6. Subprograms¶
6.1. Subprogram Declarations¶
We distinguish the declaration view introduced by a subprogram_declaration
from the implementation view introduced by a subprogram_body
or an
expression_function_declaration
. For subprograms that are not declared by
a subprogram_declaration
, the subprogram_body
or
expression_function_declaration
also introduces a declaration view which
may be in SPARK 2014 even if the implementation view is not.
Rules are imposed in SPARK 2014 to ensure that the execution of a function call does not modify any variables declared outside of the function. It follows as a consequence of these rules that the evaluation of any SPARK 2014 expression is side-effect free.
We also introduce the notion of a global item, which is a name that denotes a global object or a state abstraction (see Abstraction of State). Global items are presented in Global aspects (see Global Aspects).
An entire object is an object which is not a subcomponent of a larger
containing object. More specifically, an entire object is
an object declared by an object_declaration
(as opposed to, for example,
a slice or the result object of a function call) or a formal parameter of
a subprogram. In particular, a component of a protected unit is not
an entire object.
Static Semantics
- The exit value of a global item or parameter of a subprogram is its value immediately following the successful call of the subprogram.
- The entry value of a global item or parameter of a subprogram is its value at the call of the subprogram.
- An output of a subprogram is a global item or parameter whose final value
may be updated by a successful call to the subprogram. The result of a
function is also an output. A global item or parameter which is an external
state with the property Async_Readers => True, and for which intermediate
values are written during an execution leading to a successful call, is also
an output even if the final state is the same as the initial state. (see
External State). [On the contrary, a global item or parameter is not
an output of the subprogram if it is updated only on paths that lead to an
explicit
raise_statement
or to apragma Assert (statically_False)
or to a call to a subprogram markedNo_Return
.] - An input of a subprogram is a global item or parameter whose
initial value may be used in determining the exit value of an
output of the subprogram. For a global item or parameter which is
an external state with Async_Writers => True, each successive value
read from the external state is also an input of the subprogram
(see External State). As a special case, a global item or
parameter is also an input if it is mentioned in a
null_dependency_clause
in the Depends aspect of the subprogram (see Depends Aspects). - An output of a subprogram is said to be fully initialized by a call if all parts of the output are initialized as a result of any successful execution of a call of the subprogram. In the case of a parameter X of a class-wide type T’Class, this set of “all parts” is not limited to the (statically known) parts of T. For example, if the underlying dynamic tag of X is T2’Tag, where T2 is an extension of T that declares a component C, then C would be included in the set. In this case, this set of “all parts” is not known statically. [In order to fully initialize such a parameter, it is necessary to use some form of dispatching assignment. This can be done by either a direct (class-wide) assignment to X, passing X as an actual out-mode parameter in a call where the formal parameter is of a class-wide type, or passing X as a controlling out-mode parameter in a dispatching call.] The meaning of “all parts” in the case of a parameter of a specific tagged type is determined by the applicable Extensions_Visible aspect (see Extensions_Visible Aspects). [A state abstraction cannot be fully initialized by initializing individual constituents unless its refinement is visible.]
Legality Rules
- A function declaration shall not have a
parameter_specification
with a mode of out or in out. This rule also applies to asubprogram_body
for a function for which no explicit declaration is given.
6.1.1. Preconditions and Postconditions¶
Legality Rules
- The corresponding expression for an inherited Pre’Class or Post’Class of an inherited subprogram S of a tagged type T shall not call a non-inherited primitive function of type T.
[The notion of corresponding expression is defined in Ada RM 6.1.1(18/4) as follows: If a Pre’Class or Post’Class aspect is specified for a primitive subprogram S of a tagged type T, or such an aspect defaults to True, then a corresponding expression also applies to the corresponding primitive subprogram S of each descendant of T.]
[The rationale for this rule is that, otherwise, if the contract applicable to an inherited subprogram changes due to called subprograms in its contract being overridden, then the inherited subprogram would have to be re-verified for the derived type. This rule forbids the cases that require re-verification.]
- The Pre aspect shall not be specified on an overridding primitive operation, or a primitive operation of a type T at a point where T is tagged. Pre’Class should be used instead to express preconditions.
[The rationale for this rule is that, otherwise, the combination of dynamic semantics and verification rules below would force an identical Pre’Class each time Pre is used on a dispatching operation.]
Verification Rules
For a call on a nondispatching operation, a verification condition is introduced (as for any run-time check) to ensure that the specific precondition check associated with the statically denoted callee will succeed. Upon entry to such a subprogram, the specific preconditions of the subprogram may then be assumed.
For a call (dispatching or not) on a dispatching operation, a verification condition is introduced (as for any run-time check) to ensure that the class-wide precondition check associated with the statically denoted callee will succeed.
The verification condition associated with the specific precondition of a dispatching subprogram is imposed on the callee, as opposed to on callers of the subprogram. Upon entry to a subprogram, the class-wide preconditions of the subprogram may be assumed. Given this, the specific preconditions of the subprogram must be proven.
The callee is responsible for discharging the verification conditions associated with any postcondition checks, class-wide or specific. The success of these checks may then be assumed by the caller.
In the case of an overriding dispatching operation whose Pre’Class attribute is explicitly specified, a verification condition is introduced to ensure that the specified Pre’Class condition is implied by the Pre’Class condition of the overridden inherited subprogram(s). Similarly, in the case of an overriding dispatching operation whose Post’Class attribute is explicitly specified, a verification condition is introduced to ensure that the specified Post’Class condition implies the Post’Class condition of the overridden inherited subprogram(s). [These verification conditions do not correspond to any run-time check. They are intended to, in effect, require users to make explicit the implicit disjunction/conjunction of class-wide preconditions/postconditions that is described in Ada RM 6.1.1.]
6.1.2. Subprogram Contracts¶
In order to extend Ada’s support for specification of subprogram contracts (e.g., the Pre and Post) by providing more precise and/or concise contracts, the SPARK 2014 aspects, Global, Depends, and Contract_Cases are defined.
Legality Rules
- The Global, Depends and Contract_Cases aspects may be
specified for a subprogram with an
aspect_specification
. More specifically, such aspect specifications are allowed in the same contexts as Pre or Post aspect specifications. [In particular, these aspects may be specified for a generic subprogram but not for an instance of a generic subprogram.]
See section Contract Cases for further detail on Contract_Case aspects, section Global Aspects for further detail on Global aspects and section Depends Aspects for further detail on Depends aspects.
6.1.3. Contract Cases¶
The Contract_Cases aspect provides a structured way of defining a subprogram
contract using mutually exclusive subcontract cases. The final case in the
Contract_Case aspect may be the keyword others which means that, in a
specific call to the subprogram, if all the conditions
are False this
contract_case
is taken. If an others contract_case
is not specified,
then in a specific call of the subprogram exactly one of the guarding
conditions
should be True.
