5.5. Specification Features
SPARK contains many features for specifying the intended behavior of programs. Some of these features come from Ada 2012 (Attribute Old and Expression Functions for example). Other features are specific to SPARK (Attribute Loop_Entry and Ghost Code for example). In this section, we describe these features and their impact on execution and formal verification.
5.5.1. Aspect Constant_After_Elaboration
[SPARK]
Aspect Constant_After_Elaboration
can be specified on a library level
variable that has an initialization expression. When specified, the
corresponding variable can only be changed during the elaboration of its
enclosing package. SPARK ensures that users of the package do not change the
variable. This feature can be particularly useful in tasking code since
variables that are Constant_After_Elaboration are guaranteed to prevent
unsynchronized modifications (see Tasks and Data Races).
package CAE is
Var : Integer := 0 with
Constant_After_Elaboration;
-- The following is illegal because users of CAE could call Illegal
-- and that would cause an update of Var after CAE has been
-- elaborated.
procedure Illegal with
Global => (Output => Var);
end CAE;
package body CAE is
procedure Illegal is
begin
Var := 10;
end Illegal;
-- The following subprogram is legal because it is declared inside
-- the body of CAE and therefore it cannot be directly called
-- from a user of CAE.
procedure Legal is
begin
Var := Var + 2;
end Legal;
begin
-- The following statements are legal since they take place during
-- the elaboration of CAE.
Var := Var + 1;
Legal;
end CAE;
5.5.2. Aspect No_Caching
[SPARK]
Aspect No_Caching
can be specified for a volatile type or a volatile
variable to indicate that this type or variable can be analyzed as non-volatile
by GNATprove. This is typically used to hold the value of local variables
guarding the access to some critical section of the code. To defend against
fault injection attacks, a common practice is to duplicate the test guarding
the critical section, and the variable is marked as volatile to prevent the
compiler from optimizing out the duplicate tests. For example:
Cond : Boolean with Volatile, No_Caching := Some_Computation;
if not Cond then
return;
end if;
if not Cond then
return;
end if;
if Cond then
-- here do some critical work
end if;
Without No_Caching
, the volatile variable is assumed to be used for
Interfaces to the Physical World, GNATprove analyses it specially and
one cannot declare it inside a subprogram.
5.5.3. Aspect Relaxed_Initialization
and Ghost Attribute Initialized
[SPARK]
Modes on parameters and data dependency contracts in SPARK have a stricter meaning than in Ada (see Data Initialization Policy). In general, this allows GNATprove to ensure correct initialization of data in a quick and scalable way through flow analysis, without the need for user-supplied annotations. However, in some cases, the initialization policy may be considered too constraining. In particular, it does not permit initializing composite objects by part through different subprograms, or leaving data uninitialized on return if an error occurred.
5.5.3.1. Aspect Relaxed_Initialization
To handle these cases, it is possible to relax the standard data initialization
policy of SPARK using the Relaxed_Initialization
aspect. This aspect can
be used:
on objects, to state that the object should not be subject to the initialization policy of SPARK,
on types, so that it applies to every object or component of the type, or
on subprograms, to annotate the parameters or result.
Here are some examples:
type My_Rec is record
F, G : Positive;
end record;
G : My_Rec with Relaxed_Initialization;
procedure Init_G_If_No_Errors (Error : out Boolean) with
Global => (Output => G);
-- G is only initialized if the Error flag is False
In the snippet above, the aspect Relaxed_Initialization
is used to annotate
the object G
so that SPARK will allow returning from
Init_G_If_No_Errors
with an uninitialized value in G
in case of errors
in the initialization routine.
On a subprogram, the Relaxed_Initialization
aspect expects some parameters
to specify to which objects it applies. For example, the parameter X
of
the procedures below is concerned by the aspect:
procedure Init_Only_F (X : out My_Rec) with
Relaxed_Initialization => X;
-- Initialize the F component of X,
-- X.G should not be read after the call.
procedure Init_Only_G (X : in out My_Rec) with
Relaxed_Initialization => X;
-- Initialize the G component of X,
-- X.F can be read after the call if it was already initialized.
The procedures Init_Only_F
and Init_Only_G
above differ only by the
mode of parameter X
. Just like for Init_G_If_No_Errors
, the
mode out
in Init_Only_F
does not mean that X
should be
entirely initialized by the call. Its purpose is mostly for data dependencies
(see Data Dependencies). It states that the value on entry of the
procedure call should not leak into the parts of the output value which are
read after the call. To ensure that, GNATprove considers that out
parameters may not be copied when entering a procedure call, and so, even for
parameters which are in fact passed by reference.
To exempt the value returned by a function from the data initialization policy
of SPARK, the result attribute can be specified as a parameter of the
Relaxed_Initialization
aspect, as in Read_G
below. It is also
possible to give several objects to the aspect using an aggregate notation:
procedure Copy (Source : My_Rec; Target : out My_Rec) with
Relaxed_Initialization => (Source, Target);
-- Can copy a partially initialized record
function Read_G return My_Rec with
Relaxed_Initialization => Read_G'Result;
-- The result of Read_G might not be initialized
Note
The Relaxed_Initialization
aspect has no effect on subprogram parameters
or function results of a scalar type with relaxed initialization. Indeed,
the Ada semantics mandates a copy of scalars on entry and return of
subprograms, which is considered to be an error if the object was not
initialized.
Finally, if we want to exempt all objects of a type from the data
initialization policy of SPARK, it is possible to specify the
Relaxed_Initialization
aspect on a type. This also allows to exempt a
single component of a record, like in the following example:
type Content_Type is array (Positive range 1 .. 100) of Integer with
Relaxed_Initialization;
type Stack is record
Top : Natural := 0;
Content : Content_Type;
end record
with Predicate => Top in 0 .. 100;
-- Elements located after Top in Content do not need to be initialized
A stack is made of two components: an array Content
storing the actual
content of the stack, and the index Top
of the topmost element currently
allocated on the stack. If the stack is initialized, the Top
component
necessarily holds a meaningful value. However, because of the API of the stack,
it is not possible to read a value stored above the Top
index in
Content
without writing it first. For this reason, it is not necessary to
initialize all elements of the stack at creation. To express that, we use in
the type Stack
, which itself is subject to the standard initialization
policy, an array with the Relaxed_Initialization
aspect for the Content
field.
Note
The Relaxed_Initialization
aspect is not allowed on subtypes, so a
derived type is necessary to add the aspect to an existing type.
5.5.3.2. Ghost Attribute Initialized
As explained above, the standard data initialization policy does not apply to
objects annotated with the Relaxed_Initialization
aspect. As a result, it
becomes necessary to annotate which parts of accessed objects are initialized on
entry and exit of subprograms in contracts. This can be done using the
Initialized
ghost attribute. This attribute can be applied to (parts of)
objects annotated with the Relaxed_Initialization
aspect. If the object is
completely initialized, except possibly for subcomponents of the object whose
type is annotated with the Relaxed_Initialization
aspect, this attribute
evaluates to True
.
Note
It is not true that the Initialized
aspect necessarily evaluates to
False
on uninitialized data. This is to comply with execution, where
some values may happen to be valid even if they have not been initialized.
However, it is not possible to prove that the Initialized
aspect
evaluates to True
if the object has not been entirely initialized.
As an example, let’s add some contracts to the subprograms presented in the
previous example to replace the comments. The case of Init_G_If_No_Errors
is straightforward:
procedure Init_G_If_No_Errors (Error : out Boolean) with
Post => (if not Error then G'Initialized);
It states that if no errors have occurred (Error
is False
on exit),
G
has been initialized by the call.
