Did I find a bug here?

Did I find a bug here?

[reinert]

Assume this simple program:

procedure test0 is
  type A_Type is (A,B,C);
  subtype A_sub_Type is A_Type with Static_Predicate => A_sub_Type in A | B;
  X : A_type      := A;
  Y : A_sub_Type  := A;
begin
  case A_sub_Type(X) is
    when A => null;
    when B => null;
    when others => null;  -- ???? Should the compiler complain here?
  end case;
end test0;

Should the compiler complain about "when others => null" ? My compiler does not (running debian 10 updated, gnat-8).

reinert

Did I find a bug here?

[reinert]

Assume this simple program:

procedure test0 is
  type ABC_Type is (A,B,C);
  subtype AB_Type is ABC_Type with Static_Predicate => AB_Type in A | B;
  X : ABC_type    := A;
begin
-- alternative 1:  
case AB_Type(X) is
    when A => null;
    when B => null;
    when others => null; -- ??? should the compiler complain here?
  end case;
--alternative 2:
  case AB_Type(X) is
    when A => null;
    when B => null;
  end case;
end test0;

Should the compiler complain about "when others => null" here?
My compiler does not (running debian 10, updated, gnat-8).
I find it strange that both alternatives goes through.

reinert

Re: Did I find a bug here?

[J-P. Rosen]

Le 02/04/2021 à 08:30, reinert a écrit :
> Assume this simple program:
> 
> procedure test0 is
>    type ABC_Type is (A,B,C);
>    subtype AB_Type is ABC_Type with Static_Predicate => AB_Type in A | B;
>    X : ABC_type    := A;
> begin
> -- alternative 1:
> case AB_Type(X) is
>      when A => null;
>      when B => null;
>      when others => null; -- ??? should the compiler complain here?
>    end case;
> --alternative 2:
>    case AB_Type(X) is
>      when A => null;
>      when B => null;
>    end case;
> end test0;
> 
> Should the compiler complain about "when others => null" here?
> My compiler does not (running debian 10, updated, gnat-8).
> I find it strange that both alternatives goes through.
> 
A case statement is allowed to have alternatives that cover no value. A 
friendly compiler can warn you that "this branch covers no value", but 
what you wrote is not illegal (and sometimes useful, if you have 
variants of your software that use slightly different definitions of the 
type).

-- 
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
Tel: +33 1 45 29 21 52, Fax: +33 1 45 29 25 00
http://www.adalog.fr

Re: Did I find a bug here?

[Niklas Holsti]

On 2021-04-02 10:30, J-P. Rosen wrote:
> Le 02/04/2021 à 08:30, reinert a écrit :
>> Assume this simple program:
>>
>> procedure test0 is
>>    type ABC_Type is (A,B,C);
>>    subtype AB_Type is ABC_Type with Static_Predicate => AB_Type in A | B;
>>    X : ABC_type    := A;
>> begin
>> -- alternative 1:
>> case AB_Type(X) is
>>      when A => null;
>>      when B => null;
>>      when others => null; -- ??? should the compiler complain here?
>>    end case;
>> --alternative 2:
>>    case AB_Type(X) is
>>      when A => null;
>>      when B => null;
>>    end case;
>> end test0;
>>
>> Should the compiler complain about "when others => null" here?
>> My compiler does not (running debian 10, updated, gnat-8).
>> I find it strange that both alternatives goes through.
>>
> A case statement is allowed to have alternatives that cover no value. A 
> friendly compiler can warn you that "this branch covers no value", but 
> what you wrote is not illegal (and sometimes useful, if you have 
> variants of your software that use slightly different definitions of the 
> type).


Recent discussion in ISO SC22 WG9, about the Ada part of the ISO 
"programming language vulnerabilities" document, brought out that if the 
selecting expression (here AB_Type(X)) in a case statement or case 
expression has an invalid representation (for example, is an 
uninitialized variable with an out-of-range value), an Ada compiler is 
required to raise Constraint_Error if there is no "others" alternative, 
but if there is an "others" alternative the compiler can instead let 
execution proceed to that alternative without raising Constraint_Error.

