1.. _Standard_and_Implementation_Defined_Restrictions: 2 3************************************************ 4Standard and Implementation Defined Restrictions 5************************************************ 6 7All Ada Reference Manual-defined Restriction identifiers are implemented: 8 9* language-defined restrictions (see 13.12.1) 10* tasking restrictions (see D.7) 11* high integrity restrictions (see H.4) 12 13GNAT implements additional restriction identifiers. All restrictions, whether 14language defined or GNAT-specific, are listed in the following. 15 16.. _Partition-Wide_Restrictions: 17 18Partition-Wide Restrictions 19=========================== 20 21There are two separate lists of restriction identifiers. The first 22set requires consistency throughout a partition (in other words, if the 23restriction identifier is used for any compilation unit in the partition, 24then all compilation units in the partition must obey the restriction). 25 26Immediate_Reclamation 27--------------------- 28.. index:: Immediate_Reclamation 29 30[RM H.4] This restriction ensures that, except for storage occupied by 31objects created by allocators and not deallocated via unchecked 32deallocation, any storage reserved at run time for an object is 33immediately reclaimed when the object no longer exists. 34 35Max_Asynchronous_Select_Nesting 36------------------------------- 37.. index:: Max_Asynchronous_Select_Nesting 38 39[RM D.7] Specifies the maximum dynamic nesting level of asynchronous 40selects. Violations of this restriction with a value of zero are 41detected at compile time. Violations of this restriction with values 42other than zero cause Storage_Error to be raised. 43 44Max_Entry_Queue_Length 45---------------------- 46.. index:: Max_Entry_Queue_Length 47 48[RM D.7] This restriction is a declaration that any protected entry compiled in 49the scope of the restriction has at most the specified number of 50tasks waiting on the entry at any one time, and so no queue is required. 51Note that this restriction is checked at run time. Violation of this 52restriction results in the raising of Program_Error exception at the point of 53the call. 54 55.. index:: Max_Entry_Queue_Depth 56 57The restriction ``Max_Entry_Queue_Depth`` is recognized as a 58synonym for ``Max_Entry_Queue_Length``. This is retained for historical 59compatibility purposes (and a warning will be generated for its use if 60warnings on obsolescent features are activated). 61 62Max_Protected_Entries 63--------------------- 64.. index:: Max_Protected_Entries 65 66[RM D.7] Specifies the maximum number of entries per protected type. The 67bounds of every entry family of a protected unit shall be static, or shall be 68defined by a discriminant of a subtype whose corresponding bound is static. 69 70Max_Select_Alternatives 71----------------------- 72.. index:: Max_Select_Alternatives 73 74[RM D.7] Specifies the maximum number of alternatives in a selective accept. 75 76Max_Storage_At_Blocking 77----------------------- 78.. index:: Max_Storage_At_Blocking 79 80[RM D.7] Specifies the maximum portion (in storage elements) of a task's 81Storage_Size that can be retained by a blocked task. A violation of this 82restriction causes Storage_Error to be raised. 83 84Max_Task_Entries 85---------------- 86.. index:: Max_Task_Entries 87 88[RM D.7] Specifies the maximum number of entries 89per task. The bounds of every entry family 90of a task unit shall be static, or shall be 91defined by a discriminant of a subtype whose 92corresponding bound is static. 93 94Max_Tasks 95--------- 96.. index:: Max_Tasks 97 98[RM D.7] Specifies the maximum number of task that may be created, not 99counting the creation of the environment task. Violations of this 100restriction with a value of zero are detected at compile 101time. Violations of this restriction with values other than zero cause 102Storage_Error to be raised. 103 104No_Abort_Statements 105------------------- 106.. index:: No_Abort_Statements 107 108[RM D.7] There are no abort_statements, and there are 109no calls to Task_Identification.Abort_Task. 110 111No_Access_Parameter_Allocators 112------------------------------ 113.. index:: No_Access_Parameter_Allocators 114 115[RM H.4] This restriction ensures at compile time that there are no 116occurrences of an allocator as the actual parameter to an access 117parameter. 118 119No_Access_Subprograms 120--------------------- 121.. index:: No_Access_Subprograms 122 123[RM H.4] This restriction ensures at compile time that there are no 124declarations of access-to-subprogram types. 125 126No_Allocators 127------------- 128.. index:: No_Allocators 129 130[RM H.4] This restriction ensures at compile time that there are no 131occurrences of an allocator. 