Skip to main content

A.18 Containers

danger

This Reference Manual output has not been verified, and may contain omissions or errors. Report any problems on the tracking issue

1/2

This clause presents the specifications of the package Containers and several child packages, which provide facilities for storing collections of elements.

1.a/5

Term entry: container — structured object that represents a collection of elements all of the same (potentially class-wide) type, such as a vector or a tree
Note: Several predefined container types are provided by the children of package Ada.Containers (see A.18.1).

2/5

A variety of sequence and associative containers are provided. Each container package defines a cursor type as well as a container type. A cursor is a reference to an element within a container. Many operations on cursors are common to all of the containers. A cursor referencing an element in a container is considered to be overlapping only with the element itself.

2.a/5
reason

The last sentence is intended to clarify that operations that just use a cursor do not interfere if the cursor objects designated different elements of the container in terms of the concurrent call rules of Annex A.

2.b/5
ramification

A cursor is not considered to overlap with other elements of the associated container, thus parallel operations involving a set of cursors each operating on mutually exclusive sets of elements from the same container are expected to work.

2.c/5
discussion

We use the term “container” alone when it is clear from context what kind of entity (package, type, or object) that we are talking about. Otherwise, we use “container package”, “container type”, or “container object”. Note that "container type" is defined in 4.3.5 for a different usage; in all of A.18 we mean “container type” to be one of the primary types declared in the child packages of package Containers, such as Vector, List, or Map.

2.1/5

Some operations of the language-defined child units of Ada.Containers have access-to-subprogram parameters. To ensure such operations are well-defined, they guard against certain actions by the designated subprogram. An action on a container that can add or remove an element is considered to tamper with cursors, and these are prohibited during all such operations. An action on a container that can replace an element with one of a different size is considered to tamper with elements, and these are prohibited during certain of such operations. The details of the specific actions that are considered to tamper with cursors or elements are defined for each child unit of Ada.Containers.

2.2/5

Several of the language-defined child units of Ada.Containers include a nested package named Stable, which provides a view of a container that prohibits any operations that would tamper with elements. By using a Stable view for manipulating a container, the number of tampering checks performed while performing the operations can be reduced. The details of the Stable subpackage are defined separately for each child unit of Ada.Containers that includes such a nested package.

3/2

Within this clause we provide O(X). Presuming f is some function of a length parameter N and t(N) is the time the operation takes (on average or worst case, as specified) for the length N, a complexity of O(f(N)) means that there exists a finite A such that for any N, t(N)/f(N) < A.

3.a/2
discussion

Of course, an implementation can do better than a specified O(f(N)): for example, O(1) meets the requirements for O(log N).

3.b/2

This concept seems to have as many names as there are authors. We used “Landau symbol” because that's what our reference does. But we'd also seen this referred as big-O notation (sometimes written as big-oh), and as Bachmann notation. Whatever the name, it always has the above definition.

4/2

If the advice suggests that the complexity should be less than O(f(N)), then for any arbitrarily small positive real D, there should exist a positive integer M such that for all N > M, t(N)/f(N) < D.

5/5

When a formal function is used to provide an ordering for a container, it is generally required to define a strict weak ordering. A function "<" defines a strict weak ordering if it is irreflexive, asymmetric, transitive, and in addition, if x < y for any values x and y, then for all other values z, (x < z) or (z < y). Elements are in a smallest first order using such an operator if, for every element y with a predecessor x in the order, (y < x) is false.

5.a.1/5
reason

Given a "<" operator that provides a strict weak ordering, knowing that (y < x) is false is enough to know that (x <= y) is true. For a strict weak ordering, (x = y) when both (x < y) and (y < x) are false. Therefore, it is not necessary to use the "=" operator or test (x < y). We only need to discuss adjacent elements since a strict weak ordering is transitive.

Language Design Principles

5.a/3

This subclause provides a number of useful containers for Ada. Only the most useful containers are provided. Ones that are relatively easy to code, redundant, or rarely used are omitted from this set, even if they are generally included in containers libraries.

5.b/2

The containers packages are modeled on the Standard Template Library (STL), an algorithms and data structure library popularized by Alexander Stepanov, and included in the C++ standard library. The structure and terminology differ from the STL where that better maps to common Ada usage. For instance, what the STL calls “iterators” are called “cursors” here.

5.c/2

The following major nonlimited containers are provided:

5.d/2
  • (Expandable) Vectors of any nonlimited type;
  • 5.e/2
  • Doubly-linked Lists of any nonlimited type;
  • 5.f/2
  • Hashed Maps keyed by any nonlimited hashable type, and containing any nonlimited type;
  • 5.g/2
  • Ordered Maps keyed by any nonlimited ordered type, and containing any nonlimited type;
  • 5.h/3
  • Hashed Sets of any nonlimited hashable type;
  • 5.i/3
  • Ordered Sets of any nonlimited ordered type;
  • 5.i.1/3
  • Multiway Trees of any nonlimited type;
  • 5.i.2/3
  • Holders of any (indefinite) nonlimited type;
  • 5.i.3/3
  • Synchronized queues of any definite nonlimited type; and
  • 5.i.4/3
  • Priority queues of any definite nonlimited type.
5.j/3

Separate versions for definite and indefinite element types are provided, as those for definite types can be implemented more efficiently. Similarly, a separate bounded version is provided in order to give more predictable memory usage.

5.k/2

Each container includes a cursor, which is a reference to an element within a container. Cursors generally remain valid as long as the container exists and the element referenced is not deleted. Many operations on cursors are common to all of the containers. This makes it possible to write generic algorithms that work on any kind of container.

5.l/2

The containers packages are structured so that additional packages can be added in the future. Indeed, we hope that these packages provide the basis for a more extensive secondary standard for containers.

5.m/2

If containers with similar functionality (but different performance characteristics) are provided (by the implementation or by a secondary standard), we suggest that a prefix be used to identify the class of the functionality: "Ada.Containers.Bounded_Sets" (for a set with a maximum number of elements); "Ada.Containers.Protected_Maps" (for a map which can be accessed by multiple tasks at one time); "Ada.Containers.Persistent_Vectors" (for a persistent vector which continues to exist between executions of a program) and so on.

5.n/2

Note that the language already includes several requirements that are important to the use of containers. These include:

5.o/5
  • Library packages must allow concurrent calls – multiple tasks can use the packages as long as they operate on separate containers. Thus, it is only necessary for a user to protect a container if a single container needs to be used by multiple tasks and concurrent calls to operations of the container have overlapping parameters.
  • 5.p/2
  • Language-defined types must stream "properly". That means that the stream attributes can be used to implement persistence of containers when necessary, and containers can be passed between partitions of a program.
  • 5.q/2
  • Equality of language-defined types must compose “properly”. This means that the version of "=" directly used by users is the same one that will be used in generics and in predefined equality operators of types with components of the containers and/or cursors. This prevents the abstraction from breaking unexpectedly.
  • 5.q.1/3
  • Redispatching is not allowed (unless it is required). That means that overriding a container operation will not change the behavior of any other predefined container operation. This provides a stable base for extensions.
5.r/5

If a container's element type is controlled, the point at which the element is finalized will depend on the implementation of the container. For certain kinds of containers, we require finalization behavior based on the canonical implementation of the container (see the Implementation Requirements below). For the "normal" containers, we do not specify precisely where this will happen (it will happen no later than the finalization of the container, of course) in order to give implementations flexibility to cache, block, split , or reusethe nodes of the container.

5.s/5
This paragraph was deleted.
5.t/2

The use of controlled types also brings up the possibility of failure of finalization (and thus deallocation) of an element. This is a “serious bug”, as AI95-179 puts it, so we don't try to specify what happens in that case. The implementation should propagate the exception.

5.u/2
implementation note

It is expected that exceptions propagated from these operations do not damage containers. That is, if Storage_Error is propagated because of an allocation failure, or Constraint_Error is propagated by the assignment of elements, the container can continue to be used without further exceptions. The intent is that it should be possible to recover from errors without losing data. We don't try to state this formally in most cases, because it is hard to define precisely what is and is not allowed behavior.

5.v/5
implementation note

When this clause says that the behavior of something is unspecified, we really mean that any result of executing Ada code short of erroneous execution is allowed. We do not mean that memory not belonging to the parameters of the operation can be trashed. When we mean to allow erroneous behavior, we specifically say that execution is erroneous. All this means that, if the containers are written in Ada, checks should not be suppressed or removed assuming some behavior of other code, and that the implementation should take care to avoid creating internal dangling accesses by assuming behavior from generic formals that can't be guaranteed. We don't try to say this normatively because it would be fairly complex, and implementers are unlikely to increase their support costs by fielding implementations that are unstable if given buggy hash functions, et al.

Static Semantics

6/5

Certain subprograms declared within instances of some of the generic packages presented in this clause are said to perform indefinite insertion. These subprograms are those corresponding (in the sense of the copying described in 12.3) to subprograms that have formal parameters of a generic formal indefinite type and that are identified as performing indefinite insertion in the subclause defining the generic package.

7/5

If a subprogram performs indefinite insertion, then certain run-time checks are performed as part of a call to the subprogram; if any of these checks fail, then the resulting exception is propagated to the caller and the container is not modified by the call. These checks are performed for each parameter corresponding (in the sense of the copying described in 12.3) to a parameter in the corresponding generic whose type is a generic formal indefinite type. The checks performed for a given parameter are those checks explicitly specified in 4.8 that would be performed as part of the evaluation of an initialized allocator whose access type is declared immediately within the instance, where:

8/4
  • the value of the qualified_expression is that of the parameter; and
  • 9/4
  • the designated subtype of the access type is the subtype of the parameter; and
  • 10/4
  • finalization of the collection of the access type has started if and only if the finalization of the instance has started.
10.a/5
discussion

The phrase "explicitly specified" means those checks for which 4.8 includes the phrase "<some exception> is raised if ...". It does not refer, for example, to any checks performed as part of any subtype conversion. In particular, this wording includes the checks described in 4.8 to be performed in the case of a class-wide designated type, and of a designated subtype that has access discriminant parts. These checks are needed to prevent containers from outliving their contained (Element_Type or Key_Type) values.

10.b/4
implementation note

These rules have a dual purpose. Mainly, we are requiring checks needed to prevent dangling references. As a side effect, we are also allowing checks needed to permit an implementation of a container generic to make use of access types in a straightforward way. As an example of the second purpose, suppose that an implementation does declare such an access type and suppose further that the finalization of the collection of the access type has started. These rules allow Program_Error to be propagated in this case (as specified in 4.8); this is necessary to allow an all-Ada implementation of these packages.

Implementation Requirements

11/5

For an indefinite container (one whose type is defined in an instance of a child package of Containers whose defining_identifier contains "Indefinite"), each element of the container shall be created when it is inserted into the container and finalized when it is deleted from the container (or when the container object is finalized if the element has not been deleted). For a bounded container (one whose type is defined in an instance of a child package of Containers whose defining_identifier starts with "Bounded") that is not an indefinite container, all of the elements of the capacity of the container shall be created and default initialized when the container object is created; the elements shall be finalized when the container object is finalized. [For other kinds of containers, when elements are created and finalized is unspecified.]

11.a/5
ramification

This allows a user to be able to reason about the behavior of elements that have controlled parts. In most cases, such elements need to be stored in an indefinite container.

11.b/5
implementation note

If the containers are implemented in Ada, this implies that elements for an indefinite container are allocated individually, and that a bounded container contains an array of elements or other data structure that is initialized for the entire capacity of the container when it is created. There is no such restriction on the implementation of the "normal" containers; these can be handled in any way convenient to the implementation — in particular, node reuse is allowed.

12/5

For an instance I of a container package with a container type, the specific type T of the object returned from a function that returns an object of an iterator interface, as well as the primitive operations of T, shall be nonblocking. The Global aspect specified for T and the primitive operations of T shall be (in all, out synchronized) or a specification that allows access to fewer global objects.

12.a/5
implementation note

This requires that the traversal and iteration operations of a container do not create, destroy, or assign any objects of a formal type of I, nor call any formal subprograms of I. Those objects and subprograms might be blocking (depending on the actual parameters). We put similar requirements on the individual traversal operations in the container package definitions.

12.b/5
reason

These requirements allows users to use container iterators inside of parallel constructs, regardless of the actual parameters to the instantiation. If such an iterator allowed blocking, it would be illegal inside of a parallel construct (see 9.5). If such an iterator allowed writing of unsynchronized global objects, it would be illegal when the default conflict checking policy is in effect (see 9.10.1). These requirements include sequential iterators; the iterator does not need to appear in a parallel loop to trigger these requirements.

12.c/5
discussion

We have to give these requirements as a text rule, as there is no place to declare suitable aspects. The specific type of a container iterator is declared by the implementation and is not part of the visible specification (iterator functions just return a value of a class-wide type). The iterator interface itself cannot impose such a requirement since it needs to be able to work with user-defined types that do need to allow blocking. We give this as a global requirement to avoid duplication.

Extensions to Ada 95

12.d/3

This subclause is new. It just provides an introduction to the following subclauses.

Wording Changes from Ada 2005

12.e/3
correction

Added a definition of strict weak ordering.

Extensions to Ada 2012

12.f/5
correction

We now say that a cursor only overlaps with the element it designates, rather than with the whole container. This allows some reading operations to operate on the container in parallel without separate synchronization.

Wording Changes from Ada 2012

12.g/4

Corrigendum: Added a definition of “performs indefinite insertion”. This is used in other subclauses and any resulting inconsistencies are documented there.

12.h/5

Moved the basic description of tampering checks here, to cut duplication in description of the individual containers. Added a description of stable views of containers.

12.i/5

Added a global requirement that iterators returned from containers are nonblocking if the instance is nonblocking.

12.j/5
correction

Defined when objects are created and finalized for Bounded and Indefinite containers, so that these can be used reliably with controlled element types. This is not incompatible as this behavior was previously unspecified; code depending on specific behavior was wrong.

12.k/5

Added a definition of “smallest first” ordering, so that the behavior of the Sort procedures when elements are equal is well-defined.

A.18.1 The Package Containers

1/2

The package Containers is the root of the containers subsystem.

Static Semantics

2/2

The library package Containers has the following declaration:

3/5

package Ada.Containers with Pure is 4/2 type Hash_Type is mod implementation-defined; 5/2 type Count_Type is range 0 .. implementation-defined; 5.1/3

Capacity_Error : exception; 6/2 end Ada.Containers;

7/2

Hash_Type represents the range of the result of a hash function. Count_Type represents the (potential or actual) number of elements of a container.

7.a/2
implementation defined

The value of Containers.Hash_Type'Modulus. The value of Containers.Count_Type'Last.

7.1/3

Capacity_Error is raised when the capacity of a container is exceeded.

Implementation Advice

8/2

Hash_Type'Modulus should be at least 2**32. Count_Type'Last should be at least 2**31–1.

8.a/2
implementation advice

Containers.Hash_Type'Modulus should be at least 2**32. Containers.Count_Type'Last should be at least 2**31–1.

8.b/2
discussion

This is not a requirement so that these types can be declared properly on machines with native sizes that are not 32 bits. For instance, a 24-bit target could use 2**24 for Hash_Type'Modulus.

Extensions to Ada 95

8.c/2

The package Containers is new.

Incompatibilities With Ada 2005

8.d/3

Exception Capacity_Error is added to Containers. If Containers is referenced in a use_clause, and an entity with the name Capacity_Error is defined in a package that is also referenced in a use_clause, the entity Capacity_Error may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

A.18.2 The Generic Package Containers.Vectors

1/2

The language-defined generic package Containers.Vectors provides private types Vector and Cursor, and a set of operations for each type. A vector container allows insertion and deletion at any position, but it is specifically optimized for insertion and deletion at the high end (the end with the higher index) of the container. A vector container also provides random access to its elements.

2/2

A vector container behaves conceptually as an array that expands as necessary as items are inserted. The length of a vector is the number of elements that the vector contains. The capacity of a vector is the maximum number of elements that can be inserted into the vector prior to it being automatically expanded.

3/2

Elements in a vector container can be referred to by an index value of a generic formal type. The first element of a vector always has its index value equal to the lower bound of the formal type.

4/2

A vector container may contain empty elements. Empty elements do not have a specified value.

4.a/2
implementation note

Vectors are not intended to be sparse (that is, there are elements at all defined positions). Users are expected to use other containers (like a Map) when they need sparse structures (there is a Note to this effect at the end of this subclause).

4.b/2

The internal array is a conceptual model of a vector. There is no requirement for an implementation to be a single contiguous array.

Static Semantics

5/2

The generic library package Containers.Vectors has the following declaration:

6/5

with Ada.Iterator_Interfaces; generic type Index_Type is range <>; type Element_Type is private; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Vectors with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

6.a/5
discussion

For the Global aspect, any side-effects of the actual parameters of an instance are ignored. So Global => in out synchronized means that the only global side-effects allowed are associated with the actual generic parameters of the instance or with any synchronized state. Unsynchronized package state is not allowed for any container package, and pure packages do not allow any package state at all (they typically have Global => null).

6.b/5

Similarly, when Nonblocking is set to True for a generic unit, it still includes the blocking effects of the actual parameters to the instance. Thus, the only blocking allowed is that associated with the actual generic parameters. If none of the actual paramerters allow blocking, then no operation of the generic instance may block.

7/2

subtype Extended_Index is Index_Type'Base range Index_Type'First-1 .. Index_Type'Min (Index_Type'Base'Last - 1, Index_Type'Last) + 1; No_Index : constant Extended_Index := Extended_Index'First;

7.a/5
ramification

The base type of a scalar type is always nonblocking and has Global => null. Therefore, so long as this type is used in the implementation, whether or not the actual type for Index_Type allows blocking or side-effects does not matter. Therefore, we require that operations that only operate on the container implementation be nonblocking and have Global => null regardless of the actual parameters.

8/5

type Vector is tagged private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Vector, Aggregate => (Empty => Empty, Add_Unnamed => Append, New_Indexed => New_Vector, Assign_Indexed => Replace_Element), Stable_Properties => (Length, Capacity, Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited), Default_Initial_Condition => Length (Vector) = 0 and then (not Tampering_With_Cursors_Prohibited (Vector)) and then (not Tampering_With_Elements_Prohibited (Vector)), Preelaborable_Initialization; 9/5

type Cursor is private with Preelaborable_Initialization; 10/2 Empty_Vector : constant Vector; 11/2 No_Element : constant Cursor; 11.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

11.a/5
discussion

Any operation that takes a cursor but no vector can read the vector associated with the cursor. We only know that there is some object of type Vector. Since we don't have a global specification that describes all objects of a specific type, we have to allow reading any object by specifying in all. For such functions, we don't allow writing any object, even those associated with generic formal parameters, thus we also specify Use_Formal => null.

11.2/5

function Has_Element (Container : Vector; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

11.b/5
discussion

For operations that do not depend on any of the operations of the generic formal parameters (including those of formal types), we specify that the operation has no side-effects of any kind. This requires specifying that there is no dependence on the generic formal parameters with Use_Formal => null in addition to no usual side-effects with null. We also specify Nonblocking on such operations in order that the operation never blocks even if some of the actual parameters allow blocking.

11.3/5

package Vector_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 12/2 function "=" (Left, Right : Vector) return Boolean; 12.1/5

function Tampering_With_Cursors_Prohibited (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null; 12.2/5

function Tampering_With_Elements_Prohibited (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null; 12.3/5

function Maximum_Length return Count_Type with Nonblocking, Global => null, Use_Formal => null; 12.4/5

function Empty (Capacity : Count_Type := implementation-defined) return Vector with Pre => Capacity <= Maximum_Length or else raise Constraint_Error, Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 13/5

function To_Vector (Length : Count_Type) return Vector with Pre => Length <= Maximum_Length or else raise Constraint_Error, Post => To_Vector'Result.Length = Length and then not Tampering_With_Elements_Prohibited (To_Vector'Result) and then not Tampering_With_Cursors_Prohibited (To_Vector'Result) and then To_Vector'Result.Capacity >= Length; 14/5

function To_Vector (New_Item : Element_Type; Length : Count_Type) return Vector with Pre => Length <= Maximum_Length or else raise Constraint_Error, Post => To_Vector'Result.Length = Length and then not Tampering_With_Elements_Prohibited (To_Vector'Result) and then not Tampering_With_Cursors_Prohibited (To_Vector'Result) and then To_Vector'Result.Capacity >= Length; 14.1/5

function New_Vector (First, Last : Index_Type) return Vector is (To_Vector (Count_Type (Last - First + 1))) with Pre => First = Index_Type'First; 15/5

function "&" (Left, Right : Vector) return Vector with Pre => Length (Left) <= Maximum_Length - Length (Right) or else raise Constraint_Error, Post => Length (Vectors."&"'Result) = Length (Left) + Length (Right) and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Left) + Length (Right); 16/5

function "&" (Left : Vector; Right : Element_Type) return Vector with Pre => Length (Left) <= Maximum_Length - 1 or else raise Constraint_Error, Post => Vectors."&"'Result.Length = Length (Left) + 1 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Left) + 1; 17/5

function "&" (Left : Element_Type; Right : Vector) return Vector with Pre => Length (Right) <= Maximum_Length - 1 or else raise Constraint_Error, Post => Length (Vectors."&"'Result) = Length (Right) + 1 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Right) + 1; 18/5

function "&" (Left, Right : Element_Type) return Vector with Pre => Maximum_Length >= 2 or else raise Constraint_Error, Post => Length ("&"'Result) = 2 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= 2; 19/5

function Capacity (Container : Vector) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 20/5

procedure Reserve_Capacity (Container : in out Vector; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity; 21/5

function Length (Container : Vector) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 22/5

procedure Set_Length (Container : in out Vector; Length : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length <= Maximum_Length or else raise Constraint_Error), Post => Container.Length = Length and then Capacity (Container) >= Length; 23/5

function Is_Empty (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 24/5

procedure Clear (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0; 25/5

function To_Cursor (Container : Vector; Index : Extended_Index) return Cursor with Post => (if Index in First_Index (Container) .. Last_Index (Container) then Has_Element (Container, To_Cursor'Result) else To_Cursor'Result = No_Element), Nonblocking, Global => null, Use_Formal => null; 26/5

function To_Index (Position : Cursor) return Extended_Index with Nonblocking, Global => in all; 26.1/5

function To_Index (Container : Vector; Position : Cursor) return Extended_Index with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then To_Index'Result = No_Index else To_Index'Result in First_Index (Container) .. Last_Index (Container)), Nonblocking, Global => null, Use_Formal => null; 27/5

function Element (Container : Vector; Index : Index_Type) return Element_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Nonblocking, Global => null, Use_Formal => Element_Type;

27.a/5
discussion

Here the Nonblocking and Global contracts are saying that Element depends on the properties of the actual for Element_Type, but not on the properties of the actuals for Index_Type or "=". This is necessary as copying the element may require calling Adjust and Finalize for the actual Element_Type, and those may have side-effects or block.

28/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type; 28.1/5

function Element (Container : Vector; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 29/5

procedure Replace_Element (Container : in out Vector; Index : in Index_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error); 30/5

procedure Replace_Element (Container : in out Vector; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 31/5

procedure Query_Element (Container : in Vector; Index : in Index_Type; Process : not null access procedure (Element : in Element_Type)) with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error; 32/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 32.1/5

procedure Query_Element (Container : in Vector; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 33/5

procedure Update_Element (Container : in out Vector; Index : in Index_Type; Process : not null access procedure (Element : in out Element_Type)) with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error; 34/5

procedure Update_Element (Container : in out Vector; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 34.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

34.a/5
discussion

Finalization of this type will update the tampering counter of an associated container. We know this has to be an object of type Vector, but we don't have a way to specify that. We need this separate Global in case an object of this type is declared to exist separately from the short-lived object associated with a call of the Constant_Reference function.

34.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 34.3/5

function Constant_Reference (Container : aliased in Vector; Index : in Index_Type) return Constant_Reference_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 34.4/5

function Reference (Container : aliased in out Vector; Index : in Index_Type) return Reference_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 34.5/5

function Constant_Reference (Container : aliased in Vector; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 34.6/5

function Reference (Container : aliased in out Vector; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 34.7/5

procedure Assign (Target : in out Vector; Source : in Vector) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Target); 34.8/5

function Copy (Source : Vector; Capacity : Count_Type := 0) return Vector with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity >= (if Capacity = 0 then Length (Source) else Capacity); 35/5

procedure Move (Target : in out Vector; Source : in out Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source)'Old and then Length (Source) = 0 and then Capacity (Target) >= Length (Source)'Old); 36/5

procedure Insert_Vector (Container : in out Vector; Before : in Extended_Index; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container); 37/5

procedure Insert_Vector (Container : in out Vector; Before : in Cursor; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container); 38/5

procedure Insert_Vector (Container : in out Vector; Before : in Cursor; New_Item : in Vector; Position : out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container); 39/5

procedure Insert (Container : in out Vector; Before : in Extended_Index; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 40/5

procedure Insert (Container : in out Vector; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 41/5

procedure Insert (Container : in out Vector; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container); 42/5

procedure Insert (Container : in out Vector; Before : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 43/5

procedure Insert (Container : in out Vector; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container); 44/5

procedure Prepend_Vector (Container : in out Vector; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container); 45/5

procedure Prepend (Container : in out Vector; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 46/5

procedure Append_Vector (Container : in out Vector; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container); 47/5

procedure Append (Container : in out Vector; New_Item : in Element_Type; Count : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 47.1/5

procedure Append (Container : in out Vector; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - 1 or else raise Constraint_Error), Post => Length (Container)'Old + 1 = Length (Container) and then Capacity (Container) >= Length (Container); 48/5

procedure Insert_Space (Container : in out Vector; Before : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container); 49/5

procedure Insert_Space (Container : in out Vector; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container); 50/5

procedure Delete (Container : in out Vector; Index : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Index in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error), Post => Length (Container)'Old - Count <= Length (Container); 51/5

procedure Delete (Container : in out Vector; Position : in out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container)'Old - Count <= Length (Container) and then Position = No_Element; 52/5

procedure Delete_First (Container : in out Vector; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container); 53/5

procedure Delete_Last (Container : in out Vector; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container); 54/5

procedure Reverse_Elements (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error; 55/5

procedure Swap (Container : in out Vector; I, J : in Index_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error) and then (J in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error); 56/5

procedure Swap (Container : in out Vector; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error); 57/5

function First_Index (Container : Vector) return Index_Type with Nonblocking, Global => null, Use_Formal => null, Post => First_Index'Result = Index_Type'First; 58/5

function First (Container : Vector) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 59/5

function First_Element (Container : Vector) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 60/5

function Last_Index (Container : Vector) return Extended_Index with Nonblocking, Global => null, Use_Formal => null, Post => (if Length (Container) = 0 then Last_Index'Result = No_Index else Count_Type(Last_Index'Result - Index_Type'First) = Length (Container) - 1); 61/5

function Last (Container : Vector) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element); 62/5

function Last_Element (Container : Vector) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 63/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 63.1/5

function Next (Container : Vector; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Has_Element (Container, Next'Result) then To_Index (Container, Next'Result) = To_Index (Container, Position) + 1 elsif Next'Result = No_Element then Position = Last (Container) else False); 64/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 64.1/5

procedure Next (Container : in Vector; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 65/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element); 65.1/5

function Previous (Container : Vector; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Has_Element (Container, Previous'Result) then To_Index (Container, Previous'Result) = To_Index (Container, Position) - 1 elsif Previous'Result = No_Element then Position = First (Container) else False); 66/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 66.1/5

procedure Previous (Container : in Vector; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 67/2 function Find_Index (Container : Vector; Item : Element_Type; Index : Index_Type := Index_Type'First) return Extended_Index; 68/5

function Find (Container : Vector; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 69/2 function Reverse_Find_Index (Container : Vector; Item : Element_Type; Index : Index_Type := Index_Type'Last) return Extended_Index; 70/5

function Reverse_Find (Container : Vector; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Reverse_Find'Result /= No_Element then Has_Element (Container, Reverse_Find'Result)); 71/2 function Contains (Container : Vector; Item : Element_Type) return Boolean; 72/3

This paragraph was deleted. 73/5

procedure Iterate (Container : in Vector; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 74/5

procedure Reverse_Iterate (Container : in Vector; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 74.1/5

function Iterate (Container : in Vector) return Vector_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 74.2/5

function Iterate (Container : in Vector; Start : in Cursor) return Vector_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 75/5

generic with function "<" (Left, Right : Element_Type) return Boolean is <>; package Generic_Sorting with Nonblocking, Global => null is 76/2 function Is_Sorted (Container : Vector) return Boolean; 77/5

procedure Sort (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error; 78/5

procedure Merge (Target : in out Vector; Source : in out Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Length (Target) <= Maximum_Length - Length (Source) or else raise Constraint_Error) and then ((Length (Source) = 0 or else not Target'Has_Same_Storage (Source)) or else raise Program_Error), Post => (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin (Length (Source) = 0 and then Length (Target) = Result_Length and then Capacity (Target) >= Result_Length)); 79/2 end Generic_Sorting; 79.1/5

package Stable is 79.2/5

type Vector (Base : not null access Vectors.Vector) is tagged limited private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length, Capacity), Global => null, Default_Initial_Condition => Length (Vector) = 0, Preelaborable_Initialization;

79.a/5
discussion

The Global of null assumes that the user of a stable object is including effects associated with the access discriminant. For operations with in parameters (after any overriding), the object designated by the access discriminant is assumed to be read, and for other operations (including initialization and finalization) the object designated by the access discriminant is assumed to be read and updated.

79.3/5

type Cursor is private with Preelaborable_Initialization; 79.4/5

Empty_Vector : constant Vector; 79.5/5

No_Element : constant Cursor; 79.6/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 79.7/5

package Vector_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 79.8/5

procedure Assign (Target : in out Vectors.Vector; Source : in Vector) with Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Target); 79.9/5

function Copy (Source : Vectors.Vector) return Vector with Post => Length (Copy'Result) = Length (Source); 79.10/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 79.11/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 79.12/5

-- Additional subprograms as described in the text -- are declared here. 79.13/5

private 79.14/5

... -- not specified by the language 79.15/5

end Stable; 80/2 private 81/2 ... -- not specified by the language 82/2 end Ada.Containers.Vectors;

83/2

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the functions defined to use it return an unspecified value. The exact arguments and number of calls of this generic formal function by the functions defined to use it are unspecified.

83.a/2
ramification

The “functions defined to use it” are Find, Find_Index, Reverse_Find, Reverse_Find_Index, and "=" for Vectors. This list is a bit too long to give explicitly.

83.b/2

If the actual function for "=" is not symmetric and consistent, the result returned by any of the functions defined to use "=" cannot be predicted. The implementation is not required to protect against "=" raising an exception, or returning random results, or any other “bad” behavior. And it can call "=" in whatever manner makes sense. But note that only the results of the functions defined to use "=" are unspecified; other subprograms are not allowed to break if "=" is bad.

84/2

The type Vector is used to represent vectors. The type Vector needs finalization (see 7.6).

85/2

Empty_Vector represents the empty vector object. It has a length of 0. If an object of type Vector is not otherwise initialized, it is initialized to the same value as Empty_Vector.

86/2

No_Element represents a cursor that designates no element. If an object of type Cursor is not otherwise initialized, it is initialized to the same value as No_Element.

87/5

The primitive "=" operator for type Cursor returns True if both cursors are No_Element, or designate the same element in the same container.

87.a/5

To be honest: “The primitive "=" operator” is the one with two parameters of type Cursor which returns Boolean. We're not talking about some other (hidden) primitive function named "=".

88/2

Execution of the default implementation of the Input, Output, Read, or Write attribute of type Cursor raises Program_Error.

88.a/2
reason

A cursor will probably be implemented in terms of one or more access values, and the effects of streaming access values is unspecified. Rather than letting the user stream junk by accident, we mandate that streaming of cursors raise Program_Error by default. The attributes can always be specified if there is a need to support streaming.

88.1/5

Vector'Write for a Vector object V writes Length(V) elements of the vector to the stream. It may also write additional information about the vector.

88.2/3

Vector'Read reads the representation of a vector from the stream, and assigns to Item a vector with the same length and elements as was written by Vector'Write.

88.b/3
implementation note

The Reference Manual requires streaming of all language-defined nonlimited types (including containers) to "work" (see 13.13.2). In addition, we do not want all of the elements that make up the capacity of the vector streamed, as those beyond the length of the container have undefined contents (and might cause bad things when read back in). This will require a custom stream attribute implementation; the language-defined default implementation will not work (even for a bounded form, as that would most likely stream the entire capacity of the vector). There is a separate requirement that the unbounded and Bounded form use the same streaming representation for the same element type, see A.18.19.

89/2

No_Index represents a position that does not correspond to any element. The subtype Extended_Index includes the indices covered by Index_Type plus the value No_Index and, if it exists, the successor to the Index_Type'Last.

89.a/2
discussion

We require the existence of Index_Type'First – 1, so that No_Index and Last_Index of an empty vector is well-defined. We don't require the existence of Index_Type'Last + 1, as it is only used as the position of insertions (and needs to be allowed only when inserting an empty vector).

90/5

[Some operations check for “tampering with cursors” of a container because they depend on the set of elements of the container remaining constant, and others check for “tampering with elements” of a container because they depend on elements of the container not being replaced.] When tampering with cursors is prohibited for a particular vector object V, Program_Error is propagated by the finalization of V[, as well as by a call that passes V to certain of the operations of this package, as indicated by the precondition of such an operation]. Similarly, when tampering with elements is prohibited for V, Program_Error is propagated by a call that passes V to certain of the other operations of this package, as indicated by the precondition of such an operation.

Paragraphs 91 through 97 are removed as preconditions now describe these rules.

93.a.1/3
ramification

We don't need to explicitly mention assignment_statement, because that finalizes the target object as part of the operation, and finalization of an object is already defined as tampering with cursors.

97.2/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

97.3/3

Returns True if Position designates an element, and returns False otherwise.

97.c/3

To be honest: This function might not detect cursors that designate deleted elements; such cursors are invalid (see below) and the result of calling Has_Element with an invalid cursor is unspecified (but not erroneous).

97.4/5

function Has_Element (Container : Vector; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

97.5/5

Returns True if Position designates an element in Container, and returns False otherwise.

97.d/5
ramification

If Position is No_Element, Has_Element returns False.

98/2

function "=" (Left, Right : Vector) return Boolean;

99/3

If Left and Right denote the same vector object, then the function returns True. If Left and Right have different lengths, then the function returns False. Otherwise, it compares each element in Left to the corresponding element in Right using the generic formal equality operator. If any such comparison returns False, the function returns False; otherwise, it returns True. Any exception raised during evaluation of element equality is propagated.

99.a/2
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified for all of the operations that use it in this package, so an implementation can call it as many or as few times as it needs to get the correct answer. Specifically, there is no requirement to call the formal equality additional times once the answer has been determined.

99.1/5

function Tampering_With_Cursors_Prohibited (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null;

99.2/5

Returns True if tampering with cursors or tampering with elements is currently prohibited for Container, and returns False otherwise.

99.b/5
reason

Prohibiting tampering with elements also needs to prohibit tampering with cursors, as deleting an element is similar to replacing it.

99.c/5
implementation note

Various contracts elsewhere in this specification require that this function be implemented with synchronized data. Moreover, it is possible for tampering to be prohibited by multiple operations (sequentially or in parallel). Therefore, tampering needs to be implemented with an atomic or protected counter. The counter is initialized to zero, and is incremented when tampering is prohibited, and decremented when leaving an area that prohibited tampering. Function Tampering_With_Cursors_Prohibited returns True if the counter is nonzero. (Note that any case where the result is not well-defined for one task is incorrect use of shared variables and would be erroneous by the rules of 9.10, so no special protection is needed to read the counter.)

99.3/5

function Tampering_With_Elements_Prohibited (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null;

99.4/5

Always returns False[, regardless of whether tampering with elements is prohibited].

99.d/5
reason

A definite element cannot change size, so we allow operations that tamper with elements even when tampering with elements is prohibited. That's not true for the indefinite containers, which is why this kind of tampering exists.

99.5/5

function Maximum_Length return Count_Type with Nonblocking, Global => null, Use_Formal => null;

99.6/5

Returns the maximum Length of a Vector, based on the index type.

99.e/5
implementation note

This is just:

99.f

Count_Type (Index_Type'Last - Index_Type'First + 1)

99.g/5

but since the inner calculation can overflow or the type conversion can fail, this can't be evaluated in general with an expression function. Note that if this expression raises Constraint_Error, then the result is Count_Type'Last, since the Capacity of a Vector cannot exceed Count_Type'Last.

99.7/5

function Empty (Capacity : Count_Type := implementation-defined) return Vector with Pre => Capacity <= Maximum_Length or else raise Constraint_Error, Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

99.8/5

Returns an empty vector.

100/5

function To_Vector (Length : Count_Type) return Vector with Pre => Length <= Maximum_Length or else raise Constraint_Error, Post => To_Vector'Result.Length = Length and then not Tampering_With_Elements_Prohibited (To_Vector'Result) and then not Tampering_With_Cursors_Prohibited (To_Vector'Result) and then To_Vector'Result.Capacity >= Length;

101/2

Returns a vector with a length of Length, filled with empty elements.

102/5

function To_Vector (New_Item : Element_Type; Length : Count_Type) return Vector with Pre => Length <= Maximum_Length or else raise Constraint_Error, Post => To_Vector'Result.Length = Length and then not Tampering_With_Elements_Prohibited (To_Vector'Result) and then not Tampering_With_Cursors_Prohibited (To_Vector'Result) and then To_Vector'Result.Capacity >= Length;

103/2

Returns a vector with a length of Length, filled with elements initialized to the value New_Item.

104/5

function "&" (Left, Right : Vector) return Vector with Pre => Length (Left) <= Maximum_Length - Length (Right) or else raise Constraint_Error, Post => Length (Vectors."&"'Result) = Length (Left) + Length (Right) and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Left) + Length (Right);

105/2

Returns a vector comprising the elements of Left followed by the elements of Right.

106/5

function "&" (Left : Vector; Right : Element_Type) return Vector with Pre => Length (Left) <= Maximum_Length - 1 or else raise Constraint_Error, Post => Vectors."&"'Result.Length = Length (Left) + 1 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Left) + 1;

107/2

Returns a vector comprising the elements of Left followed by the element Right.

108/5

function "&" (Left : Element_Type; Right : Vector) return Vector with Pre => Length (Right) <= Maximum_Length - 1 or else raise Constraint_Error, Post => Length (Vectors."&"'Result) = Length (Right) + 1 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= Length (Right) + 1;

109/2

Returns a vector comprising the element Left followed by the elements of Right.

110/5

function "&" (Left, Right : Element_Type) return Vector with Pre => Maximum_Length >= 2 or else raise Constraint_Error, Post => Length ("&"'Result) = 2 and then not Tampering_With_Elements_Prohibited (Vectors."&"'Result) and then not Tampering_With_Cursors_Prohibited (Vectors."&"'Result) and then Vectors."&"'Result.Capacity >= 2;

111/2

Returns a vector comprising the element Left followed by the element Right.

112/5

function Capacity (Container : Vector) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

113/2

Returns the capacity of Container.

114/5

procedure Reserve_Capacity (Container : in out Vector; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity;

115/3

If the capacity of Container is already greater than or equal to Capacity, then Reserve_Capacity has no effect. Otherwise, Reserve_Capacity allocates additional storage as necessary to ensure that the length of the resulting vector can become at least the value Capacity without requiring an additional call to Reserve_Capacity, and is large enough to hold the current length of Container. Reserve_Capacity then, as necessary, moves elements into the new storage and deallocates any storage no longer needed. Any exception raised during allocation is propagated and Container is not modified.

115.a/2
discussion

Expanding the internal array can be done by allocating a new, longer array, copying the elements, and deallocating the original array. This may raise Storage_Error, or cause an exception from a controlled subprogram. We require that a failed Reserve_Capacity does not lose any elements if an exception occurs, but we do not require a specific order of evaluations or copying.

115.b/2

This routine is used to preallocate the internal array to the specified capacity such that future Inserts do not require memory allocation overhead. Therefore, the implementation should allocate the needed memory to make that true at this point, even though the visible semantics could be preserved by waiting until the memory is needed. This doesn't apply to the indefinite element container, because elements will have to be allocated individually.

115.c/2

The implementation does not have to contract the internal array if the capacity is reduced, as any capacity greater than or equal to the specified capacity is allowed.

116/5

function Length (Container : Vector) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

117/2

Returns the number of elements in Container.

118/5

procedure Set_Length (Container : in out Vector; Length : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length <= Maximum_Length or else raise Constraint_Error), Post => Container.Length = Length and then Capacity (Container) >= Length;

119/3

If Length is larger than the capacity of Container, Set_Length calls Reserve_Capacity (Container, Length), then sets the length of the Container to Length. If Length is greater than the original length of Container, empty elements are added to Container; otherwise, elements are removed from Container.

119.a/2
ramification

No elements are moved by this operation; any new empty elements are added at the end. This follows from the rules that a cursor continues to designate the same element unless the routine is defined to make the cursor ambiguous or invalid; this operation does not do that.

120/5

function Is_Empty (Container : Vector) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0);

121/5

Returns True if Container is empty.

122/5

procedure Clear (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0;

123/2

Removes all the elements from Container. The capacity of Container does not change.

124/5

function To_Cursor (Container : Vector; Index : Extended_Index) return Cursor with Post => (if Index in First_Index (Container) .. Last_Index (Container) then Has_Element (Container, To_Cursor'Result) else To_Cursor'Result = No_Element), Nonblocking, Global => null, Use_Formal => null;

125/5

Returns a cursor designating the element at position Index in Container; returns No_Element if Index does not designate an element. For the purposes of determining whether the parameters overlap in a call to To_Cursor, the Container parameter is not considered to overlap with any object [(including itself)].

125.a/5
reason

Without the preceding rule, concurrent calls to To_Cursor on the same container would interfere by the concurrent call rules in Annex A, since the container object of the concurrent calls would overlap with itself. We want these to not interfere, for example to allow the Vector elements to be split into separate “chunks” for parallel processing.

126/5

function To_Index (Position : Cursor) return Extended_Index with Nonblocking, Global => in all, Use_Formal => null;

127/2

If Position is No_Element, No_Index is returned. Otherwise, the index (within its containing vector) of the element designated by Position is returned.

127.a/2
ramification

This implies that the index is determinable from a bare cursor alone. The basic model is that a vector cursor is implemented as a record containing an access to the vector container and an index value. This does constrain implementations, but it also allows all of the cursor operations to be defined in terms of the corresponding index operation (which should be primary for a vector).

