[Ada] Refactor ownership pointer checking in SPARK as a generic

Ownership checking as done in SPARK should be applied only to SPARK code, which requires GNATprove knowledge of the SPARK_Mode boundary. Transform the checking unit into a generic to allow passing in the knowledge from GNATprove to that unit in GNAT sources. Keeping the code in GNAT sources makes it possible in the future to adapt it further (or simply instantiate it differently) to be used on Ada code, independently of GNATprove. There is no impact on compilation. 2019-07-11 Claire Dross <dross@adacore.com> gcc/ada/ * gnat1drv.adb: SPARK checking rules for pointer aliasing are moved to GNATprove backend. * sem_spark.ads, sem_spark.adb (Sem_SPARK): Is now a generic unit. Takes as parameters: - Retysp which is used to query the most underlying type visible in SPARK. We do not introduce aliasing checks for types which are not visibly deep. - Component_Is_Visible_In_SPARK is used to avoid doing pointer aliasing checks on components which are not visible in SPARK. - Emit_Messages returns True in the second phase of SPARK analysis. Error messages for failed aliasing checks are only output in this case. Additionally, errors on constructs not supported in SPARK are removed as duplicates of marking errors. Components are stored in the permission map using their original component to avoid inconsistencies between components of different views of the same type. (Check_Expression): Handle delta constraints. (Is_Deep): Exported so that we can check for SPARK restrictions on deep types inside SPARK semantic checkings. (Is_Traversal_Function): Exported so that we can check for SPARK restrictions on traversal functions inside SPARK semantic checkings. (Check_Call_Statement, Read_Indexes): Check wether we are dealing with a subprogram pointer type before querying called entity. (Is_Subpath_Expression): Image attribute can appear inside a path. (Check_Loop_Statement): Correct order of statements in the loop. (Check_Node): Ignore raise nodes. (Check_Statement): Use Last_Non_Pragma to get the object declaration in an extended return statement. From-SVN: r273402

[Ada] Refactor ownership pointer checking in SPARK as a generic
Ownership checking as done in SPARK should be applied only to SPARK code, which requires GNATprove knowledge of the SPARK_Mode boundary. Transform the checking unit into a generic to allow passing in the knowledge from GNATprove to that unit in GNAT sources. Keeping the code in GNAT sources makes it possible in the future to adapt it further (or simply instantiate it differently) to be used on Ada code, independently of GNATprove. There is no impact on compilation. 2019-07-11 Claire Dross <dross@adacore.com> gcc/ada/ * gnat1drv.adb: SPARK checking rules for pointer aliasing are moved to GNATprove backend. * sem_spark.ads, sem_spark.adb (Sem_SPARK): Is now a generic unit. Takes as parameters: - Retysp which is used to query the most underlying type visible in SPARK. We do not introduce aliasing checks for types which are not visibly deep. - Component_Is_Visible_In_SPARK is used to avoid doing pointer aliasing checks on components which are not visible in SPARK. - Emit_Messages returns True in the second phase of SPARK analysis. Error messages for failed aliasing checks are only output in this case. Additionally, errors on constructs not supported in SPARK are removed as duplicates of marking errors. Components are stored in the permission map using their original component to avoid inconsistencies between components of different views of the same type. (Check_Expression): Handle delta constraints. (Is_Deep): Exported so that we can check for SPARK restrictions on deep types inside SPARK semantic checkings. (Is_Traversal_Function): Exported so that we can check for SPARK restrictions on traversal functions inside SPARK semantic checkings. (Check_Call_Statement, Read_Indexes): Check wether we are dealing with a subprogram pointer type before querying called entity. (Is_Subpath_Expression): Image attribute can appear inside a path. (Check_Loop_Statement): Correct order of statements in the loop. (Check_Node): Ignore raise nodes. (Check_Statement): Use Last_Non_Pragma to get the object declaration in an extended return statement. From-SVN: r273402
a8fa1b3d · Claire Dross · Pierre-Marie de Rodat · be04e8ed · a8fa1b3d · a8fa1b3d
Commit a8fa1b3d authored Jul 11, 2019 by Claire Dross Committed by Pierre-Marie de Rodat Jul 11, 2019
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 57 additions and 8 deletions

