[Bug ada/94419] New: accepting wrong programs because compiler error

[Bug ada/94419] New: accepting wrong programs because compiler error

[yyelle at rbx dot email]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

            Bug ID: 94419
           Summary: accepting wrong programs because compiler error
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: ada
          Assignee: unassigned at gcc dot gnu.org
          Reporter: yyelle at rbx dot email
  Target Milestone: ---

I'm currently studing Ada and using GCC and I found a number of bugs in
compiler. It is about Ada 2012. Example buggy code is here:

package A is
        type tp is private; -- tp here is considered constrained. Users of
public part will see this only, they do not see unconstrained'ness of private
defnition.
        type atp is access all tp;
        function ff1 return atp;
        function ff2 return atp;
        procedure pp1(p: atp);
private
        type dd is range 1..10;
        type tarr is array(dd range <>) of Integer;
        type tp(x : dd := 10) is record -- tp here becomes considered
unconstrained.
                a:  tarr(1..x);
        end record;
end A;
package body A is
        xx : aliased tp; -- unconstrained
        yy : aliased tp(2); -- constrained
        zz : aliased tp(10); -- constrained.
        ax : aliased atp(10); -- access, constrained;
        function ff1 return atp is
        begin
                return yy'Access; -- Conversion from access to constrained to
access unconstrained is errorneous because constrained partial view. Should be
reported but does not by GNAT.
        end ff1;

        function ff2 return atp is
        begin
                return xx'Access; -- ok
        end ff2;

        procedure pp1(a : atp) is
        begin
                ax := a; -- conversion from unconstrained to constrained (and
constraint match). Errorneous again. Should be reporrted, but GNAT doesn't
report. a here will be xx.
        end;

        procedure pp2 is
        begin
                xx := ( x => 2, others => 0);
                ax.all := zz; -- No error by GNAT, but is errorneous. ax.all is
xx.
        end;

end A;

-- User of A:
with A;
procedure Proc is
begin
        A.ff1.all := A.ff2.all; -- No error reported, no error schould be
reported, but it tries to change the discriminant of constrained variable (and
alter the array size). Is bad.
        A.pp1(A.ff2);
        A.pp2;
end;

-- Ever more bad
package B is
        type R is private;
        procedure pp;
private
        type R(x: Integer := 1) is null record;
end B;

with Ada.Text_IO; use Ada.Text_IO;
package body B is
        procedure pp is
                type A is access all R;
                type A1 is access all R(1);
                type A2 is access all R(2);
                xx : aliased R(1);
                yy : aliased R(2);
                zz : aliased R;

                aa1 : A1 := xx'Access;
                aa2 : A2 := yy'Access;
        begin
                Put_Line("xx.x = " & xx.x'Image); -- schould be 1
                aa1.all := aa2.all; -- No error reported by GNAT.
                Put_Line("xx.x = " & xx.x'Image); -- 1 ?
                zz := xx; -- ok
                Put_Line("zz.x = " & zz.x'Image); -- 2.
        end pp;
end B;


-- The following is about accessibility

with Ada.Text_IO; use Ada.Text_IO;
procedure C is
        type R(ad : access Integer) is null record;
        a : access R;
        procedure inner is
                y: aliased integer := 0;
        begin
                a := new R'(ad => y'Access);
        end; -- y lifetime is ended.
begin
        inner;
        Put_Line("a.ad = " & a.ad.all'Image); -- 0
        Put_Line("a.ad = " & a.ad.all'Image); -- 32767 ?
end;

Please, note Ada is not C, Ada is about safety. A program should be checked for
corectness and any errors must be reported almost always, at runtime also.
There are also cases when checks would be too hard to implement, but those
cases are relatively rare, they ever need more arguments, than implementation
complexity. And there is no intent to go to what C language is, Ada is not C.

Another bad thing in GNAT is implementation of "mutable" records, they always
need maximum memory. It is from GNAT manual:
type Rec (D : Positive := 15) is record
       Name : String (1..D);
    end record;

    Too_Large : Rec;

is flagged by the compiler with a warning: an attempt to create
`Too_Large' will raise `Storage_Error', because the required size
includes `Positive'Last' bytes.

It is bad. I think such records should be dynamically reallocatable. GNAT
manual says that such way is improper, but it is not that, it is right. Name in
example above may be allocated and reallocated "in free memory" and record
itself contain address of Name. If, for example, Name are passed as an aliased
parameter to a procedure, discriminant D schould not alter (while the parameter
is in use), this stated by Ada rules (the result is ever "errorneous
execution", which may be unpredictable). Also x.Name'Access will be error.
Really I think there schould be some "representational aspect" to say using
"max memory allocation" (as current implementation), or "dynamic realloc", and
ever latter ("dynamic realloc") schould be default (in this example anyways).
Rationale: above code does not work at all (because Storage_error) in current
implementation, but it is one of Ada feautures.

