File : checks.ads
1 ------------------------------------------------------------------------------
2 -- --
3 -- GNAT COMPILER COMPONENTS --
4 -- --
5 -- C H E C K S --
6 -- --
7 -- S p e c --
8 -- --
9 -- Copyright (C) 1992-2015, Free Software Foundation, Inc. --
10 -- --
11 -- GNAT is free software; you can redistribute it and/or modify it under --
12 -- terms of the GNU General Public License as published by the Free Soft- --
13 -- ware Foundation; either version 3, or (at your option) any later ver- --
14 -- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
15 -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
16 -- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --
17 -- for more details. You should have received a copy of the GNU General --
18 -- Public License distributed with GNAT; see file COPYING3. If not, go to --
19 -- http://www.gnu.org/licenses for a complete copy of the license. --
20 -- --
21 -- GNAT was originally developed by the GNAT team at New York University. --
22 -- Extensive contributions were provided by Ada Core Technologies Inc. --
23 -- --
24 ------------------------------------------------------------------------------
25
26 -- Package containing routines used to deal with runtime checks. These
27 -- routines are used both by the semantics and by the expander. In some
28 -- cases, checks are enabled simply by setting flags for gigi, and in
29 -- other cases the code for the check is expanded.
30
31 -- The approach used for range and length checks, in regards to suppressed
32 -- checks, is to attempt to detect at compilation time that a constraint
33 -- error will occur. If this is detected a warning or error is issued and the
34 -- offending expression or statement replaced with a constraint error node.
35 -- This always occurs whether checks are suppressed or not. Dynamic range
36 -- checks are, of course, not inserted if checks are suppressed.
37
38 with Errout; use Errout;
39 with Namet; use Namet;
40 with Table;
41 with Types; use Types;
42 with Uintp; use Uintp;
43 with Urealp; use Urealp;
44
45 package Checks is
46
47 procedure Initialize;
48 -- Called for each new main source program, to initialize internal
49 -- variables used in the package body of the Checks unit.
50
51 function Access_Checks_Suppressed (E : Entity_Id) return Boolean;
52 function Accessibility_Checks_Suppressed (E : Entity_Id) return Boolean;
53 function Alignment_Checks_Suppressed (E : Entity_Id) return Boolean;
54 function Allocation_Checks_Suppressed (E : Entity_Id) return Boolean;
55 function Atomic_Synchronization_Disabled (E : Entity_Id) return Boolean;
56 function Discriminant_Checks_Suppressed (E : Entity_Id) return Boolean;
57 function Division_Checks_Suppressed (E : Entity_Id) return Boolean;
58 function Duplicated_Tag_Checks_Suppressed (E : Entity_Id) return Boolean;
59 function Elaboration_Checks_Suppressed (E : Entity_Id) return Boolean;
60 function Index_Checks_Suppressed (E : Entity_Id) return Boolean;
61 function Length_Checks_Suppressed (E : Entity_Id) return Boolean;
62 function Overflow_Checks_Suppressed (E : Entity_Id) return Boolean;
63 function Predicate_Checks_Suppressed (E : Entity_Id) return Boolean;
64 function Range_Checks_Suppressed (E : Entity_Id) return Boolean;
65 function Storage_Checks_Suppressed (E : Entity_Id) return Boolean;
66 function Tag_Checks_Suppressed (E : Entity_Id) return Boolean;
67 function Validity_Checks_Suppressed (E : Entity_Id) return Boolean;
68 -- These functions check to see if the named check is suppressed, either
69 -- by an active scope suppress setting, or because the check has been
70 -- specifically suppressed for the given entity. If no entity is relevant
71 -- for the current check, then Empty is used as an argument. Note: the
72 -- reason we insist on specifying Empty is to force the caller to think
73 -- about whether there is any relevant entity that should be checked.
74
75 function Is_Check_Suppressed (E : Entity_Id; C : Check_Id) return Boolean;
76 -- This function is called if Checks_May_Be_Suppressed (E) is True to
77 -- determine whether check C is suppressed either on the entity E or
78 -- as the result of a scope suppress pragma. If Checks_May_Be_Suppressed
79 -- is False, then the status of the check can be determined simply by
80 -- examining Scope_Suppress, so this routine is not called in that case.
81
82 function Overflow_Check_Mode return Overflow_Mode_Type;
83 -- Returns current overflow checking mode, taking into account whether
84 -- we are inside an assertion expression and the assertion policy.
85
86 -----------------------------------------
87 -- Control of Alignment Check Warnings --
88 -----------------------------------------
89
90 -- When we have address clauses, there is an issue of whether the address
91 -- specified is appropriate to the alignment. In the general case where the
92 -- address is dynamic, we generate a check and a possible warning (this
93 -- warning occurs for example if we have a restricted run time with the
94 -- restriction No_Exception_Propagation). We also issue this warning in
95 -- the case where the address is static, but we don't know the alignment
96 -- at the time we process the address clause. In such a case, we issue the
97 -- warning, but we may be able to find out later (after the back end has
98 -- annotated the actual alignment chosen) that the warning was not needed.
99
100 -- To deal with deleting these potentially annoying warnings, we save the
101 -- warning information in a table, and then delete the waranings in the
102 -- post compilation validation stage if we can tell that the check would
103 -- never fail (in general the back end will also optimize away the check
104 -- in such cases).
105
106 -- Table used to record information
107
108 type Alignment_Warnings_Record is record
109 E : Entity_Id;
110 -- Entity whose alignment possibly warrants a warning
111
112 A : Uint;
113 -- Compile time known value of address clause for which the alignment
114 -- is to be checked once we know the alignment.
