blob: c5cabb98af4bf8e45c48c670c6572e2145a98128 [file] [log] [blame]
.. _Standard_and_Implementation_Defined_Restrictions:
************************************************
Standard and Implementation Defined Restrictions
************************************************
All Ada Reference Manual-defined Restriction identifiers are implemented:
* language-defined restrictions (see 13.12.1)
* tasking restrictions (see D.7)
* high integrity restrictions (see H.4)
GNAT implements additional restriction identifiers. All restrictions, whether
language defined or GNAT-specific, are listed in the following.
.. _Partition-Wide_Restrictions:
Partition-Wide Restrictions
===========================
There are two separate lists of restriction identifiers. The first
set requires consistency throughout a partition (in other words, if the
restriction identifier is used for any compilation unit in the partition,
then all compilation units in the partition must obey the restriction).
Immediate_Reclamation
---------------------
.. index:: Immediate_Reclamation
[RM H.4] This restriction ensures that, except for storage occupied by
objects created by allocators and not deallocated via unchecked
deallocation, any storage reserved at run time for an object is
immediately reclaimed when the object no longer exists.
Max_Asynchronous_Select_Nesting
-------------------------------
.. index:: Max_Asynchronous_Select_Nesting
[RM D.7] Specifies the maximum dynamic nesting level of asynchronous
selects. Violations of this restriction with a value of zero are
detected at compile time. Violations of this restriction with values
other than zero cause Storage_Error to be raised.
Max_Entry_Queue_Length
----------------------
.. index:: Max_Entry_Queue_Length
[RM D.7] This restriction is a declaration that any protected entry compiled in
the scope of the restriction has at most the specified number of
tasks waiting on the entry at any one time, and so no queue is required.
Note that this restriction is checked at run time. Violation of this
restriction results in the raising of Program_Error exception at the point of
the call.
.. index:: Max_Entry_Queue_Depth
The restriction `Max_Entry_Queue_Depth` is recognized as a
synonym for `Max_Entry_Queue_Length`. This is retained for historical
compatibility purposes (and a warning will be generated for its use if
warnings on obsolescent features are activated).
Max_Protected_Entries
---------------------
.. index:: Max_Protected_Entries
[RM D.7] Specifies the maximum number of entries per protected type. The
bounds of every entry family of a protected unit shall be static, or shall be
defined by a discriminant of a subtype whose corresponding bound is static.
Max_Select_Alternatives
-----------------------
.. index:: Max_Select_Alternatives
[RM D.7] Specifies the maximum number of alternatives in a selective accept.
Max_Storage_At_Blocking
-----------------------
.. index:: Max_Storage_At_Blocking
[RM D.7] Specifies the maximum portion (in storage elements) of a task's
Storage_Size that can be retained by a blocked task. A violation of this
restriction causes Storage_Error to be raised.
Max_Task_Entries
----------------
.. index:: Max_Task_Entries
[RM D.7] Specifies the maximum number of entries
per task. The bounds of every entry family
of a task unit shall be static, or shall be
defined by a discriminant of a subtype whose
corresponding bound is static.
Max_Tasks
---------
.. index:: Max_Tasks
[RM D.7] Specifies the maximum number of task that may be created, not
counting the creation of the environment task. Violations of this
restriction with a value of zero are detected at compile
time. Violations of this restriction with values other than zero cause
Storage_Error to be raised.
No_Abort_Statements
-------------------
.. index:: No_Abort_Statements
[RM D.7] There are no abort_statements, and there are
no calls to Task_Identification.Abort_Task.
No_Access_Parameter_Allocators
------------------------------
.. index:: No_Access_Parameter_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator as the actual parameter to an access
parameter.
No_Access_Subprograms
---------------------
.. index:: No_Access_Subprograms
[RM H.4] This restriction ensures at compile time that there are no
declarations of access-to-subprogram types.
No_Allocators
-------------
.. index:: No_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator.
No_Anonymous_Allocators
-----------------------
.. index:: No_Anonymous_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator of anonymous access type.
No_Calendar
-----------
.. index:: No_Calendar
[GNAT] This restriction ensures at compile time that there is no implicit or
explicit dependence on the package `Ada.Calendar`.