A Contract_Cases aspect may be used in conjunction with the
language-defined aspects Pre and Post in which case the precondition
specified by the Pre aspect is augmented with a check that exactly one
of the conditions
of the contract_case_list
is satisfied and
the postcondition specified by the Post aspect is conjoined with
conditional expressions representing each of the contract_cases
.
For example:
procedure P (...)
with Pre => General_Precondition,
Post => General_Postcondition,
Contract_Cases => (A1 => B1,
A2 => B2,
...
An => Bn);
is short hand for
procedure P (...)
with Pre => General_Precondition
and then Exactly_One_Of (A1, A2, ..., An),
Post => General_Postcondition
and then (if A1'Old then B1)
and then (if A2'Old then B2)
and then ...
and then (if An'Old then Bn);
where
A1 .. An are Boolean expressions involving the entry values of formal parameters and global objects and
B1 .. Bn are Boolean expressions that may also use the exit values of formal parameters, global objects and results.
Exactly_One_Of(A1,A2...An)
evaluates to True if exactly one of its inputs evaluates to True and all other of its inputs evaluate to False.
The Contract_Cases aspect is specified with an aspect_specification
where
the aspect_mark
is Contract_Cases and the aspect_definition
must follow
the grammar of contract_case_list
given below.
Syntax
contract_case_list ::= (contract_case {, contract_case})
contract_case ::= condition => consequence
| others => consequence
where
consequence ::=
Boolean_expression
Legality Rules
- A Contract_Cases aspect may have at most one others
contract_case
and if it exists it shall be the last one in thecontract_case_list
.
- A
consequence
expression is considered to be a postcondition expression for purposes of determining the legality of Old or Resultattribute_references
.
Static Semantics
- A Contract_Cases aspect is an assertion (as defined in RM
11.4.2(1.1/3)); its assertion expressions are as described
below. Contract_Cases may be specified as an
assertion_aspect_mark
in an Assertion_Policy pragma.
Dynamic Semantics
- Upon a call of a subprogram which is subject to an enabled
Contract_Cases aspect, Contract_Cases checks are
performed as follows:
- Immediately after the specific precondition expression is
evaluated and checked (or, if that check is disabled, at the
point where the check would have been performed if it were
enabled), all of the
conditions
of thecontract_case_list
are evaluated in textual order. A check is performed that exactly one (if no otherscontract_case
is provided) or at most one (if an otherscontract_case
is provided) of theseconditions
evaluates to True; Assertions.Assertion_Error is raised if this check fails. - Immediately after the specific postcondition expression is
evaluated and checked (or, if that check is disabled, at the
point where the check would have been performed if it were
enabled), exactly one of the
consequences
is evaluated. Theconsequence
to be evaluated is the one corresponding to the onecondition
whose evaluation yielded True (if such acondition
exists), or to the otherscontract_case
(if everycondition
‘s evaluation yielded False). A check is performed that the evaluation of the selectedconsequence
evaluates to True; Assertions.Assertion_Error is raised if this check fails.
- Immediately after the specific precondition expression is
evaluated and checked (or, if that check is disabled, at the
point where the check would have been performed if it were
enabled), all of the
- If an Old
attribute_reference
occurs within aconsequence
other than theconsequence
selected for (later) evaluation as described above, then the associated implicit constant declaration (see Ada RM 6.1.1) is not elaborated. [In particular, the prefix of the Oldattribute_reference
is not evaluated].
Verification Rules
The verification conditions associated with the Contract_Cases runtime checks performed at the beginning of a call are assigned in the same way as those associated with a specific precondition check. More specifically, the verification condition is imposed on the caller or on the callee depending on whether the subprogram in question is a dispatching operation.
Examples
-- This subprogram is specified using a Contract_Cases aspect.
-- The prover will check that the cases are disjoint and
-- cover the domain of X.
procedure Incr_Threshold (X : in out Integer; Threshold : in Integer)
with Contract_Cases => (X < Threshold => X = X'Old + 1,
X >= Threshold => X = X'Old);
-- This is the equivalent specification not using Contract_Cases.
-- It is noticeably more complex and the prover is not able to check
-- for disjoint cases or that he domain of X is covered.
procedure Incr_Threshold_1 (X : in out Integer; Threshold : in Integer)
with Pre => (X < Threshold and not (X = Threshold))
or else (not (X < Threshold) and X = Threshold),
Post => (if X'Old < Threshold then X = X'Old + 1
elsif X'Old = Threshold then X = X'Old);
-- Contract_Cases can be used in conjunction with pre and postconditions.
procedure Incr_Threshold_2 (X : in out Integer; Threshold : in Integer)
with Pre => X in 0 .. Threshold,
Post => X >= X'Old,
Contract_Cases => (X < Threshold => X = X'Old + 1,
X = Threshold => X = X'Old);
6.1.4. Global Aspects¶
A Global aspect of a subprogram lists the global items whose values are used or affected by a call of the subprogram.
The Global aspect shall only be specified for the initial declaration of a subprogram (which may be a declaration, a body or a body stub), of a protected entry, or of a task unit. The implementation of a subprogram body shall be consistent with the subprogram’s Global aspect. Similarly, the implementation of an entry or task body shall be consistent with the entry or task’s Global aspect.
Note that a Refined_Global aspect may be applied to a subprogram body when using state abstraction; see section Refined_Global Aspects for further details.
The Global aspect is introduced by an aspect_specification
where
the aspect_mark
is Global and the aspect_definition
must
follow the grammar of global_specification
For purposes of the rules concerning the Global, Depends, Refined_Global, and Refined_Depends aspects, when any of these aspects are specified for a task unit the task unit’s body is considered to be the body of a nonreturning procedure and the current instance of the task unit is considered to be a formal parameter (of that notional procedure) of mode in out. [For example, rules which refer to the “subprogram body” refer, in the case of a task unit, to the task body.] [Because a task (even a discriminated task) is effectively a constant, one might think that a mode of in would make more sense. However, the current instance of a task unit is, strictly speaking, a variable; for example, it may be passed as an actual out or in out mode parameter in a call.] The Depends and Refined_Depends aspect of a task unit T need not mention this implicit parameter; an implicit specification of “T => T” is assumed, although this may be confirmed explicitly.
Similarly, for purposes of the rules concerning the Global, Refined_Global, Depends, and Refined_Depends aspects as they apply to protected operations, the current instance of the enclosing protected unit is considered to be a formal parameter (of mode in for a protected function, of mode in out otherwise) and a protected entry is considered to be a protected procedure. [For example, rules which refer to the “subprogram body” refer, in the case of a protected entry, to the entry body. As another example, the Global aspect of a subprogram nested within a protected operation might name the current instance of the protected unit as a global in the same way that it might name any other parameter of the protected operation.]
[Note that AI12-0169 modifies the Ada RM syntax for an entry_body
to allow an optional aspect_specification
immediately before the
entry_barrier
. This is relevant for aspects such as Refined_Global
and Refined_Depends.]