[Bug ada/94419] accepting wrong programs because compiler error

[ebotcazou at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |WAITING
                 CC|                            |ebotcazou at gcc dot gnu.org
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2020-04-04

--- Comment #1 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> Please, note Ada is not C, Ada is about safety. A program should be checked
> for corectness and any errors must be reported almost always, at runtime
> also. There are also cases when checks would be too hard to implement, but
> those cases are relatively rare, they ever need more arguments, than
> implementation complexity.

Well, GNAT passes 100% of the tests of the ACATS testsuites, which contain
thousands of correctness tests, so finding some bugs cannot be a pretext for
depreciating it as you do.  Every complex software has bugs, a compiler is a
complex software, ergo it has bugs.

You don't cite the clauses of the Ada RM that would make your program illegal
and you don't say which version of GNAT you use so there isn't much we can do.

> Another bad thing in GNAT is implementation of "mutable" records, they
> always need maximum memory. It is from GNAT manual:
> type Rec (D : Positive := 15) is record
>        Name : String (1..D);
>     end record;
> 
>     Too_Large : Rec;
> 
> is flagged by the compiler with a warning: an attempt to create
> `Too_Large' will raise `Storage_Error', because the required size
> includes `Positive'Last' bytes.
> 
> It is bad. I think such records should be dynamically reallocatable. GNAT
> manual says that such way is improper, but it is not that, it is right.

No, it's just a trade off and GNAT has selected this implementation.  But you
can certainly write your own Ada compiler with another implementation.

[Bug ada/94419] accepting wrong programs because compiler error

[yyelle at rbx dot email]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

--- Comment #2 from Uriy <yyelle at rbx dot email> ---
Thank you for reply.
Recently I test gcc 9.3.0 and it report some errors in the example code. But I
modify it slightly and it works with no errors.
I think the code is enough clear to see what exact clauses RM are violated. For
example there is conversion from access to constrained to access to
unconstrained type, and the type have a constrained partial view, while
legality rules for conversions requires for such case that any partial view
were unconstrained. There is also assignments of different subtypes (which have
no common values).

It is very sad if compiler makers doesn't understand Ada enough to see what
exact is wrong in this specially example code. And "thousands tests" will
really not help. But I apologise and send corrected code which works against
(currently recent) gcc 9.3.0.

> you can certainly write your own Ada compiler with another implementation.

Yes. But it seems to me that it was more important to say this to you (because
gcc, not my compiler, currently does not provide discussed feature of Ada
language.) In principle it seems to

[Bug ada/94419] accepting wrong programs because compiler error

[yyelle at rbx dot email]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

--- Comment #3 from Uriy <yyelle at rbx dot email> ---
Created attachment 48205
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48205&action=edit
example code

[Bug ada/94419] accepting wrong programs because compiler error

[yyelle at rbx dot email]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

Uriy <yyelle at rbx dot email> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #48205|0                           |1
        is obsolete|                            |

--- Comment #4 from Uriy <yyelle at rbx dot email> ---
Created attachment 48206
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=48206&action=edit
example code for gcc 9.3.0

Thank you for reply.
Recently I test gcc 9.3.0 and it report some errors in the example code. But I
modify it slightly and it works with no errors.
I think the code is enough clear to see what exact clauses RM are violated. For
example there is conversion from access to constrained to access to
unconstrained type, and the type have a constrained partial view, while
legality rules for conversions requires for such case that any partial view
were unconstrained. There is also assignments of different subtypes (which have
no common values).

It is very sad if compiler makers doesn't understand Ada enough to see what
exact is wrong in this specially example code. And "thousands tests" will
really not help. But I apologise and send corrected code which works against
(currently recent) gcc 9.3.0.

> you can certainly write your own Ada compiler with another implementation.

Yes. But it seems to me that it was more important to say this to you (because
gcc, not my compiler, currently does not provide discussed feature of Ada
language.) In principle it seems to me that the only real problem here is
"errorneous execution" but it can be avoided by some additional bit which will
mark that altering a discriminant is disabled.

P. S. Excuse me, previous comment was somehow sent while not finished (and I
cannot to do anything with it).

[Bug ada/94419] missing errors for constraints on access types

[ebotcazou at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94419

Eric Botcazou <ebotcazou at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |NEW
            Summary|accepting wrong programs    |missing errors for
                   |because compiler error      |constraints on access types

--- Comment #5 from Eric Botcazou <ebotcazou at gcc dot gnu.org> ---
> Recently I test gcc 9.3.0 and it report some errors in the example code. But
> I modify it slightly and it works with no errors.
> I think the code is enough clear to see what exact clauses RM are violated.
> For example there is conversion from access to constrained to access to
> unconstrained type, and the type have a constrained partial view, while
> legality rules for conversions requires for such case that any partial view
> were unconstrained. There is also assignments of different subtypes (which
> have no common values).

Yes, some errors are indeed missing.  The thing is, constraints on access types
have been historically problematic in Ada from an implementation point of view
and there even have been talks about removing them.