No_Coextensions
---------------
.. index:: No_Coextensions
[RM H.4] This restriction ensures at compile time that there are no
coextensions. See 3.10.2.
No_Default_Initialization
-------------------------
.. index:: No_Default_Initialization
[GNAT] This restriction prohibits any instance of default initialization
of variables. The binder implements a consistency rule which prevents
any unit compiled without the restriction from with'ing a unit with the
restriction (this allows the generation of initialization procedures to
be skipped, since you can be sure that no call is ever generated to an
initialization procedure in a unit with the restriction active). If used
in conjunction with Initialize_Scalars or Normalize_Scalars, the effect
is to prohibit all cases of variables declared without a specific
initializer (including the case of OUT scalar parameters).
No_Delay
--------
.. index:: No_Delay
[RM H.4] This restriction ensures at compile time that there are no
delay statements and no dependences on package Calendar.
No_Dependence
-------------
.. index:: No_Dependence
[RM 13.12.1] This restriction checks at compile time that there are no
dependence on a library unit.
No_Direct_Boolean_Operators
---------------------------
.. index:: No_Direct_Boolean_Operators
[GNAT] This restriction ensures that no logical operators (and/or/xor)
are used on operands of type Boolean (or any type derived from Boolean).
This is intended for use in safety critical programs where the certification
protocol requires the use of short-circuit (and then, or else) forms for all
composite boolean operations.
No_Dispatch
-----------
.. index:: No_Dispatch
[RM H.4] This restriction ensures at compile time that there are no
occurrences of `T'Class`, for any (tagged) subtype `T`.
No_Dispatching_Calls
--------------------
.. index:: No_Dispatching_Calls
[GNAT] This restriction ensures at compile time that the code generated by the
compiler involves no dispatching calls. The use of this restriction allows the
safe use of record extensions, classwide membership tests and other classwide
features not involving implicit dispatching. This restriction ensures that
the code contains no indirect calls through a dispatching mechanism. Note that
this includes internally-generated calls created by the compiler, for example
in the implementation of class-wide objects assignments. The
membership test is allowed in the presence of this restriction, because its
implementation requires no dispatching.
This restriction is comparable to the official Ada restriction
`No_Dispatch` except that it is a bit less restrictive in that it allows
all classwide constructs that do not imply dispatching.
The following example indicates constructs that violate this restriction.
.. code-block:: ada
package Pkg is
type T is tagged record
Data : Natural;
end record;
procedure P (X : T);
type DT is new T with record
More_Data : Natural;
end record;
procedure Q (X : DT);
end Pkg;
with Pkg; use Pkg;
procedure Example is
procedure Test (O : T'Class) is
N : Natural := O'Size;-- Error: Dispatching call
C : T'Class := O; -- Error: implicit Dispatching Call
begin
if O in DT'Class then -- OK : Membership test
Q (DT (O)); -- OK : Type conversion plus direct call
else
P (O); -- Error: Dispatching call
end if;
end Test;
Obj : DT;
begin
P (Obj); -- OK : Direct call
P (T (Obj)); -- OK : Type conversion plus direct call
P (T'Class (Obj)); -- Error: Dispatching call
Test (Obj); -- OK : Type conversion
if Obj in T'Class then -- OK : Membership test
null;
end if;
end Example;
No_Dynamic_Attachment
---------------------
.. index:: No_Dynamic_Attachment
[RM D.7] This restriction ensures that there is no call to any of the
operations defined in package Ada.Interrupts
(Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler,
Detach_Handler, and Reference).
.. index:: No_Dynamic_Interrupts
The restriction `No_Dynamic_Interrupts` is recognized as a
synonym for `No_Dynamic_Attachment`. This is retained for historical
compatibility purposes (and a warning will be generated for its use if
warnings on obsolescent features are activated).
No_Dynamic_Priorities
---------------------
.. index:: No_Dynamic_Priorities
[RM D.7] There are no semantic dependencies on the package Dynamic_Priorities.
No_Entry_Calls_In_Elaboration_Code
----------------------------------
.. index:: No_Entry_Calls_In_Elaboration_Code
[GNAT] This restriction ensures at compile time that no task or protected entry
calls are made during elaboration code. As a result of the use of this
restriction, the compiler can assume that no code past an accept statement
in a task can be executed at elaboration time.