The postcondition of Read_G
is a
bit more complicated. We want to state that the function returns the value
stored in G
. However, we cannot use equality, as it would evaluate the
components of both operands and fail if G
is not entirely initialized. What
we really want to say is that each component of the result of Read_G
will
be initialized if and only if the corresponding component in G
is
initialized, and then that the values of the components necessarily match in
this case. To
express that, we introduce safe accessors for the record components, which
check whether the field is initialized before returning it. If the component
is not initialized, they return 0
which is an invalid value since both
components of My_Rec
are of type Positive
. This allows to encode both
the initialization status and the value of the field in one go:
function Get_F (X : My_Rec) return Integer is
(if X.F'Initialized then X.F else 0)
with Ghost,
Relaxed_Initialization => X;
function Get_G (X : My_Rec) return Integer is
(if X.G'Initialized then X.G else 0)
with Ghost,
Relaxed_Initialization => X;
Using these accessors, we can define an equality which can safely be called on
uninitialized data, and use it in the postcondition of Read_G
:
function Safe_Eq (X, Y : My_Rec) return Boolean is
(Get_F (X) = Get_F (Y) and Get_G (X) = Get_G (Y))
with Ghost,
Relaxed_Initialization => (X, Y);
function Read_G return My_Rec with
Relaxed_Initialization => Read_G'Result,
Post => Safe_Eq (Read_G'Result, G);
The same safe equality function can be used for the postcondition of Copy
:
procedure Copy (Source : My_Rec; Target : out My_Rec) with
Relaxed_Initialization => (Source, Target),
Post => Safe_Eq (Source, Target);
Remain the procedures Init_Only_F
and Init_Only_G
. We reflect the
asymmetry of their parameter modes in their postconditions:
procedure Init_Only_F (X : out My_Rec) with
Relaxed_Initialization => X,
Post => X.F'Initialized;
procedure Init_Only_G (X : in out My_Rec) with
Relaxed_Initialization => X,
Post => X.G'Initialized and Get_F (X) = Get_F (X)'Old;
The procedure Init_Only_G
preserves the value of X.F
whereas
Init_Only_F
does not preserve X.G
. Note that a postcondition similar
to the one of Init_Only_G
would be proved on Init_Only_F
, but it will be
of no use as out
parameters are considered to be havocked at the beginning
of procedure calls, so Get_G (X)'Old
wouldn’t actually refer to the value
of G
before the call.
Finally, let’s consider the type Stack
defined above. We have annotated
the array type used for its content with the Relaxed_Initialization
aspect,
so that we do not need to initialize all of its components at declaration.
However, we still need to know that elements up to Top
have been
initialized to ensure that poping an element returns an initialized value.
This can be stated by extending the subtype predicate of Stack
in the
following way:
type Stack is record
Top : Natural := 0;
Content : Content_Type;
end record
with Ghost_Predicate => Top in 0 .. 100
and then (for all I in 1 .. Top => Content (I)'Initialized);
Since Content_Type
is annotated with the Relaxed_Initialization
aspect,
references to the attribute Initialized
on an object of type Stack
will
not consider the elements of Content
, so S'Initialized
can evaluate to
True even if the stack S
contains uninitialized elements.
Note
The predicate of type Stack
is now introduced by aspect
Ghost_Predicate
to allow the use of ghost attribute Initialized
.
Note
When the Relaxed_Initialization
aspect is used, correct initialization is verified by proof (--mode=all
or --mode=silver
), and not flow analysis (--mode=flow
or --mode=bronze
).
It is possible to annotate an object with the Relaxed_Initialization
aspect to use proof to verify its initialization. For example, it allows to
workaround limitations in flow analysis with respect to initialization
of arrays. However, if this initialization goes through a loop, using the
Initialized
attribute in a loop invariant might be required for proof to
verify the program.
5.5.4. Aspect Side_Effects
[SPARK]
Unless stated otherwise, functions in SPARK cannot have side effects:
A function must not have an
out
orin out
parameter.A function must not write a global variable.
A function must not raise exceptions.
A function must always terminate.
The aspect Side_Effects
can be used to indicate that a function may in fact
have side effects, among the four possible side effects listed above. A
function with side effects can be called only as the right-hand side of an
assignment, as part of a list of statements where a procedure could be called:
function Increment_And_Return (X : in out Integer) return Integer
with Side_Effects;
procedure Call is
X : Integer := 5;
Y : Integer;
begin
Y := Increment_And_Return (X);
-- The value of X is 6 here
end Call;
Note that a function with side effects could in general be converted into a
procedure with an additional out
parameter for the function’s
result. However, it can be more convenient to use a function with side effects
when binding SPARK code with C code where functions have very often
side effects.
5.5.5. Attribute Loop_Entry
[SPARK]
It is sometimes convenient to refer to the value of variables at loop entry. In
many cases, the variable has not been modified between the subprogram entry and
the start of the loop, so this value is the same as the value at subprogram
entry. But Attribute Old cannot be used in that case. Instead, we can
use attribute Loop_Entry
. For example, we can express that after J
iterations of the loop, the value of parameter array X
at index J
is
equal to its value at loop entry plus one:
procedure Increment_Array (X : in out Integer_Array) is
begin
for J in X'Range loop
X(J) := X(J) + 1;
pragma Assert (X(J) = X'Loop_Entry(J) + 1);
end loop
end Increment_Array;
At run time, a copy of the variable X
is made when entering the loop. This
copy is then read when evaluating the expression X'Loop_Entry
. No copy is
made if the loop is never entered. Because it requires copying the value of
X
, the type of X
cannot be limited.
Attribute Loop_Entry
can only be used in top-level Assertion Pragmas
inside a loop. It is mostly useful for expressing complex Loop Invariants which relate the value of a variable at a given iteration of the
loop and its value at loop entry. For example, we can express that after J
iterations of the loop, the value of parameter array X
at all indexes
already seen is equal to its value at loop entry plus one, and that its value
at all indexes not yet seen is unchanged, using Quantified Expressions:
procedure Increment_Array (X : in out Integer_Array) is
begin
for J in X'Range loop
X(J) := X(J) + 1;
pragma Loop_Invariant (for all K in X'First .. J => X(K) = X'Loop_Entry(K) + 1);
pragma Loop_Invariant (for all K in J + 1 .. X'Last => X(K) = X'Loop_Entry(K));
end loop;
end Increment_Array;
Attribute Loop_Entry
may be indexed by the name of the loop to which it
applies, which is useful to refer to the value of a variable on entry to an
outter loop. When used without loop name, the attribute applies to the closest
enclosing loop. For examples, X'Loop_Entry
is the same as
X'Loop_Entry(Inner)
in the loop below, which is not the same as
X'Loop_Entry(Outter)
(although all three assertions are true):
procedure Increment_Matrix (X : in out Integer_Matrix) is
begin
Outter: for J in X'Range(1) loop
Inner: for K in X'Range(2) loop
X(J,K) := X(J,K) + 1;
pragma Assert (X(J,K) = X'Loop_Entry(J,K) + 1);
pragma Assert (X(J,K) = X'Loop_Entry(Inner)(J,K) + 1);
pragma Assert (X(J,K) = X'Loop_Entry(Outter)(J,K) + 1);
end loop Inner;
end loop Outter;
end Increment_Matrix;
By default, similar restrictions exist for the use of attribute Loop_Entry
and the use of attribute Old
In a Potentially Unevaluated Expression. The same solutions apply here, in particular the use of GNAT
pragma Unevaluated_Use_Of_Old
.
5.5.6. Attribute Old
[Ada 2012]
5.5.6.1. In a Postcondition
Inside Postconditions, attribute Old
refers to the values that
expressions had at subprogram entry. For example, the postcondition of
procedure Increment
might specify that the value of parameter X
upon
returning from the procedure has been incremented:
procedure Increment (X : in out Integer) with
Post => X = X'Old + 1;
At run time, a copy of the variable X
is made when entering the
subprogram. This copy is then read when evaluating the expression X'Old
in
the postcondition. Because it requires copying the value of X
, the type of
X
cannot be limited.