127.1/5

function To_Index (Container : Vector; Position : Cursor) return Extended_Index with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then To_Index'Result = No_Index else To_Index'Result in First_Index (Container) .. Last_Index (Container)), Nonblocking, Global => null, Use_Formal => null;

127.2/5

Returns the index (within Container) of the element designated by Position; returns No_Index if Position does not designate an element. For the purposes of determining whether the parameters overlap in a call to To_Index, the Container parameter is not considered to overlap with any object [(including itself)].

128/5

function Element (Container : Vector; Index : Index_Type) return Element_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Nonblocking, Global => null, Use_Formal => Element_Type;

129/5

Element returns the element at position Index.

130/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type;

131/5

Element returns the element designated by Position.

131.1/5

function Element (Container : Vector; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type;

131.2/5

Element returns the element designated by Position in Container.

132/5

procedure Replace_Element (Container : in out Vector; Index : in Index_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error);

133/5

Replace_Element assigns the value New_Item to the element at position Index. Any exception raised during the assignment is propagated. The element at position Index is not an empty element after successful call to Replace_Element. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)], and the Index parameter is considered to overlap with the element at position Index.

134/5

procedure Replace_Element (Container : in out Vector; Position : in Cursor; New_Item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

135/5

Replace_Element assigns New_Item to the element designated by Position. Any exception raised during the assignment is propagated. The element at Position is not an empty element after successful call to Replace_Element. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)].

135.a/3
ramification

Replace_Element, Update_Element, and Reference are the only ways that an element can change from empty to nonempty. Also see the note following Update_Element.

136/5

procedure Query_Element (Container : in Vector; Index : in Index_Type; Process : not null access procedure (Element : in Element_Type)) with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error;

137/5

Query_Element calls Process.all with the element at position Index as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

137.a/2
reason

The “tamper with the elements” check is intended to prevent the Element parameter of Process from being replaced or deleted outside of Process. The check prevents data loss (if Element_Type is passed by copy) or erroneous execution (if Element_Type is an unconstrained type in an indefinite container).

138/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error Global => in all;

139/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of the vector that contains the element designated by Position is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

139.1/5

procedure Query_Element (Container : in Vector; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

139.2/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

140/5

procedure Update_Element (Container : in out Vector; Index : in Index_Type; Process : not null access procedure (Element : in out Element_Type)) with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error;

141/5

Update_Element calls Process.all with the element at position Index as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

142/2

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

142.a/2
ramification

This means that the elements cannot be directly allocated from the heap; it must be possible to change the discriminants of the element in place.

143/2

The element at position Index is not an empty element after successful completion of this operation.

143.a/2
ramification

Since reading an empty element is a bounded error, attempting to use this procedure to replace empty elements may fail. Use Replace_Element to do that reliably.

144/5

procedure Update_Element (Container : in out Vector; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

145/5

Update_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

146/2

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

147/2

The element designated by Position is not an empty element after successful completion of this operation.

147.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 147.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

147.3/3

The types Constant_Reference_Type and Reference_Type need finalization.

147.4/5

This paragraph was deleted.

147.a/3
reason

It is expected that Reference_Type (and Constant_Reference_Type) will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

147.5/5

function Constant_Reference (Container : aliased in Vector; Index : in Index_Type) return Constant_Reference_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

147.6/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a vector given an index value.

147.7/5

Constant_Reference returns an object whose discriminant is an access value that designates the element at position Index. Tampering with the elements of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

147.8/5

function Reference (Container : aliased in out Vector; Index : in Index_Type) return Reference_Type with Pre => Index in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

147.9/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a vector given an index value.

147.10/5

Reference returns an object whose discriminant is an access value that designates the element at position Index. Tampering with the elements of Container is prohibited while the object returned by Reference exists and has not been finalized.

147.11/3

The element at position Index is not an empty element after successful completion of this operation.

147.12/5

function Constant_Reference (Container : aliased in Vector; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

147.13/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a vector given a cursor.

147.14/5

Constant_Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

147.15/5

function Reference (Container : aliased in out Vector; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

147.16/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a vector given a cursor.

147.17/5

Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Reference exists and has not been finalized.

147.18/3

The element designated by Position is not an empty element after successful completion of this operation.

147.19/3

procedure Assign (Target : in out Vector; Source : in Vector) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Target);

147.20/3

If Target denotes the same object as Source, the operation has no effect. If the length of Source is greater than the capacity of Target, Reserve_Capacity (Target, Length (Source)) is called. The elements of Source are then copied to Target as for an assignment_statement assigning Source to Target (this includes setting the length of Target to be that of Source).

147.b/3
discussion

This routine exists for compatibility with the bounded vector container. For an unbounded vector, Assign(A, B) and A := B behave identically. For a bounded vector, := will raise an exception if the container capacities are different, while Assign will not raise an exception if there is enough room in the target.

147.21/5

function Copy (Source : Vector; Capacity : Count_Type := 0) return Vector with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity >= (if Capacity = 0 then Length (Source) else Capacity);

147.22/5

Returns a vector whose elements are initialized from the corresponding elements of Source.

148/5

procedure Move (Target : in out Vector; Source : in out Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source)'Old and then Length (Source) = 0 and then Capacity (Target) >= Length (Source)'Old);

149/5

If Target denotes the same object as Source, then the operation has no effect. Otherwise, Move first calls Reserve_Capacity (Target, Length (Source)) and then Clear (Target); then, each element from Source is removed from Source and inserted into Target in the original order.

149.a/2
implementation advice

The idea is that the internal array is removed from Source and moved to Target. (See the for Move). If Capacity (Target) /= 0, the previous internal array may need to be deallocated. We don't mention this explicitly, because it is covered by the "no memory loss" Implementation Requirement.

150/5

procedure Insert_Vector (Container : in out Vector; Before : in Extended_Index; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container);

151/5

If Length(New_Item) is 0, then Insert_Vector does nothing. Otherwise, it computes the new length NL as the sum of the current length and Length (New_Item); if the value of Last appropriate for length NL would be greater than Index_Type'Last, then Constraint_Error is propagated.

152/5

If the current vector capacity is less than NL, Reserve_Capacity (Container, NL) is called to increase the vector capacity. Then Insert_Vector slides the elements in the range Before .. Last_Index (Container) up by Length(New_Item) positions, and then copies the elements of New_Item to the positions starting at Before. Any exception raised during the copying is propagated.

152.a/2
ramification

Moving the elements does not necessarily involve copying. Similarly, since Reserve_Capacity does not require the copying of elements, it does not need to be explicitly called (the implementation can combine the operations if it wishes to).

153/5

procedure Insert_Vector (Container : in out Vector; Before : in Cursor; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container);

154/5

If Length(New_Item) is 0, then Insert_Vector does nothing. If Before is No_Element, then the call is equivalent to Insert_Vector (Container, Last_Index (Container) + 1, New_Item); otherwise, the call is equivalent to Insert_Vector (Container, To_Index (Before), New_Item);

154.a/2
ramification

The check on Before checks that the cursor does not belong to some other Container. This check implies that a reference to the container is included in the cursor value. This wording is not meant to require detection of dangling cursors; such cursors are defined to be invalid, which means that execution is erroneous, and any result is allowed (including not raising an exception).

155/5

procedure Insert_Vector (Container : in out Vector; Before : in Cursor; New_Item : in Vector; Position : out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container);

156/5

If Before equals No_Element, then let T be Last_Index (Container) + 1; otherwise, let T be To_Index (Before). Insert_Vector (Container, T, New_Item) is called, and then Position is set to To_Cursor (Container, T).

156.a/5
discussion

The messy wording is needed because Before is invalidated by Insert_Vector, and we don't want Position to be invalid after this call. An implementation probably only needs to copy Before to Position.

157/5

procedure Insert (Container : in out Vector; Before : in Extended_Index; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

158/2

Equivalent to Insert (Container, Before, To_Vector (New_Item, Count));

159/5

procedure Insert (Container : in out Vector; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

160/2

Equivalent to Insert (Container, Before, To_Vector (New_Item, Count));

161/5

procedure Insert (Container : in out Vector; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container);

162/2

Equivalent to Insert (Container, Before, To_Vector (New_Item, Count), Position);

162.a/3
ramification

If Count equals 0, Position will designate the element designated by Before, rather than a newly inserted element. Otherwise, Position will designate the first newly inserted element.

163/5

procedure Insert (Container : in out Vector; Before : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

164/5

If Count is 0, then Insert does nothing. Otherwise, it computes the new length NL as the sum of the current length and Count; if the value of Last appropriate for length NL would be greater than Index_Type'Last, then Constraint_Error is propagated.

165/2

If the current vector capacity is less than NL, Reserve_Capacity (Container, NL) is called to increase the vector capacity. Then Insert slides the elements in the range Before .. Last_Index (Container) up by Count positions, and then inserts elements that are initialized by default (see 3.3.1) in the positions starting at Before.

166/5

procedure Insert (Container : in out Vector; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container);

167/5

If Before equals No_Element, then let T be Last_Index (Container) + 1; otherwise, let T be To_Index (Before). Insert (Container, T, Count) is called, and then Position is set to To_Cursor (Container, T).

167.a/2
reason

This routine exists mainly to ease conversion between Vector and List containers. Unlike Insert_Space, this routine default initializes the elements it inserts, which can be more expensive for some element types.

168/5

procedure Prepend_Vector (Container : in out Vector; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container);

169/2

Equivalent to Insert (Container, First_Index (Container), New_Item).

170/5

procedure Prepend (Container : in out Vector; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

171/2

Equivalent to Insert (Container, First_Index (Container), New_Item, Count).

172/5

procedure Append_Vector (Container : in out Vector; New_Item : in Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Length (New_Item) or else raise Constraint_Error), Post => Length (Container)'Old + Length (New_Item) = Length (Container) and then Capacity (Container) >= Length (Container);

173/2

Equivalent to Insert (Container, Last_Index (Container) + 1, New_Item).

174/5

procedure Append (Container : in out Vector; New_Item : in Element_Type; Count : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

175/2

Equivalent to Insert (Container, Last_Index (Container) + 1, New_Item, Count).

175.1/5

procedure Append (Container : in out Vector; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - 1 or else raise Constraint_Error), Post => Length (Container)'Old + 1 = Length (Container) and then Capacity (Container) >= Length (Container);

175.2/5

Equivalent to Insert (Container, Last_Index (Container) + 1, New_Item, 1).

176/5

procedure Insert_Space (Container : in out Vector; Before : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Capacity (Container) >= Length (Container);

177/5

If Count is 0, then Insert_Space does nothing. Otherwise, it computes the new length NL as the sum of the current length and Count; if the value of Last appropriate for length NL would be greater than Index_Type'Last, then Constraint_Error is propagated.

178/2

If the current vector capacity is less than NL, Reserve_Capacity (Container, NL) is called to increase the vector capacity. Then Insert_Space slides the elements in the range Before .. Last_Index (Container) up by Count positions, and then inserts empty elements in the positions starting at Before.

179/5

procedure Insert_Space (Container : in out Vector; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Maximum_Length - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position) and then Capacity (Container) >= Length (Container);

180/5

If Before equals No_Element, then let T be Last_Index (Container) + 1; otherwise, let T be To_Index (Before). Insert_Space (Container, T, Count) is called, and then Position is set to To_Cursor (Container, T).

181/5

procedure Delete (Container : in out Vector; Index : in Extended_Index; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Index in First_Index (Container) .. Last_Index (Container) + 1 or else raise Constraint_Error), Post => Length (Container)'Old - Count <= Length (Container);

182/5

If Count is 0, Delete has no effect. Otherwise, Delete slides the elements (if any) starting at position Index + Count down to Index. Any exception raised during element assignment is propagated.

182.a/2
ramification

If Index + Count >= Last_Index(Container), this effectively truncates the vector (setting Last_Index to Index – 1 and consequently sets Length to Index – Index_Type'First).

183/5

procedure Delete (Container : in out Vector; Position : in out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container)'Old - Count <= Length (Container) and then Position = No_Element;

184/5

Delete (Container, To_Index (Position), Count) is called, and then Position is set to No_Element.

185/5

procedure Delete_First (Container : in out Vector; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container);

186/2

Equivalent to Delete (Container, First_Index (Container), Count).

187/5

procedure Delete_Last (Container : in out Vector; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container);

188/3

If Length (Container) <= Count, then Delete_Last is equivalent to Clear (Container). Otherwise, it is equivalent to Delete (Container, Index_Type'Val(Index_Type'Pos(Last_Index (Container)) – Count + 1), Count).

189/5

procedure Reverse_Elements (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error;

190/2

Reorders the elements of Container in reverse order.

190.a/2
discussion

This can copy the elements of the vector — all cursors referencing the vector are ambiguous afterwards and may designate different elements afterwards.

191/5

procedure Swap (Container : in out Vector; I, J : in Index_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error) and then (J in First_Index (Container) .. Last_Index (Container) or else raise Constraint_Error);

192/5

Swap exchanges the values of the elements at positions I and J.

192.a/2

To be honest: The implementation is not required to actually copy the elements if it can do the swap some other way. But it is allowed to copy the elements if needed.

193/5

procedure Swap (Container : in out Vector; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error);

194/5

Swap exchanges the values of the elements designated by I and J.

194.a/2
ramification

After a call to Swap, I designates the element value previously designated by J, and J designates the element value previously designated by I. The cursors do not become ambiguous from this operation.

194.b/2

To be honest: The implementation is not required to actually copy the elements if it can do the swap some other way. But it is allowed to copy the elements if needed.

195/5

function First_Index (Container : Vector) return Index_Type with Nonblocking, Global => null, Use_Formal => null, Post => First_Index'Result = Index_Type'First;

196/2

Returns the value Index_Type'First.

196.a/2
discussion

We'd rather call this “First”, but then calling most routines in here with First (Some_Vect) would be ambiguous.

197/5

function First (Container : Vector) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element);

198/2

If Container is empty, First returns No_Element. Otherwise, it returns a cursor that designates the first element in Container.

199/5

function First_Element (Container : Vector) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

200/2

Equivalent to Element (Container, First_Index (Container)).

201/5

function Last_Index (Container : Vector) return Extended_Index with Nonblocking, Global => null, Use_Formal => null, Post => (if Length (Container) = 0 then Last_Index'Result = No_Index else Count_Type(Last_Index'Result - Index_Type'First) = Length (Container) - 1);

202/2

If Container is empty, Last_Index returns No_Index. Otherwise, it returns the position of the last element in Container.

203/5

function Last (Container : Vector) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element);

204/2

If Container is empty, Last returns No_Element. Otherwise, it returns a cursor that designates the last element in Container.

205/5

function Last_Element (Container : Vector) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

206/2

Equivalent to Element (Container, Last_Index (Container)).

207/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element);

208/2

If Position equals No_Element or designates the last element of the container, then Next returns the value No_Element. Otherwise, it returns a cursor that designates the element with index To_Index (Position) + 1 in the same vector as Position.

208.1/5

function Next (Container : Vector; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Has_Element (Container, Next'Result) then To_Index (Container, Next'Result) = To_Index (Container, Position) + 1 elsif Next'Result = No_Element then Position = Last (Container) else False);

208.2/5

Returns a cursor designating the next element in Container, if any.

209/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

210/2

Equivalent to Position := Next (Position).

210.1/5

procedure Next (Container : in Vector; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

210.2/5

Equivalent to Position := Next (Container, Position).

211/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element);

212/2

If Position equals No_Element or designates the first element of the container, then Previous returns the value No_Element. Otherwise, it returns a cursor that designates the element with index To_Index (Position) – 1 in the same vector as Position.

212.1/5

function Previous (Container : Vector; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Has_Element (Container, Previous'Result) then To_Index (Container, Previous'Result) = To_Index (Container, Position) - 1 elsif Previous'Result = No_Element then Position = First (Container) else False);

212.2/5

Returns a cursor designating the previous element in Container, if any.

213/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

214/2

Equivalent to Position := Previous (Position).

214.1/5

procedure Previous (Container : in Vector; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

214.2/5

Equivalent to Position := Previous (Container, Position).

215/2

function Find_Index (Container : Vector; Item : Element_Type; Index : Index_Type := Index_Type'First) return Extended_Index;

216/2

Searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at position Index and proceeds towards Last_Index (Container). If no equal element is found, then Find_Index returns No_Index. Otherwise, it returns the index of the first equal element encountered.

217/5

function Find (Container : Vector; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result));

218/5

Find searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at the first element if Position equals No_Element, and at the element designated by Position otherwise. It proceeds towards the last element of Container. If no equal element is found, then Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

219/2

function Reverse_Find_Index (Container : Vector; Item : Element_Type; Index : Index_Type := Index_Type'Last) return Extended_Index;

220/2

Searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at position Index or, if Index is greater than Last_Index (Container), at position Last_Index (Container). It proceeds towards First_Index (Container). If no equal element is found, then Reverse_Find_Index returns No_Index. Otherwise, it returns the index of the first equal element encountered.

221/5

function Reverse_Find (Container : Vector; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Reverse_Find'Result /= No_Element then Has_Element (Container, Reverse_Find'Result));

222/5

Reverse_Find searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at the last element if Position equals No_Element, and at the element designated by Position otherwise. It proceeds towards the first element of Container. If no equal element is found, then Reverse_Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

223/2

function Contains (Container : Vector; Item : Element_Type) return Boolean;

224/2

Equivalent to Has_Element (Find (Container, Item)).

Paragraphs 225 and 226 were moved above.

227/5

procedure Iterate (Container : in Vector; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

228/3

Invokes Process.all with a cursor that designates each element in Container, in index order. Tampering with the cursors of Container is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

228.a/2
discussion

The purpose of the “tamper with the cursors” check is to prevent erroneous execution from the Position parameter of Process.all becoming invalid. This check takes place when the operations that tamper with the cursors of the container are called. The check cannot be made later (say in the body of Iterate), because that could cause the Position cursor to be invalid and potentially cause execution to become erroneous -- defeating the purpose of the check.

228.b/2

There is no check needed if an attempt is made to insert or delete nothing (that is, Count = 0 or Length(Item) = 0).

228.c/2

The check is easy to implement: each container needs a counter. The counter is incremented when Iterate is called, and decremented when Iterate completes. If the counter is nonzero when an operation that inserts or deletes is called, Finalize is called, or one of the other operations in the list occurs, Program_Error is raised.

229/5

procedure Reverse_Iterate (Container : in Vector; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

230/3

Iterates over the elements in Container as per procedure Iterate, except that elements are traversed in reverse index order.

230.1/5

function Iterate (Container : in Vector) return Vector_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

230.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the first node and moving the cursor as per the Next function when used as a forward iterator, and starting with the last node and moving the cursor as per the Previous function when used as a reverse iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

230.3/5

function Iterate (Container : in Vector; Start : in Cursor) return Vector_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

230.4/5

Iterate returns a reversible iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the node designated by Start and moving the cursor as per the Next function when used as a forward iterator, or moving the cursor as per the Previous function when used as a reverse iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

230.a/3
discussion

Exits are allowed from the loops created using the iterator objects. In particular, to stop the iteration at a particular cursor, just add

230.b/3

exit when Cur = Stop;

230.c/3

in the body of the loop (assuming that Cur is the loop parameter and Stop is the cursor that you want to stop at).

231/3

The actual function for the generic formal function "<" of Generic_Sorting is expected to return the same value each time it is called with a particular pair of element values. It should define a strict weak ordering relationship (see A.18); it should not modify Container. If the actual for "<" behaves in some other manner, the behavior of the subprograms of Generic_Sorting are unspecified. The number of times the subprograms of Generic_Sorting call "<" is unspecified.

232/2

function Is_Sorted (Container : Vector) return Boolean;

233/2

Returns True if the elements are sorted smallest first as determined by the generic formal "<" operator; otherwise, Is_Sorted returns False. Any exception raised during evaluation of "<" is propagated.

234/5

procedure Sort (Container : in out Vector) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error;

235/2

Reorders the elements of Container such that the elements are sorted smallest first as determined by the generic formal "<" operator provided. Any exception raised during evaluation of "<" is propagated.

235.a/2
implementation advice

This implies swapping the elements, usually including an intermediate copy. This means that the elements will usually be copied. (As with Swap, if the implementation can do this some other way, it is allowed to.) Since the elements are nonlimited, this usually will not be a problem. Note that there is below that the implementation should use a sort that minimizes copying of elements.

235.b/2

The sort is not required to be stable (and the fast algorithm required will not be stable). If a stable sort is needed, the user can include the original location of the element as an extra "sort key". We considered requiring the implementation to do that, but it is mostly extra overhead -- usually there is something already in the element that provides the needed stability.

236/5

procedure Merge (Target : in out Vector; Source : in out Vector) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Length (Target) <= Maximum_Length - Length (Source) or else raise Constraint_Error) and then ((Length (Source) = 0 or else not Target'Has_Same_Storage (Source)) or else raise Program_Error), Post => (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin (Length (Source) = 0 and then Length (Target) = Result_Length and then Capacity (Target) >= Result_Length));

237/5

Merge removes elements from Source and inserts them into Target; afterwards, Target contains the union of the elements that were initially in Source and Target; Source is left empty. If Target and Source are initially sorted smallest first, then Target is ordered smallest first as determined by the generic formal "<" operator; otherwise, the order of elements in Target is unspecified. Any exception raised during evaluation of "<" is propagated.

237.a/2
discussion

It is a bounded error if either of the vectors is unsorted, see below. The bounded error can be recovered by sorting Target after the merge call, or the vectors can be pretested with Is_Sorted.

237.b/2
implementation note

The Merge operation will usually require copying almost all of the elements. One implementation strategy would be to extend Target to the appropriate length, then copying elements from the back of the vectors working towards the front. An alternative approach would be to allocate a new internal data array of the appropriate length, copy the elements into it in an appropriate order, and then replacing the data array in Target with the temporary.

237.1/5

The nested package Vectors.Stable provides a type Stable.Vector that represents a stable vector, which is one that cannot grow and shrink. Such a vector can be created by calling the To_Vector or Copy functions, or by establishing a stabilized view of an ordinary vector.

237.2/5

The subprograms of package Containers.Vectors that have a parameter or result of type Vector are included in the nested package Stable with the same specification, except that the following are omitted:

237.3/5

Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited, Reserve_Capacity, Assign, Move, Insert, Insert_Space, Insert_Vector, Append, Append_Vector, Prepend, Prepend_Vector, Clear, Delete, Delete_First, Delete_Last, and Set_Length

237.4/5

The generic package Generic_Sorting is also included with the same specification, except that Merge is omitted.

237.b.1/5
ramification

The names Vector and Cursor mean the types declared in the nested package in these subprogram specifications.

237.b.2/5
reason

The omitted routines are those that tamper with cursors or elements (or test that state). The model is that it is impossible to tamper with cursors or elements of a stable view since no such operations are included. Thus tampering checks are not needed for a stable view, and we omit the operations associated with those checks.

237.5/5

The operations of this package are equivalent to those for ordinary vectors, except that the calls to Tampering_With_Cursors_Prohibited and Tampering_With_Elements_Prohibited that occur in preconditions are replaced by False, and any that occur in postconditions are replaced by True.

237.6/5

If a stable vector is declared with the Base discriminant designating a pre-existing ordinary vector, the stable vector represents a stabilized view of the underlying ordinary vector, and any operation on the stable vector is reflected on the underlying ordinary vector. While a stabilized view exists, any operation that tampers with elements performed on the underlying vector is prohibited. The finalization of a stable vector that provides such a view removes this restriction on the underlying ordinary vector [(though some other restriction can exist due to other concurrent iterations or stabilized views)].

237.7/5

If a stable vector is declared without specifying Base, the object is necessarily initialized. The initializing expression of the stable vector, [typically a call on To_Vector or Copy], determines the Length of the vector. The Length of a stable vector never changes after initialization.

237.c/5
proof

Initialization is required as the type is indefinite, see 3.3.1.

Bounded (Run-Time) Errors

238/3

Reading the value of an empty element by calling Element, Query_Element, Update_Element, Constant_Reference, Reference, Swap, Is_Sorted, Sort, Merge, "=", Find, or Reverse_Find is a bounded error. The implementation may treat the element as having any normal value (see 13.9.1) of the element type, or raise Constraint_Error or Program_Error before modifying the vector.

238.a/2
ramification

For instance, a default initialized element could be returned. Or some previous value of an element. But returning random junk is not allowed if the type has default initial value(s).

238.b/2

Assignment and streaming of empty elements are not bounded errors. This is consistent with regular composite types, for which assignment and streaming of uninitialized components do not cause a bounded error, but reading the uninitialized component does cause a bounded error.

238.c/2

There are other operations which are defined in terms of the operations listed above.

239/2

Calling Merge in an instance of Generic_Sorting with either Source or Target not ordered smallest first using the provided generic formal "<" operator is a bounded error. Either Program_Error is raised after Target is updated as described for Merge, or the operation works as defined.

239.1/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of this package, to tamper with elements of any Vector parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the Vector either prior to, or subsequent to, some or all of the modifications to the Vector.

239.2/3

It is a bounded error to call any subprogram declared in the visible part of Containers.Vectors when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

240/2

A Cursor value is ambiguous if any of the following have occurred since it was created:

241/5
  • Insert, Insert_Space, Insert_Vector, or Delete has been called on the vector that contains the element the cursor designates with an index value (or a cursor designating an element at such an index value) less than or equal to the index value of the element designated by the cursor; or
  • 242/2
  • The vector that contains the element it designates has been passed to the Sort or Merge procedures of an instance of Generic_Sorting, or to the Reverse_Elements procedure.
243/2

It is a bounded error to call any subprogram other than "=" or Has_Element declared in Containers.Vectors with an ambiguous (but not invalid, see below) cursor parameter. Possible results are:

244/2
  • The cursor may be treated as if it were No_Element;
  • 245/2
  • The cursor may designate some element in the vector (but not necessarily the element that it originally designated);
  • 246/2
  • Constraint_Error may be raised; or
  • 247/2
  • Program_Error may be raised.
247.a/2
reason

Cursors are made ambiguous if an Insert or Delete occurs that moves the elements in the internal array including the designated ones. After such an operation, the cursor probably still designates an element (although it might not after a deletion), but it is a different element. That violates the definition of cursor — it designates a particular element.

247.b/2

For "=" or Has_Element, the cursor works normally (it would not be No_Element). We don't want to trigger an exception simply for comparing a bad cursor.

247.c/2

While it is possible to check for these cases or ensure that cursors survive such operations, in many cases the overhead necessary to make the check (or ensure cursors continue to designate the same element) is substantial in time or space.

Erroneous Execution

248/2

A Cursor value is invalid if any of the following have occurred since it was created:

249/2
  • The vector that contains the element it designates has been finalized;
  • 249.1/3
  • The vector that contains the element it designates has been used as the Target of a call to Assign, or as the target of an assignment_statement;
  • 250/2
  • [The vector that contains the element it designates has been used as the Source or Target of a call to Move;] or
250.a/3
proof

Move has been reworded in terms of Assign and Clear, which are covered by other bullets, so this text is redundant.

251/3
  • The element it designates has been deleted or removed from the vector that previously contained the element.
251.a/3
ramification

An element can be removed via calls to Set_Length, Clear, and Merge; and indirectly via calls to Assign and Move.

252/2

The result of "=" or Has_Element is unspecified if it is called with an invalid cursor parameter. Execution is erroneous if any other subprogram declared in Containers.Vectors is called with an invalid cursor parameter.

252.a/2
discussion

The list above (combined with the bounded error cases) is intended to be exhaustive. In other cases, a cursor value continues to designate its original element. For instance, cursor values survive the appending of new elements.

252.1/3

Execution is erroneous if the vector associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

252.b/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

253/2

No storage associated with a vector object shall be lost upon assignment or scope exit.

254/3

The execution of an assignment_statement for a vector shall have the effect of copying the elements from the source vector object to the target vector object and changing the length of the target object to that of the source object.

254.a/5
implementation note

An assignment of a Vector is a “deep” copy; that is the elements are copied as well as the data structures. We say “effect of” in order to allow the implementation to avoid copying elements immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that such an implementation would require care, as Query_Element and Constant_Reference both could be used to access an element which later needs to be reallocated while the parameter or reference still exists, potentially leaving the parameter or reference pointing at the wrong element.)

Implementation Advice

255/2

Containers.Vectors should be implemented similarly to an array. In particular, if the length of a vector is N, then

256/2
  • the worst-case time complexity of Element should be O(log N);
256.a/2
implementation advice

The worst-case time complexity of Element for Containers.Vector should be O(log N).

257/2
  • the worst-case time complexity of Append with Count=1 when N is less than the capacity of the vector should be O(log N); and
257.a/2
implementation advice

The worst-case time complexity of Append with Count = 1 when N is less than the capacity for Containers.Vector should be O(log N).

258/2
  • the worst-case time complexity of Prepend with Count=1 and Delete_First with Count=1 should be O(N log N).
258.a/2
implementation advice

The worst-case time complexity of Prepend with Count = 1 and Delete_First with Count=1 for Containers.Vectors should be O(N log N).

258.b/2
reason

We do not mean to overly constrain implementation strategies here. However, it is important for portability that the performance of large containers has roughly the same factors on different implementations. If a program is moved to an implementation that takes O(N) time to access elements, that program could be unusable when the vectors are large. We allow O(log N) access because the proportionality constant and caching effects are likely to be larger than the log factor, and we don't want to discourage innovative implementations.

259/2

The worst-case time complexity of a call on procedure Sort of an instance of Containers.Vectors.Generic_Sorting should be O(N**2), and the average time complexity should be better than O(N**2).

259.a/2
implementation advice

The worst-case time complexity of a call on procedure Sort of an instance of Containers.Vectors.Generic_Sorting should be O(N**2), and the average time complexity should be better than O(N**2).

259.b/2
ramification

In other words, we're requiring the use of a better than O(N**2) sorting algorithm, such as Quicksort. No bubble sorts allowed!

260/2

Containers.Vectors.Generic_Sorting.Sort and Containers.Vectors.Generic_Sorting.Merge should minimize copying of elements.

260.a/2
implementation advice

Containers.Vectors.Generic_Sorting.Sort and Containers.Vectors.Generic_Sorting.Merge should minimize copying of elements.

260.b/2

To be honest: We do not mean “absolutely minimize” here; we're not intending to require a single copy for each element. Rather, we want to suggest that the sorting algorithm chosen is one that does not copy items unnecessarily. Bubble sort would not meet this advice, for instance.

261/2

Move should not copy elements, and should minimize copying of internal data structures.

261.a/2
implementation advice

Containers.Vectors.Move should not copy elements, and should minimize copying of internal data structures.

261.b/2
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures from the Source vector to the Target vector.

262/2

If an exception is propagated from a vector operation, no storage should be lost, nor any elements removed from a vector unless specified by the operation.

262.a/2
implementation advice

If an exception is propagated from a vector operation, no storage should be lost, nor any elements removed from a vector unless specified by the operation.

262.b/2
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

263/5

NOTE 1 All elements of a vector occupy locations in the internal array. If a sparse container is required, a Hashed_Map can be used rather than a vector.

264/2

NOTE 2 If Index_Type'Base'First = Index_Type'First an instance of Ada.Containers.Vectors will raise Constraint_Error. A value below Index_Type'First is required so that an empty vector has a meaningful value of Last_Index.

264.a/2
discussion

This property is the main reason why only integer types (as opposed to any discrete type) are allowed as the index type of a vector. An enumeration or modular type would require a subtype in order to meet this requirement.

Extensions to Ada 95

264.b/2

The package Containers.Vectors is new.

Incompatibilities With Ada 2005

264.c/3

Subprograms Assign and Copy are added to Containers.Vectors. If an instance of Containers.Vectors is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Vectors is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

264.d/3

Added iterator, reference, and indexing support to make vector containers more convenient to use.

Wording Changes from Ada 2005

264.e/3

Generalized the definition of Reserve_Capacity and Move. Specified which elements are read/written by stream attributes.

264.f/3
correction

Added a Bounded (Run-Time) Error to cover tampering by generic actual subprograms.

264.g/3
correction

Added a Bounded (Run-Time) Error to cover access to finalized vector containers.

264.h/3
correction

Redefined "<" actuals to require a strict weak ordering; the old definition allowed indeterminant comparisons that would not have worked in a container.

264.i/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

264.j/3
correction

Revised the definition of invalid cursors to cover missing (and new) cases.

264.k/3
correction

Defined when a container prohibits tampering in order to more clearly define where the check is made and the exception raised.

Inconsistencies With Ada 2012

264.l/5

Tampering with elements is now defined to be equivalent to tampering with cursors for ordinary containers. If a program requires tampering detection to work, it might fail in Ada 2022. Specifically, if a program requires Program_Error to be raised by a routine that (only) tampers with elements in Ada 2012 (such as Replace_Element) when called in a context that does not allow tampering with elements (such as Update_Element), the routine will work as defined instead of raising Program_Error in Ada 2022. Needless to say, this shouldn't happen outside of test programs. Note that such contexts still prohibit tampering with cursors, so routines like Insert and Delete will still raise Program_Error in this case.

264.m/5

Trying to insert or concatenate more than Count_Type'Last elements will now raise Constraint_Error rather than Capacity_Error. This is extremely unlikely to happen, as Count_Type'Last is typically at least 2**31-1, so most such vectors will exceed memory before reaching this error.

Incompatibilities With Ada 2012

264.n/5

A number of new subprograms, types, and even a nested package were added to Containers.Vectors to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

264.o/5

Vector objects now support aggregates. This introduces a potential incompatibility for overloaded routines, including the "&" operations defined in this package. If the Element_Type of the vector is a type that allows aggregates (such as a record type), then calls to the "&" operations with an aggregate element will become ambiguous in Ada 2022, while they would have been legal in Ada 2012. This can be fixed by qualifying the aggregate with the element type.

264.p/5
correction

The Insert, Append, and Prepend operations that operate on two vectors have been renamed Insert_Vector, Append_Vector, and Prepend_Vector, respectively. This was done in order to eliminate the aggregate ambiguity for the commonly used single element Append and Insert routines. The renamed routines are rarely used in Ada 2012 code, so the impact should be minimal.

Extensions to Ada 2012

264.q/5
correction

To_Cursor and Replace_Element are now defined such that they can be used concurrently so long as they operate on different elements. This allows some container operations to be used in parallel without separate synchronization.

264.r/5

Vectors now support indexed container aggregates, so aggregate syntax can be used to create Vectors.

264.s/5

The iterator for the entire container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

264.t/4

Corrigendum: Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

264.u/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

264.v/5
correction

Split the Append routine into two routines rather than having a single routine with a default parameter, in order that a routine with the appropriate profile for the Aggregate aspect exists. This change should not change the behavior of any existing code.

A.18.3 The Generic Package Containers.Doubly_Linked_Lists

1/2

The language-defined generic package Containers.Doubly_Linked_Lists provides private types List and Cursor, and a set of operations for each type. A list container is optimized for insertion and deletion at any position.

2/2

A doubly-linked list container object manages a linked list of internal nodes, each of which contains an element and pointers to the next (successor) and previous (predecessor) internal nodes. A cursor designates a particular node within a list (and by extension the element contained in that node). A cursor keeps designating the same node (and element) as long as the node is part of the container, even if the node is moved in the container.

3/2

The length of a list is the number of elements it contains.

Static Semantics

4/2

The generic library package Containers.Doubly_Linked_Lists has the following declaration:

5/5

with Ada.Iterator_Interfaces; generic type Element_Type is private; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Doubly_Linked_Lists with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

5.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

6/5

type List is tagged private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.List, Aggregate => (Empty => Empty, Add_Unnamed => Append), Stable_Properties => (Length, Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited), Default_Initial_Condition => Length (List) = 0 and then (not Tampering_With_Cursors_Prohibited (List)) and then (not Tampering_With_Elements_Prohibited (List)), Preelaborable_Initialization; 7/5

type Cursor is private with Preelaborable_Initialization; 8/2 Empty_List : constant List; 9/2 No_Element : constant Cursor; 9.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 9.2/5

function Has_Element (Container : List; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 9.3/3

package List_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 10/2 function "=" (Left, Right : List) return Boolean; 10.1/5

function Tampering_With_Cursors_Prohibited (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null; 10.2/5

function Tampering_With_Elements_Prohibited (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null; 10.3/5

function Empty return List is (Empty_List) with Post => not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 11/5

function Length (Container : List) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 12/5

function Is_Empty (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 13/5

procedure Clear (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0; 14/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type; 14.1/5

function Element (Container : List; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 15/5

procedure Replace_Element (Container : in out List; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 16.1/5

procedure Query_Element (Container : in List; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17/5

procedure Update_Element (Container : in out List; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17.3/5

function Constant_Reference (Container : aliased in List; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.4/5

function Reference (Container : aliased in out List; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.5/5

procedure Assign (Target : in out List; Source : in List) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target); 17.6/5

function Copy (Source : List) return List with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result); 18/5

procedure Move (Target : in out List; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0); 19/5

procedure Insert (Container : in out List; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container); 20/5

procedure Insert (Container : in out List; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position); 21/5

procedure Insert (Container : in out List; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position); 22/5

procedure Prepend (Container : in out List; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container); 23/5

procedure Append (Container : in out List; New_Item : in Element_Type; Count : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container); 23.1/5

procedure Append (Container : in out List; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container)'Old + 1 = Length (Container); 24/5

procedure Delete (Container : in out List; Position : in out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container)'Old - Count <= Length (Container) and then Position = No_Element; 25/5

procedure Delete_First (Container : in out List; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container); 26/5

procedure Delete_Last (Container : in out List; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container); 27/5

procedure Reverse_Elements (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error; 28/5

procedure Swap (Container : in out List; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error); 29/5

procedure Swap_Links (Container : in out List; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error); 30/5

procedure Splice (Target : in out List; Before : in Cursor; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Target, Before) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) <= Count_Type'Last - Length (Source) or else raise Constraint_Error), Post => (if not Target'Has_Same_Storage (Source) then (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin Length (Source) = 0 and then Length (Target) = Result_Length)); 31/5

procedure Splice (Target : in out List; Before : in Cursor; Source : in out List; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Source, Position) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Target, Before) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Org_Target_Length : constant Count_Type := Length (Target)'Old; Org_Source_Length : constant Count_Type := Length (Source)'Old; begin (if Target'Has_Same_Storage (Source) then Position = Position'Old else Length (Source) = Org_Source_Length - 1 and then Length (Target) = Org_Target_Length + 1 and then Has_Element (Target, Position))); 32/2 procedure Splice (Container: in out List; Before : in Cursor; Position : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old; 33/5

function First (Container : List) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 34/5

function First_Element (Container : List) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 35/5

function Last (Container : List) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element); 36/5

function Last_Element (Container : List) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 37/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 37.1/5

function Next (Container : List; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result)); 38/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element); 38.1/5

function Previous (Container : List; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result)); 39/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 39.1/5

procedure Next (Container : in List; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 40/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 40.1/5

procedure Previous (Container : in List; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 41/5

function Find (Container : List; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 42/5

function Reverse_Find (Container : List; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Reverse_Find'Result /= No_Element then Has_Element (Container, Reverse_Find'Result)); 43/2 function Contains (Container : List; Item : Element_Type) return Boolean; 44/3

This paragraph was deleted. 45/5

procedure Iterate (Container : in List; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 46/5

procedure Reverse_Iterate (Container : in List; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 46.1/5

function Iterate (Container : in List) return List_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 46.2/5

function Iterate (Container : in List; Start : in Cursor) return List_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 47/5

generic with function "<" (Left, Right : Element_Type) return Boolean is <>; package Generic_Sorting with Nonblocking, Global => null is 48/2 function Is_Sorted (Container : List) return Boolean; 49/5

procedure Sort (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error; 50/5

procedure Merge (Target : in out List; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Elements_Prohibited (Source) or else raise Program_Error) and then (Length (Target) <= Count_Type'Last - Length (Source) or else raise Constraint_Error) and then ((Length (Source) = 0 or else not Target'Has_Same_Storage (Source)) or else raise Constraint_Error), Post => (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin (Length (Source) = 0 and then Length (Target) = Result_Length)); 51/2 end Generic_Sorting; 51.1/5

package Stable is 51.2/5

type List (Base : not null access Doubly_Linked_Lists.List) is tagged limited private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length), Global => null, Default_Initial_Condition => Length (List) = 0, Preelaborable_Initialization; 51.3/5

type Cursor is private with Preelaborable_Initialization; 51.4/5

Empty_List : constant List; 51.5/5

No_Element : constant Cursor; 51.6/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 51.7/5

package List_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 51.8/5

procedure Assign (Target : in out Doubly_Linked_Lists.List; Source : in List) with Post => Length (Source) = Length (Target); 51.9/5

function Copy (Source : Doubly_Linked_Lists.List) return List with Post => Length (Copy'Result) = Length (Source); 51.10/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 51.11/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 51.12/5

-- Additional subprograms as described in the text -- are declared here. 51.13/5

private 51.14/5

... -- not specified by the language 51.15/5

end Stable; 52/2 private 53/2 ... -- not specified by the language 54/2 end Ada.Containers.Doubly_Linked_Lists;

55/2

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the functions Find, Reverse_Find, and "=" on list values return an unspecified value. The exact arguments and number of calls of this generic formal function by the functions Find, Reverse_Find, and "=" on list values are unspecified.

55.a/2
ramification

If the actual function for "=" is not symmetric and consistent, the result returned by the listed functions cannot be predicted. The implementation is not required to protect against "=" raising an exception, or returning random results, or any other “bad” behavior. And it can call "=" in whatever manner makes sense. But note that only the results of Find, Reverse_Find, and List "=" are unspecified; other subprograms are not allowed to break if "=" is bad (they aren't expected to use "=").

56/2

The type List is used to represent lists. The type List needs finalization (see 7.6).

57/2

Empty_List represents the empty List object. It has a length of 0. If an object of type List is not otherwise initialized, it is initialized to the same value as Empty_List.

58/2

No_Element represents a cursor that designates no element. If an object of type Cursor is not otherwise initialized, it is initialized to the same value as No_Element.

59/5

The primitive "=" operator for type Cursor returns True if both cursors are No_Element, or designate the same element in the same container.

59.a/5

To be honest: “The primitive "=" operator” is the one with two parameters of type Cursor which returns Boolean. We're not talking about some other (hidden) primitive function named "=".

60/2

Execution of the default implementation of the Input, Output, Read, or Write attribute of type Cursor raises Program_Error.