No_Enumeration_Maps
-------------------
.. index:: No_Enumeration_Maps
[GNAT] This restriction ensures at compile time that no operations requiring
enumeration maps are used (that is Image and Value attributes applied
to enumeration types).
No_Exception_Handlers
---------------------
.. index:: No_Exception_Handlers
[GNAT] This restriction ensures at compile time that there are no explicit
exception handlers. It also indicates that no exception propagation will
be provided. In this mode, exceptions may be raised but will result in
an immediate call to the last chance handler, a routine that the user
must define with the following profile:
.. code-block:: ada
procedure Last_Chance_Handler
(Source_Location : System.Address; Line : Integer);
pragma Export (C, Last_Chance_Handler,
"__gnat_last_chance_handler");
The parameter is a C null-terminated string representing a message to be
associated with the exception (typically the source location of the raise
statement generated by the compiler). The Line parameter when nonzero
represents the line number in the source program where the raise occurs.
No_Exception_Propagation
------------------------
.. index:: No_Exception_Propagation
[GNAT] This restriction guarantees that exceptions are never propagated
to an outer subprogram scope. The only case in which an exception may
be raised is when the handler is statically in the same subprogram, so
that the effect of a raise is essentially like a goto statement. Any
other raise statement (implicit or explicit) will be considered
unhandled. Exception handlers are allowed, but may not contain an
exception occurrence identifier (exception choice). In addition, use of
the package GNAT.Current_Exception is not permitted, and reraise
statements (raise with no operand) are not permitted.
No_Exception_Registration
-------------------------
.. index:: No_Exception_Registration
[GNAT] This restriction ensures at compile time that no stream operations for
types Exception_Id or Exception_Occurrence are used. This also makes it
impossible to pass exceptions to or from a partition with this restriction
in a distributed environment. If this restriction is active, the generated
code is simplified by omitting the otherwise-required global registration
of exceptions when they are declared.
No_Exceptions
-------------
.. index:: No_Exceptions
[RM H.4] This restriction ensures at compile time that there are no
raise statements and no exception handlers.
No_Finalization
---------------
.. index:: No_Finalization
[GNAT] This restriction disables the language features described in
chapter 7.6 of the Ada 2005 RM as well as all form of code generation
performed by the compiler to support these features. The following types
are no longer considered controlled when this restriction is in effect:
*
`Ada.Finalization.Controlled`
*
`Ada.Finalization.Limited_Controlled`
*
Derivations from `Controlled` or `Limited_Controlled`
*
Class-wide types
*
Protected types
*
Task types
*
Array and record types with controlled components
The compiler no longer generates code to initialize, finalize or adjust an
object or a nested component, either declared on the stack or on the heap. The
deallocation of a controlled object no longer finalizes its contents.
No_Fixed_Point
--------------
.. index:: No_Fixed_Point
[RM H.4] This restriction ensures at compile time that there are no
occurrences of fixed point types and operations.
No_Floating_Point
-----------------
.. index:: No_Floating_Point
[RM H.4] This restriction ensures at compile time that there are no
occurrences of floating point types and operations.
No_Implicit_Conditionals
------------------------
.. index:: No_Implicit_Conditionals
[GNAT] This restriction ensures that the generated code does not contain any
implicit conditionals, either by modifying the generated code where possible,
or by rejecting any construct that would otherwise generate an implicit
conditional. Note that this check does not include run time constraint
checks, which on some targets may generate implicit conditionals as
well. To control the latter, constraint checks can be suppressed in the
normal manner. Constructs generating implicit conditionals include comparisons
of composite objects and the Max/Min attributes.
No_Implicit_Dynamic_Code
------------------------
.. index:: No_Implicit_Dynamic_Code
.. index:: trampoline
[GNAT] This restriction prevents the compiler from building 'trampolines'.
This is a structure that is built on the stack and contains dynamic
code to be executed at run time. On some targets, a trampoline is
built for the following features: `Access`,
`Unrestricted_Access`, or `Address` of a nested subprogram;
nested task bodies; primitive operations of nested tagged types.
