
and @i<cleared> otherwise. All Timing_Event objects are initially cleared.
@PDefn2{Term=[set],Sec=[timing event object]}
@PDefn2{Term=[clear],Sec=[timing event object]}]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The type Timing_Event_Handler identifies a
protected procedure to be executed by the implementation when the timing event
occurs. Such a protected procedure is called a @i{handler}.
@PDefn2{Term=[handler],Sec=[timing event]}]}

@begin{Discussion}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Type=[Leading],Text=[Type Timing_Event is tagged. This
  makes it possible to share a handler between several events. In simple cases,
  'Access can be used to compare the parameter with a specific timing event
  object (this works because a tagged type is a by-reference type). In more
  complex cases, a type extension of type Timing_Event can be declared; a
  double type conversion can be used to access the extension data. For
  example:]}

@begin{Example}
@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{type} Toaster_Timing_Event @key{is new} Timing_Event @key{with record}
   Slot : Natural;
@key{end record};]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[...]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[@key{protected body} Toaster @key{is}]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   @key{procedure} Timer(Event : @key{in out} Timing_Event) @key{is}
   @key{begin}
      Pop_Up_Toast (Toaster_Timing_Event(Timing_Event'Class(Event)).Slot);
   @key{end} Timer;]}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[   ...
@key{end} Toaster;]}
@end{Example}

  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[The extra conversion to the class-wide type
  is necessary to make the conversions legal. While this usage is clearly
  ugly, we think that the need for this sort of usage will be rare, so
  we can live with it. It's certainly better than having no way to associate
  data with an event.]}
@end{Discussion}

@end{StaticSem}

@begin{Runtime}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The procedures Set_Handler associate the handler
Handler with the event Event; if Handler is @key{null}, the event is cleared,
otherwise it is set. The first procedure Set_Handler sets the execution time
for the event to be At_Time. The second procedure Set_Handler sets the
execution time for the event to be Real_Time.Clock + In_Time.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[A call of a procedure Set_Handler for an event that
is already set replaces the handler and the time of execution; if Handler is
not @key{null}, the event remains set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[As soon as possible after the time set for the
event, the handler is executed, passing the event as parameter. The handler is
only executed if the timing event is in the set state at the time of execution.
The initial action of the execution of the handler is to clear the event.]}

@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[The second sentence of this paragraph is because
  of a potential race condition. The time might expire and yet before the
  handler is executed, some task could call Cancel_Handler (or equivalently
  call Set_Handler with a @key{null} parameter) and thus clear the handler.]}
@end{Reason}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[If the Ceiling_Locking policy (see
@RefSecNum{Priority Ceiling Locking}) is in effect when a procedure
Set_Handler is called, a check is made that the ceiling priority of
Handler.@key{all} is Interrupt_Priority'Last. If the check fails, Program_Error
is raised.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[If a procedure Set_Handler is called with zero or
negative In_Time or with At_Time indicating a time in the past then the handler
is executed immediately by the task executing the call of Set_Handler. The
timing event Event is cleared.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The function Current_Handler returns the handler
associated with the event Event if that event is set; otherwise it returns
@key{null}.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The procedure Cancel_Handler clears the event if it
is set. Cancelled is assigned True if the event was set prior to it being
cleared; otherwise it is assigned False.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The function Time_Of_Event returns the time of the
event if the event is set; otherwise it returns Real_Time.Time_First.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[As part of the finalization of an object
of type Timing_Event, the Timing_Event is cleared.]}

@begin{ImplNote}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This is the only finalization defined by the
  language that has a visible effect; but an implementation may have other
  finalization that it needs to perform. Implementations need to ensure that
  the event is cleared before anything else is finalized that would prevent
  a set event from being triggered.]}
@end{ImplNote}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[If several timing events are set for the same time,
they are executed in FIFO order of being set.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[An exception propagated from a handler invoked by a
timing event has no effect.]}

@end{Runtime}

@begin{ImplReq}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[For a given Timing_Event object, the implementation
shall perform the operations declared in this package atomically with respect
to any of these operations on the same Timing_Event object. The replacement of
a handler by a call of Set_Handler shall be performed atomically with respect
to the execution of the handler.]}

@begin{Reason}
  @ChgRef{Version=[2],Kind=[AddedNormal]}
  @ChgAdded{Version=[2],Text=[This prevents various race conditions. In
  particular it ensures that if an event occurs when Set_Handler is changing
  the handler then either the new or old handler is executed in response to the
  appropriate event. It is never possible for a new handler to be executed in
  response to an old event.]}
@end{Reason}
@end{ImplReq}

@begin{Metrics}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Type=[Leading],Text=[The implementation shall document
the following metric:]}
@begin{Itemize}

@ChgRef{Version=[2],Kind=[AddedNormal]}
@ChgAdded{Version=[2],Text=[An upper bound on the lateness of the execution of
a handler. That is, the maximum time between when a handler is actually
executed and the time specified when the event was set.]}

@end{Itemize}
@ChgDocReq{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[The metrics for timing events.]}]}
@end{Metrics}

@begin{ImplAdvice}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[The protected handler procedure should be executed
directly by the real-time clock interrupt mechanism.]}

@ChgImplAdvice{Version=[2],Kind=[AddedNormal],Text=[@ChgAdded{Version=[2],
Text=[For a timing event, the handler should be executed directly by the
real-time clock interrupt mechanism.]}]}

@end{ImplAdvice}

@begin{Notes}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[Since a call of Set_Handler is not a potentially
blocking operation, it can be called from within a handler.]}

@ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
@ChgAdded{Version=[2],Text=[A Timing_Event_Handler can be associated with several
Timing_Event objects.]}

@end{Notes}

@begin{Extend95}
  @ChgRef{Version=[2],Kind=[AddedNormal],ARef=[AI95-00297-01]}
  @ChgAdded{Version=[2],Text=[@Defn{extensions to Ada 95}
  The package Real_Time.Timing_Events is new.]}
@end{Extend95}