132 133No_Anonymous_Allocators 134----------------------- 135.. index:: No_Anonymous_Allocators 136 137[RM H.4] This restriction ensures at compile time that there are no 138occurrences of an allocator of anonymous access type. 139 140No_Asynchronous_Control 141----------------------- 142.. index:: No_Asynchronous_Control 143 144[RM J.13] This restriction ensures at compile time that there are no semantic 145dependences on the predefined package Asynchronous_Task_Control. 146 147No_Calendar 148----------- 149.. index:: No_Calendar 150 151[GNAT] This restriction ensures at compile time that there are no semantic 152dependences on package Calendar. 153 154No_Coextensions 155--------------- 156.. index:: No_Coextensions 157 158[RM H.4] This restriction ensures at compile time that there are no 159coextensions. See 3.10.2. 160 161No_Default_Initialization 162------------------------- 163.. index:: No_Default_Initialization 164 165[GNAT] This restriction prohibits any instance of default initialization 166of variables. The binder implements a consistency rule which prevents 167any unit compiled without the restriction from with'ing a unit with the 168restriction (this allows the generation of initialization procedures to 169be skipped, since you can be sure that no call is ever generated to an 170initialization procedure in a unit with the restriction active). If used 171in conjunction with Initialize_Scalars or Normalize_Scalars, the effect 172is to prohibit all cases of variables declared without a specific 173initializer (including the case of OUT scalar parameters). 174 175No_Delay 176-------- 177.. index:: No_Delay 178 179[RM H.4] This restriction ensures at compile time that there are no 180delay statements and no semantic dependences on package Calendar. 181 182No_Dependence 183------------- 184.. index:: No_Dependence 185 186[RM 13.12.1] This restriction ensures at compile time that there are no 187dependences on a library unit. 188 189No_Direct_Boolean_Operators 190--------------------------- 191.. index:: No_Direct_Boolean_Operators 192 193[GNAT] This restriction ensures that no logical operators (and/or/xor) 194are used on operands of type Boolean (or any type derived from Boolean). 195This is intended for use in safety critical programs where the certification 196protocol requires the use of short-circuit (and then, or else) forms for all 197composite boolean operations. 198 199No_Dispatch 200----------- 201.. index:: No_Dispatch 202 203[RM H.4] This restriction ensures at compile time that there are no 204occurrences of ``T'Class``, for any (tagged) subtype ``T``. 205 206No_Dispatching_Calls 207-------------------- 208.. index:: No_Dispatching_Calls 209 210[GNAT] This restriction ensures at compile time that the code generated by the 211compiler involves no dispatching calls. The use of this restriction allows the 212safe use of record extensions, classwide membership tests and other classwide 213features not involving implicit dispatching. This restriction ensures that 214the code contains no indirect calls through a dispatching mechanism. Note that 215this includes internally-generated calls created by the compiler, for example 216in the implementation of class-wide objects assignments. The 217membership test is allowed in the presence of this restriction, because its 218implementation requires no dispatching. 219This restriction is comparable to the official Ada restriction 220``No_Dispatch`` except that it is a bit less restrictive in that it allows 221all classwide constructs that do not imply dispatching. 222The following example indicates constructs that violate this restriction. 223 224 225.. code-block:: ada 226 227 package Pkg is 228 type T is tagged record 229 Data : Natural; 230 end record; 231 procedure P (X : T); 232 233 type DT is new T with record 234 More_Data : Natural; 235 end record; 236 procedure Q (X : DT); 237 end Pkg; 238 239 with Pkg; use Pkg; 240 procedure Example is 241 procedure Test (O : T'Class) is 242 N : Natural := O'Size;-- Error: Dispatching call 243 C : T'Class := O; -- Error: implicit Dispatching Call 244 begin 245 if O in DT'Class then -- OK : Membership test 246 Q (DT (O)); -- OK : Type conversion plus direct call 247 else 248 P (O); -- Error: Dispatching call 249 end if; 250 end Test; 251 252 Obj : DT; 253 begin 254 P (Obj); -- OK : Direct call 255 P (T (Obj)); -- OK : Type conversion plus direct call 256 P (T'Class (Obj)); -- Error: Dispatching call 257 258 Test (Obj); -- OK : Type conversion 259 260 if Obj in T'Class then -- OK : Membership test 261 null; 262 end if; 263 end Example; 264 265 266No_Dynamic_Attachment 267--------------------- 268.. index:: No_Dynamic_Attachment 269 270[RM D.7] This restriction ensures that there is no call to any of the 271operations defined in package Ada.Interrupts 272(Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler, 273Detach_Handler, and Reference). 