Trampolines do not work on machines that prevent execution of stack
data. For example, on windows systems, enabling DEP (data execution
protection) will cause trampolines to raise an exception.
Trampolines are also quite slow at run time.
On many targets, trampolines have been largely eliminated. Look at the
version of system.ads for your target --- if it has
Always_Compatible_Rep equal to False, then trampolines are largely
eliminated. In particular, a trampoline is built for the following
features: `Address` of a nested subprogram;
`Access` or `Unrestricted_Access` of a nested subprogram,
but only if pragma Favor_Top_Level applies, or the access type has a
foreign-language convention; primitive operations of nested tagged
types.
No_Implicit_Heap_Allocations
----------------------------
.. index:: No_Implicit_Heap_Allocations
[RM D.7] No constructs are allowed to cause implicit heap allocation.
No_Implicit_Loops
-----------------
.. index:: No_Implicit_Loops
[GNAT] This restriction ensures that the generated code does not contain any
implicit `for` loops, either by modifying
the generated code where possible,
or by rejecting any construct that would otherwise generate an implicit
`for` loop. If this restriction is active, it is possible to build
large array aggregates with all static components without generating an
intermediate temporary, and without generating a loop to initialize individual
components. Otherwise, a loop is created for arrays larger than about 5000
scalar components.
No_Initialize_Scalars
---------------------
.. index:: No_Initialize_Scalars
[GNAT] This restriction ensures that no unit in the partition is compiled with
pragma Initialize_Scalars. This allows the generation of more efficient
code, and in particular eliminates dummy null initialization routines that
are otherwise generated for some record and array types.
No_IO
-----
.. index:: No_IO
[RM H.4] This restriction ensures at compile time that there are no
dependences on any of the library units Sequential_IO, Direct_IO,
Text_IO, Wide_Text_IO, Wide_Wide_Text_IO, or Stream_IO.
No_Local_Allocators
-------------------
.. index:: No_Local_Allocators
[RM H.4] This restriction ensures at compile time that there are no
occurrences of an allocator in subprograms, generic subprograms, tasks,
and entry bodies.
No_Local_Protected_Objects
--------------------------
.. index:: No_Local_Protected_Objects
[RM D.7] This restriction ensures at compile time that protected objects are
only declared at the library level.
No_Local_Timing_Events
----------------------
.. index:: No_Local_Timing_Events
[RM D.7] All objects of type Ada.Timing_Events.Timing_Event are
declared at the library level.
No_Long_Long_Integers
---------------------
.. index:: No_Long_Long_Integers
[GNAT] This partition-wide restriction forbids any explicit reference to
type Standard.Long_Long_Integer, and also forbids declaring range types whose
implicit base type is Long_Long_Integer, and modular types whose size exceeds
Long_Integer'Size.
No_Multiple_Elaboration
-----------------------
.. index:: No_Multiple_Elaboration
[GNAT] Normally each package contains a 16-bit counter used to check for access
before elaboration, and to control multiple elaboration attempts.
This counter is eliminated for units compiled with the static model
of elaboration if restriction `No_Elaboration_Code`
is active but because of
the need to check for multiple elaboration in the general case, these
counters cannot be eliminated if elaboration code may be present. The
restriction `No_Multiple_Elaboration`
allows suppression of these counters
in static elaboration units even if they do have elaboration code. If this
restriction is used, then the situations in which multiple elaboration is
possible, including non-Ada main programs, and Stand Alone libraries, are not
permitted, and will be diagnosed by the binder.
No_Nested_Finalization
----------------------
.. index:: No_Nested_Finalization
[RM D.7] All objects requiring finalization are declared at the library level.
No_Protected_Type_Allocators
----------------------------
.. index:: No_Protected_Type_Allocators
[RM D.7] This restriction ensures at compile time that there are no allocator
expressions that attempt to allocate protected objects.
No_Protected_Types
------------------
.. index:: No_Protected_Types
[RM H.4] This restriction ensures at compile time that there are no
declarations of protected types or protected objects.
No_Recursion
------------
.. index:: No_Recursion
[RM H.4] A program execution is erroneous if a subprogram is invoked as
part of its execution.
