The private part of the session context contains the current state of the state machine and the state of the memory allocator. The context is a tagged type.
```ada
type Private_Context is private;

type Context is abstract tagged limited record
   P : Private_Context;
end record;

private

type Private_Context is record
   Next_State : State := S_Start;
   Slots      : Test.Session_Allocator.Slots;
   Memory     : Test.Session_Allocator.Memory;
end record;
```
User-defined functions are realized as abstract primitives. It must be ensured that a user-defined function does not modify the private part of a session context. Unfortunately, using the Old attribute is not possible in that case:
```ada
procedure Foo (Ctx : in out Context; Bar : RFLX.Test.Baz; RFLX_Result : out Boolean) is abstract with
  Post'Class =>
    Ctx.P = Ctx.P'Old;
```

```
rflx-test-session.ads:30:08: error: equality on access types is not allowed in SPARK
   30 |       Ctx.P = Ctx.P'Old;
      |       ^~~~~~~~~~~~~~~~~
  violation of aspect SPARK_Mode at line 16
   16 |   SPARK_Mode
      |   ^ here
rflx-test-session.ads:30:16: error: prefix of "Old" attribute which is not a function call is not allowed in SPARK (SPARK RM 3.10(13))
   30 |       Ctx.P = Ctx.P'Old;
      |               ^~~~~
  violation of aspect SPARK_Mode at line 16
   16 |   SPARK_Mode
      |   ^ here
```
One problem with this behavior is that it prevents the proof of the remaining unit. To work around this maybe a ghost variable with an assume can be used in the following way:
```ada
declare
   Ghost_Context : Private_Context with Ghost;
begin
   Ghost_Context := Ctx.P;
   Foo (Ctx, Result);
   pragma Assume (Ctx.P = Ghost_Context);
end;
```
One problem is that we might run into the same problem as above that equality on access types is not allowed in SPARK.
After an offline discussion we came to the conclusion that we cannot prove that the private part of a context is unchanged after a platform function call. This change could happen by calling Tick on the context in the platform function. The correct way to go here is to check all required properties after each platform function call.
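The conclusion above, re-checking the required properties after each platform function call instead of proving the private part unchanged, as an added example in SPARK; this is not RecordFlux's generated code, and the `Session` package, the slot counter standing in for the allocator, and the `Valid` and `Step` names are assumptions.

```ada
-- Added example: the session's private state is re-validated after every
-- call to a user-overridable primitive rather than proven untouched. The
-- allocator is simplified to a slot counter, so no access types are involved.
package Session with SPARK_Mode is

   type State is (S_Start, S_Reply, S_Terminated);
   type Private_Context is private;

   type Context is abstract tagged limited record
      P : Private_Context;
   end record;

   Max_Slots : constant := 4;

   -- Property the session relies on after each platform function call.
   function Valid (Ctx : Context'Class) return Boolean;

   -- User-defined function: nothing about Ctx.P can be stated in its
   -- contract, so the caller has to check Valid afterwards.
   procedure Foo (Ctx : in out Context; RFLX_Result : out Boolean) is abstract;

   -- Driver step: calls Foo and re-establishes the invariant by checking it.
   procedure Step (Ctx : in out Context'Class) with
     Pre  => Valid (Ctx),
     Post => Valid (Ctx);

private

   type Private_Context is record
      Next_State : State   := S_Start;
      Slots_Used : Natural := 0;
   end record;

   function Valid (Ctx : Context'Class) return Boolean is
     (Ctx.P.Slots_Used <= Max_Slots);

end Session;

package body Session with SPARK_Mode is

   procedure Step (Ctx : in out Context'Class) is
      Result : Boolean;
   begin
      Foo (Ctx, Result);  -- dispatching call into the user's override
      if not Result or else not Valid (Ctx) then
         -- Not provable statically, so recover at run time: terminate the
         -- session and release the allocator state.
         Ctx.P := (Next_State => S_Terminated, Slots_Used => 0);
      end if;
   end Step;

end Session;
```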