274 275.. index:: No_Dynamic_Interrupts 276 277The restriction ``No_Dynamic_Interrupts`` is recognized as a 278synonym for ``No_Dynamic_Attachment``. This is retained for historical 279compatibility purposes (and a warning will be generated for its use if 280warnings on obsolescent features are activated). 281 282No_Dynamic_Priorities 283--------------------- 284.. index:: No_Dynamic_Priorities 285 286[RM D.7] There are no semantic dependencies on the package Dynamic_Priorities. 287 288No_Entry_Calls_In_Elaboration_Code 289---------------------------------- 290.. index:: No_Entry_Calls_In_Elaboration_Code 291 292[GNAT] This restriction ensures at compile time that no task or protected entry 293calls are made during elaboration code. As a result of the use of this 294restriction, the compiler can assume that no code past an accept statement 295in a task can be executed at elaboration time. 296 297No_Enumeration_Maps 298------------------- 299.. index:: No_Enumeration_Maps 300 301[GNAT] This restriction ensures at compile time that no operations requiring 302enumeration maps are used (that is Image and Value attributes applied 303to enumeration types). 304 305No_Exception_Handlers 306--------------------- 307.. index:: No_Exception_Handlers 308 309[GNAT] This restriction ensures at compile time that there are no explicit 310exception handlers. It also indicates that no exception propagation will 311be provided. In this mode, exceptions may be raised but will result in 312an immediate call to the last chance handler, a routine that the user 313must define with the following profile: 314 315 316.. code-block:: ada 317 318 procedure Last_Chance_Handler 319 (Source_Location : System.Address; Line : Integer); 320 pragma Export (C, Last_Chance_Handler, 321 "__gnat_last_chance_handler"); 322 323 324The parameter is a C null-terminated string representing a message to be 325associated with the exception (typically the source location of the raise 326statement generated by the compiler). The Line parameter when nonzero 327represents the line number in the source program where the raise occurs. 328 329No_Exception_Propagation 330------------------------ 331.. index:: No_Exception_Propagation 332 333[GNAT] This restriction guarantees that exceptions are never propagated 334to an outer subprogram scope. The only case in which an exception may 335be raised is when the handler is statically in the same subprogram, so 336that the effect of a raise is essentially like a goto statement. Any 337other raise statement (implicit or explicit) will be considered 338unhandled. Exception handlers are allowed, but may not contain an 339exception occurrence identifier (exception choice). In addition, use of 340the package GNAT.Current_Exception is not permitted, and reraise 341statements (raise with no operand) are not permitted. 342 343No_Exception_Registration 344------------------------- 345.. index:: No_Exception_Registration 346 347[GNAT] This restriction ensures at compile time that no stream operations for 348types Exception_Id or Exception_Occurrence are used. This also makes it 349impossible to pass exceptions to or from a partition with this restriction 350in a distributed environment. If this restriction is active, the generated 351code is simplified by omitting the otherwise-required global registration 352of exceptions when they are declared. 353 354No_Exceptions 355------------- 356.. index:: No_Exceptions 357 358[RM H.4] This restriction ensures at compile time that there are no 359raise statements and no exception handlers and also suppresses the 360generation of language-defined run-time checks. 361 362 363No_Finalization 364--------------- 365.. index:: No_Finalization 366 367[GNAT] This restriction disables the language features described in 368chapter 7.6 of the Ada 2005 RM as well as all form of code generation 369performed by the compiler to support these features. The following types 370are no longer considered controlled when this restriction is in effect: 371 372* 373 ``Ada.Finalization.Controlled`` 374* 375 ``Ada.Finalization.Limited_Controlled`` 376* 377 Derivations from ``Controlled`` or ``Limited_Controlled`` 378* 379 Class-wide types 380* 381 Protected types 382* 383 Task types 384* 385 Array and record types with controlled components 386 387The compiler no longer generates code to initialize, finalize or adjust an 388object or a nested component, either declared on the stack or on the heap. The 389deallocation of a controlled object no longer finalizes its contents. 390 391No_Fixed_Point 392-------------- 393.. index:: No_Fixed_Point 394 395[RM H.4] This restriction ensures at compile time that there are no 396occurrences of fixed point types and operations. 