No_Reentrancy
-------------
.. index:: No_Reentrancy
[RM H.4] A program execution is erroneous if a subprogram is executed by
two tasks at the same time.
No_Relative_Delay
-----------------
.. index:: No_Relative_Delay
[RM D.7] This restriction ensures at compile time that there are no delay
relative statements and prevents expressions such as `delay 1.23;` from
appearing in source code.
No_Requeue_Statements
---------------------
.. index:: No_Requeue_Statements
[RM D.7] This restriction ensures at compile time that no requeue statements
are permitted and prevents keyword `requeue` from being used in source
code.
.. index:: No_Requeue
The restriction `No_Requeue` is recognized as a
synonym for `No_Requeue_Statements`. This is retained for historical
compatibility purposes (and a warning will be generated for its use if
warnings on oNobsolescent features are activated).
No_Secondary_Stack
------------------
.. index:: No_Secondary_Stack
[GNAT] This restriction ensures at compile time that the generated code
does not contain any reference to the secondary stack. The secondary
stack is used to implement functions returning unconstrained objects
(arrays or records) on some targets.
No_Select_Statements
--------------------
.. index:: No_Select_Statements
[RM D.7] This restriction ensures at compile time no select statements of any
kind are permitted, that is the keyword `select` may not appear.
No_Specific_Termination_Handlers
--------------------------------
.. index:: No_Specific_Termination_Handlers
[RM D.7] There are no calls to Ada.Task_Termination.Set_Specific_Handler
or to Ada.Task_Termination.Specific_Handler.
No_Specification_of_Aspect
--------------------------
.. index:: No_Specification_of_Aspect
[RM 13.12.1] This restriction checks at compile time that no aspect
specification, attribute definition clause, or pragma is given for a
given aspect.
No_Standard_Allocators_After_Elaboration
----------------------------------------
.. index:: No_Standard_Allocators_After_Elaboration
[RM D.7] Specifies that an allocator using a standard storage pool
should never be evaluated at run time after the elaboration of the
library items of the partition has completed. Otherwise, Storage_Error
is raised.
No_Standard_Storage_Pools
-------------------------
.. index:: No_Standard_Storage_Pools
[GNAT] This restriction ensures at compile time that no access types
use the standard default storage pool. Any access type declared must
have an explicit Storage_Pool attribute defined specifying a
user-defined storage pool.
No_Stream_Optimizations
-----------------------
.. index:: No_Stream_Optimizations
[GNAT] This restriction affects the performance of stream operations on types
`String`, `Wide_String` and `Wide_Wide_String`. By default, the
compiler uses block reads and writes when manipulating `String` objects
due to their supperior performance. When this restriction is in effect, the
compiler performs all IO operations on a per-character basis.
No_Streams
----------
.. index:: No_Streams
[GNAT] This restriction ensures at compile/bind time that there are no
stream objects created and no use of stream attributes.
This restriction does not forbid dependences on the package
`Ada.Streams`. So it is permissible to with
`Ada.Streams` (or another package that does so itself)
as long as no actual stream objects are created and no
stream attributes are used.
Note that the use of restriction allows optimization of tagged types,
since they do not need to worry about dispatching stream operations.
To take maximum advantage of this space-saving optimization, any
unit declaring a tagged type should be compiled with the restriction,
though this is not required.
No_Task_Allocators
------------------
.. index:: No_Task_Allocators
[RM D.7] There are no allocators for task types
or types containing task subcomponents.
No_Task_Attributes_Package
--------------------------
.. index:: No_Task_Attributes_Package
[GNAT] This restriction ensures at compile time that there are no implicit or
explicit dependencies on the package `Ada.Task_Attributes`.
.. index:: No_Task_Attributes
The restriction `No_Task_Attributes` is recognized as a synonym
for `No_Task_Attributes_Package`. This is retained for historical
compatibility purposes (and a warning will be generated for its use if
warnings on obsolescent features are activated).
No_Task_Hierarchy
-----------------
.. index:: No_Task_Hierarchy
[RM D.7] All (non-environment) tasks depend
directly on the environment task of the partition.
No_Task_Termination
-------------------
.. index:: No_Task_Termination
[RM D.7] Tasks that terminate are erroneous.