60.a/2
reason

A cursor will probably be implemented in terms of one or more access values, and the effects of streaming access values is unspecified. Rather than letting the user stream junk by accident, we mandate that streaming of cursors raise Program_Error by default. The attributes can always be specified if there is a need to support streaming.

60.1/5

List'Write for a List object L writes Length(L) elements of the list to the stream. It may also write additional information about the list.

60.2/3

List'Read reads the representation of a list from the stream, and assigns to Item a list with the same length and elements as was written by List'Write.

60.b/3
ramification

Streaming more elements than the container length is wrong. For implementation implications of this rule, see the Implementation Note in A.18.2.

61/5

[Some operations check for “tampering with cursors” of a container because they depend on the set of elements of the container remaining constant, and others check for “tampering with elements” of a container because they depend on elements of the container not being replaced.] When tampering with cursors is prohibited for a particular list object L, Program_Error is propagated by the finalization of L[, as well as by a call that passes L to certain of the operations of this package, as indicated by the precondition of such an operation]. Similarly, when tampering with elements is prohibited for L, Program_Error is propagated by a call that passes L to certain of the other operations of this package, as indicated by the precondition of such an operation.

Paragraphs 62 through 69 are removed as preconditions now describe these rules.

65.a.1/3
ramification

We don't need to explicitly mention assignment_statement, because that finalizes the target object as part of the operation, and finalization of an object is already defined as tampering with cursors.

69.2/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

69.3/3

Returns True if Position designates an element, and returns False otherwise.

69.c/3

To be honest: This function might not detect cursors that designate deleted elements; such cursors are invalid (see below) and the result of calling Has_Element with an invalid cursor is unspecified (but not erroneous).

69.4/5

function Has_Element (Container : List; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

69.5/5

Returns True if Position designates an element in Container, and returns False otherwise.

69.d/5
ramification

If Position is No_Element, Has_Element returns False.

70/2

function "=" (Left, Right : List) return Boolean;

71/3

If Left and Right denote the same list object, then the function returns True. If Left and Right have different lengths, then the function returns False. Otherwise, it compares each element in Left to the corresponding element in Right using the generic formal equality operator. If any such comparison returns False, the function returns False; otherwise, it returns True. Any exception raised during evaluation of element equality is propagated.

71.a/2
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified for all of the operations that use it in this package, so an implementation can call it as many or as few times as it needs to get the correct answer. Specifically, there is no requirement to call the formal equality additional times once the answer has been determined.

71.1/5

function Tampering_With_Cursors_Prohibited (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null;

71.2/5

Returns True if tampering with cursors or tampering with elements is currently prohibited for Container, and returns False otherwise.

71.b/5
reason

Prohibiting tampering with elements also needs to prohibit tampering with cursors, as deleting an element is similar to replacing it.

71.c/5
implementation note

Various contracts elsewhere in this specification require that this function be implemented with synchronized data. Moreover, it is possible for tampering to be prohibited by multiple operations (sequentially or in parallel). Therefore, tampering needs to be implemented with an atomic or protected counter. The counter is initialized to zero, and is incremented when tampering is prohibited, and decremented when leaving an area that prohibited tampering. Function Tampering_With_Cursors_Prohibited returns True if the counter is nonzero. (Note that any case where the result is not well-defined for one task is incorrect use of shared variables and would be erroneous by the rules of 9.10, so no special protection is needed to read the counter.)

71.3/5

function Tampering_With_Elements_Prohibited (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null;

71.4/5

Always returns False[, regardless of whether tampering with elements is prohibited].

71.d/5
reason

A definite element cannot change size, so we allow operations that tamper with elements even when tampering with elements is prohibited. That's not true for the indefinite containers, which is why this kind of tampering exists.

72/5

function Length (Container : List) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

73/2

Returns the number of elements in Container.

74/5

function Is_Empty (Container : List) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0);

75/5

Returns True if Container is empty.

76/5

procedure Clear (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0;

77/2

Removes all the elements from Container.

78/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type;

79/5

Element returns the element designated by Position.

79.1/5

function Element (Container : List; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type;

79.2/5

Element returns the element designated by Position in Container.

80/5

procedure Replace_Element (Container : in out List; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

81/5

Replace_Element assigns the value New_Item to the element designated by Position. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)].

82/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

83/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of the list that contains the element designated by Position is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

83.1/5

procedure Query_Element (Container : in List; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

83.2/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

84/5

procedure Update_Element (Container : in out List; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

85/5

Update_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

86/2

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

86.a/2
ramification

This means that the elements cannot be directly allocated from the heap; it must be possible to change the discriminants of the element in place.

86.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 86.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

86.3/3

The types Constant_Reference_Type and Reference_Type need finalization.

86.4/5

This paragraph was deleted.

86.b/3
reason

It is expected that Reference_Type (and Constant_Reference_Type) will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

86.5/5

function Constant_Reference (Container : aliased in List; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

86.6/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a list given a cursor.

86.7/5

Constant_Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

86.8/5

function Reference (Container : aliased in out List; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

86.9/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a list given a cursor.

86.10/5

Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Reference exists and has not been finalized.

86.11/5

procedure Assign (Target : in out List; Source : in List) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target);

86.12/3

If Target denotes the same object as Source, the operation has no effect. Otherwise, the elements of Source are copied to Target as for an assignment_statement assigning Source to Target.

86.c/3
discussion

This routine exists for compatibility with the bounded list container. For an unbounded list, Assign(A, B) and A := B behave identically. For a bounded list, := will raise an exception if the container capacities are different, while Assign will not raise an exception if there is enough room in the target.

86.13/5

function Copy (Source : List) return List with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result);

86.14/3

Returns a list whose elements match the elements of Source.

87/5

procedure Move (Target : in out List; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0);

88/3

If Target denotes the same object as Source, then the operation has no effect. Otherwise, the operation is equivalent to Assign (Target, Source) followed by Clear (Source).

89/5

procedure Insert (Container : in out List; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container);

90/5

Insert inserts Count copies of New_Item prior to the element designated by Before. If Before equals No_Element, the new elements are inserted after the last node (if any). Any exception raised during allocation of internal storage is propagated, and Container is not modified.

90.a/2
ramification

The check on Before checks that the cursor does not belong to some other Container. This check implies that a reference to the container is included in the cursor value. This wording is not meant to require detection of dangling cursors; such cursors are defined to be invalid, which means that execution is erroneous, and any result is allowed (including not raising an exception).

91/5

procedure Insert (Container : in out List; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position);

92/5

Insert allocates Count copies of New_Item, and inserts them prior to the element designated by Before. If Before equals No_Element, the new elements are inserted after the last element (if any). Position designates the first newly-inserted element, or if Count equals 0, then Position is assigned the value of Before. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

93/5

procedure Insert (Container : in out List; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container) and then Has_Element (Container, Position);

94/5

Insert inserts Count new elements prior to the element designated by Before. If Before equals No_Element, the new elements are inserted after the last node (if any). The new elements are initialized by default (see 3.3.1). Position designates the first newly-inserted element, or if Count equals 0, then Position is assigned the value of Before. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

95/5

procedure Prepend (Container : in out List; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container);

96/2

Equivalent to Insert (Container, First (Container), New_Item, Count).

97/5

procedure Append (Container : in out List; New_Item : in Element_Type; Count : in Count_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - Count or else raise Constraint_Error), Post => Length (Container)'Old + Count = Length (Container);

98/2

Equivalent to Insert (Container, No_Element, New_Item, Count).

98.1/5

procedure Append (Container : in out List; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container)'Old + 1 = Length (Container);

98.2/5

Equivalent to Insert (Container, No_Element, New_Item, 1).

99/5

procedure Delete (Container : in out List; Position : in out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container)'Old - Count <= Length (Container) and then Position = No_Element;

100/5

Delete removes (from Container) Count elements starting at the element designated by Position (or all of the elements starting at Position if there are fewer than Count elements starting at Position). Finally, Position is set to No_Element.

101/5

procedure Delete_First (Container : in out List; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container);

102/3

If Length (Container) <= Count, then Delete_First is equivalent to Clear (Container). Otherwise, it removes the first Count nodes from Container.

103/5

procedure Delete_Last (Container : in out List; Count : in Count_Type := 1) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container)'Old - Count <= Length (Container);

104/3

If Length (Container) <= Count, then Delete_Last is equivalent to Clear (Container). Otherwise, it removes the last Count nodes from Container.

105/5

procedure Reverse_Elements (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error;

106/2

Reorders the elements of Container in reverse order.

106.a/2
discussion

Unlike the similar routine for a vector, elements should not be copied; rather, the nodes should be exchanged. Cursors are expected to reference the same elements afterwards.

107/5

procedure Swap (Container : in out List; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error);

108/5

Swap exchanges the values of the elements designated by I and J.

108.a/2
ramification

After a call to Swap, I designates the element value previously designated by J, and J designates the element value previously designated by I. The cursors do not become ambiguous from this operation.

108.b/2

To be honest: The implementation is not required to actually copy the elements if it can do the swap some other way. But it is allowed to copy the elements if needed.

109/5

procedure Swap_Links (Container : in out List; I, J : in Cursor) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error);

110/5

Swap_Links exchanges the nodes designated by I and J.

110.a/2
ramification

Unlike Swap, this exchanges the nodes, not the elements. No copying is performed. I and J designate the same elements after this call as they did before it. This operation can provide better performance than Swap if the element size is large.

111/5

procedure Splice (Target : in out List; Before : in Cursor; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Target, Before) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) <= Count_Type'Last - Length (Source) or else raise Constraint_Error), Post => (if not Target'Has_Same_Storage (Source) then (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin Length (Source) = 0 and then Length (Target) = Result_Length));

112/5

If Source denotes the same object as Target, the operation has no effect. Otherwise, Splice reorders elements such that they are removed from Source and moved to Target, immediately prior to Before. If Before equals No_Element, the nodes of Source are spliced after the last node of Target.

113/5

procedure Splice (Target : in out List; Before : in Cursor; Source : in out List; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Source, Position) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Target, Before) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Org_Target_Length : constant Count_Type := Length (Target)'Old; Org_Source_Length : constant Count_Type := Length (Source)'Old; begin (if Target'Has_Same_Storage (Source) then Position = Position'Old else Length (Source) = Org_Source_Length - 1 and then Length (Target) = Org_Target_Length + 1 and then Has_Element (Target, Position)));

114/5

If Source denotes the same object as Target, then there is no effect if Position equals Before, else the element designated by Position is moved immediately prior to Before, or, if Before equals No_Element, after the last element. Otherwise, the element designated by Position is removed from Source and moved to Target, immediately prior to Before, or, if Before equals No_Element, after the last element of Target. Position is updated to represent an element in Target.

114.a/2
ramification

If Source is the same as Target, and Position = Before, or Next(Position) = Before, Splice has no effect, as the element does not have to move to meet the postcondition.

115/5

procedure Splice (Container: in out List; Before : in Cursor; Position : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Container, Before) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old;

116/5

If Position equals Before there is no effect. Otherwise, the element designated by Position is moved immediately prior to Before, or, if Before equals No_Element, after the last element.

117/5

function First (Container : List) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element);

118/2

If Container is empty, First returns No_Element. Otherwise, it returns a cursor that designates the first node in Container.

119/5

function First_Element (Container : List) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

120/2

Equivalent to Element (Container, First_Index (Container)).

121/5

function Last (Container : List) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element);

122/2

If Container is empty, Last returns No_Element. Otherwise, it returns a cursor that designates the last node in Container.

123/5

function Last_Element (Container : List) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

124/2

Equivalent to Element (Last (Container)).

125/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element);

126/2

If Position equals No_Element or designates the last element of the container, then Next returns the value No_Element. Otherwise, it returns a cursor that designates the successor of the element designated by Position.

126.1/5

function Next (Container : List; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result));

126.2/5

Returns a cursor designating the successor of the element designated by Position in Container.

127/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element);

128/2

If Position equals No_Element or designates the first element of the container, then Previous returns the value No_Element. Otherwise, it returns a cursor that designates the predecessor of the element designated by Position.

128.1/5

function Previous (Container : List; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result));

128.2/5

Returns a cursor designating the predecessor of the element designated by Position in Container, if any.

129/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

130/2

Equivalent to Position := Next (Position).

130.1/5

procedure Next (Container : in List; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

130.2/5

Equivalent to Position := Next (Container, Position).

131/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

132/2

Equivalent to Position := Previous (Position).

132.1/5

procedure Previous (Container : in List; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

132.2/5

Equivalent to Position := Previous (Container, Position).

133/5

function Find (Container : List; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result));

134/5

Find searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at the element designated by Position, or at the first element if Position equals No_Element. It proceeds towards Last (Container). If no equal element is found, then Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

135/5

function Reverse_Find (Container : List; Item : Element_Type; Position : Cursor := No_Element) return Cursor with Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Reverse_Find'Result /= No_Element then Has_Element (Container, Reverse_Find'Result));

136/5

Find searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at the element designated by Position, or at the last element if Position equals No_Element. It proceeds towards First (Container). If no equal element is found, then Reverse_Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

137/2

function Contains (Container : List; Item : Element_Type) return Boolean;

138/2

Equivalent to Find (Container, Item) /= No_Element.

Paragraphs 139 and 140 were moved above.

141/5

procedure Iterate (Container : in List; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

142/3

Iterate calls Process.all with a cursor that designates each node in Container, starting with the first node and moving the cursor as per the Next function. Tampering with the cursors of Container is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

142.a/2
implementation note

The purpose of the tamper with cursors check is to prevent erroneous execution from the Position parameter of Process.all becoming invalid. This check takes place when the operations that tamper with the cursors of the container are called. The check cannot be made later (say in the body of Iterate), because that could cause the Position cursor to be invalid and potentially cause execution to become erroneous -- defeating the purpose of the check.

142.b/2

See Iterate for vectors (A.18.2) for a suggested implementation of the check.

143/5

procedure Reverse_Iterate (Container : in List; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

144/3

Iterates over the nodes in Container as per procedure Iterate, except that elements are traversed in reverse order, starting with the last node and moving the cursor as per the Previous function.

144.1/5

function Iterate (Container : in List) return List_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

144.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the first node and moving the cursor as per the Next function when used as a forward iterator, and starting with the last node and moving the cursor as per the Previous function when used as a reverse iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

144.3/5

function Iterate (Container : in List; Start : in Cursor) return List_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

144.4/5

Iterate returns a reversible iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the node designated by Start and moving the cursor as per the Next function when used as a forward iterator, or moving the cursor as per the Previous function when used as a reverse iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

144.a/3
discussion

Exits are allowed from the loops created using the iterator objects. In particular, to stop the iteration at a particular cursor, just add

144.b/3

exit when Cur = Stop;

144.c/3

in the body of the loop (assuming that Cur is the loop parameter and Stop is the cursor that you want to stop at).

145/3

The actual function for the generic formal function "<" of Generic_Sorting is expected to return the same value each time it is called with a particular pair of element values. It should define a strict weak ordering relationship (see A.18); it should not modify Container. If the actual for "<" behaves in some other manner, the behavior of the subprograms of Generic_Sorting are unspecified. The number of times the subprograms of Generic_Sorting call "<" is unspecified.

146/2

function Is_Sorted (Container : List) return Boolean;

147/2

Returns True if the elements are sorted smallest first as determined by the generic formal "<" operator; otherwise, Is_Sorted returns False. Any exception raised during evaluation of "<" is propagated.

148/5

procedure Sort (Container : in out List) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error;

149/2

Reorders the nodes of Container such that the elements are sorted smallest first as determined by the generic formal "<" operator provided. The sort is stable. Any exception raised during evaluation of "<" is propagated.

149.a/2
ramification

Unlike array sorts, we do require stable sorts here. That's because algorithms in the merge sort family (as described by Knuth) can be both fast and stable. Such sorts use the extra memory as offered by the links to provide better performance.

149.b/2

Note that list sorts never copy elements; it is the nodes, not the elements, that are reordered.

150/5

procedure Merge (Target : in out List; Source : in out List) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Elements_Prohibited (Source) or else raise Program_Error) and then (Length (Target) <= Count_Type'Last - Length (Source) or else raise Constraint_Error) and then ((Length (Source) = 0 or else not Target'Has_Same_Storage (Source)) or else raise Constraint_Error), Post => (declare Result_Length : constant Count_Type := Length (Source)'Old + Length (Target)'Old; begin (Length (Source) = 0 and then Length (Target) = Result_Length));

151/5

Merge removes elements from Source and inserts them into Target; afterwards, Target contains the union of the elements that were initially in Source and Target; Source is left empty. If Target and Source are initially sorted smallest first, then Target is ordered smallest first as determined by the generic formal "<" operator; otherwise, the order of elements in Target is unspecified. Any exception raised during evaluation of "<" is propagated.

151.a/2
ramification

It is a bounded error if either of the lists is unsorted, see below. The bounded error can be recovered by sorting Target after the merge call, or the lists can be pretested with Is_Sorted.

151.1/5

The nested package Doubly_Linked_Lists.Stable provides a type Stable.List that represents a stable list, which is one that cannot grow and shrink. Such a list can be created by calling the Copy function, or by establishing a stabilized view of an ordinary list.

151.2/5

The subprograms of package Containers.Doubly_Linked_Lists that have a parameter or result of type List are included in the nested package Stable with the same specification, except that the following are omitted:

151.3/5

Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited, Assign, Move, Insert, Append, Prepend, Clear, Delete, Delete_First, Delete_Last, Splice, Swap_Links, and Reverse_Elements

151.a.1/5
ramification

The names List and Cursor mean the types declared in the nested package in these subprogram specifications.

151.a.2/5
reason

The omitted routines are those that tamper with cursors or elements (or test that state). The model is that it is impossible to tamper with cursors or elements of a stable view since no such operations are included. Thus tampering checks are not needed for a stable view, and we omit the operations associated with those checks.

151.a.3/5

The Generic_Sorting generic is omitted entirely, as only function Is_Sorting does not tamper with cursors. It isn't useful enough by itself to include.

151.4/5

The operations of this package are equivalent to those for ordinary lists, except that the calls to Tampering_With_Cursors_Prohibited and Tampering_With_Elements_Prohibited that occur in preconditions are replaced by False, and any that occur in postconditions are replaced by True.

151.5/5

If a stable list is declared with the Base discriminant designating a pre-existing ordinary list, the stable list represents a stabilized view of the underlying ordinary list, and any operation on the stable list is reflected on the underlying ordinary list. While a stabilized view exists, any operation that tampers with elements performed on the underlying list is prohibited. The finalization of a stable list that provides such a view removes this restriction on the underlying ordinary list [(though some other restriction can exist due to other concurrent iterations or stabilized views)].

151.6/5

If a stable list is declared without specifying Base, the object is necessarily initialized. The initializing expression of the stable list, [typically a call on Copy], determines the Length of the list. The Length of a stable list never changes after initialization.

151.b/5
proof

Initialization is required as the type is indefinite, see 3.3.1.

Bounded (Run-Time) Errors

152/2

Calling Merge in an instance of Generic_Sorting with either Source or Target not ordered smallest first using the provided generic formal "<" operator is a bounded error. Either Program_Error is raised after Target is updated as described for Merge, or the operation works as defined.

152.1/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of this package, to tamper with elements of any List parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the List either prior to, or subsequent to, some or all of the modifications to the List.

152.2/3

It is a bounded error to call any subprogram declared in the visible part of Containers.Doubly_Linked_Lists when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

Erroneous Execution

153/2

A Cursor value is invalid if any of the following have occurred since it was created:

154/2
  • The list that contains the element it designates has been finalized;
  • 154.1/3
  • The list that contains the element it designates has been used as the Target of a call to Assign, or as the target of an assignment_statement;
  • 155/2
  • [The list that contains the element it designates has been used as the Source or Target of a call to Move;] or
155.a/3
proof

Move has been reworded in terms of Assign and Clear, which are covered by other bullets, so this text is redundant.

156/3
  • The element it designates has been removed from the list that previously contained the element.
156.a/3

To be honest: The cursor modified by the four parameter Splice is not invalid, even though the element it designates has been removed from the source list, because that cursor has been modified to designate that element in the target list – the cursor no longer designates an element in the source list.

156.b/3
ramification

This can happen directly via calls to Delete, Delete_Last, Clear, Splice with a Source parameter, and Merge; and indirectly via calls to Delete_First, Assign, and Move.

157/2

The result of "=" or Has_Element is unspecified if it is called with an invalid cursor parameter. Execution is erroneous if any other subprogram declared in Containers.Doubly_Linked_Lists is called with an invalid cursor parameter.

157.a/2
discussion

The list above is intended to be exhaustive. In other cases, a cursor value continues to designate its original element. For instance, cursor values survive the insertion and deletion of other nodes.

157.b/2

While it is possible to check for these cases, in many cases the overhead necessary to make the check is substantial in time or space. Implementations are encouraged to check for as many of these cases as possible and raise Program_Error if detected.

157.1/3

Execution is erroneous if the list associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

157.c/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

158/5

No storage associated with a doubly-linked list object shall be lost upon assignment or scope exit.

159/3

The execution of an assignment_statement for a list shall have the effect of copying the elements from the source list object to the target list object and changing the length of the target object to that of the source object.

159.a/3
implementation note

An assignment of a List is a “deep” copy; that is the elements are copied as well as the data structures. We say “effect of” in order to allow the implementation to avoid copying elements immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that this implementation would require care, see A.18.2 for more.)

Implementation Advice

160/2

Containers.Doubly_Linked_Lists should be implemented similarly to a linked list. In particular, if N is the length of a list, then the worst-case time complexity of Element, Insert with Count=1, and Delete with Count=1 should be O(log N).

160.a/2
implementation advice

The worst-case time complexity of Element, Insert with Count=1, and Delete with Count=1 for Containers.Doubly_Linked_Lists should be O(log N).

160.b/2
reason

We do not mean to overly constrain implementation strategies here. However, it is important for portability that the performance of large containers has roughly the same factors on different implementations. If a program is moved to an implementation that takes O(N) time to access elements, that program could be unusable when the lists are large. We allow O(log N) access because the proportionality constant and caching effects are likely to be larger than the log factor, and we don't want to discourage innovative implementations.

161/2

The worst-case time complexity of a call on procedure Sort of an instance of Containers.Doubly_Linked_Lists.Generic_Sorting should be O(N**2), and the average time complexity should be better than O(N**2).

161.a/2
implementation advice

A call on procedure Sort of an instance of Containers.Doubly_Linked_Lists.Generic_Sorting should have an average time complexity better than O(N**2) and worst case no worse than O(N**2).

161.b/2
ramification

In other words, we're requiring the use of a better than O(N**2) sorting algorithm, such as Quicksort. No bubble sorts allowed!

162/2

Move should not copy elements, and should minimize copying of internal data structures.

162.a/2
implementation advice

Containers.Doubly_Linked_Lists.Move should not copy elements, and should minimize copying of internal data structures.

162.b/2
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures from the Source container to the Target container.

163/2

If an exception is propagated from a list operation, no storage should be lost, nor any elements removed from a list unless specified by the operation.

163.a/2
implementation advice

If an exception is propagated from a list operation, no storage should be lost, nor any elements removed from a list unless specified by the operation.

163.b/2
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

164/5

NOTE Sorting a list never copies elements, and is a stable sort (equal elements remain in the original order). This is different than sorting an array or vector, which will often copy elements, and hence is probably not a stable sort.

Extensions to Ada 95

164.a/2

The generic package Containers.Doubly_Linked_Lists is new.

Inconsistencies With Ada 2005

164.b/3
correction

The Insert versions that return a Position parameter are now defined to return Position = Before if Count = 0. This was unspecified for Ada 2005; so this will only be inconsistent if an implementation did something else and a program depended on that something else — this should be very rare.

Incompatibilities With Ada 2005

164.c/3

Subprograms Assign and Copy are added to Containers.Doubly_Linked_Lists. If an instance of Containers.Doubly_Linked_Lists is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Doubly_Linked_Lists is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

164.d/3

Added iterator, reference, and indexing support to make list containers more convenient to use.

Wording Changes from Ada 2005

164.e/3

Generalized the definition of Move. Specified which elements are read/written by stream attributes.

164.f/3
correction

Added a Bounded (Run-Time) Error to cover tampering by generic actual subprograms.

164.g/3
correction

Added a Bounded (Run-Time) Error to cover access to finalized list containers.

164.h/3
correction

Redefined "<" actuals to require a strict weak ordering; the old definition allowed indeterminant comparisons that would not have worked in a container.

164.i/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

164.j/3
correction

Revised the definition of invalid cursors to cover missing (and new) cases.

164.k/3
correction

Added missing wording to describe the Position after Inserting 0 elements.

164.l/3
correction

Defined when a container prohibits tampering in order to more clearly define where the check is made and the exception raised.

Inconsistencies With Ada 2012

164.m/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for ordinary containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

164.n/5

A number of new subprograms, types, and even a nested package were added to Containers.Doubly_Linked_Lists to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

164.o/5

Replace_Element is now defined such that it can be used concurrently so long as it operates on different elements. This allows some container operations to be used in parallel without separate synchronization.

164.p/5

Lists now support positional container aggregates, so aggregate syntax can be used to create Lists.

164.q/5

The iterator for the entire container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

164.r/4

Corrigendum: Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

164.s/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

164.t/5
correction

Split the Append routine into two routines rather than having a single routine with a default parameter, in order that a routine with the appropriate profile for the Aggregate aspect exists. This change should not change the behavior of any existing code.

A.18.4 Maps

1/2

The language-defined generic packages Containers.Hashed_Maps and Containers.Ordered_Maps provide private types Map and Cursor, and a set of operations for each type. A map container allows an arbitrary type to be used as a key to find the element associated with that key. A hashed map uses a hash function to organize the keys, while an ordered map orders the keys per a specified relation.

2/3

This subclause describes the declarations that are common to both kinds of maps. See A.18.5 for a description of the semantics specific to Containers.Hashed_Maps and A.18.6 for a description of the semantics specific to Containers.Ordered_Maps.

Static Semantics

3/2

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the function "=" on map values returns an unspecified value. The exact arguments and number of calls of this generic formal function by the function "=" on map values are unspecified.

3.a/2
ramification

If the actual function for "=" is not symmetric and consistent, the result returned by "=" for Map objects cannot be predicted. The implementation is not required to protect against "=" raising an exception, or returning random results, or any other “bad” behavior. And it can call "=" in whatever manner makes sense. But note that only the result of "=" for Map objects is unspecified; other subprograms are not allowed to break if "=" is bad (they aren't expected to use "=").

4/2

The type Map is used to represent maps. The type Map needs finalization (see 7.6).

5/2

A map contains pairs of keys and elements, called nodes. Map cursors designate nodes, but also can be thought of as designating an element (the element contained in the node) for consistency with the other containers. There exists an equivalence relation on keys, whose definition is different for hashed maps and ordered maps. A map never contains two or more nodes with equivalent keys. The length of a map is the number of nodes it contains.

6/2

Each nonempty map has two particular nodes called the first node and the last node (which may be the same). Each node except for the last node has a successor node. If there are no other intervening operations, starting with the first node and repeatedly going to the successor node will visit each node in the map exactly once until the last node is reached. The exact definition of these terms is different for hashed maps and ordered maps.

7/5

[Some operations check for “tampering with cursors” of a container because they depend on the set of elements of the container remaining constant, and others check for “tampering with elements” of a container because they depend on elements of the container not being replaced.] When tampering with cursors is prohibited for a particular map object M, Program_Error is propagated by the finalization of M[, as well as by a call that passes M to certain of the operations of this package, as indicated by the precondition of such an operation]. Similarly, when tampering with elements is prohibited for M, Program_Error is propagated by a call that passes M to certain of the other operations of this package, as indicated by the precondition of such an operation.

Paragraphs 8 through 15 are removed as preconditions now describe these rules.

10.a/3
ramification

We don't need to explicitly mention assignment_statement, because that finalizes the target object as part of the operation, and finalization of an object is already defined as tampering with cursors.

16/2

Empty_Map represents the empty Map object. It has a length of 0. If an object of type Map is not otherwise initialized, it is initialized to the same value as Empty_Map.

17/2

No_Element represents a cursor that designates no node. If an object of type Cursor is not otherwise initialized, it is initialized to the same value as No_Element.

18/5

The primitive "=" operator for type Cursor returns True if both cursors are No_Element, or designate the same element in the same container.

18.a/5

To be honest: “The primitive "=" operator” is the one with two parameters of type Cursor which returns Boolean. We're not talking about some other (hidden) primitive function named "=".

19/2

Execution of the default implementation of the Input, Output, Read, or Write attribute of type Cursor raises Program_Error.

19.a/2
reason

A cursor will probably be implemented in terms of one or more access values, and the effects of streaming access values is unspecified. Rather than letting the user stream junk by accident, we mandate that streaming of cursors raise Program_Error by default. The attributes can always be specified if there is a need to support streaming.

19.1/5

Map'Write for a Map object M writes Length(M) elements of the map to the stream. It may also write additional information about the map.

19.2/3

Map'Read reads the representation of a map from the stream, and assigns to Item a map with the same length and elements as was written by Map'Write.

19.b/3
ramification

Streaming more elements than the container length is wrong. For implementation implications of this rule, see the Implementation Note in A.18.2.

19.3/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

19.4/3

Returns True if Position designates an element, and returns False otherwise.

19.c/3

To be honest: This function might not detect cursors that designate deleted elements; such cursors are invalid (see below) and the result of calling Has_Element with an invalid cursor is unspecified (but not erroneous).

19.5/5

function Has_Element (Container : Map; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

19.6/5

Returns True if Position designates an element in Container, and returns False otherwise.

19.d/5
ramification

If Position is No_element, Has_Element returns False.

20/2

function "=" (Left, Right : Map) return Boolean;

21/2

If Left and Right denote the same map object, then the function returns True. If Left and Right have different lengths, then the function returns False. Otherwise, for each key K in Left, the function returns False if:

22/2
  • a key equivalent to K is not present in Right; or
  • 23/2
  • the element associated with K in Left is not equal to the element associated with K in Right (using the generic formal equality operator for elements).
24/2

If the function has not returned a result after checking all of the keys, it returns True. Any exception raised during evaluation of key equivalence or element equality is propagated.

24.a/2
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified for all of the operations that use it in this package, so an implementation can call it as many or as few times as it needs to get the correct answer. Specifically, there is no requirement to call the formal equality additional times once the answer has been determined.

24.1/5

function Tampering_With_Cursors_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null;

24.2/5

Returns True if tampering with cursors or tampering with elements is currently prohibited for Container, and returns False otherwise.

24.b/5
reason

Prohibiting tampering with elements also needs to prohibit tampering with cursors, as deleting an element is similar to replacing it.

24.c/5
implementation note

Various contracts elsewhere in this specification require that this function be implemented with synchronized data. Moreover, it is possible for tampering to be prohibited by multiple operations (sequentially or in parallel). Therefore, tampering needs to be implemented with an atomic or protected counter. The counter is initialized to zero, and is incremented when tampering is prohibited, and decremented when leaving an area that prohibited tampering. Function Tampering_With_Cursors_Prohibited returns True if the counter is nonzero. (Note that any case where the result is not well-defined for one task is incorrect use of shared variables and would be erroneous by the rules of 9.10, so no special protection is needed to read the counter.)

24.3/5

function Tampering_With_Elements_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null;

24.4/5

Always returns False[, regardless of whether tampering with elements is prohibited].

24.d/5
reason

A definite element cannot change size, so we allow operations that tamper with elements even when tampering with elements is prohibited. That's not true for the indefinite containers, which is why this kind of tampering exists.

25/5

function Length (Container : Map) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

26/2

Returns the number of nodes in Container.

27/5

function Is_Empty (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0);

28/5

Returns True if Container is empty.

29/5

procedure Clear (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0;

30/2

Removes all the nodes from Container.

31/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Key_Type;

32/5

Key returns the key component of the node designated by Position.

32.1/5

function Key (Container : Map; Position : Cursor) return Key_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Key_Type;

32.2/5

Key returns the key component of the node designated by Position.

33/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type;

34/5

Element returns the element component of the node designated by Position.

34.1/5

function Element (Container : Map; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type;

34.2/5

Element returns the element component of the node designated by Position.

35/5

procedure Replace_Element (Container : in out Map; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

36/5

Replace_Element assigns New_Item to the element of the node designated by Position. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)].

37/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

38/5

Query_Element calls Process.all with the key and element from the node designated by Position as the arguments. Tampering with the elements of the map that contains the element designated by Position is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

38.1/5

procedure Query_Element (Container : in Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

38.2/5

Query_Element calls Process.all with the key and element from the node designated by Position as the arguments. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

39/5

procedure Update_Element (Container : in out Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

40/5

Update_Element calls Process.all with the key and element from the node designated by Position as the arguments. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

41/2

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

41.a/2
ramification

This means that the elements cannot be directly allocated from the heap; it must be possible to change the discriminants of the element in place.

41.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global =>in out synchronized, Default_Initial_Condition => (raise Program_Error); 41.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

41.3/3

The types Constant_Reference_Type and Reference_Type need finalization.

41.4/5

This paragraph was deleted.

41.b/3
reason

It is expected that Reference_Type (and Constant_Reference_Type) will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

41.5/5

function Constant_Reference (Container : aliased in Map; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

41.6/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a Map given a cursor.

41.7/5

Constant_Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

41.8/5

function Reference (Container : aliased in out Map; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

41.9/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a Map given a cursor.

41.10/5

Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Reference exists and has not been finalized.

41.11/5

function Constant_Reference (Container : aliased in Map; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

41.12/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a map given a key value.

41.13/3

Equivalent to Constant_Reference (Container, Find (Container, Key)).

41.14/5

function Reference (Container : aliased in out Map; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

41.15/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a map given a key value.

41.16/3

Equivalent to Reference (Container, Find (Container, Key)).

41.17/5

procedure Assign (Target : in out Map; Source : in Map) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target);

41.18/3

If Target denotes the same object as Source, the operation has no effect. Otherwise, the key/element pairs of Source are copied to Target as for an assignment_statement assigning Source to Target.

41.c/3
discussion

This routine exists for compatibility with the bounded map containers. For an unbounded map, Assign(A, B) and A := B behave identically. For a bounded map, := will raise an exception if the container capacities are different, while Assign will not raise an exception if there is enough room in the target.

42/5

procedure Move (Target : in out Map; Source : in out Map) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0);

43/3

If Target denotes the same object as Source, then the operation has no effect. Otherwise, the operation is equivalent to Assign (Target, Source) followed by Clear (Source).

44/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length));

45/2

Insert checks if a node with a key equivalent to Key is already present in Container. If a match is found, Inserted is set to False and Position designates the element with the matching key. Otherwise, Insert allocates a new node, initializes it to Key and New_Item, and adds it to Container; Inserted is set to True and Position designates the newly-inserted node. Any exception raised during allocation is propagated and Container is not modified.

46/5

procedure Insert (Container : in out Map; Key : in Key_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length));

47/2

Insert inserts Key into Container as per the five-parameter Insert, with the difference that an element initialized by default (see 3.3.1) is inserted.

48/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1;

49/2

Insert inserts Key and New_Item into Container as per the five-parameter Insert, with the difference that if a node with a key equivalent to Key is already in the map, then Constraint_Error is propagated.

49.a/2
ramification

This is equivalent to:

49.b/2

declare Inserted : Boolean; C : Cursor; begin Insert (Container, Key, New_Item, C, Inserted); if not Inserted then raise Constraint_Error; end if; end;

49.c/2

but doesn't require the hassle of out parameters.

50/5

procedure Include (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1);

51/2

Include inserts Key and New_Item into Container as per the five-parameter Insert, with the difference that if a node with a key equivalent to Key is already in the map, then this operation assigns Key and New_Item to the matching node. Any exception raised during assignment is propagated.

51.a/2
ramification

This is equivalent to:

51.b/2

declare C : Cursor := Find (Container, Key); begin if C = No_Element then Insert (Container, Key, New_Item); else Replace (Container, Key, New_Item); end if; end;

51.c/2

but this avoids doing the search twice.

52/5

procedure Replace (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old;

53/2

Replace checks if a node with a key equivalent to Key is present in Container. If a match is found, Replace assigns Key and New_Item to the matching node; otherwise, Constraint_Error is propagated.

53.a/2
discussion

We update the key as well as the element, as the key might include additional information that does not participate in equivalence. If only the element needs to be updated, use Replace_Element (Find (Container, Key), New_Element).

54/5

procedure Exclude (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length);

55/2

Exclude checks if a node with a key equivalent to Key is present in Container. If a match is found, Exclude removes the node from the map.

55.a/2
ramification

Exclude should work on an empty map; nothing happens in that case.

56/5

procedure Delete (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1;

57/2

Delete checks if a node with a key equivalent to Key is present in Container. If a match is found, Delete removes the node from the map; otherwise, Constraint_Error is propagated.

58/5

procedure Delete (Container : in out Map; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element;

59/5

Delete removes the node designated by Position from the map.

59.a/2
ramification

The check on Position checks that the cursor does not belong to some other map. This check implies that a reference to the map is included in the cursor value. This wording is not meant to require detection of dangling cursors; such cursors are defined to be invalid, which means that execution is erroneous, and any result is allowed (including not raising an exception).

60/5

function First (Container : Map) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element);

61/2

If Length (Container) = 0, then First returns No_Element. Otherwise, First returns a cursor that designates the first node in Container.

62/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element);

63/2

Returns a cursor that designates the successor of the node designated by Position. If Position designates the last node, then No_Element is returned. If Position equals No_Element, then No_Element is returned.

63.1/5

function Next (Container : Map; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result));

63.2/5

Returns a cursor designating the successor of the node designated by Position in Container.

64/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

65/2

Equivalent to Position := Next (Position).

65.1/5

procedure Next (Container : in Map; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

65.2/5

Equivalent to Position := Next (Container, Position).

66/5

function Find (Container : Map; Key : Key_Type) return Cursor with Post => (if Find'Result = No_Element then Has_Element (Container, Find'Result));

67/2

If Length (Container) equals 0, then Find returns No_Element. Otherwise, Find checks if a node with a key equivalent to Key is present in Container. If a match is found, a cursor designating the matching node is returned; otherwise, No_Element is returned.

68/2

function Element (Container : Map; Key : Key_Type) return Element_Type;

69/2

Equivalent to Element (Find (Container, Key)).

70/2

function Contains (Container : Map; Key : Key_Type) return Boolean;

71/2

Equivalent to Find (Container, Key) /= No_Element.

Paragraphs 72 and 73 were moved above.

74/5

procedure Iterate (Container : in Map; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

75/3

Iterate calls Process.all with a cursor that designates each node in Container, starting with the first node and moving the cursor according to the successor relation. Tampering with the cursors of Container is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

75.a/2
implementation note

The “tamper with cursors” check takes place when the operations that insert or delete elements, and so on, are called.

75.b/2

See Iterate for vectors (A.18.2) for a suggested implementation of the check.

75.1/5

The nested package Stable provides a type Stable.Map that represents a stable map, which is one that cannot grow and shrink. Such a map can be created by calling the Copy function, or by establishing a stabilized view of an ordinary map.

75.2/5

The subprograms of the map package that have a parameter or result of type Map are included in the nested package Stable with the same specification, except that the following are omitted:

75.3/5

Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited, Assign, Move, Insert, Include, Clear, Delete, Exclude, (for Ordered_Maps) Delete_First and Delete_Last, and (for Hashed_Maps) Reserve_Capacity

75.b.1/5
ramification

The names Map and Cursor mean the types declared in the nested package in these subprogram specifications.

75.b.2/5
reason

The omitted routines are those that tamper with cursors or elements (or test that state). The model is that it is impossible to tamper with cursors or elements of a stable view since no such operations are included. Thus tampering checks are not needed for a stable view, and we omit the operations associated with those checks.

75.4/5

The operations of this package are equivalent to those for ordinary maps, except that the calls to Tampering_With_Cursors_Prohibited and Tampering_With_Elements_Prohibited that occur in preconditions are replaced by False, and any that occur in postconditions are replaced by True.

75.5/5

If a stable map is declared with the Base discriminant designating a pre-existing ordinary map, the stable map represents a stabilized view of the underlying ordinary map, and any operation on the stable map is reflected on the underlying ordinary map. While a stabilized view exists, any operation that tampers with elements performed on the underlying map is prohibited. The finalization of a stable map that provides such a view removes this restriction on the underlying ordinary map [(though some other restriction can exist due to other concurrent iterations or stabilized views)].

75.6/5

If a stable map is declared without specifying Base, the object is necessarily initialized. The initializing expression of the stable map, [typically a call on Copy], determines the Length of the map. The Length of a stable map never changes after initialization.

75.c/5
proof

Initialization is required as the type is indefinite, see 3.3.1.

Bounded (Run-Time) Errors

75.7/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of a map package, to tamper with elements of any map parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the map either prior to, or subsequent to, some or all of the modifications to the map.

75.8/3

It is a bounded error to call any subprogram declared in the visible part of a map package when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

Erroneous Execution

76/2

A Cursor value is invalid if any of the following have occurred since it was created:

77/2
  • The map that contains the node it designates has been finalized;
  • 77.1/3
  • The map that contains the node it designates has been used as the Target of a call to Assign, or as the target of an assignment_statement;
  • 78/2
  • The map that contains the node it designates has been used as the Source or Target of a call to Move; or
  • 79/3
  • The node it designates has been removed from the map that previously contained the node.
79.a/3
ramification

This can happen directly via calls to Clear, Exclude, and Delete.

80/2

The result of "=" or Has_Element is unspecified if these functions are called with an invalid cursor parameter. Execution is erroneous if any other subprogram declared in Containers.Hashed_Maps or Containers.Ordered_Maps is called with an invalid cursor parameter.

80.a/2
discussion

The list above is intended to be exhaustive. In other cases, a cursor value continues to designate its original element. For instance, cursor values survive the insertion and deletion of other nodes.

80.b/2

While it is possible to check for these cases, in many cases the overhead necessary to make the check is substantial in time or space. Implementations are encouraged to check for as many of these cases as possible and raise Program_Error if detected.

80.1/3

Execution is erroneous if the map associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

80.c/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

81/5

No storage associated with a map object shall be lost upon assignment or scope exit.

82/3

The execution of an assignment_statement for a map shall have the effect of copying the elements from the source map object to the target map object and changing the length of the target object to that of the source object.

82.a/3
implementation note

An assignment of a Map is a “deep” copy; that is the elements are copied as well as the data structures. We say “effect of” in order to allow the implementation to avoid copying elements immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that this implementation would require care, see A.18.2 for more.)

