| ------------------------------------------------------------------------------ |
| -- -- |
| -- GNAT COMPILER COMPONENTS -- |
| -- -- |
| -- S Y S T E M . V A L _ U T I L -- |
| -- -- |
| -- B o d y -- |
| -- -- |
| -- Copyright (C) 1992-2022, Free Software Foundation, Inc. -- |
| -- -- |
| -- GNAT is free software; you can redistribute it and/or modify it under -- |
| -- terms of the GNU General Public License as published by the Free Soft- -- |
| -- ware Foundation; either version 3, or (at your option) any later ver- -- |
| -- sion. GNAT is distributed in the hope that it will be useful, but WITH- -- |
| -- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -- |
| -- or FITNESS FOR A PARTICULAR PURPOSE. -- |
| -- -- |
| -- As a special exception under Section 7 of GPL version 3, you are granted -- |
| -- additional permissions described in the GCC Runtime Library Exception, -- |
| -- version 3.1, as published by the Free Software Foundation. -- |
| -- -- |
| -- You should have received a copy of the GNU General Public License and -- |
| -- a copy of the GCC Runtime Library Exception along with this program; -- |
| -- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see -- |
| -- <http://www.gnu.org/licenses/>. -- |
| -- -- |
| -- GNAT was originally developed by the GNAT team at New York University. -- |
| -- Extensive contributions were provided by Ada Core Technologies Inc. -- |
| -- -- |
| ------------------------------------------------------------------------------ |
| |
| -- Ghost code, loop invariants and assertions in this unit are meant for |
| -- analysis only, not for run-time checking, as it would be too costly |
| -- otherwise. This is enforced by setting the assertion policy to Ignore. |
| |
| pragma Assertion_Policy (Ghost => Ignore, |
| Loop_Invariant => Ignore, |
| Assert => Ignore); |
| |
| with System.Case_Util; use System.Case_Util; |
| |
| package body System.Val_Util |
| with SPARK_Mode |
| is |
| |
| --------------- |
| -- Bad_Value -- |
| --------------- |
| |
| procedure Bad_Value (S : String) is |
| pragma Annotate (GNATprove, Intentional, "exception might be raised", |
| "Intentional exception from Bad_Value"); |
| begin |
| -- Bad_Value might be called with very long strings allocated on the |
| -- heap. Limit the size of the message so that we avoid creating a |
| -- Storage_Error during error handling. |
| if S'Length > 127 then |
| raise Constraint_Error with "bad input for 'Value: """ |
| & S (S'First .. S'First + 127) & "..."""; |
| else |
| raise Constraint_Error with "bad input for 'Value: """ & S & '"'; |
| end if; |
| end Bad_Value; |
| |
| --------------------------- |
| -- First_Non_Space_Ghost -- |
| --------------------------- |
| |
| function First_Non_Space_Ghost |
| (S : String; |
| From, To : Integer) return Positive |
| is |
| begin |
| for J in From .. To loop |
| if S (J) /= ' ' then |
| return J; |
| end if; |
| |
| pragma Loop_Invariant (for all K in From .. J => S (K) = ' '); |
| end loop; |
| |
| raise Program_Error; |
| end First_Non_Space_Ghost; |
| |
| ----------------------- |
| -- Last_Number_Ghost -- |
| ----------------------- |
| |
| function Last_Number_Ghost (Str : String) return Positive is |
| begin |
| for J in Str'Range loop |
| if Str (J) not in '0' .. '9' | '_' then |
| return J - 1; |
| end if; |
| |
| pragma Loop_Invariant |
| (for all K in Str'First .. J => Str (K) in '0' .. '9' | '_'); |
| end loop; |
| |
| return Str'Last; |
| end Last_Number_Ghost; |
| |
| ---------------------- |
| -- Normalize_String -- |
| ---------------------- |
| |
| procedure Normalize_String |
| (S : in out String; |
| F, L : out Integer) |
| is |
| begin |
| F := S'First; |
| L := S'Last; |
| |
| -- Case of empty string |
| |
| if F > L then |
| return; |