No_Tasking
----------
.. index:: No_Tasking
[GNAT] This restriction prevents the declaration of tasks or task types
throughout the partition. It is similar in effect to the use of
`Max_Tasks => 0` except that violations are caught at compile time
and cause an error message to be output either by the compiler or
binder.
No_Terminate_Alternatives
-------------------------
.. index:: No_Terminate_Alternatives
[RM D.7] There are no selective accepts with terminate alternatives.
No_Unchecked_Access
-------------------
.. index:: No_Unchecked_Access
[RM H.4] This restriction ensures at compile time that there are no
occurrences of the Unchecked_Access attribute.
No_Use_Of_Entity
----------------
.. index:: No_Use_Of_Entity
[GNAT] This restriction ensures at compile time that there are no references
to the entity given in the form ::
No_Use_Of_Entity => Name
where ``Name`` is the fully qualified entity, for example ::
No_Use_Of_Entity => Ada.Text_IO.Put_Line
Simple_Barriers
---------------
.. index:: Simple_Barriers
[RM D.7] This restriction ensures at compile time that barriers in entry
declarations for protected types are restricted to either static boolean
expressions or references to simple boolean variables defined in the private
part of the protected type. No other form of entry barriers is permitted.
.. index:: Boolean_Entry_Barriers
The restriction `Boolean_Entry_Barriers` is recognized as a
synonym for `Simple_Barriers`. This is retained for historical
compatibility purposes (and a warning will be generated for its use if
warnings on obsolescent features are activated).
Static_Priorities
-----------------
.. index:: Static_Priorities
[GNAT] This restriction ensures at compile time that all priority expressions
are static, and that there are no dependences on the package
`Ada.Dynamic_Priorities`.
Static_Storage_Size
-------------------
.. index:: Static_Storage_Size
[GNAT] This restriction ensures at compile time that any expression appearing
in a Storage_Size pragma or attribute definition clause is static.
.. _Program_Unit_Level_Restrictions:
Program Unit Level Restrictions
===============================
The second set of restriction identifiers
does not require partition-wide consistency.
The restriction may be enforced for a single
compilation unit without any effect on any of the
other compilation units in the partition.
No_Elaboration_Code
-------------------
.. index:: No_Elaboration_Code
[GNAT] This restriction ensures at compile time that no elaboration code is
generated. Note that this is not the same condition as is enforced
by pragma `Preelaborate`. There are cases in which pragma
`Preelaborate` still permits code to be generated (e.g., code
to initialize a large array to all zeroes), and there are cases of units
which do not meet the requirements for pragma `Preelaborate`,
but for which no elaboration code is generated. Generally, it is
the case that preelaborable units will meet the restrictions, with
the exception of large aggregates initialized with an others_clause,
and exception declarations (which generate calls to a run-time
registry procedure). This restriction is enforced on
a unit by unit basis, it need not be obeyed consistently
throughout a partition.
In the case of aggregates with others, if the aggregate has a dynamic
size, there is no way to eliminate the elaboration code (such dynamic
bounds would be incompatible with `Preelaborate` in any case). If
the bounds are static, then use of this restriction actually modifies
the code choice of the compiler to avoid generating a loop, and instead
generate the aggregate statically if possible, no matter how many times
the data for the others clause must be repeatedly generated.
It is not possible to precisely document
the constructs which are compatible with this restriction, since,
unlike most other restrictions, this is not a restriction on the
source code, but a restriction on the generated object code. For
example, if the source contains a declaration:
.. code-block:: ada
Val : constant Integer := X;
where X is not a static constant, it may be possible, depending
on complex optimization circuitry, for the compiler to figure
out the value of X at compile time, in which case this initialization
can be done by the loader, and requires no initialization code. It
is not possible to document the precise conditions under which the
optimizer can figure this out.
Note that this the implementation of this restriction requires full
code generation. If it is used in conjunction with "semantics only"
checking, then some cases of violations may be missed.
No_Entry_Queue
--------------
.. index:: No_Entry_Queue
[GNAT] This restriction is a declaration that any protected entry compiled in
the scope of the restriction has at most one task waiting on the entry
at any one time, and so no queue is required. This restriction is not
checked at compile time. A program execution is erroneous if an attempt
is made to queue a second task on such an entry.