115
116 W : Error_Msg_Id;
117 -- Id of warning message we might delete
118 end record;
119
120 package Alignment_Warnings is new Table.Table (
121 Table_Component_Type => Alignment_Warnings_Record,
122 Table_Index_Type => Int,
123 Table_Low_Bound => 0,
124 Table_Initial => 10,
125 Table_Increment => 200,
126 Table_Name => "Alignment_Warnings");
127
128 procedure Validate_Alignment_Check_Warnings;
129 -- This routine is called after back annotation of type data to delete any
130 -- alignment warnings that turn out to be false alarms, based on knowing
131 -- the actual alignment, and a compile-time known alignment value.
132
133 -------------------------------------------
134 -- Procedures to Activate Checking Flags --
135 -------------------------------------------
136
137 procedure Activate_Division_Check (N : Node_Id);
138 pragma Inline (Activate_Division_Check);
139 -- Sets Do_Division_Check flag in node N, and handles possible local raise.
140 -- Always call this routine rather than calling Set_Do_Division_Check to
141 -- set an explicit value of True, to ensure handling the local raise case.
142
143 procedure Activate_Overflow_Check (N : Node_Id);
144 pragma Inline (Activate_Overflow_Check);
145 -- Sets Do_Overflow_Check flag in node N, and handles possible local raise.
146 -- Always call this routine rather than calling Set_Do_Overflow_Check to
147 -- set an explicit value of True, to ensure handling the local raise case.
148 -- Note that for discrete types, this call has no effect for MOD, REM, and
149 -- unary "+" for which overflow is never possible in any case.
150 --
151 -- Note: for the discrete-type case, it is legitimate to call this routine
152 -- on an unanalyzed node where the Etype field is not set. However, for the
153 -- floating-point case, Etype must be set (to a floating-point type).
154 --
155 -- For floating-point, we set the flag if we have automatic overflow checks
156 -- on the target, or if Check_Float_Overflow mode is set. For the floating-
157 -- point case, we ignore all the unary operators ("+", "-", and abs) since
158 -- none of these can result in overflow. If there are no overflow checks on
159 -- the target, and Check_Float_Overflow mode is not set, then the call has
160 -- no effect, since in such cases we want to generate NaN's and infinities.
161
162 procedure Activate_Range_Check (N : Node_Id);
163 pragma Inline (Activate_Range_Check);
164 -- Sets Do_Range_Check flag in node N, and handles possible local raise
165 -- Always call this routine rather than calling Set_Do_Range_Check to
166 -- set an explicit value of True, to ensure handling the local raise case.
167
168 --------------------------------
169 -- Procedures to Apply Checks --
170 --------------------------------
171
172 -- General note on following checks. These checks are always active if
173 -- Expander_Active and not Inside_A_Generic. They are inactive and have
174 -- no effect Inside_A_Generic. In the case where not Expander_Active
175 -- and not Inside_A_Generic, most of them are inactive, but some of them
176 -- operate anyway since they may generate useful compile time warnings.
177
178 procedure Apply_Access_Check (N : Node_Id);
179 -- Determines whether an expression node requires a runtime access
180 -- check and if so inserts the appropriate run-time check.
181
182 procedure Apply_Accessibility_Check
183 (N : Node_Id;
184 Typ : Entity_Id;
185 Insert_Node : Node_Id);
186 -- Given a name N denoting an access parameter, emits a run-time
187 -- accessibility check (if necessary), checking that the level of
188 -- the object denoted by the access parameter is not deeper than the
189 -- level of the type Typ. Program_Error is raised if the check fails.
190 -- Insert_Node indicates the node where the check should be inserted.
191
192 procedure Apply_Address_Clause_Check (E : Entity_Id; N : Node_Id);
193 -- E is the entity for an object which has an address clause. If checks
194 -- are enabled, then this procedure generates a check that the specified
195 -- address has an alignment consistent with the alignment of the object,
196 -- raising PE if this is not the case. The resulting check (if one is
197 -- generated) is prepended to the Actions list of N_Freeze_Entity node N.
198 -- Note that the check references E'Alignment, so it cannot be emitted
199 -- before N (its freeze node), otherwise this would cause an illegal
200 -- access before elaboration error in GIGI. For the case of a clear overlay
201 -- situation, we also check that the size of the overlaying object is not
202 -- larger than the overlaid object.
203
204 procedure Apply_Arithmetic_Overflow_Check (N : Node_Id);
205 -- Handle overflow checking for an arithmetic operator. Also handles the
206 -- cases of ELIMINATED and MINIMIZED overflow checking mode. If the mode
207 -- is one of the latter two, then this routine can also be called with
208 -- an if or case expression node to make sure that we properly handle
209 -- overflow checking for dependent expressions. This routine handles
210 -- front end vs back end overflow checks (in the front end case it expands
211 -- the necessary check). Note that divide is handled separately using
212 -- Apply_Divide_Checks. Node N may or may not have Do_Overflow_Check.
213 -- In STRICT mode, there is nothing to do if this flag is off, but in
214 -- MINIMIZED/ELIMINATED mode we still have to deal with possible use
215 -- of doing operations in Long_Long_Integer or Bignum mode.
216
217 procedure Apply_Constraint_Check
218 (N : Node_Id;
219 Typ : Entity_Id;
220 No_Sliding : Boolean := False);
221 -- Top-level procedure, calls all the others depending on the class of
222 -- Typ. Checks that expression N satisfies the constraint of type Typ.
223 -- No_Sliding is only relevant for constrained array types, if set to
224 -- True, it checks that indexes are in range.
225
226 procedure Apply_Discriminant_Check
227 (N : Node_Id;
228 Typ : Entity_Id;
229 Lhs : Node_Id := Empty);
230 -- Given an expression N of a discriminated type, or of an access type
231 -- whose designated type is a discriminanted type, generates a check to
232 -- ensure that the expression can be converted to the subtype given as
233 -- the second parameter. Lhs is empty except in the case of assignments,
234 -- where the target object may be needed to determine the subtype to
235 -- check against (such as the cases of unconstrained formal parameters
236 -- and unconstrained aliased objects). For the case of unconstrained
237 -- formals, the check is performed only if the corresponding actual is
238 -- constrained, i.e., whether Lhs'Constrained is True.
