1\input texinfo @c -*-texinfo-*- 2@c %**start of header 3@setfilename adacontrol_ug.info 4@settitle AdaControl User Guide V1.18r9 5@c %**end of header 6@macro rule{text} 7@sp 1 8@noindent @b{\text\} 9@end macro 10 11@titlepage 12@title AdaControl User Guide 13 14@c The following two commands start the copyright page. 15@page 16@vskip 0pt plus 1filll 17@end titlepage 18 19@ifnottex 20@node Top, Introduction, (dir), (dir) 21@top AdaControl User Guide 22@end ifnottex 23 24Last edited: @today{} 25 26This is the AdaControl User Guide. It describes how to install and use 27AdaControl. Please refer to the AdaControl Programmer Manual to learn 28how to add new kinds of rules to AdaControl. 29 30@menu 31* Introduction:: 32* Installation:: 33* Program Usage:: 34* Command language reference:: 35* Rules reference:: 36* Examples of using AdaControl for common programming rules:: 37* Specifying an Ada entity name:: 38* Syntax of regular expressions:: 39* Non upward-compatible changes:: 40@end menu 41 42AdaControl is Copyright @copyright{} 2005-2016 Eurocontrol/Adalog, 43except for some specific modules that are @copyright{} 2006 44Belgocontrol/Adalog, @copyright{} 2006 CSEE/Adalog, @copyright{} 452006 SAGEM/Adalog, or @copyright{} 2015 Alstom/Adalog. 46AdaControl is free software; you can redistribute 47it and/or modify it under terms of the GNU General Public License as 48published by the Free Software Foundation; either version 2, or (at 49your option) any later version. This unit is distributed in the hope 50that it will be useful, but WITHOUT ANY WARRANTY; without even the 51implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR 52PURPOSE. See the GNU General Public License for more details. You 53should have received a copy of the GNU General Public License 54distributed with this program; see file COPYING. If not, write to the 55Free Software Foundation, 59 Temple Place - Suite 330, Boston, MA 5602111-1307, USA. 57 58As a special exception, if other files instantiate generics from this 59program, or if you link units from this program with other files to 60produce an executable, this does not by itself cause the resulting 61executable to be covered by the GNU General Public License. This 62exception does not however invalidate any other reasons why the 63executable file might be covered by the GNU Public License. 64 65This document is Copyright @copyright{} 2005-2016 66Eurocontrol/Adalog. This document may be copied, in whole or in part, 67in any form or by any means, as is or with alterations, provided that 68(1) alterations are clearly marked as alterations and (2) this 69copyright notice is included unmodified in any copy. 70 71@iftex 72@contents 73@end iftex 74 75@node Introduction, Installation, Top, Top 76@chapter Introduction 77AdaControl is an Ada rules controller. It is used to control that Ada 78software meets the requirements of a number of parameterizable 79rules. It is not intended to supplement checks made by the compiler, 80but rather to search for particular violations of good-practice rules, 81or to check that some rules are obeyed project-wide. AdaControl can 82also be handy to make statistics about certain usages of language 83features, or simply to search for the occurrences of particular 84constructs; its scope is therefore not limited to enforcing 85programming rules, although it is of course one of its main goals. 86 87AdaControl is a commercial product of 88@url{http://www.adalog.fr/adalog2.htm,Adalog} with professional grade 89support available. Getting support is highly recommended for 90industrial projects. Adacontrol can also be customized or extended to 91match your special needs, please refer to @ref{Support} or contact 92Adalog at @email{info@@adalog.fr}. 93 94@menu 95* Features:: 96* Support:: 97* History:: 98* References:: 99@end menu 100 101@node Features, Support, Introduction, Introduction 102@section Features 103AdaControl analyzes a set of Ada units, according to parameterizable 104controls. Controls can be given from the command line, from a file, 105or interactively. There is a wide range of controls available. Some 106are quite simple (although very useful): 107@itemize @bullet 108@item 109Control physical layout of the program (Maximum line length, no use of 110tabulations...) 111@item 112Control occurences of special strings in comments (like TBD for ``To 113Be Defined''), with full wildcarding. 114@item 115Use of features (goto statement, tasking, pointers, variables in 116package specifications...) 117@item 118Use of any declared entity, with full overloading resolution 119@end itemize 120Other rules are quite sophisticated: 121@itemize @bullet 122@item 123Control series of ``if''...''elsif'' that could be replaced by 124``case'' statements 125@item 126Verify usage of declarations (variables that should be constant, 127variables read but not written...) 128@item 129Control declarations that could be moved to a more reduced, internal 130scope 131@item 132Limit the call depth of a program (and diagnose recursive subprograms) 133@item 134Enforce a pattern that guarantees that exceptions are not handled 135silently 136@item 137Enforce a pattern for paired calls (like semaphore's ``P'' and ``V'') 138that guarantees that the closing call is always executed, even in 139presence of exceptions. 140@item 141Check that there is no aliasing between out parameters 142@item 143Ensure that no protected operation calls a potentially blocking operation 144@end itemize 145and much, much more... See @ref{Rules reference} for the complete 146reference for all possible controls. 147 148AdaControl is very simple to use. It takes, as parameters, a list of 149units to process and a list of commands that define the controls to 150apply. The complete syntax of the commands is described in chapter 151@ref{Command language reference}. 152 153AdaControl produces messages to the standard output, unless 154redirected. Several levels of messages are defined (i.e. error or found), 155depending on the kind of the control (i.e. check or search). 156 157Rules can be locally disabled for a part of the source code, and various 158options can be passed to the program. 159 160Ex: 161 162Given the following package: 163@example 164@b{package} Pack @b{is} 165 @b{pragma} Pure (Pack); 166 ... 167@b{end} Pack; 168@end example 169The following command: 170@example 171adactl -l "search pragmas (pure)" pack 172@end example 173produces the following result (displayed to standard output): 174@example 175pack.ads:2:4: Found: PRAGMAS: use of pragma Pure 176@end example 177 178AdaControl integrates nicely in environments such as GPS 179(@pxref{Running AdaControl from GPS}), AdaGide (@pxref{Running 180AdaControl from AdaGide}), or emacs (@pxref{Control kinds and report 181messages}). In those environments, you can run AdaControl from menus 182or by just clicking on a button! 183 184@node Support, History, Features, Introduction 185@section Support 186@subsection Commercial support 187Adalog provides commercial support for AdaControl. Support includes 188the following benefits: 189@itemize @bullet 190@item 191Help with installation procedures. 192@item 193Explanations regarding the use of the tool, and help for translating 194coding standards into AdaControl rules. 195@item 196Dedicated account into our BT system for priority handling of 197problem reports. 198@item 199Correction of problems encountered in the use of AdaControl. 200Pre-releases versions of AdaControl are provided for each corrected 201problem. 202@item 203Access to beta-versions before they are released 204@item 205Keeping in sync customer's own custom rules with the latest version of 206AdaControl. 207@item 208Reduced rate for on-demand development of custom rules. 209@item 210Priority consideration of enhancement requests. Satisfying enhancement 211requests is not part of the support contract; however, Adalog is 212constantly improving AdaControl, and suggestions originating from 213supported customers are given a high priority in our todo list. 214@end itemize 215 216Adalog cannot correct problems whose origin is due to compiler bugs or 217defects in the implementation of ASIS (contact your compiler provider 218for support on these problems). However, Adalog will do its best 219effort to find workarounds for such problems. 220 221In addition, Adalog can provide various services: 222@itemize @bullet 223@item 224Custom improvements to AdaControl, including application-specific 225rules; 226@item 227consulting services for defining coding standards; 228@item 229consulting services in all areas related to Ada, real-time, 230compilation, etc. See @url{http://www.adalog.fr/adalog2.htm,Adalog's site} for details. 231@end itemize 232 233For pricing information about support contract and other services, 234please contact @email{info@@adalog.fr}. 235 236@subsection Other support 237There is a Wiki for questions about AdaControl at @* 238@url{https://sourceforge.net/p/adacontrol/wiki/Home/}. This is the 239place to ask for information, make suggestions, or get help from the 240community. 241 242For problem reports, please create a ticket into our BT system at @* 243@url{https://sourceforge.net/p/adacontrol/tickets/}. 244 245@subsection Your support to us, too! 246If you enjoy AdaControl, there are several things you can do to help 247us continue and improve this nice project. 248@itemize @bullet 249@item 250Rate it, or even better post a review, on the 251@url{http://sourceforge.net/projects/adacontrol/reviews/,SourceForge 252review page} 253@item 254Click ``I use it'' from 255@url{http://www.adalog.fr/adacontrol2.htm,AdaControl's home page}. 256@item 257Rate it on @url{http://www.ohloh.net/p/11353?ref=sample, AdaControl's 258Ohloh page} 259@item 260Get a support contract, or encourage your company, your friends, or 261anybody else to get a support contract! 262@item 263Provide good ideas, new rules, suggestions for improvements... 264@end itemize 265And remember: developing AdaControl is an expensive effort (according 266to Ohlo's COCOMO model, it is worth 15 man.year of development). We 267need support from our users to keep it running! 268 269@node History, References, Support, Introduction 270@section History 271The development of AdaControl was initially funded by Eurocontrol 272(@url{http://www.eurocontrol.int}), which needed a tool to help in 273verifying the million+ lines of code that does Air Traffic Flow 274Management over Europe. Because it was felt that such a tool would 275benefit the community at-large, and that further improvements made by 276the community would benefit Eurocontrol, it was decided to release 277AdaControl as free software. Later, Eurocontrol, Belgocontrol, Alstom, 278Ansaldo (formerly CSEE-Transport), and SAGEM-DS sponsored the 279development of more rules. 280 281The requirements for AdaControl were written by Philippe Waroquiers 282(Eurocontrol-Brussels), who also conducted extensive testing of 283AdaControl over the Eurocontrol software. The software was developped 284by Arnaud Lecanu and Jean-Pierre Rosen (Adalog). Rules, improvements, 285etc. were contributed by Pierre-Louis Escouflaire (Adalog), Alain 286Fontaine (ABF consulting), Richard Toy (Eurocontrol-Maastricht), and 287Isidro Ilasa Veloso (GMV). AdaGide support and improvement of icons 288were contributed by Gautier de Montmollin. Emmanuel Masker (Alstom) 289and Yannick Duchene contributed to GPS integration. 290 291See file @code{HISTORY} for a description of the various versions of 292AdaControl, including enhancements of the current version over the 293previous ones. Users of a previous version are warned that the rules 294are not 100% upward-compatible: this is necessary to make the rules 295more consistent and easier to use. However, the incompatibilities are 296straightforward to fix and should affect only a very limited number of 297files. See @ref{Non upward-compatible changes} for details. 298 299@node References, , History, Introduction 300@section References 301@enumerate 302@item 303``On the benefits for industrials of sponsoring free software 304development'', @i{Ada User Journal}, Volume 26, number 4, december 2005 305 306@url{http://www.adalog.fr/publicat/Free-software.pdf} 307@item 308``A Comparison of Industrial Coding Rules'', @i{Ada User Journal}, 309Volume 29, number 4, december 2008 310 311@url{http://www.adalog.fr/publicat/coding-rules.pdf} 312@item 313``A Methodology for Avoiding Known Compiler Problems 314Using Static Analysis'', @i{proceedings of the ACM SIGAda Annual International Conference (SIGAda 2010)} 315 316@url{http://dl.acm.org/authorize?316395} 317@end enumerate 318 319@node Installation, Program Usage, Introduction, Top 320@chapter Installation 321Like any ASIS application, AdaControl can be run only if the compiler 322available on the system has exactly the same version as the one used 323to compile AdaControl itself. The executable distribution of 324AdaControl will work only with GNAT version GPL 2016, as distributed 325by AdaCore. If you are using any other version, please use the source 326distribution of AdaControl and compile it as indicated below. 327 328Another reason for using the source distribution of AdaControl is that 329the user may not be interested in all provided rules. It is very easy 330to remove some rules from AdaControl to increase its 331speed. @xref{Customizing AdaControl}. 332 333@menu 334* Building and installing AdaControl from source:: 335* Installing an executable distribution:: 336* Installing support for AdaGide:: 337@end menu 338 339@node Building and installing AdaControl from source, Installing an executable distribution, Installation, Installation 340@section Building and installing AdaControl from source 341This section is only for the source distribution of AdaControl. If you 342downloaded an executable distribution (and are using the latest 343version of GNAT GPL), you may skip to the next section. 344 345@anchor{Getting the correct version of the sources for your Gnat version} 346@subsection Getting the correct version of the sources for your Gnat version 347ASIS is continuously evolving to support Ada-2005/2012 features, and 348so is AdaControl. As a consequence, the full set of features of 349AdaControl is supported only with recent versions of Gnat, namely with 350GnatPRO 7.2.0 and GnatGPL-2013 (and higher). We refer to these 351versions as the ``new Gnat'', and we encourage all users to use the 352latest versions. 353 354Some user may however need to use an older version of Gnat. We provide 355also a version of AdaControl that is compatible with versions GnatPRO 3567.0.x and GnatGPL-2011 and older (before some incompatible -but 357necessary- changes in ASIS happened). We refer to these versions as 358the ``old Gnat''. 359 360The release whose distribution files start with ``adactl'' is for the 361new Gnat, and the one whose distribution files start with 362``adactl-old'' is for the old-gnat. Both versions provide the same 363features, except that controls related to Ada-2012 (or that depend on 364new features of ASIS) are not available in the old-gnat 365version. Moreover, the old-gnat version is now frozen, and will not 366receive any new features or improvements in the future, unless 367requested by a supported customer (such requests will be honoured as 368part of the support contract). See @ref{Support} for 369information on becoming a supported user. 370 371Note that intermediate releases of Gnat (GnatPRO-7.1.x, GnatGPL-2012) 372are not fully compatible with either of these distribution. Depending 373on exact version, problems may range from compilation errors to 374incorrect results in some rare (Ada 2012) cases. Compatible sources 375can be obtained from the Git repository of AdaControl on SourceForge 376(@url{http://adacontrol.sourceforge.net}). We will be happy to help 377our supported customers who must use one of these versions. 378 379@subsection Prerequisites 380The following software must be installed in order to compile 381AdaControl from source: 382@itemize 383@item 384A GNAT compiler, any version (but please consider @ref{Getting the 385correct version of the sources for your Gnat version} above). Note 386that the compiler must also be available on the machine in order to 387run AdaControl (all ASIS application need the compiler). 388@item 389ASIS for GNAT 390@item 391The GNATColl component (if support of .gpr files is desired) 392@end itemize 393 394Make sure to have the same version of GNAT and ASIS. The version used 395for running AdaControl must be the same as the one used to compile 396AdaControl itself. 397 398As mentionned above, support of Gnat .gpr projects requires the 399GNATColl component from AdaCore. If for some reason you don't want to 400include this component, it is possible to build AdaControl without 401this support. To do so, go to the @code{src} directory and: 402@itemize @bullet 403@item 404rename @code{implementation_options-i_options_from_gpr_project.adb} to 405@code{implementation_options-i_options_from_gpr_project_gpr.adb} 406@item 407rename 408@code{implementation_options-i_options_from_gpr_project_nogpr.adb} to 409@code{implementation_options-i_options_from_gpr_project.adb} 410@end itemize 411 412@subsection Build and install with installer (Windows) 413Run the installer (@code{adactl_src-setup.exe}). This will 414automatically build and install AdaControl, no other installation is 415necessary. 416 417@anchor{Build and install with project file} 418@subsection Build and install with project file 419Simply go to the root directory of the distribution and type: 420@example 421gprbuild build.gpr 422gprinstall build.gpr 423@end example 424You're done! 425 426Caveat (@i{old gnat only}): Due to a bug in some versions, if you are using GNATPro 4276.1.2 and above, you must set the variable GNAT_FIX to 1; i.e. invoke 428the command as: 429@example 430gprbuild -Pbuild.gpr -XGNAT_FIX=1 431@end example 432or if gprbuild is not available for your distribution: 433@example 434gnatmake -Pbuild.gpr -XGNAT_FIX=1 435@end example 436 437@subsection Build and install with Makefile 438It is also possible to build and install AdaControl with a regular 439Makefile, although it does little more than run the previous 440commands. This is mainly useful if you want to embed AdaControl into 441some distribution that uses Makefiles, or if you want to change the 442default compilation options (see comments in Makefile for details). 443 444Go to the root directory of the distribution and type: 445@example 446make build 447make install 448@end example 449 450It is also possible to delete object files and do other actions with 451this ``Makefile'', run the following command to get more information: 452@example 453make help 454@end example 455 456NOTE: Building AdaControl needs the ``make'' command provide with GNAT; it 457works both with WIN32 shell and UNIX shell. 458 459@subsection Manual installation 460Automatic install will place AdaControl's files in standard locations, 461in your Gnat installation tree. You can skip this section unless you 462want different locations (for example, if GPS is not installed in the 463Gnat tree). 464 465All you need to run AdaControl is the executable named @code{adactl} 466under Linux or @code{adactl.exe} under Windows. In addition, 467@code{pfni} (or @code{pfni.exe} under Windows) is a convenient 468utility, required by the GPS support. @xref{pfni}. Copy these 469executables (found in the root directory of the distribution) to any 470convenient directory on your path. 471 472To also add AdaControl support to GPS, copy the file 473@code{GPS/adacontrol.xml} into the @code{<GNAT_dir>/share/gprconfig} 474directory; copy all other files from the @code{GPS} directory into the 475@code{<GPS_dir>/share/gps/plug-ins} directory. Copy also HTML files 476from the @code{doc} directory into the 477@code{<GPS_dir>/share/doc/gps/html} to access AdaControl's guides from 478the "Help" menu of GPS. 479 480@subsection Build with a compiler other than GNAT 481It should be possible to compile AdaControl with other compilers than 482GNAT, although we didn't have an opportunity to try it. If you have 483another compiler that supports ASIS, note that it may require some 484easy changes in the package @code{Implementation_Options} to give 485proper parameters to the @code{Associate} procedure of ASIS. Rules 486that need string pattern matchings need the package 487@code{Gnat.Regpat}. If you compile AdaControl with another compiler, 488you can either port @code{Gnat.Regpat} to your system, or use a 489(limited) portable implementation of a simple pattern matching 490(package @code{String_Matching_Portable}). Edit the file 491@code{string_matching.ads} and change it as indicated in the comments. 492No other change should be necessary. 493 494Alternatively, if you are using another compiler, you can try and 495compile your program with GNAT just to be able to run 496AdaControl. However, compilers often differ in their support of 497representation clauses, which can cause your program to be rejected by 498GNAT. In that case, we provide a sed script to comment-out all 499representation clauses; this can be sufficient to allow you to use 500AdaControl. @xref{unrepr.sed}. 501 502@subsection Testing AdaControl 503Testing AdaControl needs a UNIX shell, so it works only with UNIX 504systems. However, it is possible to run the tests on a WIN32 system 505by using an UNIX-like shell for WIN32, such as those provided by 506CYGWIN or MSYS. To run the tests, enter the following commands: 507@example 508cd test 509./run.sh 510@end example 511 512All tests must report PASSED. If they don't, it may be due to one of 513the following issues: 514@itemize 515@item 516You are using an old version of GNAT. AdaControl runs without any 517known problem (and it has been checked against the whole ACATS) only 518with the latest GNATPro and GNATGPL versions; earlier versions are 519known to have bugs and unimplemented features that will not allow 520AdaControl to run correctly in some cases. We strongly recommend to 521always use the most recent version of GNAT. 522@item 523You run an old-gnat version of AdaControl with GNATPro (6.1.2 and 524above) and you forgot to specify the ``-XGNAT_FIX=1'' 525option. @xref{Build and install with project file}. 526@item 527It may happen that the test @code{tfw_help} reports ``FAILED'' because 528it includes a check on the version of AdaControl, and the version 529string refers to a different version of Gnat. The only difference (you 530can see it by typing ``d'' when prompted for checking the differences) 531should be the name of the compiler. 532@end itemize 533 534@anchor{Customizing AdaControl} 535@subsection Customizing AdaControl 536If there are some rules that you are not interested in, it is very easy 537to remove them from AdaControl: 538@enumerate 539@item 540In the @code{src} directory, edit the file 541@code{framework-plugs.adb}. There is a @code{with} clause for each 542rule (children of package @code{Rules}). Comment out the ones you 543don't want. 544@item 545Recompile @code{framework-plugs.adb}. There will be error messages 546about unknown procedure calls. Comment out the corresponding lines. 547@item 548Compile AdaControl normally. That's all! 549@end enumerate 550 551It is also possible to add new rules to AdaControl. If your favorite 552rules are not currently supported, you have several options: 553@enumerate 554@item 555If you have some funding available, please contact 556@url{mailto::info@@adalog.fr,,info@@adalog.fr}. We'll be happy to 557make an offer to customize AdaControl to your needs. 558@item 559If you @i{don't} have funding, but have some knowledge of ASIS 560programming, you can add the rule yourself. We have made every effort 561to make this as simple as possible. Please refer to the AdaControl 562programmer's manual for details. If you do so, please send your rules 563to @url{mailto::rosen@@adalog.fr,,rosen@@adalog.fr}, and we'll be 564happy to integrate them in the general release of AdaControl to make them 565available to everybody. 566@item 567If you have good ideas, but don't feel like implementing them yourself 568(nor financing them), please send a note to 569@url{mailto::rosen@@adalog.fr,,rosen@@adalog.fr}. We will eventually 570incorporate all good suggestions, but we can't of course commit to any 571dead-line in that case. 572@end enumerate 573 574@node Installing an executable distribution, Installing support for AdaGide, Building and installing AdaControl from source, Installation 575@section Installing an executable distribution 576If you downloaded the Windows installer executable version of 577AdaControl, simply run @code{adactl_exe-setup.exe}. This will install 578all the files in the recommended locations (as has been done with the 579Windows installer source version), including GPS support if you have 580GPS installed and/or AdaGide support if you have AdaGide installed. 581 582Otherwise, go to the root directory of the installation and type: 583@example 584gprinstall build.gpr 585@end example 586 587This will install the executables and the GPS support in the standard 588locations (the Gnat directory). However, if you are using AdaGide, the 589support will have to be installed manually as explained below. 590 591@node Installing support for AdaGide, , Installing an executable distribution, Installation 592@section Installing support for AdaGide 593To add AdaControl support to AdaGide, copy the file 594@code{AdaControl.tdf} from the @code{AdaGide} directory of the 595distribution into AdaGide's root directory. Note that AdaControl 596support requires AdaGide version 7.42 or above. 597 598@node Program Usage, Command language reference, Installation, Top 599@chapter Program Usage 600AdaControl is a command-line program, i.e. it is normally called 601directly from the system shell. @i{Options} are introduced by a ``-'' 602followed by a letter and can be grouped as usual. Some options take 603the following word on the command line as a value; such options must 604appear last in a group of options. @i{Parameters} are words on the command 605line that stand by themselves. Options and parameters can be given in 606any order. 607 608The syntax for invoking AdaControl in regular mode is: 609@example 610adactl [-deEirsTuvwx] 611 [-p <project file>] [-f <rules file>] [-l <rules list>] 612 [-o <output file>] [-t <trace file>] [-F <format>] 613 [-S <statistics level>] [-m <warning limit>] [-M <message limit>] 614 @{<unit>[+|-<unit>]|[@@]<file>@} [-- <ASIS options>] 615@end example 616 617AdaControl can process Ada-2012 as well as Ada-95 programs, even if 618there are currently few Ada-2012 related controls - but we hope to 619improve that situation in the near future. 620 621If you are using Ada-2005 (or Ada-2012) features, make sure that GNAT 622is set up for Ada-2005/2012 (this is the default for GNAT-GPL). Due to 623technical reasons, the -gnat05 option cannot be passed to the compiler 624in ``compile on the fly'' mode, but you can do any of the following: 625@itemize 626@item 627have a ``gnat.adc'' file in the current directory that contains a 628@code{@b{pragma} Ada_05;} (or @code{@b{pragma} Ada_12;}) 629@item 630put a @code{@b{pragma} Ada_05} (or @code{@b{pragma} Ada_12;}) on top 631of every compilation unit that uses Ada-2005/2012 features; 632@item 633generate the tree files manually (@pxref{Generating tree files 634manually}) with the ``-gnat05'' (or ``-gnat12)'') option. Note that 635this allows you to pass any other GNAT option as well. 636@end itemize 637 638Note that if your program is pure Ada-95 and you are using a version 639of GNAT where Ada-2005 is the default (especially GNAT-GPL), and in 640the rare cases where your program would not compile in Ada-2005 mode 641(notably if you have a function that returns a task type), you can 642force Ada-95 the same way by using @code{@b{pragma} Ada_95} instead. 643 644@menu 645* Command line parameters and options:: 646* Return codes:: 647* Environment variable and default settings:: 648* Interactive mode:: 649* Other execution modes:: 650* Running AdaControl from GPS:: 651* Running AdaControl from AdaGide:: 652* Helpful utilities:: 653* Optimizing Adacontrol:: 654* In case of trouble:: 655@end menu 656 657@node Command line parameters and options, Return codes, Program Usage, Program Usage 658@section Command line parameters and options 659@menu 660* Input units:: 661* Commands:: 662* Output file:: 663* Output format:: 664* Output limits:: 665* Project files:: 666* Local disabling control:: 667* Verbose and debug mode:: 668* Treatment of warnings:: 669* Exit on error:: 670* ASIS options:: 671@end menu 672 673@node Input units, Commands, Command line parameters and options, Command line parameters and options 674@subsection Input units 675Units to be processed are given as parameters on the command 676line. Note that they are Ada @emph{compilation unit} names, not 677@emph{file names}: case is not significant, and there should be no 678extension! Child units are allowed following normal Ada naming rules: 679@code{Parent.Child}, but be aware that specifying a child unit will 680automatically include its parent unit in the analysis. Subunits are 681processed during the analysis of the including unit; there is 682therefore no need to specify subunits explicitely. If you do specify a 683subunit explicitly, it will result in the whole enclosing unit being 684analyzed. 685 686However, as a convenience to the user, units can be specified as file 687names, provided they follow the default GNAT naming convention. More 688precisely, if a parameter ends in ``.ads'' or ``.adb'', the unit name 689is extracted from it (and all ``-'' in the name are substituted with 690``.''). File names can include a path; in this case, the path is 691automatically added to the list of directories searched (``-I'' ASIS 692option). The file notation is convenient to process all units in a 693directory, as in the following example: 694@example 695adactl -f my_rules.aru *.adb 696@end example 697 698In the unlikely case where you have a child unit called @code{Ads} or 699@code{Adb}, use the ``-u'' option to force interpretation of all 700parameters as unit names. 701 702By default, both the specification and body of the unit are processed; 703however, it is possible to specify processing of the specification 704only by providing the ``-s'' option. If only file names are given, the 705``-s'' option is assumed if all files are specifications (``.ads'' 706files). It is not possible to specify processing of bodies only, since 707rules dealing with visibility would not work. 708 709The ``-r'' option tells AdaControl to process (recursively) all user 710units that the specified units depend on (including parent units if 711the unit is a child unit or a subunit). Predefined Ada units and units 712belonging to the compiler's run-time library are never processed. 713 714Ex: 715@example 716adactl -r -f my_rules.aru my_main 717@end example 718will process @code{my_main} and all units that @code{my_main} depends 719on. If @code{my_main} is the main procedure, this means that the whole 720program will be processed. 721 722If both options ``-r'' and ``-s'' are given, then AdaControl will 723process all units given on the command line, plus (recursively) the 724specifications (but not the bodies) of all units that the given units 725depend on. In short, it will process the minimal transitive closure of 726all compilation units that are necessary to compile the units given on 727the command line. 728 729It is possible to specify more than one unit (not file) to process in 730a parameter by separating the names with ``+''. Conversely, it is 731possible to specify units that are @i{not} to be processed, separated 732by ``-''. When a unit is subtracted from the unit list, it is never 733processed even if it is included via the recursive option, and all its 734child and separate units are also excluded. This is convenient to 735avoid processing reusable components, that are not part of a 736project. For example, if you want to run AdaControl on itself, you 737should use the following command: 738@example 739adactl -f my_rules_file.aru -r adactl-asis-a4g 740@end example 741This applies the rules from the file @code{my_rules_files.aru} to 742AdaControl itself, but not to units that are part of ASIS (units 743@code{Asis}, @code{A4G}, and their children) that would be found by 744the ``-r'' (recursive) option otherwise. 745 746Alternatively, it is possible to provide units indirectly with a 747parameter consisting of an ``@@'' followed by the name of a file. This 748file must contain a list of unit names (not files), one on each 749line. Only the first ``word'' of the line is considered, 750i.e. everything after the first blank is ignored. This can be useful 751to annotate unit names. All units whose names are given in the file 752will be processed. If a name in the file starts with ``@@'', it will 753also be treated as an indirect file (i.e. the same process will be 754invoked recursively). If a line in the file starts with ``#'' or 755``-@w{}-'', it is ignored. This can be useful to temporarily disable 756the processing of some files or to add comments. 757 758Ex: 759@example 760adactl -f my_rules.aru @@unit_file.txt 761@end example 762 763@node Commands, Output file, Input units, Command line parameters and options 764@subsection Commands 765Commands specify which processing AdaControl should apply to 766units. See @ref{Command language reference} for a detailed description 767of all commands. 768 769Commands can be given directly on the command line with the ``-l'' 770option. A commands list must be quoted with ``"''. 771 772Ex: 773@example 774adactl pack.ads proc.adb -l "check instantiations (My_Generic);" 775@end example 776It is possible to pass several commands separated by ``;'', 777but as a convenience to the user, the last ``;'' may be omitted. 778 779Commands can also be read from a file, whose name is given after the 780``-f'' option (the ``@code{.aru}'' extension is taken by default). As 781a special case, if the file name is ``-'', commands are read from the 782standard input. This is intended to allow AdaControl to be pipelined 783behind something that generates commands; if you want to type commands 784directly to AdaControl, the interactive mode is more 785appropriate. @xref{Interactive mode}. 786 787Ex: 788@example 789adactl -f my_rules.aru proc.adb 790@end example 791 792Note that the ``-l'' and ``-f'' options are @i{not} exclusive: if both 793are specified, the commands to be performed include those in the file 794(first) and then those given on the command line. 795 796@node Output file, Output format, Commands, Command line parameters and options 797@subsection Output file 798Messages produced by controls are output to the output file; by 799default, it is the standard output, but it can be changed by 800specifying the ``-o'' option. 801 802Ex: 803@example 804adactl -f my_rules.aru -o my_output.txt proc.adb 805@end example 806If the output file exists, new messages are appended to it. This 807allows running AdaControl under several directories that make up the 808project, and gathering the results in a single file. However, if the 809``-w'' option is given, AdaControl overwrites the output file if it 810exists. 811 812All other messages, including syntax error messages, units processed 813(in verbose mode), and possible internal error mesages from AdaControl 814itself are output to the standard error file. 815 816@node Output format, Output limits, Output file, Command line parameters and options 817@subsection Output format 818The ``-F'' option selects the output format. It must be followed by 819``Gnat'', ``Gnat_Short'', ``CSV'', ``CSV_Short'', ``Source'', 820``Source_Short'', or ``None'' (case insensitive). By default, the output 821is in ``Gnat'' format. See @ref{Control kinds and report messages} for 822details. 823 824The ``-S'' option selects which statistics are output after each 825run. It must be followed by a value in the range 0..3. See 826@ref{Control kinds and report messages} for details on the various 827statistics levels. 828 829The ``-T'' option prints a summary of timing at the end of each run. This 830indicates how long (in real-time seconds) was spent in processing each rule. 831 832Ex: 833@example 834adactl -F CSV -S 2 -f my_rules.aru -o my_output.csv proc.adb 835@end example 836 837@node Output limits, Project files, Output format, Command line parameters and options 838@subsection Output limits 839The ``-m'' and ``-M'' options are used to limit the output of 840AdaControl. These options are followed by an integer value that 841specifies the maximum number of error messages (``-m'') or warning and 842error messages (``-M''). If the value is omitted, a previous 843limitation (comming for example from a command file) is cancelled. 844 845If the indicated number of messages is exceeded during a run, 846AdaControl stops immediately. 847 848@node Project files, Local disabling control, Output limits, Command line parameters and options 849@subsection Project files 850Starting with version 1.18, AdaControl supports GNAT project files 851(``.gpr''). The ``-p'' option is used to provide the name of a project 852file; Ada units to analyze will be searched in all ``source_dirs'' 853specified in the project file or one of the projects it depends on 854(directly or indirectly). 855 856Ex: 857@example 858adactl -f my_rules.aru -p proj.gpr proc.adb 859@end example 860 861Alternatively, an old emacs project file (the file with a ``.adp'' 862extension used by the Ada mode of Emacs and older versions of 863AdaControl) can also be specified with the `` -p'' option. AdaControl 864will consider all the directories mentioned in ``src_dir'' lines from 865the project file. 866 867@node Local disabling control, Verbose and debug mode, Project files, Command line parameters and options 868@subsection Local disabling control 869The ``-i'' option tells AdaControl to ignore disabling markers in Ada 870source code (@pxref{Disabling controls}); i.e. all controls will be 871performed, regardless of the presence of disabling markers. This is 872equivalent to the command ``@code{set ignore ON;}''. Note that if you 873have many messages, setting this option can speed-up AdaControl 874considerably. It is therefore advisable to always set this option 875when you know that there is no disabling marker in your source code. 876 877The ``-j'' option tells AdaControl to invert the meaning of disabling 878markers, i.e. only messages marked as disabled will be printed. This 879is useful to check which messages have been disabled. This is 880equivalent to the command ``@code{set ignore INVERTED;}''. 881 882@node Verbose and debug mode, Treatment of warnings, Local disabling control, Command line parameters and options 883@subsection Verbose and debug mode 884In the default mode, AdaControl displays only messages from triggered 885controls. It is possible to get more information with the verbose 886option (``-v''). In this mode, AdaControl displays a a progress 887indicator and unit names as they are processed, and its global 888execution time when it finishes. Note that the progress indicator 889includes an indication of the run number if there are more than one 890``go'' command. 891 892The ``-d'' option enables debug mode. This mode provides more 893information in case of an internal program error, and is of little 894interest for the casual user. Note that if you hit Ctrl-C in debug 895mode, AdaControl aborts with a message telling the currently active 896rule and module. This can be useful if you suspect AdaControl to be 897stuck in an infinite loop. 898 899In debug mode, AdaControl may also, in rare occasions (and only with 900some versions of GNAT), display ASIS ``bug boxes''; this does not mean 901that something went wrong with the program, but simply that an ASIS 902failure was properly recovered by AdaControl. 903 904Output of the messages printed by the ``-d'' option can be directed to 905a ``trace'' file (instead of being printed to the standard error 906file). This is done by the ``-t'' option, which must be followed by 907the file name. If the trace file exists, new messages are appended to 908it. 909 910@node Treatment of warnings, Exit on error, Verbose and debug mode, Command line parameters and options 911@subsection Treatment of warnings 912The ``-e'' option tells AdaControl to treat warnings as errors, 913i.e. to report a return code of 1 even if only ``search'' controls 914were triggered. @xref{Return codes}. It does not change the messages 915however. 916 917Conversely, the ``-E'' option tells AdaControl to @i{not} report 918warnings at all, i.e. only errors are reported. However, if you ask 919for statistics, the number of warning messages is still 920counted. @xref{Control kinds and report messages}. 921 922@node Exit on error, ASIS options, Treatment of warnings, Command line parameters and options 923@subsection Exit on error 924If an internal error is encountered during the processing of a unit, 925AdaControl will do its best effort to recover and to continue to 926process other units. However, if the ``-x'' option is given, 927AdaControl will stop on the first error encountered. This option is 928mainly useful if you want to debug AdaControl itself (or your own 929rules). @xref{In case of trouble}. 930 931Ex: 932@example 933adactl -x -f my_rules.aru proc.adb 934@end example 935 936@node ASIS options, , Exit on error, Command line parameters and options 937@subsection ASIS options 938Everything that appears on the command line after ``-@w{}-'' will be 939treated as an ASIS option, as described in the ASIS user manual. 940 941Casual users don't need to care about ASIS options, except in one 942case: if you are running AdaControl from the command line (not from 943GPS), and if the units that you are processing reference other units 944whose source is not in the same directory, AdaControl needs to know 945how to access these units (as GNAT would). This can be done either by 946using a project file with the ``-p'' option (see @ref{Project 947files}), by putting the appropriate directories into the 948ADA_INCLUDE_PATH environment variable, or by passing ``-I'' options to 949ASIS. 950 951It is possible to pass one or several ``-I'' options to ASIS, to 952provide other directories where sources can be found. The syntax is 953the same as the ``-I'' option for GNAT. 954 955Other ASIS options, like the ``-Cx'' and/or ``-Fx'' options, can be 956specified. Most users can ignore this feature; however, specifying 957these options can improve the processing time of big 958projects. @xref{Optimizing Adacontrol}. 959 960@node Return codes, Environment variable and default settings, Command line parameters and options, Program Usage 961@section Return codes 962In order to ease the automation of controlling programs with shell 963scripts, AdaControl returns various error codes depending on how 964successful it was. Values returned are: 965@itemize 966@item 9670: At most ``search'' controls (i.e. warnings) were triggered (no control 968at all with ``-e'' option) 969@item 9701: At least one ``check'' control (i.e. error) was triggered (or at 971least one ``search'' or ``check'' control with ``-e'' option) 972@item 9732: AdaControl was not run due to a syntax error in the rules or in the 974specification of units. 975@item 97610: There was an internal failure of AdaControl. 977@end itemize 978 979@node Environment variable and default settings, Interactive mode, Return codes, Program Usage 980@section Environment variable and default settings 981If the environment variable ``ADACTLINI'' is set, its content is taken 982as a set of commands (separated by semi-colons) that are executed 983before any other command. Although any command can be specified, this 984is intended to allow changing default settings with ``set'' 985commands. @xref{Set command}. 986 987For example, you can set ADACTLINI to ``set format Gnat_Short'' if you 988prefer having you messages in short format rather than the (default) 989long format. 990 991@node Interactive mode, Other execution modes, Environment variable and default settings, Program Usage 992@section Interactive mode 993The ``-I'' option tells AdaControl to operate interactively. In this 994mode, commands specified with ``-l'' or ``-f'' options are first 995processed, then AdaControl prompts for commands on the terminal. Note 996that the ``quit'' command (@pxref{Quit command}) is used to terminate 997AdaControl. 998 999The syntax of commands run interactively is exactly the same as the 1000one used for files; especially, each command must be terminated with a 1001``;''. Note that the prompt (``Command:'') becomes ``.......:'' when 1002AdaControl requires more input because a command is not completely 1003given, and especially if you forget the final ``;''. 1004 1005As with files, it is possible to give several commands on a single 1006line in interactive mode. If a command contains syntax errors, all 1007``go'' commands (@pxref{Go command}) on the same line are temporarily 1008disabled. Other commands that do not have errors are normally 1009processed however. 1010 1011The interactive mode is useful when you want to do some analysis of 1012your code, but don't know beforehand what you want to control. Since 1013the ASIS context is open only once when the program is loaded, queries 1014will be much faster than running AdaControl entirely with a new query 1015given in a ``-l'' option each time. It is also useful to experiment 1016with AdaControl, and to check interactively commands before putting 1017them into a file. 1018 1019@node Other execution modes, Running AdaControl from GPS, Interactive mode, Program Usage 1020@section Other execution modes 1021In addition to normal usage, AdaControl features special options to 1022ease its use; no Ada unit is analyzed when using these options. 1023 1024@menu 1025* Getting help:: 1026* Checking commands syntax:: 1027* Generating a units list:: 1028@end menu 1029 1030@node Getting help, Checking commands syntax, Other execution modes, Other execution modes 1031@subsection Getting help 1032The ``-h'' option provides help about Adacontrol usage. If the ``-h'' 1033option is given, no other option is analyzed and no further processing 1034happens. 1035 1036Syntax: 1037@example 1038adactl -h [<keyword> | <rule name> | variables ["<pattern>"] ...] 1039<keyword> ::= all | commands | license | list | 1040 options | rules | version 1041@end example 1042 1043The ``-h'' option without parameter displays a help message about usage of the 1044AdaControl program, the various options, and the rule names. 1045 1046Otherwise, the ``-h'' must be followed by one or several keywords or 1047rule names (case irrelevant); its effect is: 1048@itemize @bullet 1049@item 1050<rule name>: if <rule name> is exactly the name of rule, display the 1051help message for the indicated rule. Otherwise, <rule name> is 1052interpreted as a pattern, and help messages for all rules that match 1053the pattern is displayed. Patterns are given using the full 1054Regexp syntax. @pxref{Syntax of regular expressions} for details. 1055@item 1056``variables'' lists the values of all variables whose name matches <pattern>, 1057or all variables if there is no <pattern>. Patterns are given using the full 1058Regexp syntax. @pxref{Syntax of regular expressions} for details. 1059@item 1060``all'': display the help message for all rules. 1061@item 1062``commands'': display a summary of all commands 1063@item 1064``license'': display the license information 1065@item 1066``list'': display the names of all rules (note that ``rules'' also 1067displays the list of rules, in a prettier format; the ``list'' option 1068is mainly useful for the integration of AdaControl into GPS). 1069@item 1070``options'': display help about the command-line options 1071@item 1072``rules'': display the names of all rules. 1073@item 1074``version'': display AdaControl and ASIS implementation version numbers. 1075@end itemize 1076 1077Ex: 1078@example 1079adactl -h pragmas Unnecessary_Use_Clause 1080adactl -h all 1081adactl -h version license 1082adactl -h stat 1083@end example 1084Note in the last example that ``stat'' is not the name of a rule; it 1085is therefore interpreted as a pattern, and help will be displayed for 1086all rules that include the string ``stat'' in their name. This can be 1087very convenient to retrieve the name of a rule if you don't remember 1088exactly how it is spelled. 1089 1090@node Checking commands syntax, Generating a units list, Getting help, Other execution modes 1091@subsection Checking commands syntax 1092The ``-C'' option is used to check syntax of commands without 1093executing any control. 1094 1095Syntax: 1096@example 1097adactl -C [-dv] [-f <rules file>] [-l <rules list>] 1098@end example 1099 1100In this mode, AdaControl simply checks the syntax of the commands 1101provided with the ``-l'' option, or of the commands provided in the 1102file named by the ``-f'' option (at least one of these options must be 1103provided). No other processing will happen. 1104 1105AdaControl will exit with a return code of 0 if the syntax is correct, 1106and 2 if any errors are found. A confirming message that no errors 1107were found is output if the ``-v'' option is given. 1108 1109This option is especially useful when you have modified a rules file, 1110before trying it on many units. The way AdaControl works, it must open 1111the ASIS context (a lengthy operation) @i{before} analyzing the 1112rules. This option can therefore save a lot of time if the rules file 1113contains errors. 1114 1115@node Generating a units list, , Checking commands syntax, Other execution modes 1116@subsection Generating a units list 1117The ``-D'' options produces a list of units that can be reused as an 1118indirect file in later runs. 1119 1120Syntax: 1121@example 1122adactl -D [-rsvw] [-o <output file>] [-p <project file>] 1123 @{<unit>[+|-<unit>]|[@@]<file>@} [-- <ASIS options>] 1124@end example 1125In this mode, AdaControl outputs the list of units that would be 1126processed. It is especially useful when used with the ``-r'' option 1127and given the main unit name, since it will then generate the whole 1128dependencies list (hence the name ``D''), i.e. the list of units that 1129are part of the program. However, if -D is used with -s, the list 1130includes only transitive dependencies from the specifications of 1131required units (but not from their bodies). This is the list of all 1132units required to compile the given units. 1133 1134The list can be directed to a file with the ``-o'' option (if the 1135file exists, it won't be overwritten unless the ``-w'' option is 1136specified). This file can then be used in an indirect list of 1137units. @xref{Input units}. Note that it is more efficient to create 1138the list of units once and then use the indirect file than to specify 1139all applicable units or use the ``-r'' option each time AdaControl is 1140run. 1141 1142@subsubsection Limitation 1143If you use the ``-Drs'' option to generate the minimum set of required 1144units to compile the given unit, note that some units may still be 1145missing when the compiler requires the presence of a body due to 1146inlining of subprograms or generic instantiations. These units depend 1147on the compiler and cannot be computed from the text of the program 1148alone. 1149 1150@node Running AdaControl from GPS, Running AdaControl from AdaGide, Other execution modes, Program Usage 1151@section Running AdaControl from GPS 1152AdaControl integrates nicely into GPS, making it even easier to 1153use. It can be launched from menu commands, and parameters can be set 1154like any other GPS project parameters. When run from within GPS, 1155AdaControl will automatically retrieve all needed directories from the 1156current GPS project. 1157 1158After running AdaControl, the ``locations'' panel will open, and you 1159can retrieve the locations of errors from there, just like with a 1160regular compilation. Errors will be marked in red in the source, 1161warning will be marked orange, and you will have corresponding marks 1162showing the places of errors and warnings in the speedbar. Note that 1163AdaControl errors appear under the ``AdaControl'' category, but if 1164there were compilation errors, they will appear under the 1165``Compilation'' category. Final counts from ``count'' control kinds will 1166appear under the ``Counts summary'' category, and statistics under the 1167``Statistics'' category. 1168 1169@menu 1170* The AdaControl menu and buttons:: 1171* Contextual menu:: 1172* AdaControl switches:: 1173* AdaControl preferences:: 1174* AdaControl language:: 1175* AdaControl help:: 1176* Caveat:: 1177@end menu 1178 1179@node The AdaControl menu and buttons, Contextual menu, Running AdaControl from GPS, Running AdaControl from GPS 1180@subsection The AdaControl menu and buttons 1181GPS now features an ``AdaControl'' menu, with several submenus: 1182@itemize @bullet 1183@item 1184``Control Current File (rules file)'' runs AdaControl on the currently 1185edited file, with rules taken from the current rules file; this menu 1186is greyed-out if no rules file is defined, if no file window is 1187currently active, or if the associated language is not ``Ada''. The 1188name of the rules file can be set from the ``Library'' tab from the 1189``Project/Edit Project Properties'' menu. 1190@item 1191``Control Root Project (rules file)'' runs AdaControl on all units 1192that are part of the root project, with rules taken from the current 1193rules file; this menu is greyed-out if no rules file is defined. The 1194name of the rules file can be set from the ``Library'' tab from the 1195``Project/Edit Project Properties'' menu. 1196@item 1197``Control Units from List (rules file)'' runs AdaControls on units 1198given in a indirect file, with rules taken from the current rules 1199file. This menu is greyed-out if no rules file is defined or if no 1200indirect file is defined. The name of the rules file and of the 1201indirect file can be set from the ``Library'' tab from the 1202``Project/Edit Project Properties'' menu. 1203@item 1204``Control Current File (interactive)'' runs AdaControl on the 1205currently edited file, with a rule asked interactively from a pop-up; 1206this menu is greyed-out if no file window is currently active, or if 1207the associated language is not ``Ada''. 1208@item 1209``Control Root Project (interactive)'' runs AdaControl on all units 1210that are part of the root project, with a rule asked interactively 1211from a pop-up. 1212@item 1213``Control Units from List (interactive)'' runs AdaControls on units 1214given in a indirect file, with a rule asked interactively from a 1215pop-up. This menu is greyed-out if no indirect file is defined. The 1216name of the indirect file can be set from the ``Library'' tab from the 1217``Project/Edit Project Properties'' menu. 1218@item 1219``Check Rules File'' checks the syntax of the current rules file. This 1220menu is deactivated if the current window does not contain an 1221AdaControl rules file. 1222@item 1223``Open Rules File'' opens the rules file. This menu is deactivated if 1224there is no current rules file defined. 1225@item 1226``Open Units File'' opens the units file. This menu is deactivated if 1227there is no current units file defined. 1228@item 1229``Create units file'' creates a text file containing all units (not 1230files) names from the current root project. This file is appropriate 1231as an indirect file for the ``... from list'' commands. 1232@item 1233``Create .adp project'' creates an Emacs-style project file from the 1234current GPS project. This is of little interest now that AdaControl 1235accepts GPS project files directly, and is still provided for 1236compatibility with older versions of AdaControl. @xref{Project files}. 1237@item 1238``Delete Tree Files'' removes existing tree files from the current 1239directory. This is convenient when AdaControl complains that the tree 1240files are not up-to-date. Note that you can set the preferences for 1241automatic deletion of tree files after each run (see below). Note that 1242the name of this menu is changed to ``Delete Tree and .ali Files'' if 1243you have chosen to delete .ali files in the preferences (see below). 1244@item 1245``Load results file'' loads in the location window the result file 1246obtained from a previous run of AdaControl. The file must have been 1247produced with the ``Gnat'' or ``Gnat_Short'' format. @xref{Control kinds 1248and report messages}. 1249@end itemize 1250 1251There are also two buttons representing Lady Ada in a magnifier glass 1252in the toolbar, one with a red question mark in the background. These 1253buttons launch AdaControl, by default on the file currently being 1254edited; however, you can change this behaviour from the preferences to 1255control either files from a list, or all files from the project. The 1256button without the question mark uses rules from the current rules 1257file, while the one with the question mark asks for the control to 1258apply interactively. 1259 1260Here are some tips about using the ``interactive'' menus (or the 1261button with the question mark): 1262@itemize @bullet 1263@item 1264When you use the ``interactive'' menus several times, the 1265previously entered command(s) is used as a default. 1266@item 1267You can enter any command from AdaControl's language in the dialog; 1268you can even enter several commands separated by ``;''. 1269@item 1270Especially, if you want to run AdaControl with a rules file that is 1271not the one defined by the switches, you can use one of the 1272``interactive'' commands, and give ``source <file name>'' as the 1273command. 1274@end itemize 1275 1276@node Contextual menu, AdaControl switches, The AdaControl menu and buttons, Running AdaControl from GPS 1277@subsection Contextual menu 1278AdaControl adds two entries to the contextual menus (right click) of 1279Ada files. They call the @code{pfni} utility on the current 1280entity. @xref{pfni}. The entry ``Print full name'' displays the full 1281name of the entity in simple form, while the entry ``Print full name 1282(with overloading)'' ) prints it with overloading information. If the 1283name refers to an entity which is initialized (or to a parameter with 1284a default value), the initial value is printed. If the entity is a 1285discrete type, its range is printed. If the entity is an array type, 1286the ranges of its indices are printed. 1287 1288This is convenient to find how to name entities in rule 1289files. @xref{Specifying an Ada entity name}. It is also convenient to 1290find where an entity is declared, and which of several overloaded 1291entities is being referred to. 1292 1293This is also convenient to find the actual value of a constant from 1294anywhere in the program text, since the printed value is completely 1295evaluated if it is a (static) expression. 1296 1297@node AdaControl switches, AdaControl preferences, Contextual menu, Running AdaControl from GPS 1298@subsection AdaControl switches 1299The tab ``switches'' from the ``Project/Edit Project Properties'' menu 1300includes a page for AdaControl, which allows you to set various 1301parameters. Since the GPS interface analyzes the output of AdaControl, 1302you should not set options directly in the bottom window of this page 1303(the one that displays the actual options passed to AdaControl). 