3. Standard and Implementation Defined Restrictions
All RM defined Restriction identifiers are implemented:
- language-defined restrictions (see 13.12.1)
- tasking restrictions (see D.7)
- high integrity restrictions (see H.4)
GNAT implements additional restriction identifiers. All restrictions, whether
language defined or GNAT-specific, are listed in the following.
3.1 Partition-Wide Restrictions
There are two separate lists of restriction identifiers. The first
set requires consistency throughout a partition (in other words, if the
restriction identifier is used for any compilation unit in the partition,
then all compilation units in the partition must obey the restriction).
Immediate_Reclamation
[RM H.4] This restriction ensures that, except for storage occupied by
objects created by allocators and not deallocated via unchecked
deallocation, any storage reserved at run time for an object is
immediately reclaimed when the object no longer exists.
Max_Asynchronous_Select_Nesting
[RM D.7] Specifies the maximum dynamic nesting level of asynchronous
selects. Violations of this restriction with a value of zero are
detected at compile time. Violations of this restriction with values
other than zero cause Storage_Error to be raised.
Max_Entry_Queue_Length
[RM D.7] This restriction is a declaration that any protected entry compiled in
the scope of the restriction has at most the specified number of
tasks waiting on the entry at any one time, and so no queue is required.
Note that this restriction is checked at run time. Violation of this
restriction results in the raising of Program_Error exception at the point of
the call.
Max_Protected_Entries
[RM D.7] Specifies the maximum number of entries per protected type. The
bounds of every entry family of a protected unit shall be static, or shall be
defined by a discriminant of a subtype whose corresponding bound is static.
Max_Select_Alternatives
[RM D.7] Specifies the maximum number of alternatives in a selective accept.
Max_Storage_At_Blocking
[RM D.7] Specifies the maximum portion (in storage elements) of a task's
Storage_Size that can be retained by a blocked task. A violation of this
restriction causes Storage_Error to be raised.
Max_Task_Entries
[RM D.7] Specifies the maximum number of entries
per task. The bounds of every entry family
of a task unit shall be static, or shall be
defined by a discriminant of a subtype whose
corresponding bound is static.
Max_Tasks
[RM D.7] Specifies the maximum number of task that may be created, not
counting the creation of the environment task. Violations of this
restriction with a value of zero are detected at compile
time. Violations of this restriction with values other than zero cause
Storage_Error to be raised.
No_Abort_Statements
[RM D.7] There are no abort_statements, and there are
no calls to Task_Identification.Abort_Task.
No_Access_Parameter_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator as the actual parameter to an access
parameter.
No_Access_Subprograms
[RM H.4] This restriction ensures at compile time that there are no
declarations of access-to-subprogram types.
No_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator.
No_Anonymous_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator of anonymous access type.
No_Calendar
[GNAT] This restriction ensures at compile time that there is no implicit or
explicit dependence on the package Ada.Calendar.
No_Coextensions
[RM H.4] This restriction ensures at compile time that there are no
coextensions. See 3.10.2.
No_Default_Initialization
[GNAT] This restriction prohibits any instance of default initialization
of variables. The binder implements a consistency rule which prevents
any unit compiled without the restriction from with'ing a unit with the
restriction (this allows the generation of initialization procedures to
be skipped, since you can be sure that no call is ever generated to an
initialization procedure in a unit with the restriction active). If used
in conjunction with Initialize_Scalars or Normalize_Scalars, the effect
is to prohibit all cases of variables declared without a specific
initializer (including the case of OUT scalar parameters).
No_Delay
[RM H.4] This restriction ensures at compile time that there are no
delay statements and no dependences on package Calendar.
No_Dependence
[RM 13.12.1] This restriction checks at compile time that there are no
dependence on a library unit.
No_Direct_Boolean_Operators
[GNAT] This restriction ensures that no logical (and/or/xor) are used on
operands of type Boolean (or any type derived
from Boolean). This is intended for use in safety critical programs
where the certification protocol requires the use of short-circuit
(and then, or else) forms for all composite boolean operations.
No_Dispatch
[RM H.4] This restriction ensures at compile time that there are no
occurrences of T'Class, for any (tagged) subtype T.