239
240 procedure Apply_Divide_Checks (N : Node_Id);
241 -- The node kind is N_Op_Divide, N_Op_Mod, or N_Op_Rem if either of the
242 -- flags Do_Division_Check or Do_Overflow_Check is set, then this routine
243 -- ensures that the appropriate checks are made. Note that overflow can
244 -- occur in the signed case for the case of the largest negative number
245 -- divided by minus one. This procedure only applies to Integer types.
246
247 procedure Apply_Parameter_Aliasing_Checks
248 (Call : Node_Id;
249 Subp : Entity_Id);
250 -- Given a subprogram call Call, add a check to verify that none of the
251 -- actuals overlap. Subp denotes the subprogram being called.
252
253 procedure Apply_Parameter_Validity_Checks (Subp : Entity_Id);
254 -- Given a subprogram Subp, add both a pre and post condition pragmas that
255 -- verify the proper initialization of scalars in parameters and function
256 -- results.
257
258 procedure Apply_Predicate_Check (N : Node_Id; Typ : Entity_Id);
259 -- N is an expression to which a predicate check may need to be applied
260 -- for Typ, if Typ has a predicate function.
261
262 procedure Apply_Type_Conversion_Checks (N : Node_Id);
263 -- N is an N_Type_Conversion node. A type conversion actually involves
264 -- two sorts of checks. The first check is the checks that ensures that
265 -- the operand in the type conversion fits onto the base type of the
266 -- subtype it is being converted to (see RM 4.6 (28)-(50)). The second
267 -- check is there to ensure that once the operand has been converted to
268 -- a value of the target type, this converted value meets the
269 -- constraints imposed by the target subtype (see RM 4.6 (51)).
270
271 procedure Apply_Universal_Integer_Attribute_Checks (N : Node_Id);
272 -- The argument N is an attribute reference node intended for processing
273 -- by gigi. The attribute is one that returns a universal integer, but
274 -- the attribute reference node is currently typed with the expected
275 -- result type. This routine deals with range and overflow checks needed
276 -- to make sure that the universal result is in range.
277
278 function Build_Discriminant_Checks
279 (N : Node_Id;
280 T_Typ : Entity_Id)
281 return Node_Id;
282 -- Subsidiary routine for Apply_Discriminant_Check. Builds the expression
283 -- that compares discriminants of the expression with discriminants of the
284 -- type. Also used directly for membership tests (see Exp_Ch4.Expand_N_In).
285
286 function Convert_From_Bignum (N : Node_Id) return Node_Id;
287 -- Returns result of converting node N from Bignum. The returned value is
288 -- not analyzed, the caller takes responsibility for this. Node N must be
289 -- a subexpression node of type Bignum. The result is Long_Long_Integer.
290
291 function Convert_To_Bignum (N : Node_Id) return Node_Id;
292 -- Returns result of converting node N to Bignum. The returned value is not
293 -- analyzed, the caller takes responsibility for this. Node N must be a
294 -- subexpression node of a signed integer type or Bignum type (if it is
295 -- already a Bignum, the returned value is Relocate_Node (N)).
296
297 procedure Determine_Range
298 (N : Node_Id;
299 OK : out Boolean;
300 Lo : out Uint;
301 Hi : out Uint;
302 Assume_Valid : Boolean := False);
303 -- N is a node for a subexpression. If N is of a discrete type with no
304 -- error indications, and no other peculiarities (e.g. missing Etype),
305 -- then OK is True on return, and Lo and Hi are set to a conservative
306 -- estimate of the possible range of values of N. Thus if OK is True on
307 -- return, the value of the subexpression N is known to lie in the range
308 -- Lo .. Hi (inclusive). If the expression is not of a discrete type, or
309 -- some kind of error condition is detected, then OK is False on exit, and
310 -- Lo/Hi are set to No_Uint. Thus the significance of OK being False on
311 -- return is that no useful information is available on the range of the
312 -- expression. Assume_Valid determines whether the processing is allowed to
313 -- assume that values are in range of their subtypes. If it is set to True,
314 -- then this assumption is valid, if False, then processing is done using
315 -- base types to allow invalid values.
316
317 procedure Determine_Range_R
318 (N : Node_Id;
319 OK : out Boolean;
320 Lo : out Ureal;
321 Hi : out Ureal;
322 Assume_Valid : Boolean := False);
323 -- Similar to Determine_Range, but for a node N of floating-point type. OK
324 -- is True on return only for IEEE floating-point types and only if we do
325 -- not have to worry about extended precision (i.e. on the x86, we must be
326 -- using -msse2 -mfpmath=sse). At the current time, this is used only in
327 -- GNATprove, though we could consider using it more generally in future.
328 -- For that to happen, the possibility of arguments of infinite or NaN
329 -- value should be taken into account, which is not the case currently.
330
331 procedure Install_Null_Excluding_Check (N : Node_Id);
332 -- Determines whether an access node requires a runtime access check and
333 -- if so inserts the appropriate run-time check.
334
335 function Make_Bignum_Block (Loc : Source_Ptr) return Node_Id;
336 -- This function is used by top level overflow checking routines to do a
337 -- mark/release operation on the secondary stack around bignum operations.
338 -- The block created looks like:
339 --
340 -- declare
341 -- M : Mark_Id := SS_Mark;
342 -- begin
343 -- SS_Release (M);
344 -- end;
345 --
346 -- The idea is that the caller will insert any needed extra declarations
347 -- after the declaration of M, and any needed statements (in particular
348 -- the bignum operations) before the call to SS_Release, and then do an
349 -- Insert_Action of the whole block (it is returned unanalyzed). The Loc
350 -- parameter is used to supply Sloc values for the constructed tree.