1304 1305@subsubsection Files 1306This section controls the definition of various files used by AdaControl. 1307@itemize @bullet 1308@item 1309``Rules file''. This is the name of a file that contains the 1310definition of the controls to be applied to your project. This file is 1311required for all ``control (rules file)'' commands. 1312@item 1313``Units file''. This is the name of a file that contains the list of 1314units to be controlled. This file is required for all ``control from 1315list'' commands. 1316@end itemize 1317 1318@subsubsection Processing 1319This section offers options that control how units are processed. 1320@itemize @bullet 1321@item 1322``Recursive mode''. This sets the ``-r'' option. @xref{Input units}. 1323@item 1324``Ignore local deactivation''. This sets the ``-i'' 1325option. @xref{Local disabling control}. 1326@item 1327``Process specs only''. This sets the ``-s'' option. @xref{Input 1328units}. 1329@item 1330``Compilation unit mode''. This sets the ``-u'' option. @xref{Input 1331units}. 1332@end itemize 1333 1334@subsubsection Debug 1335This section controls the debugging options of AdaControl. 1336@itemize @bullet 1337@item 1338``Debug messages''. This sets the ``-d'' option. @xref{Verbose and 1339debug mode}. 1340@item 1341``Halt on error''. This sets the ``-x'' option. @xref{Exit on error}. 1342@end itemize 1343 1344@subsubsection Output 1345This section offers options that control where and how the output of 1346AdaControl is displayed. 1347@itemize @bullet 1348@item 1349``Display only errors''. This sets the ``-E'' option. @xref{Treatment 1350of warnings}. 1351@item 1352``Warnings as errors''. This sets the ``-e'' option. @xref{Treatment 1353of warnings}. 1354@item 1355``Statistics''. This sets the ``-S'' option from a pull-down 1356menu. @xref{Control kinds and report messages}. 1357@item 1358``Send results to GPS''. When checked (default), the output of 1359AdaControl is sent to the ``locations'' window of GPS. 1360@item 1361``Send results to File''. When checked, the output of AdaControl is 1362sent to the file indicated in the box below. 1363@item 1364``Send results to File and GPS''. When checked, the output of 1365AdaControl is sent to the file indicated in the box below, and the 1366content of the file is then automatically reloaded in the 1367``locations'' window of GPS. If this option is set, the file format is 1368always ``Gnat'' (the file format option is ignored). 1369@item 1370``File name''. This is the name of the file that will contain the 1371results when sent to ``File'' or ``File and GPS''. If the results are 1372sent to ``File'' and the file exists, AdaControl will ask for the 1373permission to overwrite it. If the results are sent to ``File and 1374GPS'', the result file is always overriden without asking. 1375@item 1376``File format''. This is a pull-down menu that allows you to select 1377the desired format when output is directed to a file (``-F'' option). 1378@xref{Control kinds and report messages}. 1379@end itemize 1380 1381@subsubsection ASIS 1382This section controls the ASIS parameters passed to AdaControl. The 1383content of the input field ``ASIS options'' is used in place of the 1384standard (``-CA -FM'') one. 1385 1386Casual users don't need to change the default ASIS options. For more 1387details, @pxref{ASIS options}. 1388 1389@node AdaControl preferences, AdaControl language, AdaControl switches, Running AdaControl from GPS 1390@subsection AdaControl preferences 1391There is an entry for AdaControl in the ``edit/preferences'' menu: 1392@itemize @bullet 1393@item 1394``delete trees''. If this box is checked, tree files are automatically 1395deleted after each run of AdaControl. This avoids having problems with 1396out-of-date tree files, at the expanse of slightly slowing down 1397AdaControl if you run it several times in a row without changing the 1398source files. 1399@item 1400``Delete .ali files with tree files''. If this box is checked, the 1401``.ali'' files in the current directory will also be deleted together 1402with the tree files (either automatically if the previous box is 1403checked, or when the ``AdaControl/Delete Tree Files'' menu is 1404selected). This is normally what you want, unless the current 1405directory is also used as the object directory for compilations; in 1406the latter case, deleting ``.ali'' files would cause a full 1407recompilation for the next build of the project. 1408@item 1409``Help on rule''. This allows you to select how rule specific help 1410(from the ``Help/AdaControl/Help on rule'' menu) is displayed. If you 1411select ``Pop-up'', a summary of the rule's purpose and syntax is 1412displayed in a pop-up. If you select ``User Guide'', the user guide 1413opens in a browser at the page that explains the rule. (@b{Caveat}: 1414due to a problem in GPS under Windows, the ``User Guide'' option may 1415not work at all, or the browser will not find the right anchor; 1416hopefully, this will be fixed in an upcomming release of GPS. No such 1417problem under Linux). 1418@item 1419``Use separate categories''. If this box is checked, there will be one 1420category (i.e. tree in the locations window) for each rule type or 1421label, otherwise all messages will be grouped under the single 1422category ``AdaControl''. In practice, this means that with the box 1423checked, messages will be sorted by rules first, then by files, while 1424otherwise, the messages will be sorted by files first, then by rules. 1425In any case, compilation errors appear under the ``Compilation'' 1426category, final counts under the ``Counts summary'' category, and 1427statistics under the ``Statistics'' category. 1428@item 1429``Auto save files''. If this box is checked, all modified files are 1430automatically saved without asking before running 1431AdaControl. Otherwise, a dialog appears allowing the user to choose 1432which files to save. 1433@item 1434``Buttons operate on''. This defines the behaviour of the buttons. 1435If ``Current File'' is selected, the buttons operate on the file being 1436currently edited. If ``Root Project'' is selected, the buttons operate 1437on all files that are part of the current project. If ``Units from List'' 1438is selected, the buttons operate on all units from the units file. 1439@item 1440``Display AdaControl run''. If this box is checked, the command line used 1441to launch AdaControl and the output messages are displayed in the ``Messages'' 1442window. 1443@item 1444``Max allowed error messages''. If non zero, run will stop if the 1445number of error messages exceeds this limit. @xref{Output limits}. 1446@item 1447``Max allowed messages (all kinds)''. If non zero, run will stop if 1448the number of error and warning messages exceeds this 1449limit. @xref{Output limits}. 1450@end itemize 1451 1452@node AdaControl language, AdaControl help, AdaControl preferences, Running AdaControl from GPS 1453@subsection AdaControl language 1454If you check ``AdaControl'' in the ``Languages'' tab of the project 1455properties, GPS will recognize files with extension @code{.aru} as 1456AdaControl rules files, and provide appropriate colorization. Remember 1457to check also the corresponding ``no compiler'' checkbox to avoid 1458spurious messages from GPS. 1459 1460@node AdaControl help, Caveat, AdaControl language, Running AdaControl from GPS 1461@subsection AdaControl help 1462The AdaControl User Manual (this manual) and the AdaControl 1463Programmer Manual are available from the "Help/AdaControl" menu of GPS. 1464 1465The "Help on rule" entry displays the list of all rules; if you click 1466on one of them, you get help for the particular rule. Depending on the 1467setting of the ``Help on rule'' preference (see above), it opens a 1468pop-up that displays the rule(s) purpose and the syntax of its 1469parameters, or opens the user guide at the appropriate location. 1470 1471The ``About'' entry displays a popup with AdaControl's version number 1472and license condition. 1473 1474@node Caveat, , AdaControl help, Running AdaControl from GPS 1475@subsection Caveat 1476GPS may crash when the output of a command is too big (i.e. hundreds 1477of messages with AdaControl). If this happens, use the 1478``preferences'' menu to limit the number of messages. 1479 1480@node Running AdaControl from AdaGide, Helpful utilities, Running AdaControl from GPS, Program Usage 1481@section Running AdaControl from AdaGide 1482If you want to use AdaControl from AdaGide, make sure you have copied 1483the necessary file into the required place. @xref{Installing support 1484for AdaGide}. Note that AdaGide does not have all the parameterization 1485facilities of sophisticated environments like GPS, but all AdaControl 1486options, like the name of the rules file or the output format, can 1487easily be changed by editing the tool description file 1488@code{AdaControl.tdf}. 1489 1490AdaGide now features several AdaControl commands from the ``tool'' menu: 1491@itemize @bullet 1492@item 1493``AdaControl'' runs AdaControl on the currently 1494edited file, with rules taken from the file named @code{verif.aru}. 1495@item 1496``AdaControl recursive'' works like the previous command, with the 1497addition of the ``-r'' (recursive) option. When used on the main 1498program, it will analyze the whole set of compilation units in the 1499program. 1500@item 1501``AdaControl interactive'' runs AdaControl on the currently 1502edited file, with a rule asked interactively from a pop-up. 1503@item 1504``AdaControl: delete .adt'' removes existing tree files from the 1505current directory. This is convenient when AdaControl complains that 1506the tree files are not up-to-date. 1507@end itemize 1508 1509@node Helpful utilities, Optimizing Adacontrol, Running AdaControl from AdaGide, Program Usage 1510@section Helpful utilities 1511This section describe utilities that are handy to use in conjunction 1512with AdaControl. 1513 1514@menu 1515* pfni:: 1516* makepat.sed:: 1517* unrepr.sed:: 1518@end menu 1519 1520@node pfni, makepat.sed, Helpful utilities, Helpful utilities 1521@subsection pfni 1522The convention used to refer to entities (as described in 1523@ref{Specifying an Ada entity name}) is very powerful, but it may be 1524difficult to spell out correctly the name of some entities, especially 1525when using the overloaded syntax. 1526 1527@code{pfni} (which stands for @i{Print Full Name Image}) can be used 1528to get the correct spelling for any Ada entity. The syntax of 1529@code{pfni} is: 1530@example 1531pfni [-sofdq] [-p <project-file>] <unit>[:<span>] 1532 [-- <ASIS options>] 1533<span> ::= <line_number> 1534 | [<first_line>]-[<last_line>] 1535 | <line_number>:<column_number> 1536@end example 1537or 1538@example 1539pfni -h 1540@end example 1541If called with the ``-h'' option, @code{pfni} prints a help message 1542and exits. 1543 1544Otherwise, @code{pfni} prints the full name image of all identifiers 1545declared in the indicated unit, unless there is a ``-f'' (full) 1546option, in which case it prints the full name image of all identifiers 1547(i.e. including those that are used, but not declared, in the 1548unit). The image is printed without overloading information, unless 1549the ``-o'' option is given. 1550 1551In addition, @code{pfni} prints the initial value of variables if 1552there is one, the range of discrete types, and the range of the 1553indices of array types. 1554 1555The <unit> is given either as an Ada unit, or as a file name, provided 1556the extension is ``.ads'' or ``.adb'' (as in AdaControl). If a span is 1557given, only identifiers within the span are printed. In the first 1558form, the span includes only the indicated line; in the second form, 1559the span includes all lines from <first_line> to <last_line> (if 1560omitted, they are taken as the first and last line of the file, 1561respectively). In the third form, the span includes only the place at 1562the specified <line_number> and <column_number>. 1563 1564Normally, the source line corresponding to the names is printed above 1565the names. The ``-q'' (quiet) option suppresses this. 1566 1567If the ``-s'' option is given (or the unit is a file name with a 1568``.ads'' extension), the specification of the unit is processed, 1569otherwise the body is processed. The ``-p'' option specifies the name 1570of a project file (``.gpr'' or ``.adp''), and the ``-d'' option is the 1571debug mode, as for AdaControl itself. ASIS options can be passed, like 1572for AdaControl, after a ``-@w{}-'' (but -FS is the 1573default). @xref{ASIS options}. 1574 1575As a side usage of @code{pfni}, if you are calling a subprogram that 1576has several overloadings and you are not sure which one is called, use 1577@code{pfni} with the ``-o'' option on that line: the program will tell 1578you the full name and profile of the called subprogram. 1579 1580@node makepat.sed, unrepr.sed, pfni, Helpful utilities 1581@subsection makepat.sed 1582This file (provided in the ``src'' directory) is a sed script that 1583transforms a text file into a set of correponding regular expressions. 1584It is useful to generate model header files. @xref{Header_Comments}. 1585 1586@node unrepr.sed, , makepat.sed, Helpful utilities 1587@subsection unrepr.sed 1588This file (provided in the ``src'' directory) is a sed script that 1589comments out all representation clauses. It is typically useful if you 1590use a different compiler that accepts representation clauses not 1591supported by GNAT. 1592 1593Typically, you would copy all your sources in a different directory, 1594copy ``unrepr.sed'' in that directory, then run: 1595@example 1596sed -i -f unrepr.sed *.ads *.adb 1597@end example 1598You can now run AdaControl on the patched files. Of course, you won't 1599be able to check rules related to representation clauses any more... 1600 1601Note that the script adds ``-@w{}-UNREPR '' to all representation 1602clauses. Its effect can thus easily be undone with the following 1603commad: 1604@example 1605sed -i -e "s/--UNREPR //" *.ads *.adb 1606@end example 1607 1608@node Optimizing Adacontrol, In case of trouble, Helpful utilities, Program Usage 1609@section Optimizing Adacontrol 1610There are many factors that may influence dramatically the speed of 1611AdaControl when processing many units. For example, on our canonical 1612test (same controls, same units), the extreme points for execution time 1613were 111s. vs 13s.! Unfortunately, this seems to depend on a number of 1614parameters that are beyond AdaControl's control, like the relative 1615speed of the CPU to the speed of the hard-disk, or the caching 1616strategy of the file system. 1617 1618This section will give some hints that may help you increase the speed 1619of AdaControl, but it will not change the output of the program; you 1620don't really need to read it if you just use AdaControl 1621occasionnally. This section is concerned only with the GNAT 1622implementation of ASIS; other implementations work differently. 1623 1624Bear in mind that the best strategy depends heavily on how your 1625program is organized, and on the particular OS and hardware you are 1626using. Therefore, no general rule can be given, you'll have to 1627experiment yourself. Hint: if you specify the ``-v'' option to 1628AdaControl, it will print in the end the elapsed time for running the 1629tests; this is very helpful to make timing comparisons. 1630 1631Note: all options described in this section are ASIS options, 1632i.e. they must appear last on the command line, after a ``-@w{}-''. 1633 1634@menu 1635* Tree files and the ASIS context:: 1636* Generating tree files manually:: 1637* Choosing an appropriate combination of options:: 1638@end menu 1639 1640@node Tree files and the ASIS context, Generating tree files manually, Optimizing Adacontrol, Optimizing Adacontrol 1641@subsection Tree files and the ASIS context 1642Since AdaControl is an ASIS application, it is useful to explain here 1643how ASIS works. ASIS (and therefore AdaControl) works on a set of 1644units constituting a ``context''. Any reference to an Ada entity which 1645is not in the context (nor automatically added, see below) will be 1646ignored; especially, if you specify to AdaControl the name of a unit 1647which is not included in the current context, the unit will simply not 1648be processed. 1649 1650ASIS works by exploring tree files (same name as the corresponding Ada 1651unit, with a ``.adt'' extension), which are ``predigested'' views of 1652the corresponding Ada units. By default, the tree files are generated 1653automatically when needed, and kept after each run, so that subsequent 1654runs do not have to recreate them. 1655 1656A context in ASIS-for-Gnat is a set of tree files. Which trees are 1657part of the context is defined by the ``-C'' option: 1658@itemize 1659@item 1660-C1 Only one tree makes up the context. The name of the tree file must 1661follow the option. 1662@item 1663-CN Several explicit trees make up the context. The name of the tree 1664files must follow the option. 1665@item 1666-CA All available trees make up the context. These are the tree files 1667found in the current directory, and in any directory given with a 1668``-T'' option (which works like the ``-I'' option, but for tree files 1669instead of source files). 1670@end itemize 1671 1672The ``-F'' option specifies what to do if the program tries to access 1673an Ada unit which is not part of the context: 1674@itemize 1675@item 1676-FT Only consider tree files, do not attempt to compile units 1677on-the-fly 1678@item 1679-FS Always compile units on-the-fly, ignore existing tree files 1680@item 1681-FM Compile on-the-fly units for which there is no already existing 1682tree file 1683@end itemize 1684Note that ``-FT'' is the only allowed mode, and @i{must} be specified, 1685with the ``-C1'' and ``-CN'' options. 1686 1687The default combination used by AdaControl is ``-CA -FM''. A 1688consequence of this is that the context is established by first 1689loading all available tree files before starting the analysis, even 1690those that are not necessary. Since tree files are often big and long 1691to load, if you want to check a single unit and have remaining trees 1692from a previous run, it is often more efficient to delete all ``.adt'' 1693files first. 1694 1695More generally, given the current speed of CPUs and the not-so-fast 1696access time of disks, it may happen that recomputing the trees instead 1697of loading them from disk might be faster. Only experiencing will tell 1698you the best procedure to follow. 1699 1700@node Generating tree files manually, Choosing an appropriate combination of options, Tree files and the ASIS context, Optimizing Adacontrol 1701@subsection Generating tree files manually 1702It is also possible to generate the tree files manually before running 1703AdaControl. Although this mode of operation is less practical, it is 1704recommended by AdaCore for any ASIS tool that deals with many 1705compilation units. Some reasons why you might want to generate the 1706tree files manually are: 1707@itemize @bullet 1708@item 1709Your project has several source directories (ASIS had problems with 1710ADA_INCLUDE_PATH, until releases dated later than Sept. 1st, 17112006). Note that an alternative solution is to provide a project file 1712with the -p option, or to specify source directories with the -I 1713option; 1714@item 1715Your project uses some compilation options that cannot be set 1716otherwise (AdaControl just uses the ``source_dirs'' from GPR projects, 1717not other options) 1718@item 1719It is faster to generate tree files once than to use ``compile on the 1720fly'' mode. 1721@end itemize 1722 1723To generate tree files manually, simply recompile your project with 1724the ``-gnatct'' option. This option can be passed to @code{gnatmake} 1725or @code{gprbuild} normally. Of course, you will need all other 1726options needed by your project (like the ``-P'' option if you are 1727using GNAT project files). 1728 1729Tree files may be copied into a different directory if you don't want 1730your current directory to be cluttered by them. In this case, use the 1731``-T'' ASIS option to indicate the directory where the tree files are 1732located. 1733 1734If you chose to generate the tree files manually, you may want to 1735specify the ``-FT'' ASIS option (see above) to prevent from accidental 1736automatic recompilation. 1737 1738@node Choosing an appropriate combination of options, , Generating tree files manually, Optimizing Adacontrol 1739@subsection Choosing an appropriate combination of options 1740In order to optimize the use of AdaControl, it is important to 1741remember that reading tree files is a time-consuming operation. On the 1742other hand, a single tree file contains not only information for the 1743corresponding unit, but also for the @i{specifications} of all units 1744that the given unit depends on. Moreover, our measures showed that 1745reading an existing tree file may be @i{slower} than compiling the 1746corresponding unit on-the-fly (but once again, YMMV). 1747 1748Here are some hints to help you find the most efficient combination of 1749options. 1750@itemize 1751@item 1752If you want to run AdaControl on all units of your program, use the 1753``-D'' option to create a file containing the list of all required 1754units, then use this file as an indirect file. Using the the ``-r'' 1755option (recursive mode) of AdaControl implies an extra pass over the 1756whole program tree to determine the necessary units. 1757@item 1758If you have not disabled any rule (and have many messages), specifying 1759the ``-i'' option (ignore disabling) saves AdaControl the burden of 1760checking whether rules are disabled, which can result in a 1761sensible speed-up. 1762@item 1763Avoid having unnecessary tree files. All tree files in the context are 1764read by ASIS, even if they are not later used. If you don't want to 1765run AdaControl on the whole project, deleting tree files from a 1766previous run can save a lot of time. 1767@item 1768When using an indirect file, the order in which units are given may 1769influence the speed of the program. As a rule of thumb, units that are 1770closely related should appear close to each other in the file. A good 1771starting point is to sort the file in alphabetical order: this way, 1772child units will appear immediately after their parent. You can then 1773reorder units, and measure if it has a significant effect on speed. 1774@item 1775If you want to check a unit individually, try using the ``-C1'' option 1776(especially if the current directory contains many tree files from 1777previous runs). Remember that you must specify the unit to check to 1778AdaControl, and the tree file to ASIS. I.e., if you want to check the 1779unit ``Example'', the command line should look like: 1780@example 1781adactl -f rules_file.aru example -- -FT -C1 example.adt 1782@end example 1783provided the tree file already exists. 1784@item 1785For each strategy, first run AdaControl with the default options 1786(which will create all necessary tree files). Compare execution time 1787with the one you get with ``-FT'' and ``-FS''. This will tell you if 1788compiling on-the-fly is more efficient than loading tree files, or not. 1789@end itemize 1790 1791@node In case of trouble, , Optimizing Adacontrol, Program Usage 1792@section In case of trouble 1793@subsection Known issues 1794If you are using an old version of GNAT and your project includes 1795source files located in several directories, the ADA_INCLUDE_PATH 1796environment variable may not be considered by ASIS, resulting in error 1797messages that tell you that the bodies of some units have not been 1798found (and hence have not been processed). This problem has been fixed 1799in GNAT dated later than Sept. 1st, 2006. If this happens, either 1800provide your source directories as ``-I'' options (@pxref{ASIS 1801options}), or generate the tree files manually (@pxref{Generating tree 1802files manually}). Note that this problem does not happen if you are 1803using a project file (@pxref{Project files}), nor if you are 1804running AdaControl from GPS. 1805 1806@subsection AdaControl or ASIS failure 1807Like any sophisticated piece of software, AdaControl may fail when 1808encountering some special case of construct. ASIS may also fail 1809occasionnally; actually, we discovered several ASIS bugs during the 1810development of AdaControl. These were reported to ACT, and have been 1811corrected in the wavefront version of GNAT - but you may be using an 1812earlier version. In this case, try to upgrade to a newer version of 1813ASIS. If an AdaControl or ASIS problem is not yet solved, AdaControl 1814is designed in such a way that an occasionnal bug won't prevent you 1815from using it. 1816 1817If AdaControl detects an unexpected exception during the processing of 1818a unit (an ASIS error or an internal error), it will abandon the unit, 1819clean up everything, and go on processing the remaining units. This 1820way, an error due to a special case in a unit will @i{not} affect the 1821processing of other units. AdaControl will return a Status of 10 in 1822this case. 1823 1824However, if it is run with the ``-x'' option (eXit on error), it will 1825stop immediately, and no further processing will happen. 1826 1827If you don't want the garbage from a failing rule to pollute your 1828report, you may chose to disable the rule for the unit that has a 1829problem. @xref{Inhibit command}. 1830 1831If you encounter a problem while using AdaControl, you are very 1832welcome to report it through our 1833@url{https://sourceforge.net/p/adacontrol/tickets/,bug tracking 1834system} (under Windows, you can click on ``Report problem'' in the 1835AdaControl Start menu). Please include the exact control and the unit 1836that caused the problem, as well as the captured output of the program 1837(with ``-dx'' option). 1838 1839@node Command language reference, Rules reference, Program Usage, Top 1840@chapter Command language reference 1841AdaControl is about @i{controlling rules}. @i{Rules} are built in 1842AdaControl; each rule has a name, and may require parameters. For the 1843complete description of each rule, @pxref{Rules reference}. 1844 1845To run AdaControl, you need to define which rules you want to apply to 1846your Ada units, what are the parameters, etc. In addition, you may 1847want to define various things, like the file where the results should 1848go, the output format, etc. 1849 1850AdaControl defines a small command language which is used to describe 1851how you want to process your units. Commands can be specified either 1852on the command line or in a file, that we call here a rules 1853file. Commands can also be given interactively; @xref{Interactive 1854mode}. 1855 1856@menu 1857* General:: 1858* Controls:: 1859* Other commands:: 1860* Example of commands:: 1861@end menu 1862 1863@node General, Controls, Command language reference, Command language reference 1864@section General 1865The command language is not case-sensitive, i.e. the case of the 1866keywords, rule names, and parameters is not significant. The layout 1867of commands is free (i.e. a command can extend over several lines, and 1868spaces are freely allowed between syntactic elements). 1869 1870Comments are allowed in and between commands. Comments begin with a 1871``#'' or a ``-@w{}-'', and extend to the end of the line. 1872 1873Since wide characters are allowed in Ada programs, AdaControl accepts 1874wide characters in commands as well. With GNAT, the encoding scheme is 1875Hex ESC encoding (see the GNAT User-Guide/Reference-Manual). This is 1876the prefered method, since few people require wide characters in 1877programs anyway, and that keeping the default bracket encoding would 1878not conveniently allow brackets for regular expressions, like those 1879used by some rules. @xref{Syntax of regular expressions}. 1880 1881If a syntax error is encountered in a command, an appropriate error 1882message is output, and analysis of the rules file continues in order 1883to output all errors, but no analysis of user code will be performed. 1884 1885@node Controls, Other commands, General, Command language reference 1886@section Controls 1887A @i{control command} is a command that declares one (or several) 1888controls. A control defines how a rule is applied to Ada units. The 1889syntax of a control command is as follows: 1890@example 1891<control_command> ::= [<label> ":"] <control> @{"," <control>@} ";" 1892<control> ::= <ctrl_kind> <Rule_Name> [<parameters>] 1893<parameters> ::= "(" [<modifiers>] <value> 1894 @{"," [<modifiers>] <value>@} ")" 1895<ctrl_kind> ::= "check"|"search"|"count" 1896@end example 1897 1898If present, the label gives a name to the control(s); it will be 1899printed whenever each control is activated, and can be used to disable 1900the control(s). @xref{Disabling controls}. If no label is present, 1901the rule name is printed instead. The label must have the syntax of an 1902Ada identifier, or else the label must be included within double 1903quotes (@code{"}), in which case it can contain any character. 1904 1905Each control consists of a <ctrl_kind> followed by a rule name, and 1906(optionally) parameters. Some parameters may be preceded by modifiers 1907(such as ``not'' or ``case_sensitive''). The meaning of the rule 1908parameters and modifiers depends on the rule. 1909 1910Here are some examples of commands: 1911@example 1912check unnecessary_use_clause; 1913All_Imports: search pragmas (Import); 1914"Why do you need that?": check entities (Unchecked_Conversion, 1915 all 'Address); 1916@end example 1917 1918Specifying several controls with the same label is a shorthand which 1919is equivalent to specifying the same label for several controls. It is 1920handy when the label is long, and/or to stress that several controls are 1921part of the same programming rule. For example: 1922@example 1923"Check why this obsolete stuff is still used": 1924 check entities (obsolete_unit_1), -- Note comma here! 1925 check instantiations (some_obsolete_generic); 1926@end example 1927 1928@menu 1929* Control kinds and report messages:: 1930* Parameters:: 1931* Multiple controls:: 1932* Disabling controls:: 1933@end menu 1934 1935@node Control kinds and report messages, Parameters, Controls, Controls 1936@subsection Control kinds and report messages 1937There are three control kinds: ``check'', ``search'', and ``count''. 1938 1939``Check'' is intended to search for rules that must be obeyed in your 1940programs. Normally, if a ``Check'' control fails, you should fix the 1941program. ``Search'' is intended to report some situations, but you 1942should consider what to do on a case-by-case basis. Roughly, use 1943``check'' when you consider that the failure of the control is an 1944error, and ``search'' when you consider it as a warning. AdaControl 1945will exit with a status of 1 if any ``Check'' control is triggered, 1946and a status of 0 if only ``Search'' controls were triggered (or no 1947control was triggered at all). 1948 1949``Count'' works like ``Search'', but instead of printing a message for 1950each control which is triggered, it simply counts occurrences and prints 1951a summary at the end of the run. There is a separate count for each 1952control label (or if no label is given, the rule name is taken instead); 1953if you give the same label to different controls, this allows you to 1954accumulate the counts. 1955 1956A report message (except for the final report of ``count'') comprises 1957the following elements: 1958@itemize 1959@item 1960the file name (where the control matches) 1961@item 1962the line number (where the control matches) 1963@item 1964the column number (where the control matches) 1965@item 1966the label (if there is one) and/or the rule name (the rule that matches). 1967@item 1968a message (why the control matches). A control whose kind is ``check'' 1969will produce an error report message (i.e. containing the keyword 1970``Error'') and a control whose kind is ``search'' will produce a 1971found report message (i.e. containing the keyword ``Found''). 1972@end itemize 1973 1974The formatting of the report message depends on the format option, 1975which can be selected with the ``-F'' command-line option or the ``set 1976format'' command. 1977 1978If the format is ``Gnat'' (the default) or ``Gnat_Short'', items are 1979separated by ':'; this is the same format as the one used by GNAT 1980error messages. Editors (like Emacs or GPS) that recognize this format 1981allow you to go directly to the place of the message by clicking on 1982it. In order to avoid too long messages, only the label appears, 1983unless there is none, in which case it is replaced with the rule name. 1984 1985If the format is ``CSV'' or ``CSV_Short'', items are separated by ',' 1986and surrounded by double quotes. This is the ``Comma Separated 1987Values'' format, which can be read by any known spreadsheet program, 1988except Excel(tm) by default, which uses the semicolon and not the 1989comma to separate fields. Therefore, the formats ``CSVX'' and 1990``CSVX_Short'' do the same thing, but using semi-colons (';') instead 1991of commas. Both the label (replaced by an empty column if there is 1992none) and the rule name appear. Note that when an output file is 1993created in one of the ``CSV'' formats, a title line is issued as the 1994first line, following normal CSV convention. 1995 1996If the format is ``Source'' or ``Source_Short'', the offending source 1997line is output, and the message is output behind it, with a ``!'' 1998pointing to the exact location of the problem. 1999 2000If the format is ``None'', no error message is output at all. This is 2001useful when only the return code of running AdaControl is desired 2002(just to check if a program is OK or not). Note that this does @i{not} 2003prevent the output of statistics, since these are under control of the 2004``-S'' option or the ``set statistics'' command. In this case, 2005statistics are output in CSVX format, since asking for statistics with 2006a ``none'' format is mainly useful for analysing the statistics with a 2007spreadsheet program. 2008 2009With recent versions of GNAT, the file name includes the full path of 2010the source file. If the ``_Short'' form of the format option is used, 2011the file name is stripped from any path. This can make it easier to 2012compare the results of controlling units from various directories. 2013Note that with older versions of GNAT, the file name never includes 2014the full path, and the ``_Short'' form of the format option has no 2015effect. 2016 2017After each run (@pxref{Go command}), statistics may be output, 2018depending on the statistics level which is set with the ``-S'' option 2019or the ``set statistics'' command. The meaning of the various levels 2020is as follows: 2021@itemize 2022@item 20230: No statistics are output (default) 2024@item 20251: A count of error and warning messages is output 2026@item 20272: The rule name and label (if any) of any control @i{not} triggered are 2028output 2029@item 20303: The rule name and label (if any) of every control is output, 2031together with a count of each triggering kind (``check'', ``search'', 2032``count''), or ``not triggered'' if the control was not triggered. 2033@end itemize 2034 2035@node Parameters, Multiple controls, Control kinds and report messages, Controls 2036@subsection Parameters 2037Most rules accept parameters. Parameters can be: 2038@itemize 2039@item 2040a keyword for the rule 2041@item 2042a numerical value 2043@item 2044a character string (often a regular expression) 2045@item 2046an Ada entity name 2047@end itemize 2048 2049A numerical value is given with the syntax of an Ada integer or real 2050literal (underscores and exponents are allowed as in Ada). Based 2051literals are supported for integer values; if somebody can justify a 2052need for supporting them for reals, we'll be happy to add this feature 2053later... 2054 2055A character string is given within double quotes ``"''. As usual, quotes 2056appearing within the string are doubled. The tilde character (``~'') can be 2057used as a replacement delimiter, but the same character must be used at both 2058ends of the string. The latter has been chosen as a character not used 2059by the various shells, and can be useful to pass quoted strings from 2060parameters on the command line (unfortunately, we could not use the 2061percent (``%'') sign, because it plays a special role in DOS/Windows). 2062 2063An Ada entity name is the full name (prefixed with the names of all 2064units that include it) of something declared in a program. It can be 2065followed by overloading information, in order to uniquely identify the 2066Ada entity. If an Ada entity is overloaded and no overloading 2067information is provided, the rule is applied to all (overloaded) Ada 2068entities that match the name. Alternatively, it can be ``all'' 2069followed by a simple name, in wich case it applies to all entities 2070with that name. See @ref{Specifying an Ada entity name} for the full 2071description of the syntax. Here are some examples of entity names: 2072@example 2073Ada.Text_IO.Put -- All Put defined in Ada.Text_IO 2074Ada.Text_IO.Put@{Standard.Character@} -- The Put on Character 2075all Put -- All Put 2076Standard.Integer'Image -- The 'Image function on Integer 2077all 'Image -- All 'Image functions 2078@end example 2079 2080@node Multiple controls, Disabling controls, Parameters, Controls 2081@subsection Multiple controls 2082Most rules can be used in more than one control (with different 2083parameters). There is no difference between a single or a multiple 2084configuration rule use: outputs, efficiency, etc. are the same. 2085 2086The following rules files produce an identical configuration: 2087@example 2088Search Pragmas (Pure, Elaborate_All); 2089@end example 2090and 2091@example 2092Search Pragmas (Pure); 2093Search Pragmas (Elaborate_All); 2094@end example 2095 2096However, the second form can be used to give different labels. Consider: 2097@example 2098Search Pragmas (Pure); 2099No_Elaborate: Search Pragmas (Elaborate_All); 2100@end example 2101 2102The messages for pragma @code{Pure} will contain ``PRAGMAS'', while 2103those for @code{Elaborate_All} will contain ``No_Elaborate''. If a 2104disabling comment mentions @code{pragmas}, it will disable both controls, 2105but a disabling comment that mentions @code{No_Elaborate} will disable 2106only the second one. 2107 2108@node Disabling controls, , Multiple controls, Controls 2109@subsection Disabling controls 2110It is possible to disable controls on parts of the source code by 2111placing markers in the source code. A marker is an Ada comment, where 2112the comment mark (@code{--}) is immediately followed by the special 2113tag ``@code{##}'' (by default). 2114 2115There are two kinds of markers: block markers and line markers. Both 2116kinds specify a list of controls to disable/re-enable. A list of 2117controls is a list of rule names (to disable/re-enable all controls on 2118the indicated rule(s)) or control labels (to disable/re-enable all 2119controls with that label), separated by spaces. Alternatively, the 2120list of controls can be the word ``all'' to disable/re-enable all 2121controls. 2122 2123In a ``@code{--##}'' line, everything appearing after another ``##'' 2124tag (by default) is ignored. This allows the insertion of a comment 2125explaining why the control is disabled at that point. 2126 2127Both tags can be changed with the ``set'' command. @xref{Set command}. 2128 2129@subsubsection Block disabling 2130A control is disabled from a ``rule off'' marker that applies to it 2131until a ``rule on'' marker that applies to it. If there is no 2132appropriate ``rule on'' marker, the control is disabled up to the end 2133of file. 2134 2135Syntax: 2136@example 2137--## rule off <control_list> 2138Ada code block 2139--## rule on <control_list> 2140@end example 2141 2142Ex: 2143@example 2144--## rule off rule1 rule2 ## Authorized by QA ref 1234 2145I := I + 1; 2146Proc (I); 2147--## rule on rule2 2148@end example 2149 2150@subsubsection Line disabling 2151A control is disabled only for the line where a marker that applies to 2152it appears. 2153 2154Syntax: 2155@example 2156Ada code line --## rule line off <rule_list> 2157@end example 2158Ex: 2159@example 2160I := I + 1; --## rule line off rule3 rule_label_1 2161@end example 2162Conversely, it is possible to re-enable a control for just the current 2163line in a block where it is disabled: 2164 2165Syntax: 2166@example 2167Ada code line --## rule line on <rule_list> 2168@end example 2169Ex: 2170@example 2171--## rule off rule1 rule2 2172... 2173I := I + 1; --## rule line on rule2 2174@end example 2175 2176@subsection Limitation 2177Since the disabling is based on special comments, there is a conflict 2178with the rule ``header_comments'' which is based on the content of 2179comments. Line disabling is not possible with this rule, and block 2180disabling needs special care. @xref{Header_Comments}. 2181 2182@node Other commands, Example of commands, Controls, Command language reference 2183@section Other commands 2184In addition to controls, AdaControl recognizes a number 2185of commands. Although these commands are especially useful when using 2186the interactive mode (@pxref{Interactive mode}), they can be used in 2187command files as well. 2188 2189@menu 2190* Go command:: 2191* Quit command:: 2192* Message command:: 2193* Help command:: 2194* Clear command:: 2195* Set command:: 2196* Source command:: 2197* Inhibit command:: 2198@end menu 2199 2200@node Go command, Quit command, Other commands, Other commands 2201@subsection Go command 2202This command starts processing of the controls that have been 2203specified. 2204 2205Syntax: 2206@example 2207go; 2208@end example 2209Controls are @i{not} reset after a ``go'' command; for example, the 2210following program: 2211@example 2212search entities (pack1); 2213go; 2214search entities (pack2); 2215go; 2216@end example 2217will first output all usages of @code{Pack1}, then all usages of both 2218@code{Pack1} and @code{Pack2}. See @ref{Clear command} to reset 2219controls. 2220 2221If not in interactive mode, a ``go'' command is automatically added at 2222the end, therefore it is not required in rules files. 2223 2224@node Quit command, Message command, Go command, Other commands 2225@subsection Quit command 2226This command terminates AdaControl. 2227 2228Syntax: 2229@example 2230quit; 2231@end example 2232If given in a file, all subsequent commands will be ignored. This 2233command is really useful only in interactive mode. @xref{Interactive 2234mode}. 2235 2236@node Message command, Help command, Quit command, Other commands 2237@subsection Message command 2238This command prints a message on the output file. 2239 2240Syntax: 2241@example 2242message "<any string>" [pause]; 2243@end example 2244The length of the message is limited to 250 characters. If the word 2245``pause'' (case irrelevant) is specified after the message, AdaControl 2246will wait for the user to press the Return key before proceeding. 2247 2248Note that the message is syntactically a string, and must therefore be 2249quoted (double quotes). 2250 2251@node Help command, Clear command, Message command, Other commands 2252@subsection Help command 2253This command prints various informations about the rules and AdaControl 2254itself. 2255 2256Syntax: 2257@example 2258Help [<help_item> @{,<help_item>@}] 2259<Help_Item> ::=<keyword> | <rule name> | variables ["<pattern>"] 2260<keyword> ::= all | commands | license | list | options | 2261 rules | version 2262@end example 2263Without any argument, this command prints a summary of all commands 2264and rule names. If given one or more keywords or rule names, it prints the 2265corresponding help message. See @ref{Getting help} for the details. 2266 2267@node Clear command, Set command, Help command, Other commands 2268@subsection Clear command 2269This command command clears (i.e. removes) controls that have been 2270previously given. 2271 2272Syntax: 2273@example 2274Clear all | <rule name>@{,<rule name>@} ; 2275@end example 2276The command clears all controls given for the indicated rules, or for 2277all rules if the @code{all} keyword is given. Rule variables 2278(@pxref{Set command}) associated to cleared rules are returned to 2279their default values. For example, the following program: 2280@example 2281search entities (pack1); 2282go; 2283clear all; 2284search entities (pack2); 2285go; 2286@end example 2287will first output all usages of @code{Pack1}, then all usages of 2288@code{Pack2}. Without the ``clear all'' command, the second ``go'' 2289would output all usages of @code{Pack1} together with all usages of 2290@code{Pack2}. 2291 2292@node Set command, Source command, Clear command, Other commands 2293@subsection Set command 2294This command sets various parameters of AdaControl. 2295 2296Syntax: 2297@example 2298set Format Gnat|Gnat_Short|CSV|CSV_Short|Source|Source_short|None; 2299set Check_Key|Search_Key "<value>" 2300set Max_Errors [<value>]; 2301set Max_Messages [<value>]; 2302set Output|New_Output <output file>; 2303set Statistics <level>; 2304set Tag1|Tag2 "<value>"; 2305set Trace <trace file>; 2306set Debug|Exit_On_Error|Verbose|Warning|Warning_As_Error 2307 On|Off; 2308set Timing On|Off|Global 2309set Ignore On|Off|Inverted; 2310set <Rule_Name>.<Variable> <Value> 2311@end example 2312The ``set format'' command selects the output format for the messages, 2313like the ``-F'' option; see @ref{Control kinds and report messages} for 2314details. 2315 2316The ``set check_key'' command defines a string which is used in place 2317of ``Error'' in messages issued by a ``check'' control. Similarly, the 2318``set search_key'' command defines a string which is used in place of 2319``Found'' in messages issued by a ``search'' control. This can be 2320useful when AdaControl is used, for example, to detect places where 2321manual inspection is required; having the word ``Error'' in the 2322message could be misleading to the persons in charge of the 2323review. Note however that if you set these keys, the GPS interface 2324will not be able to recognize properly the messages. 2325 2326The ``set max_errors'' and ``set max_messages'' limit the output of 2327AdaControl, like the ``-m'' and ``-M'' options; see @ref{Output 2328limits} for details. If no <value> is given after the command name, 2329the corresponding limitation is removed. 2330 2331The ``set output'' and ``set new_output'' commands redirect the output 2332of subsequent controls to the indicated file. If the string 2333@code{console} (case irrelevant) is given as the <output file>, output 2334is redirected to the console. 2335 2336The ``set new_output'' always create a new file (or overwrites an 2337existing file with the same name). 2338 2339The ``set output'' command appends if the file exists, unless the 2340``-w'' option is given, in which case it is overwritten. However, the 2341file is overwritten only the first time it is mentionned in an 2342``output'' command. This means that you can switch forth and back 2343between two output files, all results from the same run will be 2344kept. Note however that for this to work, you need to specify the 2345output file exactly the same way: if you specify it once as 2346``result.txt'', and then as ``./result.txt'', the second one will 2347overwrite the first one. 2348 2349The ``set statistics'' command sets the statistics level, like the 2350``-S'' option; see @ref{Control kinds and report messages} for details. 2351 2352The ``set Tag1|Tag2'' command changes the tags used to disable (or 2353enable) rules. ``Tag1'' is the string that appears immediately after 2354the comment indicator (@code{--}), and ``tag2'' is the tag that 2355terminates the special comment. Note that these tags must be given as 2356strings (in quotes) and that case is relevant. See @ref{Disabling 2357controls} for details. 2358 2359The ``set trace'' command redirects the trace messages of the 2360``-d'' option to the indicated file. If the string @code{console} 2361(case irrelevant) is given as the <trace file>, trace messages are 2362redirected to the console. As with the ``-t'' option, if the file 2363exists, output is appended to it. 2364 2365The ``set Debug|Exit_On_Error|Verbose|Warning|Warning_As_Error'' 2366command activates (``on'') or deactivates (``off'') options. ``Debug'' 2367corresponds to the ``-d'' option, ``Exit_On_Error'' to the ``-x'' 2368option, ``Ignore'' to the ``-i'' option, ``Timing'' to the ``-T'' 2369option, ``Verbose'' to the ``-v'' option, ``Warning'' to the ``-E'' 2370option, and ``Warning_As_Error'' to the ``-e'' option. See 2371@ref{Verbose and debug mode}, @ref{Exit on error}, @ref{Treatment of 2372warnings}, @ref{Output format}, and @ref{Local disabling control} for 2373details. 2374 2375The ``set Timing'' command activates (``on'') or deactivates (``off'') 2376the printing of the time spent in each rule after each ``go'' 2377command. If set to ``global'' instead of ``on'', the timings are 2378accumulated over all ``go'' commands, and output when the program 2379terminates. 2380 2381The ``set Ignore'' command governs handling of disabled messages 2382(@pxref{Disabling controls}). In default mode (``set Ignore Off''), 2383disabled messages are not printed. When set to ``on'' (``set Ignore 2384On''), all messages are printed, including those that are 2385disabled. Setting this option can result in considerable speed-up of 2386the printing of messages. When set to ``Inverted'' (``set Ignore 2387Inverted''), @i{only} disabled messages are printed. This is useful to 2388check which messages have been disabled. 2389 2390Some rules may also have user-settable global variables that affect 2391their behaviour; the last form of the ``set'' command allows changing 2392their value. The variable name is of the form of a qualified name 2393(i.e. ``rule.var''), and the value depends on the variable. The 2394description of the variables (if any) and appropriate values is given 2395for each rule. 2396 2397@node Source command, Inhibit command, Set command, Other commands 2398@subsection Source command 2399This command inputs commands from another file. 2400 2401Syntax: 2402@example 2403Source <input file>; 2404@end example 2405Commands are read and executed from the indicated file, then control 2406is returned to the place after the ``source'' command. There is no 2407restriction on the content of the sourced file; especially, it may 2408itself include other ``source'' commands. 2409 2410If <input file> is a relative file path, it is taken relatively to the 2411file where the ``source'' command is given. Especially, if no path is 2412specified, the sourced file will be taken from the same directory as 2413the sourcing file (irrespectively of where the command is being run 2414from). If the file is not found there, it is searched on the path given 2415by the environment variable @code{ADACTL_PATH}. 2416 2417The default extension is @code{.aru}, i.e. if <input file> is not 2418found as given, AdaControl will retry the same name with @code{.aru} 2419appended. It is a syntax error if the file is not found either. 2420 2421If the string @code{console} (case irrelevant) is given as the <input 2422file>, commands are read from the console until a ``quit'' command is 2423given. This command is of course useful only from files, and allows to 2424pass temporarily control to the user in interactive mode. 2425 2426@node Inhibit command, , Source command, Other commands 2427@subsection Inhibit command 2428This command prevents execution of certain controls on particular units. 2429 2430Syntax: 2431@example 2432Inhibit <rule name>|all ([all] <unit> @{,[all] <unit>@}); 2433@end example 2434Controls refering to the given rule (or all rules if ``all'' is 2435specified in place of a rule name) for the indicated unit(s) are not 2436performed. In addition, if ``all'' is specified in front of the unit 2437name, the unit will not be accessed at all, even from rules that 2438follow call graphs, and could thus access this unit while analyzing 2439other units. 2440 2441There are several reasons why you might want to inhibit a control of 2442a rule for certain units: 2443@itemize 2444@item 2445The unit is known not to obey the rule in many places, and you don't 2446want the output to be cluttered with too many messages (of course, 2447you'll fix the unit in the near future!); 2448@item 2449The unit is known to obey the rule, execution of the rule is 2450time-consuming, and you want to save some processing time; 2451@item 2452The unit is known to raise an ASIS bug, and until you upgrade to the 2453appropriate version of GNAT, you don't want to be bothered by the 2454error messages. 2455@end itemize 2456 2457The ``all'' option for a unit is intended for the last case, to 2458prevent ASIS bugs from spoiling any unit that calls something from an 2459offending unit. 2460 2461@node Example of commands, , Other commands, Command language reference 2462@section Example of commands 2463Below is an example of a file with multiple commands: 2464@example 2465message "Searching Unchecked_Conversion"; 2466search entitities (ada.unchecked_conversion); 2467set output uc_usage.txt; 2468go; 2469clear all; 2470message "Searching 'Address"; 2471search entities (all 'Address); 2472set output address_usage.txt; 2473go; 2474@end example 2475This file will output all usages of @code{Ada.Unchecked_Conversion} 2476into the file @code{uc_usage.txt}, then output all usages of the 2477@code{'Address} attribute into the file 2478@code{address_usage.txt}. Messages are output to tell the user about 2479what's happenning. 2480 2481@node Rules reference, Examples of using AdaControl for common programming rules, Command language reference, Top 2482@chapter Rules reference 2483This chapter describes each rule currently provided by 2484AdaControl. Note that the @code{rules} directory of the distribution 2485contains a file named @code{verif.aru} that contains an example of a 2486set of rules appropriate to check on almost any software. 2487 2488A general limitation applies to all rules. AdaControl is a @i{static} 2489checking tool, and therefore cannot check usages that depend on 2490run-time values. For example, it is not possible to check rules 2491applying to an entity when this entity is aliased and accessed through 2492an access value, or rules applying to subprogram calls when the call 2493is a dispatching call. 2494 2495@menu 2496* Abnormal_Function_Return:: 2497* Allocators:: 2498* Array_Declarations:: 2499* Aspects:: 2500* Assignments:: 2501* Barrier_Expressions:: 2502* Case_Statement:: 2503* Characters:: 2504* Comments:: 2505* Declarations:: 2506* Default_Parameter:: 2507* Dependencies:: 2508* Derivations:: 2509* Directly_Accessed_Globals:: 2510* Duplicate_Initialization_Calls:: 2511* Entities:: 2512* Entity_Inside_Exception:: 2513* Exception_Propagation:: 2514* Expressions:: 2515* Generic_Aliasing:: 2516* Global_References:: 2517* Header_Comments:: 2518* Improper_Initialization:: 2519* Instantiations:: 2520* Insufficient_Parameters:: 2521* Local_Access:: 2522* Local_Hiding:: 2523* Max_Blank_Lines:: 2524* Max_Call_Depth:: 2525* Max_Line_Length:: 2526* Max_Nesting:: 2527* Max_Size:: 2528* Max_Statement_Nesting:: 2529* Movable_Accept_Statements:: 2530* Naming_Convention:: 2531* No_Operator_Usage:: 2532* Non_Static:: 2533* Not_Elaboration_Calls:: 2534* Not_Selected_Name:: 2535* Object_Declarations:: 2536* Parameter_Aliasing:: 2537* Parameter_Declarations:: 2538* Positional_Associations:: 2539* Potentially_Blocking_Operations:: 2540* Pragmas:: 2541* Record_Declarations:: 2542* Reduceable_Scope:: 2543* Representation_Clauses:: 2544* Return_Type:: 2545* Side_Effect_Parameters:: 2546* Silent_Exceptions:: 2547* Simplifiable_Expressions:: 2548* Simplifiable_Statements:: 2549* Statements:: 2550* Style:: 2551* Terminating_Tasks:: 2552* Type_Initial_Values:: 2553* Type_Usage:: 2554* Uncheckable:: 2555* Unit_Pattern:: 2556* Units:: 2557* Unnecessary_Use_Clause:: 2558* Unsafe_Elaboration:: 2559* Unsafe_Paired_Calls:: 2560* Unsafe_Unchecked_Conversion:: 2561* Usage:: 2562* Use_Clauses:: 2563* With_Clauses:: 2564@end menu 2565 2566@node Abnormal_Function_Return, Allocators, Rules reference, Rules reference 2567@section Abnormal_Function_Return 2568This rule controls functions that may not terminate normally, i.e. where 2569@code{Program_Error} could be raised due to reaching the end of the 2570function without encountering a @code{@b{return}} statement. 2571 2572@subsection Syntax 2573@example 2574<control_kind> abnormal_function_return; 2575@end example 2576 2577@subsection Action 2578The rule controls that the sequence of statements of each function 2579body, as well as each of its exception handlers, ends with: 2580@itemize @bullet 2581@item 2582a @code{@b{return}} statement (including extended return statements) 2583@item 2584a @code{@b{raise}} statement (or equivalently, a call to 2585@code{Ada.Exceptions.Raise_Exception} or 2586@code{Ada.Exceptions.Reraise_Occurrence}); 2587@item 2588a call to a procedure which is the target of a @code{@b{pragma} No_Return}; 2589@item 2590a block statement, whose last statement of its sequence and any 2591exception handler is one of these; 2592@item 2593an @code{@b{if}} statement that includes an @code{@b{else}} path, and 2594where the last statement of every path is one of these; 2595@item 2596a @code{@b{case}} statement where the last statement of every path is 2597one of these. 2598@item 2599a plain @code{@b{loop}} statement (not @code{@b{for}} or 2600@code{@b{while}}) without any @code{@b{exit}} or @code{@b{goto}} 2601statement transfering control outside of the loop. 2602@end itemize 2603 2604This is a sufficient (but of course not necessary) condition to ensure 2605that no function raises @code{Program_Error} due to reaching the end 2606of its statements without encountering a @code{@b{return}}. 2607 2608This rule can be specified only once. 2609 2610Ex: 2611@example 2612check abnormal_function_return; 2613@end example 2614 2615@subsection Tips 2616This rule checks that a function always returns correctly, but does not 2617prevent multiple @code{@b{return}} statements in functions. If you want 2618to ensure that there is exactly one @code{@b{return}} statement in functions, 2619and that this statement is always the last one, use this rule together with 2620the rule @code{statements(function_return)}. 2621@xref{Statements}. 2622 2623It is possible to exit from an extended return statement with an 2624@code{@b{exit}} or @code{@b{goto}} statement. If this happens, the 2625return statement is not considered a proper return statement, and an 2626appropriate message is issued. 2627 2628@node Allocators, Array_Declarations, Abnormal_Function_Return, Rules reference 2629@section Allocators 2630This rule controls the use of allocators (i.e. dynamic memory allocation). 