Implementation Advice

83/2

Move should not copy elements, and should minimize copying of internal data structures.

83.a/2
implementation advice

Move for a map should not copy elements, and should minimize copying of internal data structures.

83.b/2
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures from the Source container to the Target container.

84/2

If an exception is propagated from a map operation, no storage should be lost, nor any elements removed from a map unless specified by the operation.

84.a/2
implementation advice

If an exception is propagated from a map operation, no storage should be lost, nor any elements removed from a map unless specified by the operation.

84.b/2
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

Wording Changes from Ada 95

84.c/2

This description of maps is new; the extensions are documented with the specific packages.

Extensions to Ada 2005

84.d/3

Added reference support to make map containers more convenient to use.

Wording Changes from Ada 2005

84.e/3

Added procedure Assign; the extension and incompatibility is documented with the specific packages.

84.f/3

Generalized the definition of Move. Specified which elements are read/written by stream attributes.

84.g/3
correction

Added a Bounded (Run-Time) Error to cover tampering by generic actual subprograms.

84.h/3
correction

Added a Bounded (Run-Time) Error to cover access to finalized map containers.

84.i/3
correction

Revised the definition of invalid cursors to cover missing (and new) cases.

84.j/3
correction

Defined when a container prohibits tampering in order to more clearly define where the check is made and the exception raised.

Inconsistencies With Ada 2012

84.k/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for ordinary containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Extensions to Ada 2012

84.l/5
correction

Replace_Element is now defined such that it can be used concurrently so long as it operates on different elements. This allows some container operations to be used in parallel without separate synchronization.

Wording Changes from Ada 2012

84.m/4
correction

Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

84.n/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.5 The Generic Package Containers.Hashed_Maps

Static Semantics

1/2

The generic library package Containers.Hashed_Maps has the following declaration:

2/5

with Ada.Iterator_Interfaces; generic type Key_Type is private; type Element_Type is private; with function Hash (Key : Key_Type) return Hash_Type; with function Equivalent_Keys (Left, Right : Key_Type) return Boolean; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Hashed_Maps with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

3/5

type Map is tagged private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Map, Aggregate => (Empty => Empty, Add_Named => Insert), Stable_Properties => (Length, Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited), Default_Initial_Condition => Length (Map) = 0 and then (not Tampering_With_Cursors_Prohibited (Map)) and then (not Tampering_With_Elements_Prohibited (Map)), Preelaborable_Initialization;

3.a/5
discussion

Unlike a Vector, the Stable_Properties of a Hashed_Map do not include the Capacity. If we had included it, some of the otherwise shared definitions would need different postconditions for Hashed_Maps and Ordered_Maps. If we were starting these containers from scratch, we probably would have approached the sharing of definitions differently so that we could avoid issues like this, but a major reorganization of this existing material would be too much change.

4/5

type Cursor is private with Preelaborable_Initialization; 5/2 Empty_Map : constant Map; 6/2 No_Element : constant Cursor; 6.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 6.2/5

function Has_Element (Container : Map; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 6.3/5

package Map_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 7/2 function "=" (Left, Right : Map) return Boolean; 7.1/5

function Tampering_With_Cursors_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null; 7.2/5

function Tampering_With_Elements_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null; 7.3/5

function Empty (Capacity : Count_Type := implementation-defined) return Map with Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 8/5

function Capacity (Container : Map) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 9/5

procedure Reserve_Capacity (Container : in out Map; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity; 10/5

function Length (Container : Map) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 11/5

function Is_Empty (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 12/5

procedure Clear (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Capacity (Container) = Capacity (Container)'Old and then Length (Container) = 0; 13/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Key_Type; 13.1/5

function Key (Container : Map; Position : Cursor) return Key_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Key_Type; 14/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type; 14.1/5

function Element (Container : Map; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 15/5

procedure Replace_Element (Container : in out Map; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 16.1/5

procedure Query_Element (Container : in Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17/5

procedure Update_Element (Container : in out Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17.3/5

function Constant_Reference (Container : aliased in Map; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.4/5

function Reference (Container : aliased in out Map; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.5/5

function Constant_Reference (Container : aliased in Map; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.6/5

function Reference (Container : aliased in out Map; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.7/5

procedure Assign (Target : in out Map; Source : in Map) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Source); 17.8/5

function Copy (Source : Map; Capacity : Count_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity); 18/5

procedure Move (Target : in out Map; Source : in out Map) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0); 19/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)) and then Capacity (Container) >= Length (Container); 20/5

procedure Insert (Container : in out Map; Key : in Key_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)) and then Capacity (Container) >= Length (Container); 21/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1 and then Capacity (Container) >= Length (Container); 22/5

procedure Include (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1) and then Capacity (Container) >= Length (Container); 23/5

procedure Replace (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 24/5

procedure Exclude (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 25/5

procedure Delete (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 26/5

procedure Delete (Container : in out Map; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element; 27/5

function First (Container : Map) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 28/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 28.1/5

function Next (Container : Map; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result)); 29/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 29.1/5

procedure Next (Container : in Map; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 30/5

function Find (Container : Map; Key : Key_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 31/2 function Element (Container : Map; Key : Key_Type) return Element_Type; 32/2 function Contains (Container : Map; Key : Key_Type) return Boolean; 33/3

This paragraph was deleted. 34/5

function Equivalent_Keys (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 35/5

function Equivalent_Keys (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 36/5

function Equivalent_Keys (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 37/5

procedure Iterate (Container : in Map; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 37.1/5

function Iterate (Container : in Map) return Map_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 37.2/5

package Stable is 37.3/5

type Map (Base : not null access Hashed_Maps.Map) is tagged limited private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length), Global => null, Default_Initial_Condition => Length (Map) = 0, Preelaborable_Initialization; 37.4/5

type Cursor is private with Preelaborable_Initialization; 37.5/5

Empty_Map : constant Map; 37.6/5

No_Element : constant Cursor; 37.7/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 37.8/5

package Map_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 37.9/5

procedure Assign (Target : in out Hashed_Maps.Map; Source : in Map) with Post => Length (Source) = Length (Target); 37.10/5

function Copy (Source : Hashed_Maps.Map) return Map with Post => Length (Copy'Result) = Length (Source); 37.11/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 37.12/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 37.13/5

-- Additional subprograms as described in the text -- are declared here. 37.14/5

private 37.15/5

... -- not specified by the language 37.16/5

end Stable; 38/2 private 39/2 ... -- not specified by the language 40/2 end Ada.Containers.Hashed_Maps;

41/2

An object of type Map contains an expandable hash table, which is used to provide direct access to nodes. The capacity of an object of type Map is the maximum number of nodes that can be inserted into the hash table prior to it being automatically expanded.

41.a/2
implementation note

The expected implementation for a Map uses a hash table which is grown when it is too small, with linked lists hanging off of each bucket. Note that in that implementation a cursor needs a back pointer to the Map object to implement iteration; that could either be in the nodes, or in the cursor object. To provide an average O(1) access time, capacity would typically equal the number of buckets in such an implementation, so that the average bucket linked list length would be no more than 1.0.

41.b/2

There is no defined relationship between elements in a hashed map. Typically, iteration will return elements in the order that they are hashed in.

42/2

Two keys K1 and K2 are defined to be equivalent if Equivalent_Keys (K1, K2) returns True.

43/2

The actual function for the generic formal function Hash is expected to return the same value each time it is called with a particular key value. For any two equivalent key values, the actual for Hash is expected to return the same value. If the actual for Hash behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call Hash, and how many times they call it, is unspecified.

43.a/2
implementation note

The implementation is not required to protect against Hash raising an exception, or returning random numbers, or any other “bad” behavior. It's not practical to do so, and a broken Hash function makes the container unusable.

43.b/2

The implementation can call Hash whenever it is needed; we don't want to specify how often that happens. The result must remain the same (this is logically a pure function), or the behavior is unspecified.

44/2

The actual function for the generic formal function Equivalent_Keys on Key_Type values is expected to return the same value each time it is called with a particular pair of key values. It should define an equivalence relationship, that is, be reflexive, symmetric, and transitive. If the actual for Equivalent_Keys behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call Equivalent_Keys, and how many times they call it, is unspecified.

44.a/2
implementation note

As with Hash, the implementation is not required to protect against Equivalent_Keys raising an exception or returning random results. Similarly, the implementation can call this operation whenever it is needed. The result must remain the same (this is a logically pure function), or the behavior is unspecified.

45/2

If the value of a key stored in a node of a map is changed other than by an operation in this package such that at least one of Hash or Equivalent_Keys give different results, the behavior of this package is unspecified.

45.a/2
implementation note

The implementation is not required to protect against changes to key values other than via the operations declared in the Hashed_Maps package.

45.b/2

To see how this could happen, imagine an instance of Hashed_Maps where the key type is an access-to-variable type and Hash returns a value derived from the components of the designated object. Then, any operation that has a key value could modify those components and change the hash value:

45.c/2

Key (Map).Some_Component := New_Value;

45.d/2

This is really a design error on the part of the user of the map; it shouldn't be possible to modify keys stored in a map. But we can't prevent this error anymore than we can prevent someone passing as Hash a random number generator.

46/2

Which nodes are the first node and the last node of a map, and which node is the successor of a given node, are unspecified, other than the general semantics described in A.18.4.

46.a/2
implementation note

Typically the first node will be the first node in the first bucket, the last node will be the last node in the last bucket, and the successor will be obtained by following the collision list, and going to the next bucket at the end of each bucket.

46.1/5

function Empty (Capacity : Count_Type := implementation-defined) return Map with Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

46.2/2

Returns an empty map.

47/5

function Capacity (Container : Map) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

48/2

Returns the capacity of Container.

49/5

procedure Reserve_Capacity (Container : in out Map; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity;

50/2

Reserve_Capacity allocates a new hash table such that the length of the resulting map can become at least the value Capacity without requiring an additional call to Reserve_Capacity, and is large enough to hold the current length of Container. Reserve_Capacity then rehashes the nodes in Container onto the new hash table. It replaces the old hash table with the new hash table, and then deallocates the old hash table. Any exception raised during allocation is propagated and Container is not modified.

51/5

This paragraph was deleted.

51.a/2
implementation note

This routine is used to preallocate the internal hash table to the specified capacity such that future Inserts do not require expansion of the hash table. Therefore, the implementation should allocate the needed memory to make that true at this point, even though the visible semantics could be preserved by waiting until enough elements are inserted.

51.b/3

While Reserve_Capacity can be used to reduce the capacity of a map, we do not specify whether an implementation actually supports reduction of the capacity. Since the actual capacity can be anything greater than or equal to Capacity, an implementation never has to reduce the capacity.

51.c/2

Reserve_Capacity tampers with the cursors, as rehashing probably will change the order that elements are stored in the map.

52/5

procedure Clear (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Capacity (Container) = Capacity (Container)'Old and then Length (Container) = 0;

53/2

In addition to the semantics described in A.18.4, Clear does not affect the capacity of Container.

53.1/5

procedure Assign (Target : in out Map; Source : in Map) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Source);

53.2/3

In addition to the semantics described in A.18.4, if the length of Source is greater than the capacity of Target, Reserve_Capacity (Target, Length (Source)) is called before assigning any elements.

53.3/5

function Copy (Source : Map; Capacity : Count_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity);

53.4/5

Returns a map whose keys and elements are initialized from the keys and elements of Source.

53.a/2
implementation note

In:

53.b/2

procedure Move (Target : in out Map; Source : in out Map);

53.c/2

The intended implementation is that the internal hash table of Target is first deallocated; then the internal hash table is removed from Source and moved to Target.

54/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)) and then Capacity (Container) >= Length (Container);

55/2

In addition to the semantics described in A.18.4, if Length (Container) equals Capacity (Container), then Insert first calls Reserve_Capacity to increase the capacity of Container to some larger value.

55.a/2
implementation note

Insert should only compare keys that hash to the same bucket in the hash table.

55.b/2

We specify when Reserve_Capacity is called to bound the overhead of capacity expansion operations (which are potentially expensive). Moreover, expansion can be predicted by comparing Capacity(Map) to Length(Map). Since we don't specify by how much the hash table is expanded, this only can be used to predict the next expansion, not later ones.

55.c/2
implementation note

In:

55.d/2

procedure Exclude (Container : in out Map; Key : in Key_Type);

55.e/2

Exclude should only compare keys that hash to the same bucket in the hash table.

55.f/2
implementation note

In:

55.g/2

procedure Delete (Container : in out Map; Key : in Key_Type);

55.h/2

Delete should only compare keys that hash to the same bucket in the hash table. The node containing the element may be deallocated now, or it may be saved and reused later.

55.i/2
implementation note

In:

55.j/2

function First (Container : Map) return Cursor;

55.k/2

In a typical implementation, this will be the first node in the lowest numbered hash bucket that contains a node.

55.l/2
implementation note

In:

55.m/2

function Next (Position : Cursor) return Cursor;

55.n/2

In a typical implementation, this will return the next node in a bucket; if Position is the last node in a bucket, this will return the first node in the next nonempty bucket.

55.o/2

A typical implementation will need to a keep a pointer at the map container in the cursor in order to implement this function.

55.p/2
implementation note

In:

55.q/2

function Find (Container : Map; Key : Key_Type) return Cursor;

55.r/2

Find should only compare keys that hash to the same bucket in the hash table.

56/5

function Equivalent_Keys (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

57/2

Equivalent to Equivalent_Keys (Key (Left), Key (Right)).

58/5

function Equivalent_Keys (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

59/2

Equivalent to Equivalent_Keys (Key (Left), Right).

60/5

function Equivalent_Keys (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

61/2

Equivalent to Equivalent_Keys (Left, Key (Right)).

61.1/5

function Iterate (Container : in Map) return Map_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

61.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the first node and moving the cursor according to the successor relation when used as a forward iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

Implementation Advice

62/2

If N is the length of a map, the average time complexity of the subprograms Element, Insert, Include, Replace, Delete, Exclude, and Find that take a key parameter should be O(log N). The average time complexity of the subprograms that take a cursor parameter should be O(1). The average time complexity of Reserve_Capacity should be O(N).

62.a/2
implementation advice

The average time complexity of Element, Insert, Include, Replace, Delete, Exclude, and Find operations that take a key parameter for Containers.Hashed_Maps should be O(log N). The average time complexity of the subprograms of Containers.Hashed_Maps that take a cursor parameter should be O(1). The average time complexity of Containers.Hashed_Maps.Reserve_Capacity should be O(N).

62.b/2
reason

We do not mean to overly constrain implementation strategies here. However, it is important for portability that the performance of large containers has roughly the same factors on different implementations. If a program is moved to an implementation for which Find is O(N), that program could be unusable when the maps are large. We allow O(log N) access because the proportionality constant and caching effects are likely to be larger than the log factor, and we don't want to discourage innovative implementations.

Extensions to Ada 95

62.c/2

The generic package Containers.Hashed_Maps is new.

Incompatibilities With Ada 2005

62.d/3

Subprograms Assign and Copy are added to Containers.Hashed_Maps. If an instance of Containers.Hashed_Maps is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Hashed_Maps is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

62.e/3

Added iterator and indexing support to make hashed map containers more convenient to use.

Wording Changes from Ada 2005

62.f/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

Incompatibilities With Ada 2012

62.g/5

A number of new subprograms, types, and even a nested package were added to Containers.Hashed_Maps to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

62.h/5

Maps now support named container aggregates, so aggregate syntax can be used to create Maps.

62.i/5

The iterator for the container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

62.j/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.6 The Generic Package Containers.Ordered_Maps

Static Semantics

1/2

The generic library package Containers.Ordered_Maps has the following declaration:

2/5

with Ada.Iterator_Interfaces; generic type Key_Type is private; type Element_Type is private; with function "<" (Left, Right : Key_Type) return Boolean is <>; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Ordered_Maps with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

3/5

function Equivalent_Keys (Left, Right : Key_Type) return Boolean is (not ((Left < Right) or (Right < Left))); 4/5

type Map is tagged private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Map, Aggregate => (Empty => Empty, Add_Named => Insert), Stable_Properties => (Length, Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited), Default_Initial_Condition => Length (Map) = 0 and then (not Tampering_With_Cursors_Prohibited (Map)) and then (not Tampering_With_Elements_Prohibited (Map)), Preelaborable_Initialization; 5/5

type Cursor is private with Preelaborable_Initialization; 6/2 Empty_Map : constant Map; 7/2 No_Element : constant Cursor; 7.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 7.2/5

function Has_Element (Container : Map; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 7.3/5

package Map_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 8/2 function "=" (Left, Right : Map) return Boolean; 8.1/5

function Tampering_With_Cursors_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null; 8.2/5

function Tampering_With_Elements_Prohibited (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null; 8.3/5

function Empty return Map is (Empty_Map) with Post => not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 9/5

function Length (Container : Map) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 10/5

function Is_Empty (Container : Map) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 11/5

procedure Clear (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0; 12/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Key_Type; 12.1/5

function Key (Container : Map; Position : Cursor) return Key_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Key_Type; 13/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => null, Use_Formal => Element_Type; 13.1/5

function Element (Container : Map; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 14/5

procedure Replace_Element (Container : in out Map; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 15/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 15.1/5

procedure Query_Element (Container : in Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16/5

procedure Update_Element (Container : in out Map; Position : in Cursor; Process : not null access procedure (Key : in Key_Type; Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16.1/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 16.2/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 16.3/5

function Constant_Reference (Container : aliased in Map; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 16.4/5

function Reference (Container : aliased in out Map; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 16.5/5

function Constant_Reference (Container : aliased in Map; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 16.6/5

function Reference (Container : aliased in out Map; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 16.7/5

procedure Assign (Target : in out Map; Source : in Map) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target); 16.8/5

function Copy (Source : Map) return Map with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result); 17/5

procedure Move (Target : in out Map; Source : in out Map) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0); 18/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)); 19/5

procedure Insert (Container : in out Map; Key : in Key_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)); 20/5

procedure Insert (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1; 21/5

procedure Include (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1); 22/5

procedure Replace (Container : in out Map; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 23/5

procedure Exclude (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 24/5

procedure Delete (Container : in out Map; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 25/5

procedure Delete (Container : in out Map; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element; 26/5

procedure Delete_First (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1)); 27/5

procedure Delete_Last (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1)); 28/5

function First (Container : Map) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 29/5

function First_Element (Container : Map) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 30/5

function First_Key (Container : Map) return Key_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 31/5

function Last (Container : Map) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element); 32/5

function Last_Element (Container : Map) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 33/5

function Last_Key (Container : Map) return Key_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 34/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 34.1/5

function Next (Container : Map; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result)); 35/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 35.1/5

procedure Next (Container : in Map; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 36/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element); 36.1/5

function Previous (Container : Map; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result)); 37/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 37.1/5

procedure Previous (Container : in Map; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 38/5

function Find (Container : Map; Key : Key_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 39/2 function Element (Container : Map; Key : Key_Type) return Element_Type; 40/5

function Floor (Container : Map; Key : Key_Type) return Cursor with Post => (if Floor'Result /= No_Element then Has_Element (Container, Floor'Result)); 41/5

function Ceiling (Container : Map; Key : Key_Type) return Cursor with Post => (if Ceiling'Result /= No_Element then Has_Element (Container, Ceiling'Result)); 42/2 function Contains (Container : Map; Key : Key_Type) return Boolean; 43/3

This paragraph was deleted. 44/5

function "<" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 45/5

function ">" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 46/5

function "<" (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 47/5

function ">" (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 48/5

function "<" (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 49/5

function ">" (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 50/5

procedure Iterate (Container : in Map; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 51/5

procedure Reverse_Iterate (Container : in Map; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 51.1/5

function Iterate (Container : in Map) return Map_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 51.2/5

function Iterate (Container : in Map; Start : in Cursor) return Map_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 51.3/5

package Stable is 51.4/5

type Map (Base : not null access Ordered_Maps.Map) is tagged limited private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length), Global => null, Default_Initial_Condition => Length (Map) = 0, Preelaborable_Initialization; 51.5/5

type Cursor is private with Preelaborable_Initialization; 51.6/5

Empty_Map : constant Map; 51.7/5

No_Element : constant Cursor; 51.8/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 51.9/5

package Map_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 51.10/5

procedure Assign (Target : in out Ordered_Maps.Map; Source : in Map) with Post => Length (Source) = Length (Target); 51.11/5

function Copy (Source : Ordered_Maps.Map) return Map with Post => Length (Copy'Result) = Length (Source); 51.12/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 51.13/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 51.14/5

-- Additional subprograms as described in the text -- are declared here. 51.15/5

private 51.16/5

... -- not specified by the language 51.17/5

end Stable; 52/2 private 53/2 ... -- not specified by the language 54/2 end Ada.Containers.Ordered_Maps;

55/2

Two keys K1 and K2 are equivalent if both K1 < K2 and K2 < K1 return False, using the generic formal "<" operator for keys. Function Equivalent_Keys returns True if Left and Right are equivalent, and False otherwise.

56/3

The actual function for the generic formal function "<" on Key_Type values is expected to return the same value each time it is called with a particular pair of key values. It should define a strict weak ordering relationship (see A.18). If the actual for "<" behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call "<" and how many times they call it, is unspecified.

56.a/2
implementation note

The implementation is not required to protect against "<" raising an exception, or returning random results, or any other “bad” behavior. It's not practical to do so, and a broken "<" function makes the container unusable.

56.b/2

The implementation can call "<" whenever it is needed; we don't want to specify how often that happens. The result must remain the same (this is a logically pure function), or the behavior is unspecified.

57/2

If the value of a key stored in a map is changed other than by an operation in this package such that at least one of "<" or "=" give different results, the behavior of this package is unspecified.

57.a/2
implementation note

The implementation is not required to protect against changes to key values other than via the operations declared in the Ordered_Maps package.

57.b/2

To see how this could happen, imagine an instance of Ordered_Maps package where the key type is an access-to-variable type and "<" returns a value derived from comparing the components of the designated objects. Then, any operation that has a key value (even if the key value is constant) could modify those components and change the result of "<":

57.c/2

Key (Map).Some_Component := New_Value;

57.d/2

This is really a design error on the part of the user of the map; it shouldn't be possible to modify keys stored in a map such that "<" changes. But we can't prevent this error anymore than we can prevent someone passing as "<" a routine that produces random answers.

58/3

The first node of a nonempty map is the one whose key is less than the key of all the other nodes in the map. The last node of a nonempty map is the one whose key is greater than the key of all the other elements in the map. The successor of a node is the node with the smallest key that is larger than the key of the given node. The predecessor of a node is the node with the largest key that is smaller than the key of the given node. All comparisons are done using the generic formal "<" operator for keys.

58.1/5

function Copy (Source : Map) return Map with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result);

58.2/3

Returns a map whose keys and elements are initialized from the corresponding keys and elements of Source.

59/5

procedure Delete_First (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1));

60/3

If Container is empty, Delete_First has no effect. Otherwise, the node designated by First (Container) is removed from Container. Delete_First tampers with the cursors of Container.

61/5

procedure Delete_Last (Container : in out Map) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1));

62/3

If Container is empty, Delete_Last has no effect. Otherwise, the node designated by Last (Container) is removed from Container. Delete_Last tampers with the cursors of Container.

63/5

function First_Element (Container : Map) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

64/2

Equivalent to Element (First (Container)).

65/5

function First_Key (Container : Map) return Key_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

66/2

Equivalent to Key (First (Container)).

67/5

function Last (Container : Map) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element);

68/2

Returns a cursor that designates the last node in Container. If Container is empty, returns No_Element.

69/5

function Last_Element (Container : Map) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

70/2

Equivalent to Element (Last (Container)).

71/5

function Last_Key (Container : Map) return Key_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

72/2

Equivalent to Key (Last (Container)).

73/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element);

74/3

If Position equals No_Element, then Previous returns No_Element. Otherwise, Previous returns a cursor designating the predecessor node of the one designated by Position. If Position designates the first element, then Previous returns No_Element.

74.1/5

function Previous (Container : Map; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result));

74.2/5

Returns a cursor designating the predecessor of the node designated by Position in Container, if any.

75/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

76/2

Equivalent to Position := Previous (Position).

76.1/5

procedure Previous (Container : in Map; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

76.2/5

Equivalent to Position := Previous (Container, Position).

77/5

function Floor (Container : Map; Key : Key_Type) return Cursor with Post => (if Floor'Result /= No_Element then Has_Element (Container, Floor'Result));

78/3

Floor searches for the last node whose key is not greater than Key, using the generic formal "<" operator for keys. If such a node is found, a cursor that designates it is returned. Otherwise, No_Element is returned.

79/5

function Ceiling (Container : Map; Key : Key_Type) return Cursor with Post => (if Ceiling'Result /= No_Element then Has_Element (Container, Ceiling'Result));

80/3

Ceiling searches for the first node whose key is not less than Key, using the generic formal "<" operator for keys. If such a node is found, a cursor that designates it is returned. Otherwise, No_Element is returned.

81/5

function "<" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

82/2

Equivalent to Key (Left) < Key (Right).

83/5

function ">" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

84/2

Equivalent to Key (Right) < Key (Left).

85/5

function "<" (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

86/2

Equivalent to Key (Left) < Right.

87/5

function ">" (Left : Cursor; Right : Key_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

88/2

Equivalent to Right < Key (Left).

89/5

function "<" (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

90/2

Equivalent to Left < Key (Right).

91/5

function ">" (Left : Key_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

92/2

Equivalent to Key (Right) < Left.

93/5

procedure Reverse_Iterate (Container : in Map; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

94/3

Iterates over the nodes in Container as per procedure Iterate, with the difference that the nodes are traversed in predecessor order, starting with the last node.

94.1/5

function Iterate (Container : in Map) return Map_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

94.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the first node and moving the cursor according to the successor relation when used as a forward iterator, and starting with the last node and moving the cursor according to the predecessor relation when used as a reverse iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

94.3/5

function Iterate (Container : in Map; Start : in Cursor) return Map_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

94.4/5

Iterate returns a reversible iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each node in Container, starting with the node designated by Start and moving the cursor according to the successor relation when used as a forward iterator, or moving the cursor according to the predecessor relation when used as a reverse iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

94.a/3
discussion

Exits are allowed from the loops created using the iterator objects. In particular, to stop the iteration at a particular cursor, just add

94.b/3

exit when Cur = Stop;

94.c/3

in the body of the loop (assuming that Cur is the loop parameter and Stop is the cursor that you want to stop at).

Implementation Advice

95/2

If N is the length of a map, then the worst-case time complexity of the Element, Insert, Include, Replace, Delete, Exclude, and Find operations that take a key parameter should be O((log N)**2) or better. The worst-case time complexity of the subprograms that take a cursor parameter should be O(1).

95.a/2
implementation advice

The worst-case time complexity of Element, Insert, Include, Replace, Delete, Exclude, and Find operations that take a key parameter for Containers.Ordered_Maps should be O((log N)**2) or better. The worst-case time complexity of the subprograms of Containers.Ordered_Maps that take a cursor parameter should be O(1).

95.b/2
implementation note

A balanced (red-black) tree for keys has O(log N) worst-case performance. Note that a O(N) worst-case implementation (like a list) would be wrong.

95.c/2
reason

We do not mean to overly constrain implementation strategies here. However, it is important for portability that the performance of large containers has roughly the same factors on different implementations. If a program is moved to an implementation that takes O(N) to find elements, that program could be unusable when the maps are large. We allow the extra log N factors because the proportionality constant and caching effects are likely to be larger than the log factor, and we don't want to discourage innovative implementations.

Extensions to Ada 95

95.d/2

The generic package Containers.Ordered_Maps is new.

Incompatibilities With Ada 2005

95.e/3

Subprograms Assign and Copy are added to Containers.Ordered_Maps. If an instance of Containers.Ordered_Maps is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Ordered_Maps is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

95.f/3

Added iterator and indexing support to make ordered map containers more convenient to use.

Wording Changes from Ada 2005

95.g/3
correction

Redefined "<" actuals to require a strict weak ordering; the old definition allowed indeterminant comparisons that would not have worked in a container.

95.h/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

Incompatibilities With Ada 2012

95.i/5

A number of new subprograms, types, and even a nested package were added to Containers.Ordered_Maps to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

95.j/5

Maps now support named container aggregates, so aggregate syntax can be used to create Maps.

95.k/5

The iterator for the entire container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

95.l/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.7 Sets

1/2

The language-defined generic packages Containers.Hashed_Sets and Containers.Ordered_Sets provide private types Set and Cursor, and a set of operations for each type. A set container allows elements of an arbitrary type to be stored without duplication. A hashed set uses a hash function to organize elements, while an ordered set orders its element per a specified relation.

2/3

This subclause describes the declarations that are common to both kinds of sets. See A.18.8 for a description of the semantics specific to Containers.Hashed_Sets and A.18.9 for a description of the semantics specific to Containers.Ordered_Sets.

Static Semantics

3/2

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the function "=" on set values returns an unspecified value. The exact arguments and number of calls of this generic formal function by the function "=" on set values are unspecified.

3.a/2
ramification

If the actual function for "=" is not symmetric and consistent, the result returned by the "=" for Set objects cannot be predicted. The implementation is not required to protect against "=" raising an exception, or returning random results, or any other “bad” behavior. And it can call "=" in whatever manner makes sense. But note that only the result of "=" for Set objects is unspecified; other subprograms are not allowed to break if "=" is bad (they aren't expected to use "=").

4/2

The type Set is used to represent sets. The type Set needs finalization (see 7.6).

5/2

A set contains elements. Set cursors designate elements. There exists an equivalence relation on elements, whose definition is different for hashed sets and ordered sets. A set never contains two or more equivalent elements. The length of a set is the number of elements it contains.

6/2

Each nonempty set has two particular elements called the first element and the last element (which may be the same). Each element except for the last element has a successor element. If there are no other intervening operations, starting with the first element and repeatedly going to the successor element will visit each element in the set exactly once until the last element is reached. The exact definition of these terms is different for hashed sets and ordered sets.

7/5

[Some operations check for “tampering with cursors” of a container because they depend on the set of elements of the container remaining constant and on elements of the container not being replaced.] When tampering with cursors is prohibited for a particular set object S, Program_Error is propagated by the finalization of S[, as well as by a call that passes S to certain of the operations of this package, as indicated by the precondition of such an operation].

7.a/5
discussion

Note that Replace_Element tampers with cursors because it might delete and reinsert the element if it moves in the set. That could change the order of iteration, which is what this check is designed to prevent. Replace also tampers with cursors, as it is defined in terms of Replace_Element.

7.b/5

These inclusions mean that there are no operations that would tamper with elements that do not tamper with cursors. As such, we do not define tampering with elements at all for set containers. Earlier versions of Ada did so just so the description of subprograms are the same between containers, but since we've changed those to pre- and postconditions which are necessarily specific to each container, there no longer seems to be any reason to define tampering with elements for sets.

Paragraphs 8 through 14 are removed as preconditions now describe these rules.

10.a/3
ramification

We don't need to explicitly mention assignment_statement, because that finalizes the target object as part of the operation, and finalization of an object is already defined as tampering with cursors.

15/2

Empty_Set represents the empty Set object. It has a length of 0. If an object of type Set is not otherwise initialized, it is initialized to the same value as Empty_Set.

16/2

No_Element represents a cursor that designates no element. If an object of type Cursor is not otherwise initialized, it is initialized to the same value as No_Element.

17/5

The primitive "=" operator for type Cursor returns True if both cursors are No_Element, or designate the same element in the same container.

17.a/5

To be honest: “The primitive "=" operator” is the one with two parameters of type Cursor which returns Boolean. We're not talking about some other (hidden) primitive function named "=".

18/2

Execution of the default implementation of the Input, Output, Read, or Write attribute of type Cursor raises Program_Error.

18.a/2
reason

A cursor will probably be implemented in terms of one or more access values, and the effects of streaming access values is unspecified. Rather than letting the user stream junk by accident, we mandate that streaming of cursors raise Program_Error by default. The attributes can always be specified if there is a need to support streaming.

18.1/5

Set'Write for a Set object S writes Length(S) elements of the set to the stream. It may also write additional information about the set.

18.2/3

Set'Read reads the representation of a set from the stream, and assigns to Item a set with the same length and elements as was written by Set'Write.

18.b/3
ramification

Streaming more elements than the container length is wrong. For implementation implications of this rule, see the Implementation Note in A.18.2.

18.3/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

18.4/3

Returns True if Position designates an element, and returns False otherwise.

18.c/3

To be honest: This function might not detect cursors that designate deleted elements; such cursors are invalid (see below) and the result of calling Has_Element with an invalid cursor is unspecified (but not erroneous).

18.5/5

function Has_Element (Container : Set; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

18.6/5

Returns True if Position designates an element in Container, and returns False otherwise.

18.d/5
ramification

If Position is No_Element, Has_Element returns False.

19/2

function "=" (Left, Right : Set) return Boolean;

20/2

If Left and Right denote the same set object, then the function returns True. If Left and Right have different lengths, then the function returns False. Otherwise, for each element E in Left, the function returns False if an element equal to E (using the generic formal equality operator) is not present in Right. If the function has not returned a result after checking all of the elements, it returns True. Any exception raised during evaluation of element equality is propagated.

20.a/2
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified for all of the operations that use it in this package, so an implementation can call it as many or as few times as it needs to get the correct answer. Specifically, there is no requirement to call the formal equality additional times once the answer has been determined.

21/2

function Equivalent_Sets (Left, Right : Set) return Boolean;

22/2

If Left and Right denote the same set object, then the function returns True. If Left and Right have different lengths, then the function returns False. Otherwise, for each element E in Left, the function returns False if an element equivalent to E is not present in Right. If the function has not returned a result after checking all of the elements, it returns True. Any exception raised during evaluation of element equivalence is propagated.

22.1/5

function Tampering_With_Cursors_Prohibited (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null;

22.2/5

Returns True if tampering with cursors is currently prohibited for Container, and returns False otherwise.

22.a/5
implementation note

Various contracts elsewhere in this specification require that this function be implemented with synchronized data. Moreover, it is possible for tampering to be prohibited by multiple operations (sequentially or in parallel). Therefore, tampering needs to be implemented with an atomic or protected counter. The counter is initialized to zero, and is incremented when tampering is prohibited, and decremented when leaving an area that prohibited tampering. Function Tampering_With_Cursors_Prohibited returns True if the counter is nonzero. (Note that any case where the result is not well-defined for one task is incorrect use of shared variables and would be erroneous by the rules of 9.10, so no special protection is needed to read the counter.)

23/5

function To_Set (New_Item : Element_Type) return Set with Post => Length (To_Set'Result) = 1 and then not Tampering_with_Cursors_Prohibited (To_Set'Result);

24/2

Returns a set containing the single element New_Item.

25/5

function Length (Container : Set) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

26/2

Returns the number of elements in Container.

27/5

function Is_Empty (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0);

28/5

Returns True if Container is empty.

29/5

procedure Clear (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0;

30/2

Removes all the elements from Container.

31/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type;

32/5

Element returns the element designated by Position.

32.1/5

function Element (Container : Set; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type;

32.2/5

Element returns the element designated by Position.

33/5

procedure Replace_Element (Container : in out Set; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

34/5

Replace_Element assigns New_Item to the element designated by Position. Any exception raised by the assignment is propagated. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)].

34.a/2
implementation note

The final assignment may require that the node of the element be moved in the Set's data structures. That could mean that implementing this operation exactly as worded above could require the overhead of searching twice. Implementations are encouraged to avoid this extra overhead when possible, by prechecking if the old element is equivalent to the new one, by inserting a placeholder node while checking for an equivalent element, and similar optimizations.

34.b/2

The cursor still designates the same element after this operation; only the value of that element has changed. Cursors cannot include information about the relative position of an element in a Set (as they must survive insertions and deletions of other elements), so this should not pose an implementation hardship.

35/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

36/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of the set that contains the element designated by Position is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

36.1/5

procedure Query_Element (Container : in Set; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

36.2/5

Query_Element calls Process.all with the key and element from the node designated by Position as the arguments. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

36.3/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

36.4/3

The type Constant_Reference_Type needs finalization.

36.5/5

This paragraph was deleted.

36.a/3
reason

It is expected that Constant_Reference_Type will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

36.6/5

function Constant_Reference (Container : aliased in Set; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

36.7/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a set given a cursor.

36.8/5

Constant_Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the cursors of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

36.9/5

procedure Assign (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target);

36.10/3

If Target denotes the same object as Source, the operation has no effect. Otherwise, the elements of Source are copied to Target as for an assignment_statement assigning Source to Target.

36.b/3
discussion

This routine exists for compatibility with the bounded set containers. For an unbounded set, Assign(A, B) and A := B behave identically. For a bounded set, := will raise an exception if the container capacities are different, while Assign will not raise an exception if there is enough room in the target.

37/5

procedure Move (Target : in out Set; Source : in out Set) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0);

38/3

If Target denotes the same object as Source, then the operation has no effect. Otherwise, the operation is equivalent to Assign (Target, Source) followed by Clear (Source).

39/5

procedure Insert (Container : in out Set; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length));

40/2

Insert checks if an element equivalent to New_Item is already present in Container. If a match is found, Inserted is set to False and Position designates the matching element. Otherwise, Insert adds New_Item to Container; Inserted is set to True and Position designates the newly-inserted element. Any exception raised during allocation is propagated and Container is not modified.

41/5

procedure Insert (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1;

42/2

Insert inserts New_Item into Container as per the four-parameter Insert, with the difference that if an element equivalent to New_Item is already in the set, then Constraint_Error is propagated.

42.a/2
discussion

This is equivalent to:

42.b/2

declare Inserted : Boolean; C : Cursor; begin Insert (Container, New_Item, C, Inserted); if not Inserted then raise Constraint_Error; end if; end;

42.c/2

but doesn't require the hassle of out parameters.

43/5

procedure Include (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1);

44/2

Include inserts New_Item into Container as per the four-parameter Insert, with the difference that if an element equivalent to New_Item is already in the set, then it is replaced. Any exception raised during assignment is propagated.

45/5

procedure Replace (Container : in out Set; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old;

46/2

Replace checks if an element equivalent to New_Item is already in the set. If a match is found, that element is replaced with New_Item; otherwise, Constraint_Error is propagated.

47/5

procedure Exclude (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length);

48/2

Exclude checks if an element equivalent to Item is present in Container. If a match is found, Exclude removes the element from the set.

49/5

procedure Delete (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1;

50/2

Delete checks if an element equivalent to Item is present in Container. If a match is found, Delete removes the element from the set; otherwise, Constraint_Error is propagated.

51/5

procedure Delete (Container : in out Set; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element;

52/5

Delete removes the element designated by Position from the set.

52.a/2
ramification

The check on Position checks that the cursor does not belong to some other set. This check implies that a reference to the set is included in the cursor value. This wording is not meant to require detection of dangling cursors; such cursors are defined to be invalid, which means that execution is erroneous, and any result is allowed (including not raising an exception).

53/5

procedure Union (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source);

54/2

Union inserts into Target the elements of Source that are not equivalent to some element already in Target.

54.a/2
implementation note

If the objects are the same, the result is the same as the original object. The implementation needs to take care so that aliasing effects do not make the result trash; Union (S, S); must work.

55/5

function Union (Left, Right : Set) return Set with Post => Length (Union'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Union'Result);

56/2

Returns a set comprising all of the elements of Left, and the elements of Right that are not equivalent to some element of Left.

57/5

procedure Intersection (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source);

58/3

Intersection deletes from Target the elements of Target that are not equivalent to some element of Source.

58.a/2
implementation note

If the objects are the same, the result is the same as the original object. The implementation needs to take care so that aliasing effects do not make the result trash; Intersection (S, S); must work.

59/5

function Intersection (Left, Right : Set) return Set with Post => Length (Intersection'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Intersection'Result);

60/2

Returns a set comprising all the elements of Left that are equivalent to the some element of Right.

61/5

procedure Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source);

62/2

If Target denotes the same object as Source, then Difference clears Target. Otherwise, it deletes from Target the elements that are equivalent to some element of Source.

63/5

function Difference (Left, Right : Set) return Set with Post => Length (Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Difference'Result);

64/2

Returns a set comprising the elements of Left that are not equivalent to some element of Right.

65/5

procedure Symmetric_Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source);

66/2

If Target denotes the same object as Source, then Symmetric_Difference clears Target. Otherwise, it deletes from Target the elements that are equivalent to some element of Source, and inserts into Target the elements of Source that are not equivalent to some element of Target.

67/5

function Symmetric_Difference (Left, Right : Set) return Set with Post => Length (Symmetric_Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited ( Symmetric_Difference'Result);

68/2

Returns a set comprising the elements of Left that are not equivalent to some element of Right, and the elements of Right that are not equivalent to some element of Left.

69/2

function Overlap (Left, Right : Set) return Boolean;

70/3

If an element of Left is equivalent to some element of Right, then Overlap returns True. Otherwise, it returns False.

70.a/2
discussion

This operation is commutative. If Overlap returns False, the two sets are disjoint.

71/2

function Is_Subset (Subset : Set; Of_Set : Set) return Boolean;

72/3

If an element of Subset is not equivalent to some element of Of_Set, then Is_Subset returns False. Otherwise, it returns True.

72.a/2
discussion

This operation is not commutative, so we use parameter names that make it clear in named notation which set is which.

73/5

function First (Container : Set) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element);

74/2

If Length (Container) = 0, then First returns No_Element. Otherwise, First returns a cursor that designates the first element in Container.

75/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element);

76/2

Returns a cursor that designates the successor of the element designated by Position. If Position designates the last element, then No_Element is returned. If Position equals No_Element, then No_Element is returned.

76.1/5

function Next (Container : Set; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result));

76.2/5

Returns a cursor designating the successor of the node designated by Position in Container.

77/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

78/2

Equivalent to Position := Next (Position).

78.1/5

procedure Next (Container : in Set; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

78.2/5

Equivalent to Position := Next (Container, Position).

79/3

This paragraph was deleted.

80/5

function Find (Container : Set; Item : Element_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result));

81/2

If Length (Container) equals 0, then Find returns No_Element. Otherwise, Find checks if an element equivalent to Item is present in Container. If a match is found, a cursor designating the matching element is returned; otherwise, No_Element is returned.

82/2

function Contains (Container : Set; Item : Element_Type) return Boolean;

82.1/3

Equivalent to Find (Container, Item) /= No_Element.

Paragraphs 83 and 84 were moved above.