Strictly speaking, attribute Old
must apply to a name in Ada syntax, for
example a variable, a component selection, a call, but not an addition like
X + Y
. For expressions that are not names, attribute Old
can be applied
to their qualified version, for example:
procedure Increment_One_Of (X, Y : in out Integer) with
Post => X + Y = Integer'(X + Y)'Old + 1;
Because the compiler unconditionally creates a copy of the expression to which
attribute Old
is applied at subprogram entry, there is a risk that this feature
might confuse users in more complex postconditions. Take the example of a
procedure Extract
, which copies the value of array A
at index J
into
parameter V
, and zeroes out this value in the array, but only if J
is
in the bounds of A
:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => (if J in A'Range then V = A(J)'Old); -- INCORRECT
Clearly, the value of A(J)
at subprogram entry is only meaningful if J
is in the bounds of A
. If the code above was allowed, then a copy of
A(J)
would be made on entry to subprogram Extract
, even when J
is
out of bounds, which would raise a run-time error. To avoid this common
pitfall, use of attribute Old
in expressions that are potentially unevaluated
(like the then-part in an if-expression, or the right argument of a shortcut
boolean expression - See Ada RM 6.1.1) is restricted to
plain variables: A
is allowed, but not A(J)
. The GNAT compiler
issues the following error on the code above:
prefix of attribute "Old" that is potentially unevaluated must denote an entity
The correct way to specify the postcondition in the case above is to apply
attribute Old
to the entity prefix A
:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => (if J in A'Range then V = A'Old(J));
5.5.6.2. In Contract Cases
The rule for attribute Old
inside Contract Cases is more
permissive. Take for example the same contract as above for procedure
Extract
, expressed with contract cases:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Contract_Cases => ((J in A'Range) => V = A(J)'Old,
others => True);
Only the expressions used as prefixes of attribute Old
in the currently
enabled case are copied on entry to the subprogram. So if Extract
is
called with J
out of the range of A
, then the second case is enabled,
so A(J)
is not copied when entering procedure Extract
. Hence, the above
code is allowed.
It may still be the case that some contracts refer to the value of objects at subprogram entry inside potentially unevaluated expressions. For example, an incorrect variation of the above contract would be:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Contract_Cases => (J >= A'First => (if J <= A'Last then V = A(J)'Old), -- INCORRECT
others => True);
For the same reason that such uses are forbidden by Ada RM inside postconditions, the SPARK RM forbids these uses inside contract cases (see SPARK RM 6.1.3(2)). The GNAT compiler issues the following error on the code above:
prefix of attribute "Old" that is potentially unevaluated must denote an entity
The correct way to specify the consequence expression in the case above is to
apply attribute Old
to the entity prefix A
:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Contract_Cases => (J >= A'First => (if J <= A'Last then V = A'Old(J)),
others => True);
5.5.6.3. In a Potentially Unevaluated Expression
In some cases, the compiler issues the error discussed above (on attribute Old
applied to a non-entity in a potentially unevaluated context) on an expression
that can safely be evaluated on subprogram entry, for example:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => (if J in A'Range then V = Get_If_In_Range(A,J)'Old); -- ERROR
where function Get_If_In_Range
returns the value A(J)
when J
is in
the bounds of A
, and a default value otherwise.
In that case, the solution is either to rewrite the postcondition using non-shortcut boolean operators, so that the expression is not potentially evaluated anymore, for example:
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => J not in A'Range or V = Get_If_In_Range(A,J)'Old;
or to rewrite the postcondition using an intermediate expression function, so that the expression is not potentially evaluated anymore, for example:
function Extract_Post (A : My_Array; J : Integer; V, Get_V : Value) return Boolean is
(if J in A'Range then V = Get_V);
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => Extract_Post (A, J, V, Get_If_In_Range(A,J)'Old);
or to use the GNAT pragma Unevaluated_Use_Of_Old
to allow such uses
of attribute Old
in potentially unevaluated expressions:
pragma Unevaluated_Use_Of_Old (Allow);
procedure Extract (A : in out My_Array; J : Integer; V : out Value) with
Post => (if J in A'Range then V = Get_If_In_Range(A,J)'Old);
GNAT does not issue an error on the code above, and always evaluates the
call to Get_If_In_Range
on entry to procedure Extract
, even if this
value may not be used when executing the postcondition. Note that the formal
verification tool GNATprove correctly generates all required checks to prove
that this evaluation on subprogram entry does not fail a run-time check or a
contract (like the precondition of Get_If_In_Range
if any).
Pragma Unevaluated_Use_Of_Old
applies to uses of attribute Old
both
inside postconditions and inside contract cases. See GNAT RM for a
detailed description of this pragma.
5.5.7. Attribute Result
[Ada 2012]
Inside Postconditions of functions, attribute Result
refers to the
value returned by the function. For example, the postcondition of function
Increment
might specify that it returns the value of parameter X
plus
one:
function Increment (X : Integer) return Integer with
Post => Increment'Result = X + 1;
Contrary to Attribute Old
, attribute Result
does not require copying
the value, hence it can be applied to functions that return a limited
type. Attribute Result
can also be used inside consequence expressions in
Contract Cases.
5.5.8. Aggregates
Aggregates are expressions, and as such can appear in assertions and contracts to specify the value of a composite type (record or array), without having to specify the value of each component of the object separately.
5.5.8.1. Record Aggregates
[Ada 83]
Since the first version, Ada has a compact syntax for expressing the value of a
record type, optionally allowing to name the components. Given the following
declaration of type Point
:
type Point is record
X, Y, Z : Float;
end record;
the value of the origin can be expressed with a named notation:
Origin : constant Point := (X => 0.0, Y => 0.0, Z => 0.0);
or with a positional notation, where the values for components are taken in the
order in which they are declared in type Point
, so the following is
equivalent to the above named notation:
Origin : constant Point := (0.0, 0.0, 0.0);
With named notation, components can be given in any order:
Origin : constant Point := (Z => 0.0, Y => 0.0, X => 0.0);
Positional notation and named notation can be mixed, but, in that case, named associations should always follow positional associations, so positional notation will refer to the first components of the record, and named notation will refer to the last components of the record:
Origin : constant Point := (0.0, Y => 0.0, Z => 0.0);
Origin : constant Point := (0.0, 0.0, Z => 0.0);
Choices can be grouped with the bar symbol |
to denote sets:
Origin : constant Point := (X | Y | Z => 0.0);
The choice others
can be used with a value to refer to all other
components, provided these components have the same type, and the others
choice should come last:
Origin : constant Point := (X => 0.0, others => 0.0);
Origin : constant Point := (Z => 0.0, others => 0.0);
Origin : constant Point := (0.0, others => 0.0); -- positional for X
Origin : constant Point := (others => 0.0);
The box notation <>
can be used instead of an explicit value to denote the
default value of the corresponding type:
Origin : constant Point := (X => <>, Y => 0.0, Z => <>);
In SPARK, this is only allowed if the types of the corresponding components have a default value, for example here:
type Zero_Init_Float is new Float with Default_Value => 0.0;
type Point is record
X : Float := 0.0;
Y : Float;
Z : Zero_Init_Float;
end record;
Note that, when using box notation <>
with an others
choice, it is not
required that these components have the same type.