2631@subsection Syntax 2632@example 2633<control_kind> allocators [(<target> @{, <target>@})]; 2634<target> ::= [anonymous | inconsistent | not] [<category>|<entity>] 2635<category> ::= () | access | array | delta | digits | 2636 mod | protected | range | record | tagged | task 2637@end example 2638 2639@subsection Action 2640If one or several <entity> or <category> are given, only allocators 2641whose allocated type matches the <entity>, or whose type belongs to 2642the indicated <category>, are controlled; otherwise all allocators are 2643controlled. As usual, the whole syntax for entities is allowed for 2644<entity>. @xref{Specifying an Ada entity name}. The meaning of 2645<category> is: 2646@itemize @bullet 2647@item 2648``()'': The allocated value is of an enumerated type. 2649@item 2650``access'': The allocated value is of an access type. 2651@item 2652``array'': The allocated value is of an array type. 2653@item 2654``delta'': The allocated value is of a fixed point type (it is not currently 2655possible to distinguish ordinary fixed point types from decimal fixed 2656point types). 2657@item 2658``digits'': The allocated value is of a floating point type. 2659@item 2660``mod'': The allocated value is of a modular type. 2661@item 2662``protected'': The allocated value is of a protected type. 2663@item 2664``range'': The allocated value is of a signed integer type. 2665@item 2666``record'': The allocated value is of an (untagged) record type. 2667@item 2668``tagged'': The allocated value is of a tagged type (including type 2669extensions). 2670@item 2671``task'': The allocated value is of a task type. 2672@end itemize 2673 2674This rule is especially useful for finding memory leaks, since it 2675tells all the places where dynamic allocation occurs. 2676 2677If a parameter is preceded by the word ``not'', allocators for the 2678corresponding type or category are not controlled (i.e. they are 2679always allowed). If a control includes only ``not'' parameters, an 2680implicit check for all allocators is assumed. 2681 2682If a parameter is preceded by the word ``anonymous'', only allocators 2683whose expected type is an anonymous access type are controlled. 2684 2685If a parameter is preceded by the word ``inconsistent'', only 2686allocators whose allocator subtype (the name after ``@code{@b{new}}'') 2687is not the same as the designated subtype (from the access type 2688declaration) are controlled. However an allocator is not considered 2689inconsistent when the designated subtype imposes no special 2690constraint: 2691@itemize @bullet 2692@item 2693when it is a class-wide type, since the allocator subtype will 2694generally be of some descendant specific type; 2695@item 2696when it is an unconstrained array type, since the allocated subtype is 2697necessarily constrained; 2698@item 2699when it is a base type (of the form @code{T'Base}). 2700@end itemize 2701 2702Note that if the access type includes a constraint like in the 2703following example: 2704@example 2705 @b{type} Acc @b{is} @b{access} integer @b{range} 1..10; 2706@end example 2707all allocators will necessarilly be inconsistent, since there is no 2708way to repeat the constraint at the place of the allocator. 2709 2710``Inconsistent'' can be given alone, in which case all inconsistent 2711allocators are controlled. 2712 2713Ex: 2714@example 2715search allocators (standard.string); 2716check allocators (T'Class); 2717check allocators (array); 2718check allocators (Inconsistent standard.Integer); 2719check allocators (Inconsistent); 2720 2721 -- all task allocators, except when the type is called "special": 2722check allocators (task, not all Special); 2723@end example 2724 2725@subsection Tips 2726The type given as an <entity> in the rule must be a first named 2727subtype, and the rule will also find allocators that use a subtype of 2728this type. If the type is declared within a generic package, the rule 2729will control all corresponding types from instantiations. 2730 2731The type mentionned in the rule is the one following the 2732@code{@b{new}} keyword, which is not necessarily the same as the 2733expected type in presence of implicit conversions like this: 2734 2735@example 2736 @b{type} T @b{is} @b{tagged} ...; 2737 @b{type} Class_Access @b{is} @b{access} T'Class; 2738 X : Class_Access; 2739begin 2740 X := @b{new} T; 2741@end example 2742 2743This allocator will be found for type @code{T}, not for type @code{T'Class}. 2744 2745For <categories>, note that the rule ``sees through'' derived and 2746private types (i.e. it will trigger if the ultimate type belongs to 2747the indicated category). 2748 2749The reason for the ``inconsistent'' modifier is that inconsistent 2750allocators may cost a double check. Given: 2751@example 2752 @b{type} Acc @b{is} @b{access} Positive; 2753 V : Acc; 2754@b{begin} 2755 V := @b{new} Natural'(...); 2756@end example 2757The compiler will first check the constraint for Natural, then the 2758constraint for Positive. To avoid confusion, it is better to always 2759use the same subtype for the allocator as used in the access type 2760declaration. 2761 2762The reason for the ``anonymous'' modifier is that allocators of 2763an anonymous type (especially access parameters) create a terrible mess in 2764accessibility rules, and are better avoided. 2765@subsection Limitations 2766In some (rare) cases involving anonymous access types as array or 2767record components, ASIS provides no way to determine the target type 2768of the (anonymous) acccess type. Inconsistent allocators will thus not 2769be controlled. Such cases are detected by the rule ``uncheckable''. 2770@xref{Uncheckable}. 2771 2772@node Array_Declarations, Aspects, Allocators, Rules reference 2773@section Array_Declarations 2774This rule controls properties of arrays, by enforcing a consistent 2775value or range of values for the lower or upper bound, or by limiting 2776the possible size. It can also control various aspects of the 2777component type of the array. 2778@subsection Syntax 2779@example 2780<control_kind> array_declarations (first, <value> | <bounds>); 2781<control_kind> array_declarations (last, <value> | <bounds>); 2782<control_kind> array_declarations (dimensions, <value> | <bounds>); 2783<control_kind> array_declarations ([all] length, <bounds>); 2784<control_kind> array_declarations (component, <type> @{,<repr_cond>@}); 2785<control_kind> array_declarations (index, <type> | <> 2786 @{,<type> | <>@}); 2787<bounds> ::= min|max <value> [, min|max <value> ] 2788<type> ::= <entity>|<category> 2789<category > ::= () | access | array | delta | digits | mod | private 2790 | protected | range | record | tagged | task 2791<repr_cond> ::= [not] pack | size | component_size 2792@end example 2793@subsection Action 2794This rule controls properties of the index or component of an array 2795type. The checks are therefore performed on array definitions, i.e. on 2796array (sub)type declarations and single array declarations. However, 2797the ``length'' subrule can be checked on any array variable, see 2798below. 2799 2800The first parameter is a subrule keyword: 2801@itemize 2802@item 2803``First'' and ``Last'' control the lower (respectively upper) bound of 2804each dimension of arrays (even unconstrained array types). If a single 2805value is specified without the ``min'' or ``max'' modifiers, the 2806subrule controls the bounds that are not exactly this value; 2807otherwise, it controls the bounds that are smaller than the given 2808``min'' value or greater than the given ``max'' value. It is possible, 2809but not required to specify both ``min'' and ``max''. If this subrule 2810is given both for ``search'' and for ``check'', the value(s) for 2811``search'' is interpreted as the prefered one, and the value(s) for 2812``check'' is interpreted as an alternative acceptable one; i.e., it is 2813a warning if the value is the one given for ``check'', and an error if 2814it is neither. In short: 2815@example 2816search array_declarations (first, 1); 2817check array_declarations (first, min -1, max 1); 2818@end example 2819will be silent if the lower bound of an array is 1, it will issue a 2820warning if it is in the range -1 .. 1, and an error otherwise. 2821@item 2822``Dimensions''controls the number of dimensions of arrays. If a single 2823value is specified without the ``min'' or ``max'' modifiers, the 2824subrule controls arrays whose number of dimensions is not exactly this 2825value; otherwise, it controls arrays whose number of dimensions are 2826smaller than the given ``min'' value or greater than the given ``max'' 2827value. It is possible, but not required to specify both ``min'' and 2828``max''. If this subrule is given both for ``search'' and for 2829``check'', the value(s) for ``search'' is interpreted as the prefered 2830one, and the value(s) for ``check'' is interpreted as an alternative 2831acceptable one; i.e., it is a warning if the value is the one given 2832for ``check'', and an error if it is neither. In short: 2833@example 2834search array_declarations (Dimensions, 1); 2835check array_declarations (Dimensions, min 2, max 3); 2836@end example 2837will be silent for one-dimensional arrays, it will issue a warning for 28382- and 3-dimensional arrays, and an error otherwise. 2839@item 2840``Length'' controls arrays that have a dimension whose number of 2841elements is smaller than the given ``min'' value or greater than the 2842given ``max'' value (except for unconstrained array types). At least 2843one of ``min'' or ``max'' must be specified, but it is not required to 2844specify both. 2845 2846If the ``all'' modifier is specified, all object declarations of an 2847array type are controlled, even if the declaration does not include 2848an explicit range constraint. This is useful if you want to assess 2849all variables that contain more than a certain number of elements. For 2850example: 2851@example 2852 type Tab is array (Min..Max) of Compo; -- Always checked 2853 subtype Str is String (Min..Max); -- Always checked 2854 V1 : String (Min..Max); -- Always checked 2855 V2 : Str; -- Checked only with "all" 2856@end example 2857 2858@item 2859``Component'' controls arrays whose component type is the indicated 2860<entity>, or whose component type belongs to the indicated 2861<category>. If the <entity> is a subtype, only arrays whose components 2862are of that subtype are controlled. If the indicated <entity> is a 2863type, all arrays whose components are of that type (including 2864subtypes) are controlled. The meaning of <category> is: 2865@itemize @bullet 2866@item 2867``()'': The component is of an enumerated type. 2868@item 2869``access'': The component is of an access type. 2870@item 2871``array'': The component is of an array type. 2872@item 2873``delta'': The component is of a fixed point type (it is not currently 2874possible to distinguish ordinary fixed point types from decimal fixed 2875point types). 2876@item 2877``digits'': The component is of a floating point type. 2878@item 2879``mod'': The component is of a modular type. 2880@item 2881``private'': The component is of a private type (including private 2882extensions). 2883@item 2884``protected'': The component is of a protected type. 2885@item 2886``range'': The component is of a signed integer type. 2887@item 2888``record'': The component is of an (untagged) record type. 2889@item 2890``tagged'': The component is of a tagged type (including type 2891extensions). 2892@item 2893``task'': The component is of a task type. 2894@end itemize 2895If <repr_cond> are specified, the rule controls only arrays to which 2896all the corresponding representation items apply: 2897@itemize @bullet 2898@item 2899``pack'': A pragma Pack applies to the array. 2900@item 2901``not pack'': No pragma Pack applies to the array. 2902@item 2903``size'': A size representation clause applies to the array. 2904@item 2905``not size'': No size representation clause applies to the array. 2906@item 2907``component_size'': A component_size representation clause applies to 2908the array. 2909@item 2910``not component_size'': No component_size representation clause 2911applies to the array. 2912@end itemize 2913 2914@item 2915``index'' controls arrays whose index types are the indicated 2916<entity>, or whose index types belong to the indicated <category>. If 2917the <entity> is a subtype, only arrays whose indexes are of that 2918subtype are controlled. If the indicated <entity> is a type, all 2919arrays whose indexes are of that type (including subtypes) are 2920controlled. The meaning of <category> is the same as for 2921``component'', but obviously only ``()'', ``range'', and ``mod'' are 2922allowed. 2923 2924The number of <entity> given determines the dimensionality of the 2925controlled arrays. If a ``<>'' is given in place of an entity, it 2926means that any type matches at that position. 2927@end itemize 2928 2929This rule can be specified several times for the ``component'' and 2930``index'' subrules. For other subrules, it can be specified at most 2931once for each subrule and for each of ``check'', ``search'' and 2932``count''. It is thus possible for each subrule to have a value 2933considered a warning, and a value considered an error. 2934 2935Ex: 2936@example 2937-- All arrays should start at 1: 2938check array_declarations (first, 1); 2939 2940-- No arrray of more than 100 elements: 2941check array_declarations (length, max 100); 2942 2943-- No empty array: 2944check array_declarations (length, min 1); 2945 2946-- Arrays whose component type is private: 2947check array_declarations (component, private); 2948 2949-- Packed arrays of Character 2950check array_declarations (component, Standard.Character, pack); 2951 2952-- Packed arrays of record without size clause 2953check array_declarations (component, record, packed, not size); 2954 2955-- One-dimensional arrays indexed by Integer 2956check array_declarations (index, standard.integer); 2957 2958-- Three dimensional arrays whose second index is an enumeration 2959check array_declarations (index, <>, (), <>); 2960@end example 2961 2962@subsection Tips 2963The subrule @code{Max_Length} ignores index constraints that are not 2964static. Non static index constraints can be controlled with the rule 2965@code{Non_Static (Index_Constraint)}. @xref{Non_Static}. 2966 2967Requiring the same @i{upper} bound for all arrays is not very useful, but: 2968@example 2969check array_declarations (last, min 1); 2970@end example 2971can be used to check that no array has a negative or zero upper bound. 2972 2973The subrule ``index'' controls a precise pattern of types used as 2974indices. To control the use of a type as an index at any position and 2975irrespectively of the number of indices of the array, use the rule 2976``type_usage''. @xref{Type_Usage}. 2977 2978@node Aspects, Assignments, Array_Declarations, Rules reference 2979@section Aspects 2980This rule controls aspect specifications (new feature in Ada 2012), either 2981all of them or specific ones. 2982@subsection Syntax 2983@example 2984<control_kind> aspects [(all | <aspect mark> @{, <aspect mark>@})]; 2985@end example 2986@subsection Action 2987Without parameters (or if ``all'' is given), controls all aspect 2988specifications. Otherwise, controls only the aspect specifications 2989corresponding to the given aspect marks. 2990 2991Ex: 2992@example 2993search aspects; 2994DBC: check aspects (Pre, Post, Pre'Class, Post'Class); 2995@end example 2996 2997@node Assignments, Barrier_Expressions, Aspects, Rules reference 2998@section Assignments 2999This rule controls various issues related to the assignment 3000statement: assignments that involve array sliding, redundant 3001assignments to the same variable, or groups of assignments that are 3002replaceable by aggregate assignment. 3003 3004@subsection Syntax 3005@example 3006<control_kind> assignments (sliding); 3007<control_kind> assignments (repeated); 3008<control_kind> assignments (groupable, <filter> @{,<filter>@}); 3009<filter> ::= given <min_val> | missing <max_val> | ratio <min_val> | 3010 total <max_val> 3011@end example 3012 3013@subsection Action 3014The first form (keyword ``sliding'') controls array assignments where 3015the target variable has a different lower bound than the assigned 3016expression; this is allowed by the language only in so-called 3017``sliding'' contexts. 3018 3019Other subrules control properties of groups of assignment statements. A 3020group is made of consecutive assignments, without any other 3021intervening kind of statements (except null statements). 3022 3023The second form (keyword ``repeated'') controls when a same variable 3024(or a same subcomponent of a structured variable) is assigned several 3025times in the same group of assignments. This form of the rule can be 3026given only once. 3027 3028The third form (keyword ``groupable'') controls assignments to 3029different subcomponents of a same structured variable; such 3030assignments are often replaceable by a global assignment of an 3031aggregate to the variable. One or several <filter> parameters 3032indicate under which conditions a group is reported: 3033@itemize @bullet 3034@item 3035``given'': <min_val> (an integer value) indicates the minimum number 3036of assigned subcomponents that will trigger the rule (i.e. the rule is 3037triggered if the number of assignments to subcomponents of a same 3038variable is greater or equal to the indicated value). 3039@item 3040``missing'': <max_val> (an integer value) indicates the maximum number 3041of subcomponents not assigned that will trigger the rule (i.e. the 3042rule is triggered if the number of subcomponents not assigned to is 3043lesser or equal to the indicated value). 3044@item 3045``ratio'': <min_val> (an integer value) indicates the minimum 3046percentage of assigned subcomponents that will trigger the rule 3047(i.e. the rule is triggered if the percentage of assigned 3048subcomponents is greater or equal to the indicated value). 3049@item 3050``total'': <max_val> (an integer value) indicates the maximum number 3051of subcomponents of the type that will trigger the rule (i.e. the 3052rule is triggered if the number of subcomponents of the record type is 3053lesser or equal to the indicated value). 3054@end itemize 3055 3056If several filters are given, the rule is triggered if all conditions 3057are met (``and'' logic). Note however that this rule can be given 3058several times, thus achieving ``or'' logic. 3059 3060The rule is @i{not} triggered on an object if a subcomponent of that object 3061is of a limited type, since global assignment would not be allowed in 3062that case. 3063 3064For other structured objects, a subcomponent is counted as assigned if 3065it has been assigned in full, or if it @i{should} have been assigned 3066in full (in other words: if the rule is triggered on those 3067subcomponents as well) - recursively, of course. 3068 3069Ex: 3070@example 3071search Assignments (sliding); 3072check Assignments (repeated); 3073 3074-- Warn if a at least 3 fields are given and at most 3075-- two fields are missing, or if 80% of the fields are given: 3076search assignments (groupable, given 3, missing 2); 3077search assignments (groupable, ratio 80); 3078@end example 3079 3080@subsection Tip 3081The ``sliding'' subrule is not intended to prevent all cases of 3082slidings (the dynamic ones are uncheckable), it is rather an 3083indication of ``obvious'' cases that could be avoided. 3084 3085Note that for the ``groupable'' subrule, it is possible to give 1 for 3086the ``given'' criterion; in this case, any assignment to parts of a 3087structured variable will be reported, only global assignment is 3088allowed. 3089 3090@subsection Limitations 3091As usual, AdaControl can control only static aspects of 3092assignments. Therefore, it cannot control assignments whose target is 3093not statically known (like dynamic indexing of arrays). Slices are 3094always considered dynamic (the cases where it would be useful did not 3095seem worth the additional complexity). 3096 3097For the ``sliding'' subrule, if the assigned expression is a 3098multidimensional aggregate, only the first dimension is checked for 3099sliding, other dimensions are ignored. This is not considered an 3100important issue, since in any case the rule can detect only static 3101cases, and the handling of sliding in multi-dimensional array 3102aggregates is extremely touchy (see RM 4.3.3 for details). 3103 3104For the ``groupable'' subrule, if the number of subcomponents is not 3105statically determinable (dynamic arrays, discriminated records), only 3106the ``given'' criterion can be met. 3107 3108@node Barrier_Expressions, Case_Statement, Assignments, Rules reference 3109@section Barrier_Expressions 3110Although the language allows any expression as the barrier of a 3111protected entry, it is generally better to use only ``simple'' 3112expressions. This rule controls the kind of constructs allowed in 3113barrier expressions. 3114@subsection Syntax 3115@example 3116<control_kind> Barrier_Expressions ([<allowable> @{, <allowable>@}]); 3117<allowable> ::= <entity> | <keyword> 3118<keyword> ::= 3119 allocation | any_component | any_variable | 3120 arithmetic_operator | array_aggregate | comparison_operator | 3121 conversion | dereference | indexing | 3122 function_attribute | local_function | logical_operator | 3123 record_aggregate | value_attribute 3124@end example 3125@subsection Action 3126Without parameters, the only elements allowed in barriers are 3127references to boolean components of the protected element and 3128litterals (this corresponds to what is allowed for the Ravenscar 3129profile). Parameters specify other constructs that are allowed: 3130@itemize @bullet 3131@item 3132Any <entity> (like a global variable, a function...) can be specified 3133and is thus allowed. As usual, the whole syntax for entities is allowed for 3134<entity>. @xref{Specifying an Ada entity name}. 3135@item 3136``allocation'' allows use of allocators. 3137@item 3138``any_component'' allows use of protected components that are not of 3139type @code{Standard.Boolean}. 3140@item 3141``any_variable'' allows use of any variable (i.e. variables external to 3142the protected element). 3143@item 3144``arithmetic_operator'' allows use of predefined arithmetic operators 3145(@code{"+"}, @code{"**"}, etc.). 3146@item 3147``array_aggregate'' allows use of array aggregates. 3148@item 3149``comparison_operator'' allows use of predefined comparison and 3150membership operators (@code{"="}, @code{">"}, @code{@b{in}}, etc.). 3151@item 3152``conversion'' allows use of type conversions and type qualifications. 3153@item 3154``dereference'' allows use of dereferencing of access types (both implicit 3155and explicit dereferences). 3156@item 3157``indexing'' allows use of array indexing and slices. 3158@item 3159``function_attribute'' allows use of attributes that are functions 3160(like @code{'Pred}, @code{'Image}, etc.). 3161@item 3162``local_function'' allows use of (protected) functions declared in the 3163same protected object. 3164@item 3165``logical_operator'' allows use of predefined logical operators and 3166short-circuit forms (@code{@b{and}}, @code{@b{or else}}, etc.). 3167@item 3168``record_aggregate'' allows use of record aggregates and extension 3169aggregates. 3170@item 3171``value_attribute'' allows use of attributes that are simple values 3172(like @code{'First}, @code{'Terminated}, etc.). 3173@end itemize 3174 3175This rule can be given only once for each of ``check'', ``search'' and 3176``count''. 3177 3178Ex: 3179@example 3180search barrier_expressions; 3181check barrier_expressions (logical_operator, comparison_operator, 3182 any_component, 3183 Pack.Global_State); 3184@end example 3185 3186@subsection Tips 3187The goal of the ``Simple_Barrier'' restriction from the Ravenscar 3188profile is to ensure that evaluation of barriers never raise 3189exceptions. Even simple things like a qualified expression can raise 3190exceptions, but in practice more than the restriction of the Ravenscar 3191profile can be ``reasonably'' allowed. 3192 3193Note that the various ``operator'' keywords allow only the use of 3194predefined operators. If a user defined operator should be allowed, 3195provide it explicitely as an <entity>. There is no way to allow any 3196function call, since this would boil down to allowing pretty much 3197anything, but you can of course specify explicitely functions that can 3198be called. 3199 3200You can provide this rule both for ``check'' and ``search'', but of 3201course it makes sense only if the set of allowed features for 3202``search'' is a superset of those allowed for ``check''. This way, the 3203use of certain features can be interpreted only as a warning. 3204 3205@node Case_Statement, Characters, Barrier_Expressions, Rules reference 3206@section Case_Statement 3207This rule controls various metrics related to the @code{@b{case}} 3208statement. It is intended for cases where it is desired to limit the 3209complexity of @code{@b{case}} statements. 3210@subsection Syntax 3211@example 3212<control_kind> Case_Statement (<subrule>, <bound> [, <bound>]); 3213<subrule> ::= others_span | paths | range_span | values | 3214 values_if_others 3215<bound> ::= min | max <value> 3216@end example 3217 3218@subsection Action 3219The first parameter is a subrule keyword. The second (and optionnally 3220third) parameter give the minimum and/or maximum allowed values 3221(i.e. the rule will control values outside the indicated interval). If 3222not specified, the minimum value is defaulted to 0 and the maximum 3223value to infinity. The parameters controlled by each subrule are: 3224@itemize 3225@item 3226``others_span'' controls the number of values covered by 3227@code{@b{when}} @code{@b{others}} case alternatives. 3228@item 3229``paths'' controls the number of paths (i.e. @code{@b{when}} branches). 3230@item 3231``range_span'' controls the number of values covered by ranges used as 3232choices. 3233@item 3234``values'' controls the number of values covered by the subtype 3235of the @code{@b{case}} selector. 3236@item 3237``values_if_others'' is like ``values'', but is activated only for 3238@code{@b{case}} statements with a @code{@b{when}} @code{@b{others}} 3239alternative. 3240@end itemize 3241 3242This rule can be specified at most once for each subrule and for each 3243of ``check'', ``search'' and ``count''. It is thus possible for each 3244subrule to have a value considered a warning, and a value considered 3245an error. 3246 3247Ex: 3248@example 3249check Case_Statement (others_span, min 1); 3250search Case_Statement (others_span, min 5); 3251 3252check Case_Statement (values, max 10); 3253check Case_Statement (paths, min 3, max 30); 3254@end example 3255 3256@subsection Tips 3257To control that no range is used as a choice in a @code{@b{case}} 3258statement: 3259@example 3260check case_statement (range_span, max 0); 3261@end example 3262 3263To control ``@code{@b{when}} @code{@b{others}}'' that 3264cover no value at all: 3265@example 3266check case_statement (others_span, min 1); 3267@end example 3268 3269@subsection Limitations 3270If some characteristic of the @code{@b{case}} statement depend on a 3271generic formal type, it is not possible to control some of the 3272features statically. Such cases are detected by the rule 3273``uncheckable''. @xref{Uncheckable}. 3274 3275If the subtype of the selecting expression of the @code{@b{case}} 3276statement, or a subtype in one of its a choice lists, has applicable 3277static predicates, AdaControl is not able to control the features that 3278depend on the number of values of the subtype. Such cases are detected 3279by the rule ``uncheckable''. @xref{Uncheckable}. We hope to be able to 3280remove this limitation in the future, but the problem is quite 3281difficult... 3282 3283@node Characters, Comments, Case_Statement, Rules reference 3284@section Characters 3285This rule makes sure that the program text does not use 3286``undesirable'' characters. 3287@subsection Syntax 3288@example 3289<control_kind> characters [(<subrule> @{, <subrule>@})]; 3290<subrule> ::= control | not_iso_646 | trailing_space | wide 3291@end example 3292 3293@subsection Action 3294The rule controls the occurrence in the source file of characters 3295belonging to the classe(s) defined by the subrules. Without 3296parameters, all classes are controlled. The classes are defined as 3297follows: 3298@itemize @bullet 3299@item 3300``control'': control characters that are allowed by the language 3301(ASCII HT, ASCII VT and ASCII FF). 3302@item 3303``not_iso_646'': characters outside the ISO-646 set (aka ASCII). 3304@item 3305``trailing_space'': space characters appearing at the end of the 3306source line. 3307@item 3308``wide'': wide characters that are not in @code{Standard.Character}. 3309@end itemize 3310 3311This rule can be given only once for each class of characters. 3312 3313Ex: 3314@example 3315check characters (control, trailing_space); 3316search characters (not_iso_646); 3317@end example 3318 3319@subsection Limitations 3320With the ``wide'' subrule, the error message may seem to not always 3321appear at the right place; this depends on the encoding scheme 3322used. For example, if your source contains (using bracket encoding): 3323@example 3324S : Wide_String := "["1041"]["1042"]"; 3325@end example 3326it will appear to AdaControl as a string containing two characters, 3327and therefore the error message for the second wide character will 3328point at two characters after the opening quote of the string. 3329 3330This rule controls only the characters in the source file; other means 3331of having characters in the corresponding classes (like using the 3332@code{'Val} attribute) are not controlled. 3333 3334@node Comments, Declarations, Characters, Rules reference 3335@section Comments 3336This rule controls comments that must, or must not, appear in certain cases. 3337 3338@subsection Syntax 3339@example 3340<control_kind> comments (pattern, "<pattern>" @{, "<pattern>"@}); 3341<control_kind> comments (position, <value> | <bounds>); 3342<control_kind> comments (terminating @{, "<pattern>" | begin | end@}); 3343<control_kind> comments (unnamed_begin, <kind> @{, <kind>@}); 3344<bounds> ::= min|max <value> [, min|max <value> ] 3345<kind> ::= [<condition>] <unit_kind> 3346<condition> ::= always | declaration | program_unit 3347<unit_kind> ::= all | procedure | function | entry | package | task 3348@end example 3349 3350@subsection Action 3351The first parameter is a subrule name which detemines what is being 3352controlled. 3353@itemize @bullet 3354@item 3355``pattern'' controls comments that match one of the given patterns 3356(given as strings). Only the ``useful'' part of the comment is 3357matched against the patterns, i.e. the part after the ``@code{--}'' 3358and spaces following it. Patterns are given using the full Regexp 3359syntax. @pxref{Syntax of regular expressions} for details. Pattern 3360matching is always case insensitive. 3361 3362This subrule is especially useful to find lines with comments like 3363``TBSL'' (To Be Supplied Later) or ``fixme'', which are often used to 3364mark places where something should be done before releasing the 3365program. 3366@item 3367``position'' controls the starting position of comments. If a single 3368value is specified without the ``min'' or ``max'' modifiers, the 3369subrule controls comments that do not start exactly at the indicated 3370column position; otherwise, it controls comments whose starting column 3371is smaller than the given ``min'' value or greater than the given 3372``max'' value. It is possible, but not required to specify both 3373``min'' and ``max''. If this subrule is given both for ``search'' and 3374for ``check'', the value(s) for ``search'' is interpreted as the 3375prefered one, and the value(s) for ``check'' is interpreted as an 3376alternative acceptable one; i.e., it is a warning if the value is the 3377one given for ``check'', and an error if it is neither. In short: 3378@example 3379search comments (position, 1); 3380check comments (position, min 1, max 6); 3381@end example 3382will be silent for comments that start in column 1, it will issue a 3383warning for comments that start at columns 2 to 6, and an error otherwise. 3384 3385@item 3386``terminating'' controls comments that are at the end of an otherwise 3387non empty line (i.e. that appear on the same line as a declaration or 3388statement). If ``begin'' is specified, comments appearing on a line 3389that contains only a @code{@b{begin}} are allowed (not reported); 3390similarly, if ``end'' is specified, comments appearing on a line that 3391contains only an @code{@b{end}} are allowed. Otherwise, the other 3392parameters are patterns that specify forms of comments that are 3393allowed. Patterns are given using the full Regexp syntax. 3394@pxref{Syntax of regular expressions} for details. Pattern matching is 3395always case insensitive. 3396@item 3397``unnamed_begin'' controls @code{@b{begin}} of various constructs that 3398do not have a comment that repeats the name of the program unit 3399associated to the @code{@b{begin}}. Except for spaces, the comment 3400must not contain anything else than the unit name. 3401 3402The <condition> keyword determines circumstances where the comment is required: 3403@itemize 3404@item 3405''always'' (default): the comment is always required. 3406@item 3407``declaration'': the comment is required only if the preceding 3408declaration part is non-empty (not counting pragmas). 3409@item 3410``program_unit'': the comment is required only if the preceding 3411declaration part contains the declarations of other program units 3412(subprograms, packages, protected objects, or tasks). 3413@end itemize 3414 3415The <unit_kind> keyword detemines the kind of program unit to which 3416the rule applies (``all'' stands for all kinds). The subrule can be 3417given only once of each kind of program unit. 3418@end itemize 3419 3420Ex: 3421@example 3422check comments (pattern, "TBSL"); 3423 3424-- Report places where rules are disabled: 3425search comments (pattern, "##.* off"); 3426 3427-- End of line comments are not allowed, except for the 3428-- comment that repeats the name of a procedure on the "begin" 3429-- line, and special AdaControl comments 3430check comments (terminating, begin, "^ *##"); 3431 3432-- Named begin required for packages unless they have no 3433-- declaration, and subprograms if they have nested units 3434check comments (unnamed_begin, declaration package); 3435check comments (unnamed_begin, program_unit procedure); 3436check comments (unnamed_begin, program_unit function); 3437@end example 3438 3439@subsection Tips 3440Remember that a Regexp matches if the pattern matches any part of the 3441identifier. Use ``^'' and ``$'' to match the beginning (resp. end) of 3442the comment, or both. 3443 3444@subsection Limitations 3445This rule does not support wide characters outside the basic Latin-1 set. 3446 3447@node Declarations, Default_Parameter, Comments, Rules reference 3448@section Declarations 3449This rule controls usage of various kinds of declarations, possibly only 3450those occurring at specified locations. 3451@subsection Syntax 3452@example 3453<control_kind> declarations (<subrule> @{, <subrule>@}); 3454<subrule> ::= @{[not] <location_kw>@} <declaration_kw> 3455<location_kw> ::= all | block | library | local | nested | 3456 own | private | public | in_generic | task_body 3457<declaration_kw> ::= 3458 any_declaration | 3459 abstract_function | abstract_operator | 3460 abstract_procedure | abstract_type | 3461 access_all_type | access_constant_type | 3462 access_constrained_array_type | access_def_discriminated_type | 3463 access_formal_Type | access_language_type | 3464 access_nondef_discriminated_type | access_protected_type | 3465 access_subprogram_type | access_task_type | 3466 access_unconstrained_array_type | access_unknown_discriminated_type | 3467 access_type | aliased_array_component | 3468 aliased_constant | aliased_protected_component | 3469 aliased_record_component | aliased_variable | 3470 anonymous_access_component | anonymous_access_constant | 3471 anonymous_access_discriminant | anonymous_access_parameter | 3472 anonymous_access_variable | anonymous_subtype_allocator | 3473 anonymous_subtype_case | anonymous_subtype_declaration | 3474 anonymous_subtype_for | anonymous_subtype_indexing | 3475 array | array_type | 3476 binary_modular_type | box_defaulted_formal_function | 3477 box_defaulted_formal_procedure | character_literal | 3478 child_unit | class_wide_constant | 3479 class_wide_variable | constant | 3480 constrained_array_constant | constrained_array_type | 3481 constrained_array_variable | controlled_type | 3482 decimal_fixed_type | defaulted_discriminant | 3483 defaulted_generic_parameter | defaulted_parameter | 3484 deferred_constant | derived_type | 3485 discriminant | empty_private_part | 3486 empty_visible_part | enumeration_type | 3487 entry | equality_operator | 3488 exception | expression_function | 3489 extension | fixed_type | 3490 float_type | formal_function | 3491 formal_package | formal_procedure | 3492 formal_type | function | 3493 function_call_renaming | function_instantiation | 3494 generic | generic_function | 3495 generic_package | generic_procedure | 3496 handlers | incomplete_type | 3497 in_out_generic_parameter | in_out_parameter | 3498 initialized_protected_component | initialized_record_component | 3499 initialized_variable | instantiation | 3500 integer_type | interface_type | 3501 library_unit_renaming | limited_private_type | 3502 modular_type | multiple_names | 3503 multiple_protected_entries | name_defaulted_formal_function | 3504 name_defaulted_formal_procedure | named_number | 3505 no_spec_function | no_spec_procedure | 3506 non_binary_modular_type | non_identical_operator_renaming | 3507 non_identical_renaming | non_joint_ce_ne_handler | 3508 non_limited_private_type | non_ravenscar_task | 3509 not_operator_renaming | null_defaulted_formal_procedure | 3510 null_extension | null_ordinary_record_type | 3511 null_procedure | null_procedure_body | 3512 null_procedure_declaration | null_tagged_type | 3513 operator | operator_renaming | 3514 ordinary_fixed_type | ordinary_fixed_type_no_small | 3515 ordinary_fixed_type_with_small | ordinary_record_type | 3516 ordinary_record_variable | out_parameter | 3517 package | package_instantiation | 3518 package_statements | predefined_operator | 3519 private_extension | procedure | 3520 procedure_instantiation | protected | 3521 protected_discriminant | protected_entry | 3522 protected_type | protected_variable | 3523 record_type | relay_function | 3524 relay_package | relay_procedure | 3525 renaming | renaming_as_body | 3526 renaming_as_declaration | scalar_variable | 3527 self_calling_function | self_calling_procedure | 3528 separate | signed_type | 3529 single_array | single_protected | 3530 single_task | subtype | 3531 synonym_renaming | tagged_incomplete_type | 3532 tagged_private_type | tagged_type | 3533 tagged_variable | task | 3534 task_discriminant | task_entry | 3535 task_type | task_variable | 3536 type | unconstrained_array_constant | 3537 unconstrained_array_type | unconstrained_array_variable | 3538 unconstrained_subtype | uninitialized_protected_component | 3539 uninitialized_record_component | uninitialized_variable | 3540 unknown_discriminant | variable | 3541 variant_part 3542@end example 3543 3544@subsection Action 3545The <location_kw> restricts the places where the occurrence of the 3546declaration is controlled. If it is preceded by ``not'', the 3547declaration is controlled except at this location. Several 3548<location_kw> can be given, in which case the declaration is 3549controlled at places where all the keywords apply. If there is no 3550<location_kw>, it is assumed to be ``all''. 3551@itemize @bullet 3552@item 3553@code{all}: puts no special restriction to the location. This keyword 3554can be specified for readability purposes, and if specified must 3555appear alone (not with other <location_kw>), and ``not'' is not 3556allowed. 3557@item 3558@code{block}: only declarations appearing in block statements are controlled. 3559@item 3560@code{library}: only library level declarations are controlled. 3561@item 3562@code{local}: only local declarations are controlled (i.e. only declarations 3563appearing in (generic) packages, possibly nested, are allowed). 3564@item 3565@code{own}: only declarations that are local to a (generic) package body 3566are controlled. 3567@item 3568@code{public}: only declarations appearing in the visible part of 3569(generic) packages are controlled. 3570@item 3571@code{private}: only declarations appearing directly in a private 3572part are controlled. 3573@item 3574@code{in_generic}: only declarations appearing directly or indirectly in a generic 3575specification or body are controlled. 3576@item 3577@code{task_body}: only declarations appearing directly in a task body 3578are controlled. Note that it would not make sense to have a 3579<location_kw> for task @i{specifications}, since only entries can 3580appear there, and they cannot appear anywhere else. 3581@end itemize 3582 3583The <declaration_kw> specifies what kind of declaration to control: 3584@itemize @bullet 3585@item 3586Declaration keywords that are Ada keywords match the corresponding Ada 3587declarations. 3588@item 3589@code{any_declaration} controls all declarations. This is of course not 3590intended to forbid all declarations in a program (!), but 3591@emph{counting} all declarations can be quite useful. 3592@item 3593@code{abstract_function}, @code{abstract_operator}, and 3594@code{abstract_procedure} control the declarations of abstract 3595functions, abstract operators, and abstract procedures, respectively. 3596@item 3597@code{abstract_type} controls the declaration of non-formal abstract 3598types. 3599@item 3600@code{access_type} controls all access type declarations, while 3601@code{access_subprogram_type}, @code{access_protected_type}, and 3602@code{access_task_type} control only access to procedures or 3603functions, access to protected types, or access to task types, 3604respectively. Similarly, @code{access_constrained_array_type} and 3605@code{access_unconstrained_array_type} control access to constrained 3606or unconstrained array types, @code{access_def_discriminated_type}, 3607@code{access_nondef_discriminated_type}, and 3608@code{access_unknown_discriminated_type} control access to types with 3609discriminants with default values, without default values, and unknown 3610discriminants, respectively. @code{access_formal_type} controls access 3611to (generic) formal types, @code{access_all_type} control generalized 3612access to variables types (aka "@code{@b{access} @b{all} T}", and 3613@code{access_constant_type} control generalized access to constants 3614types (aka "@code{@b{access} @b{constant} T}"). @code{access_language_type} 3615controls access to language defined private types. 3616@item 3617@code{aliased_variable} and @code{aliased_constant} control the 3618declarations of aliased variables or constants, respectively. 3619@item 3620@code{aliased_array_component} controls the declaration of arrays 3621(array types or single arrays) whose components are declared aliased. 3622@item 3623@code{aliased_record_component} and @code{aliased_protected_component} 3624control the declarations of aliased record (respectively protected) 3625components. 3626@item 3627@code{anonymous_access_component} controls array and record components 3628that are of an anonymous access type (but not discriminants, which are 3629controlled by @code{anonymous_access_discriminant}). Similarly, 3630@code{anonymous_access_constant} and @code{anonymous_access_variable} 3631control constants and variables that are of an anonymous access type 3632(including generic formal @code{@b{in}} and @code{@b{in} @b{out}} 3633parameters, respectively). @code{anonymous_access_parameter} controls 3634subprogram parameters that are of an anonymous access type, the only 3635ones that existed in Ada 95. Note that to avoid unnecessary messages, 3636if a subprogram has an explicit specification, the message for 3637@code{anonymous_access_parameter} is given on the specification and 3638not repeated on the body. 3639@item 3640@code{anonymous_subtype_declaration} controls the declarations of 3641anonymous subtypes and ranges that are part of some other 3642declaration. Similarly, @code{anonymous_subtype_allocator}, 3643@code{anonymous_subtype_case}, @code{anonymous_subtype_for}, and 3644@code{anonymous_subtype_indexing} control anonymous subtype 3645declarations and ranges that are part of allocators, @code{@b{case}} 3646statements (ranges in the @code{@b{when}} path), @code{@b{for}} loop 3647statements, and indexing of slices or array aggregates, respectively. 3648@item 3649@code{array} controls all array definitions (array types and single 3650arrays), while @code{array_type} controls only array types and 3651@code{single_array} controls only single arrays (objects of an 3652anonymous array type). @code{constrained_array_type} controls only 3653constrained array types, while @code{unconstrained_array_type} 3654controls only unconstrained array 3655types. @code{constrained_array_variable} controls variable 3656declarations where the given (or anonymous) array type is constrained, 3657while @code{unconstrained_array variable} controls variable 3658declarations where the given (or anonymous) array type is 3659unconstrained (and the constraint is provided by the initial value). 3660@code{constrained_array_constant} and 3661@code{unconstrained_array_constant} do the same with constants instead 3662of variables. 3663@item 3664@code{character_literal} controls the declaration of new character 3665literals, i.e. character literals defined as part of the values of an 3666enumeration type. 3667@item 3668@code{child_unit} controls the declaration of all child units. 3669@item 3670@code{constant} controls all constants, while 3671@code{class_wide_constant} control the declaration of constants of a 3672class-wide type, and @code{deferred_constant} controls the declaration 3673of deferred constants. 3674@item 3675@code{controlled_type} controls the declaration of controlled types, 3676i.e. descendants of @code{Ada.Finalization.Controlled} or 3677@code{Ada.Finalization.Limited_Controlled}. Note that this includes 3678also private types that are not visibly controlled. 3679@item 3680@code{defaulted_parameter} controls subprogram or entry (@b{in}) 3681parameters that provide a default value, while 3682@code{defaulted_generic_parameter} controls generic formal objects 3683that provide a default value. 3684@item 3685@code{derived_type} controls regular derived types, but not type 3686extensions (derivations of tagged types). These are controlled by 3687@code{extension} and @code{private_extension}. 3688@item 3689@code{discriminant} controls all declarations of types with 3690discriminants, while @code{protected_discriminant} and 3691@code{task_discriminant} control only discriminants of protected types 3692and task types, respectively. @code{defaulted_discriminants} controls 3693only discriminants where default values are 3694provided. @code{unknown_discriminants} controls only unknown 3695discriminants (AKA ``@code{(<>)}'' discriminants). 3696@item 3697@code{empty_private_part} controls package specification with an empty 3698private part, i.e. where the word @code{@b{private}} appears, but the 3699private part contains no declaration (even if it contains pragmas). 3700@item 3701@code{empty_visible_part} controls package specifications that contain 3702no declaration in the visible part (before the word @code{@b{private}} 3703if any), even if it contains pragmas. 3704@item 3705@code{enumeration_type} controls the declaration of enumeration types. 3706@item 3707@code{exception} controls exception declarations. 3708@item 3709@code{expression_function} controls declaration of expression functions 3710@item 3711@code{extension} controls type extensions, i.e. derivations from a tagged type 3712with a @code{@b{with record}} extension part. 3713@item 3714@code{fixed_type} controls all declarations of fixed point types while 3715@code{ordinary_fixed_type} controls only ordinary (binary) fixed point 3716types, @code{ordinary_fixed_type_no_small} controls ordinary fixed 3717point type without a representation clause for @code{'SMALL}, 3718@code{ordinary_fixed_type_with_small} controls ordinary fixed point 3719type with an explicit representation clause for @code{'SMALL}, and 3720@code{decimal_fixed_type} controls only decimal fixed point types 3721(those can never have a representation clause for @code{'SMALL}). 3722@item 3723@code{float_type} controls declarations of floating point types. 3724@item 3725@code{formal_function}, @code{formal_package}, 3726@code{formal_procedure}, and @code{formal_type} control all generic 3727formal functions, packages, procedures, and types, 3728respectively. @code{box_defaulted_formal_function}, 3729@code{box_defaulted_formal_procedure}, @code{name_defaulted_formal_function}, 3730@code{name_defaulted_formal_procedure}, and 3731@code{null_defaulted_formal_procedure} control generic formal 3732functions and procedures with a box default, a name default, and a 3733null default, respectively. 3734@item 3735@code{generic_function}, @code{generic_package}, 3736@code{generic_procedure} control generic function (respectively 3737package, procedure) declarations. 3738@item 3739@code{handlers} controls the presence of exception handlers in any 3740handled sequence of statements. 3741@item 3742@code{in_out_parameter} and @code{out_parameter} control subprogram 3743and entry parameters of modes @code{@b{in}} @code{@b{out}} and 3744@code{@b{out}} (respectively), while @code{in_out_generic_parameter} 3745and @code{out_generic_parameter} do the same for @i{generic} formal 3746parameters. Note that to avoid unnecessary messages, if a subprogram 3747has an explicit specification, the message is given on the 3748specification and not repeated on the body. 3749@item 3750@code{incomplete_type} controls (regular) incomplete type 3751declarations, while @code{tagged_incomplete_type} controls tagged 3752incomplete type declarations (Ada 2005). 3753@item 3754@code{initialized_variable} controls variable declarations that 3755include an initialization expression, unless they are of a class-wide 3756type since initialization is required in that case. 3757@item 3758@code{instantiation} controls all instantiations, while 3759@code{function_instantiation}, @code{package_instantiation}, 3760@code{procedure_instantiation} control function (respectively package, 3761procedure) instantiations. 3762@item 3763@code{integer_type} controls all declarations of integer types, while 3764@code{signed_type} controls only signed integer types, and 3765@code{modular_type} controls only modular types (both kinds); 3766@code{binary_modular_type} controls only modular types whose modulus 3767is a power of 2, and @code{non_binary_modular_type} controls only 3768modular types whose modulus is not a power of 2. 3769@item 3770@code{initialized_record_component} and 3771@code{initialized_protected_component} control the declaration of 3772record (respectively protected) component that include a default 3773initialization, while @code{uninitialized_record_component} and 3774@code{uninitialized_protected_component} control the declaration of record 3775(respectively protected) component that do not include a default 3776initialization, unless they are of a limited type since initialization would 3777not be allowed in that case. 3778@item 3779@code{limited_private_type} controls limited private type 3780declarations, while @code{non_limited_private_type} controls regular 3781(non limited) private type declarations. @code{tagged_private_type} 3782controls tagged private type declarations. 3783@item 3784@code{multiple_names} controls declarations where more than one 3785defining identifier is given in the same declaration. 3786@item 3787@code{multiple_protected_entries} controls protected definitions (from 3788protected types or single protected objects) that have more than one 3789entry declaration. Note that a protected definition with a single 3790entry family declaration is counted as a single entry declaration. 3791@item 3792@code{named_number} controls declarations of named numbers, 3793i.e. untyped constants. 3794@item 3795@code{no_spec_function} and @code{no_spec_procedure} control function 3796and procedure bodies respectively, including body stubs (but not 3797proper bodies since the control is on the stub), that do not have an 3798explicit specification. 3799@item 3800@code{non_joint_CE_NE_handler} controls exception handlers whose 3801choices include @code{Constraint_Error} or @code{Numeric_Error}, but 3802not both. This is intended for legacy Ada 83 code that required to 3803always handle these exceptions together; it makes little sense for 3804Ada95 or Ada2005 code (and to be honnest, this subrule is provided 3805because Gnatcheck has it). 3806@item 3807@code{null_extension} controls record extensions (derived tagged 3808types) that contain no new elements. Similarly, 3809@code{null_ordinary_record_type} and @code{null_tagged_type} control 3810ordinary records and tagged types that contain no elements. Note that 3811the record definitions may be plain ``@code{@b{null}} 3812@code{@b{record}}'' definitions, or full record definitions that 3813contain only null components. However, a definition is not considered 3814null if it contains a variant part. 3815@item 3816@code{null_procedure_body} controls procedure declarations whose 3817sequence of statements contain only @code{@b{null}} statements (or 3818blocks without declarations and containing only @code{@b{null}} 3819statements). @code{null_procedure_declaration} controls Ada2005 null 3820procedure declarations (i.e., ``@b{procedure} P @b{is} 3821@b{null};''). @code{null_procedure} controls both. 3822@item 3823@code{operator} controls the definition of operators (things like 3824@code{"+"}); note that the message is given on the specification if 3825there is an explicit specification, on the body 3826otherwise. @code{equality_operator} controls only equality operators 3827(@code{"="} and @code{"/="}) and @code{predefined_operator} controls 3828only operator definitions that overload a predefined operator (like 3829@code{"+"} on a numeric type, for example). 3830@item 3831@code{package_statements} controls the presence of elaboration 3832statements in the bodies of packages (or generic packages). 3833@item 3834@code{private_extension} controls private extensions, i.e. derivations 3835from a tagged type with a @code{@b{with private}} extension part. 3836@item 3837@code{record_type} controls all record type declarations (tagged or 3838not), while @code{ordinary_record_type} controls only non-tagged 3839record types, and @code{tagged_type} controls only tagged record types. 3840@item 3841@code{interface_type} controls interface type declarations. 3842@item 3843@code{relay_function} controls functions whose statement part includes 3844only a single @code{@b{return}} statement whose expression is another 3845function call; similarly, @code{relay_procedure} controls procedures 3846whose statement part includes only a call to another procedure, and 3847@code{relay_package} controls packages whose visible part includes 3848only the declaration of another package (regular package, 3849instantiation of a generic package, or renaming of package). 3850@item 3851@code{renaming} controls all renaming declarations, while 3852@code{renaming_as_body} controls only those that are renamings as 3853bodies of subprograms, @code{renaming_as_declaration} controls only 3854those that are regular renamings of subprograms (i.e. not as bodies), 3855@code{operator_renaming} controls only those that are renamings of an 3856operator, @code{not_operator_renaming} controls only those that are 3857@emph{not} renamings of an operator, @code{function_call_renaming} 3858controls renaming of the result of a function call, and 3859@code{library_unit_renaming} controls renaming of library units. 3860@code{non_identical_renaming} controls only renamings where the new 3861name and the old name are not the same, and 3862@code{non_identical_operator_renaming} does the same, but only for 3863renamings of operators. @code{synonym_renaming} controls renamings declared in 3864the same declarative part as the entity being renamed (these serve no purpose 3865as far as visibility is concerned, and are thus pure synonyms). 3866@item 3867@code{self_calling_function} controls functions whose body contains 3868only a single (simple) @code{@b{return}} statement, and the return 3869expression is a (recursive) call to the same function. Similarly, 3870@code{self_calling_procedure} controls procedures whose body contains 3871only a single statement which is a (recursive) call to the same 3872procedure. Note that this corresponds to bodies automatically 3873generated by gnatstub. 3874@item 3875@code{subtype} controls all explicit subtype declarations (i.e. not 3876all anonymous subtypes that appear at various places in the 3877language), while @code{unconstrained_subtype} controls only the 3878subtype declarations that do not include a constraint. 3879@item 3880@code{task} controls task type declarations as well as single tasks 3881declarations while @code{single_task} and @code{task_type} control 3882only single task declarations or task type declarations respectively 3883(and similarly for @code{protected}). @code{non_ravenscar_task} controls 3884all task type and task object declarations from a unit to which no 3885@code{pragma Profile (Ravenscar)} applies. 3886@item 3887@code{type} controls all type (but not subtype) declarations. 3888@item 3889@code{uninitialized_variable} controls variable declarations that 3890do not include an initialization expression. Depending on the value of 3891the rule variable ``limited_initialization'' (see below), variables of 3892a limited type, or only variables of a task or protected type, are not 3893reported, since initialization would not be allowed in that case. 3894@item 3895@code{variable} controls all variable declarations. 3896@code{scalar_variable} controls the declarations of variables of a 3897scalar type (integer, enumeration, float, fixed). 3898@code{ordinary_record_variable} controls declarations of variables of 3899an untagged record type. @code{tagged_variable} controls declarations 3900of variables of a tagged type (including class-wide ones), while 3901@code{class_wide_variable} controls only the declarations of variables 3902of a class-wide type. @code{task_variable} and 3903@code{protected_variable} control task and protected objects 3904(respectively), whether given with a named or anonymous type. 3905@item 3906@code{variant_part} controls variant parts in record defintions. 3907@end itemize 3908 3909Ex: 3910@example 3911-- No task, no exception: 3912search declarations (task, exception); 3913 3914-- Don't declare subprograms or packages inside a block: 3915check declarations (block procedure, block function, block package); 3916 3917-- No task in the public part of a package: 3918check declarations (public task); 3919 3920-- Generics allowed only as top-level units 3921check declarations (not library generic); 3922@end example 3923 3924@subsection Variable 3925The rule provides a variable that allows to adjust the handling of 3926limited types for the subrule 3927``uninitialized_variable''. Initialization of variables of a limited 3928type was not permitted until Ada 2005. 3929 3930@need 800 3931@multitable @columnfractions .25 .10 .10 .55 3932@item 3933@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 3934@item 3935Limited_Initialization 3936@tab off@*on 3937@tab off 3938@tab 3939@table @asis 3940@item off 3941uninitialized variables of a limited type are never reported. 