File: AA-13-9-1.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
    <TITLE>AARM95 - Data Validity</TITLE>
    <META NAME="Author" CONTENT="JTC1/SC22/WG9/ARG, by Randall Brukardt, ARG Editor">
    <META NAME="GENERATOR" CONTENT="Arm_Form.Exe, Ada Reference Manual generator">
    <STYLE type="text/css">
    DIV.paranum {position: absolute; font-family: Arial, Helvetica, sans-serif; left: 0.5 em; top: auto}
    TT {font-family: "Courier New", monospace}
    DT {display: compact}
    DIV.Normal {font-family: "Times New Roman", Times, serif; margin-bottom: 0.6em}
    DIV.Wide {font-family: "Times New Roman", Times, serif; margin-top: 0.6em; margin-bottom: 0.6em}
    DIV.Annotations {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-bottom: 0.6em}
    DIV.WideAnnotations {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-top: 0.6em; margin-bottom: 0.6em}
    DIV.Index {font-family: "Times New Roman", Times, serif}
    DIV.SyntaxSummary {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-bottom: 0.4em}
    DIV.Notes {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-bottom: 0.6em}
    DIV.NotesHeader {font-family: "Times New Roman", Times, serif; margin-left: 2.0em}
    DIV.SyntaxIndented {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-bottom: 0.4em}
    DIV.Indented {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-bottom: 0.6em}
    DIV.CodeIndented {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-bottom: 0.6em}
    DIV.SmallIndented {font-family: "Times New Roman", Times, serif; margin-left:  10.0em; margin-bottom: 0.6em}
    DIV.SmallCodeIndented {font-family: "Times New Roman", Times, serif; margin-left: 8.0em; margin-bottom: 0.6em}
    DIV.Examples {font-family: "Courier New", monospace; margin-left: 2.0em; margin-bottom: 0.6em}
    DIV.SmallExamples {font-family: "Courier New", monospace; font-size: 80%; margin-left: 7.5em; margin-bottom: 0.6em}
    DIV.IndentedExamples {font-family: "Courier New", monospace; margin-left: 8.0em; margin-bottom: 0.6em}
    DIV.SmallIndentedExamples {font-family: "Courier New", monospace; font-size: 80%; margin-left:  15.0em; margin-bottom: 0.6em}
    UL.Bulleted {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-right: 2.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.SmallBulleted {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-right: 6.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.NestedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-right: 4.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.SmallNestedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 8.0em; margin-right: 8.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.IndentedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 8.0em; margin-right: 8.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.CodeIndentedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-right: 6.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.CodeIndentedNestedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 8.0em; margin-right: 8.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.SyntaxIndentedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-right: 4.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.NotesBulleted {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-right: 4.0em; margin-top: 0em; margin-bottom: 0.5em}
    UL.NotesNestedBulleted {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-right: 6.0em; margin-top: 0em; margin-bottom: 0.5em}
    DL.Hanging {font-family: "Times New Roman", Times, serif; margin-top: 0em; margin-bottom: 0.6em}
    DD.Hanging {margin-left: 6.0em}
    DL.IndentedHanging {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-top: 0em; margin-bottom: 0.6em}
    DD.IndentedHanging {margin-left: 2.0em}
    DL.HangingInBulleted {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-right: 2.0em; margin-top: 0em; margin-bottom: 0.5em}
    DD.HangingInBulleted {margin-left: 4.0em}
    DL.SmallHanging {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-top: 0em; margin-bottom: 0.6em}
    DD.SmallHanging {margin-left: 7.5em}
    DL.SmallIndentedHanging {font-family: "Times New Roman", Times, serif; margin-left: 8.0em; margin-top: 0em; margin-bottom: 0.6em}
    DD.SmallIndentedHanging {margin-left: 2.0em}
    DL.SmallHangingInBulleted {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-right: 6.0em; margin-top: 0em; margin-bottom: 0.5em}
    DD.SmallHangingInBulleted {margin-left: 5.0em}
    DL.Enumerated {font-family: "Times New Roman", Times, serif; margin-right: 0.0em; margin-top: 0em; margin-bottom: 0.5em}
    DD.Enumerated {margin-left: 2.0em}
    DL.SmallEnumerated {font-family: "Times New Roman", Times, serif; margin-left: 4.0em; margin-right: 4.0em; margin-top: 0em; margin-bottom: 0.5em}
    DD.SmallEnumerated {margin-left: 2.5em}
    DL.NestedEnumerated {font-family: "Times New Roman", Times, serif; margin-left: 2.0em; margin-right: 2.0em; margin-top: 0em; margin-bottom: 0.5em}
    DL.SmallNestedEnumerated {font-family: "Times New Roman", Times, serif; margin-left: 6.0em; margin-right: 6.0em; margin-top: 0em; margin-bottom: 0.5em}
    </STYLE>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFF0" LINK="#0000FF" VLINK="#800080" ALINK="#FF0000">
<P><A HREF="AA-TOC.html">Contents</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-0-29.html">Index</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-13-9.html">Previous</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-13-9-2.html">Next</A></P>
<HR>
<H1> 13.9.1 Data Validity</H1>
<DIV Class="Paranum"><FONT SIZE=-2>1</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;Certain actions that can potentially lead to erroneous
execution are not directly erroneous, but instead can cause objects to
become <I>abnormal</I>. Subsequent uses of abnormal objects can be erroneous.</DIV>
<DIV Class="Paranum"><FONT SIZE=-2>2</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;A scalar object can have an <I>invalid representation</I>,
which means that the object's representation does not represent any value
of the object's subtype. <A NAME="I4606"></A>The primary cause of invalid
representations is uninitialized variables.</DIV>
<DIV Class="Paranum"><FONT SIZE=-2>3</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;Abnormal objects and invalid representations are
explained in this subclause. </DIV>

<H4 ALIGN=CENTER>Dynamic Semantics</H4>
<DIV Class="Paranum"><FONT SIZE=-2>4</FONT></DIV>
<DIV Class="Normal" Style="margin-bottom: 0.4em">&nbsp;&nbsp;&nbsp;<A NAME="I4607"></A><A NAME="I4608"></A>When
an object is first created, and any explicit or default initializations
have been performed, the object and all of its parts are in the <I>normal</I>
state. Subsequent operations generally leave them normal. However, an
object or part of an object can become <I>abnormal</I> in the following
ways: </DIV>
<DIV Class="Paranum"><FONT SIZE=-2>5</FONT></DIV>
<UL Class="Bulleted"><LI TYPE=DISC><A NAME="I4609"></A>An assignment to the object is disrupted
due to an abort (see <A HREF="AA-9-8.html">9.8</A>) or due to the failure
of a language-defined check (see <A HREF="AA-11-6.html">11.6</A>).</LI></UL>
<DIV Class="Paranum"><FONT SIZE=-2>6</FONT></DIV>
<UL Class="Bulleted"><LI TYPE=DISC>The object is not scalar, and is passed to an <B>in out</B>
or <B>out</B> parameter of an imported procedure or language-defined
input procedure, if after return from the procedure the representation
of the parameter does not represent a value of the parameter's subtype.
</LI></UL>
<DIV Class="Paranum"><FONT SIZE=-2>7</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;<A NAME="I4610"></A>Whether or not an object actually
becomes abnormal in these cases is not specified. An abnormal object
becomes normal again upon successful completion of an assignment to the
object as a whole. </DIV>

<H4 ALIGN=CENTER>Erroneous Execution</H4>
<DIV Class="Paranum"><FONT SIZE=-2>8</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;<A NAME="I4611"></A>It is erroneous to evaluate
a <FONT FACE="Arial, Helvetica">primary</FONT> that is a <FONT FACE="Arial, Helvetica">name</FONT>
denoting an abnormal object, or to evaluate a <FONT FACE="Arial, Helvetica">prefix</FONT>
that denotes an abnormal object. </DIV>
<DIV Class="Paranum"><FONT SIZE=-2>8.a</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Ramification: </B>Although
a composite object with no subcomponents of an access type, and with
static constraints all the way down cannot become abnormal, a scalar
subcomponent of such an object can become abnormal.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>8.b</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>The <B>in out</B> or <B>out</B>
parameter case does not apply to scalars; bad scalars are merely invalid
representations, rather than abnormal, in this case. </FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>8.c</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Reason: </B>The reason we allow
access objects, and objects containing subcomponents of an access type,
to become abnormal is because the correctness of an access value cannot
necessarily be determined merely by looking at the bits of the object.
The reason we allow scalar objects to become abnormal is that we wish
to allow the compiler to optimize assuming that the value of a scalar
object belongs to the object's subtype, if the compiler can prove that
the object is initialized with a value that belongs to the subtype. The
reason we allow composite objects to become abnormal if some constraints
are nonstatic is that such an object might be represented with implicit
levels of indirection; if those are corrupted, then even assigning into
a component of the object, or simply asking for its Address, might have
an unpredictable effect. The same is true if the discriminants have been
destroyed. </FONT></DIV>

<H4 ALIGN=CENTER>Bounded (Run-Time) Errors</H4>
<DIV Class="Paranum"><FONT SIZE=-2>9</FONT></DIV>
<DIV Class="Normal" Style="margin-bottom: 0.4em">&nbsp;&nbsp;&nbsp;<A NAME="I4612"></A><A NAME="I4613"></A>If
the representation of a scalar object does not represent a value of the
object's subtype (perhaps because the object was not initialized), the
object is said to have an <I>invalid representation</I>. It is a bounded
error to evaluate the value of such an object. <A NAME="I4614"></A><A NAME="I4615"></A>If
the error is detected, either Constraint_Error or Program_Error is raised.
Otherwise, execution continues using the invalid representation. The
rules of the language outside this subclause assume that all objects
have valid representations. The semantics of operations on invalid representations
are as follows:</DIV>
<DIV Class="Paranum"><FONT SIZE=-2>9.a</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Discussion: </B>The AARM is
more explicit about what happens when the value of the case expression
is an invalid representation.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>10</FONT></DIV>
<UL Class="Bulleted"><LI TYPE=DISC>If the representation of the object represents a value
of the object's type, the value of the type is used.</LI></UL>
<DIV Class="Paranum"><FONT SIZE=-2>11</FONT></DIV>
<UL Class="Bulleted"><LI TYPE=DISC>If the representation of the object does not represent
a value of the object's type, the semantics of operations on such representations
is implementation-defined, but does not by itself lead to erroneous or
unpredictable execution, or to other objects becoming abnormal. </LI></UL>

<H4 ALIGN=CENTER>Erroneous Execution</H4>
<DIV Class="Paranum"><FONT SIZE=-2>12</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;&nbsp;<A NAME="I4616"></A>A call to an imported function
or an instance of Unchecked_Conversion is erroneous if the result is
scalar, and the result object has an invalid representation. </DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.a</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Ramification: </B>In a typical
implementation, every bit pattern that fits in an object of an integer
subtype will represent a value of the type, if not of the subtype. However,
for an enumeration or floating point type, there are typically bit patterns
that do not represent any value of the type. In such cases, the implementation
ought to define the semantics of operations on the invalid representations
in the obvious manner (assuming the bounded error is not detected): a
given representation should be equal to itself, a representation that
is in between the internal codes of two enumeration literals should behave
accordingly when passed to comparison operators and membership tests,
etc. We considered <I>requiring</I> such sensible behavior, but it resulted
in too much arcane verbiage, and since implementations have little incentive
to behave irrationally, such verbiage is not important to have.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.b</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>If a stand-alone scalar object
is initialized to an in-range value, then the implementation can take
advantage of the fact that any out-of-range value has to be abnormal.
Such an out-of-range value can be produced only by things like unchecked
conversion, input, and disruption of an assignment due to abort or to
failure of a language-defined check. This depends on out-of-range values
being checked before assignment (that is, checks are not optimized away
unless they are proven redundant).</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.c</FONT></DIV>
<DIV Class="Annotations" Style="margin-bottom: 0.4em"><FONT SIZE=-1>Consider
the following example: </FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.d</FONT></DIV>
<DIV Class="SmallExamples"><TT><B>type</B>&nbsp;My_Int&nbsp;<B>is</B>&nbsp;<B>range</B>&nbsp;0..99;<BR>
<B>function</B>&nbsp;Safe_Convert&nbsp;<B>is</B>&nbsp;<B>new</B>&nbsp;Unchecked_Conversion(My_Int,&nbsp;Integer);<BR>
<B>function</B>&nbsp;Unsafe_Convert&nbsp;<B>is</B>&nbsp;<B>new</B>&nbsp;Unchecked_Conversion(My_Int,&nbsp;Positive);<BR>
X&nbsp;:&nbsp;Positive&nbsp;:=&nbsp;Safe_Convert(0);&nbsp;--<I>&nbsp;Raises&nbsp;Constraint_Error.</I><BR>
Y&nbsp;:&nbsp;Positive&nbsp;:=&nbsp;Unsafe_Convert(0);&nbsp;--<I>&nbsp;Erroneous.</I></TT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.e</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>The call to Unsafe_Convert causes
erroneous execution. The call to Safe_Convert is not erroneous. The result
object is an object of subtype Integer containing the value 0. The assignment
to X is required to do a constraint check; the fact that the conversion
is unchecked does not obviate the need for subsequent checks required
by the language rules. </FONT></DIV>
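<DIV Class="Annotations"><FONT SIZE=-1>The following Ada program is an
added example, not part of the AARM text, showing the safe pattern behind
paragraphs 9 through 12 and 12.a: an untrusted byte is read into a value of
Interfaces.Unsigned_8, a type in which every bit pattern is a value of the
type, and is turned into an enumeration value only through the checked 'Val
attribute, so no invalid representation is ever produced. The Command type,
the Raw_Byte wire encoding and the sample bytes are constructed for the
example; Unchecked_Decode is the instance of Unchecked_Conversion that
paragraph 12 makes erroneous for bytes outside the codes 0 .. 2, and it is
called here only on a valid code.</FONT></DIV>

```ada
--  Added example (not part of the AARM text): decoding an untrusted byte
--  into an enumeration type without ever producing an invalid
--  representation.  Interfaces.Unsigned_8 has no invalid bit patterns
--  (every pattern is a value of the type, cf. 12.a), so reading it is never
--  a bounded error; Unchecked_Conversion straight into Command would be
--  erroneous for the bytes 3 .. 255 (paragraph 12).
with Ada.Text_IO;     use Ada.Text_IO;
with Ada.Unchecked_Conversion;
with Interfaces;      use Interfaces;

procedure Decode_Command is

   type Command is (Read, Write, Reset);    -- internal codes 0, 1, 2
   for Command'Size use 8;                  -- same size as the wire byte

   --  Hypothetical wire format: one byte per command, as received from a
   --  network peer or returned by an imported routine.
   type Raw_Byte is new Unsigned_8;

   --  The unsafe path the AARM warns about: only ever applied below to a
   --  byte that is known to be a valid code.
   function Unchecked_Decode is
      new Ada.Unchecked_Conversion (Source => Raw_Byte, Target => Command);

   Bad_Command : exception;

   --  The safe path: check the code against the enumeration's range first
   --  and build the value with the checked 'Val attribute.  Both operations
   --  are fully defined by the language for every possible input byte.
   function Checked_Decode (Raw : Raw_Byte) return Command is
   begin
      if Natural (Raw) > Command'Pos (Command'Last) then
         raise Bad_Command;
      end if;
      return Command'Val (Natural (Raw));
   end Checked_Decode;

   --  Constructed sample input: two valid codes and one out-of-range code.
   Input : constant array (Positive range <>) of Raw_Byte := (1, 2, 200);

begin
   --  Valid code: the unchecked conversion is not erroneous here.
   Put_Line ("Unchecked_Decode (0) = " & Command'Image (Unchecked_Decode (0)));

   for I in Input'Range loop
      begin
         Put_Line (Raw_Byte'Image (Input (I)) & " =>"
                   & Command'Image (Checked_Decode (Input (I))));
      exception
         when Bad_Command =>
            Put_Line (Raw_Byte'Image (Input (I)) & " => rejected");
      end;
   end loop;
end Decode_Command;
```

<DIV Class="Annotations"><FONT SIZE=-1>The point of routing the decode
through Checked_Decode rather than Unchecked_Decode is that the rejection
of the byte 200 is a normal exception with a defined handler, whereas the
unchecked instance on the same byte would leave the program in the
erroneous state of paragraph 12, in which no later check is guaranteed to
run.</FONT></DIV>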
<DIV Class="Paranum"><FONT SIZE=-2>12.f</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Implementation Note: </B>If
an implementation wants to have a "friendly" mode, it might always
assign an uninitialized scalar a default initial value that is outside
the object's subtype (if there is one), and check for this value on some
or all reads of the object, so as to help detect references to uninitialized
scalars. Alternatively, an implementation might want to provide an "unsafe"
mode where it presumed even uninitialized scalars were always within
their subtype. </FONT></DIV>
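<DIV Class="Annotations"><FONT SIZE=-1>A user-level version of the
"friendly" mode of 12.f, as an added example that is not part of the AARM
text and does not describe any particular implementation: the record
component is declared with the base subtype so that a sentinel outside the
real subtype can be stored without raising Constraint_Error, and every read
goes through one checking function. Port, Connection and the sentinel value
are hypothetical.</FONT></DIV>

```ada
--  Added example (not part of the AARM text): emulating the "friendly"
--  mode of 12.f in ordinary Ada.  The record component can never be left
--  uninitialized, and a read before the value is set is reported instead
--  of silently using the sentinel.
with Ada.Text_IO; use Ada.Text_IO;

procedure Friendly_Mode is

   type Port is range 1 .. 65535;

   --  Port'Base is wider than Port, so 0 is a legal sentinel that no
   --  properly set Port object can ever hold.
   Unset : constant Port'Base := 0;

   type Connection is record
      Remote_Port : Port'Base := Unset;   -- default, never uninitialized
   end record;

   Not_Initialized : exception;

   --  The single read path: either a value of subtype Port or an
   --  exception.  The membership test is the "check on read" of 12.f.
   function Remote (C : Connection) return Port is
   begin
      if C.Remote_Port not in Port then
         raise Not_Initialized;
      end if;
      return C.Remote_Port;
   end Remote;

   --  Writes accept only values of subtype Port, so the sentinel can
   --  never be stored through this path.
   procedure Set_Remote (C : in out Connection; P : Port) is
   begin
      C.Remote_Port := P;
   end Set_Remote;

   C : Connection;                        -- default-initialized to Unset

begin
   --  Constructed misuse: reading before the field has been set.
   begin
      Put_Line ("remote port:" & Port'Image (Remote (C)));
   exception
      when Not_Initialized =>
         Put_Line ("remote port read before it was set");
   end;

   Set_Remote (C, 443);
   Put_Line ("remote port:" & Port'Image (Remote (C)));
end Friendly_Mode;
```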
<DIV Class="Paranum"><FONT SIZE=-2>12.g</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Ramification: </B>The above
rules imply that it is a bounded error to apply a predefined operator
to an object with a scalar subcomponent having an invalid representation,
since this implies reading the value of each subcomponent. Either Program_Error
or Constraint_Error is raised, or some result is produced, which if composite,
might have a corresponding scalar subcomponent still with an invalid
representation.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>12.h</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>Note that it is not an error to
assign, convert, or pass as a parameter a composite object with an uninitialized
scalar subcomponent. On the other hand, it is a (bounded) error to apply
a predefined operator such as =, &lt;, and <B>xor</B> to a composite
operand with an invalid scalar subcomponent. </FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>13</FONT></DIV>
<DIV Class="Normal">&nbsp;&nbsp;&nbsp;&nbsp;<A NAME="I4617"></A>The dereference of an access
value is erroneous if it does not designate an object of an appropriate
type or a subprogram with an appropriate profile, if it designates a
nonexistent object, or if it is an access-to-variable value that designates
a constant object. [Such an access value can exist, for example, because
of Unchecked_Deallocation, Unchecked_Access, or Unchecked_Conversion.]
</DIV>
<DIV Class="Paranum"><FONT SIZE=-2>13.a</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1><B>Ramification: </B>The above
mentioned Unchecked_... features are not the only causes of such access
values. For example, interfacing to other languages can also cause the
problem.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>13.b</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>One obscure example is if the
Adjust subprogram of a controlled type uses Unchecked_Access to create
an access-to-variable value designating a subcomponent of its controlled
parameter, and saves this access value in a global object. When Adjust
is called during the initialization of a constant object of the type,
the end result will be an access-to-variable value that designates a
constant object. </FONT></DIV>
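<DIV Class="Annotations"><FONT SIZE=-1>An added example, not part of the
AARM text, of the dangling access value described in paragraph 13, produced
here through Unchecked_Deallocation. It relies on the fact that Free sets
its own argument to null (see <A HREF="AA-13-11-2.html">13.11.2</A>) while
every other copy of the access value is left unchanged, so a comparison
with null on such a copy proves nothing. The buffer type and the names are
constructed for the example.</FONT></DIV>

```ada
--  Added example (not part of the AARM text): a dangling access value
--  created by Unchecked_Deallocation.  Free sets its own argument to null
--  (13.11.2), but a copy of the access value made earlier still designates
--  the nonexistent object; dereferencing that copy is erroneous under
--  paragraph 13, while comparing or overwriting the copy itself is not.
with Ada.Text_IO;              use Ada.Text_IO;
with Ada.Unchecked_Deallocation;

procedure Dangling_Access is

   type Buffer_Access is access String;

   procedure Free is new Ada.Unchecked_Deallocation (String, Buffer_Access);

   Owner : Buffer_Access := new String'(1 .. 16 => 'A');
   Alias : Buffer_Access := Owner;   -- a second copy of the same value

begin
   Free (Owner);

   --  Owner is null by the definition of Free; Alias is not, yet the
   --  object it designates no longer exists.
   Put_Line ("Owner = null: " & Boolean'Image (Owner = null));
   Put_Line ("Alias = null: " & Boolean'Image (Alias = null));

   --  Alias (1) or Alias.all at this point would be the erroneous
   --  dereference of paragraph 13, and no null test can detect it.
   --  The defence is discipline, not a check: every copy of the access
   --  value is cleared when the owner frees, so later guards are honest.
   Alias := null;

   if Alias /= null then
      Put_Line (Alias (1 .. 4));     -- guarded by the cleared alias
   end if;
   Put_Line ("all references to the freed buffer cleared");
end Dangling_Access;
```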
<DIV Class="NotesHeader"><FONT SIZE=-1>NOTES</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>14</FONT></DIV>
<DIV Class="Notes"><FONT SIZE=-1>18&nbsp;&nbsp;Objects can become abnormal
due to other kinds of actions that directly update the object's representation;
such actions are generally considered directly erroneous, however. </FONT></DIV>

<H4 ALIGN=CENTER>Wording Changes from Ada 83</H4>
<DIV Class="Paranum"><FONT SIZE=-2>14.a</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>In order to reduce the amount
of erroneousness, we separate the concept of an undefined value into
objects with invalid representation (scalars only) and abnormal objects.</FONT></DIV>
<DIV Class="Paranum"><FONT SIZE=-2>14.b</FONT></DIV>
<DIV Class="Annotations"><FONT SIZE=-1>Reading an object with an invalid
representation is a bounded error rather than erroneous; reading an abnormal
object is still erroneous. In fact, the only safe thing to do to an abnormal
object is to assign to the object as a whole. </FONT></DIV>

<HR>
<P><A HREF="AA-TOC.html">Contents</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-0-29.html">Index</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-13-9.html">Previous</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-13-9-2.html">Next</A>&nbsp;&nbsp;&nbsp;<A HREF="AA-TTL.html">Legal</A></P>
</BODY>
</HTML>