Syntax
global_specification ::= (moded_global_list {, moded_global_list})
| global_list
| null_global_specification
moded_global_list ::= mode_selector => global_list
global_list ::= global_item
| (global_item {, global_item})
mode_selector ::= Input | Output | In_Out | Proof_In
global_item ::= name
null_global_specification ::= null
Static Semantics
- A
global_specification
that is aglobal_list
is shorthand for amoded_global_list
with themode_selector
Input.
- A
global_item
is referenced by a subprogram if:- It denotes an input or an output of the subprogram, or;
- Its entry value is used to determine the value of an assertion expression within the subprogram, or;
- Its entry value is used to determine the value of an assertion expression within another subprogram that is called either directly or indirectly by this subprogram.
- A
null_global_specification
indicates that the subprogram does not reference anyglobal_item
directly or indirectly.
If a subprogram’s Global aspect is not otherwise specified and either
- the subprogram is a library-level subprogram declared in a library unit that is declared pure (i.e., a subprogram to which the implementation permissions of Ada RM 10.2.1 apply); or
- a Pure_Function pragma applies to the subprogram
then a Global aspect of null is implicitly specified for the subprogram.
Name Resolution Rules
- A
global_item
shall denote an entire object or a state abstraction. [This is a name resolution rule because aglobal_item
can unambiguously denote a state abstraction even if a function having the same fully qualified name is also present].
Legality Rules
- The Global aspect may only be specified for the initial declaration of a subprogram (which may be a declaration, a body or a body stub), of a protected entry, or of a task unit.
- A
global_item
occurring in a Global aspect specification of a subprogram shall not denote a formal parameter of the subprogram.
- A
global_item
shall not denote a state abstraction whose refinement is visible. [A state abstraction cannot be named within its enclosing package’s body other than in its refinement. Its constituents shall be used rather than the state abstraction.]
- Each
mode_selector
shall occur at most once in a single Global aspect.
- A function subprogram shall not have a
mode_selector
of Output or In_Out in its Global aspect.
- The
global_items
in a single Global aspect specification shall denote distinct entities.
- If a subprogram is nested within another and if the
global_specification
of the outer subprogram has an entity denoted by aglobal_item
with amode_specification
of Input or the entity is a formal parameter with a mode of in, then aglobal_item
of theglobal_specification
of the inner subprogram shall not denote the same entity with amode_selector
of In_Out or Output.
Dynamic Semantics
There are no dynamic semantics associated with a Global aspect as it is used purely for static analysis purposes and is not executed.
Verification Rules
- For a subprogram that has a
global_specification
, an object (except a constant without variable inputs) or state abstraction that is declared outside the scope of the subprogram, shall only be referenced within its implementation if it is aglobal_item
in theglobal_specification
.
- A
global_item
shall occur in a Global aspect of a subprogram if and only if it denotes an entity (except for a constant without variable inputs) that is referenced by the subprogram.
- Where the refinement of a state abstraction is not visible (see
State Refinement) and a subprogram references one or more
of its constituents the constituents may be represented by a
global_item
that denotes the state abstraction in theglobal_specification
of the subprogram. [The state abstraction encapsulating a constituent is known from the Part_Of indicator on the declaration of the constituent.]
- Each entity denoted by a
global_item
in aglobal_specification
of a subprogram that is an input or output of the subprogram shall satisfy the following mode specification rules [which are checked during analysis of the subprogram body]:- a
global_item
that denotes an input but not an output has amode_selector
of Input; - a
global_item
has amode_selector
of Output if:- it denotes an output but not an input, other than the use of a
discriminant or an attribute related to a property, not its
value, of the
global_item
[examples of attributes that may be used are A’Last, A’First and A’Length; examples of attributes that are dependent on the value of the object and shall not be used are X’Old and X’Update] and - is always fully initialized by a call of the subprogram. ;
- it denotes an output but not an input, other than the use of a
discriminant or an attribute related to a property, not its
value, of the
- otherwise the
global_item
denotes both an input and an output, and has amode_selector
of In_Out.
- a
[For purposes of determining whether an output of a subprogram shall have amode_selector
of Output or In_Out, reads of array bounds, discriminants, or tags of any part of the output are ignored. Similarly, for purposes of determining whether an entity is fully initialized as a result of any successful execution of the call, only nondiscriminant parts are considered. This implies that given an output of a discriminated type that is not known to be constrained (“known to be constrained” is defined in Ada RM 3.3), the discriminants of the output might or might not be updated by the call.]
- An entity that is denoted by a
global_item
which is referenced by a subprogram but is neither an input nor an output but is only referenced directly, or indirectly in assertion expressions has amode_selector
of Proof_In.
- A
global_item
shall not denote a constant object other than a formal parameter [of an enclosing subprogram] of mode in, a generic formal object of mode in, or a constant with variable inputs.
If aglobal_item
denotes a generic formal object of mode in, then the correspondingglobal_item
in an instance of the generic unit may denote a constant which has no variable inputs. [This can occur if the corresponding actual parameter is an expression which has no variable inputs]. Outside of the instance, such aglobal_item
is ignored. For example,
generic
Xxx : Integer;
package Ggg is
procedure Ppp (Yyy : in out Integer) with Global => Xxx,
Depends => (Yyy =>+ Xxx);
end Ggg;
package body Ggg is
procedure Ppp (Yyy : in out Integer) is
begin
Yyy := Integer'Max (Xxx, Yyy);
end Ppp;
end Ggg;
package Iii is new Ggg
(Xxx => 123); -- actual parameter lacks variable inputs
procedure Qqq (Zzz : in out Integer) with Global => null,
Depends => (Zzz =>+ null);
procedure Qqq (Zzz : in out Integer) is
begin
Iii.Ppp (Yyy => Zzz);
end Qqq;
-- Qqq's Global and Depends aspects don't mention Iii.Xxx even though
-- Qqq calls Iii.Ppp which does reference Iii.Xxx as a global.
-- As seen from outside of Iii, Iii.Ppp's references to Iii.Xxx in its
-- Global and Depends aspect specifications are ignored.
- The
mode_selector
of aglobal_item
denoting a constant with variable inputs shall beInput
orProof_In
.
- The
mode_selector
of aglobal_item
denoting a variable marked as a constant after elaboration shall beInput
orProof_In
[, to ensure that such variables are only updated directly by package elaboration code]. A subprogram or entry having such aglobal_item
shall not be called during library unit elaboration[, to ensure only the final (“constant”) value of the object is referenced].