351
352 procedure Minimize_Eliminate_Overflows
353 (N : Node_Id;
354 Lo : out Uint;
355 Hi : out Uint;
356 Top_Level : Boolean);
357 -- This is the main routine for handling MINIMIZED and ELIMINATED overflow
358 -- processing. On entry N is a node whose result is a signed integer
359 -- subtype. The Do_Overflow_Check flag may or may not be set on N. If the
360 -- node is an arithmetic operation, then a range analysis is carried out,
361 -- and there are three possibilities:
362 --
363 -- The node is left unchanged (apart from expansion of an exponentiation
364 -- operation). This happens if the routine can determine that the result
365 -- is definitely in range. The Do_Overflow_Check flag is turned off in
366 -- this case.
367 --
368 -- The node is transformed into an arithmetic operation with a result
369 -- type of Long_Long_Integer.
370 --
371 -- The node is transformed into a function call that calls an appropriate
372 -- function in the System.Bignums package to compute a Bignum result.
373 --
374 -- In the first two cases, Lo and Hi are set to the bounds of the possible
375 -- range of results, computed as accurately as possible. In the third case
376 -- Lo and Hi are set to No_Uint (there are some cases where we could get an
377 -- advantage from keeping result ranges for Bignum values, but it could use
378 -- a lot of space and is very unlikely to be valuable).
379 --
380 -- If the node is not an arithmetic operation, then it is unchanged but
381 -- Lo and Hi are still set (to the bounds of the result subtype if nothing
382 -- better can be determined).
383 --
384 -- Note: this function is recursive, if called with an arithmetic operator,
385 -- recursive calls are made to process the operands using this procedure.
386 -- So we end up doing things top down. Nothing happens to an arithmetic
387 -- expression until this procedure is called on the top level node and
388 -- then the recursive calls process all the children. We have to do it
389 -- this way. If we try to do it bottom up in natural expansion order, then
390 -- there are two problems. First, where do we stash the bounds, and more
391 -- importantly, semantic processing will be messed up. Consider A+B+C where
392 -- A,B,C are all of type integer, if we processed A+B before doing semantic
393 -- analysis of the addition of this result to C, that addition could end up
394 -- with a Long_Long_Integer left operand and an Integer right operand, and
395 -- we would get a semantic error.
396 --
397 -- The routine is called in three situations if we are operating in either
398 -- MINIMIZED or ELIMINATED modes.
399 --
400 -- Overflow processing applied to the top node of an expression tree when
401 -- that node is an arithmetic operator. In this case the result is
402 -- converted to the appropriate result type (there is special processing
403 -- when the parent is a conversion, see body for details).
404 --
405 -- Overflow processing applied to the operands of a comparison operation.
406 -- In this case, the comparison is done on the result Long_Long_Integer
407 -- or Bignum values, without raising any exceptions.
408 --
409 -- Overflow processing applied to the left operand of a membership test.
410 -- In this case no exception is raised if a Long_Long_Integer or Bignum
411 -- result is outside the range of the type of that left operand (it is
412 -- just that the result of IN is false in that case).
413 --
414 -- Note that if Bignum values appear, the caller must take care of doing
415 -- the appropriate mark/release operations on the secondary stack.
416 --
417 -- Top_Level is used to avoid inefficient unnecessary transitions into the
418 -- Bignum domain. If Top_Level is True, it means that the caller will have
419 -- to convert any Bignum value back to Long_Long_Integer, possibly checking
420 -- that the value is in range. This is the normal case for a top level
421 -- operator in a subexpression. There is no point in going into Bignum mode
422 -- to avoid an overflow just so we can check for overflow the next moment.
423 -- For calls from comparisons and membership tests, and for all recursive
424 -- calls, we do want to transition into the Bignum domain if necessary.
425 -- Note that this setting is only relevant in ELIMINATED mode.
426
427 -------------------------------------------------------
428 -- Control and Optimization of Range/Overflow Checks --
429 -------------------------------------------------------
430
431 -- Range checks are controlled by the Do_Range_Check flag. The front end
432 -- is responsible for setting this flag in relevant nodes. Originally
433 -- the back end generated all corresponding range checks. But later on
434 -- we decided to generate many range checks in the front end. We are now
435 -- in the transitional phase where some of these checks are still done
436 -- by the back end, but many are done by the front end. It is possible
437 -- that in the future we might move all the checks to the front end. The
438 -- main remaining back end checks are for subscript checking.
439
440 -- Overflow checks are similarly controlled by the Do_Overflow_Check flag.
441 -- The difference here is that if back end overflow checks are inactive
442 -- (Backend_Overflow_Checks_On_Target set False), then the actual overflow
443 -- checks are generated by the front end, but if back end overflow checks
444 -- are active (Backend_Overflow_Checks_On_Target set True), then the back
445 -- end does generate the checks.
446
447 -- The following two routines are used to set these flags, they allow
448 -- for the possibility of eliminating checks. Checks can be eliminated
449 -- if an identical check has already been performed.
450
451 procedure Enable_Overflow_Check (N : Node_Id);
452 -- First this routine determines if an overflow check is needed by doing
453 -- an appropriate range check. If a check is not needed, then the call
454 -- has no effect. If a check is needed then this routine sets the flag
455 -- Do_Overflow_Check in node N to True, unless it can be determined that
456 -- the check is not needed. The only condition under which this is the
457 -- case is if there was an identical check earlier on.