| end if; |
| |
| -- Scan for leading spaces |
| |
| while F < L and then S (F) = ' ' loop |
| pragma Loop_Invariant (F in S'First .. L - 1); |
| pragma Loop_Invariant (for all J in S'First .. F => S (J) = ' '); |
| F := F + 1; |
| end loop; |
| |
| -- Case of no nonspace characters found. Decrease L to ensure L < F |
| -- without risking an overflow if F is Integer'Last. |
| |
| if S (F) = ' ' then |
| L := L - 1; |
| return; |
| end if; |
| |
| -- Scan for trailing spaces |
| |
| while S (L) = ' ' loop |
| pragma Loop_Invariant (L in F + 1 .. S'Last); |
| pragma Loop_Invariant (for all J in L .. S'Last => S (J) = ' '); |
| L := L - 1; |
| end loop; |
| |
| -- Except in the case of a character literal, convert to upper case |
| |
| if S (F) /= ''' then |
| for J in F .. L loop |
| S (J) := To_Upper (S (J)); |
| pragma Loop_Invariant |
| (for all K in F .. J => S (K) = To_Upper (S'Loop_Entry (K))); |
| end loop; |
| end if; |
| end Normalize_String; |
| |
| ------------------- |
| -- Scan_Exponent -- |
| ------------------- |
| |
| procedure Scan_Exponent |
| (Str : String; |
| Ptr : not null access Integer; |
| Max : Integer; |
| Exp : out Integer; |
| Real : Boolean := False) |
| is |
| P : Integer := Ptr.all; |
| M : Boolean; |
| X : Integer; |
| |
| begin |
| if P >= Max |
| or else (Str (P) /= 'E' and then Str (P) /= 'e') |
| then |
| Exp := 0; |
| return; |
| end if; |
| pragma Annotate |
| (CodePeer, False_Positive, "test always false", |
| "the slice might be empty or not start with an 'e'"); |
| |
| -- We have an E/e, see if sign follows |
| |
| P := P + 1; |
| |
| if Str (P) = '+' then |
| P := P + 1; |
| |
| if P > Max then |
| Exp := 0; |
| return; |
| else |
| M := False; |
| end if; |
| |
| elsif Str (P) = '-' then |
| P := P + 1; |
| |
| if P > Max or else not Real then |
| Exp := 0; |
| return; |
| else |
| M := True; |
| end if; |
| |
| else |
| M := False; |
| end if; |
| |
| if Str (P) not in '0' .. '9' then |
| Exp := 0; |
| return; |
| end if; |
| |
| -- Scan out the exponent value as an unsigned integer. Values larger |
| -- than (Integer'Last / 10) are simply considered large enough here. |
| -- This assumption is correct for all machines we know of (e.g. in the |
| -- case of 16 bit integers it allows exponents up to 3276, which is |
| -- large enough for the largest floating types in base 2.) |
| |
| X := 0; |
| |
| declare |
| Rest : constant String := Str (P .. Max) with Ghost; |
| Last : constant Natural := Last_Number_Ghost (Rest) with Ghost; |
| |
| begin |
| pragma Assert (Is_Natural_Format_Ghost (Rest)); |
| |
| loop |
| pragma Assert (Str (P) in '0' .. '9'); |
| |
| if X < (Integer'Last / 10) then |
| X := X * 10 + (Character'Pos (Str (P)) - Character'Pos ('0')); |
| end if; |
| |
| pragma Loop_Invariant (X >= 0); |
| pragma Loop_Invariant (P in Rest'First .. Last); |
| pragma Loop_Invariant (Str (P) in '0' .. '9'); |
| pragma Loop_Invariant |
| (Scan_Natural_Ghost (Rest, Rest'First, 0) |
| = Scan_Natural_Ghost (Rest, P + 1, X)); |
| |
| P := P + 1; |
| |
| exit when P > Max; |
| |
| if Str (P) = '_' then |
| Scan_Underscore (Str, P, Ptr, Max, False); |
| else |
| exit when Str (P) not in '0' .. '9'; |
| end if; |
| end loop; |
| |
| pragma Assert (P = Last + 1); |
| end; |
| |
| if M then |
| X := -X; |
| end if; |
| |
| Ptr.all := P; |
| Exp := X; |
| end Scan_Exponent; |
| |
| -------------------- |
| -- Scan_Plus_Sign -- |
| -------------------- |
| |
| procedure Scan_Plus_Sign |
| (Str : String; |
| Ptr : not null access Integer; |
| Max : Integer; |
| Start : out Positive) |
| is |
| P : Integer := Ptr.all; |
| |
| begin |
| if P > Max then |
| Bad_Value (Str); |
| end if; |
| |
| -- Scan past initial blanks |
| |
| while Str (P) = ' ' loop |
| P := P + 1; |
| |