No_Dispatching_Calls
[GNAT] This restriction ensures at compile time that the code generated by the
compiler involves no dispatching calls. The use of this restriction allows the
safe use of record extensions, classwide membership tests and other classwide
features not involving implicit dispatching. This restriction ensures that
the code contains no indirect calls through a dispatching mechanism. Note that
this includes internally-generated calls created by the compiler, for example
in the implementation of class-wide objects assignments. The
membership test is allowed in the presence of this restriction, because its
implementation requires no dispatching.
This restriction is comparable to the official Ada restriction
No_Dispatch except that it is a bit less restrictive in that it allows
all classwide constructs that do not imply dispatching.
The following example indicates constructs that violate this restriction.
| | package Pkg is
type T is tagged record
Data : Natural;
end record;
procedure P (X : T);
type DT is new T with record
More_Data : Natural;
end record;
procedure Q (X : DT);
end Pkg;
with Pkg; use Pkg;
procedure Example is
procedure Test (O : T'Class) is
N : Natural := O'Size;-- Error: Dispatching call
C : T'Class := O; -- Error: implicit Dispatching Call
begin
if O in DT'Class then -- OK : Membership test
Q (DT (O)); -- OK : Type conversion plus direct call
else
P (O); -- Error: Dispatching call
end if;
end Test;
Obj : DT;
begin
P (Obj); -- OK : Direct call
P (T (Obj)); -- OK : Type conversion plus direct call
P (T'Class (Obj)); -- Error: Dispatching call
Test (Obj); -- OK : Type conversion
if Obj in T'Class then -- OK : Membership test
null;
end if;
end Example;
|
No_Dynamic_Attachment
[RM D.7] This restriction ensures that there is no call to any of the
operations defined in package Ada.Interrupts
(Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler,
Detach_Handler, and Reference).
No_Dynamic_Priorities
[RM D.7] There are no semantic dependencies on the package Dynamic_Priorities.
No_Entry_Calls_In_Elaboration_Code
[GNAT] This restriction ensures at compile time that no task or protected entry
calls are made during elaboration code. As a result of the use of this
restriction, the compiler can assume that no code past an accept statement
in a task can be executed at elaboration time.
No_Enumeration_Maps
[GNAT] This restriction ensures at compile time that no operations requiring
enumeration maps are used (that is Image and Value attributes applied
to enumeration types).
No_Exception_Handlers
[GNAT] This restriction ensures at compile time that there are no explicit
exception handlers. It also indicates that no exception propagation will
be provided. In this mode, exceptions may be raised but will result in
an immediate call to the last chance handler, a routine that the user
must define with the following profile:
| | procedure Last_Chance_Handler
(Source_Location : System.Address; Line : Integer);
pragma Export (C, Last_Chance_Handler,
"__gnat_last_chance_handler");
|
The parameter is a C null-terminated string representing a message to be
associated with the exception (typically the source location of the raise
statement generated by the compiler). The Line parameter when nonzero
represents the line number in the source program where the raise occurs.
No_Exception_Propagation
[GNAT] This restriction guarantees that exceptions are never propagated
to an outer subprogram scope. The only case in which an exception may
be raised is when the handler is statically in the same subprogram, so
that the effect of a raise is essentially like a goto statement. Any
other raise statement (implicit or explicit) will be considered
unhandled. Exception handlers are allowed, but may not contain an
exception occurrence identifier (exception choice). In addition, use of
the package GNAT.Current_Exception is not permitted, and reraise
statements (raise with no operand) are not permitted.
No_Exception_Registration
[GNAT] This restriction ensures at compile time that no stream operations for
types Exception_Id or Exception_Occurrence are used. This also makes it
impossible to pass exceptions to or from a partition with this restriction
in a distributed environment. If this exception is active, then the generated
code is simplified by omitting the otherwise-required global registration
of exceptions when they are declared.
No_Exceptions
[RM H.4] This restriction ensures at compile time that there are no
raise statements and no exception handlers.
No_Finalization
[GNAT] This restriction disables the language features described in
chapter 7.6 of the Ada 2005 RM as well as all form of code generation
performed by the compiler to support these features. The following types
are no longer considered controlled when this restriction is in effect:
-
Ada.Finalization.Controlled
-
Ada.Finalization.Limited_Controlled
-
Derivations from
Controlled or Limited_Controlled
-
Class-wide types
-
Protected types
-
Task types
-
Array and record types with controlled components
The compiler no longer generates code to initialize, finalize or adjust an
object or a nested component, either declared on the stack or on the heap. The
deallocation of a controlled object no longer finalizes its contents.