458
459 procedure Enable_Range_Check (N : Node_Id);
460 -- Set Do_Range_Check flag in node N True, unless it can be determined
461 -- that the check is not needed. The only condition under which this is
462 -- the case is if there was an identical check earlier on. This routine
463 -- is not responsible for doing range analysis to determine whether or
464 -- not such a check is needed -- the caller is expected to do this. The
465 -- one other case in which the request to set the flag is ignored is
466 -- when Kill_Range_Check is set in an N_Unchecked_Conversion node.
467
468 -- The following routines are used to keep track of processing sequences
469 -- of statements (e.g. the THEN statements of an IF statement). A check
470 -- that appears within such a sequence can eliminate an identical check
471 -- within this sequence of statements. However, after the end of the
472 -- sequence of statements, such a check is no longer of interest, since
473 -- it may not have been executed.
474
475 procedure Conditional_Statements_Begin;
476 -- This call marks the start of processing of a sequence of statements.
477 -- Every call to this procedure must be followed by a matching call to
478 -- Conditional_Statements_End.
479
480 procedure Conditional_Statements_End;
481 -- This call removes from consideration all saved checks since the
482 -- corresponding call to Conditional_Statements_Begin. These two
483 -- procedures operate in a stack like manner.
484
485 -- The mechanism for optimizing checks works by remembering checks
486 -- that have already been made, but certain conditions, for example
487 -- an assignment to a variable involved in a check, may mean that the
488 -- remembered check is no longer valid, in the sense that if the same
489 -- expression appears again, another check is required because the
490 -- value may have changed.
491
492 -- The following routines are used to note conditions which may render
493 -- some or all of the stored and remembered checks to be invalidated.
494
495 procedure Kill_Checks (V : Entity_Id);
496 -- This procedure records an assignment or other condition that causes
497 -- the value of the variable to be changed, invalidating any stored
498 -- checks that reference the value. Note that all such checks must
499 -- be discarded, even if they are not in the current statement range.
500
501 procedure Kill_All_Checks;
502 -- This procedure kills all remembered checks
503
504 -----------------------------
505 -- Length and Range Checks --
506 -----------------------------
507
508 -- In the following procedures, there are three arguments which have
509 -- a common meaning as follows:
510
511 -- Expr The expression to be checked. If a check is required,
512 -- the appropriate flag will be placed on this node. Whether
513 -- this node is further examined depends on the setting of
514 -- the parameter Source_Typ, as described below.
515
516 -- ??? Apply_Length_Check and Apply_Range_Check do not have an Expr
517 -- formal
518
519 -- ??? Apply_Length_Check and Apply_Range_Check have a Ck_Node formal
520 -- which is undocumented, is it the same as Expr?
521
522 -- Target_Typ The target type on which the check is to be based. For
523 -- example, if we have a scalar range check, then the check
524 -- is that we are in range of this type.
525
526 -- Source_Typ Normally Empty, but can be set to a type, in which case
527 -- this type is used for the check, see below.
528
529 -- The checks operate in one of two modes:
530
531 -- If Source_Typ is Empty, then the node Expr is examined, at the very
532 -- least to get the source subtype. In addition for some of the checks,
533 -- the actual form of the node may be examined. For example, a node of
534 -- type Integer whose actual form is an Integer conversion from a type
535 -- with range 0 .. 3 can be determined to have a value in range 0 .. 3.
536
537 -- If Source_Typ is given, then nothing can be assumed about the Expr,
538 -- and indeed its contents are not examined. In this case the check is
539 -- based on the assumption that Expr can be an arbitrary value of the
540 -- given Source_Typ.
541
542 -- Currently, the only case in which a Source_Typ is explicitly supplied
543 -- is for the case of Out and In_Out parameters, where, for the conversion
544 -- on return (the Out direction), the types must be reversed. This is
545 -- handled by the caller.
546
547 procedure Apply_Length_Check
548 (Ck_Node : Node_Id;
549 Target_Typ : Entity_Id;
550 Source_Typ : Entity_Id := Empty);
551 -- This procedure builds a sequence of declarations to do a length check
552 -- that checks if the lengths of the two arrays Target_Typ and source type
553 -- are the same. The resulting actions are inserted at Node using a call
554 -- to Insert_Actions.
555 --
556 -- For access types, the Directly_Designated_Type is retrieved and
557 -- processing continues as enumerated above, with a guard against null
558 -- values.
559 --
560 -- Note: calls to Apply_Length_Check currently never supply an explicit
561 -- Source_Typ parameter, but Apply_Length_Check takes this parameter and
562 -- processes it as described above for consistency with the other routines
563 -- in this section.
564
565 procedure Apply_Range_Check
566 (Ck_Node : Node_Id;
567 Target_Typ : Entity_Id;
568 Source_Typ : Entity_Id := Empty);
569 -- For a Node of kind N_Range, constructs a range check action that tests
570 -- first that the range is not null and then that the range is contained in
571 -- the Target_Typ range.
572 --
573 -- For scalar types, constructs a range check action that first tests that
574 -- the expression is contained in the Target_Typ range. The difference
575 -- between this and Apply_Scalar_Range_Check is that the latter generates
576 -- the actual checking code against the Etype of the expression.
577 --
578 -- For constrained array types, construct series of range check actions
579 -- to check that each Expr range is properly contained in the range of
580 -- Target_Typ.
581 --
582 -- For a type conversion to an unconstrained array type, constructs a range
583 -- check action to check that the bounds of the source type are within the
584 -- constraints imposed by the Target_Typ.
585 --
586 -- For access types, the Directly_Designated_Type is retrieved and
587 -- processing continues as enumerated above, with a guard against null
588 -- values.
589 --
590 -- The source type is used by type conversions to unconstrained array
591 -- types to retrieve the corresponding bounds.
592
593 procedure Apply_Static_Length_Check
594 (Expr : Node_Id;
595 Target_Typ : Entity_Id;
596 Source_Typ : Entity_Id := Empty);
597 -- Tries to determine statically whether the two array types source type
598 -- and Target_Typ have the same length. If it can be determined at compile
599 -- time that they do not, then an N_Raise_Constraint_Error node replaces
600 -- Expr, and a warning message is issued.