397 398No_Floating_Point 399----------------- 400.. index:: No_Floating_Point 401 402[RM H.4] This restriction ensures at compile time that there are no 403occurrences of floating point types and operations. 404 405No_Implicit_Conditionals 406------------------------ 407.. index:: No_Implicit_Conditionals 408 409[GNAT] This restriction ensures that the generated code does not contain any 410implicit conditionals, either by modifying the generated code where possible, 411or by rejecting any construct that would otherwise generate an implicit 412conditional. Note that this check does not include run time constraint 413checks, which on some targets may generate implicit conditionals as 414well. To control the latter, constraint checks can be suppressed in the 415normal manner. Constructs generating implicit conditionals include comparisons 416of composite objects and the Max/Min attributes. 417 418No_Implicit_Dynamic_Code 419------------------------ 420.. index:: No_Implicit_Dynamic_Code 421.. index:: trampoline 422 423[GNAT] This restriction prevents the compiler from building 'trampolines'. 424This is a structure that is built on the stack and contains dynamic 425code to be executed at run time. On some targets, a trampoline is 426built for the following features: ``Access``, 427``Unrestricted_Access``, or ``Address`` of a nested subprogram; 428nested task bodies; primitive operations of nested tagged types. 429Trampolines do not work on machines that prevent execution of stack 430data. For example, on windows systems, enabling DEP (data execution 431protection) will cause trampolines to raise an exception. 432Trampolines are also quite slow at run time. 433 434On many targets, trampolines have been largely eliminated. Look at the 435version of system.ads for your target --- if it has 436Always_Compatible_Rep equal to False, then trampolines are largely 437eliminated. In particular, a trampoline is built for the following 438features: ``Address`` of a nested subprogram; 439``Access`` or ``Unrestricted_Access`` of a nested subprogram, 440but only if pragma Favor_Top_Level applies, or the access type has a 441foreign-language convention; primitive operations of nested tagged 442types. 443 444No_Implicit_Heap_Allocations 445---------------------------- 446.. index:: No_Implicit_Heap_Allocations 447 448[RM D.7] No constructs are allowed to cause implicit heap allocation. 449 450No_Implicit_Protected_Object_Allocations 451---------------------------------------- 452.. index:: No_Implicit_Protected_Object_Allocations 453 454[GNAT] No constructs are allowed to cause implicit heap allocation of a 455protected object. 456 457No_Implicit_Task_Allocations 458---------------------------- 459.. index:: No_Implicit_Task_Allocations 460 461[GNAT] No constructs are allowed to cause implicit heap allocation of a task. 462 463No_Initialize_Scalars 464--------------------- 465.. index:: No_Initialize_Scalars 466 467[GNAT] This restriction ensures that no unit in the partition is compiled with 468pragma Initialize_Scalars. This allows the generation of more efficient 469code, and in particular eliminates dummy null initialization routines that 470are otherwise generated for some record and array types. 471 472No_IO 473----- 474.. index:: No_IO 475 476[RM H.4] This restriction ensures at compile time that there are no 477dependences on any of the library units Sequential_IO, Direct_IO, 478Text_IO, Wide_Text_IO, Wide_Wide_Text_IO, or Stream_IO. 479 480No_Local_Allocators 481------------------- 482.. index:: No_Local_Allocators 483 484[RM H.4] This restriction ensures at compile time that there are no 485occurrences of an allocator in subprograms, generic subprograms, tasks, 486and entry bodies. 487 488No_Local_Protected_Objects 489-------------------------- 490.. index:: No_Local_Protected_Objects 491 492[RM D.7] This restriction ensures at compile time that protected objects are 493only declared at the library level. 494 495No_Local_Timing_Events 496---------------------- 497.. index:: No_Local_Timing_Events 498 499[RM D.7] All objects of type Ada.Real_Time.Timing_Events.Timing_Event are 500declared at the library level. 501 502No_Long_Long_Integers 503--------------------- 504.. index:: No_Long_Long_Integers 505 506[GNAT] This partition-wide restriction forbids any explicit reference to 507type Standard.Long_Long_Integer, and also forbids declaring range types whose 508implicit base type is Long_Long_Integer, and modular types whose size exceeds 509Long_Integer'Size. 510 511No_Multiple_Elaboration 512----------------------- 513.. index:: No_Multiple_Elaboration 514 515[GNAT] When this restriction is active and the static elaboration model is 516used, and -fpreserve-control-flow is not used, the compiler is allowed to 517suppress the elaboration counter normally associated with the unit, even if 518the unit has elaboration code. This counter is typically used to check for 519access before elaboration and to control multiple elaboration attempts. If the 520restriction is used, then the situations in which multiple elaboration is 521possible, including non-Ada main programs and Stand Alone libraries, are not 522permitted and will be diagnosed by the binder. 