No_Fixed_Point
[RM H.4] This restriction ensures at compile time that there are no
occurrences of fixed point types and operations.
No_Floating_Point
[RM H.4] This restriction ensures at compile time that there are no
occurrences of floating point types and operations.
No_Implicit_Conditionals
[GNAT] This restriction ensures that the generated code does not contain any
implicit conditionals, either by modifying the generated code where possible,
or by rejecting any construct that would otherwise generate an implicit
conditional. Note that this check does not include run time constraint
checks, which on some targets may generate implicit conditionals as
well. To control the latter, constraint checks can be suppressed in the
normal manner. Constructs generating implicit conditionals include comparisons
of composite objects and the Max/Min attributes.
No_Implicit_Dynamic_Code
[GNAT] This restriction prevents the compiler from building "trampolines".
This is a structure that is built on the stack and contains dynamic
code to be executed at run time. On some targets, a trampoline is
built for the following features: Access,
Unrestricted_Access, or Address of a nested subprogram;
nested task bodies; primitive operations of nested tagged types.
Trampolines do not work on machines that prevent execution of stack
data. For example, on windows systems, enabling DEP (data execution
protection) will cause trampolines to raise an exception.
Trampolines are also quite slow at run time.
On many targets, trampolines have been largely eliminated. Look at the
version of system.ads for your target -- if it has
Always_Compatible_Rep equal to False, then trampolines are largely
eliminated. In particular, a trampoline is built for the following
features: Address of a nested subprogram;
Access or Unrestricted_Access of a nested subprogram,
but only if pragma Favor_Top_Level applies, or the access type has a
foreign-language convention; primitive operations of nested tagged
types.
No_Implicit_Heap_Allocations
[RM D.7] No constructs are allowed to cause implicit heap allocation.
No_Implicit_Loops
[GNAT] This restriction ensures that the generated code does not contain any
implicit for loops, either by modifying
the generated code where possible,
or by rejecting any construct that would otherwise generate an implicit
for loop. If this restriction is active, it is possible to build
large array aggregates with all static components without generating an
intermediate temporary, and without generating a loop to initialize individual
components. Otherwise, a loop is created for arrays larger than about 5000
scalar components.
No_Initialize_Scalars
[GNAT] This restriction ensures that no unit in the partition is compiled with
pragma Initialize_Scalars. This allows the generation of more efficient
code, and in particular eliminates dummy null initialization routines that
are otherwise generated for some record and array types.
No_IO
[RM H.4] This restriction ensures at compile time that there are no
dependences on any of the library units Sequential_IO, Direct_IO,
Text_IO, Wide_Text_IO, Wide_Wide_Text_IO, or Stream_IO.
No_Local_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator in subprograms, generic subprograms, tasks,
and entry bodies.
No_Local_Protected_Objects
[RM D.7] This restriction ensures at compile time that protected objects are
only declared at the library level.
No_Local_Timing_Events
[RM D.7] All objects of type Ada.Timing_Events.Timing_Event are
declared at the library level.
No_Nested_Finalization
[RM D.7] All objects requiring finalization are declared at the library level.
No_Protected_Type_Allocators
[RM D.7] This restriction ensures at compile time that there are no allocator
expressions that attempt to allocate protected objects.
No_Protected_Types
[RM H.4] This restriction ensures at compile time that there are no
declarations of protected types or protected objects.
No_Recursion
[RM H.4] A program execution is erroneous if a subprogram is invoked as
part of its execution.
No_Reentrancy
[RM H.4] A program execution is erroneous if a subprogram is executed by
two tasks at the same time.
No_Relative_Delay
[RM D.7] This restriction ensures at compile time that there are no delay
relative statements and prevents expressions such as delay 1.23; from
appearing in source code.
No_Requeue_Statements
[RM D.7] This restriction ensures at compile time that no requeue statements
are permitted and prevents keyword requeue from being used in source
code.