601
602 procedure Apply_Scalar_Range_Check
603 (Expr : Node_Id;
604 Target_Typ : Entity_Id;
605 Source_Typ : Entity_Id := Empty;
606 Fixed_Int : Boolean := False);
607 -- For scalar types, determines whether an expression node should be
608 -- flagged as needing a runtime range check. If the node requires such a
609 -- check, the Do_Range_Check flag is turned on. The Fixed_Int flag if set
610 -- causes any fixed-point values to be treated as though they were discrete
611 -- values (i.e. the underlying integer value is used).
612
613 type Check_Result is private;
614 -- Type used to return result of Get_Range_Checks call, for later use in
615 -- call to Insert_Range_Checks procedure.
616
617 function Get_Range_Checks
618 (Ck_Node : Node_Id;
619 Target_Typ : Entity_Id;
620 Source_Typ : Entity_Id := Empty;
621 Warn_Node : Node_Id := Empty) return Check_Result;
622 -- Like Apply_Range_Check, except it does not modify anything. Instead
623 -- it returns an encapsulated result of the check operations for later
624 -- use in a call to Insert_Range_Checks. If Warn_Node is non-empty, its
625 -- Sloc is used, in the static case, for the generated warning or error.
626 -- Additionally, it is used rather than Expr (or Low/High_Bound of Expr)
627 -- in constructing the check.
628
629 procedure Append_Range_Checks
630 (Checks : Check_Result;
631 Stmts : List_Id;
632 Suppress_Typ : Entity_Id;
633 Static_Sloc : Source_Ptr;
634 Flag_Node : Node_Id);
635 -- Called to append range checks as returned by a call to Get_Range_Checks.
636 -- Stmts is a list to which either the dynamic check is appended or the
637 -- raise Constraint_Error statement is appended (for static checks).
638 -- Static_Sloc is the Sloc at which the raise CE node points, Flag_Node is
639 -- used as the node at which to set the Has_Dynamic_Check flag. Checks_On
640 -- is a boolean value that says if range and index checking is on or not.
641
642 procedure Insert_Range_Checks
643 (Checks : Check_Result;
644 Node : Node_Id;
645 Suppress_Typ : Entity_Id;
646 Static_Sloc : Source_Ptr := No_Location;
647 Flag_Node : Node_Id := Empty;
648 Do_Before : Boolean := False);
649 -- Called to insert range checks as returned by a call to Get_Range_Checks.
650 -- Node is the node after which either the dynamic check is inserted or
651 -- the raise Constraint_Error statement is inserted (for static checks).
652 -- Suppress_Typ is the type to check to determine if checks are suppressed.
653 -- Static_Sloc, if passed, is the Sloc at which the raise CE node points,
654 -- otherwise Sloc (Node) is used. The Has_Dynamic_Check flag is normally
655 -- set at Node. If Flag_Node is present, then this is used instead as the
656 -- node at which to set the Has_Dynamic_Check flag. Normally the check is
657 -- inserted after, if Do_Before is True, the check is inserted before
658 -- Node.
659
660 -----------------------
661 -- Expander Routines --
662 -----------------------
663
664 -- Some of the earlier processing for checks results in temporarily setting
665 -- the Do_Range_Check flag rather than actually generating checks. Now we
666 -- are moving the generation of such checks into the front end for reasons
667 -- of efficiency and simplicity (there were difficulties in handling this
668 -- in the back end when side effects were present in the expressions being
669 -- checked).
670
671 -- Probably we could eliminate the Do_Range_Check flag entirely and
672 -- generate the checks earlier, but this is a delicate area and it
673 -- seemed safer to implement the following routines, which are called
674 -- late on in the expansion process. They check the Do_Range_Check flag
675 -- and if it is set, generate the actual checks and reset the flag.
676
677 procedure Generate_Range_Check
678 (N : Node_Id;
679 Target_Type : Entity_Id;
680 Reason : RT_Exception_Code);
681 -- This procedure is called to actually generate and insert a range check.
682 -- A check is generated to ensure that the value of N lies within the range
683 -- of the target type. Note that the base type of N may be different from
684 -- the base type of the target type. This happens in the conversion case.
685 -- The Reason parameter is the exception code to be used for the exception
686 -- if raised.
687 --
688 -- Note: if the expander is not active, or if we are in GNATprove mode,
689 -- then we do not generate explicit range code. Instead we just turn the
690 -- Do_Range_Check flag on, since in these cases that's what we want to see
691 -- in the tree (GNATprove in particular depends on this flag being set). If
692 -- we generate the actual range check, then we make sure the flag is off,
693 -- since the code we generate takes complete care of the check.
694 --
695 -- Historical note: We used to just pass on the Do_Range_Check flag to the
696 -- back end to generate the check, but now in code-generation mode we never
697 -- have this flag set, since the front end takes care of the check. The
698 -- normal processing flow now is that the analyzer typically turns on the
699 -- Do_Range_Check flag, and if it is set, this routine is called, which
700 -- turns the flag off in code-generation mode.
701
702 procedure Generate_Index_Checks (N : Node_Id);
703 -- This procedure is called to generate index checks on the subscripts for
704 -- the indexed component node N. Each subscript expression is examined, and
705 -- if the Do_Range_Check flag is set, an appropriate index check is
706 -- generated and the flag is reset.
707
708 -- Similarly, we set the flag Do_Discriminant_Check in the semantic
709 -- analysis to indicate that a discriminant check is required for selected
710 -- component of a discriminated type. The following routine is called from
711 -- the expander to actually generate the call.