523 524No_Nested_Finalization 525---------------------- 526.. index:: No_Nested_Finalization 527 528[RM D.7] All objects requiring finalization are declared at the library level. 529 530No_Protected_Type_Allocators 531---------------------------- 532.. index:: No_Protected_Type_Allocators 533 534[RM D.7] This restriction ensures at compile time that there are no allocator 535expressions that attempt to allocate protected objects. 536 537No_Protected_Types 538------------------ 539.. index:: No_Protected_Types 540 541[RM H.4] This restriction ensures at compile time that there are no 542declarations of protected types or protected objects. 543 544No_Recursion 545------------ 546.. index:: No_Recursion 547 548[RM H.4] A program execution is erroneous if a subprogram is invoked as 549part of its execution. 550 551No_Reentrancy 552------------- 553.. index:: No_Reentrancy 554 555[RM H.4] A program execution is erroneous if a subprogram is executed by 556two tasks at the same time. 557 558No_Relative_Delay 559----------------- 560.. index:: No_Relative_Delay 561 562[RM D.7] This restriction ensures at compile time that there are no delay 563relative statements and prevents expressions such as ``delay 1.23;`` from 564appearing in source code. 565 566No_Requeue_Statements 567--------------------- 568.. index:: No_Requeue_Statements 569 570[RM D.7] This restriction ensures at compile time that no requeue statements 571are permitted and prevents keyword ``requeue`` from being used in source 572code. 573 574.. index:: No_Requeue 575 576The restriction ``No_Requeue`` is recognized as a 577synonym for ``No_Requeue_Statements``. This is retained for historical 578compatibility purposes (and a warning will be generated for its use if 579warnings on oNobsolescent features are activated). 580 581No_Secondary_Stack 582------------------ 583.. index:: No_Secondary_Stack 584 585[GNAT] This restriction ensures at compile time that the generated code 586does not contain any reference to the secondary stack. The secondary 587stack is used to implement functions returning unconstrained objects 588(arrays or records) on some targets. Suppresses the allocation of 589secondary stacks for tasks (excluding the environment task) at run time. 590 591No_Select_Statements 592-------------------- 593.. index:: No_Select_Statements 594 595[RM D.7] This restriction ensures at compile time no select statements of any 596kind are permitted, that is the keyword ``select`` may not appear. 597 598No_Specific_Termination_Handlers 599-------------------------------- 600.. index:: No_Specific_Termination_Handlers 601 602[RM D.7] There are no calls to Ada.Task_Termination.Set_Specific_Handler 603or to Ada.Task_Termination.Specific_Handler. 604 605No_Specification_of_Aspect 606-------------------------- 607.. index:: No_Specification_of_Aspect 608 609[RM 13.12.1] This restriction checks at compile time that no aspect 610specification, attribute definition clause, or pragma is given for a 611given aspect. 612 613No_Standard_Allocators_After_Elaboration 614---------------------------------------- 615.. index:: No_Standard_Allocators_After_Elaboration 616 617[RM D.7] Specifies that an allocator using a standard storage pool 618should never be evaluated at run time after the elaboration of the 619library items of the partition has completed. Otherwise, Storage_Error 620is raised. 621 622No_Standard_Storage_Pools 623------------------------- 624.. index:: No_Standard_Storage_Pools 625 626[GNAT] This restriction ensures at compile time that no access types 627use the standard default storage pool. Any access type declared must 628have an explicit Storage_Pool attribute defined specifying a 629user-defined storage pool. 630 631No_Stream_Optimizations 632----------------------- 633.. index:: No_Stream_Optimizations 634 635[GNAT] This restriction affects the performance of stream operations on types 636``String``, ``Wide_String`` and ``Wide_Wide_String``. By default, the 637compiler uses block reads and writes when manipulating ``String`` objects 638due to their superior performance. When this restriction is in effect, the 639compiler performs all IO operations on a per-character basis. 640 641No_Streams 642---------- 643.. index:: No_Streams 644 645[GNAT] This restriction ensures at compile/bind time that there are no 646stream objects created and no use of stream attributes. 