3942@item on 3943uninitialized variables of a limited type are are reported like 3944non-limited variables, unless they are of a task or protected type, 3945since no initialization would be allowed in that case. 3946@end table 3947@end multitable 3948 3949@subsection Tips 3950Certain keywords are @i{not} exclusive, and it may be the case that 3951several keywords apply to the same declaration; in this case, they are 3952all reported. For example, if you specify: 3953@example 3954check declarations (record_type, tagged_type); 3955@end example 3956tagged types will be reported both as ``record_type'' and 3957``tagged_type''. 3958 3959There is no subrule for checking functions whose result type is from 3960an anonymous access type; these are controlled by the rule 3961@code{return_type (anonymous_access)}. @xref{Return_Type}. 3962 3963Some of the keyword do not seem very useful; it would be strange to 3964have a programming rule that prevents all type declarations... But 3965bear in mind that the <location_kw> can be used to restrict the check 3966to certain locations; moreover, AdaControl can be used not only for 3967checking, but also for searching; finding all type declarations in a 3968set of units can make sense. As another example, ``search declarations 3969(own variable);'' will find all variables declared directly in package 3970bodies. 3971 3972Some modifiers do not make sense with certain declarations; for 3973example, a ``private out_parameter'' is impossible (a parameter 3974occurs in a subprogram declaration, not @i{directly} in a private 3975part). This is not a problem as far as the rule is concerned, but 3976don't expect to find any... 3977 3978Generally, discriminants are considered components of record 3979types. However, discriminants of an anonymous access type (so-called 3980access discriminants) play such a special role in the language that 3981they deserved their own control 3982(@code{anonymous_access_discriminant}). 3983 3984Private types are normally followed in determining the kind of access 3985type (i.e., an access to a private type will be controlled according 3986to the full declaration). However, this is not done for an access type 3987that designates a private type defined in a language defined unit 3988(since the full type depends on the implementation); these are 3989controlled as ``access_language_type'' instead. Of course, language 3990defined @i{visible} types are controlled normally. 3991 3992@subsection Limitation 3993In some rare cases, AdaControl may not be able to evaluate the modulus 3994of a modular type definition, thus preventing correct operation of 3995``binary_modular_type'' and ``non_binary_modular_type'' subrules. Such 3996cases are detected by the rule ``uncheckable''. @xref{Uncheckable}. 3997 3998@node Default_Parameter, Dependencies, Declarations, Rules reference 3999@section Default_Parameter 4000This rule checks usage (or non-usage) of defaulted parameters. 4001@subsection Syntax 4002@example 4003<control_kind> default_parameter (<place>, <formal>, <usage>); 4004<place> ::= <entity> | calls | instantiations 4005<formal> ::= <formal name> | all 4006<usage> ::= used | positional | not_used 4007@end example 4008 4009@subsection Action 4010The rule controls subprogram calls or generic instantiations that use 4011the default value for the indicated parameter, or conversely don't use 4012it, either in positional notation or in any notation. If a subprogram 4013is called, or a generic instantiated, whose name matches <entity>, and 4014it has a formal whose name is <formal name>, then: 4015@itemize @bullet 4016@item 4017If the string @code{used} (case irrelevant) is given as the third 4018parameter, the rule reports when there is no corresponding actual 4019parameter (i.e. the default value is used for the parameter). 4020@item 4021If the string @code{positional} (case irrelevant) is given as the 4022third parameter, the rule reports when there is an explicit 4023corresponding actual parameter (i.e. the default is not used for the 4024parameter), and the actual uses positional (not named) notation. 4025@item 4026If the string @code{not_used} (case irrelevant) is given as the third 4027parameter, the rule reports when there is an explicit corresponding 4028actual parameter (i.e. the default is not used for the parameter), 4029independently of whether it uses positional or named notation. 4030@end itemize 4031 4032As usual, the whole syntax for entities is allowed for 4033<entity>. @xref{Specifying an Ada entity name}. On the other hand, 4034<formal> is the simple name of the formal parameter. 4035 4036Alternatively, the <entity> can be specified as @code{calls}, to 4037control all calls or @code{instantiations}, to control all 4038instantiations. The <formal name> can be replaced by @code{all}, in 4039which case all formals are controlled. 4040 4041Ex: 4042@example 4043check default_parameter (P, X, used); 4044check default_parameter (P, Y, not used); 4045search default_parameter (calls, all, positional); 4046@end example 4047 4048@subsection Tip 4049If the <entity> is a generic subprogram, it is also possible to give a 4050formal parameter (a parameter of the subprogram, not a generic 4051parameter) as the <formal name>; in this case, all instantiations of 4052the indicated generic subprogram will be controlled for the use of the 4053indicated parameter. 4054 4055@node Dependencies, Derivations, Default_Parameter, Rules reference 4056@section Dependencies 4057This rule controls dependencies of units (i.e. @code{@b{with}} 4058clauses, parents, child units...), either according to a set of 4059allowed/forbidden units, or by count. 4060 4061@subsection Syntax 4062@example 4063<control_kind> dependencies (others, <unit> @{,<unit>@}); 4064<control_kind> dependencies (with, <unit> @{,<unit>@}); 4065<control_kind> dependencies (public_child | private_child); 4066<control_kind> dependencies (<counter>, <bound> [, <bound>]); 4067<counter> ::= raw | direct | parent 4068<bound> ::= min | max <value> 4069@end example 4070 4071@subsection Action 4072The kind of action depends on the specified subrule. 4073 4074The ``others'' subrule controls semantic dependencies to units other 4075than those indicated. This subrule can be specified only once, and at 4076least one unit must be given. 4077 4078The ``with'' subrule controls with clauses that reference the 4079indicated units. At least one unit must be given. 4080 4081Note that for these two rules, renamings are followed: if you give the 4082basic name of a unit, it will be identified even if used with other 4083names. Similarly, if you give the name of a generic, all of its 4084instantiations will also be controlled. 4085 4086``public_child'' and ``private_child'' control units that depend on 4087their own public (respectively private) child units. Since these 4088subrules have no parameters, they can be given only once. 4089 4090Other subrules control that the number of various dependencies is 4091whithin a specified range. The second (and optionnally third) 4092parameter give the minimum and/or maximum allowed values (i.e. the 4093rule will control values outside the indicated interval). If not 4094specified, the minimum value is defaulted to 0 and the maximum value 4095to infinity. 4096@itemize @bullet 4097@item 4098``raw'' controls the number of units textually given in 4099@code{@b{with}} clauses. Redundant @code{@b{with}} clauses are 4100counted, and a child unit counts for one. 4101@item 4102``direct'' controls the number of different units that this unit 4103really depends on: if a unit is mentionned in several @code{@b{with}} 4104clauses, it is counted only once, but if a child unit is mentionned, 4105all parents of this child unit are added to the count. 4106@item 4107``parent'' counts the number of parents of the current unit. A root 4108unit has no parent, a child of a root unit has one parent, etc. 4109@end itemize 4110 4111Ex: 4112@example 4113check dependencies (others, Ada.Text_IO); 4114check dependencies (raw, max 15); 4115 4116-- child units should not be nested more than 5 levels: 4117check dependencies (parent, max 5); 4118 4119-- units that depend on nothing: 4120search dependencies (direct, min 1); 4121 4122-- units that depend on their public children: 4123check dependencies (public_child); 4124@end example 4125 4126@subsection Tips 4127If you give a name that's already a renaming to the ``others'' or 4128``with'' subrules, the rule will only apply to this name, not to what 4129has been renamed. Therefore: 4130@example 4131 -- Allow only Ada.Text_IO: 4132check dependencies (others, Ada.Text_IO); 4133 4134-- But not if the plain name Text_IO is used: 4135check dependencies (with, Text_IO); 4136@end example 4137 4138The notion of public or private for the rules ``public_child'' or 4139``private_child'' refer to the real unit, which is not necessarily the 4140name used in the with clause, if for example you have a private 4141library renaming of a public unit. 4142 4143There is a slight overlap between this rule and the rule 4144``entities'. But ``entities'' will find all uses of an entity (not 4145necessarily a compilation unit), while ``dependencies'' will control 4146occurrences only of compilation units, and only in @code{@b{with}} 4147clauses. @xref{Entities}. 4148 4149In certain contexts, only a set of the Ada predefined units is 4150allowed. For example, it can be useful to forbid units defined in 4151special needs annexes. The @code{rules} directory of Adacontrol 4152contains files with ``Dependencies'' rules that forbid the use of 4153various predefined Ada units. Comment out the lines for the units that 4154you want to allow. You can then simply ``source'' these files from 4155your own rule file (or copy the content) if you want to disallow these 4156units. @xref{Rules files provided with AdaControl}. 4157 4158@node Derivations, Directly_Accessed_Globals, Dependencies, Rules reference 4159@section Derivations 4160This rule controls various properties of the declaration of derived types. 4161 4162@subsection Syntax 4163@example 4164<control_kind> derivations (from, <entity>|<category> 4165 @{, <entity>|<category>@}) 4166<control_kind> derivations (max_parents, <value>) 4167<category> ::= () | access | array | delta | digits | mod | 4168 private | protected | range | record | tagged | task 4169@end example 4170 4171@subsection Action 4172The ``from'' subrule controls derivations according to the parent 4173type and progenitors. 4174 4175If <entity> is a type name, it controls types that are derived 4176(directly or indirectly) from the given type (including interfaces), 4177or one of its subtypes; however, if it is a @i{subtype} name, only 4178types that are derived (directly or indirectly) from the given subtype 4179are controlled. If <entity> is the name of a compilation unit, it 4180controls types that are derived (directly or indirectly) from a type 4181(or subtype) declared inside the given unit. As usual, the whole 4182syntax for entities is allowed for <entity>. @xref{Specifying an Ada 4183entity name}. 4184 4185If <category> is given, it controls derived types whose parent type 4186belongs to the corresponding category. The meaning of <category> is: 4187@itemize @bullet 4188@item 4189``()'': The parent is of an enumerated type. 4190@item 4191``access'': The parent is of an access type. 4192@item 4193``array'': The parent is of an array type. 4194@item 4195``delta'': The parent is of a fixed point type (it is not currently 4196possible to distinguish ordinary fixed point types from decimal fixed 4197point types). 4198@item 4199``digits'': The parent is of a floating point type. 4200@item 4201``mod'': The parent is of a modular type. 4202@item 4203``private'': The parent is of a private type (including private 4204extensions). 4205@item 4206``protected'': The parent is of a protected type. 4207@item 4208``range'': The parent is of a signed integer type. 4209@item 4210``record'': The parent is of an (untagged) record type. 4211@item 4212``tagged'': The parent is of a tagged type (including type 4213extensions). 4214@item 4215``task'': The parent is of a task type. 4216@end itemize 4217 4218It may be the case that several controls apply to a given parent 4219type. In this case, only one message is issued, that corresponds to 4220the most specific control according to the following priority order: 4221@enumerate 4222@item 4223Specific subtype 4224@item 4225Specific type 4226@item 4227Type or subtype from a compilation unit 4228@end enumerate 4229If a category also applies to the parent type, a separate message is 4230always issued. 4231 4232Ex: 4233@example 4234check derivations (from, Standard.Integer); 4235 -- Types derived from Integer 4236 4237search derivations (from, standard); 4238-- Types derived from a type in Standard, except Standard.Integer 4239-- (caught above) 4240 4241search derivations (from, range); 4242-- Types derived from an integer type 4243@end example 4244 4245The ``max_parents'' subrule controls the maximum number of parents in 4246a derivation. The parents are the direct ancestor in a derived type 4247definition, plus all of the progenitors (the interfaces that are 4248implemented by the type). <n> is the maximum number of @i{allowed} 4249parents, i.e. the rule is triggered if the number of parents is 4250strictly greater than <n>. 4251 4252This subrule can be given once for each of check, search, and 4253count. This way, it is possible to have a number of parents 4254considered a warning (search), and one considered an error (check). Of 4255course, this makes sense only if the number for search is less than 4256the one for check. 4257 4258@example 4259check derivations (max_parents, 5); -- error if more than 5 parents 4260search derivations (max_parents, 3); -- warning if more than 3 parents 4261@end example 4262 4263@node Directly_Accessed_Globals, Duplicate_Initialization_Calls, Derivations, Rules reference 4264@section Directly_Accessed_Globals 4265This rule checks that global variables in package bodies are accessed 4266only through dedicated subprograms. Especially, it can be used to 4267prevent race conditions in multi-tasking programs. 4268@subsection Syntax 4269@example 4270<control_kind> directly_accessed_globals [(<kind> @{,<kind>@})]; 4271<kind> ::= plain | accept | protected 4272@end example 4273@subsection Action 4274The rule controls global variables declared directly in (generic) 4275package bodies that are accessed outside of dedicated callable 4276entities (i.e. procedure or function, possibly protected, protected 4277entries, and @code{@b{accept}} statements). 4278 4279This rule can be specified only once. The parameters indicate which 4280kinds of callable entity are allowed: ``plain'' for non-protected 4281subprograms, ``protected'' for protected subprograms, and ``accept'' 4282for @code{@b{accept}} statements). Without parameters, all forms are 4283allowed. 4284 4285More precisely, the rule ensures that the global variables are read 4286from a single callable entity, and written by a single callable 4287entity. Note that the same callable entity can read and write a 4288variable, but in this case no other callable entity is allowed to read 4289or write the variable. 4290@itemize @bullet 4291@item 4292Subprograms used to read/write the variables must be declared at the 4293same level as the variable itself (i.e. not nested), and must not be 4294generic. 4295@item 4296Protected subprograms used to read/write the variables must both be 4297part of the same single protected object, which must be declared at 4298the same level as the variable itself (i.e. not nested); they are not 4299allowed to be declared in a protected @i{type}, since if there are 4300several protected objects of the same type, mutual exclusion would not 4301be enforced. 4302@item 4303@code{@b{accept}} statements used to read/write the variables must 4304both be part of the same single task object, which must be declared at 4305the same level as the variable itself (i.e. not nested); they are not 4306allowed to be declared in a task @i{type}, since if there are several 4307task objects of the same type, mutual exclusion would not be enforced. 4308@end itemize 4309In short, this rule enforces that all global variables are accessed by 4310dedicated access subprograms, and that only those subprograms access 4311the variables directly. If given with the keyword ``protected'' and/or 4312``accept'', it enforces that global variables are accessed only by 4313dedicated protected subprograms or tasks, ensuring that no race condition is 4314possible. 4315 4316Ex: 4317@example 4318check directly_accessed_globals 4319@end example 4320 4321@subsection Tips 4322Note that this rule controls global variables from package @i{bodies}, 4323not those from the specification. This is intended, since it makes 4324little sense to declare a variable in a specification, and then 4325require it not to be accessed directly, but through provided 4326subprograms. Obviously, in this case the variable should be moved to 4327the body. 4328 4329Note that AdaControl can check that no variable is declared in a 4330package specification with the following rule: 4331@example 4332check usage (variable, from_spec); 4333@end example 4334@pxref{Usage} for details. 4335 4336@subsection Limitations 4337AdaControl cannot check entities accessed through dynamic names 4338(dynamic renaming, access on aliased variables). Use of such 4339constructs is detected by the rule ``uncheckable''. 4340@xref{Uncheckable}. 4341 4342Due to a weakness in the ASIS standard, it is not possible to know the 4343mode (@b{in}, @b{out}) of variables used as parameters of dispatching 4344calls. Such variables are considered to be read and written at the 4345point of the call, therefore possibly creating false positives (which 4346is safer than false negatives). Use of such constructs is detected by 4347the rule ``uncheckable''. @xref{Uncheckable}. 4348 4349@node Duplicate_Initialization_Calls, Entities, Directly_Accessed_Globals, Rules reference 4350@section Duplicate_Initialization_Calls 4351This rule checks that some procedures (notably initialization 4352procedures) are not called several times in identical conditions. 4353@subsection Syntax 4354@example 4355<control_kind> duplicate_initialization_calls (<entity> @{, <entity>@}); 4356@end example 4357@subsection Action 4358This rule controls calls to initialization procedures that are 4359duplicated. The <entity> parameters are the initialization procedures 4360to be controlled. As usual, the whole syntax for entities is allowed for 4361<entity>. @xref{Specifying an Ada entity name}. 4362 4363More precisely, the initialization procedures must follow one of these 4364patterns: 4365@itemize @bullet 4366@item 4367The procedure only has @code{@b{in}} parameters. All actual parameters 4368used in calls are static, and not two calls have the same values for 4369all parameters. 4370@item 4371The procedure has exactly one @code{@b{out}} parameter (and no 4372@code{@b{in out}} parameter). Not two calls refer the same actual variable 4373for the @code{@b{out}} parameter. 4374@end itemize 4375 4376The rule controls any violation of these patterns. If a procedure passed as parameter 4377does not have a profile that corresponds to one of the above patterns, it is an error. 4378 4379Ex: 4380@example 4381check duplicate_initialization_calls (pack.init_proc); 4382@end example 4383 4384@subsection Limitation 4385If a variable passed as an @code{@b{out}} parameter is not statically 4386determinable, it is not controlled by the rule. Such a case is 4387detected by the rule ``uncheckable''. @xref{Uncheckable}. 4388 4389@node Entities, Entity_Inside_Exception, Duplicate_Initialization_Calls, Rules reference 4390@section Entities 4391This rule is used to control usage of Ada entities, i.e. any declared 4392element (type, variables, packages, etc). 4393@subsection Syntax 4394@example 4395<control_kind> entities (@{[not] <location>@} [instance] <entity> 4396 @{, @{[not] <location>@} [instance] <entity>@}); 4397<location> ::= block | library | local | nested | own | 4398 private | public | in_generic | task_body 4399 4400@end example 4401 4402@subsection Action 4403This rule controls all uses of the indicated entities,or only those 4404that appear within the specified locations. As usual, the whole syntax 4405for entities is allowed for <entity>. @xref{Specifying an Ada entity 4406name}. 4407 4408When present, the <location_kw> restricts the places where the entity 4409is controlled. If it is preceded by ``not'', the entity is 4410controlled except at this location. Several <location_kw> can be 4411given, in which case the entity is controlled at places where all the 4412keywords apply. 4413@itemize @bullet 4414@item 4415@code{block}: the entity appears in a block statement. 4416@item 4417@code{library}: the entity appears at library level. 4418@item 4419@code{local}: the entity appears in a local scope (i.e. not in 4420(generic) packages, possibly nested) 4421@item 4422@code{own}: the entity appers in a (generic) package body. 4423@item 4424@code{public}: the entity appears in the visible part of a 4425(generic) package. 4426@item 4427@code{private}: the entity appears directly in a private 4428part. 4429@item 4430@code{in_generic}: the entity appears directly or indirectly in a generic 4431specification or body. 4432@item 4433@code{task_body}: the entity appears directly in a task body. 4434@end itemize 4435 4436If the given entity is a generic unit or an 4437entity declared inside a generic unit, all corresponding uses in all 4438instances will be reported. Uses of the generic entity itself will also 4439be reported normally, unless the keyword @code{instance} is given. 4440 4441Note that this rules reports on the use of the @i{entity}, not the 4442@i{name}: if an entity has been renamed, it will be found under its 4443various names. 4444 4445Ex: 4446@example 4447search entities (Debug.Trace); 4448check entities (Ada.Text_IO.Float_IO.Put); 4449check entities (instance Ada.Unchecked_Conversion); 4450@end example 4451The second line will report on any use of a @code{Put} from any 4452instantiation of @code{Float_IO}. The third one will report only 4453on uses of instances of @code{Ada.Unchecked_Conversion}. 4454 4455@subsection Tips 4456This rule is safer than cross-references if you want to check where 4457certain entities are used, since it follows renamings but does not 4458report on homonyms of the intended entity. 4459 4460This rule can also be used to check for all occurrences of certain 4461attributes with the ``@code{all <Attribute>}'' syntax. For example, 4462the following will report on any usage of @code{'Unchecked_Access}: 4463@example 4464check entities (all 'Unchecked_Access); 4465@end example 4466 4467If you want to make sure that certain compilation units are not used, 4468it is preferable to use the rule ``Depencies (with,...)'' rather than 4469``Entities'', because ``Entities'' will control all uses of the unit, 4470while ``Dependencies'' will control only those in @code{@b{with}} 4471clauses (which is of course sufficient). 4472 4473In certain contexts, it can be useful to forbid certain entities, like 4474those from @code{Standard}, @code{System}, or entities defined in 4475special needs annexes packages. The @code{rules} directory of 4476Adacontrol contains files with ``Dependencies'' and ``Entities'' rules 4477that forbid the use of various predefined Ada elements. Comment out 4478the lines for the elements that you want to allow. You can then 4479simply ``source'' these files from your own rule file (or copy the 4480content) if you want to disallow these elements. @xref{Rules files 4481provided with AdaControl}. 4482 4483@subsection Limitation 4484GNAT defines @code{Unchecked_Conversion} and 4485@code{Unchecked_Deallocation} as separate entities, rather than 4486renamings of @code{Ada.Unchecked_Conversion} and 4487@code{Ada.Unchecked_Deallocation}. As a consequence, it is necessary 4488to specify explicitely both forms if you want to make sure that the 4489corresponding generics are not used. 4490 4491@node Entity_Inside_Exception, Exception_Propagation, Entities, Rules reference 4492@section Entity_Inside_Exception 4493This rule controls entities that appear within exception handlers. 4494@subsection Syntax 4495@example 4496<control_kind> entity_inside_exception (<spec> @{, <spec>@}); 4497<spec> ::= [not] <entity> | calls | entry_calls 4498@end example 4499 4500@subsection Action 4501This rule controls exception handlers that contain references to one 4502or several Ada entities specified as parameters. If the keyword 4503``calls'' is given, it stands for all subprogram and entry calls. If 4504the keyword ``entry_calls'' is given, it stands for all entry calls 4505(task or protected). If an <entity> (or ``calls'' or ``entry_calls'') 4506is preceded by the keyword ``not'', it is not included in the list of 4507controlled entities (i.e. the entity is allowed in the exception 4508handler). This allows to make exceptions to a more general 4509specification of an entity, or to allow calls to well-defined 4510procedures if the keyword ``calls'' is given. 4511 4512Ex: 4513@example 4514-- No Put_Line in exception handlers: 4515check entity_inside_exception (ada.text_io.put_line); 4516 4517-- No entry calls in exception handlers: 4518check entity_inside_exception (entry_calls); 4519 4520-- No calls allowed, except to the Report_Exception procedure: 4521check entity_inside_exception (calls, not Reports.Report_Exception); 4522 4523-- No Put allowed, except the one on Strings: 4524check entity_inside_exception (all Put, 4525 not Ada.Text_IO.Put@{Standard.String@}); 4526@end example 4527 4528@node Exception_Propagation, Expressions, Entity_Inside_Exception, Rules reference 4529@section Exception_Propagation 4530This rule controls that certain program units are guaranteed to never 4531propagate exceptions, or that local exceptions cannot propagate out of 4532their scope. 4533@subsection Syntax 4534@example 4535<control_kind> exception_propagation 4536 (local_exception); 4537<control_kind> exception_propagation 4538 ([<level>,] interface, <convention> @{, <convention> @}); 4539<control_kind> exception_propagation 4540 ([<level>,] parameter, <entity> @{, <entity>@}); 4541<control_kind> exception_propagation 4542 ([<level>,] task); 4543<control_kind> exception_propagation 4544 (<level>, declaration); 4545@end example 4546 4547@subsection Action 4548The ``local_exception'' subrule controls a design pattern that ensures 4549that a local exception cannot propagate outside the scope where it is 4550declared. If an exception is declared within a block, a subprogram 4551body, an entry body, or a task body, then this body must have either a 4552handler for this exception or for @code{@b{others}}; this handler must 4553not reraise the exception; and no handler is allowed to raise 4554explicitely the exception. The subrule controls explicit 4555@code{@b{raise}} statements and calls to @code{Raise_Exception} and 4556@code{Reraise_Occurrence}, but it does not control exceptions raised 4557as a consequence of calling other subprograms. 4558 4559The other subrules control subprograms, tasks, or all declarations 4560that can propagate exceptions, while being used in contexts where it 4561is desirable to ensure that no exception can be propagated. 4562 4563A subprogram or task is considered as @emph{not} propagating if: 4564@enumerate 4565@item 4566it has an exception handler with a ``@code{@b{when others}}'' choice 4567@item 4568no exception handler contains a @code{@b{raise}} statement, nor any 4569call to @code{Ada.Exception.Raise_Exception} or 4570@code{Ada.Exception.Reraise_Occurrence}. 4571@item 4572no declaration from its own declarative part propagates exceptions. 4573@end enumerate 4574 4575A declaration is considered propagating if it includes elements that 4576could propagate exceptions. This is impossible to assess fully using 4577only static analysis, therefore the <level> parameter determines how 4578pessimistic (or optimistic) AdaControl is in determining the possibility 4579of exceptions. Possible values of the <level> parameter, and 4580their effect, are: 4581@itemize @bullet 4582@item 45830: expressions in declarative parts are not considered as propagating 4584(anything allowed, this is the default value for ``interface'', 4585``parameter'' and ``task''. Not allowed for ``declaration''). 4586@item 45871: all function calls (including operators) in declarations are 4588considered as potentially propagating exceptions, except those 4589appearing in named number declarations or scalar types declarations, 4590since those are required by the language to be static. 4591@item 45922: same as 1, plus every use of variables in expressions is considered 4593as potentially propagating. 4594@item 45953: same as 2, plus any declaration of objects (constants or variables) 4596is considered potentially propagating (not very useful for 4597``declaration''). 4598@end itemize 4599 4600These subrules serve several purposes: 4601@itemize @bullet 4602@item 4603The ``interface'' subrule analyzes all subprograms to which an 4604@code{Interface} or @code{Export} pragma applies (with the given 4605convention(s)), and reports on those that can propagate 4606exceptions. 4607 4608Since it is dangerous to call an Ada subprogram that can propagate 4609exceptions from a language that has no exception (and especially C), 4610any such subprogram should have a ``catch-all'' exception handler. 4611@item 4612The ``parameter'' subrule accepts one or more fully qualified formal 4613parameter names (i.e. in the form of the parameter name prefixed by 4614the full name of its subprogram, see @ref{Specifying an Ada entity 4615name}). The subrule reports any subprogram that can propagate 4616exceptions and is used as the prefix of a @code{'Access} or 4617@code{'Address} attribute that appears as part of an actual value for 4618the indicated formal. Similarly, the indicated formal can also be the 4619name of a formal procedure or function of a generic. In this case, the 4620rule will report on any subprogram that can propagate exceptions and 4621is used as an actual in an instantiation for the given formal. 4622 4623Many systems (typically windowing systems) use call-back 4624subprograms. Although the native interface is generally hidden behind 4625an Ada binding, the call-back subprograms will eventually be called 4626from another language, and like for the ``interface'' subrule, any 4627such subprogram should have a ``catch-all'' exception handler. 4628@item 4629The ``task'' subrule reports any task that can propagate exceptions. 4630 4631Since tasks die silently if an exception is propagated out of 4632their body, it is generally desirable to ensure that every task has an 4633exception handler that (at least) reports that the task is being 4634completed due to an exception. 4635@item 4636The ``declaration'' subrule reports 4637any declaration that can propagate exceptions, irrespectively of where 4638it appears. In this case, the specification of <level> is required 4639and cannot be 0. 4640 4641It is sometimes desirable to make sure that no declaration raises an 4642exception, ever. 4643@end itemize 4644 4645Ex: 4646@example 4647-- Make sure that C-compatible subprograms don't propagate exceptions: 4648check exception_propagation (interface, C); 4649 4650-- Parameter CB of of procedure Pack.Register is used as a call-back 4651-- Make sure that not procedure passed to it can propagate exceptions. 4652check exception_propagation (parameter, Pack.Register.CB); 4653 4654-- Make sure that tasks do not die silently due to unhandled exception: 4655check exception_propagation (task); 4656 4657-- Make sure that no exception is raised by elaboration of declarations: 4658check exception_propagation (2, declaration); 4659@end example 4660 4661The first example will report on any subprogram to which a 4662@code{@b{pragma} Interface (C,...)} applies that can propagate 4663exceptions. 4664 4665If @code{Proc} is a procedure that can propagate exceptions, the 4666second example will report on every call like: 4667@example 4668Pack.Register (CB => Proc'Access); 4669@end example 4670 4671The third example will report on any task that can terminate silently due 4672to an unhandled exception. 4673 4674The fourth example will report on any declaration that makes use of 4675function calls or variables. 4676 4677@subsection Tips 4678Note that the registration procedure for a call-back can be designated 4679by an access type, but in this case, use the name of the formal for 4680the access type. For example, given: 4681@example 4682@b{package} Pack @b{is} 4683 @b{type} Acc_Proc @b{is} @b{access} @b{procedure}; 4684 @b{type} Acc_Reg @b{is} @b{access} @b{procedure} (CB : Acc_Proc); 4685 ... 4686 Ptr : Acc_Reg := ...; 4687@end example 4688 4689You can give a rule such as: 4690@example 4691check exception_propagation (parameter, Pack.Acc_Reg.CB); 4692@end example 4693All procedures registered by a call to @code{Pack.Ptr.@b{all}} will be considered. 4694 4695The declaration of a @b{for} loop parameter is not checked by this 4696rule. In other words, the rule ``check exception_propagation (2, 4697declaration)'' will not issue a message for: 4698@example 4699@b{for} I @b{in} Positive @b{range} 1 .. X @b{loop} ... 4700@end example 4701although formally the @i{declaration} of I could raise 4702Constraint_Error if X is negative. We consider that for the casual 4703user, Constraint_Error appears to be raised by the @b{for} loop 4704@i{statement}. 4705 4706@subsection Limitations 4707An exception may be raised in a subprogram considered as not 4708propagating by this rule, if an exception handler calls a subprogram 4709that propagates an exception. 4710 4711The rule will not consider subprograms whose body is missing, or that 4712are not statically known (i.e. if a subprogram is registered through a 4713dereference of a pointer to subprogram), like in the following 4714example: 4715@example 4716Pack.Register (CB => Pointer.@b{all}'Access); 4717@end example 4718 4719Due to a weakness of the ASIS standard, references to subprograms that 4720appear in dispatching calls are not considered. This limitation will 4721be removed as soon as we find a way to work around this problem, but 4722the issue is quite difficult! 4723 4724These last two cases are detected by the rule 4725``uncheckable''. @xref{Uncheckable}. 4726 4727@node Expressions, Generic_Aliasing, Exception_Propagation, Rules reference 4728@section Expressions 4729This rule controls usage of various kinds of expressions. 4730@subsection Syntax 4731@example 4732<control_kind> expressions (<subrule> @{, <subrule>@}); 4733<subrule> ::= @{<category>@} <expression_kw> 4734<expression_kw> ::= 4735 and | and_array | 4736 and_binary | and_boolean | 4737 and_then | array_aggregate | 4738 array_named_others | array_non_static_range | 4739 array_others | array_partial_others | 4740 array_positional_others | array_range | 4741 case | complex_parameter | 4742 downward_conversion | dispatching_function_calls | 4743 dynamic_function_calls | extendable_aggregate | 4744 extension_aggregate | explicit_dereference | 4745 fixed_multiplying_op | for_all | 4746 for_some | function_calls | 4747 if | if_elsif | 4748 if_no_else | implicit_dereference | 4749 in | inconsistent_attribute_dimension | 4750 inherited_function_call | mixed_operators | 4751 not | not_in | 4752 or | or_array | 4753 or_binary | or_boolean | 4754 or_else | parameter_view_conversion | 4755 prefixed_operator | real_equality | 4756 record_partial_others | record_aggregate | 4757 record_others | redispatching_function_calls | 4758 slice | static_membership | 4759 type_conversion | upward_conversion | 4760 unconverted_multiplying_op | underived_conversion | 4761 universal_range | unqualified_aggregate | 4762 xor | xor_array | 4763 xor_binary | xor_boolean 4764<category> ::= 4765 <> | () | range | mod | delta | digits | array | 4766 record | tagged | access | new | private | task | protected 4767@end example 4768@subsection Action 4769This rule controls usage of certain forms of expressions. The rule can 4770be specified at most once for each subrule (i.e. subrules that accept 4771categories can be specified once for each combination of categories 4772and expression keyword). 4773 4774Categories are used by certain subrules to further refine the control. 4775They define categories of types to which they apply: 4776@itemize @bullet 4777@item 4778``<>'': Any type 4779@item 4780``()'': Enumerated types 4781@item 4782``range'': Signed integer types 4783@item 4784``mod'': Modular types 4785@item 4786``delta'': Fixed point types (no possibility to differentiate ordinary 4787and decimal fixed point types yet). 4788@item 4789``digits'': Floating point types 4790@item 4791``array'': Array types 4792@item 4793``record'': (untagged) record types 4794@item 4795``tagged'': Tagged types (including type extensions) 4796@item 4797``access'': Access types 4798@item 4799``new'': Derived types 4800@item 4801``private'': Private types 4802@item 4803``task'': Task types 4804@item 4805``protected'': Protected types 4806@end itemize 4807 4808The subrule define the kind of expression being controlled: 4809@itemize @bullet 4810@item 4811@code{not}, @code{and}, @code{or}, @code{xor}, @code{and_then}, 4812@code{or_else}, @code{in}, and @code{not_in} control usage of the 4813corresponding logical operator (or short circuit form, or membership 4814test). 4815@item 4816@code{and_array}, @code{or_array}, and @code{xor_array} do the same, 4817but only for operators whose result type is an array type. 4818@item 4819@code{and_binary}, @code{or_binary}, and @code{xor_binary} do the same, 4820but only for operators whose result type is a modular type. 4821@item 4822@code{and_boolean}, @code{or_boolean}, and @code{xor_boolean} do the same, 4823but only for operators whose result type is @code{Standard.Boolean}. 4824@item 4825@code{array_aggregate} and @code{record_aggregate} control array and 4826record aggregates, respectively, while @code{unqualified_aggregate} 4827controls aggregates (both arrays and records) that do not appear 4828directly within a qualified expression. @code{extension_aggregate} 4829controls extension aggregates, while @code{extendable_aggregate} 4830controls aggregates that are @i{not} extension aggregates, but whose 4831type is a non-root tagged type, or are extension aggregates whose ancestor part 4832is not their immediate parent (such aggregates could be written as 4833extension aggregates). 4834@item 4835@code{array_others} and @code{record_others} control the occurrence of 4836a @code{@b{others} =>} association in array and record 4837aggregates, respectively. 4838@item 4839@code{array_partial_others} and @code{record_partial_others} do the 4840same, but only if there are other associations in addition to the 4841@code{@b{others} =>} in the aggregate. @code{array_named_others} and 4842@code{array_positional_others} do the same, but only for named 4843(respectively positional) array aggregates. 4844@item 4845@code{array_range} controls array aggregates that include a range 4846(i.e. an association like @code{A .. B =>}). 4847@code{array_non_static_range} does the same, but only if (at least) 4848one of the bounds is not static. 4849@item 4850@code{case} controls @b{case} expressions (introduced in Ada 2012). 4851@item 4852@code{complex_parameter} controls complex expressions used as actual 4853parameters in subprogram (or entry) calls. A complex expression is any 4854expression that includes a function call (including operators). This 4855rule is not applied to the parameters of operators, since otherwise 4856it would forbid any expression with more than a single operator. 4857@item 4858@code{explicit_dereference} controls explicit dereferences of access 4859values (i.e. with an explicit @code{.@b{all}}). 4860@item 4861@code{fixed_multiplying_op} controls calls to predefined fixed-point 4862multiplication and division (regular fixed-point or decimal-fixed 4863point). @code{unconverted_fixed_multiplying_op} does the same, but 4864only when both operands are objects (not literals) of a fixed_point 4865type (not Integer); this is when type conversion is required by Ada 486683. 4867@item 4868@code{for_all} and @code{for_some} control the two forms of 4869quantifiers introduced by Ada 2012. 4870@item 4871@code{if} controls all @b{if} expressions (introduced in Ada 2012), 4872while @code{if_elsif} only controls those that have an @b{elsif} part, 4873and @code{if_no_else} only controls those that have no @b{else} part. 4874@item 4875@code{implicit_dereference} controls implicit dereferences of access 4876values (i.e. when the @code{.@b{all}} is omitted). 4877@item 4878@code{inconsistent_attribute_dimension} controls when no dimension is 4879explicitely given for a @code{'First}, @code{'Last}, @code{'Range} or 4880@code{'Length} attribute and the attribute applies to a 4881multi-dimensional array, or conversely, when an explicit dimension is 4882given, but the attribute applies to a one-dimensional array. 4883@item 4884@code{function_call} controls all calls to functions, incuding user 4885defined operators, but not predefined operators (including the latter 4886would generate too much noise). @code{dispatching_function_call} does 4887the same, but only for dispatching calls while 4888@code{redispatching_function_call} does the same, but only for 4889dispatching calls that are (directly or indirectly) inside a primitive 4890operation of a tagged type. @code{dynamic_function_call} does the 4891same, but only for calls through 4892pointers. @code{inherited_function_call} controls calls to functions 4893that have been inherited by a derived type and not redefined. 4894 4895For all @code{*_function_call} subrules, if a category is specified, 4896only calls whose result type belongs to the category are controlled. 4897Derived types are followed, i.e. the ``real'' category from the 4898original type is used for the matching; as a consequence, the ``new'' 4899category cannot be specified for this subrule. In addition, the amount 4900of information displayed can be selected with the rule variable 4901``called_info'' (see below). 4902 4903@item 4904@code{mixed_operators} controls expressions that involve several 4905different operators, without parentheses. In a sense, it extends the 4906language rule that forbids mixing @code{@b{and}} and @code{@b{or}} in 4907logical expressions to all other operators. Note that for the purpose 4908of this subrule, membership tests (@code{@b{in}}, @code{@b{not in}}) 4909and short circuit forms (@code{@b{and then}}, @code{@b{or else}}) are 4910considered operators. 4911@item 4912@code{prefixed_operator} controls calls to operators that use prefixed 4913notation (i.e. @code{"+"(A, B)}). If a category is specified, only 4914calls whose result type belongs to the category are controlled. 4915 4916Derived types are followed, i.e. the ``real'' category from the 4917original type is used for the matching; as a consequence, the ``new'' 4918category cannot be specified for this subrule. 4919@item 4920@code{real_equality} controls usage of predefined exact equality or 4921inequality (``='' or ``/='') between real (floating point or fixed 4922point) values. 4923@item 4924@code{slice} controls usage of array slices. 4925@item 4926@code{static_membership} controls membership tests (@code{@b{in}} and 4927@code{@b{not in}}) where the expression on the left is statically 4928known to belong to the range (or subtype) on the right, and is 4929therefore always True (or false for @code{@b{not in}}). 4930@item 4931@code{type_conversion} controls all (sub)type conversions, while 4932@code{underived_conversion} controls conversions between types that do 4933@i{not} belong to the same derivation 4934family. @code{downward_conversion} and @code{upward_conversion} 4935control conversions between types that belong to the same family, 4936converting away from the root or toward the root, 4937respectively. @code{parameter_view_conversion} controls conversions 4938that appear as @code{@b{out}} or @code{@b{in out}} actual parameters. 4939 4940One or two categories can be specified; if only one category is 4941specified, only conversions whose result type belong to that category 4942are controlled. If two categories are specified, only conversions 4943whose souce type belongs to the first category and whose target type 4944belong to the second category are controlled. 4945 4946Derived types are followed, i.e. the ``real'' category from the 4947original type is used for the matching; as a consequence, the ``new'' 4948category cannot be specified for this subrule. 4949@item 4950@code{universal_range} controls discrete ranges that are a part of an 4951index constraint, constrained array definition, or for-loop parameter 4952specification (but not type or subtype defintions), and whose bounds 4953are both of type universal_integer. 4954@end itemize 4955 4956Ex: 4957@example 4958search expressions (real_equality, slice); 4959check expressions (mixed_operators); 4960 4961-- Find logical operators that could be replaced by short-circuits forms: 4962check expressions (and_boolean, or_boolean); 4963 4964-- Find all conversions between integer and floating point types 4965search expression (range digits type_conversion); 4966 4967-- Find all conversions from a fixed point type: 4968search expressions (delta <> type_conversion); 4969 4970-- Find all view conversions between array types: 4971search expressions (array parameter_view_conversions); 4972 4973-- Find all "structural" conversions between arrays 4974search expressions (array underived_conversion); 4975 4976-- Some think that downward conversions of tagged types are evil: 4977check expressions (tagged downward_conversion); 4978@end example 4979 4980@subsection Variable 4981The rule provides a variable that allows to specify the amount of information 4982displayed with the various *_function_calls subrules. 4983 4984@need 800 4985@multitable @columnfractions .12 .18 .10 .60 4986@item 4987@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 4988@item 4989Called_Info 4990@tab none@*compact@*detailed@*root_detailed 4991@tab none 4992@tab 4993 4994@table @asis 4995@item``none'' 4996No extra information. 4997@item ``compact'' 4998display the name of the called function. 4999@item ``detailed'' 5000display the name of the called function with overloading 5001information. 5002@item ``root_detailed'' 5003display the name of the root called function (i.e. the 5004original function if the called function is a renaming) with overloading 5005information. 5006@end table 5007@end multitable 5008 5009@subsection Tips 5010The @code{real_equality} subrule does not control calls to an equality 5011operator that has been defined by the user; actually, it would make 5012little sense to write a function and then forbid its use! However, if 5013control of calls to such a function is desired, it can be easily 5014accomplished by using the @code{entities} rule. @xref{Entities}. 5015 5016This rule does not check the use of allocators (@code{@b{new}}), use 5017the rule @code{Allocators} instead. @xref{Allocators}. 5018 5019``inherited_function_call'' controls only @i{function} calls. For 5020procedure calls, see rule @ref{Statements}. 5021 5022Specifying @code{array_partial_others} is the same as specifying both 5023@code{array_named_others} and @code{array_positional_others}. It is 5024retained for compatibility, and also for symetry with 5025@code{record_partial_others}. 5026 5027Per language rules, underived conversions are allowed only between 5028numeric types, and between structurally equivalent array types. 5029 5030``static_membership'' is handy for finding a common misuse of 5031membership tests, where the user assigns an external value (obtained 5032with Unchecked_Conversion for example) to a variable, then checks that the 5033variable belongs to its subtype to make sure the value is valid. Such a check 5034can be optimized away by the compiler; the 'Valid attribute should be 5035used instead. 5036 5037@subsection Limitations 5038``static_membership'' does not control the complex membership tests 5039with several choices that are possible with Ada 2012. 5040 5041@node Generic_Aliasing, Global_References, Expressions, Rules reference 5042@section Generic_Aliasing 5043This rule controls instantiations where the same actual is given to 5044more than one formal. 5045@subsection Syntax 5046@example 5047<control_kind> generic_aliasing [(<subrule> @{, <subrule>@})]; 5048<subrule> ::= [<condition>] <entity> 5049<condition> ::= unlikely | possible | certain 5050<entity> ::= all | variable | type | subprogram | package 5051@end example 5052 5053@subsection Action 5054This rule identifies instantiations where the same variable, type, 5055subprogram, or package is given several times (to different formal 5056parameters). Such aliasing of variables is dangerous, since it can 5057induce subtile bugs. Other elements are less dangerous, although often 5058questionable (depending on the generic). 5059 5060The <entity> parameter indicates for which elements aliasing is 5061controlled; ``all'' stands for all kinds of elements. 5062 5063There are many cases where aliasing cannot be determined 5064statically. The optional parameter specifies how aggressively the rule 5065will check for possible aliasings (see @ref{Parameter_Aliasing} for a 5066more detailed description of these modifiers). Possible values are 5067(case irrelevant): 5068@itemize 5069@item 5070Certain (default): Only cases where aliasing is statically certain are 5071output. 5072@item 5073Possible: In addition, cases where aliasing may occur depending on the 5074value of an indexed component are output. This can be specified only 5075for variables. 5076@item 5077Unlikely: In addition, cases where aliasing may occur due to access 5078variables designating the same element are output. This can be 5079specified only for variables and subprograms. 5080@end itemize 5081 5082Without any parameter, the rule is the same as ``certain all''. The 5083rule can be specified only once for each combination of <condition> 5084and <entity>. 5085 5086Ex: 5087@example 5088check generic_aliasing (certain variable); 5089search generic_aliasing (possible variable, type, subprogram, package); 5090@end example 5091 5092@subsection Limitations 5093Due to a limitation of ASIS for Gnat, AdaControl might not be able to 5094differentiate predefined operators of different types, and may thus 5095give false positives if a generic is instantiated with, for example, 5096two different functions that are actually @code{"+"} on Integer and 5097@code{"+"} on Float. This possibility of false positives is detected 5098by the rule ``uncheckable''. @xref{Uncheckable}. 5099 5100@node Global_References, Header_Comments, Generic_Aliasing, Rules reference 5101@section Global_References 5102This rule controls accesses to global elements that may be subject to 5103race conditions, or otherwise shared. 5104 5105@subsection Syntax 5106@example 5107<control_kind> global_references (<subrule> @{, <root>@}); 5108<subrule> ::= all | read | written | multiple | multiple_non_atomic 5109<root> ::= <entity> | function | procedure | task | protected 5110@end example 5111 5112@subsection Action 5113This rule controls access to global variables from several entities 5114(the roots). The @code{<entity>} must be subprograms, task types, 5115single task objects, protected types, or single protected objects. As 5116usual, the whole syntax for entities is allowed for <entity>. 5117@xref{Specifying an Ada entity name}. The special keywords 5118@code{function}, @code{procedure}, @code{task}, and @code{protected} 5119are used to refer to all functions, procedures, tasks, and protected 5120entities, respectively. 5121 5122The <subrule> determines the kind of references that are 5123controlled. If it is @code{all}, all references to global elements 5124from the indicated entities are reported. If <subrule> is @code{read} 5125or @code{written}, only read (respectively write) accesses are 5126reported. If <subrule> is @code{multiple}, only global elements that 5127are accessed by more than one of the indicated entities (i.e. shared 5128elements) are reported. Note however that if a reference is found from 5129a task type or protected type, it is always reported, since there are 5130potentially several objects of the same type. If <subrule> is 5131@code{multiple_non_atomic}, references reported are the same as with 5132@code{multiple}, except that global variables that are @code{atomic} 5133or @code{atomic_components} and written from at most one of the 5134indicated entities are not reported. Note that this latter case 5135corresponds to a safe reader/writer use of atomic variables. 5136 5137This rule follows the call graph, and therefore finds references from 5138subprogram and protected calls made (directly or indirectly) from the 5139indicated entities. However, calls to subprograms from the Ada 5140standard library are not followed. 5141 5142Ex: 5143@example 5144-- Find global variables used by P1 or P2: 5145search global_references (all, P1, P2); 5146 5147-- Find global variables modified by functions: 5148check global_references (written, function); 5149 5150-- Find possible race conditions: 5151check global_references (multiple, task, protected); 5152@end example 5153 5154This rule can be given several times, and conflicts (with 5155@code{multiple}) are reported on a per-rule basis, i.e. given: 5156@example 5157check global_references (multiple, P1, P2); 5158check global_references (multiple, P1, P3); 5159@end example 5160 5161the first rule will report on global variables shared between P1 and 5162P2, and the second rule will report on global variables shared between 5163P1 and P3. 5164 5165@subsection Tips 5166The notion of ``global'' is relative, i.e. it designates every 5167variable whose scope encloses (strictly) the indicated entities. This 5168means that a same reference may or may not be global, depending on the 5169indicated entity. Consider: 5170 5171@example 5172@b{procedure} Outer @b{is} 5173 Inner_V : Integer; 5174 5175 @b{procedure} Inner_P @b{is} 5176 @b{begin} 5177 Inner_V := 1; 5178 @b{end} Inner_P; 5179@b{begin} 5180 Inner_P; 5181@b{end} Outer; 5182@end example 5183 5184The rule 5185@example 5186check global_references (all, outer); 5187@end example 5188will not report any global reference, while the rule 5189@example 5190check global_references (all, outer.inner_p); 5191@end example 5192will report a reference to @code{Inner_V}. This is as it should be, 5193since there is no race condition if several tasks call @code{Outer}, 5194while there is a risk if several tasks (declared inside @code{Outer}) 5195call @code{Inner_P}. 5196 5197Specifying: 5198@example 5199check global_references (all, function); 5200@end example 5201will report on any function that access variables outside of their 5202scope, i.e. all functions that have potential side effects. On the 5203other hand, this check must follow the whole call graph for any 5204function encountered, and can therefore be quite costly in execution 5205time. 5206 5207@subsection Limitations 5208Calls through pointers to subprograms and dispatching calls are 5209unknown statically; they are assumed to not access any global. Such 5210calls are detected by the rule ``uncheckable''. @xref{Uncheckable}. 5211 5212@node Header_Comments, Improper_Initialization, Global_References, Rules reference 5213@section Header_Comments 5214This rule controls that every compilation unit starts with a 5215standardized comment. 5216@subsection Syntax 5217@example 5218<control_kind> header_comments (minimum, <comment lines>); 5219<control_kind> header_comments (model, "<file name>"); 5220@end example 5221@subsection Action 5222If the keyword ``minimum'' is given as first parameter, this rule 5223controls that every compilation unit starts with at least the number 5224of comment lines indicated by the second parameter. If several forms 5225of headers are possible, checking that the headers follow the 5226project's standard requires manual inspection, but this rule is useful 5227to control that unit headers have not been inadvertantly forgotten. 5228 5229If the keyword ``model'' is given as first parameter, the second 5230parameter is a string, interpreted as a file name. If the file name is 5231not an absolute path, it is interpreted as relative to the directory 5232of the file that contains the rule, or to the current directory if the 5233rule is given on the command line. Each line of the indicated file is 5234a regular expression, and the rule controls that the corresponding 5235line of the source file matches the expression. @xref{Syntax of 5236regular expressions}. In addition, it is possible to specify a repetition 5237for a line. If the first character of a line is a @code{'@{'}, the line 5238must have the following syntax: 5239@example 5240@{<min>,[<max>]@} 5241@end example 5242where <min> and <max> specify the minimum and maximum number of 5243occurrences of the pattern in the line that follows this one. <min> 5244must be at least 0, and <max> must be at least 1, and be equal or 5245greater than <min>. If <max> is omitted, it means that the line may 5246occur any number of times. 5247 5248As a convenience, if the first character of a line is a @code{'*'} 5249it means that the next line is a pattern that can occur any number of 5250times (same as @code{@{0,@}}). If the first character is a 5251@code{'+'}, it means that the next line is a pattern that must occur 5252at least once (same as @code{@{1,@}}). If the first character is a 5253@code{'?'}, it means that the next line is an optional pattern (same 5254as @code{@{0,1@}}). 5255 5256Note that the repetition lines all start with a special character 5257which is not allowed at the start of a regular expression; there is 5258therefore no ambiguity. Everything after the special character (or the 5259closing @code{'@}'}) is ignored, and can be used to provide comments. 5260 5261This rule can be given at most once with ``minimum'' for each of 5262``check'', ``search'', and ``count''. The rule can be given only once 5263with ``model'' (but it can be given together with one or more 5264``minimum'' rules). 5265 5266Ex: 5267@example 5268check header_comments (minimum, 10); 5269search header_comments (model, "header.pat"); 5270count header_comments (minimum, 20); 5271@end example 5272This makes an error for every unit that starts with less than 10 5273comment lines, and a warning for units that do not follow the pattern 5274contained in the file @code{header.pat}. A count of units that start 5275with less than 20 comment lines is reported. 5276 5277Example of a pattern file: 5278@example 5279@{1,3@} 1 to 3 occurrences of next line 5280^--$ 5281^-- Author: .+$ 5282^-- Date: \d@{2@}/\d@{2@}/\\d@{4@}$ 5283@end example 5284 5285@subsection Tips 5286Remember that the lines of the file are regular expressions; every 5287character that is specially interpreted (like ``+'', ``*'', etc.) must 5288be quoted with ``\'' if it must appear textually. To ease the process 5289of generating the model file, the directory @code{source} contains a 5290script file for sed named @code{makepat.sed}; if you run this script 5291on a file that contains a standard header, it will produce a pattern 5292file where each line starts with ``^'', ends with ``$'', and every 5293special character is quoted with ``\''. 