Examples
with Global => null; -- Indicates that the subprogram does not reference
-- any global items.
with Global => V; -- Indicates that V is an input of the subprogram.
with Global => (X, Y, Z); -- X, Y and Z are inputs of the subprogram.
with Global => (Input => V); -- Indicates that V is an input of the subprogram.
with Global => (Input => (X, Y, Z)); -- X, Y and Z are inputs of the subprogram.
with Global => (Output => (A, B, C)); -- A, B and C are outputs of
-- the subprogram.
with Global => (In_Out => (D, E, F)); -- D, E and F are both inputs and
-- outputs of the subprogram
with Global => (Proof_In => (G, H)); -- G and H are only used in
-- assertion expressions within
-- the subprogram
with Global => (Input => (X, Y, Z),
Output => (A, B, C),
In_Out => (P, Q, R),
Proof_In => (T, U));
-- A global aspect with all types of global specification
6.1.5. Depends Aspects¶
A Depends aspect defines a dependency relation for a subprogram
which may be given in the aspect_specification
of the subprogram.
A dependency relation is a sort of formal specification which
specifies a simple relationship between inputs and outputs of the
subprogram. It may be used with or without a postcondition.
The Depends aspect shall only be specified for the initial declaration of a subprogram (which may be a declaration, a body or a body stub), of a protected entry, or of a task unit.
Unlike a postcondition, the functional behavior of a subprogram is not specified by the Depends aspect but the Depends aspect has to be complete in the sense that every input and output of the subprogram must appear in it. Whereas, a postcondition may be partial and only specify properties of particular interest.
Like a postcondition, the dependency relation may be omitted from a subprogram declaration in when it defaults to the conservative relation that each output depends on every input of the subprogram. A particular SPARK 2014 tool may synthesize a more accurate approximation from the subprogram implementation if it is present (see Synthesis of SPARK 2014 Aspects).
For accurate information flow analysis the Depends aspect should be present on every subprogram.
A Depends aspect for a subprogram specifies for each output every input on which it depends. The meaning of X depends on Y in this context is that the input value(s) of Y may affect:
- the exit value of X; and
- the intermediate values of X if it is an external state (see section External State), or if the subprogram is a nonreturning procedure [, possibly the notional nonreturning procedure corresponding to a task body].
This is written X => Y. As in UML, the entity at the tail of the arrow depends on the entity at the head of the arrow.
If an output does not depend on any input this is indicated using a null, e.g., X => null. An output may be self-dependent but not dependent on any other input. The shorthand notation denoting self-dependence is useful here, X =>+ null.
Note that a Refined_Depends aspect may be applied to a subprogram body when using state abstraction; see section Refined_Depends Aspects for further details.
See section Global Aspects regarding how the rules given in this section apply to protected operations and to task bodies.
The Depends aspect is introduced by an aspect_specification
where
the aspect_mark
is Depends and the aspect_definition
must follow
the grammar of dependency_relation
given below.
Syntax
dependency_relation ::= null
| (dependency_clause {, dependency_clause})
dependency_clause ::= output_list =>[+] input_list
| null_dependency_clause
null_dependency_clause ::= null => input_list
output_list ::= output
| (output {, output})
input_list ::= input
| (input {, input})
| null
input ::= name
output ::= name | function_result
where
function_result
is a function Resultattribute_reference
.
Name Resolution Rules
- An
input
oroutput
of adependency_relation
shall denote only an entire object or a state abstraction. [This is a name resolution rule because aninput
oroutput
can unambiguously denote a state abstraction even if a function having the same fully qualified name is also present.]
Legality Rules
- The Depends aspect shall only be specified for the initial declaration of a subprogram (which may be a declaration, a body or a body stub), of a protected entry, or of a task unit.
- An
input
oroutput
of adependency_relation
shall not denote a state abstraction whose refinement is visible [a state abstraction cannot be named within its enclosing package’s body other than in its refinement].
- The explicit input set of a subprogram is the set of formal parameters of
the subprogram of mode in and in out along with the entities denoted
by
global_items
of the Global aspect of the subprogram with amode_selector
of Input and In_Out.
- The input set of a subprogram is the explicit input set of the
subprogram augmented with those formal parameters of mode out and
those
global_items
with amode_selector
of Output having discriminants, array bounds, or a tag which can be read and whose values are not implied by the subtype of the parameter. More specifically, it includes formal parameters of mode out andglobal_items
with amode_selector
of Output which are of an unconstrained array subtype, an unconstrained discriminated subtype, a tagged type (with one exception), or a type having a subcomponent of an unconstrained discriminated subtype. The exception mentioned in the previous sentence is in the case where the formal parameter is of a specific tagged type and the applicable Extensions_Visible aspect is False. In that case, the tag of the parameter cannot be read and so the fact that the parameter is tagged does not cause it to included in the subprogram’s input_set, although it may be included for some other reason (e.g., if the parameter is of an unconstrained discriminated subtype).
- The output set of a subprogram is the set of formal parameters of the
subprogram of mode in out and out along with the entities denoted by
global_items
of the Global aspect of the subprogram with amode_selector
of In_Out and Output and (for a function) thefunction_result
.
- The entity denoted by each
input
of adependency_relation
of a subprogram shall be a member of the input set of the subprogram.
- Every member of the explicit input set of a subprogram shall be denoted by
at least one
input
of thedependency_relation
of the subprogram.
- The entity denoted by each
output
of adependency_relation
of a subprogram shall be a member of the output set of the subprogram.
- Every member of the output set of a subprogram shall be denoted by exactly
one
output
in thedependency_relation
of the subprogram.
- For the purposes of determining the legality of a Result
attribute_reference
, adependency_relation
is considered to be a postcondition of the function to which the enclosingaspect_specification
applies.
- In a
dependency_relation
there can be at most onedependency_clause
which is anull_dependency_clause
and if it exists it shall be the lastdependency_clause
in thedependency_relation
.
- An entity denoted by an
input
which is in aninput_list
of anull_dependency_clause
shall not be denoted by aninput
in anotherinput_list
of the samedependency_relation
.
- The
inputs
in a singleinput_list
shall denote distinct entities.
- A
null_dependency_clause
shall not have aninput_list
of null.
Static Semantics
- A
dependency_clause
with a “+” symbol in the syntaxoutput_list
=>+input_list
means that eachoutput
in theoutput_list
has a self-dependency, that is, it is dependent on itself. [The text (A, B, C) =>+ Z is shorthand for (A => (A, Z), B => (B, Z), C => (C, Z)).]
- A
dependency_clause
of the form A =>+ A has the same meaning as A => A. [The reason for this rule is to allow the short hand: ((A, B) =>+ (A, C)) which is equivalent to (A => (A, C), B => (A, B, C)).]
- A
dependency_clause
with a nullinput_list
means that the final value of the entity denoted by eachoutput
in theoutput_list
does not depend on any member of the input set of the subprogram (other than itself, if theoutput_list
=>+ null self-dependency syntax is used).
- The
inputs
in theinput_list
of anull_dependency_clause
may be read by the subprogram but play no role in determining the values of any outputs of the subprogram.