647This restriction does not forbid dependences on the package 648``Ada.Streams``. So it is permissible to with 649``Ada.Streams`` (or another package that does so itself) 650as long as no actual stream objects are created and no 651stream attributes are used. 652 653Note that the use of restriction allows optimization of tagged types, 654since they do not need to worry about dispatching stream operations. 655To take maximum advantage of this space-saving optimization, any 656unit declaring a tagged type should be compiled with the restriction, 657though this is not required. 658 659No_Task_Allocators 660------------------ 661.. index:: No_Task_Allocators 662 663[RM D.7] There are no allocators for task types 664or types containing task subcomponents. 665 666No_Task_At_Interrupt_Priority 667----------------------------- 668.. index:: No_Task_At_Interrupt_Priority 669 670[GNAT] This restriction ensures at compile time that there is no 671Interrupt_Priority aspect or pragma for a task or a task type. As 672a consequence, the tasks are always created with a priority below 673that an interrupt priority. 674 675No_Task_Attributes_Package 676-------------------------- 677.. index:: No_Task_Attributes_Package 678 679[GNAT] This restriction ensures at compile time that there are no implicit or 680explicit dependencies on the package ``Ada.Task_Attributes``. 681 682.. index:: No_Task_Attributes 683 684The restriction ``No_Task_Attributes`` is recognized as a synonym 685for ``No_Task_Attributes_Package``. This is retained for historical 686compatibility purposes (and a warning will be generated for its use if 687warnings on obsolescent features are activated). 688 689No_Task_Hierarchy 690----------------- 691.. index:: No_Task_Hierarchy 692 693[RM D.7] All (non-environment) tasks depend 694directly on the environment task of the partition. 695 696No_Task_Termination 697------------------- 698.. index:: No_Task_Termination 699 700[RM D.7] Tasks that terminate are erroneous. 701 702No_Tasking 703---------- 704.. index:: No_Tasking 705 706[GNAT] This restriction prevents the declaration of tasks or task types 707throughout the partition. It is similar in effect to the use of 708``Max_Tasks => 0`` except that violations are caught at compile time 709and cause an error message to be output either by the compiler or 710binder. 711 712No_Terminate_Alternatives 713------------------------- 714.. index:: No_Terminate_Alternatives 715 716[RM D.7] There are no selective accepts with terminate alternatives. 717 718No_Unchecked_Access 719------------------- 720.. index:: No_Unchecked_Access 721 722[RM H.4] This restriction ensures at compile time that there are no 723occurrences of the Unchecked_Access attribute. 724 725No_Unchecked_Conversion 726----------------------- 727.. index:: No_Unchecked_Conversion 728 729[RM J.13] This restriction ensures at compile time that there are no semantic 730dependences on the predefined generic function Unchecked_Conversion. 731 732No_Unchecked_Deallocation 733------------------------- 734.. index:: No_Unchecked_Deallocation 735 736[RM J.13] This restriction ensures at compile time that there are no semantic 737dependences on the predefined generic procedure Unchecked_Deallocation. 738 739No_Use_Of_Entity 740---------------- 741.. index:: No_Use_Of_Entity 742 743[GNAT] This restriction ensures at compile time that there are no references 744to the entity given in the form :: 745 746 No_Use_Of_Entity => Name 747 748where ``Name`` is the fully qualified entity, for example :: 749 750 No_Use_Of_Entity => Ada.Text_IO.Put_Line 751 752Pure_Barriers 753------------- 754.. index:: Pure_Barriers 755 756[GNAT] This restriction ensures at compile time that protected entry 757barriers are restricted to: 758 759* components of the protected object (excluding selection from dereferences), 760* constant declarations, 761* named numbers, 762* enumeration literals, 763* integer literals, 764* real literals, 765* character literals, 766* implicitly defined comparison operators, 767* uses of the Standard."not" operator, 768* short-circuit operator, 769* the Count attribute 770 771This restriction is a relaxation of the Simple_Barriers restriction, 772but still ensures absence of side effects, exceptions, and recursion 773during the evaluation of the barriers. 774 775Simple_Barriers 776--------------- 777.. index:: Simple_Barriers 778 779[RM D.7] This restriction ensures at compile time that barriers in entry 780declarations for protected types are restricted to either static boolean 781expressions or references to simple boolean variables defined in the private 782part of the protected type. No other form of entry barriers is permitted. 783 784.. index:: Boolean_Entry_Barriers 785 786The restriction ``Boolean_Entry_Barriers`` is recognized as a 787synonym for ``Simple_Barriers``. This is retained for historical 788compatibility purposes (and a warning will be generated for its use if 789warnings on obsolescent features are activated). 