5294 5295When the model contains an indication of repeated lines (``*''), the 5296repetition is not ``greedy'', i.e. matching will stop as soon as what 5297follows the repetition matches. This is very useful to check header 5298comments that have sections, but where you don't want to impose a 5299precise content to each section. Imagine for example that the structure is: 5300@itemize 5301@item 5302A comment with ``HISTORY'' 5303@item 5304Any number of comment lines 5305@item 5306A comment with ``AUTHORS'' 5307@item 5308Any number of comment lines 5309@end itemize 5310the following pattern will work as expected: 5311@example 5312^-- HISTORY$ 5313* 5314^-- 5315^-- AUTHORS 5316* 5317^-- 5318@end example 5319 5320@subsection Limitation 5321Since the ``model'' subrule analyzes the content of comments, there is 5322a conflict with the disabling mechanism of AdaControl that uses 5323special comments. @xref{Disabling controls}. 5324 5325Specifically, line disabling is not possible at all. Block disabling 5326is possible, provided the disabling line is allowed by the pattern. In 5327short, if you want to be able to disable this rule, the first lines of 5328the model file should be: 5329@example 5330? 5331--## 5332@end example 5333i.e. allow an optional block disabling comment as the first line of 5334the file. Note that there is no need to re-enable this rule, since it 5335is checked only at the start of a compilation unit. 5336 5337@node Improper_Initialization, Instantiations, Header_Comments, Rules reference 5338@section Improper_Initialization 5339This rule enforces a coding pattern that ensures that variables and 5340@code{@b{out}} parameters are properly initialized befor use. 5341@subsection Syntax 5342@example 5343<control_kind> improper_initialization [(<subrule> @{,<subrule>@})] 5344<subrule> ::= @{<extra>@} <target> 5345<extra> ::= access | limited | package | return 5346<target> ::= out_parameter | variable | initialized_variable 5347@end example 5348@subsection Action 5349This rule controls variables and/or @code{@b{out}} parameters that are 5350not ``properly'' initialized, i.e. those that are not ``safely'' 5351initialized, those that have a useless initialization in their 5352declaration, and those where the value is known to be used before 5353having been assigned. The notion of variable includes the return 5354object of an extended return statement (Ada 2005+). 5355 5356A variable (or @code{@b{out}} parameter) is considered safely 5357initialized if there is an initialization expression in its 5358declaration, or if it is given a value in the first statements of the 5359corresponding body, before any ``non-trivial'' statement. The goal is 5360not to perform a complete data-flow analysis, but rather to follow a 5361design pattern where all variables are initialized before entering the 5362``active'' part of the algorithm. This makes it easier to ensure that 5363variables are properly initialized. 5364 5365``Trivial'' statements are: 5366@itemize @bullet 5367@item 5368@code{null} statements; 5369@item 5370assignment statements; 5371@item 5372procedure calls; 5373@item 5374return statements; 5375@item 5376raise statements; 5377@item 5378extended return statements, unless they contain a nested non-trivial 5379statement. 5380@item 5381@code{@b{if}} and @code{@b{case}} statements, unless they contain a 5382nested non-trivial statement. 5383@end itemize 5384The <target> parameters determines what is to be checked: 5385@itemize @bullet 5386@item 5387@code{out_parameter} controls that @code{@b{out}} parameters are 5388safely initialized before the first non-trivial statement, and before 5389every (trivial) @code{@b{return}} statement. Note that @code{@b{out}} 5390parameters are @i{not} checked before @code{@b{raise}} statements, 5391since the language does not guarantee that @code{@b{out}} parameters 5392are transmitted back in the case of exceptions. 5393@item 5394@code{variable} controls that local variables are safely initialized 5395before the first non-trivial statement. If the <extra> modifier 5396@code{return} is specified, only return objects of extended return 5397statements are controlled. 5398@item 5399@code{initialized_variable} controls variables that are safely 5400initialized before the first non-trivial statement, but also have an 5401explicit (and therefore useless) explicit initialization in their 5402declaration. If the modifier @code{return} is specified, only return 5403objects of extended return statements are controlled. 5404@end itemize 5405In all cases, variables used in trivial statements before being 5406initialized are reported. 5407 5408A variable is considered initialized if it is the target of an 5409assignment statement, or if it is used as an actual for an 5410@code{@b{out}} (but not @code{@b{in out}}) parameter of a procedure 5411call. Variables assigned in @code{@b{if}} or @code{@b{case}} 5412statements must receive a value in all paths to be considered 5413initialized after the statement. Note that the variable must be 5414assigned to globally, i.e. assigning to some elements of an array, or 5415some fields of a record, does not count as an initialization of the 5416variable. 5417 5418Some variables are @i{not} controlled, unless the corresponding 5419<extra> modifier is given: 5420@itemize 5421@item 5422Variables declared immediately within a (generic) package 5423specification or body, since in general, package state variables are 5424initialized through calls to dedicated procedures. Use the ``package'' 5425modifier to control also package variables. 5426@item 5427Variables of an access types, or arrays whose components are of an 5428access type, since these are always initialized by the compiler. Use 5429the ``access'' modifier to control also variables of an access type. 5430@item 5431Variables of a limited type, since global assignment is not available 5432for them. Use the ``limited'' modifier to control also variables of a 5433limited type. 5434@end itemize 5435 5436This rule can be given only once for each value of <target>. Without 5437parameters, it is equivalent to giving all, without any <extra>. 5438 5439Ex: 5440@example 5441check improper_initialization (out_parameter); 5442check improper_initialization (access limited variable); 5443search improper_initialization (initialized_variable); 5444@end example 5445 5446@subsection Tips 5447@code{variable} and @code{initialized_variable} control also return 5448objects from extended return statements, since it would be strange to 5449guarantee safe initialization of local variables and not return 5450objects. On the other hand, the design pattern enforced by this rule 5451may seem to limitative for regular variables, but it might be 5452desirable to enforce it for return objects; hence the possibility to 5453limit the rule to return objects by specifying the @code{return} 5454modifier. 5455 5456@subsection Limitations 5457Due to a weakness of the ASIS standard, dispatching calls and calls to 5458procedures that are attributes are not considered for the 5459initialization of variables. Note that for attributes, only 5460@code{'Read} and @code{'Input} have an @code{@b{out}} parameter. 5461 5462In the rare case where a variable is initialized by a dispatching call 5463or an attribute call, this limitation will result in a false 5464positive. Such a case is detected by the rule 5465``uncheckable''. @xref{Uncheckable}. It is then easy to disable the 5466rule for this variable. @xref{Disabling controls}. 5467 5468The rule analyzes only initializations and uses that are directly in 5469the unit, not those from nested units, since these are in the general 5470case not statically checkable. 5471 5472There are other cases where an object is automatically initialized by 5473the declaration, like controlled types that have redefined the 5474@code{Initialize} procedure, records where all components have a 5475default initialization, etc. The rule does not consider these as 5476automatically initialized, as it does for access types. Maybe later... 5477 5478@node Instantiations, Insufficient_Parameters, Improper_Initialization, Rules reference 5479@section Instantiations 5480This rule controls all instantiations of a generic, or only 5481instantiations that are made with specific values of the 5482parameters. Control can be restricted to instantiations in specified 5483places. 5484 5485@subsection Syntax 5486@example 5487<control_kind> instantiations (<generic_spec>); 5488<generic_spec> ::= @{[not] <location_kw>@} <entity> @{, <formal_spec>@} 5489<formal_spec> ::= <entity> | <category> | <> | = 5490<location_kw> ::= all | block | library | local | nested | 5491 own | private | public | in_generic | task_body 5492<category> ::= () | access | array | delta | digits | mod | 5493 private | protected | range | record | tagged | task 5494@end example 5495 5496@subsection Action 5497The rule controls instantiations of the specified <entity>. As usual, 5498the whole syntax for entities is allowed for <entity>. 5499@xref{Specifying an Ada entity name}. 5500 5501The <location_kw> restricts the places where the occurrence of the 5502instantiation is controlled. If it is preceded by ``not'', the 5503instantiation is controlled except at this location. Several 5504<location_kw> can be given, in which case the instantiation is 5505controlled at places where all the keywords apply. If there is no 5506<location_kw>, it is assumed to be ``all''. 5507@itemize @bullet 5508@item 5509@code{all}: puts no special restriction to the location. This keyword 5510can be specified for readability purposes, and if specified must 5511appear alone (not with other <location_kw>), and ``not'' is not 5512allowed. 5513@item 5514@code{block}: only instantiations appearing in block statements are 5515controlled. 5516@item 5517@code{library}: only library level instantiations are controlled. 5518@item 5519@code{local}: only local instantiations are controlled (i.e. only 5520instantiations appearing in (generic) packages, possibly nested, are 5521allowed). 5522@item 5523@code{own}: only instantiations that are local to a (generic) package 5524body are controlled. 5525@item 5526@code{public}: only declarations appearing in the visible part of 5527(generic) packages are controlled. 5528@item 5529@code{private}: only instantiations appearing directly in a private 5530part are controlled. 5531@item 5532@code{in_generic}: only instantiations appearing directly or indirectly in a generic 5533specification or body are controlled. 5534@item 5535@code{task_body}: only instantiations appearing directly in a task 5536body are controlled. Note that it would not make sense to have a 5537<location_kw> for task @i{specifications}, since instantiations are 5538not allowed there. 5539@end itemize 5540 5541An instantiation matches if it appears at a specified location (if 5542any) and either: 5543@enumerate 5544@item 5545No <formal_spec> is given in the rule 5546@item 5547The actual parameters of the instantiation match the corresponding 5548<formal_spec>, in order (there can be more actual parameters in the 5549instantiation than specified in the rule). An actual parameter matches 5550an <entity> at a given place if it is the same entity, or if the 5551<entity> designates a (sub)type and the actual is a subtype of this 5552type. As usual, the whole syntax for entities is allowed for 5553<entity>. @xref{Specifying an Ada entity name}. In addition, it 5554matches if the actual is a type name that belongs to the indicated 5555category: 5556@itemize @bullet 5557@item 5558``()'': The parameter is of an enumerated type. 5559@item 5560``access'': The parameter is of an access type. 5561@item 5562``array'': The parameter is of an array type. 5563@item 5564``delta'': The parameter is of a fixed point type (it is not currently 5565possible to distinguish ordinary fixed point types from decimal fixed 5566point types). 5567@item 5568``digits'': The parameter is of a floating point type. 5569@item 5570``mod'': The parameter is of a modular type. 5571@item 5572``private'': The parameter is of a private type (including private 5573extensions). 5574@item 5575``protected'': The parameter is of a protected type. 5576@item 5577``range'': The parameter is of a signed integer type. 5578@item 5579``record'': The parameter is of an (untagged) record type. 5580@item 5581``tagged'': The parameter is of a tagged type (including type 5582extensions). 5583@item 5584``task'': The parameter is of a task type. 5585@end itemize 5586 5587In addition, two special signs can be given instead of an <entity> (or 5588<category>): a box (@code{<>}) matches any actual parameter 5589(i.e. it stands for any value), and an equal sign (@code{=}) matches 5590if there has been already an instantiation with the same value for 5591this parameter (i.e. it matches the second time it is encountered). 5592@end enumerate 5593 5594Formal @code{@b{in}} parameters cannot be matched, since the actual 5595can be any expression and it is not clear how to specify it in the 5596rule; therefore, the rule should normally specify a box (@code{<>}) at 5597the place of such parameters. 5598 5599Ex: 5600@example 5601-- Check all instantiations of Unchecked_Deallocation: 5602search instantiations (ada.unchecked_deallocation); 5603 5604-- Check all instantiations of Unchecked_Conversion from or to String: 5605check instantiations (ada.unchecked_conversion, standard.string); 5606check instantiations (ada.unchecked_conversion, <>, standard.string); 5607 5608-- Check all instantiations of Unchecked_Conversion from address 5609-- to an integer type: 5610check instantiations (ada.unchecked_conversion, system.address, range); 5611 5612-- Check that Unchecked_Conversion is instantiated only once 5613-- for any pair of arguments: 5614check instantiations (ada.unchecked_conversion, =, =); 5615@end example 5616 5617@subsection Tips 5618The various forms of <formal_spec> make the rule quite powerful. For 5619example: 5620@example 5621-- Not two instantiations of Gen with the same first parameter: 5622check instantations (Gen, =); 5623 5624-- Not two instantiations of Gen with same first and third parameters: 5625check instantiations (Gen, =, <>, =); 5626 5627-- Not two instantiations of Gen with the same first parameter if the 5628-- second parameter is Pack.Proc: 5629check instantiations (Gen, =, Pack.Proc); 5630 5631-- Not two instantiations of Gen with the same first parameter if the 5632-- second parameter is any procedure named Proc: 5633check instantiations (Gen, =, all Proc); 5634@end example 5635 5636Note that a generic actual wich is a subtype matches all types (and subtypes) 5637above it. Therefore, 5638@example 5639check instantiations (ada.unchecked_deallocation (standard.natural)); 5640@end example 5641will find only instantiations that use @code{Natural}, while: 5642@example 5643check instantiations (ada.unchecked_deallocation (standard.integer)); 5644@end example 5645will find instantiations that use either @code{Integer}, 5646@code{Positive}, or @code{Natural}. 5647 5648If an equal sign (@code{=}) is provided for a formal @code{@b{in}} 5649parameter, it is @i{not} part of the comparison of existing 5650instantiations (it behaves like a box (@code{<>})), i.e. given: 5651@example 5652generic 5653 type T1 is private; 5654 Val : String := ""; 5655package Gen; 5656 5657package body Gen is ... end Gen; 5658 5659package Inst1 is new Gen (Float, "Some Message"); 5660package Inst2 is new Gen (Float, "Some Other Message"); 5661@end example 5662and the rule: 5663@example 5664check instantiations (Gen, =, =); 5665@end example 5666Adacontrol will issue a message for Inst2 that it has already been 5667instantiated with the same parameters, although the second 5668(@code{@b{in}}) parameter is different. 5669 5670@subsection Limitation 5671GNAT defines @code{Unchecked_Conversion} and 5672@code{Unchecked_Deallocation} as separate entities, rather than 5673renamings of @code{Ada.Unchecked_Conversion} and 5674@code{Ada.Unchecked_Deallocation}. As a consequence, it is necessary 5675to specify explicitely both forms if you want to make sure that the 5676corresponding generics are not instantiated. 5677 5678@node Insufficient_Parameters, Local_Access, Instantiations, Rules reference 5679@section Insufficient_Parameters 5680This rule controls calls to subprograms and entries where the values 5681of parameters does not provide sufficient information to the reader to 5682correctly identify the parameter's purpose. 5683 5684@subsection Syntax 5685@example 5686<control_kind> insufficient_parameters (<max_allowed> @{, <entity>@}); 5687@end example 5688@subsection Action 5689<max_allowed> is the maximum number of allowed ``insufficient'' 5690parameters (can be 0). The <entity> parameters designate enumeration 5691types whose values should be included in the check. As usual, the 5692whole syntax for entities is allowed for <entity>. @xref{Specifying an 5693Ada entity name}. 5694 5695An actual parameter is deemed "insufficient" if it is given in 5696positional (as opposed to named) notation, it is an expression whose 5697primaries are all numeric literals, or enumeration literals belonging 5698to one of the types passed as parameters to the rule 5699(@code{Standard.Boolean} for example). 5700 5701This rule can be given once for each of check, search, and count. This 5702way, it is possible to have a level considered a warning (search), and 5703one considered an error (check). 5704 5705Ex: 5706@example 5707search Insufficient_Parameters (1, Standard.Boolean); 5708check Insufficient_Parameters (2, Standard.Boolean); 5709@end example 5710 5711@subsection Tips 5712This rule does not apply to operators that use infix notation, nor to 5713calls to subprograms that are attributes, since named notation is not 5714allowed for these. 5715 5716This rule controls the use of positional parameters according to their 5717values; it is also possible to control the use of positional 5718parameters according to the number of parameters with the rule 5719@code{positional_associations}. @xref{Positional_Associations}. 5720 5721Note also that this rules applies only to calls, while 5722@code{positional_associations} applies to all forms of associations. 5723 5724@node Local_Access, Local_Hiding, Insufficient_Parameters, Rules reference 5725@section Local_Access 5726This rule controls the taking of access values (through the @code{'Access}, 5727 @code{'Unchecked_Access}, or the GNAT specific @code{'Unrestricted_Access} 5728attributes) of local (i.e. non global) entities. 5729 5730@subsection Syntax 5731@example 5732<control_kind> local_access [(<subrule> @{,<subrule>@})]; 5733<subrule> ::= constant | variable | procedure | function | 5734 protected_procedure | protected_function 5735@end example 5736 5737@subsection Action 5738Without parameters, the rule controls all entities given as prefixes 5739of @code{'Access}, @code{'Unchecked_Access}, or 5740@code{'Unrestricted_Access} attributes and reports on those that are 5741not global, i.e. not defined in (possibly nested) library packages. 5742 5743If parameters are specified, only entities belonging to the 5744corresponding categories are controlled. 5745 5746Ex: 5747@example 5748Dangerous_Objects: check local_access (Constant, Variable); 5749@end example 5750 5751@subsection Tips 5752In Ada 95, accessibility rules make sure that taking the 5753@code{'Access} of an entity cannot create dangling pointers, but this 5754check can be circumvented by using @code{'Unchecked_Access} (but not 5755on subprograms), or in GNAT, by using 5756@code{'Unrestricted_Access}. Moreover, Ada 2005 generalized anonymous 5757access types create more cases where accessibility levels are 5758dynamically checked. 5759 5760Taking an access value on a global entity is never a risk, but every 5761use of access values designating local entities has a potential of a 5762failing dynamic accessibility check or even of a dangling 5763pointer. This rule is helpful in finding the places that need careful 5764inspection - or for disallowing taking accesses on anything but global 5765entities. 5766 5767@node Local_Hiding, Max_Blank_Lines, Local_Access, Rules reference 5768@section Local_Hiding 5769This rule controls declarations that hide an outer declaration with 5770the same name. 5771 5772@subsection Syntax 5773@example 5774<control_kind> local_hiding [(<subrule> @{,"<allowed pattern>"@})]; 5775<subrule> ::= @{<exception>@} strict | overloading 5776<exception> ::= not_operator | not_enumeration | 5777 not_identical_renaming | not_different_families 5778@end example 5779 5780@subsection Action 5781If ``strict'' is given (or if there is no subrule), the rule controls 5782strict hiding (an inner subprogram that overloads an outer one is not 5783considered hiding). If ``overloading'' is given, only subprograms that 5784overload another subprogram in the same scope or in an outer scope are 5785controlled. Note that following the normal Ada model, the declarations 5786of enumeration literals are considered functions (and thus 5787controlled). 5788 5789Modifiers are used to exclude some controls (i.e. to allow the corresponding hiding): 5790@itemize @bullet 5791@item 5792``not_operator'': the subrule does not apply to the declarations of 5793operators (i.e. things like ``@code{"+"}''). 5794@item 5795``not_enumeration'': the subrule does not apply to the 5796hiding/overloading of enumeration literals by other enumeration 5797literals (the rule still applies to the hiding/overloading of 5798functions by enumeration litterals, for example). 5799@item 5800``not_identical_renaming'' (only allowed with ``strict''): the subrule 5801does not apply to renamings where the renaming name is the same as the 5802name of the renamed entity. Such renamings are commonly used to 5803provide visibility of identifiers in a controlled way. 5804@item 5805``not_different_families'' (only allowed with ``strict''): the subrule 5806does not apply if the hiding identifier and the hidden one do not 5807belong to the same ``family''. Families are either data (constant, 5808variables, numbers, etc.), types, subprograms (including entries), 5809packages, generics, exceptions, and labels (including block and loop 5810names). 5811@end itemize 5812If one or more <allowed pattern> are given, hiding (or overloading) of 5813identifiers that match one of the patterns are not reported. The whole 5814syntax for regular expressions is allowed for the pattern, but the 5815matching is always case insensitive. @xref{Syntax of regular 5816expressions}. 5817 5818This rule can be given only once for ``strict'' and once for 5819``overloading''. 5820 5821Ex: 5822@example 5823Hiding: check local_hiding (strict); 5824Overloading: search local_hiding (not_operator overloading); 5825@end example 5826 5827@subsection Variable 5828The rule provides a variable that allows to adjust the verbosity 5829of messages for the subrule ``overloading''. 5830 5831@need 800 5832@multitable @columnfractions .23 .15 .12 .50 5833@item 5834@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 5835@item 5836Overloading_Report 5837@tab compact@*detailed 5838@tab detailed 5839@tab when the ``overloading'' subrule encounters a construct that 5840overloads several other constructs: 5841@table @asis 5842@item detailed 5843issue a message for each overloaded construct 5844@item compact 5845issue a single message mentionning how many constructs are overloaded, 5846and a pointer to the last one. 5847@end table 5848@end multitable 5849 5850@subsection Tips 5851If you have a naming convention like having all tagged types named 5852``instance'' (with a meaningful name for the enclosing package), and 5853if in addition your package structure follows the inheritance 5854hierarchy (i.e. a descendent class is in a child package), then all 5855``instance'' will hide each other - but this is of course 5856intended. Specifying ``@code{^instance$}'' as an allowed pattern will 5857prevent error messages for these declarations. 5858 5859Note that the name is given between ``@code{^}'' and 5860``@code{$}''. Otherwise, following normal regexp syntax, any 5861identifier @i{containing} ``instance'' would be allowed. 5862 5863A confusion between names belonging to different ``families'' (as 5864defined here) always leads to a compilation error; it may be 5865acceptable to allow local hiding of names belonging to different 5866families, since there is no risk involved. 5867 5868@node Max_Blank_Lines, Max_Call_Depth, Local_Hiding, Rules reference 5869@section Max_Blank_Lines 5870This rule controls excessive spacing in the program text. 5871 5872@subsection Syntax 5873@example 5874<control_kind> max_blank_lines (<max allowed blank lines>); 5875@end example 5876 5877@subsection Action 5878This rule controls the occurrence of more than the indicated number of 5879consecutive blank lines (empty lines, or lines that contain only 5880spaces). This rule can be given once for each of check, search, and 5881count. This way, it is possible to have a number of blank lines 5882considered a warning (search), and one considered an error (check). Of 5883course, this makes sense only if the number for search is less than 5884the one for check. 5885 5886Ex: 5887@example 5888search max_blank_lines (2); 5889check max_blank_lines (5); 5890@end example 5891 5892@node Max_Call_Depth, Max_Line_Length, Max_Blank_Lines, Rules reference 5893@section Max_Call_Depth 5894This rule controls the maximum depth of subprograms (or entry) calls. 5895@subsection Syntax 5896@example 5897<control_kind> max_call_depth (<allowed depth> | finite @{, <entity>@}); 5898@end example 5899@subsection Action 5900Roughly speaking, the call depth is the number of frames that are 5901stacked by a call: if you call a subprogram that calls another 5902subprogram that calls nothing, then the call depth is 2. Note that a 5903call to a task (not protected) entry has always a depth of 1, since 5904the accept body that corresponds to the entry is executed on a 5905different stack. 5906 5907The value of the first parameter is the maximum @i{allowed} depth, 5908i.e. the rule will trigger if the call depth is strictly greater than 5909the indicated value. A call to a (directly or indirectly) recursive 5910procedure is considered of infinite depth, and will be therefore 5911signaled (with an appropriate message) for any value of <allowed 5912depth>. Alternatively, the keyword ``finite'' can be given in place of 5913the <allowed depth>: in this case, only calls to recursive subprograms 5914will be signalled. 5915 5916If entity names are given after the first parameter, they are 5917interpreted as callable entities that are not to be analyzed, and 5918assumed of depth 0 (not calling anything else). As usual, the whole 5919syntax for entities is allowed for <entity>. @xref{Specifying an Ada 5920entity name}. This can be useful, for example, when a subprogram 5921appears to be recursive (but is not, due to the algorithm), to prevent 5922all those who call it to be flagged as having infinite call depth. 5923 5924This rule can be given once for each of check, search, and count. This 5925way, it is possible to have a call depth considered a warning 5926(search), and one considered an error (check). Of course, this makes 5927sense only if the number for search is less than the one for check. 5928 5929Ex: 5930@example 5931search max_call_depth (9); 5932check max_call_depth (finite); 5933@end example 5934 5935@subsection Variable 5936The rule provides a variable that allows to specify how to handle 5937expression functions (Ada 2012). 5938 5939@need 800 5940@multitable @columnfractions .25 .10 .10 .55 5941@item 5942@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 5943@item 5944Count_Expr_Fun_Calls 5945@tab on@*off 5946@tab on 5947@tab 5948@table @asis 5949@item on 5950calls to expression functions are counted like regular calls 5951@item off 5952calls to expression functions are assumed to be inlined and do not add 5953an extra depth level. 5954@end table 5955@end multitable 5956 5957@subsection Tip 5958It is possible to give the value 0 for <allowed depth>. Of course, 5959it would not make sense to forbid all subprogram calls in an Ada program, 5960but this can be useful for inspection purposes, since every call will be 5961reported, and the message indicates the depth of the call. 5962 5963If the message says that the call depth ``is N'', it is exactly N. If 5964the message says that the call depth is ``at least N'', it means that 5965the call chain includes a call to a subprogram whose depth is unknown 5966(see ``Limitations'' below); ``N'' is the call depth if this 5967subprogram does not call anything else. Of course, the rule issues a 5968message if this minimal value is greater than the maximum allowed 5969value. 5970 5971There is only one set of entities that are forced to depth 0; 5972therefore, if the control is given several times, each with various 5973<entity>, all controls will use the union of all entities given. 5974 5975@subsection Limitations 5976Calls to subprograms that are attributes are assumed to have a depth 5977of 1. Calls to predefined operators are assumed to be in-lined (i.e. a 5978depth of 0). 5979 5980Calls through pointers to subprograms and dispatching calls are 5981unknown statically; in addition, some subprograms may not have a body 5982available for analysis, like imported subprograms, or possibly 5983subprograms from the standard library; they are all assumed to have a 5984depth of 1. Such calls are detected by the rule 5985``uncheckable''. @xref{Uncheckable}. 5986 5987@node Max_Line_Length, Max_Nesting, Max_Call_Depth, Rules reference 5988@section Max_Line_Length 5989This rule controls that no line exceeds a given length. 5990 5991@subsection Syntax 5992@example 5993<control_kind> max_line_length (<max allowed length>); 5994@end example 5995 5996@subsection Action 5997This rule controls the maximum length of source lines. This rule can 5998be given once for each of check, search, and count. This way, it 5999is possible to have a length considered a warning (search), and one 6000considered an error (check). Of course, this makes sense only if the 6001length for search is less than the one for check. 6002 6003Ex: 6004@example 6005search max_line_length (80); 6006check max_line_length (120); 6007@end example 6008 6009@node Max_Nesting, Max_Size, Max_Line_Length, Rules reference 6010@section Max_Nesting 6011This rule controls excessive nesting of declarations. 6012 6013@subsection Syntax 6014@example 6015<control_kind> max_nesting ([<subrule>,] <max allowed depth>); 6016<subrule> ::= all | generic | separate | task 6017@end example 6018 6019@subsection Action 6020If ``all'' (or no subrule) is given as the first parameter, this rule 6021controls the nesting of declarative constructs (like subprograms, 6022packages, generics, block statements@dots{}) that exceed a given 6023depth. Nesting of statements (@code{@b{loop}}, @code{@b{case}}) is not 6024considered. 6025 6026If ``generic'' is given as the first parameter, this rule controls the 6027nesting of generics, ignoring all non-generic units. 6028 6029If ``separate'' is given as the first parameter, this rule controls the 6030nesting of separate bodies. 6031 6032If ``task'' is given as the first parameter, this rule controls the 6033nesting of tasks (task types and single task objects), ignoring all 6034non-task units. 6035 6036This rule can be given once for each subrule and each of check, 6037search, and count. This way, it is possible to have a level considered 6038a warning (search), and one considered an error (check). Of course, 6039this makes sense only if the level for search is less than the one for 6040check. 6041 6042Note that the value given is the maximum @i{allowed} nesting; f.e. if the 6043value given for ``generic'' is 1, it means that a generic inside a 6044generic is allowed, but not more. 6045 6046Ex: 6047@example 6048search max_nesting (5); 6049check max_nesting (all, 7); 6050check max_nesting (generic, 1); 6051check max_nesting (separate, 0); -- Do not allow separate in separate 6052check max_nesting (task, 0); -- Do not allow a task in another task 6053@end example 6054 6055@node Max_Size, Max_Statement_Nesting, Max_Nesting, Rules reference 6056@section Max_Size 6057This rule controls the maximum size, in source lines of code, of 6058various statements and declarations. 6059 6060@subsection Syntax 6061@example 6062<control_kind> max_size (<subrule>, <max allowed lines>); 6063<subrule> ::= accept | block | case | case_branch | 6064 if | if_branch | loop | simple_block | 6065 unnamed_block | unnamed_loop | 6066 package_spec | package_body | procedure_body | 6067 function_body | protected_spec | protected_body | 6068 entry_body | task_spec | task_body | 6069 unit 6070@end example 6071@subsection Action 6072The first parameter is a subrule keyword that determines which 6073elements are controlled: 6074@itemize @bullet 6075@item 6076``accept'' controls accept statements. 6077@item 6078``block'' controls all block statements, while ``simple_block'' 6079controls only blocks without a @code{@b{declare}} part, and 6080``unnamed_block'' controls only blocks without a name. 6081@item 6082``loop'' controls all loop statement, while ``unnamed_loop'' controls 6083only loops without a name. 6084@item 6085``if_branch'' and ``case_branch'' control the length of each 6086alternative of an @code{@b{if}} (respectively @code{@b{case}}) 6087statement. 6088@item 6089``package_spec'', ``package_body'', ``procedure_body'', 6090``function_body'', ``protected_spec'', ``protected_body'', 6091``entry_body'', ``task_spec'', and ``task_body'' control the length of 6092the declaration of the corresponding element. 6093@item 6094``unit'' controls the whole length of compilation units. 6095@end itemize 6096 6097For each kind of element, the indicated value is the maximum allowed 6098size of the full element; however, for branches (``if_branch'' and 6099``case_branch'') it is the maximum size of the sequence of statements 6100in the branch (i.e., the line that contains the @code{@b{elsif}} is 6101not counted as part of an ``if_branch''). 6102 6103This rule can be given once for each of check, search, and count for 6104each kind of element. This way, it is possible to have a level 6105considered a warning (search), and one considered an error (check). Of 6106course, this makes sense only if the number of lines for search is 6107less than the one for check. 6108 6109Ex: 6110@example 6111check Max_Size (if_branch, 30); 6112search Max_Size (if_branch, 50); 6113check Max_Size (unnamed_loop, 20); 6114@end example 6115 6116@subsection Tip 6117Note that ``procedure_body'' and ``function_body'' apply to protected 6118subprograms as well as regular ones, and that there is no subrule for 6119the length of the declaration of subprograms. Such fine specifications 6120didn't seem useful, but could be added if someone expresses a need for 6121it. 6122 6123@node Max_Statement_Nesting, Movable_Accept_Statements, Max_Size, Rules reference 6124@section Max_Statement_Nesting 6125This rule controls the nesting of compound statements. 6126 6127@subsection Syntax 6128@example 6129<control_kind> max_statement_nesting (<subrule>, <max allowed depth>); 6130<subrule> ::= block | case | if | loop | all 6131@end example 6132@subsection Action 6133If one of ``block'', ``case'', ``if'', or ``loop'' is specified, it 6134controls the nesting of statements of the same kind, i.e. an 6135@code{@b{if}} within a @code{@b{loop}} within an @code{@b{if}} counts 6136only 2 for the ``if'' keyword. If ``all'' is specified, all kinds of 6137compound statements are counted together, i.e. an @code{@b{if}} within 6138a @code{@b{loop}} within an @code{@b{if}} counts for 3. This rule can 6139be given once for each of check, search, and count, and for each of 6140the subrules. This way, it is possible to have a level considered a 6141warning (search), and one considered an error(check). Of course, this 6142makes sense only if the level for search is less than the one for 6143check. 6144 6145Ex: 6146@example 6147check max_statement_nesting (loop, 3); 6148search max_statement_nesting (all, 5); 6149@end example 6150 6151@node Movable_Accept_Statements, Naming_Convention, Max_Statement_Nesting, Rules reference 6152@section Movable_Accept_Statements 6153This rule controls statements that are inside accept statements and 6154could safely be moved outside. 6155 6156@subsection Syntax 6157@example 6158<control_kind> movable_accept_statements (certain|possible @{, <entity>@}) 6159@end example 6160@subsection Action 6161Since it is good practice to block a client for the shortest time 6162possible, any action that does not depend on the accept parameters 6163should not be part of an accept statement. 6164 6165Statements that involve synchronisation (delay statements, accept or 6166entry calls...) are not movable. Statements (including compound 6167statements) that reference the parameters of the enclosing accept are 6168not movable. In addition, statements that use one of the <entity> 6169given as parameters are never considered movable. As usual, the whole 6170syntax for entities is allowed for <entity>. @xref{Specifying an Ada 6171entity name}. Note that if a generic entity, or an entity declared in 6172a generic package, is given, all statements that use the corresponding 6173instantiated entity are considered not movable. 6174 6175If the first parameter of the rule is @code{certain}, only statements 6176after the last non-movable statement are reported. If the first 6177parameter is @code{possible}, a simple data flow analysis is 6178performed, and every statement that does not reference a variable that 6179appears to depend (directly or indirectly) on a parameter is also 6180reported. 6181 6182Ex: 6183@example 6184check movable_accept_statements (possible, Log.Report_Rendezvous); 6185@end example 6186 6187@subsection Tips 6188The list of <entity> given to the rule can be, for example, procedures 6189whose execution must be part of the accept statement for logical 6190reasons. They can also be global variables, when the rendezvous is 6191intended to prevent concurrent access to these variables. 6192 6193@node Naming_Convention, No_Operator_Usage, Movable_Accept_Statements, Rules reference 6194@section Naming_Convention 6195This rule controls the form of identifiers to make sure that they 6196follow the project's naming conventions. Different naming conventions 6197can be specified, depending on the kind of Ada entity that the name is 6198refering to. 6199 6200@subsection Syntax 6201@example 6202<control_kind> naming_convention 6203 ([root] [others] @{<location>@} [<type_spec>] <filter_kind>, 6204 [case_sensitive|case_insensitive] [not] "<pattern>" 6205 @{, ...@}); 6206<location> ::= global | local | unit 6207<type_spec> ::= <entity> | @{<category>@} 6208<category> ::= () | access | array | delta | digits | mod | 6209 private | protected | range | record | tagged | task 6210<filter_kind> ::= All | 6211 Type | 6212 Discrete_Type | 6213 Enumeration_Type | 6214 Integer_Type | 6215 Signed_Integer_Type | 6216 Modular_Integer_Type | 6217 Floating_Point_Type | 6218 Fixed_Point_Type | 6219 Binary_Fixed_Point_Type | 6220 Decimal_Fixed_Point_Type | 6221 Array_Type | 6222 Record_Type | 6223 Regular_Record_Type | 6224 Tagged_Type | 6225 Interface_Type | 6226 Class_Type | 6227 Access_Type | 6228 Access_To_Regular_Type | 6229 Access_To_Tagged_Type | 6230 Access_To_Class_Type | 6231 Access_To_SP_Type | 6232 Access_To_Task_Type | 6233 Access_To_Protected_Type | 6234 Private_Type | 6235 Private_Extension | 6236 Generic_Formal_Type | 6237 Variable | 6238 Regular_Variable | 6239 Field | 6240 Discriminant | 6241 Record_Field | 6242 Protected_Field | 6243 Procedure_Formal_Out | 6244 Procedure_Formal_In_Out | 6245 Generic_Formal_In_Out | 6246 Constant | 6247 Regular_Constant | 6248 Regular_Static_Constant | 6249 Regular_Nonstatic_Constant | 6250 Named_Number | 6251 Integer_Number | 6252 Real_Number | 6253 Enumeration | 6254 Sp_Formal_In | 6255 Generic_Formal_In | 6256 Loop_Control | 6257 Occurrence_Name | 6258 Entry_Index | 6259 Label | 6260 Stmt_Name | 6261 Loop_Name | 6262 Block_Name | 6263 Subprogram | 6264 Procedure | 6265 Regular_Procedure | 6266 Protected_Procedure | 6267 Generic_Formal_Procedure | 6268 Function | 6269 Regular_Function | 6270 Protected_Function | 6271 Generic_Formal_Function | 6272 Entry | 6273 Task_Entry | 6274 Protected_Entry | 6275 Package | 6276 Regular_Package | 6277 Generic_Formal_Package | 6278 Task | 6279 Task_Type | 6280 Task_Object | 6281 Protected | 6282 Protected_Type | 6283 Protected_Object | 6284 Exception | 6285 Generic | 6286 Generic_Package | 6287 Generic_Sp | 6288 Generic_Procedure | 6289 Generic_Function | 6290 Renaming | 6291 Object_Renaming | 6292 Exception_Renaming | 6293 Package_Renaming | 6294 Subprogram_Renaming | 6295 Procedure_Renaming | 6296 Function_Renaming | 6297 Generic_Renaming | 6298 Generic_Package_Renaming | 6299 Generic_Sp_Renaming | 6300 Generic_Procedure_Renaming | 6301 Generic_Function_Renaming 6302@end example 6303 6304@subsection Action 6305The first parameter defines the kind of declaration to which the rule 6306is applicable, and other parameters are strings, interpreted as 6307regular expressions that define the patterns that must be 6308matched (or not). @xref{Syntax of regular expressions}. 6309 6310If one or more <location> keyword is specified, the pattern applies 6311only to identifiers declared at the corresponding place. Otherwise, 6312the pattern applies to all identifiers, irrespectively of where they 6313are declared. The definition of locations is as follows: 6314@itemize @bullet 6315@item 6316``unit'': The identifier is the defining name of a compilation unit. 6317@item 6318``global'': The identifier is declared in a package or a generic 6319package, possibly nested in other packages or generic packages. 6320@item 6321``local'': All other cases. 6322@end itemize 6323 6324In the case of objects (corresponding to filters in the ``variable'' 6325and ``constant'' families) and functions (in the ``function'' family), 6326it is possible to be more specific, depending on the type of the 6327object (or the return type of the function), as specified by the 6328<type_spec> modifier. The <type_spec> modifier is either a single 6329<entity> giving the type of the object or one or more <category> 6330keywords. As usual, the whole syntax for entities is allowed for 6331<entity>. @xref{Specifying an Ada entity name}. The meaning of 6332<category> is: 6333@itemize @bullet 6334@item 6335``()'': The object is of an enumerated type. 6336@item 6337``access'': The object is of an access type. 6338@item 6339``array'': The object is of an array type. 6340@item 6341``delta'': The object is of a fixed point type (it is not currently 6342possible to distinguish ordinary fixed point types from decimal fixed 6343point types). 6344@item 6345``digits'': The object is of a floating point type. 6346@item 6347``mod'': The object is of a modular type. 6348@item 6349``private'': The object is of a private type (including private 6350extensions). 6351@item 6352``protected'': The object is of a protected type. 6353@item 6354``range'': The object is of a signed integer type. 6355@item 6356``record'': The object is of an (untagged) record type. 6357@item 6358``tagged'': The object is of a tagged type (including type 6359extensions). 6360@item 6361``task'': The object is of a task type. 6362@end itemize 6363 6364For a given layer of the hierarchy (i.e. ``variable'', 6365``regular_variable''), only the most specific filter is applicable, 6366i.e. ``standard.boolean variable'' will apply to all boolean 6367variables, while plain ``variable'' will apply to other variables. See 6368examples below. 6369 6370If ``case_sensitive'' is specified, pattern matching considers 6371casing. Otherwise (``case_insensitive''), casing is irrelevant. The 6372default is ``case_insensitive'', and can be changed by setting the 6373rule variable ``Default_Case_Sensitivity'', see below. Note that the 6374rule checks the name only at the place where it is declared; casing 6375might be different when the name is used later. 6376 6377If a pattern is preceded by ``not'', then the pattern must @i{not} be 6378matched (i.e. the rule reports when there is a match). 6379 6380The rule will be activated if an identifier is declared that does not 6381match any of the ``positive'' patterns (the ones without ``not''), or 6382if it matches any of the ''negative'' patterns (the ones with a 6383``not''). If only negative patterns are given, it is implicitely 6384assumed that all other identifiers are OK. In other words, accepted 6385identifiers must have the form of (at least) one of the ``positive'' 6386patterns (if any), but not the form of one of the ``negative'' 6387patterns. 6388 6389The filter kinds are organized hierarchically, as reflected by 6390indentation in the syntax above. To be valid, the name must match the 6391patterns specified for its own filter, and for all filters above it in 6392the hierarchy. For example, a modular type declaration must follow 6393the rules (if specified) for ``all'', ``type'',''discrete_type'', 6394``integer_type'' and ``modular_integer_type''. However, if a filter 6395kind is preceded by ``others'', the rule will apply only if there is 6396no applicable positive pattern deeper in the hierarchy; similarly, if 6397a filter kind is preceded by ``root'', no rule above it in the 6398hierarchy is considered (neither for itself nor its children). This is 6399useful to make exceptions to a more general rule. For example: 6400 6401@example 6402-- All identifiers must have at least 3 characters: 6403check naming_convention (all, "..."); 6404-- And start with an upper-case letter 6405-- (will not apply to types and access types, because of "others" and 6406-- other rules given below) 6407check naming_convention (others all, case_sensitive "^[A-Z]"); 6408 6409-- Exception to the rule for "all": 6410-- No minimum length for "for loop" identifiers, but must be 6411-- all uppercase 6412check naming_convention (root loop_control, case_sensitive "^[A-Z]+$"); 6413 6414-- Types must start with "t", then an upper-case letter: 6415-- (will not apply to access types, because of "others" and 6416-- other rule given below) 6417check naming_convention (others type, case_sensitive "^t[A-Z]"); 6418 6419-- Access types must start with "ta", then an upper-case letter: 6420check naming_convention (access_type, case_sensitive "^ta[A-Z]"); 6421 6422-- Boolean variables, and only these, must start with "Is_" or 6423-- "Has_": 6424check naming_convention (variable, not "^Is_", not "^Has_"); 6425check naming_convention (standard.boolean variable, "^Is_", "^Has_"); 6426 6427-- Functions returning Wide_String must start with "Wide_", and 6428-- similarly for Wide_Wide_String, and no other: 6429check naming_convention (standard.wide_string function, 6430 "^Wide_", 6431 not "^Wide_Wide_"); 6432check naming_convention (standard.wide_wide_string function, 6433 "^Wide_Wide_"); 6434check naming_convention (function, not "^Wide_"); 6435@end example 6436 6437It is of course not necessary to specify all the filter kinds, nor to 6438specify filters down to the deepest level; if you specify a rule for 6439``type'', it will be applied to all type declarations, whether there 6440is a more specific rule or not. 6441 6442Subtypes and derived types must follow the rule for their respective 6443original (full) type. Incomplete type declarations are @i{not} 6444checked, since their corresponding full declaration is (normally) 6445checked. Private types (including of course the full declaration of a 6446private type) follow the rule for private types, @i{not} the rules for 6447their full type view (otherwise it would be privacy breaking). 6448 6449Renamings are treated specially: if there is no explicit rule for a 6450given renaming, the applicable rule is the one for the renamed entity. 6451 6452Ex: 6453@example 6454-- Predefined name is forbidden: 6455check naming_convention (all, not "Integer"); 6456 6457-- Types must either start or end with T 6458check naming_convention (type, case_sensitive "^T_", 6459 case_sensitive "_T$"); 6460 6461-- "Upper_Initials" naming convention: 6462check naming_convention 6463 (all, case_sensitive "^[A-Z][a-z0-9]*(_[A-Z0-9][a-z0-9]*)*$"); 6464 6465-- All global variables must start with "G_" 6466check naming_convention (global variable, "G_"); 6467@end example 6468 6469@subsection Variable 6470The rule provides a variable that allows to specify the default 6471casing. 6472 6473@need 800 6474@multitable @columnfractions .25 .10 .10 .55 6475@item 6476@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 6477@item 6478Default_Case_Sensitivity 6479@tab on@*off 6480@tab off 6481@tab 6482@table @asis 6483@item on 6484controls that do not explicitely specify case sensitivity are case sensitive. 6485@item off 6486controls that do not explicitely specify case sensitivity are not case sensitive. 6487@end table 6488@end multitable 6489 6490@subsection Tips 6491The rule only checks the casing of identifiers at the place where they 6492are declared. A useful companion rule is ``style (casing_identifier, 6493original)'', which ensures that every use of the identifier will use 6494the same casing as in the declaration. @xref{Style}. Similarly, in 6495the case of a subprogram and its parameters, the check is not done on 6496the body if there is an explicit specification (since specification 6497and body have to match anyway). 6498 6499The rule does @i{not} check the names of operators, since it would 6500make little sense to have naming conventions for things whose name is 6501imposed. If you want to prevent the definition of operators, refer to 6502the rule ``declarations'' and its subrules ``operator'', 6503``equality_operator'', and``predefined_operator''. 6504@xref{Declarations}. 6505 6506Remember that a Regexp matches if the pattern matches any part of the 6507identifier. Use ``^'' and ``$'' to match the beginning (resp. end) of 6508the name, or both. 6509 6510A constant is considered static for the purpose of 6511``Regular_Static_Constant'' and ``Regular_Nonstatic_Constant'' if it 6512is of a discrete type initialized by a static expression, or if it is 6513an aggregate whose components all have static values. This is 6514different from the official definition of ``static'' in the language, 6515but corresponds to what most users would expect. 6516 6517``class_type'' is applicable to subtypes that designate a class-wide 6518type. Similarly, ``access_to_class_type'' is applicable to access 6519types whose designated type is class-wide. 6520 6521If you don't want any special rule for renamings (not even the one that 6522applies to the renamed entity), specify: 6523@example 6524check naming_convention (renaming, ""); 6525@end example 6526This imposes no constraint on renamings, but since it is specified 6527explicitely, the implicit rule for the renamed entity won't apply. 6528 6529The @code{rules} directory of Adacontrol contains two files named 6530@code{no_standard_entity.aru} and @code{no_system_entity.aru}. These 6531are files that contain a naming_convention rule that forbids the 6532declaration of names declared in packages @code{Standard} and @code{System}, 6533respectively. You can simply ``source'' these files from your own rule 6534file (or copy the content) if you want to disallow these identifiers. 6535 6536Like usual, naming_convention rule can be given multiple times, and 6537can be disabled. However, consider the following: 6538@example 6539Rule1 : check naming_convention (constant, "^c_"); 6540Rule2 : check naming_convention (constant, "^const_"); 6541@end example 6542The rule will trigger if a constant is declared that does not start 6543with either ``c_'' or ``const_''. But here, we have two different 6544rule labels. The message will refer to the first label encountered in the 6545rule file; this is the label that must be mentionned in a disabling 6546comment, unless you simply disable ``naming_convention''. 6547 6548@subsection Limitations 6549This rule does not support wide characters outside the basic Latin-1 set. 6550 6551@node No_Operator_Usage, Non_Static, Naming_Convention, Rules reference 6552@section No_Operator_Usage 6553This rule controls integer types that do not use any arithmetic 6554operators, which indicates that they might be replaceable with other 6555kinds of types. 6556@subsection Syntax 6557@example 6558<control_kind> no_operator_usage [([<category>] <parameter> 6559 [,<parameter>])]; 6560<category> ::= range | mod 6561<parameter> ::= [<filter>] <observed> 6562<filter> ::= not | ignore | report 6563<observed> ::= relational | logical | indexing 6564@end example 6565@subsection Action 6566This rule controls integer types where no arithmetic operator of the 6567type is used in the program. If the <category> is @code{range}, the 6568control applies only to signed integer types; if it is @code{mod}, it 6569applies only to modular integer types; otherwise, it applies to both. 6570 6571When such a type is found, it migh be interesting to find out other 6572usages to determine a possible better kind of type. ``relational'' 6573means that relational operators (@code{<}, @code{<=}, @code{>}, 6574@code{>=}, @code{@b{in}}, @code{@b{not in}}) are used, ``logical'' 6575means that logical operators (@code{@b{and}}, @code{@b{or}}, 6576@code{@b{xor}}) are used, and ``indexing'' means that the type is 6577used as an index in some array type. 6578 6579If an <observed> property is given as parameter, only types that 6580feature the property are controlled, or those that do @i{not} feature 6581the property if the <observed> is preceded by ``not''. If the 6582<observed> is preceded by ``ignore'' the type is controlled 6583irrrespectively of the property, and the message does not mention it 6584at all, while if it is preceded by ``report'', the message still 6585mentions whether the <observed> is used or not. 6586 6587Without parameters, the rule is equivalent to ``ignore relational, 6588ignore logical, ignore indexing'' (i.e. it controls all types that do 6589not use any arithmetic operator). 6590 6591This rule can be given only once for each combination of values of the 6592parameters. 6593 6594Ex: 6595@example 6596-- Simply report types that don't use arithmetic operators: 6597check no_operator_usage; 6598 6599-- Do the same, but mention if indexing/logical ops are used: 6600check no_operator_usage (report indexing, report logical); 6601 6602-- Find modular integer types that use only logical operators: 6603check no_operator_usage (mod logical); 6604 6605-- Find integer types that don't use artihmetic operators and are 6606-- not used for indexing nor in relational operators: 6607check no_operator_usage (not indexing, not relational); 6608@end example 6609 6610@subsection Tips 6611An integer type that uses no operator at all is a good candidate to be 6612replaced by an enumerated type. A modular type where only logical 6613operators are used is likely to be used as a bit field or a set, and 6614is a good canditate for being replaced by an array of booleans. 6615 6616The rule does not make a distinction between predefined and 6617user-defined operators. On the other hand, only calls to operators are 6618considered, operators used for example as actual generic parameters in 6619instantiations are not considered. 6620 6621The rule applies also to private types whose full declaration is an 6622integer type. 6623 6624@node Non_Static, Not_Elaboration_Calls, No_Operator_Usage, Rules reference 6625@section Non_Static 6626This rule controls that expressions used in certain contexts are 6627static. 6628@subsection Syntax 6629@example 6630<control_kind> non_static [(<subrule> @{, <subrule>@})]; 6631<subrule> ::= constant_initialization | variable_initialization | 6632 index_constraint | discriminant_constraint | 6633 instantiation | index_check 6634@end example 6635 6636@subsection Action 6637The <subrule> defines the elements that are required to be static: 6638@itemize @bullet 6639@item 6640``constant_initialization'': expressions used as initial value in 6641constant declarations. 6642@item 6643``variable_initialization'': expressions used as initial value in 6644variable declarations. 6645@item 6646``index_constraint'': expressions used in index constraints (aka array 6647sizes). 6648@item 6649``discriminant_constraint'': expressions used in discriminant 6650constraints 6651@item 6652``instantiation'': expressions used as generic actual parameters in 6653instantiations. 6654@item 6655``index_check'': expressions used as indices must satisfy statically 6656the index check. I.e., the expression needs not be static, but it 6657should be statically provable that the index check cannot fail. 6658@end itemize 6659 6660If no keyword is given, all contexts are controlled. 6661 6662Ex: 6663@example 6664check non_static (index_constraint); 6665@end example 6666 6667@subsection Limitations 6668Currently, ``constant_initialization'' and ``variable_initialization'' 6669do not control structured (record and array) variables. For access 6670variables, the initial value is considered static only if it is a plain 6671@code{@b{null}}. This may improve in future versions of AdaControl. 6672 6673@subsection Tips 6674If all index and discriminant constraints are static, the space 6675occupied by data structures is computable from the program text. This 6676rule is useful to enforce this in contexts where the memory space must 6677be statically determined. 6678 6679@node Not_Elaboration_Calls, Not_Selected_Name, Non_Static, Rules reference 6680@section Not_Elaboration_Calls 6681This rule controls that certain subprograms (or allocators) are called 6682only during program initialization. 6683@subsection Syntax 6684@example 6685<control_kind> not_elaboration_calls (<entity>|new @{, <entity>|new@}); 6686@end example 6687 6688@subsection Action 6689The <entity> parameters are callable entities (procedure, function or 6690entry calls). As usual, the whole syntax for entities is allowed for 6691<entity>. @xref{Specifying an Ada entity name}. This rule controls 6692calls to the indicated callable entities, or allocators if ``new'' is 6693given, that are performed at any time except during the elaboration of 6694library packages. 6695 6696Ex: 6697@example 6698search not_elaboration_calls (Data.Initialize, new); 6699@end example 6700 6701@subsection Limitations 6702Due to an (allowed by ASIS standard) limitation of ASIS-for-Gnat, the 6703rule will not detect calls to subprograms that are implicitely 6704defined, like calling a @code{"+"} on @code{Integer}. Fortunately, 6705it is very unlikely that the user would want to forbid that kind of 6706calls in non-elaboration code. 6707 6708Note also that calls that cannot be statically determined, like calls 6709to dispatching operations or calls through pointers to subprograms 6710cannot be detected either. 6711 6712@node Not_Selected_Name, Object_Declarations, Not_Elaboration_Calls, Rules reference 6713@section Not_Selected_Name 6714This rule controls that certain entities are always refered to using 6715selected notation, even in the presence of @code{@b{use}} clauses. 