712
713 procedure Generate_Discriminant_Check (N : Node_Id);
714 -- N is a selected component for which a discriminant check is required to
715 -- make sure that the discriminants have appropriate values for the
716 -- selection. This is done by calling the appropriate discriminant checking
717 -- routine for the selector.
718
719 -----------------------
720 -- Validity Checking --
721 -----------------------
722
723 -- In (RM 13.9.1(9-11)) we have the following rules on invalid values
724
725 -- If the representation of a scalar object does not represent value of
726 -- the object's subtype (perhaps because the object was not initialized),
727 -- the object is said to have an invalid representation. It is a bounded
728 -- error to evaluate the value of such an object. If the error is
729 -- detected, either Constraint_Error or Program_Error is raised.
730 -- Otherwise, execution continues using the invalid representation. The
731 -- rules of the language outside this subclause assume that all objects
732 -- have valid representations. The semantics of operations on invalid
733 -- representations are as follows:
734 --
735 -- 10 If the representation of the object represents a value of the
736 -- object's type, the value of the type is used.
737 --
738 -- 11 If the representation of the object does not represent a value
739 -- of the object's type, the semantics of operations on such
740 -- representations is implementation-defined, but does not by
741 -- itself lead to erroneous or unpredictable execution, or to
742 -- other objects becoming abnormal.
743
744 -- We quote the rules in full here since they are quite delicate. Most
745 -- of the time, we can just compute away with wrong values, and get a
746 -- possibly wrong result, which is well within the range of allowed
747 -- implementation defined behavior. The two tricky cases are subscripted
748 -- array assignments, where we don't want to do wild stores, and case
749 -- statements where we don't want to do wild jumps.
750
751 -- In GNAT, we control validity checking with a switch -gnatV that can take
752 -- three parameters, n/d/f for None/Default/Full. These modes have the
753 -- following meanings:
754
755 -- None (no validity checking)
756
757 -- In this mode, there is no specific checking for invalid values
758 -- and the code generator assumes that all stored values are always
759 -- within the bounds of the object subtype. The consequences are as
760 -- follows:
761
762 -- For case statements, an out of range invalid value will cause
763 -- Constraint_Error to be raised, or an arbitrary one of the case
764 -- alternatives will be executed. Wild jumps cannot result even
765 -- in this mode, since we always do a range check
766
767 -- For subscripted array assignments, wild stores will result in
768 -- the expected manner when addresses are calculated using values
769 -- of subscripts that are out of range.
770
771 -- It could perhaps be argued that this mode is still conformant with
772 -- the letter of the RM, since implementation defined is a rather
773 -- broad category, but certainly it is not in the spirit of the
774 -- RM requirement, since wild stores certainly seem to be a case of
775 -- erroneous behavior.
776
777 -- Default (default standard RM-compatible validity checking)
778
779 -- In this mode, which is the default, minimal validity checking is
780 -- performed to ensure no erroneous behavior as follows:
781
782 -- For case statements, an out of range invalid value will cause
783 -- Constraint_Error to be raised.
784
785 -- For subscripted array assignments, invalid out of range
786 -- subscript values will cause Constraint_Error to be raised.
787
788 -- Full (Full validity checking)
789
790 -- In this mode, the protections guaranteed by the standard mode are
791 -- in place, and the following additional checks are made:
792
793 -- For every assignment, the right side is checked for validity
794
795 -- For every call, IN and IN OUT parameters are checked for validity
796
797 -- For every subscripted array reference, both for stores and loads,
798 -- all subscripts are checked for validity.
799
800 -- These checks are not required by the RM, but will in practice
801 -- improve the detection of uninitialized variables, particularly
802 -- if used in conjunction with pragma Normalize_Scalars.
803
804 -- In the above description, we talk about performing validity checks,
805 -- but we don't actually generate a check in a case where the compiler
806 -- can be sure that the value is valid. Note that this assurance must
807 -- be achieved without assuming that any uninitialized value lies within
808 -- the range of its type. The following are cases in which values are
809 -- known to be valid. The flag Is_Known_Valid is used to keep track of
810 -- some of these cases.
811
812 -- If all possible stored values are valid, then any uninitialized
813 -- value must be valid.
814
815 -- Literals, including enumeration literals, are clearly always valid
816
817 -- Constants are always assumed valid, with a validity check being
818 -- performed on the initializing value where necessary to ensure that
819 -- this is the case.
820
821 -- For variables, the status is set to known valid if there is an
822 -- initializing expression. Again a check is made on the initializing
823 -- value if necessary to ensure that this assumption is valid. The
824 -- status can change as a result of local assignments to a variable.
825 -- If a known valid value is unconditionally assigned, then we mark
826 -- the left side as known valid. If a value is assigned that is not
827 -- known to be valid, then we mark the left side as invalid. This
828 -- kind of processing does NOT apply to non-local variables since we
829 -- are not following the flow graph (more properly the flow of actual
830 -- processing only corresponds to the flow graph for local assignments).
831 -- For non-local variables, we preserve the current setting, i.e. a
832 -- validity check is performed when assigning to a knonwn valid global.
833
834 -- Note: no validity checking is required if range checks are suppressed
835 -- regardless of the setting of the validity checking mode.
836
837 -- The following procedures are used in handling validity checking
838
839 procedure Apply_Subscript_Validity_Checks (Expr : Node_Id);
840 -- Expr is the node for an indexed component. If validity checking and
841 -- range checking are enabled, all subscripts for this indexed component
842 -- are checked for validity.
843
844 procedure Check_Valid_Lvalue_Subscripts (Expr : Node_Id);
845 -- Expr is a lvalue, i.e. an expression representing the target of an
846 -- assignment. This procedure checks for this expression involving an
847 -- assignment to an array value. We have to be sure that all the subscripts
848 -- in such a case are valid, since according to the rules in (RM
849 -- 13.9.1(9-11)) such assignments are not permitted to result in erroneous
850 -- behavior in the case of invalid subscript values.