790 791Static_Priorities 792----------------- 793.. index:: Static_Priorities 794 795[GNAT] This restriction ensures at compile time that all priority expressions 796are static, and that there are no dependences on the package 797``Ada.Dynamic_Priorities``. 798 799Static_Storage_Size 800------------------- 801.. index:: Static_Storage_Size 802 803[GNAT] This restriction ensures at compile time that any expression appearing 804in a Storage_Size pragma or attribute definition clause is static. 805 806.. _Program_Unit_Level_Restrictions: 807 808 809Program Unit Level Restrictions 810=============================== 811 812The second set of restriction identifiers 813does not require partition-wide consistency. 814The restriction may be enforced for a single 815compilation unit without any effect on any of the 816other compilation units in the partition. 817 818No_Elaboration_Code 819------------------- 820.. index:: No_Elaboration_Code 821 822[GNAT] This restriction ensures at compile time that no elaboration code is 823generated. Note that this is not the same condition as is enforced 824by pragma ``Preelaborate``. There are cases in which pragma 825``Preelaborate`` still permits code to be generated (e.g., code 826to initialize a large array to all zeroes), and there are cases of units 827which do not meet the requirements for pragma ``Preelaborate``, 828but for which no elaboration code is generated. Generally, it is 829the case that preelaborable units will meet the restrictions, with 830the exception of large aggregates initialized with an others_clause, 831and exception declarations (which generate calls to a run-time 832registry procedure). This restriction is enforced on 833a unit by unit basis, it need not be obeyed consistently 834throughout a partition. 835 836In the case of aggregates with others, if the aggregate has a dynamic 837size, there is no way to eliminate the elaboration code (such dynamic 838bounds would be incompatible with ``Preelaborate`` in any case). If 839the bounds are static, then use of this restriction actually modifies 840the code choice of the compiler to avoid generating a loop, and instead 841generate the aggregate statically if possible, no matter how many times 842the data for the others clause must be repeatedly generated. 843 844It is not possible to precisely document 845the constructs which are compatible with this restriction, since, 846unlike most other restrictions, this is not a restriction on the 847source code, but a restriction on the generated object code. For 848example, if the source contains a declaration: 849 850 851.. code-block:: ada 852 853 Val : constant Integer := X; 854 855 856where X is not a static constant, it may be possible, depending 857on complex optimization circuitry, for the compiler to figure 858out the value of X at compile time, in which case this initialization 859can be done by the loader, and requires no initialization code. It 860is not possible to document the precise conditions under which the 861optimizer can figure this out. 862 863Note that this the implementation of this restriction requires full 864code generation. If it is used in conjunction with "semantics only" 865checking, then some cases of violations may be missed. 866 867When this restriction is active, we are not requesting control-flow 868preservation with -fpreserve-control-flow, and the static elaboration model is 869used, the compiler is allowed to suppress the elaboration counter normally 870associated with the unit. This counter is typically used to check for access 871before elaboration and to control multiple elaboration attempts. 872 873No_Dynamic_Sized_Objects 874------------------------ 875.. index:: No_Dynamic_Sized_Objects 876 877[GNAT] This restriction disallows certain constructs that might lead to the 878creation of dynamic-sized composite objects (or array or discriminated type). 879An array subtype indication is illegal if the bounds are not static 880or references to discriminants of an enclosing type. 881A discriminated subtype indication is illegal if the type has 882discriminant-dependent array components or a variant part, and the 883discriminants are not static. In addition, array and record aggregates are 884illegal in corresponding cases. Note that this restriction does not forbid 885access discriminants. It is often a good idea to combine this restriction 886with No_Secondary_Stack. 887 888No_Entry_Queue 889-------------- 890.. index:: No_Entry_Queue 891 892[GNAT] This restriction is a declaration that any protected entry compiled in 893the scope of the restriction has at most one task waiting on the entry 894at any one time, and so no queue is required. This restriction is not 895checked at compile time. A program execution is erroneous if an attempt 896is made to queue a second task on such an entry. 