6716@subsection Syntax 6717@example 6718<control_kind> not_selected_name 6719 (<exception places>, <entity> @{, <entity>@}); 6720<exception places> ::= none | unit | compilation | family 6721@end example 6722@subsection Action 6723A name is ``selected'' if it is prefixed by the name of the construct 6724where it is declared. Only one level of prefix is required, unless the 6725prefix itself is the target of a not_selected_name rule. 6726 6727The first parameter specifies places where the rule is @i{not} 6728enforced, i.e. where simple notation is allowed: 6729@itemize @bullet 6730@item 6731``none'': selected notation is always required. 6732@item 6733``unit'': selected notation is not required within the program unit 6734where the entity is declared. 6735@item 6736``compilation'': selected notation is not required within the 6737compilation unit where the entity is declared. 6738@item 6739``family'': selected notation is not required within the compilation 6740unit where the entity is declared, nor within its (direct or indirect) 6741children. 6742@end itemize 6743 6744Other parameters indicate the <entity> to which the rule applies. As 6745usual, the whole syntax for entities is allowed for <entity>. 6746@xref{Specifying an Ada entity name}. 6747 6748Ex: 6749@example 6750check not_selected_name (unit, all Instance); 6751search not_selected_name (none, Pack.T); 6752@end example 6753 6754@subsection Tip 6755Note that, as usual, the entity can be given in the form ``all 6756name''. This is especially useful for types that must always be 6757declared with a special name (like @code{Instance}, @code{Object}, 6758@code{T}) and are intended to be always used with the name of the 6759enclosing package. 6760 6761@node Object_Declarations, Parameter_Aliasing, Not_Selected_Name, Rules reference 6762@section Object_Declarations 6763This rule controls various aspects of object (constants and variables) 6764declarations. 6765 6766@subsection Syntax 6767@example 6768<control_kind> object_declarations (min_integer_span, <min_spec> 6769 @{, <min_spec>@}); 6770<control_kind> object_declarations (type, <type_spec> @{, <type_spec>@}); 6771<control_kind> object_declarations (volatile_no_address); 6772<control_kind> object_declarations (address_not_volatile); 6773<min_spec> ::= [constant | variable] <value> 6774<type_spec> ::= [constant | variable] <entity> 6775@end example 6776 6777@subsection Action 6778The action depends on the subrule. 6779@itemize @bullet 6780@item 6781``min_integer_span'': controls that every object of an integer type 6782has a subtype that covers at least the indicated number of 6783values. Different values can be specified for variables and constants; 6784if no modifier (``constant'' or ``variable'') is supplied, the value 6785applies to both. 6786 6787This subrule can be given only once for each combination of 6788check/search/count and constant/variable. 6789@item 6790``type'': controls every object whose (sub)type matches <entity>. As usual, 6791the whole syntax for entities is allowed for 6792<entity>. @xref{Specifying an Ada entity name}. If the <entity> is a 6793subtype, only objects of that exact subtype are controlled; if the 6794<entity> is a type, objects declared with the type or any subtype of 6795it are controlled. The control can be restricted to only variables or 6796only constants; if no modifier (``constant'' or ``variable'') is 6797supplied, both are controlled. 6798 6799This subrule can be given only once for each combination of <entity> 6800and constant/variable. 6801@item 6802``volatile_no_address'': controls variables that are the target of a 6803pragma volatile, but have no address clause. Constants are not 6804controlled, since it would be very strange to have a volatile 6805constant... 6806 6807Since this subrule has no parameters, it can be given only once. 6808@item 6809``address_not_volatile'': controls variables that have an address 6810clause, but are not the target of a pragma volatile. Constants are not 6811controlled, since it would be very strange to have a volatile 6812constant... 6813 6814Since this subrule has no parameters, it can be given only once. 6815@end itemize 6816 6817Ex: 6818@example 6819check object_declarations (min_integer_span, variable 5, constant 10); 6820 6821count object_declarations (min_integer_span, 8); 6822-- Same value for variables and constants 6823 6824search object_declarations (volatile_no_address); 6825search object_declarations (address_not_volatile); 6826@end example 6827 6828@subsection Tip 6829The ``min_integer_span'' rule can be useful for detecting variables 6830that should use an enumerated type rather than an integer type. 6831 6832@subsection Limitation 6833Due to a shortcomming of the ASIS interface, the subrules 6834``volatile_no_address'' and ``address_not_volatile'' will not detect 6835variables of a class-wide type that are volatile due to a pragma 6836volatile applying to the class-wide type. If the pragma applies to the 6837variable, the subrule will work correctly. A pragma volatile applied 6838to a class-wide type is detected by the rule 6839``uncheckable''. @xref{Uncheckable}. 6840 6841Declaring a class-wide @emph{type} as volatile seems very peculiar 6842anyway... 6843 6844@node Parameter_Aliasing, Parameter_Declarations, Object_Declarations, Rules reference 6845@section Parameter_Aliasing 6846This rule controls aliased use of variables in subprogram 6847calls. 6848 6849@subsection Syntax 6850@example 6851<control_kind> parameter_aliasing [([with_in] <level>)]; 6852<level> ::= Certain | Possible | Unlikely 6853@end example 6854 6855@subsection Action 6856This rule identifies calls where the same variable is given as an 6857actual to more than one @code{@b{out}} or @code{@b{in out}} parameter, 6858like in the following example: 6859@example 6860@b{procedure} Proc (X, Y : @b{out} Integer); 6861 ... 6862Proc (X => V, Y => V); 6863@end example 6864 6865If the modifier ``@code{with_in}'' is given, aliasing between 6866@code{@b{out}} or @code{@b{in out}} parameters and @code{@b{in}} 6867parameters is also considered (unless the @code{@b{in}} parameter is 6868of a user-defined by-copy type). Although aliasing of @code{@b{in}} 6869parameters is generally considered less of an issue, it can lead to 6870unexpected results when the parameter is passed by reference. 6871 6872There are many cases where aliasing cannot be determined 6873statically. The optional parameter specifies how aggressively the 6874rule will check for possible aliasings. Possible values are (case 6875irrelevant): 6876@itemize 6877@item 6878Certain (default): Only cases where aliasing is statically certain are 6879output. 6880@item 6881Possible: In addition, cases where aliasing may occur depending on 6882the value of an indexed component are output. These may or may not be 6883true aliasing, depending on the algorithm. For example, given: 6884@example 6885Swap (Tab (I), Tab (J)); 6886@end example 6887there is no aliasing, unless @code{I} equals @code{J}. 6888 6889If all expressions used for indexing in both variables are static, the 6890rule will be able to eliminate the diagnosis of aliasing (if the 6891values are different). This avoids unnecessary messages in cases like: 6892@example 6893Swap (Tab (1), Tab (2)); 6894@end example 6895 6896@item 6897Unlikely: In addition, cases where aliasing may occur due to access 6898variables pointing to the same variable are output. These may or may 6899not be true aliasing, depending on the algorithm, but should normally 6900occur only as the result of very strange practices, like in the 6901following example: 6902@example 6903@b{type} R @b{is} 6904 @b{record} 6905 X : @b{aliased} Integer; 6906 @b{end} @b{record}; 6907X : R; 6908Y : Access_All_Integer := R.X'access; 6909 ... 6910P (X, Y.all); 6911@end example 6912@end itemize 6913There will be no false positive with ``Certain''. There will be no 6914false negative with ``Unlikely'' (but many false 6915positives). ``Possible'' is somewhere in-between. 6916 6917The rule may be specified at most once for each value of the 6918parameter. This allows for example to ``check'' for ``Certain'' and 6919``search'' for ``Possible''. 6920 6921Ex: 6922@example 6923check parameter_aliasing (with_in certain); 6924search parameter_aliasing (Possible); 6925@end example 6926 6927Note that the rule is quite clever: it will consider partial aliasing 6928(like a record variable as one parameter, and one of its components as 6929another parameter), and will not be fooled by renamings. 6930 6931@subsection Limitation 6932Due to a weakness of the ASIS standard, dispatching calls are not 6933analyzed. Some calls cannot obviously have aliasing (if there is only 6934one parameter, or if there are no variables in the parameters f.e.); 6935other calls are detected by the rule ``uncheckable''. @xref{Uncheckable}. 6936 6937@node Parameter_Declarations, Positional_Associations, Parameter_Aliasing, Rules reference 6938@section Parameter_Declarations 6939This rule controls various characteristics of the declaration of parameters 6940for all callable entities (i.e. functions, procedures and entries). 6941 6942@subsection Syntax 6943@example 6944<control_kind> parameter_declarations (<subrule> [,<bounds>] 6945 @{,<callable>@}); 6946<subrule> ::= all_parameters | in_parameters | 6947 defaulted_parameters | out_parameters | 6948 in_out_parameters | access_parameters | 6949 tagged_parameters | class_wide_parameters | 6950 single_out_parameter 6951<bounds> ::= min|max <value> [, min|max <value> ] 6952<callable> ::= function | procedure | 6953 dispatching_function | dispatching_procedure | 6954 protected_function | protected_procedure | 6955 protected_entry | task_entry 6956@end example 6957 6958@subsection Action 6959The first parameter is a subrule keyword. ``single_out_parameter'' has 6960no parameter; all other subrules require one or two bounds. 6961@itemize @bullet 6962@item 6963``all_parameters'': Controls callable entities whose number of 6964parameters is less than the given ``min'' or greater than the given 6965``max''. ``min'' defaults to 0 and ``max'' to infinity. 6966@item 6967``in_parameters'', ``out_parameters'', ``in_out_parameters'': Do the 6968same, counting only parameters of modes @code{@b{in}}, 6969@code{@b{out}}, or @code{@b{in out}} respectively. 6970@item 6971``defaulted_parameters'': Does the same, counting only parameters 6972declared with an explicit default expression. 6973@item 6974``access_parameters'': Does the same, counting only (anonymous) access 6975parameters. 6976@item 6977``tagged_parameters'': Does the same, counting only parameters of 6978a specific tagged type. 6979@item 6980``class_wide_parameters'': Does the same, counting only parameters of 6981a class-wide type. 6982@item 6983``single_out_parameter'': Controls callable entities that have exactly 6984one @code{@b{out}} parameter. Procedures with a single @code{@b{out}} 6985parameter might be candidates to becoming functions. 6986@end itemize 6987 6988If one or more <callable_kind> is specified after the <value>, the 6989rule applies only to the corresponding declaration(s), otherwise it 6990applies to all callable entities. ``dispatching_function'' and 6991``dispatching_procedure'' allow different counts for dispatching 6992subprograms (i.e. primitive subprograms of a tagged type). If 6993``dispatching_function'' or ``dispatching_procedure'' is not 6994explicitely specified, ``function'' (conversely ``procedure'') applies 6995also to dispatching functions (conversely dispatching procedures). 6996 6997This rule can be given once for each of check, search, and count for 6998each subrule and each kind of entity. This way, it is possible to have 6999a level considered a warning (search), and one considered an error 7000(check). 7001 7002Ex: 7003@example 7004-- Callable entities should preferably not have more than 5 7005-- parameters, and in any case not have more that 10 parameters, 7006check parameter_declarations (all_parameters, max 10); 7007search parameter_declarations (all_parameters, max 5); 7008 7009-- All functions must have parameters and no out or in out 7010-- parameters (allowed in Ada 2012): 7011check parameter_declarations (all_parameters, min 1, function); 7012check parameter_declarations (out_parameters, max 0, function); 7013check parameter_declarations (in_out_parameters, max 0, function); 7014 7015-- A regular (not protected) procedure with one out parameter 7016-- should be replaced by a function 7017check parameter_declarations (single_out_parameter, procedure); 7018 7019-- Find all callable entities with class-wide parameters: 7020search parameter_declarations (class_wide_parameters, max 0); 7021 7022-- Dispatching operations may have only one parameter of a tagged type: 7023check parameter_declarations (tagged_parameter, 7024 max 1, 7025 dispatching_function, 7026 dispatching_procedure); 7027@end example 7028 7029@subsection Tips 7030This rule applies to generic subprograms as well as to regular ones. 7031On the other hand, it does not apply to generic formal subprograms, 7032since instantiations would only be possible with subprograms which 7033are supposed to have been already controlled. 7034 7035Instantiations are also controlled; the number of parameters is taken 7036from the corresponding generic. 7037 7038Note that this rule controls only ``regular'' parameters, not generic 7039formal parameters. 7040 7041Note that dispatching operations have necessarily at least one tagged 7042parameter, although a ``max 0'' could be specified in the example 7043above. If you do this, all declarations of dispatching subprograms 7044will be controlled. Maybe that's what you want... 7045 7046@node Positional_Associations, Potentially_Blocking_Operations, Parameter_Declarations, Rules reference 7047@section Positional_Associations 7048This rule controls the use of positional associations (as opposed to 7049named associations) in all kinds of associations. 7050 7051@subsection Syntax 7052@example 7053<control_kind> positional_associations [(<subrule>, <max_allowed> 7054 [, <category> @{, <entity>@}])]; 7055<subrule> ::= all | all_positional | same_type 7056<category> ::= [not_operator] call | discriminant | pragma | 7057 array_aggregate | record_aggregate | instantiation | 7058 enumeration_representation 7059@end example 7060 7061@subsection Action 7062The rule controls pragmas, discriminants, calls, aggregates, or 7063instantiations that use too many positional associations. The 7064definition of ``too many'' depends on the subrule: 7065@itemize 7066@item 7067``all'': when positional associations are given in a place where there 7068is more than <max_allowed> associations (both positional and named). 7069@item 7070``all_positional'': when there is more than <max_allowed> positional 7071associations. 7072@item 7073``same_type'': when more than <max_allowed> positional parameters are 7074of the same type. 7075@end itemize 7076 7077In addition, a <category> can be specified to restrict the rule to 7078specific kinds of associations; if not specified, all associations are 7079controlled. The categories carry their obvious meaning, with the 7080distinction that ``array_aggregate'' applies only to ``true'' array 7081aggregates, while ``enumeration_representation'' applies to the 7082special array aggregate used in enumeration representation 7083clauses. Note that the ``same_type'' subrule is not allowed for the 7084``pragma'' category. For ``pragma'', ''call'', and ``instantiation'', 7085entities can also be specified; such entities are exempted from the 7086rule (i.e. the rule will not control these entities). See examples 7087below. 7088 7089For calls, positional association is @i{not} reported for operators 7090that use infix notation (since named notation is not possible); in 7091addition, if the ``not_operator'' modifier is specified before the 7092``call'' keyword (not allowed elsewhere), positional association is 7093never reported for operators, even if they are called with the syntax 7094of a normal function call (i.e. @code{Pack."+" (A,B)}). Calls to 7095subprograms that are attributes are not reported either, since named 7096notation is not allowed for them. 7097 7098This rule can be specified once for each combination of <subrule>, 7099<category>, and <control_kind>. This way, it is possible to have a 7100number of positional associations considered a warning (search), and 7101one considered an error (check). Of course, this makes sense only if 7102<max_allowed> for search is greater than the one for check. It is also 7103possible to have different criteria for each category. 7104 7105If no parameter is given, it is equivalent to 7106``@code{positional_associations (all, 0)}'', i.e. all positional 7107associations are controlled. 7108 7109Ex: 7110@example 7111 -- All positional associations: 7112check positional_associations; 7113 7114-- All positional associations in aggregates: 7115check positional_associations(all, 0, array_aggregate); 7116check positional_associations(all, 0, record_aggregate); 7117 7118 -- All positional associations with more than 3 elements: 7119search positional_associations (all, 3); 7120 7121-- Positional associations in calls 7122-- with more than 3 params of the same type 7123search positional_associations (same_type, 3, call); 7124 7125-- Positional associations in calls with more than 2 elements (except 7126-- calls to any subprogram called Put) 7127search positional_associations(all, 2, call, all put); 7128@end example 7129 7130@subsection Tips 7131There are two kinds of calls where the rule does not complain about 7132usage of positional association: infix operator calls (since requiring 7133named notation would not allow infix notation any more), and calls to 7134subprograms that are attributes (since named notation is not allowed 7135for these). 7136 7137For the purpose of the ``same_type'' subrule, integer literals are 7138considered of the same type as any parameter of an integer type, and 7139similarly for other universal values. The reason is that this rule is 7140intended to avoid confusion between parameters, when strong typing 7141would not detect an inversion of parameters for example; such a case 7142would happen between parameters of a universal type. 7143 7144For calls, another rule controls positional associations according to 7145the value of parameters rather than their number: 7146@xref{Insufficient_Parameters}. 7147 7148@node Potentially_Blocking_Operations, Pragmas, Positional_Associations, Rules reference 7149@section Potentially_Blocking_Operations 7150This rule controls usage of potentially blocking operations (as 7151defined in LRM 9.5.1 (8..16)) from within protected operations. 7152 7153@subsection Syntax 7154@example 7155<control_kind> potentially_blocking_operations; 7156@end example 7157 7158@subsection Action 7159The rule follows the call graph, starting from every protected 7160operation, and identifies all (direct and indirect) potentially 7161blocking operations encountered. All protected types in the program 7162are controlled. 7163 7164Of course, calls to standard subprograms (notably IOs) that are 7165defined to be potentially blocking are recognized. 7166 7167Ex: 7168@example 7169check potentially_blocking_operation; 7170@end example 7171 7172@subsection Tips 7173This rule is very clever at finding potentially blocking operations 7174resulting from external calls (or requeues) to the current protected 7175object, even if this happens through a long chain of subprogram 7176calls. Typically, this happens when a protected operation calls a 7177subprogram, which in turn makes a call to an operation of the same 7178protected object. Such calls generally result in dead-locks. 7179 7180Therefore, it is advisable to run this rule on any program that 7181exhibits mysterious (and hard to find) deadlocks that seem to involve 7182protected objects. 7183 7184When a single protected object is being analyzed, the rule will 7185diagnose a circularity if there is a call to an operation of the same 7186object in the call chain; however, if a protected type is being 7187analyzed, the rule will diagnose a circularity if there is a call to 7188any object of the same type in the call chain. Although it is possible 7189to construct examples of this latter case where there is no risk of 7190deadlock, it is so contrieved that it certainly deserves being looked 7191at. But since the call is not 100% certain to be potentially blocking, 7192the message will tell ``possible external call'' instead of ``external 7193call'' in this case. 7194 7195@subsection Limitation 7196There is one case defined in LRM E.4(17) which is not recognized: 7197remote subprograms calls. 7198 7199Calls through pointers to subprograms, dispatching calls and calls to 7200generic formal subprograms are unknown statically; they are assumed to 7201be non potentially blocking. Such calls are detected by the rule 7202``uncheckable''. @xref{Uncheckable}. 7203 7204@node Pragmas, Record_Declarations, Potentially_Blocking_Operations, Rules reference 7205@section Pragmas 7206This rule controls usage of one or several specific pragmas. 7207 7208@subsection Syntax 7209@example 7210<control_kind> pragmas (<pragma spec> @{, <pragma spec>@}); 7211<pragma spec> ::= [multiple] all|nonstandard|<pragma name> 7212@end example 7213 7214@subsection Action 7215If the special name ``nonstandard'' is given, then all 7216implementation-defined and unrecognized pragmas will be controlled. 7217If the special name ``all'' is given, then all pragmas will be 7218controlled. Otherwise, the parameters are the names of pragmas to be 7219controlled. Note that <pragma name> must be the simple name of the 7220pragma, since pragma names are predefined and do not follow the rules 7221for regular Ada entities. 7222 7223If ``multiple'' is specified before the pragma spec (or the special 7224name), the corresponding pragma(s) are controlled only if they apply 7225to multiple entities, because one of the parameters is an overloaded 7226name. 7227 7228Ex: 7229@example 7230check pragmas (elaborate_all, elaborate_body); 7231 7232-- Search pragma Convention that apply to several entities: 7233search pragmas (multiple convention); 7234@end example 7235 7236@subsection Tips 7237If ``all'' and/or ``nonstandard'' is given together with a specific 7238pragma name in a ``search'' or ``check'' rule, a message is issued 7239only for the most specific occurrence. However, for ``count'', all 7240appropriate occurrences are counted, i.e. given the following rules: 7241@example 7242C1 : count pragmas (annotate); 7243C2 : count pragmas (nonstandard); 7244C3 : count pragmas (all); 7245@end example 7246Counter C1 will report the number of occurrences of @code{@b{pragma} 7247Annotate} (a non-standard GNAT pragma), counter C2 will report the 7248number of non-standard pragmas (including occurrences of 7249@code{Annotate}), and counter C3 will report the total number of 7250pragmas (including occurrences of @code{Annotate}). 7251 7252@node Record_Declarations, Reduceable_Scope, Pragmas, Rules reference 7253@section Record_Declarations 7254This rule controls various aspects of the components of records. 7255 7256@subsection Syntax 7257@example 7258<control_kind> record_declarations (component, <compo_kind> 7259 @{,<repr_cond>@}); 7260<compo_kind> ::= <entity>|<category> 7261<category> ::= () | access | array | delta | digits | mod | 7262 private | protected | range | record | tagged | task 7263<repr_cond> ::= [not] in_variant | aligned | initialized | packed | 7264 sized 7265@end example 7266 7267@subsection Action 7268The first parameter is a subrule keyword: 7269@itemize 7270@item 7271``Component'' controls record components whose type is the indicated 7272<entity>, or whose type belongs to the indicated <category>. If the 7273<entity> is a subtype, only record components that are of that subtype 7274are controlled. If the indicated <entity> is a type, all record 7275components that are of that type (including subtypes) are 7276controlled. The meaning of <category> is: 7277@itemize @bullet 7278@item 7279``()'': The component is of an enumerated type. 7280@item 7281``access'': The component is of an access type. 7282@item 7283``array'': The component is of an array type. 7284@item 7285``delta'': The component is of a fixed point type (it is not currently 7286possible to distinguish ordinary fixed point types from decimal fixed 7287point types). 7288@item 7289``digits'': The component is of a floating point type. 7290@item 7291``mod'': The component is of a modular type. 7292@item 7293``private'': The component is of a private type (including private 7294extensions). 7295@item 7296``protected'': The component is of a protected type. 7297@item 7298``range'': The component is of a signed integer type. 7299@item 7300``record'': The component is of an (untagged) record type. 7301@item 7302``tagged'': The component is of a tagged type (including type 7303extensions). 7304@item 7305``task'': The component is of a task type. 7306@end itemize 7307If <repr_cond> are specified, the rule controls only record components 7308to which all the corresponding representation items apply: 7309@itemize @bullet 7310@item 7311``in_variant'': The component appears inside the variant part of the 7312record. 7313@item 7314``not in_variant'': The component appears inside the fixed part of the 7315record. 7316@item 7317``aligned'': Either no component clause applies to the component, or 7318the corresponding first bit is a multiple of @code{Storage_Unit}. 7319@item 7320``not aligned'': A component clause applies to the component, and the 7321corresponding first bit is not a multiple of @code{Storage_Unit}. 7322@item 7323``initialized'': The component has a default initialization 7324expression. 7325@item 7326``not initialized'': The component has no default initialization 7327expression. 7328@item 7329``packed'': A pragma Pack applies to the component type. 7330@item 7331``not packed'': No pragma Pack applies to the component type. 7332@item 7333``sized'': A component clause applies to the component (therefore 7334imposing the size). 7335@item 7336``not sized'': No component clause applies to the component. 7337@end itemize 7338@end itemize 7339 7340This rule can be specified several times for the ``component'' 7341subrule. 7342 7343Ex: 7344@example 7345-- All record components of a discrete type should be initialized: 7346check record_declarations (component, (), not initialized); 7347 7348-- The size of all components of type HW_Types.Squeezed must 7349-- have a component clause: 7350check record_declarations (component, HW_Types.Squeezed, not sized); 7351 7352-- Find unaligned components of a packed array type: 7353check record_declarations (component, array, packed, not aligned); 7354@end example 7355 7356@subsection Tips 7357It may seem strange to have a rule with only one subrule, but we 7358expect to add more in the near future. Stay tuned... 7359 7360@subsection Limitations 7361If ``[not] aligned'' is specified, there are some rare cases where 7362AdaControl cannot evaluate whether a component is aligned or not; in 7363this case, it will ``assume the worse'' (i.e. report as if the 7364component had the specified alignment), thus creating possible false 7365positives. Such cases are detected by the rule ``uncheckable''. 7366@xref{Uncheckable}. 7367 7368@node Reduceable_Scope, Representation_Clauses, Record_Declarations, Rules reference 7369@section Reduceable_Scope 7370This rule controls declarations that could be moved to some inner 7371scope. 7372 7373@subsection Syntax 7374@example 7375<control_kind> reduceable_scope [(<subrule> @{, <subrule>@})]; 7376<subrule> ::= @{<restriction>@} all | variable | constant | 7377 subprogram | type | package | 7378 exception | generic | use 7379<restriction> ::= no_blocks | to_body 7380@end example 7381@subsection Action 7382The rule reports on any declaration that is referenced only from a 7383single, inner scope, or in the case of @code{@b{use}} clauses, it will 7384report on packages named in a @code{@b{use}} clause whose elements are 7385used only in a single, inner scope. For entitities declared in package 7386specifications, the rule reports if they are used only from the 7387corresponding package body. 7388 7389The initialization of an object is considered a usage of the object at 7390the place where it is declared, thus preventing it from being 7391moved. Therefore, constants and initialized variables are never 7392reported as being movable to inner scopes; they are reported as being 7393movable to package bodies however. Entities that are used as prefixes 7394of a 'Access or 'Address attribute are never reported, since moving 7395them would change their accessibility level. Similarly, task objects 7396are not reported since moving them would change their master. Finally, 7397dispatching operations (primitive operations of tagged types) are not 7398reported either, since they can be the target of an ``invisible'' 7399(dispatching) call. 7400 7401If no <subrule> is given, or the <subrule> is ``all'', all declarations 7402are controlled. If @code{no_blocks} is specified in front of a 7403<subrule>, the rule will not consider blocks as possible targets for a 7404reduced scope for the corresponding category. If @code{to_body} is 7405specified in front of a <subrule>, the rule will report only elements 7406declared in a package specification that could be moved into the body. 7407Specifying ``all'' explicitely is only useful in the case where there 7408is a <restriction>. 7409 7410As a side effect, the rule will report about entities that are 7411declared but not used (i.e. whose scope reduces to nothing). 7412 7413Ex: 7414@example 7415-- Types and variables shall be declared in the innermost scope 7416-- where they are useful: 7417check reduceable_scope (variable, type); 7418 7419-- Packages and subprograms shall be declared in the innermost 7420-- scope where they are useful, but they are not allowed in blocks: 7421check reduceable_scope (no_blocks subprogram, no_blocks package); 7422 7423-- Use clause should be as restricted as possible: 7424search reduceable_scope (use); 7425@end example 7426 7427@subsection Tips 7428If you think that @code{@b{use}} clauses are acceptable, but should be 7429limited to the smallest possible scope, you would generally specify: 7430@example 7431check unnecessary_use_clause; 7432check reduceable_scope (use); 7433@end example 7434 7435@subsection Limitation 7436Currently, the rule does not report @code{@b{use}} clauses declared in 7437a package specification that could be moved to the body. Such clauses 7438appear as ``unused'' (but of course, the compiler will complain on the 7439body if the clause is removed). 7440 7441@node Representation_Clauses, Return_Type, Reduceable_Scope, Rules reference 7442@section Representation_Clauses 7443This rule controls usage of representation clause. 7444 7445@subsection Syntax 7446@example 7447<control_kind> representation_clauses [(<subrule> @{, <subrule>@})]; 7448<subrule> ::= @{<category>@} <repr_kw> | [global] [object] <attribute> 7449<repr_kw> ::= 7450 at | at_mod | enumeration | 7451 fractional_size | incomplete_layout | layout | 7452 non_aligned_component | non_contiguous_layout | non_power2_size | 7453 no_bit_order_layout | overlay 7454<category> ::= 7455 () | range | mod | delta | digits | array | record | 7456 tagged | extension | access | new | private | task | protected 7457@end example 7458 7459@subsection Action 7460Without parameter, the rule controls all representation clauses, 7461otherwise it will control the representation clauses given as 7462parameter. 7463 7464If a representation keyword or attribute is preceded by one or several 7465categories, the rule controls only the representation items that apply 7466to types belonging to the categories (the type of the component for 7467the @code{non_aligned_component} subrule): 7468@itemize @bullet 7469@item 7470``()'': Enumerated types 7471@item 7472``range'': Signed integer types 7473@item 7474``mod'': Modular types 7475@item 7476``delta'': Fixed point types (no possibility to differentiate ordinary 7477and decimal fixed point types yet). 7478@item 7479``digits'': Floating point types 7480@item 7481``array'': Array types 7482@item 7483``record'': (untagged) record types 7484@item 7485``tagged'': Root tagged types 7486@item 7487``extension'': Type extensions (tagged derived types) 7488@item 7489``access'': Access types 7490@item 7491``new'': Derived types 7492@item 7493``private'': Private types 7494@item 7495``task'': Task types 7496@item 7497``protected'': Protected types 7498@end itemize 7499 7500The meaning of the representation keywords is: 7501@itemize @bullet 7502@item 7503``at'' controls address clauses given in Ada 83 style (``for XXX use 7504at''). 7505@item 7506``at_mod'' controls alignment clauses given in Ada 83 style (``for T 7507use record at mod XX;''). 7508@item 7509``enumeration'' controls enumeration representation clauses. 7510@item 7511``fractional_size'' controls size clauses whose value is not an 7512integral multiple of @code{System.Storage_Unit}. ``non_power2_size'' 7513controls size clauses whose value in @code{System.Storage_Unit} is not 7514a power of 2 (i.e. for most machines, it will mean a value different 7515from 8, 16, 32, and 64). 7516@item 7517``incomplete_layout'' controls record representation clauses that miss 7518the specification of some components of the record's type. 7519@item 7520``layout'' controls all record representation clauses, while 7521``no_bit_order_layout'' controls record representation clauses whose 7522type is not also the target of a bit_order attribute specification 7523(such types have a non-portable representation). 7524@item 7525``non_aligned_component'' controls components that do not start on a 7526storage unit boundary. The message gives the offset (in bits) relative 7527to the closest storage unit boundary. 7528@item 7529``non_contiguous_layout'' controls record representation clauses where 7530there are unused bits between components (or before the first 7531component). A message is issued for each ``gap'' between 7532components. In addition, if a size clause is given for the type, the 7533rule will report if there are unused bits at the end of the component 7534(i.e. the size clause is bigger than the end of the last 7535component). In the case of variant records, there can be 7536overlapping fields; the rule will control only the bits that belong to 7537no variant at all. 7538@item 7539``overlay'' controls address clauses (given in either style), where the value 7540given is the @code{'Address} of some other element. 7541@end itemize 7542 7543In addition to these keyword, any specifiable attribute can be given 7544(including the initial ``@code{'}''); the rule will control 7545specifications of this attribute. If the modifier ``global'' is given 7546before the attribute, only attribute specifications for global 7547entities are controlled. If the modifier ``object'' is given before 7548the attribute, only attribute specifications for objects are 7549controlled (as opposed to types for example). Note that double 7550attributes (like ``@code{'CLASS'INPUT}'') can be given, and are 7551considered different from the simple attribute (``@code{'INPUT}''). It 7552is of course possible to specify both. 7553 7554Ex: 7555@example 7556All_Addresses: check representation_clauses (at, 'address); 7557All_Input: check representation_clauses ('input, 'class'input); 7558Sized_Objects: check representation_clauses (object 'size); 7559count representation_clauses ('SIZE); 7560 7561-- check layout clauses for derived types: 7562check representation_clauses (new layout); 7563 7564-- check layout clauses for root tagged types and type extensions: 7565check representation_clauses (tagged extension layout); 7566@end example 7567 7568@subsection Limitation 7569For the ``fractional_size'' and ``non_contiguous_layout'' subrules, 7570there are some rare cases where AdaControl cannot evaluate the given 7571size or elements of the record representation clause, and thus not 7572detect the corresponding situation. Such cases are detected by the 7573rule ``uncheckable''. @xref{Uncheckable}. 7574 7575@subsection Tips 7576The specifiable attributes (the ones that can be given as parameters 7577to this rule) are @code{'Address}, @code{'Size}, 7578@code{'Component_Size}, @code{'Alignment}, @code{'External_Tag}, 7579@code{'Small}, @code{'Bit_Order}, @code{'Storage_Pool}, 7580@code{'Storage_Size}, @code{'Write}, @code{'Output}, @code{'Read}, 7581@code{'Input}, and @code{'Machine_Radix}. See Ada Reference Manual 758213.3(77). 7583 7584Ada allows partial record representation clauses, i.e. it does not 7585require all fields to be specified. This means that if you add a field 7586to a record and forget to update the associated representation clause, 7587there will be no compilation error. The ``incomplete_record'' subrule 7588is handy for making sure that this does not happen. 7589 7590Derived types with a representation clause may suffer an efficiency 7591penalty, since calling an inherited subrograms requires a change of 7592representation. Representation clauses for tagged types are dubious, 7593since these types have hidden fields added by the compiler. 7594 7595@node Return_Type, Side_Effect_Parameters, Representation_Clauses, Rules reference 7596@section Return_Type 7597This rule controls that certain form of types are not used for 7598function results. 7599 7600@subsection Syntax 7601@example 7602<control_kind> return_type [(<subrule> @{, <subrule>@})]; 7603<subrule> ::= class_wide | limited_class_wide | 7604 constrained_array | protected | 7605 task | unconstrained_array | 7606 unconstrained_discriminated | anonymous_access 7607@end example 7608 7609@subsection Action 7610This rule controls functions whose return type belongs to one of the 7611indicated type kinds: 7612@itemize @bullet 7613@item 7614@code{class_wide} controls all class-wide types, while 7615@code{limited_class_wide} controls only limited class-wide types. 7616@item 7617@code{constrained_array} controls constrained array types 7618@item 7619@code{unconstrained_discriminated} controls types with discriminants 7620(but not constrained subtypes of such types) 7621@item 7622@code{unconstrained_array} controls unconstrained array types 7623@item 7624@code{task} controls task types, or composite types that include tasks 7625as subcomponents. 7626@item 7627@code{protected} controls protected types, or composite types that include protected 7628objects as subcomponents. 7629@item 7630@code{anonymous_access} controls anonymous access types. 7631@end itemize 7632 7633If no subrule is specified, all type kinds are controlled. Note that 7634more than one kind may apply to a type: for example, a function can 7635return a class-wide type with discriminants that includes tasks and 7636protected objects as subcomponents. In this case, several messages are 7637issued for the same type. 7638 7639Ex: 7640@example 7641check return_type (unconstrained_discriminated, unconstrained_array); 7642@end example 7643 7644@node Side_Effect_Parameters, Silent_Exceptions, Return_Type, Rules reference 7645@section Side_Effect_Parameters 7646This rule controls calls that may depend on the order of evaluation of 7647parameters. 7648 7649@subsection Syntax 7650@example 7651<control_kind> side_effect_parameters (<entity> @{, <entity>@}); 7652@end example 7653 7654@subsection Action 7655This rule controls subprogram calls or generic instantiations where 7656different actual parameters call functions known to have side 7657effects. This is dangerous practice, since correct behaviour may 7658depend on a certain evaluation order of parameters, which is not 7659specified by the language. 7660 7661All <entity> are functions that are assumed to interfere, i.e. the 7662rule will signal if any of these functions is called more than once in 7663the parameters of a call. As usual, the whole syntax for entities is 7664allowed for <entity>. @xref{Specifying an Ada entity name}. 7665 7666It is allowed to give the name of a generic function, or of a function 7667declared in a generic package; in this case, all functions resulting 7668from instantiations of these generics will be considered. 7669 7670In the case of renamings, you must give the name of the original 7671function; the rule will work correctly if the call is made through a 7672renaming of this function. 7673 7674Ex: 7675@example 7676check side_effect_parameters (F1); 7677check side_effect_parameters (G1, G2); 7678@end example 7679 7680Here, F1 has a side effect, and the rule will signal if it is called 7681more than once. G1 and G2 are assumed to interfere, and therefore the 7682rule will signal if either is called more than once, or if both are 7683called. However, having a call that mentions F1 and G2 is OK. 7684 7685@subsection Limitation 7686Due to the size of internal structures, this rule may not be given 7687more than 100 times. 7688 7689Due to an unimplemented feature of ASIS-for-Gnat, this rule will not 7690process defaulted parameters, and hence not detect interferences due 7691to calling a side-effect function through the default value. 7692 7693@node Silent_Exceptions, Simplifiable_Expressions, Side_Effect_Parameters, Rules reference 7694@section Silent_Exceptions 7695This rule controls exception handlers that can cause exceptions to 7696silently disappear. 7697 7698@subsection Syntax 7699@example 7700<control_kind> silent_exceptions (<element> @{, <element>@}); 7701element ::= <control-item> | <report-item> 7702control-item ::= not | with <entity> | others 7703report-item ::= raise | explicit_raise | reraise | return | 7704 requeue | <entity> 7705@end example 7706 7707@subsection Action 7708The rule controls handlers that do @i{not} call one of the given 7709subprograms (for example a reporting procedure) nor perform other 7710required operations, like returning, requeuing, or re-raising an 7711exception. 7712 7713A parameter that starts with ``not'' or ``with'' is a <control-item> 7714and defines wich exceptions are controlled; the <entity> should be 7715either an exception, or the name of a library unit (in which case, it 7716applies to all exceptions declared in the library unit). As usual, the 7717whole syntax for entities is allowed here. @xref{Specifying an Ada 7718entity name}. If the <entity> is (part of) a generic, then it applies 7719to all exceptions from all corresponding instantiations. If there is 7720no <control-item>, then all exceptions are controlled. 7721 7722If several <control-item> are given, the ones with ``with'' add 7723exceptions to the set of controlled exceptions, and the ones with 7724``not'' remove exceptions, in order, starting from the empty set if 7725the first <control-item> is a ``with'', or starting from the set of 7726all exceptions if the first <control-item> is a ``not''. See examples 7727below. 7728 7729``@code{@b{when others}}'' handlers are always controlled, unless 7730there is an explicit ``not others'' <control-item>. A ``with others'' 7731<control-item> can be specified to check @emph{only} ``@code{@b{when 7732others}}'' handlers. 7733 7734The other parameters are <report-item> and define the constructs 7735considered ``reporting''. <entity> should correspond to an Ada 7736callable entity or generic package; as usual, the whole syntax for 7737entities is allowed here. @xref{Specifying an Ada entity name}. If a 7738generic procedure or function is given, then all corresponding 7739instances are considered reporting subprograms. If a generic package 7740is given, any instantiation (in an inner block of the handler) is 7741considered reporting. In addition, the special names 7742``explicit_raise'', ``reraise'', ``return'' and ``requeue'' mark raise 7743statements with an explicit exception name, raise statements without 7744an exception name, return statements (including extended return 7745statements), and requeue statements (respectively) as 7746reporting. ``raise'' is a shorthand for both ``explicit_raise'' and 7747``reraise''. 7748 7749If ``explicit_raise'' is given as a parameter, the procedure 7750@code{Ada.Exceptions.Raise_Exception} is automatically added to the 7751list of procedures for both Check and Search, unless it is 7752explicitely specified as a parameter in a rule; and similarly 7753@code{Ada.Exceptions.Reraise_Occurrence} is added for ``reraise''. 7754This way, it is possible to consider them as reporting procedures for 7755Check (for example) and not for Search. 7756 7757A handler where @emph{all} exceptions are uncontrolled is not 7758controlled at all (i.e. it is allowed to be non reporting). Otherwise, 7759the rule reports if the handler does not contain at least one of the 7760<report-item> in each possible path of the handler. If the 7761<report-item> appear only in @code{@b{if}} or @code{@b{case}} 7762statements, but not in all possible paths, or if they appear only in 7763the body of @code{@b{loop}} statements, the rule will issue a message 7764asking for a manual verification, since it cannot be statically 7765determined whether the proper treatment happens in every case. 7766 7767Note that the purpose of this rule is to require the reporting calls 7768to be ``eye-visible'', i.e. textually written in the exception 7769handler. For example, the rule will accept a call to a procedure 7770inside the sequence of statements of a package body declared in some 7771inner block; however, it will not accept the same call if it is in the 7772sequence of statements of a package instantiation (unless the generic 7773package is itself mentionned as reporting), because the call is not 7774``eye-visible''. For the same reason, a call to a reporting function 7775which happens as the default value of an omitted parameter in some 7776other call will not be accepted. 7777 7778This rule can be given once for each of check, search and count. This 7779way, it is possible to have a level considered a warning (search), and 7780one considered an error (check). 7781 7782Ex: 7783@example 7784-- Make an error if exception is not reraised and does not call 7785-- Reports.Trace, but make it only a warning if the exception is an 7786-- IO exception or Constraint_Error: 7787check silent_exceptions (not ada.io_exceptions, 7788 not standard.constraint_error, 7789 raise, 7790 reports.trace); 7791search silent_exceptions (raise, reports.trace); 7792 7793-- check handlers that do not reraise the exception, except for 7794-- IO exceptions: 7795check silent_exceptions (not Ada.IO_Exceptions, reraise); 7796 7797-- Same for predefined exceptions, except Constraint_Error: 7798check silent_exceptions (not Standard, with Standard.Constraint_Error, 7799 reraise); 7800 7801-- Same for all exceptions named User_Error, wherever they are declared, 7802-- and no others 7803check silent_exceptions (with all User_Error, reraise); 7804 7805-- Same for "when others" handlers 7806check silent_exceptions (with others, reraise); 7807 7808@end example 7809 7810@subsection Limitations 7811Currently, ``return'' includes all return statements. It would be nice 7812to separate function returns from procedure or accept returns. This is 7813expected to be done in some future version of AdaControl. 7814 7815There are two cases that are not statically checkable, and 7816thus may not be identified by this rule: if an exception is raised in 7817an inner block statement and handled locally, and if the exception 7818handler aborts the current task. 7819 7820If a reporting function is given, there are a few cases where the 7821calls will not be recognized: 7822@itemize @bullet 7823@item 7824inside a pragma 7825@item 7826in a representation clause 7827@item 7828in a code statement (i.e. as a field of a machine code instruction) 7829@end itemize 7830This limitation is intentional: these are such weird places to call a 7831reporting function that it seems better to draw attention to it... 7832 7833@node Simplifiable_Expressions, Simplifiable_Statements, Silent_Exceptions, Rules reference 7834@section Simplifiable_Expressions 7835This rule controls expressions that can be simplified in various ways. 7836 7837@subsection Syntax 7838@example 7839<control_kind> simplifiable_expressions [(<subrule> @{, <subrule>@})]; 7840<subrule> ::= conversion | logical | logical_false | logical_not | 7841 logical_true | parentheses | range 7842@end example 7843 7844@subsection Action 7845Without parameters, all kinds of simplifiable expressions are 7846controlled; otherwise, the controlled expressions depend on the 7847subrule: 7848@itemize @bullet 7849@item 7850``conversion'' controls type conversions where the expression is of a 7851universal type (a litteral or named number), or where the target 7852subtype is either the same as the expression's subtype, or the first 7853named subtype of the expression. 7854@item 7855``logical_true'' controls redundant boolean expressions of the form 7856@code{<expr> = True} (or @code{/=}), and ``logical_false'' does the 7857same for comparisons with @code{false}. 7858@item 7859``logical_not'' controls @code{@b{not}} operators whose argument is a 7860comparison (which could be inverted). 7861@item 7862 ``logical'' is the same as specifying ``logical_true'', 7863``logical_false'' and ``logical_not''. 7864@item 7865``parentheses'' controls unnecessary parentheses like those 7866surrounding the expression of an assignment, an ``if'' or a ``case'' 7867statement, or those that are not required by operators precedence 7868rules. 7869@item 7870``range'' controls expressions of the form @code{T'First .. T'Last} 7871that should be @code{T'range} (or even simply @code{T}). 7872@end itemize 7873 7874This rule can be given at most once for each subrule. 7875 7876Ex: 7877@example 7878search simplifiable_expressions (parentheses); 7879check simplifiable_expressions (range, logical); 7880@end example 7881 7882@subsection Tips 7883There are cases where parentheses may seem unnecessary, but are 7884(purposedly) not reported by this rule. Consider for example: 7885@example 7886 X := A + (B + C); 7887@end example 7888Removing the parentheses would change the expression to mean: 7889@example 7890 X := (A + B) + C; 7891@end example 7892If the @code{"+"} operator has be redefined and is no more 7893associative, this would actually change the meaning of the program. In 7894a less contrieved example, note that: 7895@example 7896 X mod (A*B) 7897@end example 7898is @i{not} the same as: 7899@example 7900 X mod A * B 7901@end example 7902For these reasons, and to make the rule easier to understand for the 7903user, the rule does not report unnecessary parentheses between 7904operators of identical priority levels. 7905 7906Conversion of universal value is never necessary, however there are 7907cases where overloading resolution may require the conversion to be 7908replaced by a qualification, rather than being simply removed. 7909 7910@node Simplifiable_Statements, Statements, Simplifiable_Expressions, Rules reference 7911@section Simplifiable_Statements 7912This rule controls statements that can be removed or simplified in 7913various ways without changing the meaning of the program. 7914 7915@subsection Syntax 7916@example 7917<control_kind> simplifiable_statements [(<subrule> @{, <subrule>@})]; 7918<subrule> ::= block | dead | handler | if | 7919 if_for_case | if_not | loop | loop_for_while | 7920 nested_path | null 7921@end example 7922@subsection Action 7923Without parameter, all kinds of simplifiable statements are 7924controlled; otherwise, the controlled statements depend on the 7925subrule: 7926@itemize @bullet 7927@item 7928@code{block} controls block statements that have no labels, no 7929declarations, and no exception handlers. 7930@item 7931@code{dead} controls dead code, i.e. statements that are statically 7932known to be never executed. This includes statements that follow a 7933@code{@b{return}}, @code{@b{requeue}}, or @code{@b{goto}} statement, 7934or an @code{@b{exit}} statement that is either unconditional or whose 7935condition is statically known to be true. It includes also 7936@code{@b{while}} statements and @code{@b{if}} statements (including 7937@code{@b{elsif}} paths) whose condition is statically false, and 7938@code{@b{for}} loops whose range is statically empty. 7939@item 7940@code{handler} controls ``trivial'' exception handlers, i.e. handlers 7941whose sequence of statements includes only a single @code{@b{raise}} 7942statement without an exception name. However, a handler is not 7943reported if there is also a non trivial handler for @code{@b{others}}. 7944These examples show the situation: 7945@example 7946@b{exception} 7947 @b{when} Constraint_Error => --Reported (no when others) 7948 @b{raise}; 7949@b{end}; 7950 7951@b{exception} 7952 @b{when} Constraint_Error => --Reported (trivial when others) 7953 @b{raise}; 7954 @b{when} @b{others} => --Reported 7955 @b{raise}; 7956@b{end}; 7957 7958@b{exception} 7959 @b{when} Constraint_Error => --Not reported (non trivial when others) 7960 @b{raise}; 7961 @b{when} @b{others} => 7962 Put_Line ("Error"); 7963@b{end}; 7964@end example 7965@item 7966@code{if} controls @code{@b{if}} statements with an @code{@b{else}} 7967path that contains only @code{@b{null}} statements (and can thus be 7968removed). 7969@item 7970@code{if_for_case} controls usage of @code{@b{if}} statements that 7971could be replaced by @code{@b{case}} statements. An @code{@b{if}} 7972statement is assumed to be replaceable if it has at least one 7973@code{@b{elsif}} and all conditions are comparisons (or membership 7974tests, possibly connected by logical operators) of the same discrete 7975variable with static values. Typically, this subrule will spot 7976constructs like: 7977@example 7978 @b{if} X = 1 @b{then} 7979 ... 7980 @b{elsif} X = 2 or X = 3 or X = 4 @b{then} 7981 ... 7982 @b{elsif} X >= 5 and X <= 10 @b{then} 7983 ... 7984 @b{elsif} X in 11 .. 20 @b{then} 7985 ... 7986 @b{else} 7987 ... 7988 @b{end} @b{if}; 7989@end example 7990@item 7991@code{if_not} controls @code{@b{if}} statements with an 7992@code{@b{else}} path and no @code{@b{elsif}} path, and where the 7993condition is given in negative form (i.e. it is a @code{@b{not}}, or a 7994@code{"/="} comparison). Such statements could be made positive (and 7995thus less error-prone) by interverting the @code{@b{if}} and 7996@code{@b{else}} paths. 7997@item 7998@code{nested_path} controls paths from @code{@b{if}} statements that 7999can be moved outside. This happens if the @code{@b{if}} has only 8000@code{@b{then}} and @code{@b{else}} paths, and either of them ends 8001with a ``breaking'' statement (@code{@b{raise}}, @code{@b{return}}, 8002@code{@b{exit}} or @code{@b{goto}}); in this case, the other path 8003needs not be nested inside the @code{@b{if}} statement. However, if 8004both paths end with the @i{same} ``breaking'' statement, no error is 8005reported. In short, the rule signals the following examples: 8006@example 8007@b{if} Cond @b{then} 8008 @b{return}; 8009@b{else} 8010 I := 1; 8011@b{end} @b{if}; 8012 8013@b{if} Cond @b{then} 8014 I := 1; 8015@b{else} 8016 @b{return}; 8017@b{end} @b{if}; 8018@end example 8019because they can be changed to: 8020@example 8021@b{if} Cond @b{then} 8022 @b{return}; 8023@b{end} @b{if}; 8024I := 1; 8025 8026@b{if} @b{not} Cond @b{then} 8027 @b{return}; 8028@b{end} @b{if}; 8029I := 1; 8030@end example 8031The rule will not signal the following example, where both paths end 8032with the same ``breaking'' statement (@code{@b{return}}), because it 8033would break the symetry of the statement: 8034@example 8035@b{if} Cond @b{then} 8036 @b{return} 1; 8037@b{else} 8038 @b{return} 2; 8039@b{end} @b{if}; 8040@end example 8041@item 8042@code{null} controls @code{@b{null}} statements that serve no purpose 8043and can be removed. Note that if a @code{@b{null}} statement carries 8044a label, it is not considered simplifiable. 8045@item 8046@code{loop} controls @code{while} loop statements where the condition 8047is a plain @code{True}, and can thus be changed to simple loops. 8048@item 8049@code{loop_for_while} controls simple loop statements whose first 8050statement is an @code{@b{exit}} (for the same loop), and which can 8051therefore be turned into a @code{while} loop. 8052@end itemize 8053 8054This rule can be given at most once for each subrule. 8055 8056Ex: 8057@example 8058check simplifiable_statements (block, null); 8059search simplifiable_statements (if); 8060@end example 8061 8062@subsection Tips 8063@code{loop} may seem a strange thing to check, since no Ada 8064programmer is supposed to write this. However, experience shows that 8065it is a good indicator of code written by people who did not get 8066proper Ada training. Such code is certainly worth a peer review... 8067 8068@node Statements, Style, Simplifiable_Statements, Rules reference 8069@section Statements 8070This rule controls usage of certain Ada statements. 8071 8072@subsection Syntax 8073@example 8074<control_kind> statements (<subrule> @{, <subrule>@}; 8075 8076<subrule> ::= 8077 any_statement | abort | 8078 accept | accept_return | 8079 assignment | asynchronous_select | 8080 block | case | 8081 case_others | case_others_null | 8082 code | conditional_entry_call | 8083 declare_block | delay | 8084 delay_until | dispatching_call | 8085 dynamic_procedure_call | effective_declare_block | 8086 entry_call | entry_return | 8087 exception_others | exception_others_null | 8088 exit | exit_expanded_name | 8089 exit_for_loop | exit_outer_loop | 8090 exit_plain_loop | exit_while_loop | 8091 exited_extended_return | extended_return | 8092 for_in_loop | for_iterator_loop | 8093 for_of_loop | function_return | 8094 goto | if | 8095 if_elsif | inherited_procedure_call | 8096 labelled | loop_return | 8097 multiple_exits | named_exit | 8098 no_else | null | 8099 procedure_call | procedure_return | 8100 raise | raise_locally_handled | 8101 raise_nonpublic | raise_standard | 8102 redispatching_call | reraise | 8103 requeue | selective_accept | 8104 simple_block | simple_loop | 8105 terminate | timed_entry_call | 8106 unconditional_exit | unnamed_block | 8107 unnamed_exit | unnamed_loop_exited | 8108 unnamed_for_loop | unnamed_multiple_loop | 8109 unnamed_simple_block | unnamed_simple_loop | 8110 unnamed_while_loop | untyped_for | 8111 untyped_for_in | untyped_for_of | 8112 while_loop 8113@end example 8114 8115@subsection Action 8116Subrules that are Ada keywords control the corresponding Ada 8117statements. The meaning of other subrules is as follows: 8118@itemize @bullet 8119@item 8120@code{any_statement} controls all statements. This is of course not 8121intended to forbid all statements in a program (!), but 8122@emph{counting} all statements can be quite useful. 8123@item 8124@code{accept_return} controls return statements that return from an 8125@code{@b{accept}} statement, @code{entry_return} controls return 8126statements that return from a (protected) entry body, and 8127@code{procedure_return} controls return statements that return from a 8128procedure. @code{loop_return} controls return statements (including 8129extended return statements) that appear inside a @code{@b{loop}} 8130statement. 8131@item 8132@code{assignment} controls all assignment statements. 8133@item 8134@code{asynchronous_select} controls the @code{@b{select}} 8135... @code{@b{then abort}} statement. @code{conditional_entry_call} 8136controls the @code{@b{select}} ... @code{@b{else}} 8137statement. @code{timed_entry_call} controls the @code{@b{select}} 8138... @code{@b{or delay}} statement. @code{selective_accept} controls 8139the regular @code{@b{select}} statement. 