5.5.8.2. Array Aggregates
[Ada 83]
Since the first version, Ada has the same compact syntax for expressing the
value of an array type as for record types, optionally allowing to name the
indexes. Given the following declaration of type Point
:
type Dimension is (X, Y, Z);
type Point is array (Dimension) of Float;
the value of the origin can be expressed with a named notation:
Origin : constant Point := (X => 0.0, Y => 0.0, Z => 0.0);
or with a positional notation, where the values for components are taken in the
order in which they are declared in type Point
, so the following is
equivalent to the above named notation:
Origin : constant Point := (0.0, 0.0, 0.0);
With the difference that named notation and positional notation cannot be mixed
in an array aggregate, all other explanations presented for aggregates of
record type Point
in Record Aggregates are applicable to array
aggregates here, so all the following declarations are valid:
Origin : constant Point := (Z => 0.0, Y => 0.0, X => 0.0);
Origin : constant Point := (X | Y | Z => 0.0);
Origin : constant Point := (X => 0.0, others => 0.0);
Origin : constant Point := (Z => 0.0, others => 0.0);
Origin : constant Point := (0.0, others => 0.0); -- positional for X
Origin : constant Point := (others => 0.0);
while the use of box notation <>
is only allowed in SPARK if array
components have a default value, either through their type, or through aspect
Default_Component_Value
on the array type:
type Point is array (Dimension) of Float
with Default_Component_Value => 0.0;
Note that in many cases, indexes take an integer value rather than an enumeration value:
type Dimension is range 1 .. 3;
type Point is array (Dimension) of Float;
In that case, choices will take an integer value too:
Origin : constant Point := (3 => 0.0, 2 => 0.0, 1 => 0.0);
Origin : constant Point := (1 | 2 | 3 => 0.0);
Origin : constant Point := (1 => 0.0, others => 0.0);
Origin : constant Point := (3 => 0.0, others => 0.0);
Origin : constant Point := (0.0, others => 0.0); -- positional for 1
Origin : constant Point := (others => 0.0);
Note that one can also use X, Y and Z in place of literals 1, 2 and 3 with the prior definition of suitable named numbers:
X : constant := 1;
Y : constant := 2;
Z : constant := 3;
Note that allocators are allowed inside expressions, and that values in aggregates are evaluated for each corresponding choice, so it is possible to write the following without violating the Memory Ownership Policy of SPARK:
type Ptr is access Integer;
type Data is array (1 .. 10) of Ptr;
Database : Data := (others => new Integer'(0));
This would be also possible in a record aggregate, but it is more common in array aggregates.
5.5.8.3. Iterated Component Associations
[Ada 2022]
It is possible to have the value of an association depending on the choice,
with the feature called iterated component associations. Here is how we can
express that Ident
is the identity mapping from values in Index
to
themselves:
type Index is range 1 .. 100;
type Mapping is array (Index) of Index;
Ident : constant Mapping := (for J in Index => J);
Such an iterated component association can appear next to other associations in
an array aggregate using named notation. Here is how we can express that
Saturation
is the identity mapping between 10 and 90, and saturates outside
of this range:
Saturation : constant Mapping :=
(1 .. 10 => 10, for J in 11 .. 89 => J, 90 .. 100 => 90);
5.5.8.4. Initialization Using Array Aggregates
[Ada 83]
Both flow analysis and proof can be used in GNATprove to verify that data is
correctly initialized before being read, following the Data Initialization Policy of SPARK. The decision to use one or the other is based
on the presence or not of aspect Relaxed_Initialization
(see Aspect Relaxed_Initialization and Ghost Attribute Initialized) on types and variables.
When using flow analysis to analyze the initialization of an array object (variable or component), false alarms may be emitted by GNATprove on code that initializes the array cell by cell, or groups of cells by groups of cells, even if the array ends up completely initialized. This is because flow analysis is not value dependent, so it cannot track the value of assigned array indexes. As a result, it cannot separate array cells in its analysis, hence it cannot deduce that such a sequence of partial initializations result in the array being completely initialized. For example, GNATprove issues false alarms on the code:
type Arr is array (1 .. 5) of Integer;
A : Arr;
...
A(1) := 1;
A(2) := 2;
A(3) := 3;
A(4) := 4;
A(5) := 5;
A better way to initialize an array is to use an aggregate (possibly with iterated component associations, if the value of the initialization element for a cell depends on the index of the cell). This makes it clear for both the human reviewer and for GNATprove that the array is completely initialized. For example, the code above can be rewritten as follows using an aggregate:
type Arr is array (1 .. 5) of Integer;
A : Arr;
...
A := (1, 2, 3, 4, 5);
or using an aggregate with an iterated component association:
type Arr is array (1 .. 5) of Integer;
A : Arr;
...
A := (for I in 1..5 => I);
In cases where initializing the array with an aggregate is not possible, the
alternative is to mark the array object or its type as having relaxed
initialization using aspect Relaxed_Initialization
and to use proof to
verify its correct initialization (see Aspect Relaxed_Initialization and Ghost Attribute Initialized).
This should be reserved for cases where using an aggregate is not possible, as
it requires more work for the user to express which parts of variables are
initialized (in contracts and loop invariants typically), and it may be more
difficult to prove.
5.5.8.5. Delta Aggregates
[Ada 2022]
It is quite common in Postconditions to relate the input and output
values of parameters. While this can be as easy as X = X'Old + 1
in the
case of scalar parameters, it is more complex to express for array and record
parameters. Delta aggregates are useful in that case, to denote the updated
value of a composite variable. For example, we can express more clearly that
procedure Zero_Range
zeroes out the elements of its array parameter X
between From
and To
by using a delta aggregate:
procedure Zero_Range (X : in out Integer_Array; From, To : Positive) with
Post => X = (X'Old with delta From .. To => 0);
than with an equivalent postcondition using Quantified Expressions and Conditional Expressions:
procedure Zero_Range (X : in out Integer_Array; From, To : Positive) with
Post => (for all J in X'Range =>
(if J in From .. To then X(J) = 0 else X(J) = X'Old(J)));
Delta aggregates allow to specify a list of associations between indexes
(for arrays) or components (for records) and values. Components can only be
mentioned once, with the semantics that all values are evaluated before any
update. Array indexes may be mentioned more than once, with the semantics that
updates are applied in left-to-right order. For example, the postcondition of
procedure Swap
expresses that the values at indexes J
and K
in
array X
have been swapped:
procedure Swap (X : in out Integer_Array; J, K : Positive) with
Post => X = (X'Old with delta J => X'Old(K), K => X'Old(J));
and the postcondition of procedure Rotate_Clockwize_Z
expresses that the
point P
given in parameter has been rotated 90 degrees clockwise around the
Z axis (thus component Z
is preserved while components X
and Y
are
modified):
procedure Rotate_Clockwize_Z (P : in out Point_3D) with
Post => P = (P'Old with delta X => P.Y'Old, Y => - P.X'Old);
Similarly to their use in combination with attribute Old
in postconditions,
delta aggregates are useful in combination with Attribute Loop_Entry
inside Loop Invariants. For example, we can express the property that,
after iteration J
in the main loop in procedure Zero_Range
, the value
of parameter array X
at all indexes already seen is equal to zero:
procedure Zero_Range (X : in out Integer_Array; From, To : Positive) is
begin
for J in From .. To loop
X(J) := 0;
pragma Loop_Invariant (X = (X'Loop_Entry with delta From .. J => 0));
end loop;
end Zero_Range;
Delta aggregates can also be used outside of assertions. They are particularly
useful in expression functions. For example, the functionality in procedure
Rotate_Clockwize_Z
could be expressed equivalently as an expression
function:
function Rotate_Clockwize_Z (P : Point_3D) return Point_3D is
(P with delta X => P.Y, Y => - P.X);
Because it requires copying the value of P
, the type of P
cannot be
limited.
Note
In SPARK versions up to SPARK 21, delta aggregates are not supported
and an equivalent attribute named Update
can be used instead.
5.5.8.6. Aspect Aggregate
[Ada 2022]
The Aggregate
aspect has been introduced in
Ada 2022.
It allows providing subprograms that can be used to create aggregates of a
particular container type. The required subprograms differ depending on the
kind of aggregate being defined - positional, named, or indexed. Only positional
and named container aggregates are allowed in SPARK. They require supplying
an Empty
function, to create the container, and an Add
procedure to
insert a new element (possibly associated to a key) in the container:
-- We can use positional aggregates for sets
type Set_Type is private
with Aggregate => (Empty => Empty_Set,
Add_Unnamed => Include);
function Empty_Set return Set_Type;
procedure Include (S : in out Set_Type; E : Element_Type);
-- and named aggregates for maps
type Map_Type is private
with Aggregate => (Empty => Empty_Map,
Add_Named => Add_To_Map);
function Empty_Map return Map_Type;
procedure Add_To_Map (M : in out Map_Type;
Key : Key_Type;
Value : Element_Type);
For execution, container aggregates are expanded into a call to the Empty
function, followed by a sequence of calls to the Add
procedure. However,
for proof, this is not appropriate. Due to how VC generation works, instructions
cannot be used to expand expressions occurring in annotations in particular.