897 898No_Implementation_Aspect_Specifications 899--------------------------------------- 900.. index:: No_Implementation_Aspect_Specifications 901 902[RM 13.12.1] This restriction checks at compile time that no 903GNAT-defined aspects are present. With this restriction, the only 904aspects that can be used are those defined in the Ada Reference Manual. 905 906No_Implementation_Attributes 907---------------------------- 908.. index:: No_Implementation_Attributes 909 910[RM 13.12.1] This restriction checks at compile time that no 911GNAT-defined attributes are present. With this restriction, the only 912attributes that can be used are those defined in the Ada Reference 913Manual. 914 915No_Implementation_Identifiers 916----------------------------- 917.. index:: No_Implementation_Identifiers 918 919[RM 13.12.1] This restriction checks at compile time that no 920implementation-defined identifiers (marked with pragma Implementation_Defined) 921occur within language-defined packages. 922 923No_Implementation_Pragmas 924------------------------- 925.. index:: No_Implementation_Pragmas 926 927[RM 13.12.1] This restriction checks at compile time that no 928GNAT-defined pragmas are present. With this restriction, the only 929pragmas that can be used are those defined in the Ada Reference Manual. 930 931No_Implementation_Restrictions 932------------------------------ 933.. index:: No_Implementation_Restrictions 934 935[GNAT] This restriction checks at compile time that no GNAT-defined restriction 936identifiers (other than ``No_Implementation_Restrictions`` itself) 937are present. With this restriction, the only other restriction identifiers 938that can be used are those defined in the Ada Reference Manual. 939 940No_Implementation_Units 941----------------------- 942.. index:: No_Implementation_Units 943 944[RM 13.12.1] This restriction checks at compile time that there is no 945mention in the context clause of any implementation-defined descendants 946of packages Ada, Interfaces, or System. 947 948No_Implicit_Aliasing 949-------------------- 950.. index:: No_Implicit_Aliasing 951 952[GNAT] This restriction, which is not required to be partition-wide consistent, 953requires an explicit aliased keyword for an object to which 'Access, 954'Unchecked_Access, or 'Address is applied, and forbids entirely the use of 955the 'Unrestricted_Access attribute for objects. Note: the reason that 956Unrestricted_Access is forbidden is that it would require the prefix 957to be aliased, and in such cases, it can always be replaced by 958the standard attribute Unchecked_Access which is preferable. 959 960No_Implicit_Loops 961----------------- 962.. index:: No_Implicit_Loops 963 964[GNAT] This restriction ensures that the generated code of the unit marked 965with this restriction does not contain any implicit ``for`` loops, either by 966modifying the generated code where possible, or by rejecting any construct 967that would otherwise generate an implicit ``for`` loop. If this restriction is 968active, it is possible to build large array aggregates with all static 969components without generating an intermediate temporary, and without generating 970a loop to initialize individual components. Otherwise, a loop is created for 971arrays larger than about 5000 scalar components. Note that if this restriction 972is set in the spec of a package, it will not apply to its body. 973 974No_Obsolescent_Features 975----------------------- 976.. index:: No_Obsolescent_Features 977 978[RM 13.12.1] This restriction checks at compile time that no obsolescent 979features are used, as defined in Annex J of the Ada Reference Manual. 980 981No_Wide_Characters 982------------------ 983.. index:: No_Wide_Characters 984 985[GNAT] This restriction ensures at compile time that no uses of the types 986``Wide_Character`` or ``Wide_String`` or corresponding wide 987wide types 988appear, and that no wide or wide wide string or character literals 989appear in the program (that is literals representing characters not in 990type ``Character``). 991 992Static_Dispatch_Tables 993---------------------- 994.. index:: Static_Dispatch_Tables 995 996[GNAT] This restriction checks at compile time that all the artifacts 997associated with dispatch tables can be placed in read-only memory. 998 999SPARK_05 1000-------- 1001.. index:: SPARK_05 1002 1003[GNAT] This restriction no longer has any effect and is superseded by 1004SPARK 2014, whose restrictions are checked by the tool GNATprove. To check that 1005a codebase respects SPARK 2014 restrictions, mark the code with pragma or 1006aspect ``SPARK_Mode``, and run the tool GNATprove at Stone assurance level, as 1007follows:: 1008 1009 gnatprove -P project.gpr --mode=stone 1010 1011or equivalently:: 1012 1013 gnatprove -P project.gpr --mode=check_all 1014 1015