8140@item 8141@code{block} controls all block statements, while @code{unnamed_block} 8142controls blocks without a name, @code{declare_block} controls blocks 8143with an explicit @code{@b{declare}} (even if the declarative part is 8144empty), and @code{effective_declare_block} controls blocks with a 8145declarative part that includes anything else than @code{@b{use}} 8146clauses and pragmas. @code{simple_block} controls block statements 8147that have no declarative part (or an empty declarative part) and no 8148exception handlers, and @code{unnamed_simple_block} does the same, 8149but only for blocks without a name. 8150@item 8151@code{case} controls all @code{case} statements. 8152@item 8153@code{case_others} controls any @code{@b{when others}} path in a 8154@code{@b{case}} statement, while @code{case_others_null} controls only 8155@code{@b{when others}} paths in a @code{@b{case}} statement that 8156contain only @code{@b{null}} statements. 8157@item 8158@code{code} controls code statements. 8159@item 8160@code{delay} controls only relative @code{@b{delay}} statements, while 8161@code{delay_until} controls absolute @code{@b{delay until}} 8162statements. 8163@item 8164@code{entry_call} controls all entry call statements, including those 8165that are part of a conditional or timed entry call statement. 8166@item 8167@code{exit} controls all exit statements, while @code{exit_for_loop}, 8168@code{exit_while_loop}, and @code{exit_plain_loop} control 8169@code{@b{exit}} statements that terminate @code{@b{for}} loops, 8170@code{@b{while}} loops, and plain (neither @code{@b{for}} nor 8171@code{@b{while}}) loops, respectively. @code{unconditional_exit} 8172controls @code{@b{exit}} statements without a @code{@b{when}} 8173condition. @code{multiple_exits} controls loop that have more than 8174one @code{@b{exit}} statement. @code{unnamed_loop_exited} controls 8175exit statements that terminate an unnamed loop. @code{exit_outer_loop} 8176controls @code{@b{exit}} statements that exit from an outer loop 8177(i.e. not the innermost one). @code{exit_expanded_name} controls named 8178@code{@b{exit}} statements where the name is given as an expanded 8179name. 8180@item 8181@code{exception_others} controls any @code{@b{when others}} exception 8182handler, while @code{exception_others_null} controls only 8183@code{@b{when others}} exception handlers that contain only 8184@code{@b{null}} statements. 8185@item 8186@code{extended_return} controls extended return statements (i.e. the 8187Ada 2005 construct ``@code{@b{return} V : T @b{do} ... @b{end} 8188@b{return}}''). @code{exited_extended_return} controls extended 8189return statements that can be left without actually returning due to 8190an @b{exit} or @b{goto} statement within their sequence of 8191statements. 8192@item 8193@code{for_loop} controls all @code{@b{for}} loops, while 8194@code{for_in_loop} controls only the traditional form of 8195@code{@b{for}} loop (@code{@b{for} I @b{in} @i{range} @b{loop}}), 8196@code{for_iterator_loop} controls the iterator form (@code{@b{for} I 8197@b{in} @i{Iterator} @b{loop}}), and @code{for_of_loop} controls the 8198components form (@code{@b{for} V @b{of} ... @b{loop}}) (the three 8199latter forms are not available with the old gnat version of 8200AdaControl). 8201@item 8202@code{function_return} controls return statements (including extended 8203return statements) from functions. Obviously, return statements cannot 8204be forbidden in functions; this keyword controls that there is only 8205one return statement in the body of functions, and at most one return 8206statement in each exception handler of the exception part of 8207functions. 8208@item 8209@code{if} controls all @code{@b{if}} statements. 8210@item 8211@code{if_elsif} controls @code{@b{if}} statements that have at least 8212one @code{@b{elsif}}. 8213@item 8214@code{labelled} controls statements with a label (true statement 8215labels, not block and loop names). 8216@item 8217@code{named_exit} controls @code{@b{exit}} statements with a loop 8218name. 8219@item 8220@code{no_else} controls @code{@b{if}} statements that have no @code{@b{else}} 8221path. 8222@item 8223@code{null} controls all @code{@b{null}} statements. 8224@item 8225@code{procedure_call} controls all calls to 8226procedures. @code{dispatching_call} does the same, but only for 8227dispatching calls, while @code{redispatching_call} does the same, but 8228only for dispatching calls that are (directly or indirectly) inside a 8229primitive operation of a tagged type. @code{dynamic_procedure_call} 8230does the same, but only for calls through pointers. 8231@code{inherited_procedure_call} controls calls to procedures that have 8232been inherited by a derived type and not redefined. 8233@item 8234@code{raise} controls all @code{@b{raise}} statements. 8235@item 8236@code{reraise} controls @code{@b{raise}} statements in exception 8237handlers that reraise the same exception, and calls to the 8238@code{Ada.Exceptions.Reraise_Occurrence} procedure. 8239@item 8240@code{raise_standard} controls @code{@b{raise}} statements that raise 8241one of the predefined exceptions (those declared in package 8242@code{Standard}). @code{raise_nonpublic} controls statements that 8243raise exceptions that are neither predefined nor defined in the 8244visible part of a package. @code{raise_foreign} controls statements 8245that raise exceptions that are neither predefined nor declared in the 8246same program unit (or an ancestor of the unit) as the statement that 8247raises the exception. @code{raise_locally_handled} controls 8248statements that raise an exception which is handled by a handler in 8249the same subprogram body as the statement. 8250 8251Note that for these subrules, the exception can be raised either by a 8252@code{@b{raise}} statement, or by a call to 8253@code{Ada.Exceptions.Raise_Exception} where the raised exception is 8254statically determinable. 8255@item 8256@code{simple_loop} controls simple loops, i.e. those that are neither 8257@code{@b{while}} nor @code{@b{for}} loops. 8258@item 8259@code{unnamed_exit} controls @code{@b{exit}} statements without a 8260loop name that exits from a named loop. 8261@item 8262@code{unnamed_for_loop}, @code{unnamed_simple_loop}, and 8263@code{unnamed_while_loop} control loops of the given kind that are not 8264named. 8265@item 8266@code{unnamed_multiple_loop} controls nested loops that are not named 8267(i.e. under this rule, only loops that contain no inner loop, and are 8268not nested in another loop, are allowed not to be named). The kind of 8269loop (plain, @code{@b{for}}, @code{@b{while}}) is not considered. 8270@item 8271@code{untyped_for_in} controls regular @code{@b{for} .. @b{in}} loops 8272that use a range without an explicitely named type (i.e. @code{@b{for} 8273I @b{in} 1..10 @b{loop}}). Using a @code{'Range} attribute is 8274OK. @code{untyped_for_of} controls @code{@b{for} .. @b{of}} loops that 8275have no subtype indication. @code{untyped_for} controls both. Note 8276that generalized iterators are @i{not} controlled, since the syntax 8277does not allow the specification of an explicit subtype for them. 8278@item 8279@code{while_loop} controls all @code{@b{while}} loops. 8280@end itemize 8281 8282Ex: 8283@example 8284search statements (delay); 8285check statements (goto, abort); 8286check statements (case_others_null, exception_others_null); 8287@end example 8288 8289@subsection Variable 8290The rule provides a variable that allows to specify the amount of information 8291displayed with the ``procedure_call'' and ``entry_call'' subrules. 8292 8293@need 800 8294@multitable @columnfractions .12 .18 .10 .60 8295@item 8296@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 8297@item 8298Called_Info 8299@tab none@*compact@*detailed@*root_detailed 8300@tab none 8301@tab 8302 8303@table @asis 8304@item``none'' 8305No extra information. 8306@item ``compact'' 8307display the name of the called procedure or entry. 8308@item ``detailed'' 8309display the name of the called procedure or entry with overloading 8310information. 8311@item ``root_detailed'' 8312display the name of the root called procedure or entry (i.e. the 8313original procedure if the called procedure is a renaming) with overloading 8314information. 8315@end table 8316@end multitable 8317 8318@subsection Tips 8319It may seem strange to control things like @code{@b{if}} or 8320@code{@b{case}} statements, since no coding standard would prohibit 8321their use. However, this may be useful, especially with ``count'', for 8322statistical purposes, like measuring the ratio of @code{@b{if}} to 8323@code{@b{case}} statements. 8324 8325The plain ``raise'' subrule controls the @code{@b{raise}} statement, and 8326only this one. If you want to check all places where exceptions can be 8327raised, use also the ``entities'' rule like this: 8328@example 8329"all raise": check statements (raise), 8330 check entities (Ada.Exceptions.Raise_Exception, 8331 Ada.Exceptions.Reraise_Occurrence); 8332@end example 8333 8334Other subrules of the ``raise'' family are more about which kind of 8335exception is being raised, and therefore control also exceptions 8336raised by calling the procedures from @code{Ada.Exceptions}. 8337 8338``inherited_procedure_call'' controls only @i{procedure} calls. For 8339function calls, see rule @ref{Expressions}. 8340 8341@node Style, Terminating_Tasks, Statements, Rules reference 8342@section Style 8343This rules controls usage of various ``general'' Ada coding style. 8344 8345@subsection Syntax 8346@example 8347<control_kind> style; 8348<control_kind> style (casing_attribute, <casing_kw> @{,<casing_kw>@}); 8349<control_kind> style (casing_identifier, <casing_kw> @{,<casing_kw>@}); 8350<control_kind> style (casing_keyword, <casing_kw> @{,<casing_kw>@}); 8351<control_kind> style (casing_pragma, <casing_kw> @{,<casing_kw>@}); 8352<control_kind> style (compound_statement); 8353<control_kind> style (default_in); 8354<control_kind> style (exposed_literal, <type_kw>, @{, <value_place>@}); 8355<control_kind> style (formal_parameter_order @{, <mode list>@}); 8356<control_kind> style (multiple_elements @{,<element_kw>@}); 8357<control_kind> style (negative_condition); 8358<control_kind> style (no_closing_name [, <max_lines>]); 8359<control_kind> style (numeric_literal, [not] <base> [, <block_size>]); 8360<control_kind> style (parameter_order @{, <mode list>@}); 8361<control_kind> style (renamed_entity); 8362 8363<casing_kw> ::= uppercase | lowercase | titlecase | original 8364<element_kw> ::= [flexible] clause | declaration | statement | 8365 handler | begin | end | then | when | 8366 else | is | loop | do | keywords 8367<mode_list> ::= <mode> @{| <mode>@} 8368<mode> ::= in | defaulted_in | access | in_out | out | 8369 type | procedure | function | package 8370<type_kw> ::= integer | real | character | string 8371<value_place> ::= <value> | <place> 8372<value> ::= [max] <integer number> | <real number> | "<pattern>" 8373<place> ::= constant | exponent | index | number | pragma | 8374 repr_clause | var_init | type 8375@end example 8376 8377@subsection Action 8378The first parameter specifies which style aspect is to be checked: 8379 8380@itemize @bullet 8381@item 8382``casing_attribute'', ``casing_keyword'', ``casing_identifier'', and 8383``casing_pragma'' control that attributes (respectively keywords, 8384identifiers, or pragmas) use the appropriate casing. ``original'' 8385(which is allowed only for identifiers) means that identifiers must 8386use the same casing as in their declaration. 8387 8388If more than one <casing_kw> is given, it means that any of them is 8389allowed. 8390@item 8391``compound_statement'' controls that compound statements span at least 8392a minimum number of lines: 3 for @code{@b{if}} statements, 8393@code{@b{loop}} statements, block statements, and @code{@b{accept}} 8394statements with a body; 4 for @code{@b{case}} statements, selective 8395@code{@b{accept}} statements, and timed entry call statements; and 5 8396for conditional entry call statements and asynchronous select 8397statements. 8398@item 8399``default_in'' controls subprograms, entries and generics declarations 8400that omit an explicit @code{in} mode for a parameter. Access 8401parameters are not reported, since an an explicit @code{in} is not 8402allowed in that case. 8403@item 8404``exposed_literal'' controls the usage of literals (aka ``magic 8405values''), that appear outside of allowed places. The second parameter 8406tells to which kind of literals the rule applies. The (optional) 8407indicated values that follow are allowed at any place; for integers, a 8408single value can be preceded by ``max'', to indicate that all literals 8409whose (absolute) value is less or equal are allowed; for strings, the 8410values are regular expressions. @xref{Syntax of regular 8411expressions}. Commonly allowed values are 0 and 1 for integer 8412literals, 1.0 and 0.0 for real literals and "^$" (the empty string) 8413for string literals. At most 20 values of each kind may be 8414specified. In addition, one or several <place> keyword can be used to 8415specify constructs where any literal is allowed: ``declaration'' 8416stands for any declaration, ``constant'' for constant declarations, 8417``exponent'' for the right parameter of an exponentiation 8418(i.e. @code{"**"}) function call, ``index'' for array indexing, 8419``number'' for named number declarations, ``pragma'' for pragma 8420arguments, ``repr_clause'' for representation clauses, ``type'' for 8421type (and subtype) declarations, and ``var_init'' for the 8422initialization expression of variable declarations. If no <place> is 8423given, it is taken as @code{number, constant}, i.e. any literal is 8424allowed in named numbers and constant declarations. 8425@item 8426``multiple_elements'' controls clauses, declarations, statements, and 8427handlers that do not start on a line of their own (i.e. when there are 8428more than one of these on the same line). Similarly, 8429@code{@b{begin}}, @code{@b{end}}, @code{@b{then}} and @code{@b{when}} 8430are required to be on a line of their own, together with the possible 8431keyword or identifier attached to them and the semi-colon. In addition, 8432the @code{@b{is}}, @code{@b{loop}} or @code{@b{do}} that terminates 8433the first part of some declarations or statements is required to be on 8434the same line as the begining of the element, or on a line of its own. 8435 8436Extra parameters specify which kind of element to check; if not 8437specified, all kind of elements are controlled. ``keywords'' is a 8438shorthand for specifying all keywords. If ``flexible'' is specified in 8439front of ``clause'' (not allowed otherwise), it allows a 8440@code{@b{use}} clause to be on the same line as a @code{@b{with}} 8441clause, provided all packages named in the @code{@b{use}} clause are 8442also named in the preceding @code{@b{with}} clause. 8443@item 8444``negative_condition'' controls ``if'' statements with an ``else'' 8445part and no ``elsif'', where the condition starts with a 8446@code{@b{not}}, and should therefore preferably be expressed 8447positively. 8448@item 8449``no_closing_name'' controls declarations, like package or subprograms, 8450that allow (but do not require) repeating the name at the end of the 8451declaration, and where the closing name is omitted (which is 8452considered bad style in general). However, it can be acceptable to 8453allow the omission of closing names for very short constructs; 8454therefore this rule has an optional parameter specifying the maximum 8455number of lines of a construct for which omitting the closing name is 8456allowed. This rule can be given only once for each of check, search 8457and count. This way, it is possible to have a length considered a 8458warning (search), and one considered an error (check). Of course, this 8459makes sense only if the length for search is less than the one for 8460check. If no length is specified, all occurrences of missing closing 8461names are signaled. 8462@item 8463``numeric_literal'' controls the presentation of numeric literals, depending 8464on the base (wich, as required by Ada rules, must be in the range 84652..16). If ``not <base>'' is specified as the second parameter, the 8466given base may not be used for based literals. Otherwise, there must 8467be a third (integer) parameter to specify the size of blocks of digits 8468for that base, i.e. there must be an underscore character to separate 8469digits every <block_size> position. Typically, <block_size> is 3 for 8470base 10, 4 for base 2, etc. 8471@item 8472``parameter_order'' and ``formal_parameter_order'' control the order 8473of the declarations of parameters or generic formal parameters, 8474respectively. Each parameter of the rule consists in one or several of 8475the ``mode'' keywords, and describes, in order, which kind of 8476parameter is allowed. All modes not specified explicitely are allowed 8477after the ones that are specified. See examples below. 8478 8479If no parameter is given, the order for regular parameters is ``in'' 8480or ``access'' first, then ``in_out'', then ``out'', then 8481``defaulted_in''. The order for formal_parameters is ``type'' first, 8482then ``in'' ``defaulted_in'' and ``access'', then ``in_out'', then 8483``procedure'' and ``function'', then ``package''. 8484@item 8485``renamed_entity'' controls occurrences of identifiers within the scope 8486of a renaming declaration for them; i.e. it enforces that when an entity 8487has been renamed, the original name should not be used anymore. 8488@end itemize 8489 8490Ex: 8491@example 8492search style (no_closing_name); 8493search style (no_closing_name, 5); 8494check style (casing_identifier, original); 8495check style (default_in); 8496check style (numeric_literal, 10, 3); 8497check style (exposed_literal, integer, 0, 1); 8498check style (exposed_literal, real, 0.0, 1.0); 8499 8500 -- in parameters (with or without default) and access 8501 -- parameters must be first, then in out parameters, then 8502 -- out parameters. In parameters are allowed last if they 8503 -- have defaults. 8504check style (parameter_order, 8505 in | defaulted_in | access, 8506 in_out, 8507 out 8508 defaulted_in); 8509 8510 -- For generics, formal objects must come first, then formal 8511 -- types, then formal subprograms, then formal package: 8512check style (formal_parameter_order, 8513 in | in_out, 8514 type, 8515 procedure | function, 8516 package); 8517 8518@end example 8519 8520Without parameter, the rule will control all style aspects with 8521parameter values that correspond to the most commonly used cases, 8522i.e. it is equivalent to the following: 8523@example 8524style (no_closing_name); 8525style (casing_attribute, titlecase); 8526style (casing_keyword, lowercase); 8527style (casing_identifier, original); 8528style (casing_pragma, titlecase); 8529style (default_in); 8530style (negative_condition) 8531style (multiple_elements) 8532style (literal, 10, 3); 8533style (exposed_literal, integer, 0, 1) 8534style (exposed_literal, real, 0.0, 1.0); 8535@end example 8536 8537@subsection Tips 8538For the ``Casing_Identifier'' subrule, if the value is ``original'', 8539subprogram and parameter names from the body are checked against those 8540from the specification (if any). This is what the user would expect, 8541although strictly speaking it is not a usage of the name. 8542 8543Note that operators always follow the casing rule for keywords, even 8544for calls that use the infix notation (i.e. in @code{"and"(A, B)}). 8545 8546Having more than one allowed casing is useful if for example you want 8547to require Titlecase, but accept that the original casing be used 8548(maybe because your editor or pretty-printer forces it). 8549 8550For the ``Exposed_Literal'' subrule, negative values can be specified as 8551being allowed; negative numbers are handled as if they were 8552literals. This is what the casual user would expect, but to the 8553language lawyer, ``-1'' is not a negative literal, it is a unary minus 8554operator applied to the positive value ``1''. 8555 8556``compound_statement'' was a simplistic way of finding badly laid-out 8557statements, at a time when ``multiple_elements'' did not control the 8558end or intermediate parts of declarations and statements. It is of 8559little use now that ``multiple_elements'' has been enhanced. 8560 8561@subsection Limitations 8562If a predefined operator or an attribute is renamed, the 8563``renamed_entity'' subrule cannot check that the original entity is not 8564used in the scope of the renaming. Such cases are 8565detected by the rule ``uncheckable''. @xref{Uncheckable}. 8566 8567@node Terminating_Tasks, Type_Initial_Values, Style, Rules reference 8568@section Terminating_Tasks 8569This rule controls tasks that can terminate. 8570 8571@subsection Syntax 8572@example 8573<control_kind> terminating_tasks 8574@end example 8575 8576@subsection Action 8577A task is considered a terminating task if its last statement is not 8578an unconditional loop, or this if this loop is exited. It is also 8579considered terminating if it contains a selective accept with a 8580@code{@b{terminate}} alternative. 8581 8582Since this rule has no parameters, it can be given only once. 8583 8584Ex: 8585@example 8586check terminating_tasks; 8587@end example 8588 8589@subsection Tips 8590There is still one case where a task terminates, which is not reported 8591by this rule: when a task is aborted. This is intended, since there 8592are cases (like mode changes) where a logically non-terminating task 8593is aborted. 8594 8595If aborts are also to be reported, use the rule ``statements 8596(abort)''. @xref{Statements}. 8597 8598@node Type_Initial_Values, Type_Usage, Terminating_Tasks, Rules reference 8599@section Type_Initial_Values 8600This rule controls that a special constant is declared together with 8601each type, for example to serve as a default initial value. 8602 8603@subsection Syntax 8604@example 8605<control_kind> type_initial_values [("<pattern>")]; 8606@end example 8607@subsection Action 8608This rule controls types that do not feature an initialization 8609constant declared in the same declarative part as the type. If no 8610<pattern> is given, any constant is considered an initialization 8611constant for its type; otherwise, only constants whose name matches 8612the given pattern are considered initialization constants. 8613 8614Ex: 8615@example 8616check type_initial_values ("^C_Init_"); 8617@end example 8618The above example will ensure that every declared type features a 8619constant of the type whose name starts with ``C_Init_''. 8620 8621@node Type_Usage, Uncheckable, Type_Initial_Values, Rules reference 8622@section Type_Usage 8623This rule controls usage of indicated types, either individually 8624or by category. 8625 8626@subsection Syntax 8627@example 8628<control_kind> type_usage (<attribute>, <category> @{, <aspect>@}]); 8629<control_kind> type_usage (index, <entity>|<category> @{, <aspect>@}]); 8630<category> ::= () | access | array | delta | digits | 8631 mod | protected | range | record | tagged | task 8632<aspect> ::= [not] representation | pack | size | component_size 8633@end example 8634 8635@subsection Action 8636If the first parameter is an attribute (a name starting with a simple 8637quote), the rule controls all occurrences of the attribute where the 8638prefix designates a type belonging to the <category> given as second 8639parameter. 8640 8641If the first parameter is ``index'', the rule controls all array types 8642that have an index of the type given by <entity>, or belonging to the 8643<category> given as second parameter. As usual, the whole syntax for 8644entities is allowed for <entity>. @xref{Specifying an Ada entity 8645name}. 8646 8647For both subrules, if one or several <aspect> are given, only types 8648featuring (or not featuring if ``not'' is given) the provided aspects 8649are controlled. 8650 8651The meaning of <category> is: 8652@itemize @bullet 8653@item 8654``()'': The type is an enumerated type. 8655@item 8656``access'': The type is an access type. 8657@item 8658``array'': The type is an array type. 8659@item 8660``delta'': The type is a fixed point type (it is not currently 8661possible to distinguish ordinary fixed point types from decimal fixed 8662point types). 8663@item 8664``digits'': The type is a floating point type. 8665@item 8666``mod'': The type is a modular type. 8667@item 8668``protected'': The type is a protected type. 8669@item 8670``range'': The type is a signed integer type. 8671@item 8672``record'': The type is an (untagged) record type. 8673@item 8674``tagged'': The type is a tagged type (including type 8675extensions). 8676@item 8677``task'': The type is a task type. 8678@end itemize 8679 8680The meaning of <aspect> is: 8681@itemize @bullet 8682@item 8683``representation'': the type has an enumeration representation clause 8684or a record representation clause. 8685@item 8686``pack'': the type is the target of a pack @code{@b{pragma}}. 8687@item 8688``size'' and ``component_size'': the type has the corresponding 8689attribute specified. 8690@end itemize 8691 8692Ex: 8693@example 8694-- Don't use 'Pos attribute on enumerated types with a representation 8695check type_usage ('Pos, (), representation); 8696 8697-- Don't use modular type for array indexes 8698check type_usage (index, mod); 8699@end example 8700 8701@subsection Tips 8702The subrule ``index'' controls the use of a type as an index at any 8703position and irrespectively of the number of indices of the array. To 8704control a precise pattern of types used as indices, use the rule 8705``array_declarations''. @xref{Array_Declarations}. 8706 8707The subrule that uses attribute names does not allow an <entity>. To 8708control occurrences of an attribute on a precise type, use the rule 8709``entities''. @xref{Entities}. 8710 8711@node Uncheckable, Unit_Pattern, Type_Usage, Rules reference 8712@section Uncheckable 8713This rules controls cases where it is not possible to guarantee the 8714accuracy of checks performed by AdaControl, and where manual 8715inspection may be required. 8716 8717@subsection Syntax 8718@example 8719<control_kind> uncheckable [(<subrule> [,<subrule>])]; 8720<subrule> ::= false_positive | false_negative | missing_unit 8721@end example 8722 8723@subsection Action 8724If the keyword ``missing_unit'' is given, this rule controls missing 8725units, i.e. units given on the command line that are not found (and 8726therefore not controlled) will result in an usual error message. 8727 8728Otherwise, this rule controls constructs that are not static 8729and prevent other rules from being fully reliable. This rule is 8730special, since it really affects the way other rules behave when they 8731encounter a statically uncheckable construct. Therefore, if a label is 8732given, the message will include the label as usual, with an indication 8733of the rule that triggered the message; if no label is given, the 8734message will include the name of the rule that detected the 8735uncheckable construct, not ``uncheckable'' itself. 8736 8737If the keyword ``false_negative'' is given, the rule will control 8738constructs that could result in false negatives, i.e. possible 8739violations that would go undected, while if the keyword 8740``false_positive'' is given, it will control constructs that could 8741result in false positives, i.e. error messages when the rule is not 8742really violated. If no keyword is given, both occurrences are 8743controlled. 8744 8745As far as statistics are concerned (see @ref{Control kinds and report 8746messages}), ``uncheckable'' messages from rules are counted under the 8747corresponding rule's statistics (like other messages), but there will 8748be also a count of all ``uncheckable'' messages under the rule 8749``UNCHECKABLE'', and also subtotals corresponding to the number of 8750``uncheckables'' for each rule. 8751 8752This rule can be given only once for each of value of the parameters. 8753 8754Ex: 8755@example 8756check uncheckable (false_negative); 8757search uncheckable (false_positive); 8758check uncheckable (missing_unit); 8759@end example 8760 8761@subsection Tips 8762This rule is especially important when AdaControl is used in safety 8763critical software, since it will detect constructs that could escape 8764verification. Such constructs should be either disallowed, or require 8765manual inspection. On the other hand, in casual software, it may lead 8766to many messages, since for example dispatching calls are uncheckable 8767with many rules. 8768 8769@subsection Limitation 8770With ``missing_unit'', the message does not include a reference to a 8771source location, since there is no place in the source which can be 8772considered as the origin of the error. If you run AdaControl from 8773GPS, there will always be a separate category (``Uncheckable'') in the 8774locations window, under which the message will appear, with a file 8775name of ``none''. Don't try to click on the error message, since GPS 8776will find no file named ``none''! 8777 8778@node Unit_Pattern, Units, Uncheckable, Rules reference 8779@section Unit_Pattern 8780This rule controls various usage patterns of program units and 8781elements declared in them. 8782 8783@subsection Syntax 8784@example 8785<control_kind> unit_pattern (Single_Tagged_Type); 8786<control_kind> unit_pattern (Tagged_Type_Hierarchy); 8787<control_kind> unit_pattern (Context_Clauses_Order @{, <clause_list>@}); 8788<control_kind> unit_pattern (Declarations_Order, <target>, 8789 @{, <decl_list>@}); 8790 8791<clause_list> ::= <clause> @{| <clause>@} 8792<clause> ::= with | use | use_type | pragma 8793<target> ::= package_public | package_private | package_body | 8794 subprogram 8795<decl_list> ::= <declaration> @{| <declaration>@} 8796<declaration> ::= use | use_type | 8797 use_all_type | number | 8798 constant | variable | 8799 private_type | full_type | 8800 subtype | subprogram_spec | 8801 package_spec | generic_subprogram_spec | 8802 generic_package_spec | task_spec | 8803 protected_spec | subprogram_body | 8804 package_body | generic_subprogram_body | 8805 generic_package_body | task_body | 8806 protected_body | object_renaming | 8807 subprogram_renaming | package_renaming | 8808 exception_renaming | subprogram_instantiation | 8809 package_instantiation | exception | 8810 others 8811@end example 8812 8813@subsection Action 8814The checked pattern depends on the given subrule: 8815@itemize @bullet 8816@item 8817``single_tagged_type'' controls that at most one tagged type is 8818declared in any package. 8819@item 8820``tagged_type_hierarchy'' controls that tagged types follow packages 8821hierarchy, i.e. that the parent of a type extension (derivation of a tagged 8822type) is declared in the parent unit of the one that declared the 8823derivation. 8824@item 8825``context_clauses_order'' controls the order of context clauses (and 8826pragmas) given on top of the unit. Each parameter of the rule consists 8827in one or several of the <clause> keywords, and describes, in order, 8828which kind of clause is allowed. Note that ``use_type'' covers only 8829the regular @code{@b{use type}} clause, specify also ``use_all_type'' 8830to include the Ada 2012 @code{@b{use all type}} clause as well. Note 8831that all <clause>s not specified explicitely have no place, and thus 8832are not allowed at all. 8833@item 8834``declarations_order'' controls the order of declarations (and use clauses) 8835given in various parts, depending on the second parameter: 8836@itemize 8837@item 8838``package_public'' controls elements in the visible part of a package specification; 8839@item 8840``package_private'' controls elements in the private part of a package 8841specification; 8842@item 8843``package_body'' controls elements in the body of a package; 8844@item 8845``subprogram'' controls elements in the body of subprograms 8846(procedures and functions) and entries. 8847@end itemize 8848Each parameter of the rule consists in one or several of the 8849<declaration> keywords, and describes, in order, which kind of 8850declaration is allowed. Note that all <declaration>s not specified 8851explicitely have no place, and thus are not allowed at all, unless 8852``others'' is given as the last parameter, in which case it covers all 8853elements not part of any of the preceding parameters. See example 8854below. 8855@end itemize 8856Ex: 8857@example 8858check unit_pattern (single_tagged_type); 8859check unit_pattern (tagged_type_hierarchy); 8860 8861-- All with clauses must come first, then use and use type clauses 8862-- (freely mixed), then pragmas 8863check unit_pattern (context_clauses_order, 8864 with, 8865 use | use_type | use_all_type, 8866 pragma); 8867 8868-- In the public part of a package, declare constants and named numbers 8869-- first,then private types, then any of regular types, constants, and 8870-- variables, then subprograms specifications (including generics and 8871-- instantiations), then anything else: 8872check unit_pattern (declarations_order, package_public, 8873 number | constant, 8874 private_type, 8875 full_type | constant | variable, 8876 subprogram_spec | generic_subprogram_spec | subprogram_instantiation, 8877 others); 8878@end example 8879 8880@subsection Tips 8881For ``context_clauses_order'' and ``declarations_order'', elements 8882given as part of the same parameter (i.e. with a vertical bar between 8883them) can be freely mixed, then followed by any of the elements of the 8884next parameter, etc. An element may appear several times in different 8885parameters. If the last parameter is ``others'', any element not 8886mentionned at all is allowed after the ones for which you specify an 8887order; this way, it is possible to specify an order for just some 8888elements, and then don't care for the rest. 8889 8890Expression functions and null procedures are classified as 8891``subprogram_spec'' unless they are the completion of an explicit 8892specification, in which case they are classified as 8893``subprogram_body''. 8894 8895If you don't want a declaration to appear at all, you can also use the 8896rule ``declarations''. @xref{Declarations}. 8897 8898@node Units, Unnecessary_Use_Clause, Unit_Pattern, Rules reference 8899@section Units 8900This rule controls that all necessary units, and only those, are 8901processed by AdaControl. 8902 8903@subsection Syntax 8904@example 8905<control_kind> units [(<subrule> [,<subrule>])]; 8906<subrule> ::= unreferenced | unchecked 8907@end example 8908 8909@subsection Action 8910If the keyword @code{unreferenced} is given, the rule controls 8911compilation units that are part of the set of analyzed units, but 8912withed by no other unit. If the keyword @code{unchecked} is given, the 8913rule controls compilation units that are withed by other unit(s), but 8914not part of the set of controlled units (except standard units). 8915 8916This rule can only be given once for each of the subrules. 8917 8918Ex: 8919@example 8920check units (unchecked); 8921search units (unreferenced); 8922@end example 8923 8924@subsection Tip 8925The main program will appear as unreferenced, since it is normally part of 8926the controlled units, and not withed by any other unit. As usual, the corresponding 8927message can be disabled by putting the comment: 8928@example 8929--## rule line off units 8930@end example 8931on the main program. 8932 8933@node Unnecessary_Use_Clause, Unsafe_Elaboration, Units, Rules reference 8934@section Unnecessary_Use_Clause 8935This rule controls @code{@b{use}} clauses that do not serve any 8936purpose. 8937 8938@subsection Syntax 8939@example 8940<control_kind> unnecessary_use_clause [(<subrule> @{,<subrule>@})]; 8941<subrule> ::= unused | qualified | operator | nested | movable 8942@end example 8943 8944@subsection Action 8945The rule controls @code{@b{use}} clauses that can safely be removed, 8946moved, or changed to a @code{@b{use type}} clause. This happens in the 8947following cases: 8948@itemize 8949@item 8950``unused'': a @code{@b{use}} clause is given, but no element from the 8951corresponding package is mentionned in its scope. The message starts 8952with ``unused:''. 8953 8954In this case, the @code{@b{use}} clause can safely be removed. 8955@item 8956``qualified'': a @code{@b{use}} clause is given, but all elements from the 8957corresponding package are refered to using a qualified name 8958(i.e. prefixed by the name of the package). The message starts with 8959``all uses qualified:''. 8960 8961In this case, the @code{@b{use}} clause can safely be removed, but you 8962may want to keep it for documentation purposes, since the package is 8963actually used within this scope. 8964@item 8965``operator'': a @code{@b{use}} clause is given, but the only elements 8966that do not use a qualified name are operators. The message starts 8967with ``only used for operators:''. 8968 8969In this case, and except for some pathological cases (definition of 8970operators that are not primitive operations of the corresponding 8971type), the @code{@b{use}} clause can be replaced by one or several 8972@code{@b{use type}} clause(s). 8973@item 8974``nested'': a @code{@b{use}} clause is given within the scope of an 8975enclosing @code{@b{use}} clause for the same package. The message 8976tells the location of the other @code{@b{use}} clause. 8977 8978If you also have a message that the outer @code{@b{use}} clause is 8979unnecessary, this means that all references to the package appear 8980inside the inner @code{@b{use}} clauses, and that the outer one can be 8981removed. If not, you can either remove the inner @code{@b{use}} 8982clauses, or remove the outer one and add more local @code{@b{use}} 8983clauses where necessary. 8984@item 8985``movable'': a @code{@b{use}} clause is given in a package 8986specification, but all uses are from the corresponding body. The 8987message starts with ``use clause can be moved to body:''. 8988 8989In this case, the @code{@b{use}} clause can safely be moved to the 8990body, unless it appears in a library package, and there are 8991unqualified references to its elements from child units. 8992@end itemize 8993 8994If no parameter is given, all cases are controlled, otherwise only 8995cases corresponding to the specified keyword(s) are controlled. This 8996rule can be given only once for each value of the parameters. 8997 8998Ex: 8999@example 9000remove: search unnecessary_use_clause (unused); 9001use_type: check unnecessary_use_clause (operator); 9002@end example 9003 9004@subsection Tip 9005This rule checks only usage of @code{@b{use}} clauses. The rule 9006``reduceable_scope'' can be used to check that @code{@b{use}} clauses 9007do not span unnecessarily to wide a scope. @xref{Reduceable_Scope}. 9008 9009@subsection Limitations 9010There are some rare cases where the rule may signal that a 9011@code{@b{use}} clause is not necessary, where it actually is. There is 9012no risk associated to this since if you remove the @code{@b{use}} 9013clause, the program will not compile. 9014 9015The first one comes from a limitation of the ASIS standard: if the 9016@i{only} use of the @code{@b{use}} clause is for making the ``root'' 9017definition of a dispatching call visible. 9018 9019The second one comes from a limitation in ASIS-for-Gnat. This happens 9020when the @i{only} use of the @code{@b{use}} clause is for making an 9021implicitely declared operation (an operation which is declared by the 9022compiler as part of a type derivation) visible, and when: 9023@itemize 9024@item 9025the operation is the target of a renaming declaration; 9026@item 9027or the operation is passed as an actual to a generic instantiation; 9028@item 9029or all operands of the operation are universal (i.e. untyped). 9030@end itemize 9031 9032Since these problems come from intrinsic limitations of ASIS, there is 9033nothing we can do about it. When this happens, you can disable the 9034unnecessary_use_clause rule using the line (or block) disabling 9035feature. @xref{Disabling controls}. Note that for the third alternative 9036of the second case, you can also qualify one of the parameters, so it 9037is not universal any more. 9038 9039@node Unsafe_Elaboration, Unsafe_Paired_Calls, Unnecessary_Use_Clause, Rules reference 9040@section Unsafe_Elaboration 9041This rule controls (generic) packages that may be subject to 9042elaboration order dependencies. 9043 9044@subsection Syntax 9045@example 9046<control_kind> unsafe_elaboration; 9047@end example 9048 9049@subsection Action 9050The rule controls library packages (or generic packages) whose 9051elaboration calls or instantiates elements from other units (except 9052language defined units) that are not subject to a @code{@b{pragma}} 9053@code{Elaborate} or @code{Elaborate_All}. The elaboration of such 9054packages may depend on elaboration order. 9055 9056Since this rule has no parameters, it can be given only once. 9057 9058Ex: 9059@example 9060check unsafe_elaboration; 9061@end example 9062 9063@subsection Tips 9064If the package contains tasks, they are considered as being part of 9065the elaboration code of the package, since tasks could be started by 9066the elaboration of the package. This is somehow pessimistic in the 9067unlikely case where a package would contain a local task type (whose 9068specification is not part of the package specification) and no task 9069object of that type is declared. Anyway, this could create only false 9070positives, therefore there is no risk associated to it. 9071 9072@node Unsafe_Paired_Calls, Unsafe_Unchecked_Conversion, Unsafe_Elaboration, Rules reference 9073@section Unsafe_Paired_Calls 9074This rule controls usage of calls to operations that are normally 9075paired (like P/V operations) and do not follow a "safe" coding 9076pattern. 9077 9078@subsection Syntax 9079@example 9080<control_kind> unsafe_paired_calls 9081 (<opening procedure>, <closing procedure> [, <lock type>]); 9082<opening procedure> ::= <entity> 9083<closing procedure> ::= <entity> 9084<lock type> ::= <entity> 9085@end example 9086 9087@subsection Action 9088The following explanations are given in terms of 9089``locks'' since this is the primary use of this rule, however the rule 9090can be used for any calls that need to be properly paired. 9091 9092The rule can deal with three different kinds of locks: 9093@itemize @bullet 9094@item 9095@i{abstract state machines}: There is no ``lock'' object, locking is 9096done directly inside the procedures. The <lock type> parameter of the 9097rule must not be provided in that case. 9098@item 9099@i{object abstract data types}: The procedure operates on an object 9100(generally of a private type) representing the ``lock'' object, passed 9101as an ``in out'' parameter. The third parameter must be the 9102corresponding type, and the rule will control that all matching pairs of 9103calls refer statically to the same variable. 9104@item 9105@i{reference abstract data types}: The procedure operates on a 9106reference that designates the ``lock'' object, passed as an 9107``in''parameter. The third parameter must be the corresponding type, 9108which must be discrete or access, and the rule will control that all 9109matching pairs of calls refer statically to the same value (for 9110discrete types) or to the same constant (for access types). 9111@end itemize 9112 9113As usual, the whole syntax for entities is allowed for 9114<entity>. @xref{Specifying an Ada entity name}. 9115 9116An @i{opening block} is either a call to the first procedure given to 9117the rule, or an if statement whose condition is a simple reference to 9118a boolean constant (that needs not be static) and whose if path or 9119else path is itself an opening block, possibly followed by @b{exit}, 9120@b{return}, and @b{null} statements (and no others). 9121 9122Similarly, a @i{closing block} is either a call to the second 9123procedure given to the rule, or an if statement whose condition is a 9124simple reference to a boolean constant (that needs not be static) and 9125whose if path or else path is itself a closing block, possibly 9126followed by @b{exit}, @b{return}, and @b{null} statements (and no 9127others). 9128 9129An opening and a closing block match if: 9130@itemize @bullet 9131@item 9132corresponding calls to the 9133procedures of a pair use the appropriate value for the ``lock'' 9134parameter (if any), as explained above 9135@item 9136if statements have their conditions refer to the 9137same constant, and their if and else paths contain matching blocks. 9138@end itemize 9139 9140The "safe" coding pattern is defined as follows: 9141@itemize @bullet 9142@item 9143An opening block is the first statement of a 9144handled sequence of statements; 9145@item 9146A closing block is the last statement of the same handled sequence of 9147statements, except for possible @b{exit}, @b{return}, and @b{null} 9148statements following it. 9149@item 9150The opening and closing blocks match. 9151@item 9152There is no other call to either operation in the statements of the 9153handled sequence of statements, except in nested blocks or accept 9154statements; calls in such inner statements shall not reference the 9155same values or variables as outer ones. 9156@item 9157There is an exception handler for "others" in the 9158handled sequence of statements. 9159@item 9160Every exception handler of the handled sequence of statements includes 9161a single closing block matching the opening block at the top of the 9162sequence of statements. 9163@end itemize 9164 9165Typically, the ``safe'' pattern corresponds to the following structures: 9166@example 9167-- Abstract state machine 9168@b{begin} 9169 P; 9170 -- Do something 9171 V; 9172@b{exception} 9173 @b{when} @b{others} => 9174 V; 9175 -- handle exception 9176@b{end}; 9177 9178-- Object abstract data type 9179@b{declare} 9180 My_Lock : Lock_Type; 9181@b{begin} 9182 P (My_Lock); 9183 -- Do something 9184 V (My_Lock); 9185@b{exception} 9186 @b{when} @b{others} => 9187 V (My_Lock); 9188 -- handle exception 9189@b{end}; 9190 9191-- Reference abstract data type 9192@b{declare} 9193 Lock_Ptr : @b{constant} Lock_Access := Get_Lock; 9194@b{begin} 9195 P (Lock_Ptr); 9196 -- Do something 9197 V (Lock_Ptr); 9198@b{exception} 9199 @b{when} @b{others} => 9200 V (Lock_Ptr); 9201 -- handle exception 9202@b{end}; 9203 9204-- Conditional blocks 9205@b{declare} 9206 Lockable : @b{constant} Boolean := ...; 9207 Lock1 : @b{constant} Boolean := ...; 9208@b{begin} 9209 @b{if} Lockable @b{then} 9210 @b{if} Lock1 @b{then} 9211 Lock (V1); 9212 @b{else} 9213 Lock (V2); 9214 @b{end} @b{if}; 9215 @b{end} @b{if}; 9216 -- Do something 9217 @b{if} Lockable @b{then} 9218 @b{if} Lock1 @b{then} 9219 Unlock (V1); 9220 @b{return}; 9221 @b{else} 9222 Unlock (V2); 9223 @b{exit}; 9224 @b{end} @b{if}; 9225 @b{end} @b{if}; 9226@b{end}; 9227@end example 9228 9229Ex: 9230@example 9231check unsafe_paired_calls (Sema.P, Sema.V, Sema.Lock_Access); 9232@end example 9233 9234@subsection Variable 9235The rule provides a variable that allows to control whether opening 9236and closing blocks can contain @b{if} statements, or just calls to the 9237procedures. 9238 9239@need 800 9240@multitable @columnfractions .25 .10 .10 .55 9241@item 9242@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 9243@item 9244Conditionals_Allowed 9245@tab off@*on 9246@tab on 9247@tab 9248@table @asis 9249@item off 9250only direct calls to the indicated procedures are allowed as opening 9251and closing blocks 9252@item on 9253calls can be nested in if statements as described above. 9254@end table 9255@end multitable 9256 9257@subsection Tips 9258If the <Lock type> parameter is provided, both procedures must have a 9259single parameter of the given type, it must not correspond to an 9260``out'' parameter, and if it corresponds to an ``in'' parameter, the 9261type must be discrete or access. 9262 9263This rule can be specified several times, and it is possible to have 9264the same procedure belonging to several rules. For example, if you 9265have a @code{Mask_Interrupt} procedure that should be matched by 9266either @code{Unmask_Interrupt} or @code{General_Reset} (all declared 9267in package @code{IT_Driver}), you can specify: 9268@example 9269check unsafe_paired_calls (IT_Driver.Mask_Interrupt, 9270 IT_Driver.Unmask_Interrupt); 9271check unsafe_paired_calls (IT_Driver.Mask_Interrupt, 9272 IT_Driver.General_Reset); 9273@end example 9274 9275Normally, the legality of a rule is checked when the rules file is 9276parsed, and execution does not start if there is any error. However, 9277the legality of the provided type can be checked only during the 9278analysis. If the type is incorrect for some reason, a proper error 9279message is issued and execution stops immediately. 9280 9281@subsection Limitation 9282Due to a weakness of the ASIS standard, dispatching calls are not 9283considered. Especially, this means that the <Lock type> cannot be 9284class-wide. Such calls are detected by the rule ``uncheckable''. 9285@xref{Uncheckable}. 9286 9287Due to a size limitation of internal data structures, this rule can be 9288specified at most 32 times. 9289 9290@node Unsafe_Unchecked_Conversion, Usage, Unsafe_Paired_Calls, Rules reference 9291@section Unsafe_Unchecked_Conversion 9292This rule controls unchecked conversions between types which are not 9293statically known to have identical sizes. 9294@subsection Syntax 9295@example 9296<control_kind> unsafe_unchecked_conversion 9297@end example 9298@subsection Action 9299This rule controls instances of @code{Unchecked_Conversion} between 9300types where the following conditions are not met: 9301@itemize @bullet 9302@item 9303A size clause has been specified for both types 9304@item 9305Both sizes are equal 9306@end itemize 9307 9308Moreover, a special message is given if any of the types is a class-wide 9309type (certainly a very questionable construct!). 9310 9311Ex: 9312@example 9313check unsafe_unchecked_conversion 9314@end example 9315 9316@subsection Limitation 9317There are cases where a size clause is given for a type, but 9318AdaControl is unable to evaluate it. This happens especially if the 9319size clause refers to a size attribute of a predefined type, like: 9320@example 9321@b{for} T'Size @b{use} Integer'size; 9322@end example 9323 9324This can lead to false positives (i.e. detection of instantiations of 9325@code{Unchecked_Conversion} that are actually OK). Such cases are 9326detected by the rule ``uncheckable''. @xref{Uncheckable}. 9327 9328@node Usage, Use_Clauses, Unsafe_Unchecked_Conversion, Rules reference 9329@section Usage 9330This rule controls how certain entitities (variables, constants, 9331types, procedures, functions, exceptions, tasks, protected objects, 9332and generics) are used. 9333@subsection Syntax 9334@example 9335<control_kind> usage 9336 (variable|object @{,[not] <location> | read | written | initialized@}); 9337<control_kind> usage 9338 (constant @{,[not] <location> | read@}); 9339<control_kind> usage 9340 (type @{,[not] <location> | used@}); 9341<control_kind> usage 9342 (procedure @{,[not] <location> | called | accessed@}); 9343<control_kind> usage 9344 (function @{,[not] <location> | called | accessed@}); 9345<control_kind> usage 9346 (exception @{,[not] <location> | raised | handled@}); 9347<control_kind> usage 9348 (task @{,[not] <location> | called | aborted@}); 9349<control_kind> usage 9350 (protected @{,[not] <location> | called@}); 9351<control_kind> usage 9352 (generic @{,[not] <location> | instantiated@}); 9353<control_kind> usage 9354 (all @{,[not] <location>@}); 9355 9356<location> ::= from_visible | from_private | from_spec 9357@end example 9358 9359@subsection Action 9360The first parameter defines the class of entities to be controlled. 9361``object'' stands for both ``constant'' and ``variable'', ``type'' 9362stands for both types and subtypes, and ``all'' stands for all 9363classes. 9364 9365If only one parameter is given, usage of all entities belonging to the 9366indicated class are reported . Otherwise, other parameter(s) are 9367keyword that restrict the kind of usage being controlled. 9368 9369``[not] from_visible'', ``[not] from_private'', and ``[not] 9370from_spec'' restrict entities being checked to those that appear (or 9371not) in (generic) package specifications, in the visible part, in the 9372private part, or in any part, respectively. ``accessed'' (available 9373for subprograms only) restricts entities being checked to those that 9374appear as the prefix of a @code{'Access} or @code{'Address} 9375attribute. Other keywords carry their obvious meaning, and are allowed 9376only where appropriate. The rule will output the information only for 9377objects that match all the conditions given. A combination of 9378parameters can be given only once for each of ``check'', ``search'', 9379and ``count''. 9380 9381The report includes the kind of unit that declares the entity (normal 9382unit, instantiation, or generic unit), the part where it is declared 9383(visible or private) if it is declared in a (generic) package, and 9384whether the entity is known to be initialized, read, written, raised, 9385handled, called, or aborted, depending on the entity's class. Some 9386combinations give an extra useful message (for example, a variable 9387which is initialized and read but not written will produce a ``could 9388be declared constant'' message). 9389 9390Variables of an access type and variables of an array type whose 9391components are of an access type (or arrays of an access type, etc.) 9392are always considered initialized, since they are initialized to 9393@code{null} by the compiler. 9394 9395Variables that cannot be assigned to (i.e. variables of an array type 9396with some null dimension, or variables of a discrete type whose range 9397includes no values) are specially recognized as ``pseudo-constants'': 9398there is no message that they are not written to (since it is not 9399possible), but there is an indication that they are pseudo-constants. 9400 9401The subrules ``procedure'' and ``function'' check only regular 9402subprograms, not protected ones. On the other hand, the subrule 9403``protected'' controls all calls to any protected subprogram or entry. 9404 9405Exceptions raised by calling @code{Raise_Exception} and tasks aborted by 9406calling @code{Abort_Task} are properly recognized as exceptions being 9407raised and tasks being aborted, respectively. 9408 9409In the case of entities declared in generic packages, the rule will 9410report on usage of the entities for each instantiation, as well as on 9411global usage for the generic itself. Usage for an instantiation will 9412include usage in the generic itself (i.e. if the generic writes to a 9413variable, the variable will be marked as ``written'' for each 9414instantiation). Usage for the generic itself is the union of all 9415usages in all instantiations (i.e., if a variable from any 9416instantiation is written to, the variable from the generic will be 9417marked as written). Therefore, if the rule reports that a variable in 9418a generic package can be declared constant, it means that no instance 9419of this variable from any instantiation is being written to. But bear 9420in mind that this can be trusted only if all units from the program 9421are analyzed. @xref{limitation}. 9422 9423Note that usage of entities whose declaration is not processed (like, 9424typically, elements declared in standard packages like 9425@code{Ada.Text_IO}), is not reported. For the same reason, it is not 9426possible to control usage of predefined operators (since they have no 9427declaration). 9428 9429Ex: 9430@example 9431-- No variable in package spec; check usage otherwise 9432Package_Variable: check usage (variable, from_spec); 9433Constantable : search usage (variable, not from_spec, read, 9434 initialized, not written); 9435Uninitialized : check usage (variable, not from_spec, read, 9436 not initialized, not written); 9437Removable : search usage (object, not from_spec, not read); 9438 9439-- Check exceptions that are never raised 9440-- generics that are never instantiated 9441-- and protected objects that are never called 9442check usage (exception, not raised); 9443check usage (generic, not instantiated); 9444check usage (protected, not called); 9445 9446-- Find how many tasks are declared, and report those 9447-- that may be aborted 9448count usage (task); 9449check usage (task, aborted); 9450@end example 9451 9452@subsection Tips 9453Constants that are never used, exceptions that are never raised or 9454handled, tasks that are never called, etc. are suspicious. Moreover, 9455some useful compiler warnings (like those about variables that should 9456be declared constants) are not output for variables declared in 9457library packages, and even in some other contexts (at least with 9458GNAT). This rule can check these kind of things, project wide. 9459 9460Some of these checks make sense only for entities declared in package 9461specifications; for example, variables are often discouraged in 9462package specifications, or need at least some extra control. That's 9463why it can be useful to restrict some checks to package specifications. 9464 9465Note that an unspecified parameter in a rule stands for two rules 9466(positive and negative form of the missing parameter). I.e.: 9467@example 9468search usage (variable, from_spec, read, written); 9469@end example 9470is the same as: 9471@example 9472search usage (variable, from_spec, read, written, initialized); 9473search usage (variable, from_spec, read, written, not initialized); 9474@end example 9475Therefore, the following example will complain on the second line that 9476the rule has already been given for this combination of parameters: 9477@example 9478search usage (variable, from_spec, read, written); 9479search usage (variable, from_spec, read, written, not initialized); 9480@end example 9481 9482Note that the notion of constants for this rule includes named numbers. 9483 9484@anchor{limitation} 9485@subsection Limitations 9486The report of this rule is output at the end of the run, and is 9487meaningful only for the units that have been processed; i.e., if it 9488reports ``variable not read'', it should be understood as ``not read 9489by the units given''. In order to have meaningful results, it is 9490therefore advisable to use this rule on the complete closure of the 9491program. 9492 9493An exception can be raised by passing its @code{'Identity} to a 9494procedure that will in turn call @code{Raise_Exception} (and similarly 9495for @code{Abort_Task}). These cases are not statically determinable, 9496and therefore not recognized by AdaControl. However, these cases can 9497be identified by searching the use of the @code{'Identity} attribute 9498with the following rule: 9499@example 9500check entity (all 'Identity); 9501@end example 9502 9503If an object is the prefix of a @code{'Access}, 9504@code{'Unchecked_Access}, or @code{'Address} attribute, it can be used 9505through the access (or address) value in ways that are not statically 9506analyzable. The same happens if objects are targets of dynamic 9507renamings. Such cases are detected by the rule 9508``uncheckable''. @xref{Uncheckable}. 9509 9510Due to a weakness of the ASIS standard, it is not possible to know the 9511mode (@b{in}, @b{out}) of variables used as parameters of dispatching 9512calls. Such variables are considered to be read and written at the 9513point of the call, therefore possibly creating false positives (which 9514is safer than false negatives). Use of such constructs is detected by 9515the rule ``uncheckable''. @xref{Uncheckable}. 