In addition, such an expansion would be inefficient in terms of provability, as
it would introduce multiple intermediate values on which the provers need to
reason.
To be able to use container aggregates in proof, additional annotations are necessary. They describe how the information supplied by the aggregate - the elements, the keys, their order, the number of elements… - affects the value of the container after the insertions. It works by supplying additional functions that should be used to describe the container. These functions and their intended usage are recognized using an Annotation for Container Aggregates.
Container aggregates follow the Ada 2022 syntax for homogeous aggregates. The values, or associations for named aggregates, are enclosed in square brackets. As an example, here are a few aggregates for functional and formal containers from the SPARK Libraries.
package Integer_Sets is new SPARK.Containers.Formal.Ordered_Sets (Integer);
S : Integer_Sets.Set := [1, 2, 3, 4, 12, 42];
package String_Lists is new
SPARK.Containers.Formal.Unbounded_Doubly_Linked_Lists (String);
L : String_Lists.List := ["foo", "bar", "foobar"];
package Int_To_String_Maps is new
SPARK.Containers.Functional.Maps (Integer, String);
M : Int_To_String_Maps.Map := [1 => "one", 2 => "two", 3 => "three"];
Note
So the handling is as precisely as possible, SPARK only supports aggregates with distinct values or keys for sets and maps.
5.5.9. Conditional Expressions
[Ada 2012]
A conditional expression is a way to express alternative possibilities in an
expression. It is like the ternary conditional expression cond ? expr1 :
expr2
in C or Java, except more powerful. There are two kinds of conditional
expressions in Ada:
if-expressions are the counterpart of if-statements in expressions
case-expressions are the counterpart of case-statements in expressions
For example, consider the variant of procedure Add_To_Total
seen in
Contract Cases, which saturates at a given threshold. Its postcondition
can be expressed with an if-expression as follows:
procedure Add_To_Total (Incr : in Integer) with
Post => (if Total'Old + Incr < Threshold then
Total = Total'Old + Incr
else
Total = Threshold);
Each branch of an if-expression (there may be one, two or more branches when
elsif
is used) can be seen as a logical implication, which explains why the
above postcondition can also be written:
procedure Add_To_Total (Incr : in Integer) with
Post => (if Total'Old + Incr < Threshold then Total = Total'Old + Incr) and
(if Total'Old + Incr >= Threshold then Total = Threshold);
or equivalently (as the absence of else
branch above is implicitly the same
as else True
):
procedure Add_To_Total (Incr : in Integer) with
Post => (if Total'Old + Incr < Threshold then Total = Total'Old + Incr else True) and
(if Total'Old + Incr >= Threshold then Total = Threshold else True);
If-expressions are not necessarily of boolean type, in which case they must
have an else
branch that gives the value of the expression for cases not
covered in previous conditions (as there is no implicit else True
in such
a case). For example, here is a postcondition equivalent to the above, that
uses an if-expression of Integer
type:
procedure Add_To_Total (Incr : in Integer) with
Post => Total = (if Total'Old + Incr < Threshold then Total'Old + Incr else Threshold);
Although case-expressions can be used to cover cases of any scalar type, they
are mostly used with enumerations, and the compiler checks that all cases are
disjoint and that together they cover all possible cases. For example, consider
a variant of procedure Add_To_Total
which takes an additional Mode
global input of enumeration value Single
, Double
, Negate
or
Ignore
, with the intuitive corresponding leverage effect on the
addition. The postcondition of this variant can be expressed using a
case-expression as follows:
procedure Add_To_Total (Incr : in Integer) with
Post => (case Mode is
when Single => Total = Total'Old + Incr,
when Double => Total = Total'Old + 2 * Incr,
when Ignore => Total = Total'Old,
when Negate => Total = Total'Old - Incr);
Like if-expressions, case-expressions are not necessarily of boolean type. For
example, here is a postcondition equivalent to the above, that uses a
case-expression of Integer
type:
procedure Add_To_Total (Incr : in Integer) with
Post => Total = Total'Old + (case Mode is
when Single => Incr,
when Double => 2 * Incr,
when Ignore => 0,
when Negate => - Incr);
A last case of others
can be used to denote all cases not covered by
previous conditions. If-expressions and case-expressions should always be
parenthesized.
5.5.10. Declare Expressions
[Ada 2022]
Declare expressions are used to factorize parts of an expression. They allow to declare constants and renamings which are local to the expression. A declare expression is made of two parts:
A list of declarations of local constants and renamings
An expression using the names introduced in these declarations.
To match the syntax of declare blocks, the first part is introduced by
declare
and the second by begin
. The scope is delimited by enclosing
parentheses, without end
to close the scope.
As an example, we introduce a Find_First_Zero
function which finds the index
of the first occurrence of 0
in an array of integers and a procedure
Set_Range_To_Zero
which zeros out all elements located between the first
and second occurrence of 0
in the array:
function Has_Zero (A : My_Array) return Boolean is
(for some E of A => E = 0);
function Has_Two_Zeros (A : My_Array) return Boolean is
(for some I in A'Range => A (I) = 0 and
(for some J in A'Range => A (J) = 0 and I /= J));
function Find_First_Zero (A : My_Array) return Natural with
Pre => Has_Zero (A),
Post => Find_First_Zero'Result in A'Range
and A (Find_First_Zero'Result) = 0
and not Has_Zero (A (A'First .. Find_First_Zero'Result - 1));
procedure Set_Range_To_Zero (A : in out My_Array) with
Pre => Has_Two_Zeros (A),
Post =>
A = (A'Old with delta
Find_First_Zero (A'Old) ..
Find_First_Zero
(A'Old (Find_First_Zero (A'Old) + 1 .. A'Last)) => 0);
In the contract of Set_Range_To_Zero
, we use Delta Aggregates to
state that elements of A
located in the range between the first and the
second occurrence of 0
in A
have been set to 0
by the procedure.
The second occurrence is found by calling Find_First_Zero
on the slice of A
starting just after the first occurrence of 0
.
To make the contract of Set_Range_To_Zero
more readable, we can use a
declare expression to introduce constants for the first and second occurrence
of 0
in the array. The explicit names make it easier to understand what the
bounds of the updated slice are supposed to be. It also avoids repeating the
call to Find_First_Zero
on A
in the computation of
the second bound:
procedure Set_Range_To_Zero (A : in out My_Array) with
Pre => Has_Two_Zeros (A),
Post =>
(declare
Fst_Zero : constant Positive := Find_First_Zero (A'Old);
Snd_Zero : constant Positive := Find_First_Zero
(A'Old (Fst_Zero + 1 .. A'Last));
begin
A = (A'Old with delta Fst_Zero .. Snd_Zero => 0));
5.5.11. Expression Functions
[Ada 2012]
An expression function is a function whose implementation is given by a single
expression. For example, the function Increment
can be defined as an
expression function as follows:
function Increment (X : Integer) return Integer is (X + 1);
For compilation and execution, this definition is equivalent to:
function Increment (X : Integer) return Integer is
begin
return X + 1;
end Increment;
For GNATprove, this definition as expression function is equivalent to the same function body as above, plus a postcondition:
function Increment (X : Integer) return Integer with
Post => Increment'Result = X + 1
is
begin
return X + 1;
end Increment;
Thus, a user does not need in general to add a postcondition to an expression function, as the implicit postcondition generated by GNATprove is the most precise one. If a user adds a postcondition to an expression function, GNATprove uses this postcondition to analyze the function’s callers as well as the most precise implicit postcondition.
On the contrary, it may be useful in general to add a precondition to an
expression function, to constrain the contexts in which it can be called. For
example, parameter X
passed to function Increment
should be less than
the maximal integer value, otherwise an overflow would occur. We can specify
this property in Increment
’s precondition as follows:
function Increment (X : Integer) return Integer is (X + 1) with
Pre => X < Integer'Last;
Note that the contract of an expression function follows its expression.