gcc/ada/ChangeLog
+35 -0

gcc/ada/gnat1drv.adb
+0 -8

gcc/ada/sem_spark.adb
+0 -0

gcc/ada/sem_spark.ads
+22 -0

No files found.
--- a/gcc/ada/ChangeLog
+++ b/gcc/ada/ChangeLog
+2019-07-11  Claire Dross  <dross@adacore.com>
+
+	* gnat1drv.adb: SPARK checking rules for pointer aliasing are
+	moved to GNATprove backend.
+	* sem_spark.ads, sem_spark.adb (Sem_SPARK): Is now a generic
+	unit. Takes as parameters:
+	 - Retysp which is used to query the most underlying type
+	   visible in SPARK. We do not introduce aliasing checks for
+	   types which are not visibly deep.
+	 - Component_Is_Visible_In_SPARK is used to avoid doing pointer
+	   aliasing checks on components which are not visible in SPARK.
+	 - Emit_Messages returns True in the second phase of SPARK
+	   analysis. Error messages for failed aliasing checks are only
+	   output in this case.
+	Additionally, errors on constructs not supported in SPARK are
+	removed as duplicates of marking errors. Components are stored
+	in the permission map using their original component to avoid
+	inconsistencies between components of different views of the
+	same type.
+	(Check_Expression): Handle delta constraints.
+	(Is_Deep): Exported so that we can check for SPARK restrictions
+	on deep types inside SPARK semantic checkings.
+	(Is_Traversal_Function): Exported so that we can check for SPARK
+	restrictions on traversal functions inside SPARK semantic
+	checkings.
+	(Check_Call_Statement, Read_Indexes): Check wether we are
+	dealing with a subprogram pointer type before querying called
+	entity.
+	(Is_Subpath_Expression): Image attribute can appear inside a
+	path.
+	(Check_Loop_Statement): Correct order of statements in the loop.
+	(Check_Node): Ignore raise nodes.
+	(Check_Statement): Use Last_Non_Pragma to get the object
+	declaration in an extended return statement.
+
 2019-07-11  Patrick Bernardi  <bernardi@adacore.com>

 	* bindgen.adb (Gen_Main): Do not generate a reference to

--- a/gcc/ada/gnat1drv.adb
+++ b/gcc/ada/gnat1drv.adb
@@ -63,7 +63,6 @@ with Sem_Ch13;
 with Sem_Elim;
 with Sem_Eval;
 with Sem_Prag;
-with Sem_SPARK; use Sem_SPARK;
 with Sem_Type;
 with Set_Targ;
 with Sinfo;     use Sinfo;
@@ -1586,13 +1585,6 @@ begin

      if GNATprove_Mode then

-         --  Perform the new SPARK checking rules for pointer aliasing. This is
-         --  only activated in GNATprove mode and on SPARK code.
-
-         if Debug_Flag_FF then
-            Check_Safe_Pointers (Main_Unit_Node);
-         end if;
-
         --  In GNATprove mode we're writing the ALI much earlier than usual
         --  as flow analysis needs the file present in order to append its
         --  own globals to it.

--- a/gcc/ada/sem_spark.adb
+++ b/gcc/ada/sem_spark.adb
--- a/gcc/ada/sem_spark.ads
+++ b/gcc/ada/sem_spark.ads
@@ -132,12 +132,34 @@
 --  get read-write permission, which can be specified using the node's
 --  Children_Permission field.

+--  The implementation is done as a generic, so that GNATprove can instantiate
+--  it with suitable formal arguments that depend on the SPARK_Mode boundary
+--  as well as the two-phase architecture of GNATprove (which runs the GNAT
+--  front end twice, once for global generation and once for analysis).
+
 with Types; use Types;

+generic
+   with function Retysp (X : Entity_Id) return Entity_Id;
+   --  Return the representative type in SPARK for a type.
+
+   with function Component_Is_Visible_In_SPARK (C : Entity_Id) return Boolean;
+   --  Return whether a component is visible in SPARK. No aliasing check is
+   --  performed for a component that is visible.
+
+   with function Emit_Messages return Boolean;
+   --  Return True when error messages should be emitted.
+
 package Sem_SPARK is

   procedure Check_Safe_Pointers (N : Node_Id);
   --  The entry point of this package. It analyzes a node and reports errors
   --  when there are violations of ownership rules.

+   function Is_Deep (Typ : Entity_Id) return Boolean;
+   --  A function that can tell whether a type is deep. Returns True if the
+   --  type passed as argument is deep.
+
+   function Is_Traversal_Function (E : Entity_Id) return Boolean;
+
 end Sem_SPARK;