85/5

procedure Iterate (Container : in Set; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

86/3

Iterate calls Process.all with a cursor that designates each element in Container, starting with the first element and moving the cursor according to the successor relation. Tampering with the cursors of Container is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

86.a/2
implementation note

The “tamper with cursors” check takes place when the operations that insert or delete elements, and so on are called.

86.b/2

See Iterate for vectors (A.18.2) for a suggested implementation of the check.

87/2

Both Containers.Hashed_Set and Containers.Ordered_Set declare a nested generic package Generic_Keys, which provides operations that allow set manipulation in terms of a key (typically, a portion of an element) instead of a complete element. The formal function Key of Generic_Keys extracts a key value from an element. It is expected to return the same value each time it is called with a particular element. The behavior of Generic_Keys is unspecified if Key behaves in some other manner.

88/2

A key is expected to unambiguously determine a single equivalence class for elements. The behavior of Generic_Keys is unspecified if the formal parameters of this package behave in some other manner.

89/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

90/2

Equivalent to Key (Element (Position)).

90.1/5

function Key (Container : Set; Position : Cursor) return Key_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

90.2/5

Equivalent to Key (Element (Container, Position)).

91/2

The subprograms in package Generic_Keys named Contains, Find, Element, Delete, and Exclude, are equivalent to the corresponding subprograms in the parent package, with the difference that the Key parameter is used to locate an element in the set.

92/5

procedure Replace (Container : in out Set; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old;

93/2

Equivalent to Replace_Element (Container, Find (Container, Key), New_Item).

94/5

procedure Update_Element_Preserving_Key (Container : in out Set; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

95/5

Update_Element_Preserving_Key uses Key to save the key value K of the element designated by Position. Update_Element_Preserving_Key then calls Process.all with that element as the argument. Tampering with the cursors of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated. After Process.all returns, Update_Element_Preserving_Key checks if K determines the same equivalence class as that for the new element; if not, the element is removed from the set and Program_Error is propagated.

95.a/2
reason

The key check ensures that the invariants of the set are preserved by the modification. The “tampers with the elements” check prevents data loss (if Element_Type is by-copy) or erroneous execution (if element type is unconstrained and indefinite).

96/2

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

96.a/2
ramification

This means that the elements cannot be directly allocated from the heap; it must be possible to change the discriminants of the element in place.

96.1/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

96.2/3

The type Reference_Type needs finalization.

96.3/5

This paragraph was deleted.

96.4/5

function Reference_Preserving_Key (Container : aliased in out Set; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

96.5/3

This function (combined with the Implicit_Dereference aspect) provides a convenient way to gain read and write access to an individual element of a set given a cursor.

96.6/5

Reference_Preserving_Key uses Key to save the key value K; then returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the cursors of Container is prohibited while the object returned by Reference_Preserving_Key exists and has not been finalized. When the object returned by Reference_Preserving_Key is finalized, a check is made if K determines the same equivalence class as that for the new element; if not, the element is removed from the set and Program_Error is propagated.

96.7/5

function Constant_Reference (Container : aliased in Set; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container);

96.8/3

This function (combined with the Implicit_Dereference aspect) provides a convenient way to gain read access to an individual element of a set given a key value.

96.9/3

Equivalent to Constant_Reference (Container, Find (Container, Key)).

96.10/5

function Reference_Preserving_Key (Container : aliased in out Set; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container);

96.11/3

This function (combined with the Implicit_Dereference aspect) provides a convenient way to gain read and write access to an individual element of a set given a key value.

96.12/3

Equivalent to Reference_Preserving_Key (Container, Find (Container, Key)).

96.13/5

The nested package Stable provides a type Stable.Set that represents a stable set, which is one that cannot grow and shrink. Such a set can be created by calling the Copy function, or by establishing a stabilized view of an ordinary set.

96.14/5

The subprograms of the set package that have a parameter or result of type Set are included in the nested package Stable with the same specification, except that the following are omitted:

96.15/5

Tampering_With_Cursors_Prohibited, Assign, Move, Insert, Include, Clear, Delete, Exclude, Replace, Replace_Element, procedures Union, Intersection, Difference, and Symmetric_Difference, (for Ordered_sets) Delete_First and Delete_Last, and (for Hashed_sets) Reserve_Capacity

96.a.1/5
discussion

The Generic_Keys package is not included in the Stable package. The functions Union, Intersection, Difference, and Symmetric_Difference are included in the Stable package.

96.a.2/5
ramification

The names Set and Cursor mean the types declared in the nested package in these subprogram specifications.

96.a.3/5
reason

The omitted routines are those that tamper with cursors (or test that state). The model is that it is impossible to tamper with cursors of a stable view since no such operations are included. Thus tampering checks are not needed for a stable view, and we omit the operations associated with those checks.

96.16/5

The operations of this package are equivalent to those for ordinary sets, except that the calls to Tampering_With_Cursors_Prohibited that occur in preconditions are replaced by False, and any that occur in postconditions are replaced by True.

96.17/5

If a stable set is declared with the Base discriminant designating a pre-existing ordinary set, the stable set represents a stabilized view of the underlying ordinary set, and any operation on the stable set is reflected on the underlying ordinary set. While a stabilized view exists, any operation that tampers with cursors performed on the underlying set is prohibited. The finalization of a stable set that provides such a view removes this restriction on the underlying ordinary set [(though some other restriction can exist due to other concurrent iterations or stabilized views)].

96.18/5

If a stable set is declared without specifying Base, the object is necessarily initialized. The initializing expression of the stable set, [typically a call on Copy], determines the Length of the set. The Length of a stable set never changes after initialization.

96.b/5
proof

Initialization is required as the type is indefinite, see 3.3.1.

Bounded (Run-Time) Errors

96.19/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of a set package, to tamper with elements of any set parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the set either prior to, or subsequent to, some or all of the modifications to the set.

96.20/3

It is a bounded error to call any subprogram declared in the visible part of a set package when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

Erroneous Execution

97/2

A Cursor value is invalid if any of the following have occurred since it was created:

98/2
  • The set that contains the element it designates has been finalized;
  • 98.1/3
  • The set that contains the element it designates has been used as the Target of a call to Assign, or as the target of an assignment_statement;
  • 99/2
  • The set that contains the element it designates has been used as the Source or Target of a call to Move; or
  • 100/3
  • The element it designates has been removed from the set that previously contained the element.
100.a/3
ramification

This can happen directly via calls to Clear, Exclude, Delete, and Update_Element_Preserving_Key, and indirectly via calls to procedures Intersection, Difference, and Symmetric_Difference.

101/2

The result of "=" or Has_Element is unspecified if these functions are called with an invalid cursor parameter. Execution is erroneous if any other subprogram declared in Containers.Hashed_Sets or Containers.Ordered_Sets is called with an invalid cursor parameter.

101.a/2
discussion

The list above is intended to be exhaustive. In other cases, a cursor value continues to designate its original element. For instance, cursor values survive the insertion and deletion of other elements.

101.b/2

While it is possible to check for these cases, in many cases the overhead necessary to make the check is substantial in time or space. Implementations are encouraged to check for as many of these cases as possible and raise Program_Error if detected.

101.1/3

Execution is erroneous if the set associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

101.c/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

102/5

No storage associated with a set object shall be lost upon assignment or scope exit.

103/3

The execution of an assignment_statement for a set shall have the effect of copying the elements from the source set object to the target set object and changing the length of the target object to that of the source object.

103.a/3
implementation note

An assignment of a Set is a “deep” copy; that is the elements are copied as well as the data structures. We say “effect of” in order to allow the implementation to avoid copying elements immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that this implementation would require care, see A.18.2 for more.)

Implementation Advice

104/2

Move should not copy elements, and should minimize copying of internal data structures.

104.a/2
implementation advice

Move for sets should not copy elements, and should minimize copying of internal data structures.

104.b/2
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures from the Source container to the Target container.

105/2

If an exception is propagated from a set operation, no storage should be lost, nor any elements removed from a set unless specified by the operation.

105.a/2
implementation advice

If an exception is propagated from a set operation, no storage should be lost, nor any elements removed from a set unless specified by the operation.

105.b/2
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

Wording Changes from Ada 95

105.c/2

This description of sets is new; the extensions are documented with the specific packages.

Extensions to Ada 2005

105.d/3

Added reference support to make set containers more convenient to use.

Wording Changes from Ada 2005

105.e/3

Added procedure Assign; the extension and incompatibility is documented with the specific packages.

105.f/3

Generalized the definition of Move. Specified which elements are read/written by stream attributes.

105.g/3
correction

Added a Bounded (Run-Time) Error to cover tampering by generic actual subprograms.

105.h/3
correction

Added a Bounded (Run-Time) Error to cover access to finalized set containers.

105.i/3
correction

Revised the definition of invalid cursors to cover missing (and new) cases.

105.j/3
correction

Defined when a container prohibits tampering in order to more clearly define where the check is made and the exception raised.

Inconsistencies With Ada 2012

105.k/5

Procedures Union, Intersection, Difference, and Symmeteric_Difference are now defined to tamper with the cursors of the Target parameter. A program which attempts to use one of these operations while tampering is prohibited will raise Program_Error. However, since the operations do modify the container, the effects would have been unpredictable, so this change will likely fix bugs.

Extensions to Ada 2012

105.l/5
correction

Replace_Element is now defined such that it can be used concurrently so long as it operates on different elements. This allows some container operations to be used in parallel without separate synchronization.

Wording Changes from Ada 2012

105.m/4

Corrigendum: Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

105.n/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.8 The Generic Package Containers.Hashed_Sets

Static Semantics

1/2

The generic library package Containers.Hashed_Sets has the following declaration:

2/5

with Ada.Iterator_Interfaces; generic type Element_Type is private; with function Hash (Element : Element_Type) return Hash_Type; with function Equivalent_Elements (Left, Right : Element_Type) return Boolean; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Hashed_Sets with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

3/5

type Set is tagged private with Constant_Indexing => Constant_Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Set, Aggregate => (Empty => Empty, Add_Unnamed => Include), Stable_Properties => (Length, Tampering_With_Cursors_Prohibited), Default_Initial_Condition => Length (Set) = 0 and then (not Tampering_With_Cursors_Prohibited (Set)), Preelaborable_Initialization;

3.a/5
discussion

Unlike a Vector, the Stable_Properties of a Hashed_Set do not include the Capacity. If we had included it, some of the otherwise shared definitions would need different postconditions for Hashed_Sets and Ordered_Sets. If we were starting these containers from scratch, we probably would have approached the sharing of definitions differently so that we could avoid issues like this, but a major reorganization of this existing material would be too much change.

4/5

type Cursor is private with Preelaborable_Initialization; 5/2 Empty_Set : constant Set; 6/2 No_Element : constant Cursor; 6.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 6.2/5

function Has_Element (Container : Set; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 6.3/3

package Set_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 7/2 function "=" (Left, Right : Set) return Boolean; 8/2 function Equivalent_Sets (Left, Right : Set) return Boolean; 8.1/5

function Tampering_With_Cursors_Prohibited (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null; 8.2/5

function Empty (Capacity : Count_Type := implementation-defined) return Set with Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 9/5

function To_Set (New_Item : Element_Type) return Set with Post => Length (To_Set'Result) = 1 and then not Tampering_with_Cursors_Prohibited (To_Set'Result); 10/5

function Capacity (Container : Set) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 11/5

procedure Reserve_Capacity (Container : in out Set; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity; 12/5

function Length (Container : Set) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 13/5

function Is_Empty (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 14/5

procedure Clear (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Capacity (Container) = Capacity (Container)'Old and then Length (Container) = 0; 15/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type; 15.1/5

function Element (Container : Set; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 16/5

procedure Replace_Element (Container : in out Set; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 17.1/5

procedure Query_Element (Container : in Set; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 17.2/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17.3/5

function Constant_Reference (Container : aliased in Set; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 17.4/5

procedure Assign (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Source); 17.5/5

function Copy (Source : Set; Capacity : Count_Type := 0) return Set with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity); 18/5

procedure Move (Target : in out Set; Source : in out Set) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0); 19/5

procedure Insert (Container : in out Set; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)) and then Capacity (Container) >= Length (Container); 20/5

procedure Insert (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1 and then Capacity (Container) >= Length (Container); 21/5

procedure Include (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1) and then Capacity (Container) >= Length (Container); 22/5

procedure Replace (Container : in out Set; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 23/5

procedure Exclude (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 24/5

procedure Delete (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 25/5

procedure Delete (Container : in out Set; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element; 26/5

procedure Union (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 27/5

function Union (Left, Right : Set) return Set with Post => Length (Union'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Union'Result); 28/2 function "or" (Left, Right : Set) return Set renames Union; 29/5

procedure Intersection (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 30/5

function Intersection (Left, Right : Set) return Set with Post => Length (Intersection'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Intersection'Result); 31/2 function "and" (Left, Right : Set) return Set renames Intersection; 32/5

procedure Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 33/5

function Difference (Left, Right : Set) return Set with Post => Length (Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Difference'Result); 34/2 function "-" (Left, Right : Set) return Set renames Difference; 35/5

procedure Symmetric_Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 36/5

function Symmetric_Difference (Left, Right : Set) return Set with Post => Length (Symmetric_Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited ( Symmetric_Difference'Result); 37/2 function "xor" (Left, Right : Set) return Set renames Symmetric_Difference; 38/2 function Overlap (Left, Right : Set) return Boolean; 39/2 function Is_Subset (Subset : Set; Of_Set : Set) return Boolean; 40/5

function First (Container : Set) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 41/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 41.1/5

function Next (Container : Set; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result)); 42/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 42.1/5

procedure Next (Container : in Set; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 43/5

function Find (Container : Set; Item : Element_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 44/2 function Contains (Container : Set; Item : Element_Type) return Boolean; 45/3

This paragraph was deleted. 46/5

function Equivalent_Elements (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 47/5

function Equivalent_Elements (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 48/5

function Equivalent_Elements (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 49/5

procedure Iterate (Container : in Set; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 49.1/5

function Iterate (Container : in Set) return Set_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 50/5

generic type Key_Type (<>) is private; with function Key (Element : Element_Type) return Key_Type; with function Hash (Key : Key_Type) return Hash_Type; with function Equivalent_Keys (Left, Right : Key_Type) return Boolean; package Generic_Keys with Nonblocking, Global => null is 51/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 51.1/5

function Key (Container : Set; Position : Cursor) return Key_Type with Pre => (Position = No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 52/2 function Element (Container : Set; Key : Key_Type) return Element_Type; 53/5

procedure Replace (Container : in out Set; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 54/5

procedure Exclude (Container : in out Set; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 55/5

procedure Delete (Container : in out Set; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 56/5

function Find (Container : Set; Key : Key_Type) return Cursor with Post => (if Find'Result = No_Element then Has_Element (Container, Find'Result)); 57/2 function Contains (Container : Set; Key : Key_Type) return Boolean; 58/5

procedure Update_Element_Preserving_Key (Container : in out Set; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 58.1/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 58.2/5

function Reference_Preserving_Key (Container : aliased in out Set; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 58.3/5

function Constant_Reference (Container : aliased in Set; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container); 58.4/5

function Reference_Preserving_Key (Container : aliased in out Set; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container); 59/2 end Generic_Keys; 59.1/5

package Stable is 59.2/5

type Set (Base : not null access Hashed_Sets.Set) is tagged limited private with Constant_Indexing => Constant_Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length), Global => null, Default_Initial_Condition => Length (Set) = 0, Preelaborable_Initialization; 59.3/5

type Cursor is private with Preelaborable_Initialization; 59.4/5

Empty_Set : constant Set; 59.5/5

No_Element : constant Cursor; 59.6/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 59.7/5

package Set_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 59.8/5

procedure Assign (Target : in out Hashed_Sets.Set; Source : in Set) with Post => Length (Source) = Length (Target); 59.9/5

function Copy (Source : Hashed_Sets.Set) return Set with Post => Length (Copy'Result) = Length (Source); 59.10/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 59.11/5

-- Additional subprograms as described in the text -- are declared here. 59.12/5

private 59.13/5

... -- not specified by the language 59.14/5

end Stable; 60/2 private 61/2 ... -- not specified by the language 62/2 end Ada.Containers.Hashed_Sets;

63/2

An object of type Set contains an expandable hash table, which is used to provide direct access to elements. The capacity of an object of type Set is the maximum number of elements that can be inserted into the hash table prior to it being automatically expanded.

64/2

Two elements E1 and E2 are defined to be equivalent if Equivalent_Elements (E1, E2) returns True.

65/2

The actual function for the generic formal function Hash is expected to return the same value each time it is called with a particular element value. For any two equivalent elements, the actual for Hash is expected to return the same value. If the actual for Hash behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call Hash, and how many times they call it, is unspecified.

66/2

The actual function for the generic formal function Equivalent_Elements is expected to return the same value each time it is called with a particular pair of Element values. It should define an equivalence relationship, that is, be reflexive, symmetric, and transitive. If the actual for Equivalent_Elements behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call Equivalent_Elements, and how many times they call it, is unspecified.

66.1/3

If the actual function for the generic formal function "=" returns True for any pair of nonequivalent elements, then the behavior of the container function "=" is unspecified.

67/2

If the value of an element stored in a set is changed other than by an operation in this package such that at least one of Hash or Equivalent_Elements give different results, the behavior of this package is unspecified.

67.a/2
discussion

See A.18.5, “The Generic Package Containers.Hashed_Maps” for a suggested implementation, and for justification of the restrictions regarding Hash and Equivalent_Elements. Note that sets only need to store elements, not key/element pairs.

68/2

Which elements are the first element and the last element of a set, and which element is the successor of a given element, are unspecified, other than the general semantics described in A.18.7.

68.1/5

function Empty (Capacity : Count_Type := implementation-defined) return Set with Post => Capacity (Empty'Result) >= Capacity and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

68.2/2

Returns an empty set.

69/5

function Capacity (Container : Set) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

70/2

Returns the capacity of Container.

71/5

procedure Reserve_Capacity (Container : in out Set; Capacity : in Count_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Container.Capacity >= Capacity;

72/2

Reserve_Capacity allocates a new hash table such that the length of the resulting set can become at least the value Capacity without requiring an additional call to Reserve_Capacity, and is large enough to hold the current length of Container. Reserve_Capacity then rehashes the elements in Container onto the new hash table. It replaces the old hash table with the new hash table, and then deallocates the old hash table. Any exception raised during allocation is propagated and Container is not modified.

73/5

This paragraph was deleted.

73.a/2
reason

Reserve_Capacity tampers with the cursors, as rehashing probably will change the relationships of the elements in Container.

74/5

procedure Clear (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Capacity (Container) = Capacity (Container)'Old and then Length (Container) = 0;

75/2

In addition to the semantics described in A.18.7, Clear does not affect the capacity of Container.

75.1/5

procedure Assign (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target) and then Capacity (Target) >= Length (Source);

75.2/3

In addition to the semantics described in A.18.7, if the length of Source is greater than the capacity of Target, Reserve_Capacity (Target, Length (Source)) is called before assigning any elements.

75.3/5

function Copy (Source : Set; Capacity : Count_Type := 0) return Set with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity);

75.4/5

Returns a set whose elements are initialized from the elements of Source.

76/5

procedure Insert (Container : in out Set; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)) and then Capacity (Container) >= Length (Container);

77/2

In addition to the semantics described in A.18.7, if Length (Container) equals Capacity (Container), then Insert first calls Reserve_Capacity to increase the capacity of Container to some larger value.

78/2

function First (Container : Set) return Cursor;

79/2

If Length (Container) = 0, then First returns No_Element. Otherwise, First returns a cursor that designates the first hashed element in Container.

80/5

function Equivalent_Elements (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

81/2

Equivalent to Equivalent_Elements (Element (Left), Element (Right)).

82/5

function Equivalent_Elements (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

83/2

Equivalent to Equivalent_Elements (Element (Left), Right).

84/5

function Equivalent_Elements (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

85/2

Equivalent to Equivalent_Elements (Left, Element (Right)).

85.1/5

function Iterate (Container : in Set) return Set_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

85.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in Container, starting with the first element and moving the cursor according to the successor relation when used as a forward iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

86/2

For any element E, the actual function for the generic formal function Generic_Keys.Hash is expected to be such that Hash (E) = Generic_Keys.Hash (Key (E)). If the actuals for Key or Generic_Keys.Hash behave in some other manner, the behavior of Generic_Keys is unspecified. Which subprograms of Generic_Keys call Generic_Keys.Hash, and how many times they call it, is unspecified.

87/2

For any two elements E1 and E2, the boolean values Equivalent_Elements (E1, E2) and Equivalent_Keys (Key (E1), Key (E2)) are expected to be equal. If the actuals for Key or Equivalent_Keys behave in some other manner, the behavior of Generic_Keys is unspecified. Which subprograms of Generic_Keys call Equivalent_Keys, and how many times they call it, is unspecified.

Implementation Advice

88/2

If N is the length of a set, the average time complexity of the subprograms Insert, Include, Replace, Delete, Exclude, and Find that take an element parameter should be O(log N). The average time complexity of the subprograms that take a cursor parameter should be O(1). The average time complexity of Reserve_Capacity should be O(N).

88.a/2
implementation advice

The average time complexity of the Insert, Include, Replace, Delete, Exclude, and Find operations of Containers.Hashed_Sets that take an element parameter should be O(log N). The average time complexity of the subprograms of Containers.Hashed_Sets that take a cursor parameter should be O(1). The average time complexity of Containers.Hashed_Sets.Reserve_Capacity should be O(N).

88.b/2
implementation note

See A.18.5, “The Generic Package Containers.Hashed_Maps” for implementation notes regarding some of the operations of this package.

Extensions to Ada 95

88.c/2

The generic package Containers.Hashed_Sets is new.

Incompatibilities With Ada 2005

88.d/3

Subprograms Assign and Copy are added to Containers.Hashed_Sets. If an instance of Containers.Hashed_Sets is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Hashed_Sets is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

88.e/3

Added iterator and indexing support to make hashed set containers more convenient to use.

Wording Changes from Ada 2005

88.f/3
correction

Added wording to require the formal function be such that equal elements are also equivalent.

88.g/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

Incompatibilities With Ada 2012

88.h/5

A number of new subprograms, types, and even a nested package were added to Containers.Hashed_Sets to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

88.i/5

Sets now support positional container aggregates, so aggregate syntax can be used to create Sets.

88.j/5

The iterator for the container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

88.k/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.9 The Generic Package Containers.Ordered_Sets

Static Semantics

1/2

The generic library package Containers.Ordered_Sets has the following declaration:

2/5

with Ada.Iterator_Interfaces; generic type Element_Type is private; with function "<" (Left, Right : Element_Type) return Boolean is <>; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Ordered_Sets with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

3/2

function Equivalent_Elements (Left, Right : Element_Type) return Boolean; 4/5

type Set is tagged private with Constant_Indexing => Constant_Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Set, Aggregate => (Empty => Empty, Add_Unnamed => Include), Stable_Properties => (Length, Tampering_With_Cursors_Prohibited), Default_Initial_Condition => Length (Set) = 0 and then (not Tampering_With_Cursors_Prohibited (Set)), Preelaborable_Initialization; 5/5

type Cursor is private with Preelaborable_Initialization; 6/2 Empty_Set : constant Set; 7/2 No_Element : constant Cursor; 7.1/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 7.2/5

function Has_Element (Container : Set; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 7.3/3

package Set_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 8/2 function "=" (Left, Right : Set) return Boolean; 9/2 function Equivalent_Sets (Left, Right : Set) return Boolean; 9.1/5

function Tampering_With_Cursors_Prohibited (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null; 9.2/5

function Empty return Set is (Empty_Set) with Post => not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0; 10/5

function To_Set (New_Item : Element_Type) return Set with Post => Length (To_Set'Result) = 1 and then not Tampering_with_Cursors_Prohibited (To_Set'Result); 11/5

function Length (Container : Set) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 12/5

function Is_Empty (Container : Set) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Length (Container) = 0); 13/5

procedure Clear (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = 0; 14/5

function Element (Position : Cursor) return Element_Type with Pre => Position /= No_Element or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => Element_Type; 14.1/5

function Element (Container : Set; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 15/5

procedure Replace_Element (Container : in out Set; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 16.1/5

procedure Query_Element (Container : in Set; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 16.2/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 16.3/5

function Constant_Reference (Container : aliased in Set; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 16.4/5

procedure Assign (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Source) = Length (Target); 16.5/5

function Copy (Source : Set) return Set with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result); 17/5

procedure Move (Target : in out Set; Source : in out Set) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Length (Target) = Length (Source'Old) and then Length (Source) = 0); 18/5

procedure Insert (Container : in out Set; New_Item : in Element_Type; Position : out Cursor; Inserted : out Boolean) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Has_Element (Container, Position) and then (if Inserted then Length (Container) = Original_Length + 1 else Length (Container) = Original_Length)); 19/5

procedure Insert (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => Length (Container) = Length (Container)'Old + 1; 20/5

procedure Include (Container : in out Set; New_Item : in Element_Type) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Length (Container) <= Count_Type'Last - 1 or else raise Constraint_Error), Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length | Original_Length + 1); 21/5

procedure Replace (Container : in out Set; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 22/5

procedure Exclude (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 23/5

procedure Delete (Container : in out Set; Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 24/5

procedure Delete (Container : in out Set; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Length (Container) = Length (Container)'Old - 1 and then Position = No_Element; 25/5

procedure Delete_First (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1)); 26/5

procedure Delete_Last (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1)); 27/5

procedure Union (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 28/5

function Union (Left, Right : Set) return Set with Post => Length (Union'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Union'Result); 29/2 function "or" (Left, Right : Set) return Set renames Union; 30/5

procedure Intersection (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 31/5

function Intersection (Left, Right : Set) return Set with Post => Length (Intersection'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Intersection'Result); 32/2 function "and" (Left, Right : Set) return Set renames Intersection; 33/5

procedure Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 34/5

function Difference (Left, Right : Set) return Set with Post => Length (Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited (Difference'Result); 35/2 function "-" (Left, Right : Set) return Set renames Difference; 36/5

procedure Symmetric_Difference (Target : in out Set; Source : in Set) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Length (Target) <= Length (Target)'Old + Length (Source); 37/5

function Symmetric_Difference (Left, Right : Set) return Set with Post => Length (Symmetric_Difference'Result) <= Length (Left) + Length (Right) and then not Tampering_With_Cursors_Prohibited ( Symmetric_Difference'Result); 38/2 function "xor" (Left, Right : Set) return Set renames Symmetric_Difference; 39/2 function Overlap (Left, Right : Set) return Boolean; 40/2 function Is_Subset (Subset : Set; Of_Set : Set) return Boolean; 41/5

function First (Container : Set) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, First'Result) else First'Result = No_Element); 42/5

function First_Element (Container : Set) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 43/5

function Last (Container : Set) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element); 44/5

function Last_Element (Container : Set) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error); 45/5

function Next (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next'Result = No_Element); 45.1/5

function Next (Container : Set; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Next'Result = No_Element elsif Next'Result = No_Element then Position = Last (Container) else Has_Element (Container, Next'Result)); 46/5

procedure Next (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 46.1/5

procedure Next (Container : in Set; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 47/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element); 47.1/5

function Previous (Container : Set; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result)); 48/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 48.1/5

procedure Previous (Container : in Set; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 49/5

function Find (Container : Set; Item : Element_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 50/2 function Floor (Container : Set; Item : Element_Type) return Cursor with Post => (if Floor'Result /= No_Element then Has_Element (Container, Floor'Result)); 51/2 function Ceiling (Container : Set; Item : Element_Type) return Cursor with Post => (if Ceiling'Result /= No_Element then Has_Element (Container, Ceiling'Result)); 52/2 function Contains (Container : Set; Item : Element_Type) return Boolean; 53/3

This paragraph was deleted. 54/5

function "<" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 55/5

function ">" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all; 56/5

function "<" (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 57/5

function ">" (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all; 58/5

function "<" (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 59/5

function ">" (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all; 60/5

procedure Iterate (Container : in Set; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 61/5

procedure Reverse_Iterate (Container : in Set; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 61.1/5

function Iterate (Container : in Set) return Set_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 61.2/5

function Iterate (Container : in Set; Start : in Cursor) return Set_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 62/5

generic type Key_Type (<>) is private; with function Key (Element : Element_Type) return Key_Type; with function "<" (Left, Right : Key_Type) return Boolean is <>; package Generic_Keys with Nonblocking, Global => null is 63/2 function Equivalent_Keys (Left, Right : Key_Type) return Boolean; 64/5

function Key (Position : Cursor) return Key_Type with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 64.1/5

function Key (Container : Set; Position : Cursor) return Key_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 65/2 function Element (Container : Set; Key : Key_Type) return Element_Type; 66/5

procedure Replace (Container : in out Set; Key : in Key_Type; New_Item : in Element_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old; 67/5

procedure Exclude (Container : in out Set; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin Length (Container) in Original_Length - 1 | Original_Length); 68/5

procedure Delete (Container : in out Set; Key : in Key_Type) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Length (Container) = Length (Container)'Old - 1; 69/5

function Find (Container : Set; Key : Key_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 70/5

function Floor (Container : Set; Key : Key_Type) return Cursor with Post => (if Floor'Result /= No_Element then Has_Element (Container, Floor'Result)); 71/5

function Ceiling (Container : Set; Key : Key_Type) return Cursor with Post => (if Ceiling'Result /= No_Element then Has_Element (Container, Ceiling'Result)); 72/2 function Contains (Container : Set; Key : Key_Type) return Boolean; 73/5

procedure Update_Element_Preserving_Key (Container : in out Set; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 73.1/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 73.2/5

function Reference_Preserving_Key (Container : aliased in out Set; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);; 73.3/5

function Constant_Reference (Container : aliased in Set; Key : in Key_Type) return Constant_Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container);; 73.4/5

function Reference_Preserving_Key (Container : aliased in out Set; Key : in Key_Type) return Reference_Type with Pre => Find (Container, Key) /= No_Element or else raise Constraint_Error, Post => Tampering_With_Cursors_Prohibited (Container);; 74/2 end Generic_Keys; 74.1/5

package Stable is 74.2/5

type Set (Base : not null access Ordered_Sets.Set) is tagged limited private with Constant_Indexing => Constant_Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Length), Global => null, Default_Initial_Condition => Length (Set) = 0, Preelaborable_Initialization; 74.3/5

type Cursor is private with Preelaborable_Initialization; 74.4/5

Empty_Set : constant Set; 74.5/5

No_Element : constant Cursor; 74.6/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 74.7/5

package Set_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 74.8/5

procedure Assign (Target : in out Ordered_Sets.Set; Source : in Set) with Post => Length (Source) = Length (Target); 74.9/5

function Copy (Source : Ordered_Sets.Set) return Set with Post => Length (Copy'Result) = Length (Source); 74.10/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Use_Formal => null, Default_Initial_Condition => (raise Program_Error); 74.11/5

-- Additional subprograms as described in the text -- are declared here. 74.12/5

private 74.13/5

... -- not specified by the language 74.14/5

end Stable; 75/2 private 76/2 ... -- not specified by the language 77/2 end Ada.Containers.Ordered_Sets;

78/2

Two elements E1 and E2 are equivalent if both E1 < E2 and E2 < E1 return False, using the generic formal "<" operator for elements. Function Equivalent_Elements returns True if Left and Right are equivalent, and False otherwise.

79/3

The actual function for the generic formal function "<" on Element_Type values is expected to return the same value each time it is called with a particular pair of key values. It should define a strict weak ordering relationship (see A.18). If the actual for "<" behaves in some other manner, the behavior of this package is unspecified. Which subprograms of this package call "<" and how many times they call it, is unspecified.

79.1/3

If the actual function for the generic formal function "=" returns True for any pair of nonequivalent elements, then the behavior of the container function "=" is unspecified.

80/2

If the value of an element stored in a set is changed other than by an operation in this package such that at least one of "<" or "=" give different results, the behavior of this package is unspecified.

80.a/2
discussion

See A.18.6, “The Generic Package Containers.Ordered_Maps” for a suggested implementation, and for justification of the restrictions regarding "<" and "=". Note that sets only need to store elements, not key/element pairs.

81/3

The first element of a nonempty set is the one which is less than all the other elements in the set. The last element of a nonempty set is the one which is greater than all the other elements in the set. The successor of an element is the smallest element that is larger than the given element. The predecessor of an element is the largest element that is smaller than the given element. All comparisons are done using the generic formal "<" operator for elements.

81.1/5

function Copy (Source : Set) return Set with Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result);

81.2/3

Returns a set whose elements are initialized from the corresponding elements of Source.

82/5

procedure Delete_First (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1));

83/3

If Container is empty, Delete_First has no effect. Otherwise, the element designated by First (Container) is removed from Container. Delete_First tampers with the cursors of Container.

84/5

procedure Delete_Last (Container : in out Set) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => (declare Original_Length : constant Count_Type := Length (Container)'Old; begin (if Original_Length = 0 then Length (Container) = 0 else Length (Container) = Original_Length - 1));

85/3

If Container is empty, Delete_Last has no effect. Otherwise, the element designated by Last (Container) is removed from Container. Delete_Last tampers with the cursors of Container.

86/5

function First_Element (Container : Set) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

87/2

Equivalent to Element (First (Container)).

88/5

function Last (Container : Set) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => (if not Is_Empty (Container) then Has_Element (Container, Last'Result) else Last'Result = No_Element);

89/2

Returns a cursor that designates the last element in Container. If Container is empty, returns No_Element.

90/5

function Last_Element (Container : Set) return Element_Type with Pre => (not Is_Empty (Container) or else raise Constraint_Error);

91/2

Equivalent to Element (Last (Container)).

92/5

function Previous (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous'Result = No_Element);

93/3

If Position equals No_Element, then Previous returns No_Element. Otherwise, Previous returns a cursor designating the predecessor element of the one designated by Position. If Position designates the first element, then Previous returns No_Element.

93.1/5

function Previous (Container : Set; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position = No_Element then Previous'Result = No_Element elsif Previous'Result = No_Element then Position = First (Container) else Has_Element (Container, Previous'Result));

93.2/5

Returns a cursor designating the predecessor of the node designated by Position in Container, if any.

94/5

procedure Previous (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

95/2

Equivalent to Position := Previous (Position).

95.1/5

procedure Previous (Container : in Set; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Position = No_Element or else Has_Element (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

95.2/5

Equivalent to Position := Previous (Container, Position).

96/5

function Floor (Container : Set; Item : Element_Type) return Cursor with Post => (if Floor'Result /= No_Element then Has_Element (Container, Floor'Result));

97/3

Floor searches for the last element which is not greater than Item. If such an element is found, a cursor that designates it is returned. Otherwise, No_Element is returned.

98/5

function Ceiling (Container : Set; Item : Element_Type) return Cursor with Post => (if Ceiling'Result /= No_Element then Has_Element (Container, Ceiling'Result));

99/3

Ceiling searches for the first element which is not less than Item. If such an element is found, a cursor that designates it is returned. Otherwise, No_Element is returned.

100/5

function "<" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

101/2

Equivalent to Element (Left) < Element (Right).

102/5

function ">" (Left, Right : Cursor) return Boolean with Pre => (Left /= No_Element and then Right /= No_Element) or else raise Constraint_Error, Global => in all;

103/2

Equivalent to Element (Right) < Element (Left).

104/5

function "<" (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

105/2

Equivalent to Element (Left) < Right.

106/5

function ">" (Left : Cursor; Right : Element_Type) return Boolean with Pre => Left /= No_Element or else raise Constraint_Error, Global => in all;

107/2

Equivalent to Right < Element (Left).

108/5

function "<" (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

109/2

Equivalent to Left < Element (Right).

110/5

function ">" (Left : Element_Type; Right : Cursor) return Boolean with Pre => Right /= No_Element or else raise Constraint_Error, Global => in all;

111/2

Equivalent to Element (Right) < Left.

112/5

procedure Reverse_Iterate (Container : in Set; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

113/3

Iterates over the elements in Container as per procedure Iterate, with the difference that the elements are traversed in predecessor order, starting with the last element.

113.1/5

function Iterate (Container : in Set) return Set_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

113.2/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in Container, starting with the first element and moving the cursor according to the successor relation when used as a forward iterator, and starting with the last element and moving the cursor according to the predecessor relation when used as a reverse iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

113.3/5

function Iterate (Container : in Set; Start : in Cursor) return Set_Iterator_Interfaces.Reversible_Iterator'Class with Pre => (Start /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Start) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

113.4/5

Iterate returns a reversible iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in Container, starting with the element designated by Start and moving the cursor according to the successor relation when used as a forward iterator, or moving the cursor according to the predecessor relation when used as a reverse iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

113.a/3
discussion

Exits are allowed from the loops created using the iterator objects. In particular, to stop the iteration at a particular cursor, just add

113.b/3

exit when Cur = Stop;

113.c/3

in the body of the loop (assuming that Cur is the loop parameter and Stop is the cursor that you want to stop at).

114/2

For any two elements E1 and E2, the boolean values (E1 < E2) and (Key(E1) < Key(E2)) are expected to be equal. If the actuals for Key or Generic_Keys."<" behave in some other manner, the behavior of this package is unspecified. Which subprograms of this package call Key and Generic_Keys."<", and how many times the functions are called, is unspecified.

115/2

In addition to the semantics described in A.18.7, the subprograms in package Generic_Keys named Floor and Ceiling, are equivalent to the corresponding subprograms in the parent package, with the difference that the Key subprogram parameter is compared to elements in the container using the Key and "<" generic formal functions. The function named Equivalent_Keys in package Generic_Keys returns True if both Left < Right and Right < Left return False using the generic formal "<" operator, and returns True otherwise.

Implementation Advice

116/2

If N is the length of a set, then the worst-case time complexity of the Insert, Include, Replace, Delete, Exclude, and Find operations that take an element parameter should be O((log N)**2) or better. The worst-case time complexity of the subprograms that take a cursor parameter should be O(1).

116.a/2
implementation advice

The worst-case time complexity of the Insert, Include, Replace, Delete, Exclude, and Find operations of Containers.Ordered_Sets that take an element parameter should be O((log N)**2). The worst-case time complexity of the subprograms of Containers.Ordered_Sets that take a cursor parameter should be O(1).

116.b/2
implementation note

See A.18.6, “The Generic Package Containers.Ordered_Maps” for implementation notes regarding some of the operations of this package.

Extensions to Ada 95

116.c/2

The generic package Containers.Ordered_Sets is new.

Incompatibilities With Ada 2005

116.d/3

Subprograms Assign and Copy are added to Containers.Ordered_Sets. If an instance of Containers.Ordered_Sets is referenced in a use_clause, and an entity E with the same defining_identifier as a new entity in Containers.Ordered_Sets is defined in a package that is also referenced in a use_clause, the entity E may no longer be use-visible, resulting in errors. This should be rare and is easily fixed if it does occur.

Extensions to Ada 2005

116.e/3

Added iterator and indexing support to make ordered set containers more convenient to use.

Wording Changes from Ada 2005

116.f/3
correction

Added wording to require the formal function be such that equal elements are also equivalent.

116.g/3
correction

Redefined "<" actuals to require a strict weak ordering; the old definition allowed indeterminant comparisons that would not have worked in a container.

116.h/3
correction

Added a pragma Remote_Types so that containers can be used in distributed programs.

Incompatibilities With Ada 2012

116.i/5

A number of new subprograms, types, and even a nested package were added to Containers.Ordered_Sets to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

116.j/5

Sets now support positional container aggregates, so aggregate syntax can be used to create Sets.

116.k/5

The iterator for the entire container now can return a parallel iterator which can be used to process the container in parallel.

Wording Changes from Ada 2012

116.l/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.10 The Generic Package Containers.Multiway_Trees

1/3

The language-defined generic package Containers.Multiway_Trees provides private types Tree and Cursor, and a set of operations for each type. A multiway tree container is well-suited to represent nested structures.

1.a/3
discussion

This tree just provides a basic structure, and make no promises about balancing or other automatic organization. In this sense, it is different than the indexed (Map, Set) forms. Rather, it provides a building block on which to construct more complex and more specialized tree containers.

2/4

A multiway tree container object manages a tree of nodes, consisting of a root node and a set of internal nodes; each internal node contains an element and pointers to the parent, first child, last child, next (successor) sibling, and previous (predecessor) sibling internal nodes. A cursor designates a particular node within a tree (and by extension the element contained in that node, if any). A cursor keeps designating the same node (and element) as long as the node is part of the container, even if the node is moved within the container.

3/4

A subtree is a particular node (which roots the subtree) and all of its child nodes (including all of the children of the child nodes, recursively). The root node is always present and has neither an associated element value nor any parent node; it has pointers to its first child and its last child, if any. The root node provides a place to add nodes to an otherwise empty tree and represents the base of the tree.

4/3

A node that has no children is called a leaf node. The ancestors of a node are the node itself, its parent node, the parent of the parent node, and so on until a node with no parent is reached. Similarly, the descendants of a node are the node itself, its child nodes, the children of each child node, and so on.

5/3

The nodes of a subtree can be visited in several different orders. For a depth-first order, after visiting a node, the nodes of its child list are each visited in depth-first order, with each child node visited in natural order (first child to last child).

5.a/3
ramification

For the depth-first order, when each child node is visited, the child list of the child node is visited before the next sibling of the child node is visited.