Expression functions can be defined in package declarations, hence they are
well suited for factoring out common properties that are referred to in
contracts. For example, consider the procedure Increment_Array
that
increments each element of its array parameter X
by one. Its precondition
can be expressed using expression functions as follows:
package Increment_Utils is
function Not_Max (X : Integer) return Boolean is (X < Integer'Last);
function None_Max (X : Integer_Array) return Boolean is
(for all J in X'Range => Not_Max (X(J)));
procedure Increment_Array (X : in out Integer_Array) with
Pre => None_Max (X);
end Increment_Utils;
Expression functions can be defined over private types, and still be used in the contracts of publicly visible subprograms of the package, by declaring the function publicly and defining it in the private part. For example:
package Increment_Utils is
type Integer_Array is private;
function None_Max (X : Integer_Array) return Boolean;
procedure Increment_Array (X : in out Integer_Array) with
Pre => None_Max (X);
private
type Integer_Array is array (Positive range <>) of Integer;
function Not_Max (X : Integer) return Boolean is (X < Integer'Last);
function None_Max (X : Integer_Array) return Boolean is
(for all J in X'Range => Not_Max (X(J)));
end Increment_Utils;
If an expression function is defined in a unit spec, GNATprove can use its implicit postcondition at every call. If an expression function is defined in a unit body, GNATprove can use its implicit postcondition at every call in the same unit, but not at calls inside other units. This is true even if the expression function is declared in the unit spec and defined in the unit body.
5.5.12. Ghost Code
[SPARK]
Sometimes, the variables and functions that are present in a program are not
sufficient to specify intended properties and to verify these properties with
GNATprove. In such a case, it is possible in SPARK to insert in the program
additional code useful for specification and verification, specially identified
with the aspect Ghost
so that it can be discarded during
compilation. So-called ghost code in SPARK are these parts of the code that
are only meant for specification and verification, and have no effect on the
functional behavior of the program.
Note that assertions (including contracts) are not necessarily ghost code. A
contract on a ghost entity is considered as ghost code, while a contract on a
non-ghost entity is not. Depending on the corresponding value of
Assertion_Policy
(of kind Ghost
for ghost code, of kind Assertions
for all assertions, or of more specific assertion kinds like Pre
and
Post
), ghost code and assertions are executed or ignored at runtime.
Various kinds of ghost code are useful in different situations:
Ghost functions are typically used to express properties used in contracts.
Global ghost variables are typically used to keep track of the current state of a program, or to maintain a log of past events of some type. This information can then be referred to in contracts.
Local ghost variables are typically used to hold intermediate values during computation, which can then be referred to in assertion pragmas like loop invariants.
Ghost types are those types only useful for defining ghost variables.
Ghost procedures can be used to factor out common treatments on ghost variables. Ghost procedures should not have non-ghost outputs, either output parameters or global outputs.
Ghost packages provide a means to encapsulate all types and operations for a specific kind of ghost code.
Imported ghost subprograms are used to provide placeholders for properties that are defined in a logical language, when using manual proof.
Ghost generic formal parameters are used to pass on ghost entities (types, objects, subprograms, packages) as parameters in a generic instantiation.
When the program is compiled with assertions (for example with switch
-gnata
in GNAT), ghost code is executed like normal code. Ghost code
can also be selectively enabled by setting pragma Assertion_Policy
as
follows:
pragma Assertion_Policy (Ghost => Check);
GNATprove checks that ghost code cannot have an effect on the behavior of the program. GNAT compiler also performs some of these checks, although not all of them. Apart from these checks, GNATprove treats ghost code like normal code during its analyses.
5.5.12.1. Ghost Functions
Ghost functions are useful to express properties only used in contracts, and to
factor out common expressions used in contracts. For example, function
Get_Total
introduced in State Abstraction and Functional Contracts
to retrieve the value of variable Total
in the contract of Add_To_Total
could be marked as a ghost function as follows:
function Get_Total return Integer with Ghost;
and still be used exactly as seen in State Abstraction and Functional Contracts:
procedure Add_To_Total (Incr : in Integer) with
Pre => Incr >= 0 and then Get_Total in 0 .. Integer'Last - Incr,
Post => Get_Total = Get_Total'Old + Incr;
The definition of Get_Total
would be also the same:
Total : Integer;
function Get_Total return Integer is (Total);
Although it is more common to define ghost functions as Expression Functions, a regular function might be used too:
function Get_Total return Integer is
begin
return Total;
end Get_Total;
In that case, GNATprove uses only the contract of Get_Total
(either
user-specified or the default one) when analyzing its callers, like for a
non-ghost regular function. (The same exception applies as for regular
functions, when GNATprove can analyze a subprogram in the context of its
callers, as described in Contextual Analysis of Subprograms Without Contracts.)
All functions which are only used in specification can be marked as ghost, but
most don’t need to. However, there are cases where marking a specification-only
function as ghost really brings something. First, as ghost entities are not
allowed to interfere with normal code, marking a function as ghost avoids having
to break state abstraction for the purpose of specification. For example,
marking Get_Total
as ghost will prevent users of the package Account
from accessing the value of Total
from non-ghost code.
Then, in the usual context where ghost code is not kept in the final executable, the user is given more freedom to use in ghost code constructs that are less efficient than in normal code, which may be useful to express rich properties. For example, the ghost functions defined in the Formal Containers Library in the SPARK library typically copy the entire content of the argument container, which would not be acceptable for non-ghost functions.
5.5.12.2. Ghost Variables
Ghost variables are useful to keep track of local or global information during the computation, which can then be referred to in contracts or assertion pragmas.
Case 1: Keeping Intermediate Values
Local ghost variables are commonly used to keep intermediate values. For
example, we can define a local ghost variable Init_Total
to hold the
initial value of variable Total
in procedure Add_To_Total
, which allows
checking the relation between the initial and final values of Total
in an
assertion:
procedure Add_To_Total (Incr : in Integer) is
Init_Total : Integer := Total with Ghost;
begin
Total := Total + Incr;
pragma Assert (Total = Init_Total + Incr);
end Add_To_Total;
Case 2: Keeping Memory of Previous State
Global ghost variables are commonly used to memorize the value of a previous
state. For example, we can define a global ghost variable Last_Incr
to hold
the previous value passed in argument when calling procedure Add_To_Total
,
which allows checking in its precondition that the sequence of values passed in
argument is non-decreasing:
Last_Incr : Integer := Integer'First with Ghost;
procedure Add_To_Total (Incr : in Integer) with
Pre => Incr >= Last_Incr;
procedure Add_To_Total (Incr : in Integer) is
begin
Total := Total + Incr;
Last_Incr := Incr;
end Add_To_Total;
Case 3: Logging Previous Events
Going beyond the previous case, global ghost variables can be used to store a
complete log of events. For example, we can define global ghost variables
Log
and Log_Size
to hold the sequence of values passed in argument to
procedure Add_To_Total
, as in State Abstraction:
Log : Integer_Array with Ghost;
Log_Size : Natural with Ghost;
procedure Add_To_Total (Incr : in Integer) with
Post => Log_Size = Log_Size'Old + 1 and Log = (Log'Old with delta Log_Size => Incr);
procedure Add_To_Total (Incr : in Integer) is
begin
Total := Total + Incr;
Log_Size := Log_Size + 1;
Log (Log_Size) := Incr;
end Add_To_Total;
The postcondition of Add_To_Total
above expresses that Log_Size
is
incremented by one at each call, and that the current value of parameter
Incr
is appended to Log
at each call (using Attribute Old and
Delta Aggregates).