- A Depends aspect of a subprogram with a null
dependency_relation
indicates that the subprogram has noinputs
oroutputs
. [From an information flow analysis viewpoint it is a null operation (a no-op).]
- A function without an explicit Depends aspect specification has
the default
dependency_relation
that its result is dependent on all of its inputs. [Generally an explicit Depends aspect is not required for a function declaration.]
- A procedure without an explicit Depends aspect specification has a
default
dependency_relation
that each member of its output set is dependent on every member of its input set. [This conservative approximation may be improved by analyzing the body of the subprogram if it is present.]
Dynamic Semantics
There are no dynamic semantics associated with a Depends aspect as it is used purely for static analysis purposes and is not executed.
Verification Rules
- Each entity denoted by an
output
given in the Depends aspect of a subprogram shall be an output in the implementation of the subprogram body and the output shall depend on all, but only, the entities denoted by theinputs
given in theinput_list
associated with theoutput
.
- Each output of the implementation of the subprogram body is denoted by
an
output
in the Depends aspect of the subprogram.
- Each input of the implementation of a subprogram body is denoted by an
input
of the Depends aspect of the subprogram.
If not all parts of an output are updated, then the updated entity is dependent on itself as the parts that are not updated have their current value preserved.
[In the case of a parameter of a tagged type (specific or class-wide), see the definition of “fully initialized” for a clarification of what the phrase “all parts” means in the preceding sentence.]
Examples
procedure P (X, Y, Z in : Integer; Result : out Boolean)
with Depends => (Result => (X, Y, Z));
-- The exit value of Result depends on the entry values of X, Y and Z
procedure Q (X, Y, Z in : Integer; A, B, C, D, E : out Integer)
with Depends => ((A, B) => (X, Y),
C => (X, Z),
D => Y,
E => null);
-- The exit values of A and B depend on the entry values of X and Y.
-- The exit value of C depends on the entry values of X and Z.
-- The exit value of D depends on the entry value of Y.
-- The exit value of E does not depend on any input value.
procedure R (X, Y, Z : in Integer; A, B, C, D : in out Integer)
with Depends => ((A, B) =>+ (A, X, Y),
C =>+ Z,
D =>+ null);
-- The "+" sign attached to the arrow indicates self-dependency, that is
-- the exit value of A depends on the entry value of A as well as the
-- entry values of X and Y.
-- Similarly, the exit value of B depends on the entry value of B
-- as well as the entry values of A, X and Y.
-- The exit value of C depends on the entry value of C and Z.
-- The exit value of D depends only on the entry value of D.
procedure S
with Global => (Input => (X, Y, Z),
In_Out => (A, B, C, D)),
Depends => ((A, B) =>+ (A, X, Y, Z),
C =>+ Y,
D =>+ null);
-- Here globals are used rather than parameters and global items may appear
-- in the Depends aspect as well as formal parameters.
function F (X, Y : Integer) return Integer
with Global => G,
Depends => (F'Result => (G, X),
null => Y);
-- Depends aspects are only needed for special cases like here where the
-- parameter Y has no discernible effect on the result of the function.
6.1.6. Class-Wide Global and Depends Aspects¶
The Global’Class and Depends’Class aspects may be specified for a dispatching subprogram just as the Global and Depends aspects may be specified for any subprogram (dispatching or not). [The syntax, static semantics, and legality rules are all the same, except that the Depends’Class aspect of a subprogram is checked for consistency with the Global’Class aspect of the subprogram rather than with the Global aspect.]
Verification Rules
When analyzing a dispatching call, the Global and Depends aspects of the statically denoted callee play no role; the corresponding class-wide aspects are used instead.
[No relationship between the Global’Class/Depends’Class aspects of a subprogram and the subprogram’s implementation is explicitly verified. This is instead accomplished implicitly by checking the consistency of the subprogram’s implementation with its Global/Depends aspects (as described in preceding sections) and then checking (as described in this section) the consistency of the Global/Depends aspects with the Global’Class/Depends’Class aspects.]
Static Semantics
A Global or Global’Class aspect specification G2 is said to be a valid overriding of another such specification, G1, if the following conditions are met:
- each Input-mode item of G2 is an Input-mode or an In_Out-mode item of G1 or a direct or indirect constituent thereof; and
- each In_Out-mode item of G2 is an In_Out-mode item of G1 or a direct or indirect constituent thereof; and
- each Output-mode item of G2 is an Output-mode or In_Out-mode item of G1 or a direct or indirect constituent therof; and
- each Output-mode item of G1 which is not a state abstraction whose refinment is visible at the point of G2 is an Output-mode item of G2; and
- for each Output-mode item of G1 which is a state abstraction whose refinment is visible at the point of G2, each direct or indirect constituent thereof is an Output-mode item of G2.
A Depends or Depends’Class aspect specification D2 is said to be a valid overriding of another such specification, D1, if the set of dependencies of D2 is a subset of the dependencies of D1 or, in the case where D1 mentions a state abstraction whose refinement is visible at the point of D2, if D2 is derivable from such a subset as described in Refined_Depends Aspects.
Legality Rules
The Global aspect of a subprogram shall be a valid overriding of the Global’Class aspect of the subprogram. The Global’Class aspect of an an overriding subprogram shall be a valid overriding of the Global’Class aspect(s) of the overridden inherited subprogram(s).
The Depends aspect of a subprogram shall be a valid overriding of the Depends’Class aspect of the subprogram. The Depends’Class aspect of an an overriding subprogram shall be a valid overriding of the Depends’Class aspect(s) of the overridden inherited subprogram(s).
6.1.7. Extensions_Visible Aspects¶
- The Extensions_Visible aspect provides a mechanism for ensuring that “hidden” components of a formal parameter of a specific tagged type are unreferenced. For example, if a formal parameter of a specific tagged type T is converted to a class-wide type and then used as a controlling operand in a dispatching call, then the (dynamic) callee might reference components of the parameter which are declared in some extension of T. Such a use of the formal parameter could be forbidden via an Extensions_Visible aspect specification as described below. The aspect also plays a corresponding role in the analysis of callers of the subprogram.
Static Semantics
- Extensions_Visible is a Boolean-valued aspect which may be specified for a noninstance subprogram or a generic subprogram. If directly specified, the aspect_definition shall be a static [Boolean] expression. The aspect is inherited by an inherited primitive subprogram. If the aspect is neither inherited nor directly specified for a subprogram, then the aspect is False, except in the case of the predefined equality operator of a type extension. In that case, the aspect value is that of the primitive [(possibly user-defined)] equality operator for the parent type.
Legality Rules
- If the Extensions_Visible aspect is False for a subprogram, then
certain restrictions are imposed on the use of any parameter of the
subprogram which is of a specific tagged type (or of a private type
whose full view is a specific tagged type).