Static Semantics

6/3

The generic library package Containers.Multiway_Trees has the following declaration:

7/5

with Ada.Iterator_Interfaces; generic type Element_Type is private; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Multiway_Trees with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

7.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

8/5

type Tree is tagged private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Iterator_View => Stable.Tree, Stable_Properties => (Node_Count, Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited), Default_Initial_Condition => Node_Count (Tree) = 1 and then (not Tampering_With_Cursors_Prohibited (Tree)) and then (not Tampering_With_Elements_Prohibited (Tree)), Preelaborable_Initialization; 9/5

type Cursor is private with Preelaborable_Initialization; 10/3 Empty_Tree : constant Tree; 11/3 No_Element : constant Cursor; 11.1/5

function Equal_Element (Left, Right : Element_Type) return Boolean renames "="; 12/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 12.1/5

function Has_Element (Container : Tree; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 13/3

package Tree_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 14/3 function Equal_Subtree (Left_Position : Cursor; Right_Position: Cursor) return Boolean; 15/3 function "=" (Left, Right : Tree) return Boolean; 15.1/5

function Tampering_With_Cursors_Prohibited (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null; 15.2/5

function Tampering_With_Elements_Prohibited (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null; 15.3/5

function Empty return Tree is (Empty_Tree) with Post => not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Node_Count (Empty'Result) = 1; 16/5

function Is_Empty (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Node_Count (Container) = 1); 17/5

function Node_Count (Container : Tree) return Count_Type with Nonblocking, Global => null, Use_Formal => null; 18/5

function Subtree_Node_Count (Position : Cursor) return Count_Type with Nonblocking, Global => in all, Use_Formal => null; 18.1/5

function Subtree_Node_Count (Container : Tree; Position : Cursor) return Count_Type with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null; 19/5

function Depth (Position : Cursor) return Count_Type with Nonblocking, Global => in all, Use_Formal => null; 19.1/5

function Depth (Container : Tree; Position : Cursor) return Count_Type with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null; 20/5

function Is_Root (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 20.1/5

function Is_Root (Container : Tree; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null; 21/5

function Is_Leaf (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 21.1/5

function Is_Leaf (Container : Tree; Position : Cursor) return Boolean with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null; 21.2/5

function Is_Ancestor_Of (Container : Tree; Parent : Cursor; Position : Cursor) return Boolean with Pre => (Meaningful_For (Container, Position) or else raise Program_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => null; 22/5

function Root (Container : Tree) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => Root'Result /= No_Element and then not Has_Element (Container, Root'Result); 22.1/5

function Meaningful_For (Container : Tree; Position : Cursor) return Boolean is (Position = No_Element or else Is_Root (Container, Position) or else Has_Element (Container, Position)) with Nonblocking, Global => null, Use_Formal => null;

22.a/5
reason

When this function is true, the Position can be meaningfully used with operations for Container. We define this because many operations allow the root (which does not have an element, so Has_Element returns False), so many preconditions get unwieldy. We allow No_Element as it is allowed by many queries, and for existing routines, it raises a different exception (Constraint_Error rather than Program_Error) than a cursor for the wrong container does.

23/5

procedure Clear (Container : in out Tree) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Node_Count (Container) = 1; 24/5

function Element (Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Position) or else raise Program_Error), Nonblocking, Global => in all, Use_Formal => Element_Type; 24.1/5

function Element (Container : Tree; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type; 25/5

procedure Replace_Element (Container : in out Tree; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 26/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Position) or else raise Program_Error), Global => in all; 26.1/5

procedure Query_Element (Container : in Tree; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 27/5

procedure Update_Element (Container : in out Tree; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error); 28/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 29/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 30/5

function Constant_Reference (Container : aliased in Tree; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 31/5

function Reference (Container : aliased in out Tree; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 32/5

procedure Assign (Target : in out Tree; Source : in Tree) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Node_Count (Source) = Node_Count (Target); 33/5

function Copy (Source : Tree) return Tree with Post => Node_Count (Copy'Result) = Node_Count (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result); 34/5

procedure Move (Target : in out Tree; Source : in out Tree) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Node_Count (Source'Old) and then Node_Count (Source) = 1); 35/5

procedure Delete_Leaf (Container : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Is_Leaf (Container, Position) or else raise Constraint_Error), Post => Node_Count (Container)'Old = Node_Count (Container)+1 and then Position = No_Element; 36/5

procedure Delete_Subtree (Container : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Node_Count (Container)'Old = Node_Count (Container) + Subtree_Node_Count (Container, Position)'Old and then Position = No_Element; 37/5

procedure Swap (Container : in out Tree; I, J : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error); 38/5

function Find (Container : Tree; Item : Element_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result)); 39/5

function Find_In_Subtree (Position : Cursor; Item : Element_Type) return Cursor with Pre => Position /= No_Element or else raise Constraint_Error, Post => (if Find_In_Subtree'Result = No_Element then Has_Element (Find_In_Subtree'Result)), Global => in all; 39.1/5

function Find_In_Subtree (Container : Tree; Position : Cursor; Item : Element_Type) return Cursor with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => (if Find_In_Subtree'Result /= No_Element then Has_Element (Container, Find_In_Subtree'Result)); 40/5

function Ancestor_Find (Position : Cursor; Item : Element_Type) return Cursor with Pre => Position /= No_Element or else raise Constraint_Error, Post => (if Ancestor_Find'Result = No_Element then Has_Element (Ancestor_Find'Result)), Global => in all; 40.1/5

function Ancestor_Find (Container : Tree; Position : Cursor; Item : Element_Type) return Cursor with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => (if Ancestor_Find'Result = No_Element then Has_Element (Container, Ancestor_Find'Result)); 41/3 function Contains (Container : Tree; Item : Element_Type) return Boolean; 42/5

procedure Iterate (Container : in Tree; Process : not null access procedure (Position : in Cursor)) with Allows_Exit; 43/5

procedure Iterate_Subtree (Position : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 43.1/5

procedure Iterate_Subtree (Container : in Tree; Position : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error); 44/5

function Iterate (Container : in Tree) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container); 45/5

function Iterate_Subtree (Position : in Cursor) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all; 45.1/5

function Iterate_Subtree (Container : in Tree; Position : in Cursor) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 46/5

function Child_Count (Parent : Cursor) return Count_Type with Post => (if Parent = No_Element then Child_Count'Result = 0), with Nonblocking, Global => in all, Use_Formal => null; 46.1/5

function Child_Count (Container : Tree; Parent : Cursor) return Count_Type with Pre => Meaningful_For (Container, Parent) or else raise Program_Error, Post => (if Parent = No_Element then Child_Count'Result = 0), Nonblocking, Global => null, Use_Formal => null; 47/5

function Child_Depth (Parent, Child : Cursor) return Count_Type with Pre => (Parent = No_Element and then Child = No_Element) or else raise Constraint_Error, with Nonblocking, Global => in all, Use_Formal => null; 47.1/5

function Child_Depth (Container : Tree; Parent, Child : Cursor) return Count_Type with Pre => ((Parent = No_Element and then Child = No_Element) or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Child) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => null; 48/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count; 49/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old + Count) and then Has_Element (Container, Position); 50/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old + Count) and then Has_Element (Container, Position); 51/5

procedure Prepend_Child (Container : in out Tree; Parent : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count; 52/5

procedure Append_Child (Container : in out Tree; Parent : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count; 53/5

procedure Delete_Children (Container : in out Tree; Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old - Child_Count (Container, Parent)'Old) and then Child_Count (Container, Parent) = 0; 54/5

procedure Copy_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (not Is_Root (Source) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Source), Global => in all; 54.1/5

procedure Copy_Local_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (Meaningful_For (Target, Source) or else raise Program_Error) and then (not Is_Root (Source) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Target, Source); 54.2/5

procedure Copy_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Tree; Subtree : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (Meaningful_For (Source, Subtree) or else raise Program_Error) and then (not Is_Root (Source, Subtree) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Source, Subtree); 55/5

procedure Splice_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) /= Parent or else raise Constraint_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Source, Position) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Position = Before or else Is_Ancestor_Of (Target, Position, Parent) or else raise Constraint_Error), Post => (declare Org_Sub_Count renames Subtree_Node_Count (Source, Position)'Old; Org_Target_Count renames Node_Count (Target)'Old; begin (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Org_Target_Count + Org_Sub_Count and then Node_Count (Source) = Node_Count (Source)'Old - Org_Sub_Count and then Has_Element (Target, Position) else Target.Parent (Position) = Parent and then Node_Count (Target) = Org_Target_Count)); 56/5

procedure Splice_Subtree (Container: in out Tree; Parent : in Cursor; Before : in Cursor; Position : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) /= Parent or else raise Constraint_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Position = Before or else Is_Ancestor_Of (Container, Position, Parent) or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old and then Container.Parent (Position) = Parent); 57/5

procedure Splice_Children (Target : in out Tree; Target_Parent : in Cursor; Before : in Cursor; Source : in out Tree; Source_Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Target_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Target_Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Source_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Source, Source_Parent) or else raise Program_Error) and then (Before = No_Element or else Parent (Target, Before) /= Target_Parent or else raise Constraint_Error) and then (Target'Has_Same_Storage (Source) or else Target_Parent = Source_Parent or else Is_Ancestor_Of (Target, Source_Parent, Target_Parent) or else raise Constraint_Error), Post => (declare Org_Child_Count renames Child_Count (Source, Source_Parent)'Old; Org_Target_Count renames Node_Count (Target)'Old; begin (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Org_Target_Count + Org_Child_Count and then Node_Count (Source) = Node_Count (Source)'Old - Org_Child_Count else Node_Count (Target) = Org_Target_Count)); 58/5

procedure Splice_Children (Container : in out Tree; Target_Parent : in Cursor; Before : in Cursor; Source_Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Target_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Target_Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Source_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Source_Parent) or else raise Program_Error) and then (Before = No_Element or else Parent (Container, Before) /= Target_Parent or else raise Constraint_Error) and then (Target_Parent = Source_Parent or else Is_Ancestor_Of (Container, Source_Parent, Target_Parent) or else raise Constraint_Error), Post => Node_Count (Container) = Node_Count (Container)'Old; 59/5

function Parent (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element or else Is_Root (Position) then Parent'Result = No_Element); 59.1/5

function Parent (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position = No_Element or else Is_Root (Container, Position) then Parent'Result = No_Element else Has_Element (Container, Parent'Result)); 60/5

function First_Child (Parent : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Pre => Parent /= No_Element or else raise Constraint_Error; 60.1/5

function First_Child (Container : Tree; Parent : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => First_Child'Result = No_Element or else Has_Element (Container, First_Child'Result); 61/5

function First_Child_Element (Parent : Cursor) return Element_Type with Nonblocking, Global => in all, Use_Formal => Element_Type, Pre => (Parent /= No_Element and then Last_Child (Parent) /= No_Element) or else raise Constraint_Error; 61.1/5

function First_Child_Element (Container : Tree; Parent : Cursor) return Element_Type with Nonblocking, Global => null, Use_Formal => Element_Type, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (First_Child (Container, Parent) /= No_Element or else raise Constraint_Error); 62/5

function Last_Child (Parent : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Pre => Parent /= No_Element or else raise Constraint_Error; 62.1/5

function Last_Child (Container : Tree; Parent : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Last_Child'Result = No_Element or else Has_Element (Container, Last_Child'Result); 63/5

function Last_Child_Element (Parent : Cursor) return Element_Type with Nonblocking, Global => in all, Use_Formal => Element_Type, Pre => (Parent /= No_Element and then Last_Child (Parent) /= No_Element) or else raise Constraint_Error; 63.1/5

function Last_Child_Element (Container : Tree; Parent : Cursor) return Element_Type with Nonblocking, Global => null, Use_Formal => Element_Type, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Last_Child (Container, Parent) /= No_Element or else raise Constraint_Error); 64/5

function Next_Sibling (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next_Sibling'Result = No_Element); 64.1/5

function Next_Sibling (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Next_Sibling'Result = No_Element then Position = No_Element or else Is_Root (Container, Position) or else Last_Child (Container, Parent (Container, Position)) = Position else Has_Element (Container, Next_Sibling'Result)); 65/5

procedure Next_Sibling (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 65.1/5

procedure Next_Sibling (Container : in Tree; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 66/5

function Previous_Sibling (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous_Sibling'Result = No_Element); 66.1/5

function Previous_Sibling (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Previous_Sibling'Result = No_Element then Position = No_Element or else Is_Root (Container, Position) or else First_Child (Container, Parent (Container, Position)) = Position else Has_Element (Container, Previous_Sibling'Result)); 67/5

procedure Previous_Sibling (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null; 67.1/5

procedure Previous_Sibling (Container : in Tree; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position)); 68/5

procedure Iterate_Children (Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Parent /= No_Element or else raise Constraint_Error, Global => in all, Use_Formal => null; 68.1/5

procedure Iterate_Children (Container : in Tree; Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error); 69/5

procedure Reverse_Iterate_Children (Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Parent /= No_Element or else raise Constraint_Error, Global => in all, Use_Formal => null; 69.1/5

procedure Reverse_Iterate_Children (Container : in Tree; Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error); 70/5

function Iterate_Children (Container : in Tree; Parent : in Cursor) return Tree_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container); 70.1/5

package Stable is 70.2/5

type Tree (Base : not null access Multiway_Trees.Tree) is tagged limited private with Constant_Indexing => Constant_Reference, Variable_Indexing => Reference, Default_Iterator => Iterate, Iterator_Element => Element_Type, Stable_Properties => (Node_Count), Global => null, Default_Initial_Condition => Node_Count (Tree) = 1, Preelaborable_Initialization; 70.3/5

type Cursor is private with Preelaborable_Initialization; 70.4/5

Empty_Tree : constant Tree; 70.5/5

No_Element : constant Cursor; 70.6/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null; 70.7/5

package Tree_Iterator_Interfaces is new Ada.Iterator_Interfaces (Cursor, Has_Element); 70.8/5

procedure Assign (Target : in out Multiway_Trees.Tree; Source : in Tree) with Post => Node_Count (Source) = Node_Count (Target); 70.9/5

function Copy (Source : Multiway_Trees.Tree) return Tree with Post => Node_Count (Copy'Result) = Node_Count (Source); 70.10/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Default_Initial_Condition => (raise Program_Error); 70.11/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => null, Default_Initial_Condition => (raise Program_Error); 70.12/5

-- Additional subprograms as described in the text -- are declared here. 70.13/5

private 70.14/5

... -- not specified by the language 70.15/5

end Stable; 71/3 private ... -- not specified by the language end Ada.Containers.Multiway_Trees;

72/3

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the functions Find, Reverse_Find, Equal_Subtree, and "=" on tree values return an unspecified value. The exact arguments and number of calls of this generic formal function by the functions Find, Reverse_Find, Equal_Subtree, and "=" on tree values are unspecified.

73/3

The type Tree is used to represent trees. The type Tree needs finalization (see 7.6).

74/3

Empty_Tree represents the empty Tree object. It contains only the root node (Node_Count (Empty_Tree) returns 1). If an object of type Tree is not otherwise initialized, it is initialized to the same value as Empty_Tree.

75/3

No_Element represents a cursor that designates no element. If an object of type Cursor is not otherwise initialized, it is initialized to the same value as No_Element.

76/5

The primitive "=" operator for type Cursor returns True if both cursors are No_Element, or designate the same element in the same container.

76.a/5

To be honest: “The primitive "=" operator” is the one with two parameters of type Cursor which returns Boolean. We're not talking about some other (hidden) primitive function named "=".

77/3

Execution of the default implementation of the Input, Output, Read, or Write attribute of type Cursor raises Program_Error.

78/5

Tree'Write for a Tree object T writes Node_Count(T) - 1 elements of the tree to the stream. It may also write additional information about the tree.

79/3

Tree'Read reads the representation of a tree from the stream, and assigns to Item a tree with the same elements and structure as was written by Tree'Write.

79.a/3
ramification

Streaming more elements than the container holds is wrong. For implementation implications of this rule, see the Implementation Note in A.18.2.

80/5

[Some operations check for “tampering with cursors” of a container because they depend on the set of elements of the container remaining constant, and others check for “tampering with elements” of a container because they depend on elements of the container not being replaced.] When tampering with cursors is prohibited for a particular tree object T, Program_Error is propagated by the finalization of T[, as well as by a call that passes T to certain of the operations of this package, as indicated by the precondition of such an operation]. Similarly, when tampering with elements is prohibited for T, Program_Error is propagated by a call that passes T to certain of the other operations of this package, as indicated by the precondition of such an operation.

Paragraphs 81 through 90 are removed as preconditions now describe these rules.

85.a.1/3
ramification

We don't need to explicitly mention assignment_statement, because that finalizes the target object as part of the operation, and finalization of an object is already defined as tampering with cursors.

91/5

function Has_Element (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

92/3

Returns True if Position designates an element, and returns False otherwise. [In particular, Has_Element returns False if the cursor designates a root node or equals No_Element.]

92.a/3

To be honest: This function might not detect cursors that designate deleted elements; such cursors are invalid (see below) and the result of calling Has_Element with an invalid cursor is unspecified (but not erroneous).

92.1/5

function Has_Element (Container : Tree; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

92.2/5

Returns True if Position designates an element in Container, and returns False otherwise. [In particular, Has_Element returns False if the cursor designates a root node or equals No_Element.]

93/3

function Equal_Subtree (Left_Position : Cursor; Right_Position: Cursor) return Boolean;

94/3

If Left_Position or Right_Position equals No_Element, propagates Constraint_Error. If the number of child nodes of the element designated by Left_Position is different from the number of child nodes of the element designated by Right_Position, the function returns False. If Left_Position designates a root node and Right_Position does not, the function returns False. If Right_Position designates a root node and Left_Position does not, the function returns False. Unless both cursors designate a root node, the elements are compared using the generic formal equality operator. If the result of the element comparison is False, the function returns False. Otherwise, it calls Equal_Subtree on a cursor designating each child element of the element designated by Left_Position and a cursor designating the corresponding child element of the element designated by Right_Position. If any such call returns False, the function returns False; otherwise, it returns True. Any exception raised during the evaluation of element equality is propagated.

94.a/3
ramification

Left_Position and Right_Position do not need to be from the same tree.

94.b/3
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified for all of the operations that use it in this package, so an implementation can call it as many or as few times as it needs to get the correct answer. Similarly, a global rule (see the introduction of Annex A) says that language-defined routines are not affected by overriding of other language-defined routines. This means that no reasonable program can tell how many times Equal_Subtree is called, and thus an implementation can call it as many or as few times as it needs to get the correct answer. Specifically, there is no requirement to call the formal equality or Equal_Subtree additional times once the answer has been determined.

95/3

function "=" (Left, Right : Tree) return Boolean;

96/3

If Left and Right denote the same tree object, then the function returns True. Otherwise, it calls Equal_Subtree with cursors designating the root nodes of Left and Right; the result is returned. Any exception raised during the evaluation of Equal_Subtree is propagated.

96.a/3
implementation note

Similar considerations apply here as apply to Equal_Subtree. The actual number of calls performed is unspecified.

96.1/5

function Tampering_With_Cursors_Prohibited (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null;

96.2/5

Returns True if tampering with cursors or tampering with elements is currently prohibited for Container, and returns False otherwise.

96.b/5
reason

Prohibiting tampering with elements also needs to prohibit tampering with cursors, as deleting an element is similar to replacing it.

96.c/5
implementation note

Various contracts elsewhere in this specification require that this function be implemented with synchronized data. Moreover, it is possible for tampering to be prohibited by multiple operations (sequentially or in parallel). Therefore, tampering needs to be implemented with an atomic or protected counter. The counter is initialized to zero, and is incremented when tampering is prohibited, and decremented when leaving an area that prohibited tampering. Function Tampering_With_Cursors_Prohibited returns True if the counter is nonzero. (Note that any case where the result is not well-defined for one task is incorrect use of shared variables and would be erroneous by the rules of 9.10, so no special protection is needed to read the counter.)

96.3/5

function Tampering_With_Elements_Prohibited (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null;

96.4/5

Always returns False[, regardless of whether tampering with elements is prohibited].

96.d/5
reason

A definite element cannot change size, so we allow operations that tamper with elements even when tampering with elements is prohibited. That's not true for the indefinite containers, which is why this kind of tampering exists.

96.5/5

function Is_Empty (Container : Tree) return Boolean with Nonblocking, Global => null, Use_Formal => null, Post => Is_Empty'Result = (Node_Count (Container) = 1);

96.6/5

Returns True if Container is empty.

96.e/5
ramification

An empty tree contains just the root node.

97/5

function Node_Count (Container : Tree) return Count_Type with Nonblocking, Global => null, Use_Formal => null;

98/3

Node_Count returns the number of nodes in Container.

98.a/3
ramification

Since all tree objects have a root node, this can never return a value of 0. Node_Count (Some_Tree) should always equal Subtree_Node_Count (Root (Some_Tree)).

99/5

function Subtree_Node_Count (Position : Cursor) return Count_Type with Nonblocking, Global => in all, Use_Formal => null);

100/3

If Position is No_Element, Subtree_Node_Count returns 0; otherwise, Subtree_Node_Count returns the number of nodes in the subtree that is rooted by Position.

101/5

function Subtree_Node_Count (Container : Tree; Position : Cursor) return Count_Type with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null;

102/5

If Position is No_Element, Subtree_Node_Count returns 0; otherwise, Subtree_Node_Count returns the number of nodes in the subtree of Container that is rooted by Position.

102.a/5
This paragraph was deleted.
102.b/5
reason

We raise Program_Error if Position belongs to some other container because we have promised to read only the container passed to this function. Determining the answer requires reading the container that Position belongs to, which we've promised not to do if it is not Container. We don't make this check for functions like Has_Element and Is_Root which do not require reading another container to determine the answer, but we do make it for most functions.

103/5

function Depth (Position : Cursor) return Count_Type with Nonblocking, Global => in all, Use_Formal => null;

104/3

If Position equals No_Element, Depth returns 0; otherwise, Depth returns the number of ancestor nodes of the node designated by Position (including the node itself).

104.a/3
ramification

Depth (Root (Some_Tree)) = 1.

104.1/5

function Depth (Container : Tree; Position : Cursor) return Count_Type with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null;

104.2/5

If Position equals No_Element, Depth returns 0; otherwise, Depth returns the number of ancestor nodes of the node of Container designated by Position (including the node itself).

105/5

function Is_Root (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

106/3

Is_Root returns True if the Position designates the root node of some tree; and returns False otherwise.

106.1/5

function Is_Root (Container : Tree; Position : Cursor) return Boolean with Nonblocking, Global => null, Use_Formal => null;

106.2/5

Is_Root returns True if the Position designates the root node of Container; and returns False otherwise.

106.a/5
ramification

The two parameter Is_Root returns False even if Position is the root of some other tree than Container.

107/5

function Is_Leaf (Position : Cursor) return Boolean with Nonblocking, Global => in all, Use_Formal => null;

108/3

Is_Leaf returns True if Position designates a node that does not have any child nodes; and returns False otherwise.

108.a/3
ramification

Is_Leaf returns False if passed No_Element, since No_Element does not designate a node. Is_Leaf can be passed a cursor that designates the root node; Is_Leaf will return True if passed the root node of an empty tree.

108.1/5

function Is_Leaf (Container : Tree; Position : Cursor) return Boolean with Pre => Meaningful_For (Container, Position) or else raise Program_Error, Nonblocking, Global => null, Use_Formal => null;

108.2/5

Is_Leaf returns True if Position designates a node in Container that does not have any child nodes; and returns False otherwise.

108.3/5

function Is_Ancestor_Of (Container : Tree; Parent : Cursor; Position : Cursor) return Boolean with Pre => (Meaningful_For (Container, Position) or else raise Program_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => null;

108.4/5

Is_Ancestor_Of returns True if Parent designates an ancestor node of Position (including Position itself), and returns False otherwise.

109/5

function Root (Container : Tree) return Cursor with Nonblocking, Global => null, Use_Formal => null, Post => Root'Result /= No_Element and then not Has_Element (Container, Root'Result);

110/3

Root returns a cursor that designates the root node of Container.

110.a/3
ramification

There is always a root node, even in an empty container, so this function never returns No_Element.

111/5

procedure Clear (Container : in out Tree) with Pre => not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error, Post => Node_Count (Container) = 1;

112/3

Removes all the elements from Container.

112.a/3
ramification

The root node is not removed; all trees have a root node.

113/5

function Element (Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Position) or else raise Program_Error), Nonblocking, Global => in all, Use_Formal => Element_Type;

114/5

Element returns the element designated by Position.

114.a/3
ramification

The root node does not contain an element, so that value cannot be read or written.

114.1/5

function Element (Container : Tree; Position : Cursor) return Element_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => Element_Type;

114.2/5

Element returns the element designated by Position in Container.

115/5

procedure Replace_Element (Container : in out Tree; Position : in Cursor; New_item : in Element_Type) with Pre => (not Tampering_With_Elements_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

116/5

Replace_Element assigns the value New_Item to the element designated by Position. For the purposes of determining whether the parameters overlap in a call to Replace_Element, the Container parameter is not considered to overlap with any object [(including itself)].

117/5

procedure Query_Element (Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Position) or else raise Program_Error), Global => in all;

118/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of the tree that contains the element designated by Position is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

118.1/5

procedure Query_Element (Container : in Tree; Position : in Cursor; Process : not null access procedure (Element : in Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

118.2/5

Query_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

119/5

procedure Update_Element (Container : in out Tree; Position : in Cursor; Process : not null access procedure (Element : in out Element_Type)) with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error);

120/5

Update_Element calls Process.all with the element designated by Position as the argument. Tampering with the elements of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

121/3

If Element_Type is unconstrained and definite, then the actual Element parameter of Process.all shall be unconstrained.

121.a/3
ramification

This means that the elements cannot be directly allocated from the heap; it must be possible to change the discriminants of the element in place.

122/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 123/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

124/3

The types Constant_Reference_Type and Reference_Type need finalization.

125/5

This paragraph was deleted.

125.a/3
reason

It is expected that Reference_Type (and Constant_Reference_Type) will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

126/5

function Constant_Reference (Container : aliased in Tree; Position : in Cursor) return Constant_Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

127/3

This function (combined with the Constant_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read access to an individual element of a tree given a cursor.

128/5

Constant_Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

129/5

function Reference (Container : aliased in out Tree; Position : in Cursor) return Reference_Type with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

130/3

This function (combined with the Variable_Indexing and Implicit_Dereference aspects) provides a convenient way to gain read and write access to an individual element of a tree given a cursor.

131/5

Reference returns an object whose discriminant is an access value that designates the element designated by Position. Tampering with the elements of Container is prohibited while the object returned by Reference exists and has not been finalized.

132/5

procedure Assign (Target : in out Tree; Source : in Tree) with Pre => not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error, Post => Node_Count (Source) = Node_Count (Target);

133/3

If Target denotes the same object as Source, the operation has no effect. Otherwise, the elements of Source are copied to Target as for an assignment_statement assigning Source to Target.

133.a/3
ramification

Each element in Target has a parent element that corresponds to the parent element of the Source element, and has child elements that correspond to the child elements of the Source element.

133.b/3
discussion

This routine exists for compatibility with the bounded tree container. For an unbounded tree, Assign(A, B) and A := B behave identically. For a bounded tree, := will raise an exception if the container capacities are different, while Assign will not raise an exception if there is enough room in the target.

134/5

function Copy (Source : Tree) return Tree with Post => Node_Count (Copy'Result) = Node_Count (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result);

135/3

Returns a tree with the same structure as Source and whose elements are initialized from the corresponding elements of Source.

136/5

procedure Move (Target : in out Tree; Source : in out Tree) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Node_Count (Source'Old) and then Node_Count (Source) = 1);

137/3

If Target denotes the same object as Source, then the operation has no effect. Otherwise, Move first calls Clear (Target). Then, the nodes other than the root node in Source are moved to Target (in the same positions). After Move completes, Node_Count (Target) is the number of nodes originally in Source, and Node_Count (Source) is 1.

138/5

procedure Delete_Leaf (Container : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Is_Leaf (Container, Position) or else raise Constraint_Error), Post => Node_Count (Container)'Old = Node_Count (Container) + 1 and then Position = No_Element;

139/5

Delete_Leaf removes (from Container) the element designated by Position, and Position is set to No_Element.

139.a/3
ramification

The check on Position checks that the cursor does not belong to some other Container. This check implies that a reference to the container is included in the cursor value. This wording is not meant to require detection of dangling cursors; such cursors are defined to be invalid, which means that execution is erroneous, and any result is allowed (including not raising an exception).

139.b/3

The root node cannot be deleted.

140/5

procedure Delete_Subtree (Container : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error), Post => Node_Count (Container)'Old = Node_Count (Container) + Subtree_Node_Count (Container, Position)'Old and then Position = No_Element;

141/5

Delete_Subtree removes (from Container) the subtree designated by Position (that is, all descendants of the node designated by Position including the node itself), and Position is set to No_Element.

141.a/3
ramification

The root node cannot be deleted. To delete the entire contents of the tree, call Clear(Container).

142/5

procedure Swap (Container : in out Tree; I, J : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (I /= No_Element or else Constraint_Error) and then (J /= No_Element or else Constraint_Error) and then (Has_Element (Container, I) or else raise Program_Error) and then (Has_Element (Container, J) or else raise Program_Error);

143/5

Swap exchanges the values of the elements designated by I and J.

143.a/3
ramification

After a call to Swap, I designates the element value previously designated by J, and J designates the element value previously designated by I. The position of the elements do not change; for instance, the parent node and the first child node of I are unchanged by the operation.

143.b/3

The root nodes do not contain element values, so they cannot be swapped.

143.c/3

To be honest: The implementation is not required to actually copy the elements if it can do the swap some other way. But it is allowed to copy the elements if needed.

144/5

function Find (Container : Tree; Item : Element_Type) return Cursor with Post => (if Find'Result /= No_Element then Has_Element (Container, Find'Result));

145/3

Find searches the elements of Container for an element equal to Item (using the generic formal equality operator). The search starts at the root node. The search traverses the tree in a depth-first order. If no equal element is found, then Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

146/5

function Find_In_Subtree (Position : Cursor; Item : Element_Type) return Cursor with Pre => Position /= No_Element or else raise Constraint_Error, Post => (if Find_In_Subtree'Result = No_Element then Has_Element (Find_In_Subtree'Result)), Global => in all;

147/5

Find_In_Subtree searches the subtree rooted by Position for an element equal to Item (using the generic formal equality operator). The search starts at the element designated by Position. The search traverses the subtree in a depth-first order. If no equal element is found, then Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

147.a/3
ramification

Find_In_Subtree does not check any siblings of the element designated by Position. The root node does not contain an element, and therefore it can never be returned, but it can be explicitly passed to Position.

147.1/5

function Find_In_Subtree (Container : Tree; Position : Cursor; Item : Element_Type) return Cursor with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => (if Find_In_Subtree'Result = No_Element then Has_Element (Container, Find_In_Subtree'Result));

147.2/5

Find_In_Subtree searches the subtree of Container rooted by Position for an element equal to Item (using the generic formal equality operator). The search starts at the element designated by Position. The search traverses the subtree in a depth-first order. If no equal element is found, then Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

148/5

function Ancestor_Find (Position : Cursor; Item : Element_Type) return Cursor with Pre => Position /= No_Element or else raise Constraint_Error, Post => (if Ancestor_Find'Result = No_Element then Has_Element (Container, Ancestor_Find'Result)), Global => in all;

149/5

Ancestor_Find searches for an element equal to Item (using the generic formal equality operator). The search starts at the node designated by Position, and checks each ancestor proceeding toward the root of the subtree. If no equal element is found, then Ancestor_Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

149.a/3
ramification

No_Element is returned if Position is the root node.

149.1/5

function Ancestor_Find (Container : Tree; Position : Cursor; Item : Element_Type) return Cursor with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => (if Ancestor_Find'Result = No_Element then Has_Element (Container, Ancestor_Find'Result));

149.2/5

Ancestor_Find searches for an element equal to Item (using the generic formal equality operator). The search starts at the node designated by Position in Container, and checks each ancestor proceeding toward the root of the subtree. If no equal element is found, then Ancestor_Find returns No_Element. Otherwise, it returns a cursor designating the first equal element encountered.

150/3

function Contains (Container : Tree; Item : Element_Type) return Boolean;

151/3

Equivalent to Find (Container, Item) /= No_Element.

152/5

procedure Iterate (Container : in Tree; Process : not null access procedure (Position : in Cursor)) with Allows_Exit;

153/4

Iterate calls Process.all with a cursor that designates each element in Container, starting from the root node and proceeding in a depth-first order. Tampering with the cursors of Container is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

153.a/3
ramification

Process is not called with the root node, which does not have an associated element.

153.b/3
implementation note

The purpose of the tamper with cursors check is to prevent erroneous execution from the Position parameter of Process.all becoming invalid. This check takes place when the operations that tamper with the cursors of the container are called. The check cannot be made later (say in the body of Iterate), because that could cause the Position cursor to be invalid and potentially cause execution to become erroneous — defeating the purpose of the check.

153.c/3

See Iterate for vectors (A.18.2) for a suggested implementation of the check.

154/5

procedure Iterate_Subtree (Position : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

155/5

Iterate_Subtree calls Process.all with a cursor that designates each element in the subtree rooted by the node designated by Position, starting from the node designated by Position and proceeding in a depth-first order. Tampering with the cursors of the tree that contains the element designated by Position is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

155.a/3
ramification

Position can be passed a cursor designating the root node; in that case, Process is not called with the root node, which does not have an associated element.

155.1/5

procedure Iterate_Subtree (Container : in Tree; Position : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error);

155.2/5

Iterate_Subtree calls Process.all with a cursor that designates each element in the subtree rooted by the node designated by Position in Container, starting from the node designated by Position and proceeding in a depth-first order. Tampering with the cursors of the tree that contains the element designated by Position is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

156/5

function Iterate (Container : in Tree) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Post => Tampering_With_Cursors_Prohibited (Container);

157/5

Iterate returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in Container, starting from the root node and proceeding in a depth-first order when used as a forward iterator, and processing all nodes concurrently when used as a parallel iterator. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

157.a/3
discussion

Exits are allowed from the loops created using the iterator objects. In particular, to stop the iteration at a particular cursor, just add

157.b/3

exit when Cur = Stop;

157.c/3

in the body of the loop (assuming that Cur is the loop parameter and Stop is the cursor that you want to stop at).

158/5

function Iterate_Subtree (Position : in Cursor) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Pre => Position /= No_Element or else raise Constraint_Error, Global => in all;

159/5

Iterate_Subtree returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in the subtree rooted by the node designated by Position, starting from the node designated by Position and proceeding in a depth-first order when used as a forward iterator, and processing all nodes in the subtree concurrently when used as a parallel iterator. Tampering with the cursors of the container that contains the node designated by Position is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

159.1/5

function Iterate_Subtree (Container : in Tree; Position : in Cursor) return Tree_Iterator_Interfaces.Parallel_Iterator'Class with Pre => (Position /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Position) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

159.2/5

Iterate_Subtree returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each element in the subtree rooted by the node designated by Position in Container, starting from the node designated by Position and proceeding in a depth-first order when used as a forward iterator, and processing all nodes in the subtree concurrently when used as a parallel iterator. Tampering with the cursors of the container that contains the node designated by Position is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

160/5

function Child_Count (Parent : Cursor) return Count_Type with Post => (if Parent = No_Element then Child_Count'Result = 0), Nonblocking, Global => in all, Use_Formal => null;

161/3

Child_Count returns the number of child nodes of the node designated by Parent.

161.1/5

function Child_Count (Container : Tree; Parent : Cursor) return Count_Type with Pre => Meaningful_For (Container, Parent) or else raise Program_Error, Post => (if Parent = No_Element then Child_Count'Result = 0), Nonblocking, Global => null, Use_Formal => null;

161.2/5

Child_Count returns the number of child nodes of the node designated by Parent in Container.

162/5

function Child_Depth (Parent, Child : Cursor) return Count_Type with Pre => (Parent /= No_Element and then Child /= No_Element) or else raise Constraint_Error, Nonblocking, Global => in all, Use_Formal => null;

163/5

Child_Depth returns the number of ancestor nodes of Child (including Child itself), up to but not including Parent; Program_Error is propagated if Parent is not an ancestor of Child.

163.a/3
ramification

Program_Error is propagated if Parent and Child are nodes in different containers.

163.b/3

Child_Depth (Root (Some_Tree), Child) + 1 = Depth (Child) as the root is not counted.

163.1/5

function Child_Depth (Container : Tree; Parent, Child : Cursor) return Count_Type with Pre => ((Parent /= No_Element and then Child /= No_Element) or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Child) or else raise Program_Error), Nonblocking, Global => null, Use_Formal => null;

163.2/5

Child_Depth returns the number of ancestor nodes of Child within Container (including Child itself), up to but not including Parent; Program_Error is propagated if Parent is not an ancestor of Child.

164/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count;

165/5

Insert_Child allocates Count nodes containing copies of New_Item and inserts them as children of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

166/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; New_Item : in Element_Type; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old + Count) and then Has_Element (Container, Position);

167/5

Insert_Child allocates Count nodes containing copies of New_Item and inserts them as children of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. Position designates the first newly-inserted node, or if Count equals 0, then Position is assigned the value of Before. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

168/5

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) = Parent or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old + Count) and then Has_Element (Container, Position);

169/5

Insert_Child allocates Count nodes, the elements contained in the new nodes are initialized by default (see 3.3.1), and the new nodes are inserted as children of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. Position designates the first newly-inserted node, or if Count equals 0, then Position is assigned the value of Before. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

170/5

procedure Prepend_Child (Container : in out Tree; Parent : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count;

171/3

Equivalent to Insert_Child (Container, Parent, First_Child (Container, Parent), New_Item, Count).

172/5

procedure Append_Child (Container : in out Tree; Parent : in Cursor; New_Item : in Element_Type; Count : in Count_Type := 1) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Node_Count (Container) = Node_Count (Container)'Old + Count;

173/3

Equivalent to Insert_Child (Container, Parent, No_Element, New_Item, Count).

174/5

procedure Delete_Children (Container : in out Tree; Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old - Child_Count (Container, Parent)'Old) and then Child_Count (Container, Parent) = 0;

175/5

Delete_Children removes (from Container) all of the descendants of Parent other than Parent itself.

175.a/3
discussion

This routine deletes all of the child subtrees of Parent at once. Use Delete_Subtree to delete an individual subtree.

176/5

procedure Copy_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (not Is_Root (Source) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Source), Global => in all;

177/5

If Source is equal to No_Element, then the operation has no effect. Otherwise, the subtree rooted by Source (which can be from any tree; it does not have to be a subtree of Target) is copied (new nodes are allocated to create a new subtree with the same structure as the Source subtree, with each element initialized from the corresponding element of the Source subtree) and inserted into Target as a child of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. The parent of the newly created subtree is set to Parent, and the overall count of Target is incremented by Subtree_Node_Count (Source). Any exception raised during allocation of internal storage is propagated, and Container is not modified.

177.a/5
discussion

We only need one routine here, as the source object is not modified, so we can use the same routine for both copying within and between containers. However, that requires a contract that allows reading of any container of the correct type, so we provide two other routines wuth more restrictive contracts.

177.b/3
ramification

We do not allow copying a subtree that includes a root node, as that would require inserting a node with no value in the middle of the target tree. To copy an entire tree to another tree object, use Copy.

177.1/5

procedure Copy_Local_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (Meaningful_For (Target, Source) or else raise Program_Error) and then (not Is_Root (Source) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Target, Source);

177.2/5

If Source is equal to No_Element, then the operation has no effect. Otherwise, the subtree rooted by Source in Target is copied (new nodes are allocated to create a new subtree with the same structure as the Source subtree, with each element initialized from the corresponding element of the Source subtree) and inserted into Target as a child of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. The parent of the newly created subtree is set to Parent. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

177.3/5

procedure Copy_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in Tree; Subtree : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) = Parent or else raise Constraint_Error) and then (Meaningful_For (Source, Subtree) or else raise Program_Error) and then (not Is_Root (Source, Subtree) or else raise Constraint_Error), Post => Node_Count (Target) = Node_Count (Target)'Old + Subtree_Node_Count (Source, Subtree);

177.4/5

If Subtree is equal to No_Element, then the operation has no effect. Otherwise, the subtree rooted by Subtree in Source is copied (new nodes are allocated to create a new subtree with the same structure as the Subtree, with each element initialized from the corresponding element of the Subtree) and inserted into Target as a child of Parent. If Parent already has child nodes, then the new nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the new nodes are inserted after the last existing child node of Parent. The parent of the newly created subtree is set to Parent. Any exception raised during allocation of internal storage is propagated, and Container is not modified.

178/5

procedure Splice_Subtree (Target : in out Tree; Parent : in Cursor; Before : in Cursor; Source : in out Tree; Position : in out Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Before = No_Element or else Target.Parent (Before) /= Parent or else raise Constraint_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Source, Position) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Position = Before or else Is_Ancestor_Of (Target, Position, Parent) or else raise Constraint_Error), Post => (declare Org_Sub_Count renames Subtree_Node_Count (Source, Position)'Old; Org_Target_Count renames Node_Count (Target)'Old; begin (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Org_Target_Count + Org_Sub_Count and then Node_Count (Source) = Node_Count (Source)'Old - Org_Sub_Count and then Has_Element (Target, Position) else Target.Parent (Position) = Parent and then Node_Count (Target) = Org_Target_Count));

179/5

If Source denotes the same object as Target, then: if Position equals Before there is no effect; otherwise, the subtree rooted by the element designated by Position is moved to be a child of Parent. If Parent already has child nodes, then the moved nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved nodes are inserted after the last existing child node of Parent. In each of these cases, Position and the count of Target are unchanged, and the parent of the element designated by Position is set to Parent.

179.a/3
reason

We can't allow moving the subtree of Position to a proper descendant node of the subtree, as the descendant node will be part of the subtree being moved. The result would be a circularly linked tree, or one with inaccessible nodes. Thus we have to check Position against Parent, even though such a check is O(Depth(Source)).

180/3

Otherwise (if Source does not denote the same object as Target), the subtree designated by Position is removed from Source and moved to Target. The subtree is inserted as a child of Parent. If Parent already has child nodes, then the moved nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved nodes are inserted after the last existing child node of Parent. In each of these cases, the count of Target is incremented by Subtree_Node_Count (Position), and the count of Source is decremented by Subtree_Node_Count (Position), Position is updated to represent an element in Target.

180.a/3
ramification

If Source is the same as Target, and Position = Before, or Next_Sibling(Position) = Before, Splice_Subtree has no effect, as the subtree does not have to move to meet the postcondition.

180.b/3

We do not allow splicing a subtree that includes a root node, as that would require inserting a node with no value in the middle of the target tree. Splice the children of the root node instead.

180.c/3

For this reason there is no operation to splice an entire tree, as that would necessarily involve splicing a root node.

181/5

procedure Splice_Subtree (Container: in out Tree; Parent : in Cursor; Before : in Cursor; Position : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Before = No_Element or else Container.Parent (Before) /= Parent or else raise Constraint_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Container, Position) or else raise Program_Error) and then (Position = Before or else Is_Ancestor_Of (Container, Position, Parent) or else raise Constraint_Error), Post => (Node_Count (Container) = Node_Count (Container)'Old and then Container.Parent (Position) = Parent);

182/5

If Position equals Before, there is no effect. Otherwise, the subtree rooted by the element designated by Position is moved to be a child of Parent. If Parent already has child nodes, then the moved nodes are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved nodes are inserted after the last existing child node of Parent. The parent of the element designated by Position is set to Parent.