Case 4: Expressing Existentially Quantified Properties
In SPARK, universal quantification is only allowed in restricted cases (over integer ranges and over the content of a container). To express the existence of a particular object, it is sometimes easier to simply provide it. This can be done using a global ghost variable. This can be used in particular to split the specification of a complex procedure into smaller parts:
X_Interm : T with Ghost;
procedure Do_Two_Thing (X : in out T) with
Post => First_Thing_Done (X'Old, X_Interm) and then
Second_Thing_Done (X_Interm, X)
is
X_Init : constant T := X with Ghost;
begin
Do_Something (X);
pragma Assert (First_Thing_Done (X_Init, X));
X_Interm := X;
Do_Something_Else (X);
pragma Assert (Second_Thing_Done (X_Interm, X));
end Do_Two_Things;
More complicated uses can also be envisioned, up to constructing ghost data structures reflecting complex properties. For example, we can express that two arrays are a permutation of each other by constructing a permutation from one to the other:
Perm : Permutation with Ghost;
procedure Permutation_Sort (A : Nat_Array) with
Post => A = Apply_Perm (Perm, A'Old)
is
begin
-- Initalize Perm with the identity
Perm := Identity_Perm;
for Current in A'First .. A'Last - 1 loop
Smallest := Index_Of_Minimum_Value (A, Current, A'Last);
if Smallest /= Current then
Swap (A, Current, Smallest);
-- Update Perm each time we permute two elements in A
Permute (Perm, Current, Smallest);
end if;
end loop;
end Permutation_Sort;
5.5.12.3. Ghost Types
Ghost types can only be used to define ghost variables. For example, we can
define ghost types Log_Type
and Log_Size_Type
that specialize the types
Integer_Array
and Natural
for ghost variables:
subtype Log_Type is Integer_Array with Ghost;
subtype Log_Size_Type is Natural with Ghost;
Log : Log_Type with Ghost;
Log_Size : Log_Size_Type with Ghost;
5.5.12.4. Ghost Procedures
Ghost procedures are useful to factor out common treatments on ghost
variables. For example, we can define a ghost procedure Append_To_Log
to
append a value to the log as seen previously.
Log : Integer_Array with Ghost;
Log_Size : Natural with Ghost;
procedure Append_To_Log (Incr : in Integer) with
Ghost,
Post => Log_Size = Log_Size'Old + 1 and Log = (Log'Old with delta Log_Size => Incr);
procedure Append_To_Log (Incr : in Integer) is
begin
Log_Size := Log_Size + 1;
Log (Log_Size) := Incr;
end Append_To_Log;
Then, this procedure can be called in Add_To_Total
as follows:
procedure Add_To_Total (Incr : in Integer) is
begin
Total := Total + Incr;
Append_To_Log (Incr);
end Add_To_Total;
5.5.12.5. Ghost Packages
Ghost packages are useful to encapsulate all types and operations for a
specific kind of ghost code. For example, we can define a ghost package
Logging
to deal with all logging operations on package Account
:
package Logging with
Ghost
is
Log : Integer_Array;
Log_Size : Natural;
procedure Append_To_Log (Incr : in Integer) with
Post => Log_Size = Log_Size'Old + 1 and Log = (Log'Old with delta Log_Size => Incr);
...
end Logging;
The implementation of package Logging
is the same as if it was not a ghost
package. In particular, a Ghost
aspect is implicitly added to all
declarations in Logging
, so it is not necessary to specify it explicitly.
Logging
can be defined either as a local ghost package or as a separate
unit. In the latter case, unit Account
needs to reference unit Logging
in a with-clause like for a non-ghost unit:
with Logging;
package Account is
...
end Account;
5.5.12.6. Imported Ghost Subprograms
When using manual proof (see GNATprove and Manual Proof), it may be more
convenient to define some properties in the logical language of the prover
rather than in SPARK. In that case, ghost functions might be marked as
imported, so that no implementation is needed. For example, the ghost procedure
Append_To_Log
seen previously may be defined equivalently as a ghost
imported function as follows:
function Append_To_Log (Log : Log_type; Incr : in Integer) return Log_Type with
Ghost,
Import;
where Log_Type
is an Ada type used also as placeholder for a type in the
logical language of the prover. To avoid any inconsistency between the
interpretations of Log_Type
in GNATprove and in the manual prover, it is
preferable in such a case to mark the definition of Log_Type
as not in
SPARK, so that GNATprove does not make any assumptions on its content. This
can be achieved by defining Log_Type
as a private type and marking the
private part of the enclosing package as not in SPARK:
package Logging with
SPARK_Mode,
Ghost
is
type Log_Type is private;
function Append_To_Log (Log : Log_type; Incr : in Integer) return Log_Type with
Import;
...
private
pragma SPARK_Mode (Off);
type Log_Type is new Integer; -- Any definition is fine here
end Logging;
A ghost imported subprogram cannot be executed, so calls to Append_To_Log
above should not be enabled during compilation, otherwise a compilation error
is issued. Note also that GNATprove will not attempt proving the contract of
a ghost imported subprogram, as it does not have its body.
5.5.12.7. Ghost Generic Formal Parameters
Non-ghost generic units may depend on ghost entities for the specification and proof of their instantiations. In such a case, the ghost entities can be passed on as ghost generic formal parameters:
generic
type T is private with Ghost;
Var_Input : T with Ghost;
Var_Output : in out T with Ghost;
with function F return T with Ghost;
with procedure P (X : in out T) with Ghost;
with package Pack is new Gen with Ghost;
package My_Generic with
SPARK_Mode
is
...
At the point of instantiation of My_Generic
, actual parameters for ghost
generic formal parameters may be ghost, and in three cases, they must actually
be ghost: the actual for a mutable ghost generic formal object, a ghost generic
formal procedure, or a ghost generic formal package, must be ghost. Otherwise,
writing to a ghost variable or calling a ghost procedure could have an effect
on non-ghost variables.
package My_Instantiation is
new My_Generic (T => ... -- ghost or not
Var_Input => ... -- ghost or not
Var_Output => ... -- must be ghost
F => ... -- ghost or not
P => ... -- must be ghost
Pack => ... -- must be ghost
5.5.12.8. Ghost Models
When specifying a program, it is common to use a model, that is, an alternative, simpler view of a part of the program. As they are only used in annotations, models can be computed using ghost code.
Models of Control Flow
Global variables can be used to enforce properties over call cahains in the
program. For example, we may want to express that Total
cannot be
incremented twice in a row without registering the transaction in between. This
can be done by introducing a ghost global variable
Last_Transaction_Registered
, used to encode whether Register_Transaction
was called since the last call to Add_To_Total
:
Last_Transaction_Registered : Boolean := True with Ghost;
procedure Add_To_Total (Incr : Integer) with
Pre => Last_Transaction_Registered,
Post => not Last_Transaction_Registered;
procedure Register_Transaction with
Post => Last_Transaction_Registered;
The value of Last_Transaction_Registered should also be updated in the body of
Add_To_Total
and Register_Transaction
to reflect their contracts:
procedure Add_To_Total (Incr : in Integer) is
begin
Total := Total + Incr;
Last_Transaction_Registered := False;
end Add_To_Total;
More generally, the expected control flow of a program can be modeled using an
automaton. We can take as an example a mailbox containing only one message.
The expected way Receive
and Send
should be interleaved can be expressed
as a two state automaton. The mailbox can either be full, in which case
Receive
can be called but not Send
, or it can be empty, in which case it
is Send
that can be called and not Receive
. To express this property, we
can define a ghost global variable of a ghost enumeration type to hold the
state of the automaton:
type Mailbox_Status_Kind is (Empty, Full) with Ghost;
Mailbox_Status : Mailbox_Status_Kind := Empty with Ghost;
procedure Receive (X : out Message) with
Pre => Mailbox_Status = Full,
Post => Mailbox_Status = Empty;
procedure Send (X : Message) with
Pre => Mailbox_Status = Empty,
Post => Mailbox_Status = Full;
Like before, Receive
and Send
should update Mailbox_Status
in their
bodies.
Note that all the transitions of the automaton need not be specified, only the
part which are relevant to the properties we want to express.