In effect, "others" can cover all values, even those that are outside 
the nominal subtype of the selecting expression. See RM 5.4(12) and 5.4(13).

So if the programmer is worried about such cases (invalid 
representations from uninitialized variables or other causes such as 
Unchecked_Conversion), they can add an apparently unnecessary "others" 
alternative even if the other alternatives already cover all valid 
values. However, note that the compiler may choose to raise 
Constraint_Error even if there is an "others" alternative; RM 5.4 
(10.d). To avoid that uncertainty, the program can perform an explicit 
'Valid check before the case statement.

Re: Did I find a bug here?

[reinert]

.....snip...
> values. However, note that the compiler may choose to raise 
> Constraint_Error even if there is an "others" alternative; RM 5.4 
> (10.d). To avoid that uncertainty, the program can perform an explicit 
> 'Valid check before the case statement.

Could AB_Type(X) in "case AB_Type(X) is" function as such a valid check?

I try as much as possible to avoid "others" to make the compiler point 
out or to remind  (in my large programs) where to add (or check for) possible 
alternatives in case I extend  the value range of a variable. Then it may happen 
I need to put in for example something like "when A | B | C => null;" instead of "others".

reinert

Re: Did I find a bug here?

[J-P. Rosen]

Le 03/04/2021 à 07:46, reinert a écrit :
> Could AB_Type(X) in "case AB_Type(X) is" function as such a valid check?
Yes, but I recommend "case AB_Type'(X) is", i.e. a qualification rather 
than a conversion.

For the record:
A conversion carries the message: Take a value of type A and get the 
corresponding value from type B.

A qualification carries the message: I assume that the value belongs to 
(sub)type A.

-- 
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
Tel: +33 1 45 29 21 52, Fax: +33 1 45 29 25 00
http://www.adalog.fr

Re: Did I find a bug here?

[Niklas Holsti]

On 2021-04-03 9:41, J-P. Rosen wrote:
> Le 03/04/2021 à 07:46, reinert a écrit :
>> Could AB_Type(X) in "case AB_Type(X) is" function as such a valid check?
> Yes, 


I believe not. The use of X as an argument to a type conversion is an 
"evaluation" of X, by RM 4.6(28), which can be a bounded error by RM 
13.9.1(9) if X'Valid is False.

That bounded error can lead to an exception or simply to continued 
execution with the invalid value.


> but I recommend "case AB_Type'(X) is", i.e. a qualification rather 
> than a conversion.


That also requires an evaluation of X, by RM 4.7(4), and again can be a 
bounded error if X'Valid is False.

The use of X in X'Valid is explicitly defined to mean that X is "read" 
but is not "evaluated", RM 13.9.2(12)(13). So it seems to be the only 
safe way to check for validity.

Re: Did I find a bug here?

[J-P. Rosen]

Le 03/04/2021 à 10:18, Niklas Holsti a écrit :
> On 2021-04-03 9:41, J-P. Rosen wrote:
>> Le 03/04/2021 à 07:46, reinert a écrit :
>>> Could AB_Type(X) in "case AB_Type(X) is" function as such a valid check?
>> Yes, 
> 
> 
> I believe not. The use of X as an argument to a type conversion is an 
> "evaluation" of X, by RM 4.6(28), which can be a bounded error by RM 
> 13.9.1(9) if X'Valid is False.
> 
> That bounded error can lead to an exception or simply to continued 
> execution with the invalid value.
> 
Hmm, yes. I was thinking about eliminating "when others" because the 
intended range was covered. If you want to check for invalid values, 
'Valid is the only way to go (that's why it was added to the language!)

-- 
J-P. Rosen
Adalog
2 rue du Docteur Lombard, 92441 Issy-les-Moulineaux CEDEX
Tel: +33 1 45 29 21 52, Fax: +33 1 45 29 25 00
http://www.adalog.fr