182.a/3
reason

We can't allow moving the subtree of Position to a proper descendant node of the subtree, as the descendant node will be part of the subtree being moved.

183/5

procedure Splice_Children (Target : in out Tree; Target_Parent : in Cursor; Before : in Cursor; Source : in out Tree; Source_Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Target_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Target, Target_Parent) or else raise Program_Error) and then (Meaningful_For (Target, Before) or else raise Program_Error) and then (Source_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Source, Source_Parent) or else raise Program_Error) and then (Before = No_Element or else Parent (Target, Before) /= Target_Parent or else raise Constraint_Error) and then (Target'Has_Same_Storage (Source) or else Target_Parent = Source_Parent or else Is_Ancestor_Of (Target, Source_Parent, Target_Parent) or else raise Constraint_Error), Post => (declare Org_Child_Count renames Child_Count (Source, Source_Parent)'Old; Org_Target_Count renames Node_Count (Target)'Old; begin (if not Target'Has_Same_Storage (Source) then Node_Count (Target) = Org_Target_Count + Org_Child_Count and then Node_Count (Source) = Node_Count (Source)'Old - Org_Child_Count else Node_Count (Target) = Org_Target_Count));

184/5

This paragraph was deleted.

185/3

If Source denotes the same object as Target, then:

186/3
  • if Target_Parent equals Source_Parent there is no effect; else
  • 187/5
  • This paragraph was deleted.
  • 188/3
  • the child elements (and the further descendants) of Source_Parent are moved to be child elements of Target_Parent. If Target_Parent already has child elements, then the moved elements are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved elements are inserted after the last existing child node of Target_Parent. The parent of each moved child element is set to Target_Parent.
188.a/3
reason

We can't allow moving the children of Source_Parent to a proper descendant node, as the descendant node will be part of one of the subtrees being moved.

189/3

Otherwise (if Source does not denote the same object as Target), the child elements (and the further descendants) of Source_Parent are removed from Source and moved to Target. The child elements are inserted as children of Target_Parent. If Target_Parent already has child elements, then the moved elements are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved elements are inserted after the last existing child node of Target_Parent. In each of these cases, the overall count of Target is incremented by Subtree_Node_Count (Source_Parent)-1, and the overall count of Source is decremented by Subtree_Node_Count (Source_Parent)-1.

189.a/3
ramification

The node designated by Source_Parent is not moved, thus we never need to update Source_Parent.

189.b/3

Move (Target, Source) could be written Splice_Children (Target, Target.Root, No_Element, Source, Source.Root);

190/5

procedure Splice_Children (Container : in out Tree; Target_Parent : in Cursor; Before : in Cursor; Source_Parent : in Cursor) with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Target_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Target_Parent) or else raise Program_Error) and then (Meaningful_For (Container, Before) or else raise Program_Error) and then (Source_Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Source_Parent) or else raise Program_Error) and then (Before = No_Element or else Parent (Container, Before) /= Target_Parent or else raise Constraint_Error) and then (Target_Parent = Source_Parent or else Is_Ancestor_Of (Container, Source_Parent, Target_Parent) or else raise Constraint_Error), Post => Node_Count (Container) = Node_Count (Container)'Old;

191/5

If Target_Parent equals Source_Parent there is no effect. Otherwise, the child elements (and the further descendants) of Source_Parent are moved to be child elements of Target_Parent. If Target_Parent already has child elements, then the moved elements are inserted prior to the node designated by Before, or, if Before equals No_Element, the moved elements are inserted after the last existing child node of Target_Parent. The parent of each moved child element is set to Target_Parent.

192/5

function Parent (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element or else Is_Root (Position) then Parent'Result = No_Element);

193/5

Returns a cursor designating the parent node of the node designated by Position.

193.1/5

function Parent (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position = No_Element or else Is_Root (Container, Position) then Parent'Result = No_Element else Has_Element (Container, Parent'Result));

193.2/5

Returns a cursor designating the parent node of the node designated by Position in Container.

194/5

function First_Child (Parent : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Pre => Parent /= No_Element or else raise Constraint_Error;

195/5

First_Child returns a cursor designating the first child node of the node designated by Parent; if there is no such node, No_Element is returned.

195.1/5

function First_Child (Container : Tree; Parent : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => First_Child'Result = No_Element or else Has_Element (Container, First_Child'Result);

195.2/5

First_Child returns a cursor designating the first child node of the node designated by Parent in Container; if there is no such node, No_Element is returned.

196/5

function First_Child_Element (Parent : Cursor) return Element_Type with Nonblocking, Global => in all, Use_Formal => Element_Type, Pre => (Parent /= No_Element and then Last_Child (Parent) /= No_Element) or else raise Constraint_Error;

197/3

Equivalent to Element (First_Child (Parent)).

197.1/5

function First_Child_Element (Container : Tree; Parent : Cursor) return Element_Type with Nonblocking, Global => null, Use_Formal => Element_Type, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (First_Child (Container, Parent) /= No_Element or else raise Constraint_Error);

197.2/5

Equivalent to Element (Container, First_Child (Container, Parent)).

198/5

function Last_Child (Parent : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Pre => Parent /= No_Element or else raise Constraint_Error;

199/5

Last_Child returns a cursor designating the last child node of the node designated by Parent; if there is no such node, No_Element is returned.

199.1/5

function Last_Child (Container : Tree; Parent : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Last_Child'Result = No_Element or else Has_Element (Container, Last_Child'Result);

199.2/5

Last_Child returns a cursor designating the last child node of the node designated by Parent in Container; if there is no such node, No_Element is returned.

200/5

function Last_Child_Element (Parent : Cursor) return Element_Type with Nonblocking, Global => in all, Use_Formal => Element_Type, Pre => (Parent /= No_Element and then Last_Child (Parent) /= No_Element) or else raise Constraint_Error;

201/3

Equivalent to Element (Last_Child (Parent)).

201.1/5

function Last_Child_Element (Container : Tree; Parent : Cursor) return Element_Type with Nonblocking, Global => null, Use_Formal => Element_Type, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error) and then (Last_Child (Container, Parent) /= No_Element or else raise Constraint_Error);

201.2/5

Equivalent to Element (Container, Last_Child (Container, Parent)).

202/5

function Next_Sibling (Position : Cursor) return Cursor with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Next_Sibling'Result = No_Element);

203/3

If Position equals No_Element or designates the last child node of its parent, then Next_Sibling returns the value No_Element. Otherwise, it returns a cursor that designates the successor (with the same parent) of the node designated by Position.

203.1/5

function Next_Sibling (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Next_Sibling'Result = No_Element then Position = No_Element or else Is_Root (Container, Position) or else Last_Child (Container, Parent (Container, Position)) = Position else Has_Element (Container, Next_Sibling'Result));

203.2/5

Next_Sibling returns a cursor that designates the successor (with the same parent) of the node designated by Position in Container.

204/5

function Previous_Sibling (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null, Post => (if Position = No_Element then Previous_Sibling'Result = No_Element);

205/3

If Position equals No_Element or designates the first child node of its parent, then Previous_Sibling returns the value No_Element. Otherwise, it returns a cursor that designates the predecessor (with the same parent) of the node designated by Position.

205.1/5

function Previous_Sibling (Container : Tree; Position : Cursor) return Cursor with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Previous_Sibling'Result = No_Element then Position = No_Element or else Is_Root (Container, Position) or else First_Child (Container, Parent (Container, Position)) = Position else Has_Element (Container, Previous_Sibling'Result));

205.2/5

Previous_Sibling returns a cursor that designates the predecessor (with the same parent) of the node designated by Position in Container.

206/5

procedure Next_Sibling (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

207/3

Equivalent to Position := Next_Sibling (Position);

207.1/5

procedure Next_Sibling (Container : in Tree; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position));

207.2/5

Equivalent to Position := Next_Sibling (Container, Position);

208/5

procedure Previous_Sibling (Position : in out Cursor) with Nonblocking, Global => in all, Use_Formal => null;

209/3

Equivalent to Position := Previous_Sibling (Position);

209.1/5

procedure Previous_Sibling (Container : in Tree; Position : in out Cursor) with Nonblocking, Global => null, Use_Formal => null, Pre => Meaningful_For (Container, Position) or else raise Program_Error, Post => (if Position /= No_Element then Has_Element (Container, Position);

209.2/5

Equivalent to Position := Previous_Sibling (Container, Position);

210/5

procedure Iterate_Children (Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Parent /= No_Element or else raise Constraint_Error, Global => in all, Use_Formal => null;

211/5

This paragraph was deleted.

212/3

Iterate_Children calls Process.all with a cursor that designates each child node of Parent, starting with the first child node and moving the cursor as per the Next_Sibling function.

213/3

Tampering with the cursors of the tree containing Parent is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

213.1/5

procedure Iterate_Children (Container : in Tree; Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error);

213.2/5

Iterate_Children calls Process.all with a cursor that designates each child node of Container and Parent, starting with the first child node and moving the cursor as per the Next_Sibling function.

213.3/5

Tampering with the cursors of the tree containing Parent is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

214/5

procedure Reverse_Iterate_Children (Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => Parent /= No_Element or else raise Constraint_Error, Global => in all, Use_Formal => null;

215/5

This paragraph was deleted.

216/3

Reverse_Iterate_Children calls Process.all with a cursor that designates each child node of Parent, starting with the last child node and moving the cursor as per the Previous_Sibling function.

217/3

Tampering with the cursors of the tree containing Parent is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

217.1/5

procedure Reverse_Iterate_Children (Container : in Tree; Parent : in Cursor; Process : not null access procedure (Position : in Cursor)) with Allows_Exit, Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error);

217.2/5

Reverse_Iterate_Children calls Process.all with a cursor that designates each child node of Container and Parent, starting with the last child node and moving the cursor as per the Previous_Sibling function.

217.3/5

Tampering with the cursors of the tree containing Parent is prohibited during the execution of a call on Process.all. Any exception raised by Process.all is propagated.

218/5

function Iterate_Children (Container : in Tree; Parent : in Cursor) return Tree_Iterator_Interfaces.Parallel_Reversible_Iterator'Class with Pre => (Parent /= No_Element or else raise Constraint_Error) and then (Meaningful_For (Container, Parent) or else raise Program_Error), Post => Tampering_With_Cursors_Prohibited (Container);

219/5

Iterate_Children returns an iterator object (see 5.5.1) that will generate a value for a loop parameter (see 5.5.2) designating each child node of Parent. When used as a forward iterator, the nodes are designated starting with the first child node and moving the cursor as per the function Next_Sibling; when used as a reverse iterator, the nodes are designated starting with the last child node and moving the cursor as per the function Previous_Sibling; when used as a parallel iterator, processing all child nodes concurrently. Tampering with the cursors of Container is prohibited while the iterator object exists (in particular, in the sequence_of_statements of the loop_statement whose iterator_specification denotes this object). The iterator object needs finalization.

219.1/5

The nested package Multiway_Trees.Stable provides a type Stable.Tree that represents a stable tree, which is one that cannot grow and shrink. Such a tree can be created by calling the Copy function, or by establishing a stabilized view of an ordinary tree.

219.2/5

The subprograms of package Containers.Multiway_Trees that have a parameter or result of type tree are included in the nested package Stable with the same specification, except that the following are omitted:

219.3/5

Tampering_With_Cursors_Prohibited, Tampering_With_Elements_Prohibited, Assign, Move, Clear, Delete_Leaf, Insert_Child, Delete_Children, Delete_Subtree, Copy_Subtree, Copy_Local_Subtree, Splice_Subtree, and Splice_Children

219.a.1/5
ramification

The names Tree and Cursor mean the types declared in the nested package in these subprogram specifications.

219.a.2/5
reason

The omitted routines are those that tamper with cursors or elements (or test that state). The model is that it is impossible to tamper with cursors or elements of a stable view since no such operations are included. Thus tampering checks are not needed for a stable view, and we omit the operations associated with those checks.

219.4/5

The operations of this package are equivalent to those for ordinary trees, except that the calls to Tampering_With_Cursors_Prohibited and Tampering_With_Elements_Prohibited that occur in preconditions are replaced by False, and any that occur in postconditions are replaced by True.

219.5/5

If a stable tree is declared with the Base discriminant designating a pre-existing ordinary tree, the stable tree represents a stabilized view of the underlying ordinary tree, and any operation on the stable tree is reflected on the underlying ordinary tree. While a stabilized view exists, any operation that tampers with elements performed on the underlying tree is prohibited. The finalization of a stable tree that provides such a view removes this restriction on the underlying ordinary tree [(though some other restriction can exist due to other concurrent iterations or stabilized views)].

219.6/5

If a stable tree is declared without specifying Base, the object is necessarily initialized. The initializing expression of the stable tree, [typically a call on Copy], determines the Node_Count of the tree. The Node_Count of a stable tree never changes after initialization.

219.a/5
proof

Initialization is required as the type is indefinite, see 3.3.1.

Bounded (Run-Time) Errors

220/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of this package, to tamper with elements of any Tree parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the Tree either prior to, or subsequent to, some or all of the modifications to the Tree.

221/3

It is a bounded error to call any subprogram declared in the visible part of Containers.Multiway_Trees when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

Erroneous Execution

222/3

A Cursor value is invalid if any of the following have occurred since it was created:

223/3
  • The tree that contains the element it designates has been finalized;
  • 224/3
  • The tree that contains the element it designates has been used as the Source or Target of a call to Move;
  • 225/3
  • The tree that contains the element it designates has been used as the Target of a call to Assign or the target of an assignment_statement;
  • 226/3
  • The element it designates has been removed from the tree that previously contained the element.
226.a/3
reason

We talk about which tree the element was removed from in order to handle splicing nodes from one tree to another. The node still exists, but any cursors that designate it in the original tree are now invalid. This bullet covers removals caused by calls to Clear, Delete_Leaf, Delete_Subtree, Delete_Children, Splice_Children, and Splice_Subtree.

227/3

The result of "=" or Has_Element is unspecified if it is called with an invalid cursor parameter. Execution is erroneous if any other subprogram declared in Containers.Multiway_Trees is called with an invalid cursor parameter.

227.a/3
discussion

The list above is intended to be exhaustive. In other cases, a cursor value continues to designate its original element (or the root node). For instance, cursor values survive the insertion and deletion of other nodes.

227.b/3

While it is possible to check for these cases, in many cases the overhead necessary to make the check is substantial in time or space. Implementations are encouraged to check for as many of these cases as possible and raise Program_Error if detected.

228/3

Execution is erroneous if the tree associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

228.a/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

229/3

No storage associated with a multiway tree object shall be lost upon assignment or scope exit.

230/3

The execution of an assignment_statement for a tree shall have the effect of copying the elements from the source tree object to the target tree object and changing the node count of the target object to that of the source object.

230.a/3
implementation note

An assignment of a Tree is a “deep” copy; that is the elements are copied as well the data structures. We say “effect of” in order to allow the implementation to avoid copying elements immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that this implementation would require care, see A.18.2 for more.)

Implementation Advice

231/3

Containers.Multiway_Trees should be implemented similarly to a multiway tree. In particular, if N is the overall number of nodes for a particular tree, then the worst-case time complexity of Element, Parent, First_Child, Last_Child, Next_Sibling, Previous_Sibling, Insert_Child with Count=1, and Delete should be O(log N).

231.a/3
implementation advice

The worst-case time complexity of the Element, Parent, First_Child, Last_Child, Next_Sibling, Previous_Sibling, Insert_Child with Count=1, and Delete operations of Containers.Multiway_Trees should be O(log N).

231.b/3
reason

We do not mean to overly constrain implementation strategies here. However, it is important for portability that the performance of large containers has roughly the same factors on different implementations. If a program is moved to an implementation that takes O(N) time to access elements, that program could be unusable when the trees are large. We allow O(log N) access because the proportionality constant and caching effects are likely to be larger than the log factor, and we don't want to discourage innovative implementations.

232/3

Move should not copy elements, and should minimize copying of internal data structures.

232.a/3
implementation advice

Containers.Multiway_Trees.Move should not copy elements, and should minimize copying of internal data structures.

232.b/3
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures from the Source container to the Target container.

233/3

If an exception is propagated from a tree operation, no storage should be lost, nor any elements removed from a tree unless specified by the operation.

233.a/3
implementation advice

If an exception is propagated from a tree operation, no storage should be lost, nor any elements removed from a tree unless specified by the operation.

233.b/3
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

Extensions to Ada 2005

233.c/3

The generic package Containers.Multiway_Trees is new.

Inconsistencies With Ada 2012

233.d/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for ordinary containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

233.e/5

A number of new subprograms, types, and even a nested package were added to Containers.Multiway_Trees to better support contracts and stable views. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Extensions to Ada 2012

233.f/5
correction

Replace_Element is now defined such that it can be used concurrently so long as it operates on different elements. This allows some container operations to be used in parallel without separate synchronization.

233.g/5

Most iterators can now return parallel iterators, to be used in parallel constructs.

Wording Changes from Ada 2012

233.h/4

Corrigendum: Fixed the function Iterate so it is clear that the root node is never visited.

233.i/4

Corrigendum: The definition of node is clarified so that it it doesn't appear to say all nodes have an element.

233.j/4

Corrigendum: Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

233.k/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.11 The Generic Package Containers.Indefinite_Vectors

1/2

The language-defined generic package Containers.Indefinite_Vectors provides a private type Vector and a set of operations. It provides the same operations as the package Containers.Vectors (see A.18.2), with the difference that the generic formal Element_Type is indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Vectors has the same contents and semantics as Containers.Vectors except:

3/2
  • The generic formal Element_Type is indefinite.
  • 4/2
  • The procedures with the profiles:
5/2

procedure Insert (Container : in out Vector; Before : in Extended_Index; Count : in Count_Type := 1); 6/2 procedure Insert (Container : in out Vector; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1);

7/2
  • are omitted.
7.a/2
discussion

These procedures are omitted because there is no way to create a default-initialized object of an indefinite type. Note that Insert_Space can be used instead of this routine in most cases. Omitting the routine completely allows any problems to be diagnosed by the compiler when converting from a definite to indefinite vector.

8/2
  • The actual Element parameter of access subprogram Process of Update_Element may be constrained even if Element_Type is unconstrained.
  • 9/4
  • The operations "&", Append, Insert, Prepend, Replace_Element, and To_Vector that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
  • 10/5
  • The description of Tampering_With_Elements_Prohibited is replaced by:
11/5

Returns True if tampering with elements is prohibited for Container, and False otherwise.

11.a/5
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem, so Update_Element does not cause a problem.

12/5
  • Tampering_With_Cursors_Prohibited is replaced by Tampering_With_Elements_Prohibited in the postcondition for the operations Reference and Constant_Reference.
  • 13/5
  • The operations Replace_Element, Reverse_Elements, and Swap, and the nested generic unit Generic_Sorting are omitted from the nested package Stable.

Extensions to Ada 95

13.a/2

The generic package Containers.Indefinite_Vectors is new.

Inconsistencies With Ada 2012

13.b/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely, as it would require that the package was not implemented in Ada (an Ada allocator would raise Program_Error in these circumstances), and that a program inserted a more nested tagged type (or access discriminant) into a container, and then used that object before its type or discriminant went out of scope. All known implementations are implemented in Ada, so we believe there is no practical incompatibility. As such, we mention this only for completeness.

13.c/5

Defined the Iterator_View aspect, so that the stable view is used for container element iterators. This means that tampering with elements is prohibited during the entire loop, rather than tampering with cursors being prohibited during the loop, and tampering with elements being prohibited only during the lifetimes of references to the loop parameter. Thus, if a container element iterator does an operation that tampers with elements on the iterated container, that operation will fail a tampering check in Ada 2022 (and thus raise Program_Error), while it would have worked in Ada 2012 so long as the loop parameter is not involved. We believe this to be a dubious loop structure that should be rare. Note that this issue only occurs for the indefinite container form, the ordinary and bounded containers allow such operations at any time in Ada 2022.

A.18.12 The Generic Package Containers.Indefinite_Doubly_Linked_Lists

1/2

The language-defined generic package Containers.Indefinite_Doubly_Linked_Lists provides private types List and Cursor, and a set of operations for each type. It provides the same operations as the package Containers.Doubly_Linked_Lists (see A.18.3), with the difference that the generic formal Element_Type is indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Doubly_Linked_Lists has the same contents and semantics as Containers.Doubly_Linked_Lists except:

3/2
  • The generic formal Element_Type is indefinite.
  • 4/2
  • The procedure with the profile:
5/2

procedure Insert (Container : in out List; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1);

6/2
  • is omitted.
6.a/2
discussion

This procedure is omitted because there is no way to create a default-initialized object of an indefinite type. We considered having this routine insert an empty element similar to the empty elements of a vector, but rejected this possibility because the semantics are fairly complex and very different from the existing definite container. That would make it more error-prone to convert a container from a definite type to an indefinite type; by omitting the routine completely, any problems will be diagnosed by the compiler.

7/2
  • The actual Element parameter of access subprogram Process of Update_Element may be constrained even if Element_Type is unconstrained.
  • 8/4
  • The operations Append, Insert, Prepend, and Replace_Element that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
  • 9/5
  • The description of Tampering_With_Elements_Prohibited is replaced by:
10/5

Returns True if tampering with elements is prohibited for Container, and False otherwise.

10.a/5
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem.

11/5
  • Tampering_With_Cursors_Prohibited is replaced by Tampering_With_Elements_Prohibited in the postcondition for the operations Reference and Constant_Reference.
  • 12/5
  • The operations Replace_Element and Swap are omitted from the nested package Stable.

Extensions to Ada 95

12.a/2

The generic package Containers.Indefinite_Doubly_Linked_Lists is new.

Inconsistencies With Ada 2012

12.b/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

12.c/5

Defined the Iterator_View aspect, so that the stable view is used for container element iterators. This leads to a rare situation where Program_Error will be raised in Ada 2022 for code that would have worked in Ada 2012. See Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.13 The Generic Package Containers.Indefinite_Hashed_Maps

1/2

The language-defined generic package Containers.Indefinite_Hashed_Maps provides a map with the same operations as the package Containers.Hashed_Maps (see A.18.5), with the difference that the generic formal types Key_Type and Element_Type are indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Hashed_Maps has the same contents and semantics as Containers.Hashed_Maps except:

3/2
  • The generic formal Key_Type is indefinite.
  • 4/2
  • The generic formal Element_Type is indefinite.
  • 5/2
  • The procedure with the profile:
6/2

procedure Insert (Container : in out Map; Key : in Key_Type; Position : out Cursor; Inserted : out Boolean);

7/2
  • is omitted.
7.a/2
discussion

This procedure is omitted because there is no way to create a default-initialized object of an indefinite type. We considered having this routine insert an empty element similar to the empty elements of a vector, but rejected this possibility because the semantics are fairly complex and very different from the existing case. That would make it more error-prone to convert a container from a definite type to an indefinite type; by omitting the routine completely, any problems will be diagnosed by the compiler.

8/2
  • The actual Element parameter of access subprogram Process of Update_Element may be constrained even if Element_Type is unconstrained.
  • 9/4
  • The operations Include, Insert, Replace, and Replace_Element that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
9.a/4
discussion

Some of the named operations also have a formal of the indefinite formal type Key_Type and perform indefinite insertion using that value, but it is sufficient to mention the formal of type Element_Type to cover those.

10/5
  • The description of Tampering_With_Elements_Prohibited is replaced by:
11/5

Returns True if tampering with elements is prohibited for Container, and False otherwise.

11.a/5
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem.

12/5
  • Tampering_With_Cursors_Prohibited is replaced by Tampering_With_Elements_Prohibited in the postcondition for the operations Reference and Constant_Reference.
  • 13/5
  • The operations Replace and Replace_Element are omitted from the nested package Stable.

Extensions to Ada 95

13.a/2

The generic package Containers.Indefinite_Hashed_Maps is new.

Inconsistencies With Ada 2012

13.b/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

13.c/5

Defined the Iterator_View aspect, so that the stable view is used for container element iterators. This leads to a rare situation where Program_Error will be raised in Ada 2022 for code that would have worked in Ada 2012. See Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.14 The Generic Package Containers.Indefinite_Ordered_Maps

1/2

The language-defined generic package Containers.Indefinite_Ordered_Maps provides a map with the same operations as the package Containers.Ordered_Maps (see A.18.6), with the difference that the generic formal types Key_Type and Element_Type are indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Ordered_Maps has the same contents and semantics as Containers.Ordered_Maps except:

3/2
  • The generic formal Key_Type is indefinite.
  • 4/2
  • The generic formal Element_Type is indefinite.
  • 5/2
  • The procedure with the profile:
6/2

procedure Insert (Container : in out Map; Key : in Key_Type; Position : out Cursor; Inserted : out Boolean);

7/2
  • is omitted.
7.a/2
discussion

This procedure is omitted because there is no way to create a default-initialized object of an indefinite type. We considered having this routine insert an empty element similar to the empty elements of a vector, but rejected this possibility because the semantics are fairly complex and very different from the existing case. That would make it more error-prone to convert a container from a definite type to an indefinite type; by omitting the routine completely, any problems will be diagnosed by the compiler.

8/2
  • The actual Element parameter of access subprogram Process of Update_Element may be constrained even if Element_Type is unconstrained.
  • 9/4
  • The operations Include, Insert, Replace, and Replace_Element that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
9.a/4
discussion

Some of the named operations also have a formal of the indefinite formal type Key_Type and perform indefinite insertion using that value, but it is sufficient to mention the formal of type Element_Type to cover those.

10/5
  • The description of Tampering_With_Elements_Prohibited is replaced by:
11/5

Returns True if tampering with elements is prohibited for Container, and False otherwise.

11.a/5
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem.

12/5
  • Tampering_With_Cursors_Prohibited is replaced by Tampering_With_Elements_Prohibited in the postcondition for the operations Reference and Constant_Reference.
  • 13/5
  • The operations Replace and Replace_Element are omitted from the nested package Stable.

Extensions to Ada 95

13.a/2

The generic package Containers.Indefinite_Ordered_Maps is new.

Inconsistencies With Ada 2012

13.b/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

13.c/5

Defined the Iterator_View aspect, so that the stable view is used for container element iterators. This leads to a rare situation where Program_Error will be raised in Ada 2022 for code that would have worked in Ada 2012. See Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.15 The Generic Package Containers.Indefinite_Hashed_Sets

1/2

The language-defined generic package Containers.Indefinite_Hashed_Sets provides a set with the same operations as the package Containers.Hashed_Sets (see A.18.8), with the difference that the generic formal type Element_Type is indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Hashed_Sets has the same contents and semantics as Containers.Hashed_Sets except:

3/2
  • The generic formal Element_Type is indefinite.
  • 4/2
  • The actual Element parameter of access subprogram Process of Update_Element_Preserving_Key may be constrained even if Element_Type is unconstrained.
  • 5/4
  • The operations Include, Insert, Replace, Replace_Element, and To_Set that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
5.a/4
ramification

This includes the procedure Replace declared in the nested generic package Generic_Keys, as well as the routines declared directly in the Containers.Indefinite_Hashed_Sets package.

5.b/5
discussion

Unlike the other containers, a Hashed_Set has no operations that tamper with elements without tampering with cursors. Modifying the contents of a element of a set can change its position in the set, so those operations tamper with cursors.

5.c/5

Because of this characteristic, this subclause is missing the rules that other indefinite containers have modifying the definition and use of Tampering_with_Elements, and the definition of the Stable subpackaage is the same as the definite version.

Extensions to Ada 95

5.d/2

The generic package Containers.Indefinite_Hashed_Sets is new.

Inconsistencies With Ada 2012

5.e/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.16 The Generic Package Containers.Indefinite_Ordered_Sets

1/2

The language-defined generic package Containers.Indefinite_Ordered_Sets provides a set with the same operations as the package Containers.Ordered_Sets (see A.18.9), with the difference that the generic formal type Element_Type is indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Ordered_Sets has the same contents and semantics as Containers.Ordered_Sets except:

3/2
  • The generic formal Element_Type is indefinite.
  • 4/2
  • The actual Element parameter of access subprogram Process of Update_Element_Preserving_Key may be constrained even if Element_Type is unconstrained.
  • 5/4
  • The operations Include, Insert, Replace, Replace_Element, and To_Set that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
5.a/4
ramification

This includes the procedure Replace declared in the nested generic package Generic_Keys, as well as the routines declared directly in the Containers.Indefinite_Ordered_Sets package.

5.b/5
discussion

Unlike the other containers, a Ordered_Set has no operations that tamper with elements without tampering with cursors. Modifying the contents of a element of a set can change its position in the set, so those operations tamper with cursors.

5.c/5

Because of this characteristic, this subclause is missing the rules that other indefinite containers have modifying the definition and use of Tampering_with_Elements, and the definition of the Stable subpackaage is the same as the definite version.

Extensions to Ada 95

5.d/2

The generic package Containers.Indefinite_Ordered_Sets is new.

Inconsistencies With Ada 2012

5.e/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.17 The Generic Package Containers.Indefinite_Multiway_Trees

1/3

The language-defined generic package Containers.Indefinite_Multiway_Trees provides a multiway tree with the same operations as the package Containers.Multiway_Trees (see A.18.10), with the difference that the generic formal Element_Type is indefinite.

Static Semantics

2/3

The declaration of the generic library package Containers.Indefinite_Multiway_Trees has the same contents and semantics as Containers.Multiway_Trees except:

3/3
  • The generic formal Element_Type is indefinite.
  • 4/3
  • The procedure with the profile:
5/3

procedure Insert_Child (Container : in out Tree; Parent : in Cursor; Before : in Cursor; Position : out Cursor; Count : in Count_Type := 1);

6/3
  • is omitted.
6.a/3
discussion

This procedure is omitted because there is no way to create a default-initialized object of an indefinite type. We considered having this routine insert an empty element similar to the empty elements of a vector, but rejected this possibility because the semantics are fairly complex and very different from the existing case. That would make it more error-prone to convert a container from a definite type to an indefinite type; by omitting the routine completely, any problems will be diagnosed by the compiler.

7/3
  • The actual Element parameter of access subprogram Process of Update_Element may be constrained even if Element_Type is unconstrained.
  • 8/4
  • The operations Append_Child, Insert_Child, Prepend_Child, and Replace_Element that have a formal parameter of type Element_Type perform indefinite insertion (see A.18).
  • 9/5
  • The description of Tampering_With_Elements_Prohibited is replaced by:
10/5

Returns True if tampering with elements is prohibited for Container, and False otherwise.

10.a/5
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem.

11/5
  • Tampering_With_Cursors_Prohibited is replaced by Tampering_With_Elements_Prohibited in the postcondition for the operations Reference and Constant_Reference.
  • 12/5
  • The operations Replace_Element and Swap are omitted from the nested package Stable.

Extensions to Ada 2005

12.a/3

The generic package Containers.Indefinite_Multiway_Trees is new.

Inconsistencies With Ada 2012

12.b/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

12.c/5

Defined the Iterator_View aspect, so that the stable view is used for container element iterators. This leads to a rare situation where Program_Error will be raised in Ada 2022 for code that would have worked in Ada 2012. See Inconsistencies With Ada 2012 in A.18.11 for details.

A.18.18 The Generic Package Containers.Indefinite_Holders

1/3

The language-defined generic package Containers.Indefinite_Holders provides a private type Holder and a set of operations for that type. A holder container holds a single element of an indefinite type.

2/3

A holder container allows the declaration of an object that can be used like an uninitialized variable or component of an indefinite type.

3/3

A holder container may be empty. An empty holder does not contain an element.

Static Semantics

4/3

The generic library package Containers.Indefinite_Holders has the following declaration:

5/5

generic type Element_Type (<>) is private; with function "=" (Left, Right : Element_Type) return Boolean is <>; package Ada.Containers.Indefinite_Holders with Preelaborate, Remote_Types, Nonblocking, Global => in out synchronized is

5.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects in this generic package, see the notes on the equivalent operations in the specification of the Containers.Vectors package (see A.18.2).

6/5

type Holder is tagged private with Stable_Properties => (Is_Empty, Tampering_With_The_Element_Prohibited), Default_Initial_Condition => Is_Empty (Holder), Preelaborable_Initialization; 7/3 Empty_Holder : constant Holder; 7.1/5

function Equal_Element (Left, Right : Element_Type) return Boolean renames "="; 8/3 function "=" (Left, Right : Holder) return Boolean; 8.1/5

function Tampering_With_The_Element_Prohibited (Container : Holder) return Boolean with Nonblocking, Global => null, Use_Formal => null; 8.2/5

function Empty return Holder is (Empty_Holder) with Post => not Tampering_With_The_Element_Prohibited (Empty'Result) and then Is_Empty (Empty'Result); 9/5

function To_Holder (New_Item : Element_Type) return Holder with Post => not Is_Empty (To_Holder'Result); 10/5

function Is_Empty (Container : Holder) return Boolean with Global => null, Use_Formal => null; 11/5

procedure Clear (Container : in out Holder) with Pre => not Tampering_With_The_Element_Prohibited (Container) or else raise Program_Error, Post => Is_Empty (Container); 12/5

function Element (Container : Holder) return Element_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Global => null, Use_Formal => Element_Type; 13/5

procedure Replace_Element (Container : in out Holder; New_Item : in Element_Type) with Pre => not Tampering_With_The_Element_Prohibited (Container) or else raise Program_Error, Post => not Is_Empty (Container); 14/5

procedure Query_Element (Container : in Holder; Process : not null access procedure (Element : in Element_Type)) with Pre => not Is_Empty (Container) or else raise Constraint_Error; 15/5

procedure Update_Element (Container : in out Holder; Process : not null access procedure (Element : in out Element_Type)) with Pre => not Is_Empty (Container) or else raise Constraint_Error; 16/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 17/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 18/5

function Constant_Reference (Container : aliased in Holder) return Constant_Reference_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Post => Tampering_With_The_Element_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 19/5

function Reference (Container : aliased in out Holder) return Reference_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Post => Tampering_With_The_Element_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null; 20/5

procedure Assign (Target : in out Holder; Source : in Holder) with Post => (Is_Empty (Source) = Is_Empty (Target)); 21/5

function Copy (Source : Holder) return Holder with Post => (Is_Empty (Source) = Is_Empty (Copy'Result)); 22/5

procedure Move (Target : in out Holder; Source : in out Holder) with Pre => (not Tampering_With_The_Element_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_The_Element_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Is_Empty (Source) and then (not Is_Empty (Target))); 22.1/5 procedure Swap (Left, Right : in out Holder) with Pre => (not Tampering_With_The_Element_Prohibited (Left) or else raise Program_Error) and then (not Tampering_With_The_Element_Prohibited (Right) or else raise Program_Error), Post => Is_Empty (Left) = Is_Empty (Right)'Old and then Is_Empty (Right) = Is_Empty (Left)'Old; 23/3 private 24/3 ... -- not specified by the language 25/3 end Ada.Containers.Indefinite_Holders;

26/3

The actual function for the generic formal function "=" on Element_Type values is expected to define a reflexive and symmetric relationship and return the same result value each time it is called with a particular pair of values. If it behaves in some other manner, the function "=" on holder values returns an unspecified value. The exact arguments and number of calls of this generic formal function by the function "=" on holder values are unspecified.

26.a/3
ramification

If the actual function for "=" is not symmetric and consistent, the result returned by any of the functions defined to use "=" cannot be predicted. The implementation is not required to protect against "=" raising an exception, or returning random results, or any other "bad" behavior. And it can call "=" in whatever manner makes sense. But note that only the results of the function "=" is unspecified; other subprograms are not allowed to break if "=" is bad.

27/3

The type Holder is used to represent holder containers. The type Holder needs finalization (see 7.6).

28/3

Empty_Holder represents an empty holder object. If an object of type Holder is not otherwise initialized, it is initialized to the same value as Empty_Holder.

29/5

[Some operations check for “tampering with the element” of a container because they depend on the element of the container not being replaced.] When tampering with the element is prohibited for a particular holder object H, Program_Error is propagated by the finalization of H[, as well as by a call that passes H to certain of the operations of this package, as indicated by the precondition of such an operation].

Paragraphs 30 through 35 are removed as preconditions now describe these rules.

34.a/3
reason

Complete replacement of an element can cause its memory to be deallocated while another operation is holding onto a reference to it. That can't be allowed. However, a simple modification of (part of) an element is not a problem, so Update_Element does not cause a problem.

36/3

function "=" (Left, Right : Holder) return Boolean;

37/3

If Left and Right denote the same holder object, then the function returns True. Otherwise, it compares the element contained in Left to the element contained in Right using the generic formal equality operator, returning the result of that operation. Any exception raised during the evaluation of element equality is propagated.

37.a/3
implementation note

This wording describes the canonical semantics. However, the order and number of calls on the formal equality function is unspecified, so an implementation need not call the equality function if the correct answer can be determined without doing so.

37.1/5

function Tampering_With_The_Element_Prohibited (Container : Holder) return Boolean with Nonblocking, Global => null, Use_Formal => null;

37.2/5

Returns True if tampering with the element is currently prohibited for Container, and returns False otherwise.

38/5

function To_Holder (New_Item : Element_Type) return Holder with Post => not Is_Empty (To_Holder'Result);

39/4

Returns a nonempty holder containing an element initialized to New_Item. To_Holder performs indefinite insertion (see A.18).

40/5

function Is_Empty (Container : Holder) return Boolean with Global => null, Use_Formal => null;

41/3

Returns True if Container is empty, and False if it contains an element.

42/5

procedure Clear (Container : in out Holder) with Pre => not Tampering_With_The_Element_Prohibited (Container) or else raise Program_Error, Post => Is_Empty (Container);

43/5

Removes the element from Container.

44/5

function Element (Container : Holder) return Element_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Global => null, Use_Formal => Element_Type;

45/5

Returns the element stored in Container.

46/5

procedure Replace_Element (Container : in out Holder; New_Item : in Element_Type) with Pre => not Tampering_With_The_Element_Prohibited (Container) or else raise Program_Error, Post => not Is_Empty (Container);

47/5

Replace_Element assigns the value New_Item into Container, replacing any preexisting content of Container; Replace_Element performs indefinite insertion (see A.18).

48/5

procedure Query_Element (Container : in Holder; Process : not null access procedure (Element : in Element_Type)) with Pre => not Is_Empty (Container) or else raise Constraint_Error, Global => null, Use_Formal => null;

49/5

Query_Element calls Process.all with the contained element as the argument. Tampering with the element of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

49.a/3
implementation note

The “tamper with the element” check is intended to prevent the Element parameter of Process from being replaced or deleted outside of Process. The check prevents data loss (if Element_Type is passed by copy) or erroneous execution (if Element_Type is an unconstrained type).

50/5

procedure Update_Element (Container : in out Holder; Process : not null access procedure (Element : in out Element_Type)) with Pre => not Is_Empty (Container) or else raise Constraint_Error;

51/5

Update_Element calls Process.all with the contained element as the argument. Tampering with the element of Container is prohibited during the execution of the call on Process.all. Any exception raised by Process.all is propagated.

51.a/3
implementation note

The Element parameter of Process.all may be constrained even if Element_Type is unconstrained.

52/5

type Constant_Reference_Type (Element : not null access constant Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error); 53/5

type Reference_Type (Element : not null access Element_Type) is private with Implicit_Dereference => Element, Nonblocking, Global => in out synchronized, Default_Initial_Condition => (raise Program_Error);

54/3

The types Constant_Reference_Type and Reference_Type need finalization.

55/5

This paragraph was deleted.

55.a/3
reason

It is expected that Reference_Type (and Constant_Reference_Type) will be a controlled type, for which finalization will have some action to terminate the tampering check for the associated container. If the object is created by default, however, there is no associated container. Since this is useless, and supporting this case would take extra work, we define it to raise an exception.

56/5

function Constant_Reference (Container : aliased in Holder) return Constant_Reference_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Post => Tampering_With_The_Element_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

57/3

This function (combined with the Implicit_Dereference aspect) provides a convenient way to gain read access to the contained element of a holder container.

58/5

Constant_Reference returns an object whose discriminant is an access value that designates the contained element. Tampering with the element of Container is prohibited while the object returned by Constant_Reference exists and has not been finalized.

59/5

function Reference (Container : aliased in out Holder) return Reference_Type with Pre => not Is_Empty (Container) or else raise Constraint_Error, Post => Tampering_With_The_Element_Prohibited (Container), Nonblocking, Global => null, Use_Formal => null;

60/3

This function (combined with the Implicit_Dereference aspects) provides a convenient way to gain read and write access to the contained element of a holder container.

61/5

Reference returns an object whose discriminant is an access value that designates the contained element. Tampering with the element of Container is prohibited while the object returned by Reference exists and has not been finalized.

62/5

procedure Assign (Target : in out Holder; Source : in Holder) with Post => (Is_Empty (Source) = Is_Empty (Target));

63/3

If Target denotes the same object as Source, the operation has no effect. If Source is empty, Clear (Target) is called. Otherwise, Replace_Element (Target, Element (Source)) is called.

63.a/3
discussion

This routine exists for compatibility with the other containers. For a holder, Assign(A, B) and A := B behave effectively the same. (Assign Clears the Target, while := finalizes the Target, but these should have similar effects.)

64/5

function Copy (Source : Holder) return Holder with Post => (Is_Empty (Source) = Is_Empty (Copy'Result));

65/3

If Source is empty, returns an empty holder container; otherwise, returns To_Holder (Element (Source)).

66/5

procedure Move (Target : in out Holder; Source : in out Holder) with Pre => (not Tampering_With_The_Element_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_The_Element_Prohibited (Source) or else raise Program_Error), Post => (if not Target'Has_Same_Storage (Source) then Is_Empty (Source) and then (not Is_Empty (Target)));

67/5

If Target denotes the same object as Source, then the operation has no effect. Otherwise, the element contained by Source (if any) is removed from Source and inserted into Target, replacing any preexisting content.

67.1/5

procedure Swap (Left, Right : in out Holder) with Pre => (not Tampering_With_The_Element_Prohibited (Left) or else raise Program_Error) and then (not Tampering_With_The_Element_Prohibited (Right) or else raise Program_Error), Post => Is_Empty (Left) = Is_Empty (Right)'Old and then Is_Empty (Right) = Is_Empty (Left)'Old;

67.2/5

If Left denotes the same object as Right, then the operation has no effect. Otherwise, operation exchanges the elements (if any) contained by Left and Right.

Bounded (Run-Time) Errors

68/3

It is a bounded error for the actual function associated with a generic formal subprogram, when called as part of an operation of this package, to tamper with the element of any Holder parameter of the operation. Either Program_Error is raised, or the operation works as defined on the value of the Holder either prior to, or subsequent to, some or all of the modifications to the Holder.