Such a parameter shall not be converted (implicitly or explicitly) to
a class-wide type. Such a parameter shall not be passed as an actual
parameter in a call to a subprogram whose Extensions_Visible aspect is
True. These restrictions also apply to any parenthesized expression,
qualified expression, or type conversion whose operand is subject to
these restrictions, to any Old, Update, or Loop_Entry
attribute_reference
whose prefix is subject to these restrictions, and to any conditional expression having at least one dependent_expression which is subject to these restrictions. [A subcomponent of a parameter is not itself a parameter and is therefore not subject to these restrictions. A parameter whose type is class-wide is not subject to these restrictions. An Old, Update, or Loop_Entryattribute_reference
does not itself violate these restrictions (despite the fact that (in the tagged case) each of these attributes yields a result having the same underlying dynamic tag as their prefix).] - A subprogram whose Extensions_Visible aspect is True shall not override an inherited primitive operation of a tagged type whose Extensions_Visible aspect is False. [The reverse is allowed.]
- If a nonnull type extension inherits a procedure having both a False Extensions_Visible aspect and one or more controlling out-mode parameters, then the inherited procedure requires overriding. [This is because the inherited procedure would not initialize the noninherited component(s).]
- The Extensions_Visible aspect shall not be specified for a subprogram which has no parameters of either a specific tagged type or a private type unless the subprogram is declared in an instance of a generic unit and the corresponding subprogram in the generic unit satisfies this rule. [Such an aspect specification, if allowed, would be ineffective.]
- [These rules ensure that the value of the underlying tag (at run time) of the actual parameter of a call to a subprogram whose Extensions_Visible aspect is False will have no effect on the behavior of that call. In particular, if the actual parameter has any additional components which are not components of the type of the formal parameter, then these components are unreferenced by the execution of the call.]
Verification Rules
- SPARK 2014 requires that an actual parameter corresponding to an in mode or in out mode formal parameter in a call shall be fully initialized before the call; similarly, the callee is responsible for fully initializing any out-mode parameters before returning.
- In the case of a formal parameter of a specific tagged type T (or of a private type whose full view is a specific tagged type), the set of components which shall be initialized in order to meet these requirements depends on the Extensions_Visible aspect of the callee. If the aspect is False, then that set of components is the [statically known] set of nondiscriminant components of T. If the aspect is True, then this set is the set of nondiscriminant components of the specific type associated with the tag of the corresponding actual parameter. [In general, this is not statically known. This set will always include the nondiscriminant components of T, but it may also include additional components.]
- [To put it another way, if the applicable Extensions_Visible aspect is True, then the initialization requirements (for both the caller and the callee) for a parameter of a specific tagged type T are the same as if the formal parameter’s type were T’Class. If the aspect is False, then components declared in proper descendants of T need not be initialized. In the case of an out mode parameter, such initialization by the callee is not only not required, it is effectively forbidden because such an out-mode parameter could not be fully initialized without some form of dispatching (e.g., a class-wide assignment or a dispatching call in which an out-mode parameter is a controlling operand). Such a dispatching assignment will always fully initialize its controlling out-mode parameters, regardless of the Extensions_Visible aspect of the callee. An assignment statement whose target is of a class-wide type T’Class is treated, for purposes of formal verification, like a call to a procedure with two parameters of type T’Class, one of mode out and one of mode in.]
- [In the case of an actual parameter of a call to a subprogram whose Extensions_Visible aspect is False where the corresponding formal parameter is of a specific tagged type T, these rules imply that formal verification can safely assume that any components of the actual parameter which are not components of T will be neither read nor written by the call.]
6.2. Formal Parameter Modes¶
In flow analysis, particularly information flow analysis, the update of a component of composite object is treated as updating the whole of the composite object with the component set to its new value and the remaining components of the composite object with their value preserved.
This means that if a formal parameter of a subprogram is a composite type and only individual components, but not all, are updated, then the mode of the formal parameter should be in out.
In general, it is not possible to statically determine whether all elements of an array have been updated by a subprogram if individual array elements are updated. The mode of a formal parameter of an array with such updates should be in out.
A formal parameter with a mode of out is treated as not having an entry value (apart from any discriminant or attributes of properties of the formal parameter). Hence, a subprogram cannot read a value of a formal parameter of mode out until the subprogram has updated it.
Verification Rules
- A subprogram formal parameter of a composite type which is updated but not fully initialized by the subprogram shall have a mode of in out.
- A subprogram formal parameter of mode out shall not be read by the subprogram until it has been updated by the subprogram. The use of a discriminant or an attribute related to a property, not its value, of the formal parameter is not considered to be a read of the formal parameter. [Examples of attributes that may be used are A’First, A’Last and A’Length; examples of attributes that are dependent on the value of the formal parameter and shall not be used are X’Old and X’Update.]
Examples
1 2 3 4 5 6 7 8 9 10 11 | -- The following example is acceptable in Ada
-- but will raise a flow anomaly in SPARK stating that
-- X may not be initialized because an out parameter indicates
-- that the entire String is initialized.
procedure Param_1_Illegal (X : out String)
is
begin
if X'Length > 0 and X'First = 1 then
X (1) := '?';
end if;
end Param_1_Illegal;
|
1 2 3 4 5 6 7 8 9 | -- In SPARK the parameter mode should be in out meaning that the
-- entire array is initialized before the call to the subprogram.
procedure Param_1_Legal (X : in out String)
is
begin
if X'Length > 0 and X'First = 1 then
X (1) := '?';
end if;
end Param_1_Legal;
|
6.3. Subprogram Bodies¶
6.3.1. Conformance Rules¶
No extensions or restrictions.
6.3.2. Inline Expansion of Subprograms¶
No extensions or restrictions.
6.4. Subprogram Calls¶
No extensions or restrictions.
6.4.1. Parameter Associations¶
No extensions or restrictions.
6.4.2. Anti-Aliasing¶
An alias is a name which refers to the same object as another name. The presence of aliasing is inconsistent with the underlying flow analysis and proof models used by the tools which assume that different names represent different entities. In general, it is not possible or is difficult to deduce that two names refer to the same object and problems arise when one of the names is used to update the object (although object renaming declarations are not problematic in SPARK 2014).
A common place for aliasing to be introduced is through the actual parameters and between actual parameters and global variables in a procedure call. Extra verification rules are given that avoid the possibility of aliasing through actual parameters and global variables. A function is not allowed to have side-effects and cannot update an actual parameter or global variable. Therefore, function calls cannot introduce aliasing and are excluded from the anti-aliasing rules given below for procedure calls.
Static Semantics
- Two names that denote parts of the same unsynchronized (see section Tasks and Synchronization) stand-alone object whose Constant_After_Elaboration aspect is False, or which denote parts of the same unsynchronized parameter, are said to potentially introduce aliasing. [This definition has the effect of exempting most synchronized objects from the anti-aliasing rules given below; aliasing of most synchronized objects via parameter passing is allowed.]