| pragma Loop_Invariant (Ptr.all = Ptr.all'Loop_Entry); |
| pragma Loop_Invariant (P in Ptr.all .. Max); |
| pragma Loop_Invariant (for some J in P .. Max => Str (J) /= ' '); |
| pragma Loop_Invariant |
| (for all J in Ptr.all .. P - 1 => Str (J) = ' '); |
| |
| if P > Max then |
| Ptr.all := P; |
| Bad_Value (Str); |
| end if; |
| end loop; |
| |
| Start := P; |
| |
| pragma Assert (Start = First_Non_Space_Ghost (Str, Ptr.all, Max)); |
| |
| -- Skip past an initial plus sign |
| |
| if Str (P) = '+' then |
| P := P + 1; |
| |
| if P > Max then |
| Ptr.all := Start; |
| Bad_Value (Str); |
| end if; |
| end if; |
| |
| Ptr.all := P; |
| end Scan_Plus_Sign; |
| |
| --------------- |
| -- Scan_Sign -- |
| --------------- |
| |
| procedure Scan_Sign |
| (Str : String; |
| Ptr : not null access Integer; |
| Max : Integer; |
| Minus : out Boolean; |
| Start : out Positive) |
| is |
| P : Integer := Ptr.all; |
| |
| begin |
| -- Deal with case of null string (all blanks). As per spec, we raise |
| -- constraint error, with Ptr unchanged, and thus > Max. |
| |
| if P > Max then |
| Bad_Value (Str); |
| end if; |
| |
| -- Scan past initial blanks |
| |
| while Str (P) = ' ' loop |
| P := P + 1; |
| |
| pragma Loop_Invariant (Ptr.all = Ptr.all'Loop_Entry); |
| pragma Loop_Invariant (P in Ptr.all .. Max); |
| pragma Loop_Invariant (for some J in P .. Max => Str (J) /= ' '); |
| pragma Loop_Invariant |
| (for all J in Ptr.all .. P - 1 => Str (J) = ' '); |
| |
| if P > Max then |
| Ptr.all := P; |
| Bad_Value (Str); |
| end if; |
| end loop; |
| |
| Start := P; |
| |
| pragma Assert (Start = First_Non_Space_Ghost (Str, Ptr.all, Max)); |
| |
| -- Remember an initial minus sign |
| |
| if Str (P) = '-' then |
| Minus := True; |
| P := P + 1; |
| |
| if P > Max then |
| Ptr.all := Start; |
| Bad_Value (Str); |
| end if; |
| |
| -- Skip past an initial plus sign |
| |
| elsif Str (P) = '+' then |
| Minus := False; |
| P := P + 1; |
| |
| if P > Max then |
| Ptr.all := Start; |
| Bad_Value (Str); |
| end if; |
| |
| else |
| Minus := False; |
| end if; |
| |
| Ptr.all := P; |
| end Scan_Sign; |
| |
| -------------------------- |
| -- Scan_Trailing_Blanks -- |
| -------------------------- |
| |
| procedure Scan_Trailing_Blanks (Str : String; P : Positive) is |
| begin |
| for J in P .. Str'Last loop |
| if Str (J) /= ' ' then |
| Bad_Value (Str); |
| end if; |
| |
| pragma Loop_Invariant (for all K in P .. J => Str (K) = ' '); |
| end loop; |
| end Scan_Trailing_Blanks; |
| |
| --------------------- |
| -- Scan_Underscore -- |
| --------------------- |
| |
| procedure Scan_Underscore |
| (Str : String; |
| P : in out Natural; |
| Ptr : not null access Integer; |
| Max : Integer; |
| Ext : Boolean) |
| is |
| C : Character; |
| |
| begin |
| P := P + 1; |
| |
| -- If underscore is at the end of string, then this is an error and we |
| -- raise Constraint_Error, leaving the pointer past the underscore. This |
| -- seems a bit strange. It means e.g. that if the field is: |
| |
| -- 345_ |
| |
| -- that Constraint_Error is raised. You might think that the RM in this |
| -- case would scan out the 345 as a valid integer, leaving the pointer |
| -- at the underscore, but the ACVC suite clearly requires an error in |
| -- this situation (see for example CE3704M). |
| |
| if P > Max then |
| Ptr.all := P; |
| Bad_Value (Str); |
| end if; |
| |
| -- Similarly, if no digit follows the underscore raise an error. This |
| -- also catches the case of double underscore which is also an error. |
| |
| C := Str (P); |
| |
| if C in '0' .. '9' |
| or else (Ext and then (C in 'A' .. 'F' or else C in 'a' .. 'f')) |
| then |
| return; |
| else |
| Ptr.all := P; |
| Bad_Value (Str); |
| end if; |
| end Scan_Underscore; |
| |
| end System.Val_Util; |