From: Marc Poulhiès
To: gcc-patches@gcc.gnu.org
Cc: Alexandre Oliva
Subject: [COMMITED] ada: hardened booleans: exemplify codegen changes
Date: Thu, 6 Oct 2022 11:30:51 +0200
Message-Id: <20221006093051.261719-1-poulhies@adacore.com>

From: Alexandre Oliva

Show the sort of code that is to be expected from using hardened
booleans in Ada code.  Mention that C traps instead of raising
exceptions.

gcc/ada/

	* doc/gnat_rm/security_hardening_features.rst: Add examples of
	codegen changes in hardened booleans.  Mention that C traps where
	Ada raises exceptions.
	* gnat_rm.texi: Regenerate.

Tested on x86_64-pc-linux-gnu, committed on master.

---
 .../gnat_rm/security_hardening_features.rst | 29 ++++++++++++++++---
 gcc/ada/gnat_rm.texi                        | 26 +++++++++++++++--
 2 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/gcc/ada/doc/gnat_rm/security_hardening_features.rst b/gcc/ada/doc/gnat_rm/security_hardening_features.rst
index e36d47517dc..d8ea849c032 100644
--- a/gcc/ada/doc/gnat_rm/security_hardening_features.rst
+++ b/gcc/ada/doc/gnat_rm/security_hardening_features.rst @@ -265,19 +265,40 @@ further remove checks found to be redundant. For additional hardening, the ``hardbool`` :samp:`Machine_Attribute` pragma can be used to annotate boolean types with representation clauses, so that expressions of such types used as conditions are -checked even when compiling with :switch:`-gnatVT`. +checked even when compiling with :switch:`-gnatVT`: .. code-block:: ada pragma Machine_Attribute (HBool, "hardbool"); + function To_Boolean (X : HBool) returns Boolean is (Boolean (X)); + + +is compiled roughly like: + +.. code-block:: ada + + function To_Boolean (X : HBool) returns Boolean is + begin + if X not in True | False then + raise Constraint_Error; + elsif X in True then + return True; + else + return False; + end if; + end To_Boolean; + Note that :switch:`-gnatVn` will disable even ``hardbool`` testing. Analogous behavior is available as a GCC extension to the C and -Objective C programming languages, through the ``hardbool`` attribute. -For usage and more details on that attribute, see :title:`Using the -GNU Compiler Collection (GCC)`. +Objective C programming languages, through the ``hardbool`` attribute, +with the difference that, instead of raising a Constraint_Error +exception, when a hardened boolean variable is found to hold a value +that stands for neither True nor False, the program traps. For usage +and more details on that attribute, see :title:`Using the GNU Compiler +Collection (GCC)`. .. Control Flow Redundancy: diff --git a/gcc/ada/gnat_rm.texi b/gcc/ada/gnat_rm.texi index ff1845661a4..dad0092713e 100644 --- a/gcc/ada/gnat_rm.texi +++ b/gcc/ada/gnat_rm.texi 
@@ -28920,17 +28920,37 @@ further remove checks found to be redundant. For additional hardening, the @code{hardbool} @code{Machine_Attribute} pragma can be used to annotate boolean types with representation clauses, so that expressions of such types used as conditions are -checked even when compiling with @code{-gnatVT}. +checked even when compiling with @code{-gnatVT}: @example pragma Machine_Attribute (HBool, "hardbool"); + +function To_Boolean (X : HBool) returns Boolean is (Boolean (X)); +@end example + +is compiled roughly like: + +@example +function To_Boolean (X : HBool) returns Boolean is +begin + if X not in True | False then + raise Constraint_Error; + elsif X in True then + return True; + else + return False; + end if; +end To_Boolean; @end example Note that @code{-gnatVn} will disable even @code{hardbool} testing. Analogous behavior is available as a GCC extension to the C and -Objective C programming languages, through the @code{hardbool} attribute. -For usage and more details on that attribute, see @cite{Using the GNU Compiler Collection (GCC)}. +Objective C programming languages, through the @code{hardbool} attribute, +with the difference that, instead of raising a Constraint_Error +exception, when a hardened boolean variable is found to hold a value +that stands for neither True nor False, the program traps. For usage +and more details on that attribute, see @cite{Using the GNU Compiler Collection (GCC)}. @c Control Flow Redundancy: -- 2.34.1
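Review bot: `returns` is not Ada syntax, so neither example in the security_hardening_features.rst hunk compiles as written: a function specification uses `return`, and both `function To_Boolean (X : HBool) returns Boolean is (Boolean (X));` and the expanded `function To_Boolean (X : HBool) returns Boolean is` should read `return Boolean`. Worth fixing before this ships, since readers are likely to paste the snippet. A smaller wording point on the same hunk: the added sentence about the C/Objective C attribute reads more naturally with the consequence last, e.g. "with the difference that, when a hardened boolean variable is found to hold a value that stands for neither True nor False, the program traps instead of raising a Constraint_Error exception."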
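Review bot: the gnat_rm.texi hunk repeats the same `returns Boolean` error in both `@example` blocks. Since the ChangeLog marks this file as regenerated, correct the .rst source and regenerate rather than hand-editing the .texi, otherwise the two copies drift apart on the next regeneration.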