No_Secondary_Stack
[GNAT] This restriction ensures at compile time that the generated code
does not contain any reference to the secondary stack. The secondary
stack is used to implement functions returning unconstrained objects
(arrays or records) on some targets.
No_Select_Statements
[RM D.7] This restriction ensures at compile time no select statements of any
kind are permitted, that is the keyword select may not appear.
No_Specific_Termination_Handlers
[RM D.7] There are no calls to Ada.Task_Termination.Set_Specific_Handler
or to Ada.Task_Termination.Specific_Handler.
No_Specification_of_Aspect
[RM 13.12.1] This restriction checks at compile time that no aspect
specification, attribute definition clause, or pragma is given for a
given aspect.
No_Standard_Allocators_After_Elaboration
[RM D.7] Specifies that an allocator using a standard storage pool
should never be evaluated at run time after the elaboration of the
library items of the partition has completed. Otherwise, Storage_Error
is raised.
No_Standard_Storage_Pools
[GNAT] This restriction ensures at compile time that no access types
use the standard default storage pool. Any access type declared must
have an explicit Storage_Pool attribute defined specifying a
user-defined storage pool.
No_Stream_Optimizations
[GNAT] This restriction affects the performance of stream operations on types
String, Wide_String and Wide_Wide_String. By default, the
compiler uses block reads and writes when manipulating String objects
due to their supperior performance. When this restriction is in effect, the
compiler performs all IO operations on a per-character basis.
No_Streams
[GNAT] This restriction ensures at compile/bind time that there are no
stream objects created and no use of stream attributes.
This restriction does not forbid dependences on the package
Ada.Streams. So it is permissible to with
Ada.Streams (or another package that does so itself)
as long as no actual stream objects are created and no
stream attributes are used.
Note that the use of restriction allows optimization of tagged types,
since they do not need to worry about dispatching stream operations.
To take maximum advantage of this space-saving optimization, any
unit declaring a tagged type should be compiled with the restriction,
though this is not required.
No_Task_Allocators
[RM D.7] There are no allocators for task types
or types containing task subcomponents.
No_Task_Attributes_Package
[GNAT] This restriction ensures at compile time that there are no implicit or
explicit dependencies on the package Ada.Task_Attributes.
No_Task_Hierarchy
[RM D.7] All (non-environment) tasks depend
directly on the environment task of the partition.
No_Task_Termination
[RM D.7] Tasks which terminate are erroneous.
No_Tasking
[GNAT] This restriction prevents the declaration of tasks or task types
throughout the partition. It is similar in effect to the use of
Max_Tasks => 0 except that violations are caught at compile time
and cause an error message to be output either by the compiler or
binder.
No_Terminate_Alternatives
[RM D.7] There are no selective accepts with terminate alternatives.
No_Unchecked_Access
[RM H.4] This restriction ensures at compile time that there are no
occurrences of the Unchecked_Access attribute.
Simple_Barriers
[RM D.7] This restriction ensures at compile time that barriers in entry
declarations for protected types are restricted to either static boolean
expressions or references to simple boolean variables defined in the private
part of the protected type. No other form of entry barriers is permitted.
Static_Priorities
[GNAT] This restriction ensures at compile time that all priority expressions
are static, and that there are no dependences on the package
Ada.Dynamic_Priorities.
Static_Storage_Size
[GNAT] This restriction ensures at compile time that any expression appearing
in a Storage_Size pragma or attribute definition clause is static.
3.2 Program Unit Level Restrictions
The second set of restriction identifiers
does not require partition-wide consistency.
The restriction may be enforced for a single
compilation unit without any effect on any of the
other compilation units in the partition.
No_Elaboration_Code
[GNAT] This restriction ensures at compile time that no elaboration code is
generated. Note that this is not the same condition as is enforced
by pragma Preelaborate. There are cases in which pragma
Preelaborate still permits code to be generated (e.g. code
to initialize a large array to all zeroes), and there are cases of units
which do not meet the requirements for pragma Preelaborate,
but for which no elaboration code is generated. Generally, it is
the case that preelaborable units will meet the restrictions, with
the exception of large aggregates initialized with an others_clause,
and exception declarations (which generate calls to a run-time
registry procedure). This restriction is enforced on
a unit by unit basis, it need not be obeyed consistently
throughout a partition.