If the program also has some regular state, an invariant can be used to link
the value of this state to the value of the ghost state of the automaton. For
example, in our mailbox, we may have a regular variable Message_Content
holding the content of the current message, which is only known to be valid
after a call to Send
. We can introduce a ghost function linking the value
of Message_Content
to the value of Mailbox_Status
, so that we can
ensure that Message_Content
is always valid when accessed from Receive
:
function Invariant return Boolean is
(if Mailbox_Status = Full then Valid (Message_Content))
with Ghost;
procedure Receive (X : out Message) with
Pre => Invariant and then Mailbox_Status = Full,
Post => Invariant and then Mailbox_Status = Empty
and then Valid (X)
is
X := Message_Content;
end Receive;
Models of Data Structures
For specifying programs that use complex data structures (doubly-linked lists,
maps…), it can be useful to supply a model for the data structure. A model
is an alternative, simpler view of the data-structure which allows to write
properties more easily. For example, a ring buffer, or a doubly-linked list, can
be modeled using an array containing the elements from the buffer or the list in
the right order. Typically, though simpler to reason with, the model is less
efficient than the regular data structure. For example, inserting an element at
the beginning of a doubly-linked list or at the beginning of a ring buffer can
be done in constant time whereas inserting an element at the beginning of an
array requires to slide all the elements to the right. As a result, models of
data structures are usually supplied using ghost code. As an example, the
package Ring_Buffer
offers an implementation of a single instance ring
buffer. A ghost variable Buffer_Model
is used to write the specification of
the Enqueue
procedure:
package Ring_Buffer is
function Get_Model return Nat_Array with Ghost;
procedure Enqueue (E : Natural) with
Post => Get_Model = E & Get_Model'Old (1 .. Max – 1);
private
Buffer_Content : Nat_Array;
Buffer_Top : Natural;
Buffer_Model : Nat_Array with Ghost;
function Get_Model return Nat_Array is (Buffer_Model);
end Ring_Buffer;
Then, just like for models of control flow, an invariant should be supplied to link the regular data structure to its model:
package Ring_Buffer is
function Get_Model return Nat_Array with Ghost;
function Invariant return Boolean with Ghost;
procedure Enqueue (E : Natural) with
Pre => Invariant,
Post => Invariant and then Get_Model = E & Get_Model'Old (1 .. Max – 1);
private
Buffer_Content : Nat_Array;
Buffer_Top : Natural;
Buffer_Model : Nat_Array with Ghost;
function Get_Model return Nat_Array is (Buffer_Model);
function Invariant return Boolean is
(Buffer_Model = Buffer_Content (Buffer_Top .. Max)
& Buffer_Content (1 .. Buffer_Top - 1));
end Ring_Buffer;
If a data structure type is defined, a ghost function can be provided to compute a model for objects of the data structure type, and the invariant can be stated as a postcondition of this function:
package Ring_Buffer is
type Buffer_Type is private;
subtype Model_Type is Nat_Array with Ghost;
function Invariant (X : Buffer_Type; M : Model_Type) return Boolean with
Ghost;
function Get_Model (X : Buffer_Type) return Model_Type with
Ghost,
Post => Invariant (X, Get_Model'Result);
procedure Enqueue (X : in out Buffer_Type; E : Natural) with
Post => Get_Model (X) = E & Get_Model (X)'Old (1 .. Max – 1);
private
type Buffer_Type is record
Content : Nat_Array;
Top : Natural;
end record;
end Ring_Buffer;
More complex examples of models of data structure can be found in the Formal Containers Library.
5.5.12.9. Removal of Ghost Code
By default, GNAT completely discards ghost code during compilation, so that no ghost code is present in the object code or the executable. This ensures that, even if parts of the ghost could have side effects when executed (writing to variables, performing system calls, raising exceptions, etc.), by default the compiler ensures that it cannot have any effect on the behavior of the program.
This is also essential in domains submitted to certification where all instructions in the object code should be traceable to source code and requirements, and where testing should ensure coverage of the object code. As ghost code is not present in the object code, there is no additional cost for maintaining its traceability and ensuring its coverage by tests.
GNAT provides an easy means to check that no ignored ghost code is
present in a given object code or executable, which relies on the property
that, by definition, each ghost declaration or ghost statement mentions at
least one ghost entity. GNAT prefixes all names of such ignored ghost
entities in the object code with the string ___ghost_
(except for names of
ghost compilation units). The initial triple underscore ensures that this
substring cannot appear anywhere in the name of non-ghost entities or ghost
entities that are not ignored. Thus, one only needs to check that the substring
___ghost_
does not appear in the list of names from the object code or
executable.
On Unix-like platforms, this can done by checking that the following command does not output anything:
nm <object files or executable> | grep ___ghost_
The same can be done to check that a ghost compilation unit called my_unit
(whatever the capitalization) is not included at all (entities in that unit
would have been detected by the previous check) in the object code or
executable. For example on Unix-like platforms:
nm <object files or executable> | grep my_unit
5.5.13. Quantified Expressions
[Ada 2012]
A quantified expression is a way to express a property over a collection, either an array or a container (see Formal Containers Library):
a universally quantified expression using
for all
expresses a property that holds for all elements of a collectionan existentially quantified expression using
for some
expresses a property that holds for at least one element of a collection
Quantified expressions should always be parenthesized.
5.5.13.1. Iteration Over Content vs. Over Positions
Iteration can be expressed either directly over the content of the collection,
or over the range of positions of elements in the collection. The former is
preferred when the property involved does not refer to the position of elements
in the collection or to the previous value of the element at the same position
in the collection (e.g. in a postcondition). Otherwise, the latter is
needed. For example, consider the procedure Nullify_Array
that sets each
element of its array parameter X
to zero. Its postcondition can be
expressed using a universally quantified expression iterating over the content
of the array as follows:
procedure Nullify_Array (X : out Integer_Array) with
Post => (for all E in X => E = 0);
or using a universally quantified expression iterating over the range of the array as follows:
procedure Nullify_Array (X : out Integer_Array) with
Post => (for all J in X'Range => X(J) = 0);
Quantification over formal containers can similarly iterate over their content,
using the syntax for .. of
, or their positions, using the syntax
for .. in
, see examples in Loop Examples.
Iteration over positions is needed when the property refers to the position of
elements in the collection. For example, consider the procedure
Initialize_Array
that sets each element of its array parameter X
to its
position. Its postcondition can be expressed using a universally quantified
expression as follows:
procedure Initialize_Array (X : out Integer_Array) with
Post => (for all J in X'Range => X(J) = J);
Iteration over positions is also needed when the property refers to the
previous value of the element at the same position in the collection.
For example, consider the procedure Increment_Array
that increments each
element of its array parameter X
by one. Its postcondition can be expressed
using a universally quantified expression as follows:
procedure Increment_Array (X : in out Integer_Array) with
Post => (for all J in X'Range => X(J) = X'Old(J) + 1);
The negation of a universal property being an existential property (the opposite is true too), the postcondition above can be expressed also using an existentially quantified expression as follows:
procedure Increment_Array (X : in out Integer_Array) with
Post => not (for some J in X'Range => X(J) /= X'Old(J) + 1);
5.5.13.2. Execution vs. Proof
At run time, a quantified expression is executed like a loop, which exits as
soon as the value of the expression is known: if the property does not hold
(resp. holds) for a given element of a universally (resp. existentially)
quantified expression, execution of the loop does not proceed with remaining
elements and returns the value False
(resp. True
) for the expression.
When a quantified expression is analyzed with GNATprove, it uses the logical counterpart of the quantified expression. GNATprove also checks that the expression is free from run-time errors. For this checking, GNATprove checks that the enclosed expression is free from run-time errors over the entire range of the quantification, not only at points that would actually be reached at run time. As an example, consider the following expression:
(for all I in 1 .. 10 => 1 / (I - 3) > 0)
This quantified expression cannot raise a run-time error, because the enclosed
expression 1 / (I - 3) > 0
is false for the first value of the range I =
1
, so the execution of the loop exits immediately with the value False
for the quantified expression. GNATprove is stricter and requires the
enclosed expression 1 / (I - 3) > 0
to be free from run-time errors over
the entire range I in 1 .. 10
(including I = 3
) so it issues a check
message for a possible division by zero in this case.
5.5.13.3. Iterator Filters
The set of values or positions over which iteration is performed can be
filtered with an iterator filter introduced by the keyword when
. For
example, we can express a property for all prime numbers in a given range as
follows:
(for all N in 1 .. 1000 when Is_Prime (N) => ...)