9516 9517@node Use_Clauses, With_Clauses, Usage, Rules reference 9518@section Use_Clauses 9519This rule controls usage of @code{@b{use}} clauses. 9520 9521@subsection Syntax 9522@example 9523<control_kind> use_clauses 9524 [([<subrule>,] <package name> @{, <package name>@})]; 9525<subrule> ::= package | local | global | type | type_local | type_global 9526@end example 9527 9528@subsection Action 9529The rule controls every @code{@b{use}} or @code{@b{use type}} clause, 9530@i{except} those that name one of the mentioned packages/types. It is 9531therefore possible to allow @code{@b{use}} or @code{@b{use type}} 9532clauses just for certain packages/types. 9533 9534If the keyword ``package'' is given (or no keyword at all), all 9535package @code{@b{use}} clauses are controlled. If the keyword 9536``global'' is given, only @code{@b{use}} clauses that appear in 9537context clauses (i.e. together with the @code{@b{with}} clauses) are 9538controlled; if the keyword ``local'' is given, only @code{@b{use}} 9539clauses that appear as declarations are controlled. 9540 9541If the keyword ``type'' is given, all @code{@b{use type}} clauses are 9542controlled. If the keyword ``type_global'' is given, only @code{@b{use 9543type}} clauses that appear in context clauses (i.e. together with the 9544@code{@b{with}} clauses) are controlled; if the keyword ``type_local'' 9545is given, only @code{@b{use type}} clauses that appear as declarations 9546are controlled. 9547 9548This rule can be given at most once for each of check, search and 9549count. This way, it is possible to have a level considered a warning 9550(search), and one considered an error (check). 9551 9552Ex: 9553@example 9554-- Global use clauses are disallowed, local ones only for IO: 9555check use_clauses (global); 9556check use_clauses (local, Ada.Text_IO, Ada.Wide_Text_IO); 9557 9558-- No use type in context clauses, count types that are "use type"'d 9559check (type_global); 9560count (type); 9561@end example 9562 9563@node With_Clauses, , Use_Clauses, Rules reference 9564@section With_Clauses 9565This rule controls @code{@b{with}} clauses that should be removed or 9566moved to a better place. 9567 9568@subsection Syntax 9569@example 9570<control_kind> with_clauses [(<subrule> [, <subrule>])]; 9571<subrule> ::= multiple_names | reduceable | inherited 9572@end example 9573 9574@subsection Action 9575The parameters are subrule keywords that determine which kind of 9576control is performed: 9577@itemize @bullet 9578@item 9579@code{multiple_names} controls any @code{@b{with}} clause that 9580mentions more than one unit name. 9581@item 9582@code{reduceable} reports: 9583@itemize @bullet 9584@item 9585Redundant @code{@b{with}} clauses, i.e. clauses given more than once 9586for the same unit. This includes the case where the same 9587@code{@b{with}} clause is given in a specification and the 9588corresponding body, and the case of renamings of a same unit 9589(i.e. @code{Text_IO} and @code{Ada.Text_IO}). Note that giving a 9590@code{@b{with}} clause in a unit, and repeating it in a child unit (or 9591subunit) is @i{not} considered redundant. 9592@item 9593Unused @code{@b{with}} clauses, i.e. when nothing from the withed unit 9594is referenced in the corresponding unit. The rule signals when a withed 9595unit is not used in a unit, but used in one or more of its subunits. If 9596an unused @code{@b{with}} clause is given on a package specification, the 9597message reminds that it migh be useful for child units. 9598@item 9599Moveable @code{@b{with}} clauses, i.e. when the withed unit is not 9600used in the specification, but only in the body, and should be moved 9601to the body, or when the withed unit is only used in the private part, 9602and could be replaced by a @code{@b{private}} @code{@b{with}}. 9603@end itemize 9604@item 9605@code{inherited} controls child units and subunits that reference a 9606unit which is not directly withed, i.e. when withed only from a parent 9607(or enclosing) unit. Although Ada rules imply that a @code{@b{with}} 9608clause carries on to child units and subunits, it can be considered 9609better practice to ensure that every compilation unit withes directly 9610the units it needs. 9611@end itemize 9612 9613Each of the keywords can be given at most once. If no keyword is 9614given, both @code{reduceable} and @code{inherited} are assumed. 9615 9616Ex: 9617@example 9618check with_clauses (multiple_names, reduceable); 9619search with_clauses (inherited); 9620@end example 9621 9622@subsection Variables 9623@multitable @columnfractions .25 .10 .10 .55 9624@item 9625@b{Variable} @tab @b{Values} @tab @b{Default} @tab @b{Effect} 9626@item 9627Check_Private_With 9628@tab off@*on 9629@tab on 9630@tab 9631@table @asis 9632@item on 9633issues a message when a @code{@b{with}} can be 9634replaced with a @code{@b{private}} @code{@b{with}}. 9635@item off 9636do not issue a message when a @code{@b{with}} can be replaced with a 9637@code{@b{private}} @code{@b{with}} (useful in Ada 95 mode). 9638@end table 9639@item 9640Ignore_Use_Clause 9641@tab off/on 9642@tab on 9643@tab 9644@table @asis 9645@item on 9646package names appearing in use clauses are not considered as a usage 9647of the package. 9648@item off 9649names appearing in use clauses are treated like any other identifier 9650(see tip below). 9651@end table 9652@end multitable 9653 9654@subsection Tips 9655A @code{@b{with}} clause can safely be removed if it is unused, and no 9656child unit (or subunit) reports that the unit is inherited. 9657 9658Normally, use of a package name in a @code{@b{use}} clause is @i{not} 9659considered a usage of the package; clearly, the @code{@b{with}} clause 9660can (and should) be removed (or moved) if the only use of the package 9661is in @code{@b{use}} clauses (removing or moving the @code{@b{use}} 9662clauses by the same token). However, some programming rules may require 9663placing @code{@b{use}} clauses in certain places, forcing the corresponding 9664@code{@b{with}} clause. Set the variable @code{Ignore_Use_Clause} to 9665@code{off} to make sure that a @code{@b{use}} clause does mark the 9666@code{@b{with}} clause as necessary. 9667 9668@node Examples of using AdaControl for common programming rules, Specifying an Ada entity name, Rules reference, Top 9669@chapter Examples of using AdaControl for common programming rules 9670 9671In most projects, there are @i{programming rules} that define the way 9672a program should be written. AdaControl performs controls, i.e. it 9673finds occurrences of certain kinds of constructs. In this chapter, we 9674give examples of commonly found programming rules, and how the 9675corresponding controls can be written. 9676 9677@menu 9678* Migrating from Gnatcheck:: 9679* Rules files provided with AdaControl:: 9680* Automatically checkable rules:: 9681* Rules that need manual inspection:: 9682@end menu 9683 9684@node Migrating from Gnatcheck, Rules files provided with AdaControl, Examples of using AdaControl for common programming rules, Examples of using AdaControl for common programming rules 9685@section Migrating from Gnatcheck 9686The file @code{gnatcheck.aru} in directory @code{rules} gives the 9687AdaControl equivalents of rules checked by Gnatcheck. This version of 9688AdaControl covers most of Gnatcheck rules. For rules where Gnatcheck 9689requires a parameter, the AdaControl rule is given for the default 9690value, or with an example value. Small differences in semantics are 9691indicated by a comment that starts with "Difference:". 9692 9693This file is not intended to be used directly, but as an example on 9694how to convert Gnatcheck rules into AdaControl rules. Note that in 9695many cases, AdaControl is much more general than Gnatcheck. The file 9696follows as strictly as possible the rules as defined by Gnatcheck, but 9697if you are migrating from Gnatcheck to AdaControl, you may want to use 9698the more powerful forms provided by AdaControl. 9699 9700@node Rules files provided with AdaControl, Automatically checkable rules, Migrating from Gnatcheck, Examples of using AdaControl for common programming rules 9701@section Rules files provided with AdaControl 9702The @code{rules} directory provides also rules files that can be 9703sourced to enforce some commonly encountered general rules. 9704 9705@rule{Identifiers from Standard shall not be redefined} 9706 9707Use file @code{no_standard_entity.aru}. 9708 9709@rule{Identifiers from System shall not be redefined} 9710 9711Use file @code{no_system_entity.aru}. 9712 9713@rule{Predefined IO packages shall not be used} 9714 9715Use file @code{no_io.aru}. 9716 9717@rule{Standard package XXX shall not be used} 9718 9719File @code{no_standard_unit.aru} controls usage of @i{all} standard 9720packages. Comment out those that you do want to allow. 9721 9722@rule{Obsolescent features shall not be used} 9723 9724Use file @code{no_obsolescent_features.aru}. Not all obsolescent features are 9725controlled, but most of them (those that are most worth checking) are. 9726 9727@rule{Gnat specific attributes shall not be used} 9728 9729Use file @code{no_gnat_attribute.aru} 9730 9731@rule{Features from annex X shall not be used} 9732 9733Use file @code{no_annex_X.aru}. 9734 9735@rule{The Ravenscar profile shall be enforced} 9736 9737Use file @code{ravenscar.aru}. 9738 9739Note that not all of the restrictions of the Ravenscar profile are 9740currently controlled, but many are, and we expect later releases of 9741AdaControl to increase the number of controlled features. In some 9742cases (like ``Detect_Blocking''), AdaControl does a better job than 9743the profile, since it can detect statically situations that the 9744profile only requires to be detected at run-time. The rule file is 9745also slightly more restrictive than the profile; for example, the 9746restriction ``no_task_allocation'' only disallows task allocators, 9747while this rule file controls the declaration of access types on tasks. 9748 9749@rule{NASA coding guidelines shall be enforced} 9750 9751Use file @code{nasa.aru}. This file is an example of how to convert guidelines (available from @url{http://fsw.gsfc.nasa.gov/gds/code_standards_ada.pdf}) into an AdaControl rules file. 9752 9753@rule{Ada 83 unit names shall not be used (i.e. use @code{Ada.Text_IO}, not @code{Text_IO})} 9754 9755Use file @code{no_83_unit_name.aru}. 9756 9757@rule{New reserved words of Ada 2005/2012 shall not be used} 9758 9759Use file @code{reserved_2005.aru}. (the file name mentions only 2005, 9760but it checks also for 2012 - after all, there is only one extra 9761reserved word). 9762 9763@rule{Measurements for the SQALE method} 9764 9765AdaControl can provide measurements required by the SQALE quality 9766measurement method. The corresponding file is @code{SQALE.aru}. 9767 9768For information about the SQALE method, please refer to J-P Rosen's paper at 9769@url{http://www.adalog.fr/publicat/sqale.pdf} 9770 9771@node Automatically checkable rules, Rules that need manual inspection, Rules files provided with AdaControl, Examples of using AdaControl for common programming rules 9772@section Automatically checkable rules 9773Below are examples of rules that can be directly checked by AdaControl. 9774 9775@rule{Goto statement shall not be used} 9776@example 9777check statements (goto); 9778@end example 9779 9780@rule{Functions shall not have @code{@b{out}} or @code{@b{in out}} parameters (Ada 2012)} 9781@example 9782check parameter_declarations (out_parameters, max 0, function); 9783check parameter_declarations (in_out_parameters, max 0, function); 9784@end example 9785 9786@rule{Short circuit forms should be preferred over corresponding logical operators} 9787@example 9788Use_Short_Circuit: search expressions (and, or); 9789@end example 9790 9791@rule{Aggregates should be used for full assignments to structured variables, unless it is a record with a single component} 9792@example 9793check multiple_assignments (groupable, given 2, ratio 100); 9794@end example 9795 9796@rule{All loops that contain exit statements must be named, and the name must be given in the exit statement} 9797@example 9798check statements (unnamed_loop_exited); 9799check statements (unnamed_exit); 9800@end example 9801 9802@rule{All type names must start with ``T_''} 9803@example 9804check naming_convention (type, "^T_"); 9805@end example 9806 9807@rule{All program units must repeat their name after the ``end''} 9808@example 9809check style (no_closing_name); 9810@end example 9811 9812@rule{Pragma Suppress is not allowed} 9813@example 9814check pragmas (suppress); 9815@end example 9816 9817@rule{Ada tasking must not be used} 9818@example 9819check declarations (task); 9820@end example 9821 9822@rule{``='' and ``/='' shall not be used between real types} 9823@example 9824check expressions (real_equality); 9825@end example 9826 9827@rule{All tasks must provide an exception handler that calls ``Failure'' in 9828the case of an unhandled exception} 9829@example 9830check exception_propagation (task); 9831check silent_exceptions (failure); 9832@end example 9833 9834@rule{Unchecked_Conversion shall not be used} 9835@example 9836check entities (ada.unchecked_conversion); 9837@end example 9838 9839@rule{No global variable shall be declared in the visible part of a package 9840specification} 9841@example 9842check usage (variable, from_spec); 9843@end example 9844 9845@rule{Predefined numeric types of the language shall not be used} 9846@example 9847check entities (standard.Integer, 9848 standard.short_integer, 9849 standard.long_integer, 9850 standard.Float, 9851 standard.short_float, 9852 standard.long_float); 9853@end example 9854 9855@rule{Access to subprograms shall not be used} 9856@example 9857check declarations (access_to_sp); 9858@end example 9859 9860@rule{Abort statements shall not be used} 9861@example 9862check statements (abort); 9863@end example 9864 9865@rule{There shall be only one instantiation of 9866Ada.Numerics.Generic_Elementary_Functions for each floating point type} 9867@example 9868-- Put a --##RULE LINE OFF GEF 9869-- for the one which is allowed 9870GEF: check Instantiations (Ada.Numerics.Generic_Elementary_Functions); 9871@end example 9872 9873@rule{A local item shall not hide an outer one with the same name} 9874@example 9875check Local_Hiding; 9876@end example 9877 9878@rule{There shall be no IOs in exception handlers} 9879@example 9880check entity_inside_exception (ada.Text_IO.put, ada.Text_IO.put_line, 9881 ada.Text_IO.get, ada.Text_IO.get_line); 9882@end example 9883Note that this checks for all overloaded procedures, but only those 9884dealing with characters and strings (those defined directly within 9885Ada.Text_IO). If the names ``get'' and ``put'' are not used for 9886anything else than IOs, a more general form can be given as: 9887@example 9888check entity_inside_exception (all get, all put, 9889 all get_line, all put_line); 9890@end example 9891This will check that no entity with the corresponding names appear in 9892exception handlers. 9893 9894@rule{Exceptions shall not be used} 9895@example 9896No_Exception: check declarations (exception, handlers); 9897No_Exception: check statements (raise); 9898No_Exception: check entities (Ada.Exceptions); 9899@end example 9900 9901This will check that no exception is declared, no exception handler is 9902provided, and no exception is raised, not even through the services of 9903the package @code{Ada.Exceptions}. 9904 9905@rule{No procedure exported to C shall propagate exceptions} 9906@example 9907check exception_propagation (interface, C); 9908@end example 9909 9910@rule{There shall be no Unchecked_Conversion to or from Address} 9911@example 9912check instantiations (ada.unchecked_conversion, system.address); 9913check instantiations (ada.unchecked_conversion, <>, system.address); 9914@end example 9915 9916@rule{There shall be no use clause except for Text_IO} 9917@example 9918check use_clauses(ada.text_IO); 9919@end example 9920 9921@rule{Use explicit list of values in case statements rather than ``when others''if the ``when others'' would cover less than 10 values} 9922@example 9923check Case_Statement(min_others_span, 10); 9924@end example 9925 9926@rule{If a block is more than 20 lines long, it must be named} 9927@example 9928check Max_Size(unnamed_block, 20); 9929@end example 9930 9931@rule{Exceptions shall not be handled except by main program} 9932@example 9933check declaration (handlers) 9934@end example 9935This check will be disabled for the exception handler of the main program. 9936 9937@rule{Each unit has a header starting with a fixed format, and must contain at least 10 lines of comments} 9938@example 9939check header_comments (model, "header.txt"); 9940check header_comments (minimum, 10); 9941@end example 9942The file @code{header.txt} contains the required header (as regexps), like: 9943@example 9944^--*@{50@}$ 9945^-- This is a header$ 9946@end example 9947 9948@node Rules that need manual inspection, , Automatically checkable rules, Examples of using AdaControl for common programming rules 9949@section Rules that need manual inspection 9950Below are examples of rules that require manual inspection, but where 9951AdaControl can be used to identify suspicious areas. 9952 9953@rule{All usages of the 'ADDRESS attribute shall be justified and documented} 9954@example 9955search entities (all 'address); 9956@end example 9957 9958@rule{Specifying an address for a variable shall be restricted to hardware interfacing} 9959@example 9960search representation_clauses(address); 9961@end example 9962 9963@rule{There shall be no memory leakage} 9964@example 9965search Allocators; 9966@end example 9967This rule identifies all allocations, and thus can be used to check 9968that all allocated elements are properly deallocated. 9969 9970@node Specifying an Ada entity name, Syntax of regular expressions, Examples of using AdaControl for common programming rules, Top 9971@appendix Specifying an Ada entity name 9972 9973@menu 9974* General syntax:: 9975* Overloaded names:: 9976* Enumeration literals:: 9977* Operators:: 9978* Attributes:: 9979* Anonymous constructs and extended return statements:: 9980* Record and protected types components:: 9981* Formals of access to subprogram types:: 9982* Limitation:: 9983@end menu 9984 9985@node General syntax, Overloaded names, Specifying an Ada entity name, Specifying an Ada entity name 9986@section General syntax 9987Many rules can take Ada entities as parameters. Each time a rule uses 9988the category <entity>, it refers to an Ada entity that can be 9989specified with the following syntax: 9990@example 9991<entity> ::= <full_name> | "all" <simple_name> | "all" <attribute> 9992@end example 9993@code{<full_name>} is the full name of the Ada entity, using normal 9994Ada dot notation (with some extensions, see below). Full name means 9995that you give the full expanded name, starting from a compilation 9996unit. This name must be the actual full name, i.e. it must not include 9997any renaming (otherwise the name will not be recognized). For example, 9998the usual @code{Put_Line} must be given as 9999@code{Ada.Text_IO.Put_Line}, not as 10000@code{Text_IO.Put_Line}. Predefined elements (@code{Integer}, 10001@code{Constraint_Error}) must be given in the form 10002@code{Standard.Integer} or @code{Standard.Constraint_Error}, since 10003they are logically declared in the package @code{Standard}. 10004 10005@code{<simple_name>} is a single identifier, possibly followed by 10006overloading information. No qualification is allowed. 10007 10008@code{<Attribute>} is an attribute name, including the quote. No 10009overloading information is allowed. 10010 10011@code{<full_name>} designates a single entity or several overloaded 10012entities declared in the same place (as identified by the prefix), 10013while @code{all <simple_name>} designates all identifiers with the 10014given name in the program, irrespectively of where they 10015appear. @code{all <Attribute>} designates all occurrences of the given 10016attribute, irrespectively of what the attribute applies to. 10017 10018A utility is provided with AdaControl to help you find the full name 10019of an entity. @xref{pfni}. If you are using GPS with AdaControl 10020plug-ins, it can be accessed directly from the contextual 10021menu. @xref{Contextual menu}. 10022 10023@node Overloaded names, Enumeration literals, General syntax, Specifying an Ada entity name 10024@section Overloaded names 10025In Ada, names can be overloaded. This means that you can have several 10026procedures @code{P} in package @code{ Pack}, if they differ by the 10027types of the parameters. If you just give the name @code{Pack.P} as 10028the <entity>, the corresponding rule will be applied to all 10029elements named @code{P} from package @code{Pack}. If you want to 10030distinguish between overloaded names, you can specify a profile after 10031the element's name. A profile has the syntax: 10032 10033@example 10034"@{" [ ["access"] <type-name> 10035 @{ ";" ["access"] <type-name> @} ] 10036 ["return" <type-name>] "@}" 10037@end example 10038 10039You must specify the @i{type} name, even if the <entity> 10040declaration uses a subtype of the type; this is because Ada uses types 10041for overloading resolution, not subtypes. Anonymous access parameters 10042are specified by putting @code{access} in front of the type name. An 10043overloaded name for a procedure without parameters uses just a pair of 10044empty brackets. If the subprogram is a function, you must provide the 10045@code{return <type-name>} part for the return type of the 10046function. The types must also be given as a unique name, 10047i.e. including the full path: if the type is @code{T} declared in 10048package @code{Pack}, you must specify it as @code{Pack.T}. As a 10049convenience, the @code{Standard.} is optional for predefined types, so 10050you can write @code{Standard.Integer} as @code{Integer}. There is no 10051ambiguity, since a type is always declared within some construct. Note 10052that omitting @code{Standard} works only for @i{types} that are part 10053of the profile used to distinguish between overloaded Ada entities but 10054that the @i{Ada entity name} must always contain Standard if it is a 10055predefined element. 10056 10057Overloaded names can be also be used with the @code{all <simple_name>} 10058form of the <entity>. In this case, the rule will be applied to 10059all names that are subprograms with the given identifier and matching 10060the given profile, irrespectively of where they appear. 10061 10062Note that if you use an overloaded name, all overloadable names that 10063are part of the <entity>, including those of the profile, must 10064use the overloaded syntax. For example, given the following program 10065@example 10066@b{procedure} P @b{is} 10067 @b{procedure} Q (I : Integer) @b{is} 10068 ... 10069 @b{end} Q; 10070 @b{procedure} Q (F : Float) @b{is} 10071 ... 10072 @b{end} Q; 10073@b{begin} 10074 ... 10075@b{end} P; 10076@end example 10077 10078If you want to distinguish between the two procedures @code{Q}, you 10079must specify them as @code{P@{@}.Q@{Integer@}} and 10080@code{P@{@}.Q@{Float@}} (note the @code{P@{@}} which specifies an 10081overloaded name for a procedure @code{P} without parameters). 10082 10083The names of entities which can not be overloaded (like package, 10084exception, @dots{}) must not be suffixed by braces 10085(e.g. @code{Ada.Text_IO.Put_Line@{Standard.String@}}). 10086 10087@node Enumeration literals, Operators, Overloaded names, Specifying an Ada entity name 10088@section Enumeration literals 10089Following normal Ada rules, an enumeration literal is considered a 10090parameterless function. If you want to distinguish between overloaded 10091enumeration literals, you can use overloaded names for them. For 10092example, given: 10093@example 10094@b{package} Pack @b{is} 10095 @b{type} T1 @b{is} (A, B); 10096 @b{type} T2 @b{is} (B, C); 10097@b{end} Pack; 10098@end example 10099 10100Ada entities names are: 10101@itemize 10102@item 10103@code{Pack.B@{return Pack.T1@}} 10104@item 10105@code{Pack.B@{return Pack.T2@}} 10106@end itemize 10107 10108@node Operators, Attributes, Enumeration literals, Specifying an Ada entity name 10109@section Operators 10110AdaControl handles operators (i.e. functions like @code{"+"}) 10111correctly. Of course, you must specify such operations using normal 10112Ada syntax: if you define the integer type @code{T} in package 10113@code{Pack}, an overloaded name for the addition would be 10114@code{Pack."+"@{Pack.T; Pack.T return Pack.T@}}. 10115 10116@node Attributes, Anonymous constructs and extended return statements, Operators, Specifying an Ada entity name 10117@section Attributes 10118It is also possible to designate attributes of entities, using the 10119normal notation (i.e. @code{Standard.Integer'First}). If the name of 10120an attribute which is a function appears in a name that uses the 10121overloaded syntax, it is not necessary (and actually not allowed) to 10122provide its profile, since there is no possible ambiguity in that 10123case. For example, given: 10124 10125@example 10126@b{procedure} P (I : Integer) @b{is} 10127 @b{type} T @b{is} @b{range} 1 .. 10; 10128@b{begin} 10129 ... 10130@b{end} P; 10131@end example 10132 10133You can designate the @code{'Image} attribute for type @code{T} as 10134@code{P@{Standard.Integer@}.T'Image} (the profile of the @code{'Image} 10135function is not given, as would be necessary for a normal function). 10136 10137To designate all occurrences of an attribute, use @code{@b{all}} in 10138front of the attribute. To designate only occurrences of an attribute 10139whose prefix is a (sub) type (but any type or subtype), give it as 10140@code{type'Attr} (i.e. the keyword ``type'' is put in front of the 10141quote). 10142 10143@code{@b{all}} may be used in place of an attribute name to mean ``any 10144attribute''. See examples below. 10145 10146@example 10147check entities (all 'Image); -- Find all occurrences of 'Image 10148check entities (all type'Length); -- Find all occurrences of 'Length 10149 -- applied to a type 10150 10151check entities (Standard.Integer'all); -- Find all attributes applied 10152 -- to type Integer 10153Check entities (all type'all); -- Find all attributes applied 10154 -- to a type 10155check entities (all 'all); -- Find all attributes 10156@end example 10157 10158@node Anonymous constructs and extended return statements, Record and protected types components, Attributes, Specifying an Ada entity name 10159@section Anonymous constructs and extended return statements 10160There is a special case for elements that are defined (directly or 10161indirectly) within unnamed loops or block statements. Everything 10162happens as if the unnamed construct was named 10163@code{_anonymous_}. Therefore if you have the following program: 10164@example 10165@b{procedure} P @b{is} 10166@b{begin} 10167 @b{for} I @b{in} 1..10 @b{loop} 10168 @b{declare} 10169 J : Integer; 10170 @b{begin} 10171 ... 10172 @b{end}; 10173 @b{end} @b{loop}; 10174@b{end} P; 10175@end example 10176You can refer to @code{I} as @code{P._anonymous_.I}, and to @code{J} 10177as @code{P._anonymous_._anonymous_.J}. 10178 10179Similarly, an extended return statement is considered ``named'' @code{return}. 10180 Therefore if you have the following program: 10181@example 10182@b{function} F @b{return} Integer @b{is} 10183 I : Integer; 10184@b{begin} 10185 @b{return} I : Integer @b{do} 10186 ... 10187 @b{end} @b{return}; 10188@b{end} F; 10189@end example 10190You can refer to the @code{I} declared in @code{F} as @code{F.I}, and 10191to the return object @code{I} as @code{F.return.I}. 10192 10193@node Record and protected types components, Formals of access to subprogram types, Anonymous constructs and extended return statements, Specifying an Ada entity name 10194@section Record and protected types components 10195You can designate the name of a record or protected type component (a 10196``field'' name), but to identify it uniquely, you must precede its name 10197by the name of the type. This is a small extension to Ada syntax, but 10198it is the simplest and most natural way to deal with this case. For 10199example, given: 10200@example 10201@b{procedure} P @b{is} 10202 @b{type} T @b{is} 10203 @b{record} 10204 Name : Integer; 10205 @b{end} @b{record}; 10206 ... 10207@end example 10208 10209The Ada entity name is @code{P.T.Name}. 10210 10211@node Formals of access to subprogram types, Limitation, Record and protected types components, Specifying an Ada entity name 10212@section Formals of access to subprogram types 10213Similarly, you can designate the formal of an access to subprogram 10214type by prefixing it by the access type. For example, given: 10215@example 10216@b{procedure} P @b{is} 10217 @b{type} T @b{is} @b{access} @b{procedure} (X : Integer); 10218 ... 10219@end example 10220 10221The Ada entity name of the formal is @code{P.T.X}. 10222 10223@node Limitation, , Formals of access to subprogram types, Specifying an Ada entity name 10224@section Limitation 10225Due to a limitation of ASIS for GNAT, it is not possible to specify 10226a profile with predefined operators; predefined operators without 10227a profile work normally. 10228@example 10229-- This will not recognize "<" on Standard.Integer: 10230check entities (Standard."<"@{Standard.Integer, 10231 Standard.Integer 10232 return Standard.Boolean@}); 10233 10234-- This will correctly recognize all predefined "<": 10235check entities (Standard."<"); 10236@end example 10237 10238@node Syntax of regular expressions, Non upward-compatible changes, Specifying an Ada entity name, Top 10239@appendix Syntax of regular expressions 10240The following syntax gives the complete definition of regular 10241expressions, as used by several rules. It is taken from the 10242specification of the package @code{gnat.regpat}, where additional 10243information is available. 10244 10245@example 10246regexp ::= expr 10247 ::= ^ expr -- anchor at the beginning of string 10248 ::= expr $ -- anchor at the end of string 10249 10250expr ::= term 10251 ::= term | term -- alternation (term or term ...) 10252 10253term ::= item 10254 ::= item item ... -- concatenation (item then item) 10255 10256item ::= elmt -- match elmt 10257 ::= elmt * -- zero or more elmt's 10258 ::= elmt + -- one or more elmt's 10259 ::= elmt ? -- matches elmt or nothing 10260 ::= elmt *? -- zero or more times, minimum number 10261 ::= elmt +? -- one or more times, minimum number 10262 ::= elmt ?? -- zero or one time, minimum number 10263 ::= elmt @{ num @} -- matches elmt exactly num times 10264 ::= elmt @{ num , @} -- matches elmt at least num times 10265 ::= elmt @{ num , num2 @} -- matches between num and num2 times 10266 ::= elmt @{ num @}? -- matches elmt exactly num times 10267 ::= elmt @{ num , @}? -- matches elmt at least num times 10268 non-greedy version 10269 ::= elmt @{ num , num2 @}? -- matches between num and num2 times 10270 non-greedy version 10271 10272elmt ::= nchr -- matches given character 10273 ::= [range range ...] -- matches any character listed 10274 ::= [^ range range ...] -- matches any character not listed 10275 ::= . -- matches any single character 10276 -- except newlines 10277 ::= ( expr ) -- parens used for grouping 10278 ::= \ num -- reference to num-th parenthesis 10279 10280range ::= char - char -- matches chars in given range 10281 ::= nchr 10282 ::= [: posix :] -- any character in the POSIX range 10283 ::= [:^ posix :] -- not in the POSIX range 10284 10285posix ::= alnum -- alphanumeric characters 10286 ::= alpha -- alphabetic characters 10287 ::= ascii -- ascii characters (0 .. 127) 10288 ::= cntrl -- control chars (0..31, 127..159) 10289 ::= digit -- digits ('0' .. '9') 10290 ::= graph -- graphic chars (32..126, 160..255) 10291 ::= lower -- lower case characters 10292 ::= print -- printable characters (32..127) 10293 ::= punct -- printable, except alphanumeric 10294 ::= space -- space characters 10295 ::= upper -- upper case characters 10296 ::= word -- alphanumeric characters 10297 ::= xdigit -- hexadecimal chars (0..9, a..f) 10298 10299char ::= any character, including special characters 10300 ASCII.NUL is not supported. 10301 10302nchr ::= any character except \()[].*+?^ or \char to match char 10303 \n means a newline (ASCII.LF) 10304 \t means a tab (ASCII.HT) 10305 \r means a return (ASCII.CR) 10306 \b matches the empty string at the beginning or end of a 10307 word. A word is defined as a set of alphanumerical 10308 characters (see \w below). 10309 \B matches the empty string only when *not* at the 10310 beginning or end of a word. 10311 \d matches any digit character ([0-9]) 10312 \D matches any non digit character ([^0-9]) 10313 \s matches any white space character. This is equivalent 10314 to [ \t\n\r\f\v] (tab, form-feed, vertical-tab,... 10315 \S matches any non-white space character. 10316 \w matches any alphanumeric character or underscore. 10317 This include accented letters, as defined in the 10318 package Ada.Characters.Handling. 10319 \W matches any non-alphanumeric character. 10320 \A match the empty string only at the beginning of the 10321 string, whatever flags are used for Compile (the 10322 behavior of ^ can change, see Regexp_Flags below). 10323 \G match the empty string only at the end of the 10324 string, whatever flags are used for Compile (the 10325 behavior of $ can change, see Regexp_Flags below). 10326... ::= is used to indication repetition (one or more terms) 10327@end example 10328 10329Embedded newlines are not matched by the ^ operator. It is possible 10330to retrieve the substring matched a parenthesis expression. Although 10331the depth of parenthesis is not limited in the regexp, only the first 103329 substrings can be retrieved. 10333 10334The operators '*', '+', '?' and '@{@}' always match the longest possible 10335substring. They all have a non-greedy version (with an extra ? after 10336the operator), which matches the shortest possible substring. 10337 10338For instance: 10339@example 10340 regexp="<.*>" string="<h1>title</h1>" matches="<h1>title</h1>" 10341 regexp="<.*?>" string="<h1>title</h1>" matches="<h1>" 10342@end example 10343 10344'@{' and '@}' are only considered as special characters if they appear 10345in a substring that looks exactly like '@{n@}', '@{n,m@}' or '@{n,@}', where 10346n and m are digits. No space is allowed. In other contexts, the curly 10347braces will simply be treated as normal characters. 10348 10349Note that if you compiled AdaControl with the 10350@code{String_Matching_Portable} package, only basic wildcards are 10351available, i.e. only ``*'' and ``?'' are supported, where ``*'' 10352matches any string of character and ``?'' matches a single character. 10353 10354@node Non upward-compatible changes, , Syntax of regular expressions, Top 10355@appendix Non upward-compatible changes 10356This chapter is intended to users of a previous version of AdaControl, 10357who want to migrate rule files to the latest version. Although we 10358understand the burden of non upward-compatible changes, we consider 10359that making AdaControl more powerful and easier to use is sometimes 10360more important than strict compatibility. Moreover, in most cases the 10361changes are very straightforward and can be done easily by hand, or 10362with scripts if many files are involved. 10363 10364@section Migrating from 1.17r3 10365@subsection Statements 10366The subrules @code{dispatching_call} and @code{redispatching_call} do 10367not control @i{function} calls anymore, since these are controlled (more 10368appropriately) by subrules of the @code{expressions} rule. In short, change: 10369@example 10370check statements (dispatching_call, redispatching_call); 10371@end example 10372to: 10373@example 10374check statements (dispatching_call, redispatching_call); 10375check expressions (dispatching_function_call, 10376 redispatching_function_call); 10377@end example 10378 10379The subrule @code{raise_nonpublic} does not control any more the 10380raising of exceptions declared in visible parts of packages other than 10381the one that contains the @code{@b{raise}} statement; these are now 10382controlled by the subrule @code{raise_foreign}. It also now accepts 10383(i.e. does not control) exceptions declared in the visible part of an 10384ancestor of the package that contains @code{@b{raise}} statement. 10385 10386@subsection Use of command line options -r and -s 10387Previous versions mentionned in the command line syntax that ``-r'' 10388and ``-s'' could be used together, but the effect of this combination 10389was not documented. It has now a documented (and slightly different, 10390but more useful) effect. See @ref{Input units} and @ref{Generating a 10391units list}. 10392 10393@section Migrating from 1.16r11 10394@subsection Declarations, Entities, Instantiations 10395These rules use the concept of ``location'' to restrict the places 10396where some constructs are controlled. It is now possible to specify 10397``not'' in front of a location keyword. As a consequence, the 10398keyword ``nested'' has been removed, as it was the same thing 10399as ``not library''. In short, change: 10400@example 10401check declarations (nested procedure); 10402@end example 10403to: 10404@example 10405check declarations (not library procedure); 10406@end example 10407 10408@section Migrating from 1.15r5 10409@subsection Array_Declarations 10410The extension of aspects to more rules required a slight change in the 10411syntax of the ``component'' subrule: the keywords ``packed'', 10412``sized'', and ``component_sized'' have been changed to ``pack'', 10413``size'', and ``component_size'', respectively. 10414 10415@subsection Multiple_Assignments 10416Due to new functionalities, and expecting more in the future, the rule 10417has been renamed to ``Assignments''. 10418 10419@subsection No_Operator_Usage 10420The syntax has been changed, due to the introduction of 10421``indexing''. Moreover, the rule was not consistent, in that the 10422result of ``none'' was affected by the presence or absence of 10423``logical'' (without ``logical'', ``none'' included all types, while 10424with it, it counted only those not counted with ``logical''). If you 10425want that exact same behaviour (which might not be desirable), 10426change: 10427@example 10428-- (1) 10429check no_operator_usage (none); 10430 10431-- (2) 10432check no_operator_usage (logical); 10433 10434-- (3) 10435check no_operator_usage (none, logical) 10436 -- or no parameters 10437@end example 10438to: 10439@example 10440-- (1) 10441check no_operator_usage(ignore indexing, ignore logical); 10442 -- or no parameters 10443 10444-- (2) 10445check no_operator_usage (logical); 10446 10447-- (3) 10448check no_operator_usage (not logical), 10449check no_operator_usage (logical); 10450@end example 10451 10452@subsection Object_Declarations 10453Due to the necessity of avoiding a syntactic ambiguity in the new 10454subrule ``type'', the keyword ``all'' is no more allowed in the syntax 10455for the subrule ``min_integer_span'' (specifying neither ``variable'' 10456or ``constant'' still means the subrule applies to both, as 10457before). Change: 10458@example 10459count object_declarations (min_integer_span, all 8); 10460@end example 10461to: 10462@example 10463count object_declarations (min_integer_span, 8); 10464@end example 10465 10466@subsection Statements 10467The subrule ``exit'' was documented as controlling all exit 10468statements, but it did not report exits from @code{@b{for}} and 10469@code{@b{while}} loops if ``exit_for_loop'' (respectively 10470``exit_while_loop'') was also specified. It now behaves as documented, 10471i.e. it controls all @code{@b{exit}} statements. 10472 10473Note that if you want separate messages for each kind of loop, the new 10474rule ``exit_plain_loop'' controls exit from plain loops. 10475 10476@subsection Style 10477The subrule ``positional_association'' is now a rule of its own, 10478``positional_associations''. The order of parameters is different, due 10479to various subrules of the new rule. Typically, change: 10480@example 10481check style (parameter_association, call, 1); 10482@end example 10483to: 10484@example 10485check parameter_associations (all, 1, call); 10486@end example 10487 10488Note that the new rule distinguishes between regular array aggregates 10489and aggregates used for enumeration representation clauses. 10490 10491Modes of the subrules ``parameter_order'' and 10492``formal_parameter_order'' are now separated by ``|''. With the 10493previous syntax, forgetting a comma was changing the meaning of the 10494rule without introducing a syntax error. Typically, change: 10495@example 10496check style (parameter_order, in defaulted_in, out in_out); 10497@end example 10498to: 10499@example 10500check style (parameter_order, in | defaulted_in, out | in_out); 10501@end example 10502 10503@section Migrating from 1.14r9 10504@subsection Local_Hiding 10505Due to the introduction of extra parameters for allowed patterns, it 10506is no more possible to specify the rule several times in the same 10507command. Change: 10508@example 10509check local_hiding (strict, overloading); 10510@end example 10511to: 10512@example 10513check local_hiding (strict); 10514check local_hiding (overloading); 10515@end example 10516The special subrule ``overloading_short'' has been replaced by a rule 10517variable to choose the report format. Change: 10518@example 10519check local_hiding (overloading_short); 10520@end example 10521to: 10522@example 10523set local_hiding.overloading_report compact; 10524check local_hiding (overloading); 10525@end example 10526 10527@subsection Max_Nesting 10528The value given is now the @i{nesting} level (consistent with the rule name), 10529no more the maximum @i{depth}. This is more natural (Max_Nesting(1) means 10530that the construct can be nested once), but it is one less than in previous 10531versions. For example, change: 10532@example 10533check Max_Nesting (5); 10534@end example 10535to: 10536@example 10537check Max_Nesting (4); 10538@end example 10539 10540@subsection Parameter_Declarations 10541The subrules have been generalized, using the same syntax for bounds 10542as other rules. Change: 10543@example 10544check parameter_declarations (min_parameters, 1); 10545check parameter_declarations (max_parameters, 5); 10546check parameter_declarations (max_defaulted_parameters, 3); 10547@end example 10548to: 10549@example 10550check parameter_declarations (all_parameters, min 1, max 5); 10551check parameter_declarations (defaulted_parameters, max 3); 10552@end example 10553 10554@section Migrating from 1.11r4 10555@subsection Expressions 10556The subrule @code{Real_Equality} does not control user-defined 10557equality operators any more. This is intended to be more of an 10558improvement than an incompatibily. 10559 10560@subsection Special_Comments 10561Since the number of subrules is growing, and do not only address `special'' 10562comments, this rule has been renamed to ``comments''. 10563 10564@section Migrating from 1.10r10 10565@subsection GPS integration 10566Due to a bug/feature of the GPS interface, if a units file was 10567specified, it did not reappear later in the corresponding box of the 10568Switch/AdaControl dialog. This has been fixed, but you must reenter 10569the units file name in the dialog. 10570 10571@subsection Representation_Clauses 10572The introduction of categories made some subrules syntactically 10573ambiguous or redundant. In consequence, the subrules 10574``derived_record'', ``extension_record'', and ``tagged_record'' have 10575been removed, and the subrules ``record'', ``incomplete_record'', and 10576``non_contiguous_record'' have been renamed as ``layout'', 10577``incomplete_layout'', and ``non_contiguous_layout'' respectively. Change: 10578@example 10579check representation_clause (derived_record); 10580check representation_clause (extension_record); 10581check representation_clause (tagged_record); 10582check representation_clause (record); 10583check representation_clause (incomplete_record); 10584check representation_clause (non_contiguous_record); 10585@end example 10586to: 10587@example 10588check representation_clause (new layout); 10589check representation_clause (extension layout); 10590check representation_clause (tagged layout); 10591check representation_clause (layout); 10592check representation_clause (incomplete_layout); 10593check representation_clause (non_contiguous_layout); 10594@end example 10595 10596@section Migrating from 1.9r4 10597@subsection Array_Declarations 10598The subrule ``Max_Length'' has been changed to ``Length'', with the possibility to specify both min and max 10599values. Change: 10600@example 10601check array_declarations (max_length, 100); 10602@end example 10603to: 10604@example 10605check array_declarations (length, max 100); 10606@end example 10607 10608@subsection Declarations 10609The subrule names ``initialized_record_field'', 10610``uninitialized_record_field'', ``initialized_protected_field'', and 10611``uninitialized_protected_field'' have been changed to 10612``initialized_record_component'', ``uninitialized_record_component'', 10613``initialized_protected_component'', and 10614``uninitialized_protected_component'', respectively, to be more 10615consistent with official Ada terminology. Change: 10616@example 10617check declarations (initialized_record_field, 10618 uninitialized_record_field, 10619 initialized_protected_field, 10620 uninitialized_protected_field); 10621@end example 10622to: 10623@example 10624check declarations (initialized_record_component, 10625 uninitialized_record_component, 10626 initialized_protected_component, 10627 uninitialized_protected_component); 10628@end example 10629 10630The subrule ``aliased'' has been split into ``aliased_constant'' and 10631``aliased_variable''. The old rule controlled both at the same time, 10632but did not control aliased components (there are now other subrules 10633to that effect). Change: 10634@example 10635check declarations (aliased); 10636@end example 10637to: 10638@example 10639check declarations (aliased_constant, aliased_variable); 10640@end example 10641 10642@subsection Default_Parameter 10643The <place> is no more allowed to be ``all'', because it was ambiguous 10644with the ``all <name>'' syntax of <entity>. If you used ``all'', 10645duplicate the control with ``calls'' and ``instantiations''. Change: 10646@example 10647My_label : check default_parameter (all, ...); 10648@end example 10649to: 10650@example 10651My_label : check default_parameter (calls, ...), 10652 check default_parameter (instantiations, ...); 10653@end example 10654 10655@subsection Improper_Initialization 10656By default, variables declared directly within (generic) package 10657specifications and bodies are no more checked. To get the previous 10658behaviour, add the ``package'' modifier. Change: 10659@example 10660check improper_initialization (variable); 10661@end example 10662to: 10663@example 10664check improper_initialization (package variable); 10665@end example 10666 10667@section Migrating from 1.8r8 10668@subsection CSV(X) format 10669If the output format is CSV or CSVX, the file name, line number and 10670column number are generated as three different spreadsheet columns, 10671instead of forming a single message. This makes it easier to use a 10672spreadsheet program for per-file statistics. 10673 10674@subsection Default_Parameter 10675Due to the introduction of the ``positional'' keyword, ``not used'' is 10676now spelled ``not_used''. Change: 10677@example 10678check default_parameter (proc, param, not used); 10679@end example 10680to: 10681@example 10682check default_parameter (proc, param, not_used); 10683@end example 10684 10685@subsection Other_Dependencies 10686This rule has been changed into a subrule of the (new) rule 10687``Dependencies''. Change: 10688@example 10689check Other_Dependencies (pack1, pack2); 10690@end example 10691to: 10692@example 10693check Dependencies (others, pack1, pack2); 10694@end example 10695 10696@subsection Special_Comments 10697Due to the introduction of another subrule, add ``pattern'' as the first parameter 10698to the rule. Change: 10699@example 10700check Special_Comments ("TBSL"); 10701@end example 10702to: 10703@example 10704check Special_Comments (pattern, "TBSL"); 10705@end example 10706 10707@subsection Statements 10708The ``raise'' subrule now reports all occurrences of the @code{@b{raise}} 10709statement, even if another control is applicable to the same statement. 10710 10711The ``reraise'' subrule now reports calls to 10712@code{Ada.Exceptions.Reraise_Occurrence}. 10713 10714The ``raise_standard'' subrule now reports exceptions raised by calls to 10715@code{Ada.Exceptions.Raise_Exception}. 10716 10717@section Migrating from 1.7r9 10718@subsection Case_Statement 10719This rule now allows the specification of both min and max values for 10720each subrule. Subrule names have been changed accordingly. Change: 10721@example 10722check Case_Statement (max_range_span, 5); 10723check Case_Statement (max_values, 10); 10724check Case_Statement (min_others_span, 4); 10725check Case_Statement (min_paths, 6); 10726@end example 10727to: 10728@example 10729check Case_Statement (range_span, max 5); 10730check Case_Statement (values, max 10); 10731check Case_Statement (others_span, min 4); 10732check Case_Statement (paths, min 6); 10733@end example 10734 10735@subsection Max_Parameters 10736This rule has been changed into a subrule of the (new) rule 10737``Parameter_Declarations''. Change: 10738@example 10739check Max_Parameters (10); 10740@end example 10741to: 10742@example 10743check Parameter_Declarations (Max_Parameters, 10); 10744@end example 10745 10746@section Migrating from 1.6r8 10747@subsection ``message'' command 10748The message is now syntactically a string, and must always be enclosed 10749in double quotes (quotes were optional in previous versions). 10750 10751@subsection ``source'' command 10752If a ``source'' command is given in a rules file, and the sourced file 10753is given with a relative path, it is interpreted relatively to the 10754sourcing file (it was interpreted relatively to the current directory 10755previously). This should make ``chained'' sourcing easier, since the 10756interpretation does not depend on where the sourcing file is being 10757called from. 10758 10759@subsection Control_Characters 10760This rule is now called ``Characters'' and can process other kinds of 10761characters in addition to control characters. Control characters 10762correspond to the ``control'' parameter of the rule. Change: 10763@example 10764check control_characters; 10765@end example 10766to: 10767@example 10768check characters (control); 10769@end example 10770 10771@subsection If_For_Case 10772This rule has been changed into a subrule of the (new) rule 10773``simplifiable_statements''. Change: 10774@example 10775check if_for_case; 10776@end example 10777to: 10778@example 10779check simplifiable_statements (if_for_case); 10780@end example 10781 10782@subsection Instantiations 10783The rule does not print the number of instantiations any more, since the same 10784effect can be achieved with the ``count'' control kind. 10785 10786@subsection Local_Instantiation 10787This rule has been removed, since its effect can now be achieved with other rules: 10788the rule ``declarations'' to check for local instantiations of any generic, and the rule 10789``instantiations'' to check for local instantiations of specified generics. 10790Change: 10791@example 10792R1: check Local_Instantiation; 10793R2: search Local_Instantiation (Ada.Unchecked_Conversion); 10794@end example 10795to: 10796@example 10797R1: check declarations (local instantiation); 10798R2: search Instantiations (local Ada.Unchecked_Conversion); 10799@end example 10800 10801@subsection Naming_Convention 10802Quotes are no more optional around patterns. 10803 10804The <location> modifier is now before the <filter_kind> (it was before the 10805pattern previously). This may require splitting the rule in two in some cases. 10806For example, change: 10807@example 10808check naming_convention (object, local "^L_", global "^G_"); 10809@end example 10810to: 10811@example 10812check naming_convention (local object, "^L_"); 10813check naming_convention (global object, "^G_"); 10814@end example 10815 10816@subsection No_Safe_Initialization 10817The name of this rule has been changed to ``improper_initialization'', 10818since it now controls other cases of improper initialization. 10819 10820@subsection Special_Comments 10821Quotes are no more optional around patterns. 10822 10823@subsection Statements 10824Two subrules of this rule have migrated to the new rule 10825``simplifiable_statements'' (with slightly different names). Change: 10826@example 10827check statements (unnecessary_null); 10828check statements (while_true); 10829@end example 10830to: 10831@example 10832check simplifiable_statements (null); 10833check simplifiable_statements (loop); 10834@end example 10835 10836@section Migrating from 1.5r24 10837@subsection Declarations 10838The subrule ``Formal_In_Out'' has been renamed as 10839``In_Out_Generic_Parameter'', for consistency with the new 10840``In_Out_Parameter'' subrule. 10841 10842The subrules ``renames'' and ``not_operator_renames'' have been renamed 10843to ``renaming'' and ``not_operator_renaming''. 10844 10845As a consequence of being able to specify the location of any 10846construct, the subrules ``nested_function_instantiation'', 10847``nested_generic_function'', ``nested_generic_package'', 10848``nested_generic_procedure'', ``nested_package'', 10849``nested_package_instantiation'', and 10850``nested_procedure_instantiation'' have been removed and replaced with 10851the corresponding general construct (without ``nested_''). You can 10852have the same effect by specifying the ``nested'' modifier in front of 10853them. I.e., change: 10854@example 10855check declarations (nested_generic_function); 10856@end example 10857to: 10858@example 10859check declarations (nested generic_function); 10860@end example 10861 10862@subsection Naming_Convention 10863The <location> keyword is placed before the <Filter_Kind> keyword instead of 10864before the <Pattern>, which looks more natural. The ``Any'' keyword has been removed, 10865since omitting the <location> keyword has the same effect. Change: 10866@example 10867check naming_convention (variable, global "^G_"); 10868check naming_convention (package, any "^Pack_"); 10869@end example 10870to: 10871@example 10872check naming_convention (global variable, "^G_"); 10873check naming_convention (package, "^Pack_"); 10874@end example 10875 10876@subsection Non_Static_Constraint 10877This rule is now called Non_Static, since it is no more restricted to 10878constraints. The parameters ``index'' and ``discriminant'' have been 10879changed to ``index_constraint'' and ``discriminant_constraint'', 10880respectively. Change: 10881@example 10882check non_static_constraint (index, discriminant); 10883@end example 10884to: 10885@example 10886check non_static (index_constraint, discriminant_constraint); 10887@end example 10888 10889@subsection Positional_Parameters 10890This rule has been renamed to @code{Insufficient_Parameters}, since it does no more 10891handle the ``maximum'' subrule. Controlling positional parameters according to their number 10892is now done by the rule @code{style (positional_association)}. Change: 10893@example 10894check positional_parameters (maximum, 3); 10895check positional_parameters (insufficient, 2, Boolean); 10896@end example 10897to: 10898@example 10899check style (positional_association, call, 3); 10900check insufficient_parameters (2, Boolean); 10901@end example 10902 10903@subsection Real_Operator 10904This rule is no more a rule of its own, it is a subrule of the (new) 10905rule Expressions, whose name is Real_Equality. Change: 10906@example 10907check Real_Operators; 10908@end example 10909to: 10910@example 10911check expressions (Real_Equality); 10912@end example 10913 10914@subsection Style 10915The name of the subrule ``casing'' has been changed to 10916``casing_identifier'' since the casing of attributes and pragmas can 10917now also be checked. The casing style is no more optional. 10918 10919The name of the subrule ``literal'' has been changed to 10920``numeric_literal'' (since characters and strings are also literals, 10921but are not handled by this subrule). 10922 10923The subrule ``exposed_literal'' now requires an extra parameter to 10924tell whether it applies to integer literals, real literals, character 10925literals or string literals. Allowed values are provided after this 10926parameter, and must of course be of the appropriate type. In short, if 10927you had: 10928@example 10929check style (exposed_literal, 0, 1, 0.0, 1.0); 10930@end example 10931you must change it to: 10932@example 10933check style (exposed_literal, integer, 0, 1) 10934check style (exposed_literal, real, 0.0, 1.0); 10935@end example 10936 10937The ``aggregate'' parameter of the subrule ``positional_association'' 10938has been split into ``array_aggregate'' and ``record_aggregate''. For example, 10939change: 10940@example 10941check style (positional_association, aggregate); 10942@end example 10943into: 10944@example 10945check style (positional_association, record_aggregate, array_aggregate); 10946@end example 10947 10948 10949@section Migrating from 1.4r20 10950@subsection GPS integration 10951The XML file used to describe AdaControl features to GPS used to be 10952called @code{adactl.xml}. It is now called @code{zadactl.xml}, since 10953GPS processes its initialization files in alphabetical order. This 10954avoids shuffling the menus when AdaControl support is activated. 10955 10956Make sure to remove the old @code{adactl.xml} file from the GPS 10957plug-ins directory before installing the new version. 10958 10959@subsection Declarations 10960The parameters ``access'' and ``access_subprogram'' have been changed 10961to ``access_type'' and ``access_subprogram_type'', for consistency 10962with the new parameters. 10963 10964@subsection Header_Comments 10965A keyword has been added to specify the required number of comment lines. 10966Change: 10967@example 10968check Header_Comments (10); 10969@end example 10970to: 10971@example 10972check Header_Comments (minimum, 10); 10973@end example 10974 10975@subsection No_Closing_Name 10976This rule is now part of the ``style'' rule. Change: 10977@example 10978check|search|count No_Closing_Name; 10979@end example 10980to: 10981@example 10982check|search|count Style (No_Closing_Name); 10983@end example 10984 10985@subsection Specification_Objects 10986This rule is now part of the ``usage'' rule. Change: 10987@example 10988check|search|count Specification_Objects (<parameters>); 10989@end example 10990to: 10991@example 10992check|search|count Usage (Object, From_Spec, <parameters>); 10993@end example 10994 10995@subsection Statement 10996Name changed from ``statement'' to ``statements'' (added an 's'), to 10997be consistent with other rules. 10998 10999@subsection When_Others_Null 11000This rule is now part of the ``statements'' rule. Change: 11001@example 11002check|search|count When_Others_Null (case); 11003check|search|count When_Others_Null (exception); 11004@end example 11005to: 11006@example 11007check|search|count Statements (case_others_null); 11008check|search|count Statements (exception_others_null); 11009@end example 11010@bye 11011