No_Implementation_Aspect_Specifications
---------------------------------------
.. index:: No_Implementation_Aspect_Specifications
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined aspects are present. With this restriction, the only
aspects that can be used are those defined in the Ada Reference Manual.
No_Implementation_Attributes
----------------------------
.. index:: No_Implementation_Attributes
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined attributes are present. With this restriction, the only
attributes that can be used are those defined in the Ada Reference
Manual.
No_Implementation_Identifiers
-----------------------------
.. index:: No_Implementation_Identifiers
[RM 13.12.1] This restriction checks at compile time that no
implementation-defined identifiers (marked with pragma Implementation_Defined)
occur within language-defined packages.
No_Implementation_Pragmas
-------------------------
.. index:: No_Implementation_Pragmas
[RM 13.12.1] This restriction checks at compile time that no
GNAT-defined pragmas are present. With this restriction, the only
pragmas that can be used are those defined in the Ada Reference Manual.
No_Implementation_Restrictions
------------------------------
.. index:: No_Implementation_Restrictions
[GNAT] This restriction checks at compile time that no GNAT-defined restriction
identifiers (other than `No_Implementation_Restrictions` itself)
are present. With this restriction, the only other restriction identifiers
that can be used are those defined in the Ada Reference Manual.
No_Implementation_Units
-----------------------
.. index:: No_Implementation_Units
[RM 13.12.1] This restriction checks at compile time that there is no
mention in the context clause of any implementation-defined descendants
of packages Ada, Interfaces, or System.
No_Implicit_Aliasing
--------------------
.. index:: No_Implicit_Aliasing
[GNAT] This restriction, which is not required to be partition-wide consistent,
requires an explicit aliased keyword for an object to which 'Access,
'Unchecked_Access, or 'Address is applied, and forbids entirely the use of
the 'Unrestricted_Access attribute for objects. Note: the reason that
Unrestricted_Access is forbidden is that it would require the prefix
to be aliased, and in such cases, it can always be replaced by
the standard attribute Unchecked_Access which is preferable.
No_Obsolescent_Features
-----------------------
.. index:: No_Obsolescent_Features
[RM 13.12.1] This restriction checks at compile time that no obsolescent
features are used, as defined in Annex J of the Ada Reference Manual.
No_Wide_Characters
------------------
.. index:: No_Wide_Characters
[GNAT] This restriction ensures at compile time that no uses of the types
`Wide_Character` or `Wide_String` or corresponding wide
wide types
appear, and that no wide or wide wide string or character literals
appear in the program (that is literals representing characters not in
type `Character`).
SPARK_05
--------
.. index:: SPARK_05
[GNAT] This restriction checks at compile time that some constructs
forbidden in SPARK 2005 are not present. Error messages related to
SPARK restriction have the form:
::
violation of restriction "SPARK_05" at <source-location>
<error message>
.. index:: SPARK
The restriction `SPARK` is recognized as a
synonym for `SPARK_05`. This is retained for historical
compatibility purposes (and an unconditional warning will be generated
for its use, advising replacement by `SPARK`).
This is not a replacement for the semantic checks performed by the
SPARK Examiner tool, as the compiler currently only deals with code,
not SPARK 2005 annotations, and does not guarantee catching all
cases of constructs forbidden by SPARK 2005.
Thus it may well be the case that code which passes the compiler with
the SPARK restriction is rejected by the SPARK Examiner, e.g. due to
the different visibility rules of the Examiner based on SPARK 2005
`inherit` annotations.
This restriction can be useful in providing an initial filter for code
developed using SPARK 2005, or in examining legacy code to see how far
it is from meeting SPARK restrictions.