851
852 procedure Ensure_Valid
853 (Expr : Node_Id;
854 Holes_OK : Boolean := False;
855 Related_Id : Entity_Id := Empty;
856 Is_Low_Bound : Boolean := False;
857 Is_High_Bound : Boolean := False);
858 -- Ensure that Expr represents a valid value of its type. If this type
859 -- is not a scalar type, then the call has no effect, since validity
860 -- is only an issue for scalar types. The effect of this call is to
861 -- check if the value is known valid, if so, nothing needs to be done.
862 -- If this is not known, then either Expr is set to be range checked,
863 -- or specific checking code is inserted so that an exception is raised
864 -- if the value is not valid.
865 --
866 -- The optional argument Holes_OK indicates whether it is necessary to
867 -- worry about enumeration types with non-standard representations leading
868 -- to "holes" in the range of possible representations. If Holes_OK is
869 -- True, then such values are assumed valid (this is used when the caller
870 -- will make a separate check for this case anyway). If Holes_OK is False,
871 -- then this case is checked, and code is inserted to ensure that Expr is
872 -- valid, raising Constraint_Error if the value is not valid.
873 --
874 -- Related_Id denotes the entity of the context where Expr appears. Flags
875 -- Is_Low_Bound and Is_High_Bound specify whether the expression to check
876 -- is the low or the high bound of a range. These three optional arguments
877 -- signal Remove_Side_Effects to create an external symbol of the form
878 -- Chars (Related_Id)_FIRST/_LAST. For suggested use of these parameters
879 -- see the warning in the body of Sem_Ch3.Process_Range_Expr_In_Decl.
880
881 function Expr_Known_Valid (Expr : Node_Id) return Boolean;
882 -- This function tests it the value of Expr is known to be valid in the
883 -- sense of RM 13.9.1(9-11). In the case of GNAT, it is only discrete types
884 -- which are a concern, since for non-discrete types we simply continue
885 -- computation with invalid values, which does not lead to erroneous
886 -- behavior. Thus Expr_Known_Valid always returns True if the type of Expr
887 -- is non-discrete. For discrete types the value returned is True only if
888 -- it can be determined that the value is Valid. Otherwise False is
889 -- returned.
890
891 procedure Insert_Valid_Check
892 (Expr : Node_Id;
893 Related_Id : Entity_Id := Empty;
894 Is_Low_Bound : Boolean := False;
895 Is_High_Bound : Boolean := False);
896 -- Inserts code that will check for the value of Expr being valid, in the
897 -- sense of the 'Valid attribute returning True. Constraint_Error will be
898 -- raised if the value is not valid.
899 --
900 -- Related_Id denotes the entity of the context where Expr appears. Flags
901 -- Is_Low_Bound and Is_High_Bound specify whether the expression to check
902 -- is the low or the high bound of a range. These three optional arguments
903 -- signal Remove_Side_Effects to create an external symbol of the form
904 -- Chars (Related_Id)_FIRST/_LAST. For suggested use of these parameters
905 -- see the warning in the body of Sem_Ch3.Process_Range_Expr_In_Decl.
906
907 procedure Null_Exclusion_Static_Checks (N : Node_Id);
908 -- Ada 2005 (AI-231): Check bad usages of the null-exclusion issue
909
910 procedure Remove_Checks (Expr : Node_Id);
911 -- Remove all checks from Expr except those that are only executed
912 -- conditionally (on the right side of And Then/Or Else. This call
913 -- removes only embedded checks (Do_Range_Check, Do_Overflow_Check).
914
915 procedure Validity_Check_Range
916 (N : Node_Id;
917 Related_Id : Entity_Id := Empty);
918 -- If N is an N_Range node, then Ensure_Valid is called on its bounds, if
919 -- validity checking of operands is enabled. Related_Id denotes the entity
920 -- of the context where N appears.
921
922 -----------------------------
923 -- Handling of Check Names --
924 -----------------------------
925
926 -- The following table contains Name_Id's for recognized checks. The first
927 -- entries (corresponding to the values of the subtype Predefined_Check_Id)
928 -- contain the Name_Id values for the checks that are predefined, including
929 -- All_Checks (see Types). Remaining entries are those that are introduced
930 -- by pragma Check_Names.
931
932 package Check_Names is new Table.Table (
933 Table_Component_Type => Name_Id,
934 Table_Index_Type => Check_Id,
935 Table_Low_Bound => 1,
936 Table_Initial => 30,
937 Table_Increment => 200,
938 Table_Name => "Name_Check_Names");
939
940 function Get_Check_Id (N : Name_Id) return Check_Id;
941 -- Function to search above table for matching name. If found returns the
942 -- corresponding Check_Id value in the range 1 .. Check_Name.Last. If not
943 -- found returns No_Check_Id.
944
945 private
946
947 type Check_Result is array (Positive range 1 .. 2) of Node_Id;
948 -- There are two cases for the result returned by Range_Check:
949 --
950 -- For the static case the result is one or two nodes that should cause
951 -- a Constraint_Error. Typically these will include Expr itself or the
952 -- direct descendants of Expr, such as Low/High_Bound (Expr)). It is the
953 -- responsibility of the caller to rewrite and substitute the nodes with
954 -- N_Raise_Constraint_Error nodes.
955 --
956 -- For the non-static case a single N_Raise_Constraint_Error node with a
957 -- non-empty Condition field is returned.
958 --
959 -- Unused entries in Check_Result, if any, are simply set to Empty For
960 -- external clients, the required processing on this result is achieved
961 -- using the Insert_Range_Checks routine.
962
963 pragma Inline (Apply_Length_Check);
964 pragma Inline (Apply_Range_Check);
965 pragma Inline (Apply_Static_Length_Check);
966 end Checks;