In the case of aggregates with others, if the aggregate has a dynamic
size, there is no way to eliminate the elaboration code (such dynamic
bounds would be incompatible with Preelaborate in any case). If
the bounds are static, then use of this restriction actually modifies
the code choice of the compiler to avoid generating a loop, and instead
generate the aggregate statically if possible, no matter how many times
the data for the others clause must be repeatedly generated.
It is not possible to precisely document
the constructs which are compatible with this restriction, since,
unlike most other restrictions, this is not a restriction on the
source code, but a restriction on the generated object code. For
example, if the source contains a declaration:
| | Val : constant Integer := X;
|
where X is not a static constant, it may be possible, depending
on complex optimization circuitry, for the compiler to figure
out the value of X at compile time, in which case this initialization
can be done by the loader, and requires no initialization code. It
is not possible to document the precise conditions under which the
optimizer can figure this out.
Note that this the implementation of this restriction requires full
code generation. If it is used in conjunction with "semantics only"
checking, then some cases of violations may be missed.
No_Entry_Queue
[GNAT] This restriction is a declaration that any protected entry compiled in
the scope of the restriction has at most one task waiting on the entry
at any one time, and so no queue is required. This restriction is not
checked at compile time. A program execution is erroneous if an attempt
is made to queue a second task on such an entry.
No_Implementation_Aspect_Specifications
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined aspects are present. With this restriction, the only
aspects that can be used are those defined in the Ada Reference Manual.
No_Implementation_Attributes
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined attributes are present. With this restriction, the only
attributes that can be used are those defined in the Ada Reference
Manual.
No_Implementation_Identifiers
[RM 13.12.1] This restriction checks at compile time that no
implementation-defined identifiers occur within language-defined
packages.
No_Implementation_Pragmas
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined pragmas are present. With this restriction, the only
pragmas that can be used are those defined in the Ada Reference Manual.
No_Implementation_Restrictions
[GNAT] This restriction checks at compile time that no GNAT-defined restriction
identifiers (other than No_Implementation_Restrictions itself)
are present. With this restriction, the only other restriction identifiers
that can be used are those defined in the Ada Reference Manual.
No_Implementation_Units
[RM 13.12.1] This restriction checks at compile time that there is no
mention in the context clause of any implementation-defined descendants
of packages Ada, Interfaces, or System.
No_Implicit_Aliasing
[GNAT] This restriction, which is not required to be partition-wide consistent,
requires an explicit aliased keyword for an object to which 'Access,
'Unchecked_Access, or 'Address is applied, and forbids entirely the use of
the 'Unrestricted_Access attribute for objects. Note: the reason that
Unrestricted_Access is forbidden is that it would require the prefix
to be aliased, and in such cases, it can always be replaced by
the standard attribute Unchecked_Access which is preferable.
No_Obsolescent_Features
[RM 13.12.1] This restriction checks at compile time that no obsolescent
features are used, as defined in Annex J of the Ada Reference Manual.
No_Wide_Characters
[GNAT] This restriction ensures at compile time that no uses of the types
Wide_Character or Wide_String or corresponding wide
wide types
appear, and that no wide or wide wide string or character literals
appear in the program (that is literals representing characters not in
type Character.
SPARK
[GNAT] This restriction checks at compile time that some constructs
forbidden in SPARK are not present. The SPARK version used as a
reference is the same as the Ada mode for the unit, so a unit compiled
in Ada 95 mode with SPARK restrictions will be checked for constructs
forbidden in SPARK 95. Error messages related to SPARK restriction have
the form:
| | violation of restriction "SPARK" at <file>
<error message>
|
This is not a replacement for the semantic checks performed by the
SPARK Examiner tool, as the compiler only deals currently with code,
not at all with SPARK annotations and does not guarantee catching all
cases of constructs forbidden by SPARK.
Thus it may well be the case that code which
passes the compiler in SPARK mode is rejected by the SPARK Examiner,
e.g. due to the different visibility rules of the Examiner based on
SPARK inherit annotations.
This restriction can be useful in providing an initial filter for
code developed using SPARK, or in examining legacy code to see how far
it is from meeting SPARK restrictions.
This document was generated
by GNAT Mailserver on May, 10 2012
using texi2html