The list below summarizes the checks that are performed when this
restriction is in force:
* No block statements
* No case statements with only an others clause
* Exit statements in loops must respect the SPARK 2005 language restrictions
* No goto statements
* Return can only appear as last statement in function
* Function must have return statement
* Loop parameter specification must include subtype mark
* Prefix of expanded name cannot be a loop statement
* Abstract subprogram not allowed
* User-defined operators not allowed
* Access type parameters not allowed
* Default expressions for parameters not allowed
* Default expressions for record fields not allowed
* No tasking constructs allowed
* Label needed at end of subprograms and packages
* No mixing of positional and named parameter association
* No access types as result type
* No unconstrained arrays as result types
* No null procedures
* Initial and later declarations must be in correct order (declaration can't come after body)
* No attributes on private types if full declaration not visible
* No package declaration within package specification
* No controlled types
* No discriminant types
* No overloading
* Selector name cannot be operator symbol (i.e. operator symbol cannot be prefixed)
* Access attribute not allowed
* Allocator not allowed
* Result of catenation must be String
* Operands of catenation must be string literal, static char or another catenation
* No conditional expressions
* No explicit dereference
* Quantified expression not allowed
* Slicing not allowed
* No exception renaming
* No generic renaming
* No object renaming
* No use clause
* Aggregates must be qualified
* Non-static choice in array aggregates not allowed
* The only view conversions which are allowed as in-out parameters are conversions of a tagged type to an ancestor type
* No mixing of positional and named association in aggregate, no multi choice
* AND, OR and XOR for arrays only allowed when operands have same static bounds
* Fixed point operands to * or / must be qualified or converted
* Comparison operators not allowed for Booleans or arrays (except strings)
* Equality not allowed for arrays with non-matching static bounds (except strings)
* Conversion / qualification not allowed for arrays with non-matching static bounds
* Subprogram declaration only allowed in package spec (unless followed by import)
* Access types not allowed
* Incomplete type declaration not allowed
* Object and subtype declarations must respect SPARK restrictions
* Digits or delta constraint not allowed
* Decimal fixed point type not allowed
* Aliasing of objects not allowed
* Modular type modulus must be power of 2
* Base not allowed on subtype mark
* Unary operators not allowed on modular types (except not)
* Untagged record cannot be null
* No class-wide operations
* Initialization expressions must respect SPARK restrictions
* Non-static ranges not allowed except in iteration schemes
* String subtypes must have lower bound of 1
* Subtype of Boolean cannot have constraint
* At most one tagged type or extension per package
* Interface is not allowed
* Character literal cannot be prefixed (selector name cannot be character literal)
* Record aggregate cannot contain 'others'
* Component association in record aggregate must contain a single choice
* Ancestor part cannot be a type mark
* Attributes 'Image, 'Width and 'Value not allowed
* Functions may not update globals
* Subprograms may not contain direct calls to themselves (prevents recursion within unit)
* Call to subprogram not allowed in same unit before body has been seen (prevents recursion within unit)
The following restrictions are enforced, but note that they are actually more
strict that the latest SPARK 2005 language definition:
* No derived types other than tagged type extensions
* Subtype of unconstrained array must have constraint
This list summarises the main SPARK 2005 language rules that are not
currently checked by the SPARK_05 restriction:
* SPARK annotations are treated as comments so are not checked at all
* Based real literals not allowed
* Objects cannot be initialized at declaration by calls to user-defined functions
* Objects cannot be initialized at declaration by assignments from variables
* Objects cannot be initialized at declaration by assignments from indexed/selected components
* Ranges shall not be null
* A fixed point delta expression must be a simple expression
* Restrictions on where renaming declarations may be placed
* Externals of mode 'out' cannot be referenced
* Externals of mode 'in' cannot be updated
* Loop with no iteration scheme or exits only allowed as last statement in main program or task
* Subprogram cannot have parent unit name
* SPARK 2005 inherited subprogram must be prefixed with overriding
* External variables (or functions that reference them) may not be passed as actual parameters
* Globals must be explicitly mentioned in contract
* Deferred constants cannot be completed by pragma Import
* Package initialization cannot read/write variables from other packages
* Prefix not allowed for entities that are directly visible
* Identifier declaration can't override inherited package name
* Cannot use Standard or other predefined packages as identifiers
* After renaming, cannot use the original name
* Subprograms can only be renamed to remove package prefix
* Pragma import must be immediately after entity it names
* No mutual recursion between multiple units (this can be checked with gnatcheck)
Note that if a unit is compiled in Ada 95 mode with the SPARK restriction,
violations will be reported for constructs forbidden in SPARK 95,
instead of SPARK 2005.