Verification Rules
- A procedure call shall not pass two actual parameters which potentially introduce aliasing unless either
- both of the corresponding formal parameters are of mode in; or
- at least one of the corresponding formal parameters is of mode in and is of a by-copy type.
- If an actual parameter in a procedure call and a
global_item
referenced by the called procedure potentially introduce aliasing, then
- the mode of the corresponding formal parameter shall be in; and
- if the
global_item
‘s mode is Output or In_Out, then the parameter’s corresponding formal parameter shall be of a by-copy type.
- Where one of these rules prohibits the occurrence of an object V or any of its subcomponents
as an actual parameter, the following constructs are also prohibited in this context:
- A type conversion whose operand is a prohibited construct;
- A call to an instance of Unchecked_Conversion whose operand is a prohibited construct;
- A qualified expression whose operand is a prohibited construct;
- A prohibited construct enclosed in parentheses.
Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 | procedure Anti_Aliasing is
type Rec is record
X : Integer;
Y : Integer;
end record;
type Arr is array (1 .. 10) of Integer;
type Arr_With_Rec is array (1 .. 10) of Rec;
Local_1, Local_2 : Integer := 0;
Rec_1 : Rec := (0, 0);
Arr_1 : arr := (others => 0);
Arr_Rec : Arr_With_Rec := (others => (0, 0));
procedure One_In_One_Out (X : in Integer; Y : in out Integer)
is
begin
Y := X + Y;
end One_In_One_Out;
procedure Two_In_Out (X, Y : in out Integer) with Global => null
is
Temp : Integer;
begin
Temp := Y;
Y := X + Y;
X := Temp;
end Two_In_Out;
procedure With_In_Global (I : in out Integer)
with Global => Local_1
is
begin
I := I + Local_1;
end With_In_Global;
procedure With_In_Out_Global (I : in Integer)
with Global => (In_Out => Local_1)
is
begin
Local_1 := I + Local_1;
end With_In_Out_Global;
procedure With_Composite_In_Out_Global (I : in Integer)
with Global => (In_Out => Rec_1)
is
begin
Rec_1.X := I + Rec_1.X;
end With_Composite_In_Out_Global;
begin
-- This is ok because parameters are by copy and there
-- is only one out parameter
One_In_One_Out (Local_1, Local_1);
-- This is erroneous both parameters are in out and
-- the actual parameters overlap
Two_In_Out (Local_1, Local_1);
-- This is ok the variables do not overlap even though
-- they are part of the same record.
Two_In_Out (Rec_1.X, Rec_1.Y);
-- This is ok the variables do not overlap they
-- can statically determined to be distinct elements
Two_In_Out (Arr_1 (1), Arr_1 (2));
-- This is erroneous because it cannot be determined statically
-- whether the elements overlap
Two_In_Out (Arr_1 (Local_1), Arr_1 (Local_2));
-- This is ok the variables do not overlap they
-- can statically determined to be distinct components
Two_In_Out (Arr_Rec (Local_1).X , Arr_Rec (Local_2).Y);
-- This erroneous Global and formal in out parameter overlap.
With_In_Global (Local_1);
-- This erroneous Global In_Out and formal parameter overlap.
With_In_Out_Global (Local_1);
-- This erroneous Global In_Out and formal parameter overlap.
With_Composite_In_Out_Global (Rec_1.Y);
end Anti_Aliasing;
|
6.5. Return Statements¶
No extensions or restrictions.
6.5.1. Nonreturning Procedures¶
Verification Rules
A call to a nonreturning procedure introduces an obligation to prove that the statement will not be executed, much like the verification condition associated with
pragma Assert (False);
[In other words, the verification conditions introduced for a call to a nonreturning procedure are the same as those introduced for a runtime check which fails unconditionally. See also section Exceptions, where a similar verification rule is imposed on
raise_statements
.]
6.6. Overloading of Operators¶
Legality Rules
- [The declaration and body of a user-defined equality operation on a record
- type shall not have any variable inputs; see Expressions for the statement of this rule.]
6.7. Null Procedures¶
No extensions or restrictions.
6.8. Expression Functions¶
Legality Rules
- Contract_Cases, Global and Depends aspects may be applied to an expression function as for any other function declaration if it does not have a separate declaration. If it has a separate declaration then the aspects are applied to that. It may have refined aspects applied (see State Refinement).
Examples
function Expr_Func_1 (X : Natural; Y : Natural) return Natural is (X + Y)
with Pre => X <= Natural'Last - Y;
6.9. Ghost Entities¶
Ghost entities are intended for use in discharging verification conditions and in making it easier to express assertions about a program. The essential property of ghost entities is that they have no effect on the dynamic behavior of a valid SPARK program. More specifically, if one were to take a valid SPARK program and remove all ghost entity declarations from it and all “innermost” statements, declarations, and pragmas which refer to those declarations (replacing removed statements with null statements when syntactically required), then the resulting program might no longer be a valid SPARK program (e.g., it might no longer be possible to discharge all of the program’s verification conditions) but its dynamic semantics (when viewed as an Ada program) should be unaffected by this transformation. [This transformation might affect the performance characteristics of the program (e.g., due to no longer evaluating provably true assertions), but that is not what we are talking about here. In rare cases, it might be necessary to make a small additional change after the removals (e.g., adding an Elaborate_Body pragma) in order to avoid producing a library package that no longer needs a body (see Ada RM 7.2(4))].
Static Semantics
SPARK 2014 defines the Boolean-valued representation aspect Ghost. Ghost is an aspect of all entities (e.g., subprograms, types, objects). An entity whose Ghost aspect is True is said to be a ghost entity; terms such as “ghost function” or “ghost variable” are defined analogously (e.g., a function whose Ghost aspect is True is said to be a ghost function). In addition, a subcomponent of a ghost object is a ghost object.
Ghost is an assertion aspect. [This means that Ghost can be named in an Assertion_Policy pragma.]
- The Ghost aspect of an entity declared inside of a ghost entity (e.g., within the body of a ghost subprogram) is defined to be True. The Ghost aspect of an entity implicitly declared as part of the explicit declaration of a ghost entity (e.g., an implicitly declared subprogram associated with the declaration of a ghost type) is defined to be True. The Ghost aspect of a child of a ghost library unit is defined to be True.
- A statement or pragma is said to be a “ghost statement” if
- it occurs within a ghost subprogram or package; or
- it is a call to a ghost procedure; or
- it is an assignment statement whose target is a ghost variable; or
- it is a pragma which encloses a name denoting a ghost entity or which specifies an aspect of a ghost entity.
- If the Ghost assertion policy in effect at the point of a ghost statement or the declaration of a ghost entity is Ignore, then the elaboration of that construct (at run time) has no effect, other Ada or SPARK 2014 rules notwithstanding. Similarly, the elaboration of the completion of a ghost entity has no effect if the Ghost assertion policy in effect at the point of the entity’s initial declaration is Ignore. [A Ghost assertion policy of Ignore can be used to ensure that a compiler generates no code for ghost constructs.] Such a declaration is said to be a disabled ghost declaration; terms such as “disabled ghost type” and “disabled ghost subprogram” are defined analogously.
