Re: Issue with GNAT GPL 2009 and GtkAda

[Robert A Duff <bobduff@shell01.TheWorld.com>]

Stephen Leake <stephen_leake@stephe-leake.org> writes:

> Robert A Duff <bobduff@shell01.TheWorld.com> writes:
>>     type T_Ref is access all T;
>>     Global : T_Ref;
>>
>>     procedure P (X : in out T) is -- Suppose T is tagged.
>>     begin
>>         Global := X'Access; -- Illegal!
>>     end P;
>>
>>     procedure Q (...) is
>>         Local : aliased T;
>>     begin
>>         P (Local);
>>     end Q;
>>
>> After calling Q, Global is a dangling pointer.  The language design rule
>> is:  If you do anything that _might_ create a dangling pointer, you
>> have to use 'Unchecked_Access (and take care).
>
> But if X was actually a global object, 'Access would be ok; I thought
> the run-time accessibility checks would handle that case for tagged
> types.
>
> But apparently accessibility information is only passed with access
> parameters (either 'access', or 'in [out]' of an access type).

Right.  Access parameters (anonymous access types only!) get the extra
info, other parameters, and regular objects and so on do not.

> This is my key mis-understanding. If 'in out' parameters of tagged types
> carried accessibility information that could be checked at runtime,
> the above example would be ok.

Yes.

> I'm not clear why you say that is the "wrong direction".

Because I think it was a mistake to use dynamic accessibility
for access parameters.  For the usual reasons:  Catching
errors sooner is better than later.  Especially when "later"
means "by the customer".  Run-time checks are inefficient.

Run-time checks give more flexibility, usually.  But in this
case, I don't find that important.  When using access parameters,
it's (almost?) always the case that either:

    1. The callee expects to store the pointer in a global,
       so the caller needs to pass a pointer to a global.

    2. The caller can pass pointers to local objects,
       so the callee had better not store the pointer in a global.

And this distinction is known when writing the code.
You don't see code like:

    if (the thing is pointing to a global) then
        Store it globally;
    else
        Do something else;
    end if;

Unfortunately, this distinction is not visible in the spec.
How is the caller supposed to know whether it's OK
to pass a pointer to local?  You have to look at the
body of the callee, or trust in comments.

I also don't like the fact that anonymity causes all kinds of magic.
It's confusing.  I think:

    type T is <some stuff>;
    X : T;

and

    X : <some stuff>;

ought to mean the same thing (whether X is a parameter,
or something else).

- Bob