Legality Rules
- The Ghost aspect may only be specified [explicitly] for
the declaration of a subprogram, a
generic subprogram, a type (including a partial view thereof),
an object (or list of objects, in the case of an
aspect_specification
for anobject_declaration
having more than onedefining_identifier
), a package, or a generic package. The Ghost aspect may be specified via either anaspect_specification
or via a pragma. The representation pragma Ghost takes a single argument, a name denoting one or more entities whose Ghost aspect is then specified to be True. [In particular, SPARK 2014 does not currently include any form of ghost components of non-ghost record types, or ghost parameters of non-ghost subprograms. SPARK 2014 does define ghost state abstractions, but these are described elsewhere.]
A Ghost aspect value of False shall not be explicitly specified except in a confirming aspect specification. [For example, a non-ghost declaration cannot occur within a ghost subprogram.]
The value specified for the Ghost assertion policy in an Assertion_Policy pragma shall be either Check or Ignore. [In other words, implementation-defined assertion policy values are not permitted.] The Ghost assertion policy in effect at any point of a SPARK program shall be either Check or Ignore.
- A ghost type or object shall not be effectively volatile. A ghost object shall not be imported or exported. [In other words, no ghost objects for which reading or writing would constitute an external effect (see Ada RM 1.1.3).]
- A ghost primitive subprogram of a non-ghost type extension shall not override an inherited non-ghost primitive subprogram. A non-ghost primitive subprogram of a type extension shall not override an inherited ghost primitive subprogram. [A ghost subprogram may be a primitive subprogram of a non-ghost tagged type. A ghost type extension may have a non-ghost parent type or progenitor; primitive subprograms of such a type may override inherited (ghost or non-ghost) subprograms.]
- A Ghost pragma which applies to a declaration occuring in the visible part of a package shall not occur in the private part of that package. [This rule is to ensure that the ghostliness of a visible entity can be determined without having to look into the private part of the enclosing package.]
- A ghost entity shall only be referenced:
- from within an assertion expression; or
- from within an aspect specification [(i.e., either an
aspect_specification
or an aspect-specifying pragma)]; or - within the declaration or completion of a ghost entity (e.g., from within the body of a ghost subprogram); or
- within a ghost statement; or
- within a
with_clause
oruse_clause
; or - within a renaming_declaration which either renames a ghost entity or occurs within a ghost subprogram or package.
- A ghost entity shall not be referenced within an aspect specification
[(including an aspect-specifying pragma)]
which specifies an aspect of a non-ghost entity except in the
following cases:
- the reference occurs within an assertion expression which is not a predicate expression; or
- the specified aspect is either Global, Depends, Refined_Global, Refined_Depends, Initializes, or Refined_State. [For example, the Global aspect of a non-ghost subprogram might refer to a ghost variable.]
[Predicate expressions are excluded because predicates participate in membership tests; no Assertion_Policy pragma has any effect on this participation. In the case of a Static_Predicate expression, there are also other reasons (e.g., case statements).]
- An out or in out mode actual parameter in a call to a ghost subprogram shall be a ghost variable.
- If the Ghost assertion policy in effect at the point of the declaration of a ghost entity is Ignore, then the Ghost assertion policy in effect at the point of any reference to that entity shall be Ignore. If the Ghost assertion policy in effect at the point of the declaration of a ghost variable is Check, then the Ghost assertion policy in effect at the point of any assignment to a part of that variable shall be Check. [This includes both assignment statements and passing a ghost variable as an out or in out mode actual parameter.]
An Assertion_Policy pragma specifying a Ghost assertion policy shall not occur within a ghost subprogram or package. If a ghost entity has a completion then the Ghost assertion policies in effect at the declaration and at the completion of the entity shall be the same. [This rule applies to subprograms, packages, types, and deferred constants.]
The Ghost assertion policies in effect at the point of the declaration of an entity and at the point of an aspect specification which applies to that entity shall be the same.
- The Ghost assertion policies in effect at the declaration of a state abstraction and at the declaration of each constituent of that abstraction shall be the same.
- The Ghost assertion policies in effect at the declaration of a primitive subprogram of a ghost tagged type and at the declaration of the ghost tagged type shall be the same.
- If a tagged type is not a disabled ghost type, and if a primitive operation of the tagged type overrides an inherited operation, then the corresponding operation of the ancestor type shall be a disabled ghost subprogram if and only if the overriding subprogram is a disabled ghost subprogram.
- If the Ghost assertion policy in effect at the point of an a reference to a Ghost entity which occurs within an assertion expression is Ignore, then the assertion policy which governs the assertion expression (e.g., Pre for a precondition expression, Assert for the argument of an Assert pragma) shall [also] be Ignore.
- A ghost type shall not have a task or protected part. A ghost object shall not be of a type which yields synchronized objects (see section Tasks and Synchronization). A ghost object shall not have a volatile part. A synchronized state abstraction shall not be a ghost state abstraction (see Abstract_State Aspects).
Verification Rules
- A ghost procedure shall not have a non-ghost [global] output.
- An output of a non-ghost subprogram other than a ghost global shall not depend on a ghost input. [It is intended that this follows as a consequence of other rules.]
- A ghost procedure shall not have an effectively volatile global input with the properties Async_Writers or Effective_Reads set to True. [This rule says, in effect, that ghost procedures are subject to the same restrictions as non-ghost nonvolatile functions with respect to reading volatile objects.] A name occurring within a ghost statement shall not denote an effectively volatile object with the properties Async_Writers or Effective_Reads set to True. [In other words, a ghost statement is subject to effectively the same restrictions as a ghost procedure.]
- If the Ghost assertion policy in effect at the point of the declaration of a ghost variable or ghost state abstraction is Check, then the Ghost assertion policy in effect at the point of any call to a procedure for which that variable or state abstraction is a global output shall be Check.
Examples
function A_Ghost_Expr_Function (Lo, Hi : Natural) return Natural is
(if Lo > Integer'Last - Hi then Lo else ((Lo + Hi) / 2))
with Pre => Lo <= Hi,
Post => A_Ghost_Expr_Function'Result in Lo .. Hi,
Ghost;
function A_Ghost_Function (Lo, Hi : Natural) return Natural
with Pre => Lo <= Hi,
Post => A_Ghost_Function'Result in Lo .. Hi,
Ghost;
-- The body of the function is declared elsewhere.
function A_Nonexecutable_Ghost_Function (Lo, Hi : Natural) return Natural
with Pre => Lo <= Hi,
Post => A_Nonexecutable_Ghost_Function'Result in Lo .. Hi,
Ghost,
Import;
-- The body of the function is not declared elsewhere.