69/3

It is a bounded error to call any subprogram declared in the visible part of Containers.Indefinite_Holders when the associated container has been finalized. If the operation takes Container as an in out parameter, then it raises Constraint_Error or Program_Error. Otherwise, the operation either proceeds as it would for an empty container, or it raises Constraint_Error or Program_Error.

Erroneous Execution

70/3

Execution is erroneous if the holder container associated with the result of a call to Reference or Constant_Reference is finalized before the result object returned by the call to Reference or Constant_Reference is finalized.

70.a/3
reason

Each object of Reference_Type and Constant_Reference_Type probably contains some reference to the originating container. If that container is prematurely finalized (which is only possible via Unchecked_Deallocation, as accessibility checks prevent passing a container to Reference that will not live as long as the result), the finalization of the object of Reference_Type will try to access a nonexistent object. This is a normal case of a dangling pointer created by Unchecked_Deallocation; we have to explicitly mention it here as the pointer in question is not visible in the specification of the type. (This is the same reason we have to say this for invalid cursors.)

Implementation Requirements

71/3

No storage associated with a holder object shall be lost upon assignment or scope exit.

72/3

The execution of an assignment_statement for a holder container shall have the effect of copying the element (if any) from the source holder object to the target holder object.

72.a/3
implementation note

An assignment of a holder container is a “deep” copy; that is the element is copied as well as any data structures. We say “effect of” in order to allow the implementation to avoid copying the element immediately if it wishes. For instance, an implementation that avoided copying until one of the containers is modified would be allowed. (Note that this implementation would require care, see A.18.2 for more.)

Implementation Advice

73/5

Move and Swap should not copy any elements, and should minimize copying of internal data structures.

73.a.1/5
implementation advice

Move and Swap in Containers.Indefinite_Holders should not copy any elements, and should minimize copying of internal data structures.

73.a/5
implementation note

Usually that can be accomplished simply by moving the pointer(s) to the internal data structures appropriately.

74/3

If an exception is propagated from a holder operation, no storage should be lost, nor should the element be removed from a holder container unless specified by the operation.

74.a.1/3
implementation advice

If an exception is propagated from a holder operation, no storage should be lost, nor should the element be removed from a holder container unless specified by the operation.

74.a/3
reason

This is important so that programs can recover from errors. But we don't want to require heroic efforts, so we just require documentation of cases where this can't be accomplished.

Extensions to Ada 2005

74.b/3

The generic package Containers.Indefinite_Holders is new.

Inconsistencies With Ada 2012

74.c/4

Corrigendum: Defined some routines to “perform indefinite insertion”. This could mean that some calls to those routines would now raise Program_Error where they previously worked. However, this is extremely unlikely; see Inconsistencies With Ada 2012 in A.18.11 for details.

Incompatibilities With Ada 2012

74.d/5

A number of new subprograms and types were added to Containers.Indefinite_Holders to better support contracts and provide additional functionality. Therefore, a use clause conflict is possible; see the introduction of Annex A for more on this topic.

Wording Changes from Ada 2012

74.e/4

Corrigendum: Clarified that tampering checks precede all other checks made by a subprogram (but come after those associated with the call).

74.f/5

Added contracts to this container. This includes describing some of the semantics with pre- and postconditions, rather than English text. Note that the preconditions can be Suppressed (see 11.5).

A.18.19 The Generic Package Containers.Bounded_Vectors

1/3

The language-defined generic package Containers.Bounded_Vectors provides a private type Vector and a set of operations. It provides the same operations as the package Containers.Vectors (see A.18.2), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Vectors has the same contents and semantics as Containers.Vectors except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
3.a/5
ramification

The Global aspect for a Pure package is null (see 6.1.2), so we don't need to give it explicitly.

4/3
  • The type Vector is declared with a discriminant that specifies the capacity:
5/5

type Vector (Capacity : Count_Type) is tagged private...

5.1/5
  • The aspect_definition for Preelaborable_Initialization for type Vector is changed to:
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

6/3
  • The type Vector needs finalization if and only if type Element_Type needs finalization.
6.a/3
implementation note

The type Vector cannot depend on package Ada.Finalization unless the element type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • Capacity is omitted from the Stable_Properties of type Vector.
6.b/5
reason

The capacity is a discriminant here, so it can't be changed by most routines; thus including it in the stable properties adds no information.

6.2/5
  • In function Empty, the postcondition is altered to:
6.3/5

Post => Empty'Result.Capacity = Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/5
  • In function Copy, the postcondition is altered to:
7.1/5

Post => Length (Copy'Result) = Length (Source) and then (if Capacity > Length (Source) then Copy'Result.Capacity = Capacity else Copy'Result.Capacity >= Length (Source));

8/3
  • The description of Reserve_Capacity is replaced with:
8.1/5

procedure Reserve_Capacity (Container : in out Vector; Capacity : in Count_Type) with Pre => Capacity <= Container.Capacity or else raise Capacity_Error;

9/5

This operation has no effect, [other than checking the precondition].

9.1/5
  • The portion of the postcondition checking the capacity is omitted from subprograms Set_Length, Assign, Insert, Insert_Space, Prepend, Append, and Delete.
  • 9.2/5
  • For procedures Insert, Insert_Space, Prepend, and Append, the part of the precondition reading:
9.3/5

(<some length> <= Maximum_Length - <some other length> or else raise Constraint_Error)

9.4/5
  • is replaced by:
9.5/5

(<some length> <= Maximum_Length - <some other length> or else raise Constraint_Error) and then (<some length> <= Container.Capacity - <some other length> or else raise Capacity_Error)

Bounded (Run-Time) Errors

10/3

It is a bounded error to assign from a bounded vector object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

10.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

11/3

When a bounded vector object V is finalized, if tampering with cursors is prohibited for V other than due to an assignment from another vector, then execution is erroneous.

11.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

12/3

For each instance of Containers.Vectors and each instance of Containers.Bounded_Vectors, if the two instances meet the following conditions, then the output generated by the Vector'Output or Vector'Write subprograms of either instance shall be readable by the Vector'Input or Vector'Read of the other instance, respectively:

13/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 14/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters); and
  • 15/3
  • the preceding two conditions also hold for the Index_Type parameters of the instances.

Implementation Advice

16/3

Bounded vector objects should be implemented without implicit pointers or dynamic allocation.

16.a.1/3
implementation advice

Bounded vector objects should be implemented without implicit pointers or dynamic allocation.

17/3

The implementation advice for procedure Move to minimize copying does not apply.

17.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded vectors.

Extensions to Ada 2005

17.a/3

The generic package Containers.Bounded_Vectors is new.

Inconsistencies With Ada 2012

17.b/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for bounded containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

17.c/5
correction

A bounded vector now only has Preelaborable_Initialization (abbreviated PI in this note) when the actual for the Element_Type has PI. If an program used a vector whose actual Element_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.20 The Generic Package Containers.Bounded_Doubly_Linked_Lists

1/3

The language-defined generic package Containers.Bounded_Doubly_Linked_Lists provides a private type List and a set of operations. It provides the same operations as the package Containers.Doubly_Linked_Lists (see A.18.3), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Doubly_Linked_Lists has the same contents and semantics as Containers.Doubly_Linked_Lists except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
3.a/5
ramification

The Global aspect for a Pure package is null (see 6.1.2), so we don't need to give it explicitly.

4/3
  • The type List is declared with a discriminant that specifies the capacity (maximum number of elements) as follows:
5/5

type List (Capacity : Count_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

6/3
  • The type List needs finalization if and only if type Element_Type needs finalization.
6.a/3
implementation note

The type List cannot depend on package Ada.Finalization unless the element type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • The function Empty is replaced by:
6.2/5

function Empty (Capacity : Count_Type := implementation-defined) return List with Post => Empty'Result.Capacity = Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/5
  • For procedures Insert, Prepend, Append, Merge, and the three-parameter Splice whose parameter Source has type List, the part of the precondition reading:
7.1/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error)

7.2/5
  • is replaced by:
7.3/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error) and then (<some length> <= Container.Capacity - <some other length> or else raise Capacity_Error)

8/5
  • In procedure Assign, the precondition is altered to:
8.1/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Length (Source) <= Target.Capacity or else raise Capacity_Error),

9/3
  • The function Copy is replaced with:
10/5

function Copy (Source : List; Capacity : Count_Type := 0) return List with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity);

11/5

Returns a list whose elements have the same values as the elements of Source.

12/5
  • This paragraph was deleted.
  • 13/5
  • In the four-parameter procedure Splice, the precondition is altered to:
13.1/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (not Tampering_With_Cursors_Prohibited (Source) or else raise Program_Error) and then (Position /= No_Element or else raise Constraint_Error) and then (Has_Element (Source, Position) or else raise Program_Error) and then (Before = No_Element or else Has_Element (Target, Before) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) /= Count_Type'Last or else raise Constraint_Error) and then (Target'Has_Same_Storage (Source) or else Length (Target) /= Target.Capacity or else raise Capacity_Error),

Bounded (Run-Time) Errors

14/3

It is a bounded error to assign from a bounded list object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

14.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

15/3

When a bounded list object L is finalized, if tampering with cursors is prohibited for L other than due to an assignment from another list, then execution is erroneous.

15.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

16/3

For each instance of Containers.Doubly_Linked_Lists and each instance of Containers.Bounded_Doubly_Linked_Lists, if the two instances meet the following conditions, then the output generated by the List'Output or List'Write subprograms of either instance shall be readable by the List'Input or List'Read of the other instance, respectively:

17/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 18/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters).

Implementation Advice

19/3

Bounded list objects should be implemented without implicit pointers or dynamic allocation.

19.a.1/3
implementation advice

Bounded list objects should be implemented without implicit pointers or dynamic allocation.

20/3

The implementation advice for procedure Move to minimize copying does not apply.

20.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded lists.

Extensions to Ada 2005

20.a/3

The generic package Containers.Bounded_Doubly_Linked_Lists is new.

Inconsistencies With Ada 2012

20.b/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for bounded containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

20.c/5
correction

A bounded list now only has Preelaborable_Initialization (abbreviated PI in this note) when the actual for the Element_Type has PI. If an program used a list whose actual Element_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.21 The Generic Package Containers.Bounded_Hashed_Maps

1/3

The language-defined generic package Containers.Bounded_Hashed_Maps provides a private type Map and a set of operations. It provides the same operations as the package Containers.Hashed_Maps (see A.18.5), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Hashed_Maps has the same contents and semantics as Containers.Hashed_Maps except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
  • 4/3
  • The type Map is declared with discriminants that specify both the capacity (number of elements) and modulus (number of distinct hash values) of the hash table as follows:
5/5

type Map (Capacity : Count_Type; Modulus : Hash_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization and Key_Type'Preelaborable_Initialization

6/3
  • The type Map needs finalization if and only if type Key_Type or type Element_Type needs finalization.
6.a/3
implementation note

The type Map cannot depend on package Ada.Finalization unless the element or key type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • In function Empty, the postcondition is altered to:
6.2/5

Post => Empty'Result.Capacity = Capacity and then Empty'Result.Modulus = Default_Modulus (Capacity) and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/3
  • The description of Reserve_Capacity is replaced with:
7.1/5

procedure Reserve_Capacity (Container : in out Map; Capacity : in Count_Type) with Pre => Capacity <= Container.Capacity or else raise Capacity_Error;

8/5

This operation has no effect, [other than checking the precondition].

9/3
  • An additional operation is added immediately following Reserve_Capacity:
10/3

function Default_Modulus (Capacity : Count_Type) return Hash_Type;

11/3

Default_Modulus returns an implementation-defined value for the number of distinct hash values to be used for the given capacity (maximum number of elements).

11.1/5
  • For procedures Insert and Include, the part of the precondition reading:
11.2/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error)

11.3/5
  • is replaced by:
11.4/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error) and then (<some length> > Container.Capacity - <some other length> or else raise Capacity_Error)

11.5/5
  • In procedure Assign, the precondition is altered to:
11.6/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Length (Source) <= Target.Capacity or else raise Capacity_Error),

12/3
  • The function Copy is replaced with:
13/5

function Copy (Source : Map; Capacity : Count_Type := 0; Modulus : Hash_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity) and then Copy'Result.Modulus = (if Modulus = 0 then Default_Modulus (Capacity) else Modulus);

14/5

Returns a map with key/element pairs initialized from the values in Source.

Bounded (Run-Time) Errors

15/3

It is a bounded error to assign from a bounded map object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

15.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

16/3

When a bounded map object M is finalized, if tampering with cursors is prohibited for M other than due to an assignment from another map, then execution is erroneous.

16.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

17/3

For each instance of Containers.Hashed_Maps and each instance of Containers.Bounded_Hashed_Maps, if the two instances meet the following conditions, then the output generated by the Map'Output or Map'Write subprograms of either instance shall be readable by the Map'Input or Map'Read of the other instance, respectively:

18/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 19/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters); and
  • 20/3
  • the preceding two conditions also hold for the Key_Type parameters of the instances.

Implementation Advice

21/3

Bounded hashed map objects should be implemented without implicit pointers or dynamic allocation.

21.a.1/3
implementation advice

Bounded hashed map objects should be implemented without implicit pointers or dynamic allocation.

22/3

The implementation advice for procedure Move to minimize copying does not apply.

22.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded hashed maps.

Extensions to Ada 2005

22.a/3

The generic package Containers.Bounded_Hashed_Maps is new.

Inconsistencies With Ada 2012

22.b/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for bounded containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

22.c/5
correction

A bounded map now only has Preelaborable_Initialization (abbreviated PI in this note) when the actuals for the Element_Type and the Key_Type have PI. If an program used a map whose actual Element_Type or Key_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.22 The Generic Package Containers.Bounded_Ordered_Maps

1/3

The language-defined generic package Containers.Bounded_Ordered_Maps provides a private type Map and a set of operations. It provides the same operations as the package Containers.Ordered_Maps (see A.18.6), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Ordered_Maps has the same contents and semantics as Containers.Ordered_Maps except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
  • 4/3
  • The type Map is declared with a discriminant that specifies the capacity (maximum number of elements) as follows:
5/5

type Map (Capacity : Count_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization and Key_Type'Preelaborable_Initialization

6/3
  • The type Map needs finalization if and only if type Key_Type or type Element_Type needs finalization.
6.a/3
implementation note

The type Map cannot depend on package Ada.Finalization unless the element type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • The function Empty is replaced by:
6.2/5

function Empty (Capacity : Count_Type := implementation-defined) return Map with Post => Empty'Result.Capacity = Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/5
  • For procedures Insert and Include, the part of the precondition reading:
7.1/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error)

7.2/5
  • is replaced by:
7.3/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error) and then (<some length> <= Container.Capacity - <some other length> or else raise Capacity_Error)

8/5
  • In procedure Assign, the precondition is altered to:
8.1/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Length (Source) <= Target.Capacity or else raise Capacity_Error),

9/3
  • The function Copy is replaced with:
10/5

function Copy (Source : Map; Capacity : Count_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity);

11/5

Returns a map with key/element pairs initialized from the values in Source.

Bounded (Run-Time) Errors

12/3

It is a bounded error to assign from a bounded map object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

12.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

13/3

When a bounded map object M is finalized, if tampering with cursors is prohibited for M other than due to an assignment from another map, then execution is erroneous.

13.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

14/3

For each instance of Containers.Ordered_Maps and each instance of Containers.Bounded_Ordered_Maps, if the two instances meet the following conditions, then the output generated by the Map'Output or Map'Write subprograms of either instance shall be readable by the Map'Input or Map'Read of the other instance, respectively:

15/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 16/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters); and
  • 17/3
  • the preceding two conditions also hold for the Key_Type parameters of the instances.

Implementation Advice

18/3

Bounded ordered map objects should be implemented without implicit pointers or dynamic allocation.

18.a.1/3
implementation advice

Bounded ordered map objects should be implemented without implicit pointers or dynamic allocation.

19/3

The implementation advice for procedure Move to minimize copying does not apply.

19.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded ordered maps.

Extensions to Ada 2005

19.a/3

The generic package Containers.Bounded_Ordered_Maps is new.

Inconsistencies With Ada 2012

19.b/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for bounded containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

19.c/5
correction

A bounded map now only has Preelaborable_Initialization (abbreviated PI in this note) when the actuals for the Element_Type and the Key_Type have PI. If an program used a map whose actual Element_Type or Key_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.23 The Generic Package Containers.Bounded_Hashed_Sets

1/3

The language-defined generic package Containers.Bounded_Hashed_Sets provides a private type Set and a set of operations. It provides the same operations as the package Containers.Hashed_Sets (see A.18.8), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Hashed_Sets has the same contents and semantics as Containers.Hashed_Sets except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
  • 4/3
  • The type Set is declared with discriminants that specify both the capacity (number of elements) and modulus (number of distinct hash values) of the hash table as follows:
5/5

type Set (Capacity : Count_Type; Modulus : Hash_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

6/3
  • The type Set needs finalization if and only if type Element_Type needs finalization.
6.a/3
implementation note

The type Set cannot depend on package Ada.Finalization unless the element or key type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • In function Empty, the postcondition is altered to:
6.2/5

Post => Empty'Result.Capacity = Capacity and then Empty'Result.Modulus = Default_Modulus (Capacity) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/3
  • The description of Reserve_Capacity is replaced with:
7.1/5

procedure Reserve_Capacity (Container : in out Set; Capacity : in Count_Type) with Pre => Capacity <= Container.Capacity or else raise Capacity_Error;

8/5

This operation has no effect, [other than checking the precondition].

9/3
  • An additional operation is added immediately following Reserve_Capacity:
10/3

function Default_Modulus (Capacity : Count_Type) return Hash_Type;

11/3

Default_Modulus returns an implementation-defined value for the number of distinct hash values to be used for the given capacity (maximum number of elements).

11.1/5
  • For procedures Insert and Include, the part of the precondition reading:
11.2/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error)

11.3/5
  • is replaced by:
11.4/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error) and then (<some length> <= Container.Capacity - <some other length> or else raise Capacity_Error)

11.5/5
  • In procedure Assign, the precondition is altered to:
11.6/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Length (Source) <= Target.Capacity or else raise Capacity_Error),

12/3
  • The function Copy is replaced with:
13/5

function Copy (Source : Set; Capacity : Count_Type := 0; Modulus : Hash_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity) and then Copy'Result.Modulus = (if Modulus = 0 then Default_Modulus (Capacity) else Modulus);

14/5

Returns a set with key/element pairs initialized from the values in Source.

Bounded (Run-Time) Errors

15/3

It is a bounded error to assign from a bounded set object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

15.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

16/3

When a bounded set object S is finalized, if tampering with cursors is prohibited for S other than due to an assignment from another set, then execution is erroneous.

16.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

17/3

For each instance of Containers.Hashed_Sets and each instance of Containers.Bounded_Hashed_Sets, if the two instances meet the following conditions, then the output generated by the Set'Output or Set'Write subprograms of either instance shall be readable by the Set'Input or Set'Read of the other instance, respectively:

18/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 19/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters).

Implementation Advice

20/3

Bounded hashed set objects should be implemented without implicit pointers or dynamic allocation.

20.a.1/3
implementation advice

Bounded hashed set objects should be implemented without implicit pointers or dynamic allocation.

21/3

The implementation advice for procedure Move to minimize copying does not apply.

21.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded hashed sets.

Extensions to Ada 2005

21.a/3

The generic package Containers.Bounded_Hashed_Sets is new.

Incompatibilities With Ada 2012

21.b/5
correction

A bounded set now only has Preelaborable_Initialization (abbreviated PI in this note) when the actual for the Element_Type has PI. If an program used a set whose actual Element_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.24 The Generic Package Containers.Bounded_Ordered_Sets

1/3

The language-defined generic package Containers.Bounded_Ordered_Sets provides a private type Set and a set of operations. It provides the same operations as the package Containers.Ordered_Sets (see A.18.9), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Ordered_Sets has the same contents and semantics as Containers.Ordered_Sets except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
  • 4/3
  • The type Set is declared with a discriminant that specifies the capacity (maximum number of elements) as follows:
5/5

type Set (Capacity : Count_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

6/3
  • The type Set needs finalization if and only if type Element_Type needs finalization.
6.a/3
implementation note

The type Set cannot depend on package Ada.Finalization unless the element type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • The function Empty is replaced by:
6.2/5

function Empty (Capacity : Count_Type := implementation-defined) return Set with Post => Empty'Result.Capacity = Capacity and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Length (Empty'Result) = 0;

7/5
  • For procedures Insert and Include, the part of the precondition reading:
7.1/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error)

7.2/5
  • is replaced by:
7.3/5

(<some length> <= Count_Type'Last - <some other length> or else raise Constraint_Error) and then (<some length> <= Container.Capacity - <some other length> or else raise Capacity_Error)

8/5
  • In procedure Assign, the precondition is altered to:
8.1/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Length (Source) <= Target.Capacity or else raise Capacity_Error),

9/3
  • The function Copy is replaced with:
10/5

function Copy (Source : Set; Capacity : Count_Type := 0) return Map with Pre => Capacity = 0 or else Capacity >= Length (Source) or else raise Capacity_Error, Post => Length (Copy'Result) = Length (Source) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Length (Source) else Capacity);

11/5

Returns a set with key/element pairs initialized from the values in Source.

Bounded (Run-Time) Errors

12/3

It is a bounded error to assign from a bounded set object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

12.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

13/3

When a bounded set object S is finalized, if tampering with cursors is prohibited for S other than due to an assignment from another set, then execution is erroneous.

13.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

14/3

For each instance of Containers.Ordered_Sets and each instance of Containers.Bounded_Ordered_Sets, if the two instances meet the following conditions, then the output generated by the Set'Output or Set'Write subprograms of either instance shall be readable by the Set'Input or Set'Read of the other instance, respectively:

15/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 16/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters).

Implementation Advice

17/3

Bounded ordered set objects should be implemented without implicit pointers or dynamic allocation.

17.a.1/3
implementation advice

Bounded ordered set objects should be implemented without implicit pointers or dynamic allocation.

18/3

The implementation advice for procedure Move to minimize copying does not apply.

18.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded ordered sets.

Extensions to Ada 2005

18.a/3

The generic package Containers.Bounded_Ordered_Sets is new.

Incompatibilities With Ada 2012

18.b/5
correction

A bounded set now only has Preelaborable_Initialization (abbreviated PI in this note) when the actual for the Element_Type has PI. If an program used a set whose actual Element_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.25 The Generic Package Containers.Bounded_Multiway_Trees

1/3

The language-defined generic package Containers.Bounded_Multiway_Trees provides a private type Tree and a set of operations. It provides the same operations as the package Containers.Multiway_Trees (see A.18.10), with the difference that the maximum storage is bounded.

Static Semantics

2/3

The declaration of the generic library package Containers.Bounded_Multiway_Trees has the same contents and semantics as Containers.Multiway_Trees except:

3/5
  • The aspect Preelaborate is replaced with aspect Pure. Aspect Global is deleted.
  • 4/3
  • The type Tree is declared with a discriminant that specifies the capacity (maximum number of elements) as follows:
5/5

type Tree (Capacity : Count_Type) is tagged private...

5.1/5
5.2/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

6/3
  • The type Tree needs finalization if and only if type Element_Type needs finalization.
6.a/3
implementation note

The type Tree cannot depend on package Ada.Finalization unless the element type depends on that package. The objects returned from the Iterator and Reference functions probably do depend on package Ada.Finalization. Restricted environments may need to avoid use of those functions and their associated types.

6.1/5
  • The function Empty is replaced by:
6.2/5

function Empty (Capacity : Count_Type := implementation-defined) return Tree with Post => Empty'Result.Capacity = Capacity and then not Tampering_With_Elements_Prohibited (Empty'Result) and then not Tampering_With_Cursors_Prohibited (Empty'Result) and then Node_Count (Empty'Result) = 1;

7/5
  • For procedures Insert_Child, Prepend_Child, and Append_Child, the initial subexpression of the precondition is replaced with:
7.1/5

with Pre => (not Tampering_With_Cursors_Prohibited (Container) or else raise Program_Error) and then (Node_Count (Container) - 1 <= Container.Capacity - Count or else raise Capacity_Error)

8/5
  • In procedure Assign, the precondition is altered to:
8.1/5

Pre => (not Tampering_With_Cursors_Prohibited (Target) or else raise Program_Error) and then (Node_Count (Source) - 1 <= Target.Capacity or else raise Capacity_Error),

9/3
  • Function Copy is declared as follows:
10/4

function Copy (Source : Tree; Capacity : Count_Type := 0) return Tree with Pre => Capacity = 0 or else Capacity >= Node_Count (Source) - 1 or else raise Capacity_Error, Post => Node_Count (Copy'Result) = Node_Count (Source) and then not Tampering_With_Elements_Prohibited (Copy'Result) and then not Tampering_With_Cursors_Prohibited (Copy'Result) and then Copy'Result.Capacity = (if Capacity = 0 then Node_Count (Source) - 1 else Capacity);

11/5

Returns a list whose elements have the same values as the elements of Source.

11.1/5
  • In the four-parameter procedure Copy_Subtree, the last or else of the precondition is replaced by:
11.2/5

(not Is_Root (Source) or else raise Constraint_Error) and then (Node_Count (Target) - 1 + Subtree_Node_Count (Source) <= Target.Capacity or else raise Capacity_Error),

11.3/5
  • In the five-parameter procedure Copy_Subtree, the last or else of the precondition is replaced by:
11.4/5

(not Is_Root (Source, Subtree) or else raise Constraint_Error) and then (Node_Count (Target) - 1 + Subtree_Node_Count (Source, Subtree) <= Target.Capacity or else raise Capacity_Error),

11.5/5
  • In Copy_Local_Subtree, the last or else of the precondition is replaced by:
11.6/5

(not Is_Root (Source, Subtree) or else raise Constraint_Error) and then (Node_Count (Target) - 1 + Subtree_Node_Count (Target, Source) <= Target.Capacity or else raise Capacity_Error),

12/5
  • In the five-parameter procedure Splice_Subtree, the penultimate or else of the precondition is replaced by:
12.1/5

(Has_Element (Source, Position) or else raise Program_Error) and then (Target'Has_Same_Storage (Source) or else Node_Count (Target) - 1 + Subtree_Node_Count (Source, Position) <= Target.Capacity or else raise Capacity_Error) and then

13/5
  • In the five-parameter procedure Splice_Children, the penultimate elsif of the precondition is replaced by:
13.1/5

(Before = No_Element or else Parent (Target, Before) /= Target_Parent or else raise Constraint_Error) and then (Target'Has_Same_Storage (Source) or else Node_Count (Target) - 1 + Child_Count (Source, Source_Parent) <= Target.Capacity or else raise Capacity_Error) and then

Bounded (Run-Time) Errors

14/3

It is a bounded error to assign from a bounded tree object while tampering with elements [or cursors] of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements [or cursors], or execution proceeds normally.

14.a/3
proof

Tampering with elements includes tampering with cursors, so we only really need to talk about tampering with elements here; we mention cursors for clarity.

Erroneous Execution

15/3

When a bounded tree object T is finalized, if tampering with cursors is prohibited for T other than due to an assignment from another tree, then execution is erroneous.

15.a/3
reason

This is a tampering event, but since the implementation is not allowed to use Ada.Finalization, it is not possible in a pure Ada implementation to detect this error. (There is no Finalize routine that will be called that could make the check.) Since the check probably cannot be made, the bad effects that could occur (such as an iterator going into an infinite loop or accessing a nonexistent element) cannot be prevented and we have to allow anything. We do allow re-assigning an object that only prohibits tampering because it was copied from another object as that cannot cause any negative effects.

Implementation Requirements

16/3

For each instance of Containers.Multiway_Trees and each instance of Containers.Bounded_Multiway_Trees, if the two instances meet the following conditions, then the output generated by the Tree'Output or Tree'Write subprograms of either instance shall be readable by the Tree'Input or Tree'Read of the other instance, respectively:

17/3
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 18/3
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters).

Implementation Advice

19/3

Bounded tree objects should be implemented without implicit pointers or dynamic allocation.

19.a.1/3
implementation advice

Bounded tree objects should be implemented without implicit pointers or dynamic allocation.

20/3

The implementation advice for procedure Move to minimize copying does not apply.

20.a.1/3
implementation advice

The implementation advice for procedure Move to minimize copying does not apply to bounded trees.

Extensions to Ada 2005

20.a/3

The generic package Containers.Bounded_Multiway_Trees is new.

Inconsistencies With Ada 2012

20.b/5
correction

Tampering with elements is now defined to be equivalent to tampering with cursors for bounded containers. If a program requires tampering detection to work, it might fail in Ada 2022. Needless to say, this shouldn't happen outside of test programs. See Inconsistencies With Ada 2012 in A.18.2 for more details.

Incompatibilities With Ada 2012

20.c/5
correction

A bounded tree now only has Preelaborable_Initialization (abbreviated PI in this note) when the actual for the Element_Type has PI. If an program used a tree whose actual Element_Type does not have PI in a context when PI is required (such as a library-level object in a preelaborated unit or as a component of a type with PI), the program would be illegal in Ada 2022 but legal in original Ada 2012. This situation is unlikely, especially as some existing Ada 2012 implementations reject the instance in this case.

A.18.26 Array Sorting

1/3

The language-defined generic procedures Containers.Generic_Array_Sort, Containers.Generic_Constrained_Array_Sort, and Containers.Generic_Sort provide sorting on arbitrary array types.

Static Semantics

2/2

The generic library procedure Containers.Generic_Array_Sort has the following declaration:

3/5

generic type Index_Type is (<>); type Element_Type is private; type Array_Type is array (Index_Type range <>) of Element_Type; with function "<" (Left, Right : Element_Type) return Boolean is <>; procedure Ada.Containers.Generic_Array_Sort (Container : in out Array_Type) with Pure, Nonblocking, Global => null;

3.a/5
discussion

Global => null means that the only global side-effects allowed are associated with the actual generic parameters. Similarly, when Nonblocking is set to True for a generic unit, the only blocking allowed is that associated with the actual generic parameters.

4/2

Reorders the elements of Container such that the elements are sorted smallest first as determined by the generic formal "<" operator provided. Any exception raised during evaluation of "<" is propagated.

5/3

The actual function for the generic formal function "<" of Generic_Array_Sort is expected to return the same value each time it is called with a particular pair of element values. It should define a strict weak ordering relationship (see A.18); it should not modify Container. If the actual for "<" behaves in some other manner, the behavior of the instance of Generic_Array_Sort is unspecified. The number of times Generic_Array_Sort calls "<" is unspecified.

5.a/2
ramification

This implies swapping the elements, usually including an intermediate copy. This of course means that the elements will be copied. Since the elements are nonlimited, this usually will not be a problem. Note that there is Implementation Advice below that the implementation should use a sort that minimizes copying of elements.

5.b/2

The sort is not required to be stable (and the fast algorithm required will not be stable). If a stable sort is needed, the user can include the original location of the element as an extra "sort key". We considered requiring the implementation to do that, but it is mostly extra overhead -- usually there is something already in the element that provides the needed stability.

6/2

The generic library procedure Containers.Generic_Constrained_Array_Sort has the following declaration:

7/5

generic type Index_Type is (<>); type Element_Type is private; type Array_Type is array (Index_Type) of Element_Type; with function "<" (Left, Right : Element_Type) return Boolean is <>; procedure Ada.Containers.Generic_Constrained_Array_Sort (Container : in out Array_Type) with Pure, Nonblocking, Global => null;

7.a/5
discussion

Global => null means that the only global side-effects allowed are associated with the actual generic parameters. Similarly, when Nonblocking is set to True for a generic unit, the only blocking allowed is that associated with the actual generic parameters.

8/2

Reorders the elements of Container such that the elements are sorted smallest first as determined by the generic formal "<" operator provided. Any exception raised during evaluation of "<" is propagated.

9/3

The actual function for the generic formal function "<" of Generic_Constrained_Array_Sort is expected to return the same value each time it is called with a particular pair of element values. It should define a strict weak ordering relationship (see A.18); it should not modify Container. If the actual for "<" behaves in some other manner, the behavior of the instance of Generic_Constrained_Array_Sort is unspecified. The number of times Generic_Constrained_Array_Sort calls "<" is unspecified.

9.1/3

The generic library procedure Containers.Generic_Sort has the following declaration:

9.2/5

generic type Index_Type is (<>); with function Before (Left, Right : Index_Type) return Boolean; with procedure Swap (Left, Right : in Index_Type); procedure Ada.Containers.Generic_Sort (First, Last : Index_Type'Base) with Pure, Nonblocking, Global => null;

9.a/5
discussion

Global => null means that the only global side-effects allowed are associated with the actual generic parameters. Similarly, when Nonblocking is set to True for a generic unit, the only blocking allowed is that associated with the actual generic parameters.

9.3/3

Reorders the elements of an indexable structure, over the range First .. Last, such that the elements are sorted in the ordering determined by the generic formal function Before; Before should return True if Left is to be sorted before Right. The generic formal Before compares the elements having the given indices, and the generic formal Swap exchanges the values of the indicated elements. Any exception raised during evaluation of Before or Swap is propagated.

9.4/3

The actual function for the generic formal function Before of Generic_Sort is expected to return the same value each time it is called with index values that identify a particular pair of element values. It should define a strict weak ordering relationship (see A.18); it should not modify the elements. The actual function for the generic formal Swap should exchange the values of the indicated elements. If the actual for either Before or Swap behaves in some other manner, the behavior of Generic_Sort is unspecified. The number of times the Generic_Sort calls Before or Swap is unspecified.

Implementation Advice

10/2

The worst-case time complexity of a call on an instance of Containers.Generic_Array_Sort or Containers.Generic_Constrained_Array_Sort should be O(N**2) or better, and the average time complexity should be better than O(N**2), where N is the length of the Container parameter.

10.a/2
implementation advice

Containers.Generic_Array_Sort and Containers.Generic_Constrained_Array_Sort should have an average time complexity better than O(N**2) and worst case no worse than O(N**2).

10.b/2
discussion

In other words, we're requiring the use of a sorting algorithm better than O(N**2), such as Quicksort. No bubble sorts allowed!

11/2

Containers.Generic_Array_Sort and Containers.Generic_Constrained_Array_Sort should minimize copying of elements.

11.a/2
implementation advice

Containers.Generic_Array_Sort and Containers.Generic_Constrained_Array_Sort should minimize copying of elements.

11.b/2

To be honest: We do not mean “absolutely minimize” here; we're not intending to require a single copy for each element. Rather, we want to suggest that the sorting algorithm chosen is one that does not copy items unnecessarily. Bubble sort would not meet this advice, for instance.

12/3

The worst-case time complexity of a call on an instance of Containers.Generic_Sort should be O(N**2) or better, and the average time complexity should be better than O(N**2), where N is the difference between the Last and First parameters plus 1.

12.a.1/3
implementation advice

Containers.Generic_Sort should have an average time complexity better than O(N**2) and worst case no worse than O(N**2).

13/3

Containers.Generic_Sort should minimize calls to the generic formal Swap.

13.a.1/3
implementation advice

Containers.Generic_Sort should minimize calls to the generic formal Swap.

Extensions to Ada 95

13.a/2

The generic procedures Containers.Generic_Array_Sort and Containers.Generic_Constrained_Array_Sort are new.

Extensions to Ada 2005

13.b/3

The generic procedure Containers.Generic_Sort is new.

Wording Changes from Ada 2005

13.c/3
correction

Redefined "<" actuals to require a strict weak ordering; the old definition allowed indeterminant comparisons that would not have worked in a sort.

Wording Changes from Ada 2012

13.d/5

Added contracts to these procedures.

A.18.27 The Generic Package Containers.Synchronized_Queue_Interfaces

1/3

The language-defined generic package Containers.Synchronized_Queue_Interfaces provides interface type Queue, and a set of operations for that type. Interface Queue specifies a first-in, first-out queue.

Static Semantics

2/3

The generic library package Containers.Synchronized_Queue_Interfaces has the following declaration:

3/5

generic type Element_Type is private; package Ada.Containers.Synchronized_Queue_Interfaces with Pure, Nonblocking, Global => null is

3.a/5
discussion

Global => null means that the only global side-effects allowed are associated with the actual generic parameters. Similarly, when Nonblocking is set to True for a generic unit, the only blocking allowed is that associated with the actual generic parameters.

4/3

type Queue is synchronized interface; 5/5

procedure Enqueue (Container : in out Queue; New_Item : in Element_Type) is abstract with Synchronization => By_Entry, Nonblocking => False, Global'Class=> in out synchronized; 6/5

procedure Dequeue (Container : in out Queue; Element : out Element_Type) is abstract with Synchronization => By_Entry, Nonblocking => False, Global'Class=> in out synchronized; 7/5

function Current_Use (Container : Queue) return Count_Type is abstract with Nonblocking, Global'Class => null, Use_Formal => null; function Peak_Use (Container : Queue) return Count_Type is abstract with Nonblocking, Global'Class => null, Use_Formal => null, Post'Class => Peak_Use'Result >= Current_Use (Container); 8/3 end Ada.Containers.Synchronized_Queue_Interfaces;

8.1/5

The subprogram behavior descriptions given below are the semantics for the corresponding callable entities found in the language-defined generic packages that have a formal package named Queue_Interfaces.

9/5

procedure Enqueue (Container : in out Queue; New_Item : in Element_Type) is abstract with Synchronization => By_Entry Nonblocking => False, Global'Class=> in out synchronized;

10/3

A queue type that implements this interface is allowed to have a bounded capacity. If the queue object has a bounded capacity, and the number of existing elements equals the capacity, then Enqueue blocks until storage becomes available; otherwise, Enqueue does not block. In any case, it then copies New_Item onto the queue.

11/5

procedure Dequeue (Container : in out Queue; Element : out Element_Type) is abstract with Synchronization => By_Entry Nonblocking => False, Global'Class=> in out synchronized;

12/3

If the queue is empty, then Dequeue blocks until an item becomes available. In any case, it then assigns the element at the head of the queue to Element, and removes it from the queue.

13/5

function Current_Use (Container : Queue) return Count_Type is abstract with Nonblocking, Global'Class=> null, Use_Formal => null;

14/3

Returns the number of elements currently in the queue.

15/5

function Peak_Use (Container : Queue) return Count_Type is abstract with Nonblocking, Global'Class=> null, Use_Formal => null, Post'Class => Peak_Use'Result >= Current_Use (Container);

16/3

Returns the maximum number of elements that have been in the queue at any one time.

17/3

NOTE Unlike other language-defined containers, there are no queues whose element types are indefinite. Elements of an indefinite type can be handled by defining the element of the queue to be a holder container (see A.18.18) of the indefinite type, or to be an explicit access type that designates the indefinite type.

17.a/3
reason

There are no indefinite queues, as a useful definition for Dequeue is not possible. Dequeue cannot be a function, as Ada does not have entries that are functions (thus conditional and timed calls would not be possible). Moreover, protected functions do not allow modifying the queue object (thus it doesn't work even if we decided we didn't care about conditional and timed calls). If Dequeue is an entry, then the dequeued object would have to be an out parameter and that would require the queue client to guess the tag and constraints of the value that will be dequeued (otherwise Constraint_Error would be raised), and that is rarely going to be possible.

Extensions to Ada 2005

17.b/3

The generic package Containers.Synchronized_Queue_Interfaces is new.

A.18.28 The Generic Package Containers.Unbounded_Synchronized_Queues

Static Semantics

1/3

The language-defined generic package Containers.Unbounded_Synchronized_Queues provides type Queue, which implements the interface type Containers.Synchronized_Queue_Interfaces.Queue.

2/5

with System; with Ada.Containers.Synchronized_Queue_Interfaces; generic with package Queue_Interfaces is new Ada.Containers.Synchronized_Queue_Interfaces (<>); Default_Ceiling : System.Any_Priority := System.Priority'Last; package Ada.Containers.Unbounded_Synchronized_Queues with Preelaborate, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects of this generic package, see the notes on the specification of the Containers.Vectors package (see A.18.2).

3/3

package Implementation is ... -- not specified by the language end Implementation; 4/3 protected type Queue (Ceiling : System.Any_Priority := Default_Ceiling) with Priority => Ceiling is new Queue_Interfaces.Queue with 5/3 overriding entry Enqueue (New_Item : in Queue_Interfaces.Element_Type); overriding entry Dequeue (Element : out Queue_Interfaces.Element_Type); 6/5

overriding function Current_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; overriding function Peak_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; 7/3 private ... -- not specified by the language end Queue; 8/3 private 9/3 ... -- not specified by the language 10/3 end Ada.Containers.Unbounded_Synchronized_Queues;

11/3

The type Queue is used to represent task-safe queues.

12/3

The capacity for instances of type Queue is unbounded.

12.a/3
ramification

Enqueue never blocks; if more storage is needed for a new element, it is allocated dynamically. We don't need to explicitly specify that Queue needs finalization, because it is visibly protected.

12.b/3
discussion

Nested package Implementation can be used to declare the types needed to implement the protected type Queue. This nested package is necessary as types cannot be declared in the private part of a protected type, and the types have to be declared within the generic unit in order to depend on the types imported with package Queue_Interfaces. Clients should never depend on the contents of nested package Implementation.

Extensions to Ada 2005

12.c/3

The generic package Containers.Unbounded_Synchronized_Queues is new.

A.18.29 The Generic Package Containers.Bounded_Synchronized_Queues

Static Semantics

1/3

The language-defined generic package Containers.Bounded_Synchronized_Queues provides type Queue, which implements the interface type Containers.Synchronized_Queue_Interfaces.Queue.

2/5

with System; with Ada.Containers.Synchronized_Queue_Interfaces; generic with package Queue_Interfaces is new Ada.Containers.Synchronized_Queue_Interfaces (<>); Default_Capacity : Count_Type; Default_Ceiling : System.Any_Priority := System.Priority'Last; package Ada.Containers.Bounded_Synchronized_Queues with Preelaborate, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects of this generic package, see the notes on the specification of the Containers.Vectors package (see A.18.2).

3/3

package Implementation is ... -- not specified by the language end Implementation; 4/3 protected type Queue (Capacity : Count_Type := Default_Capacity; Ceiling : System.Any_Priority := Default_Ceiling) with Priority => Ceiling is new Queue_Interfaces.Queue with 5/3 overriding entry Enqueue (New_Item : in Queue_Interfaces.Element_Type); overriding entry Dequeue (Element : out Queue_Interfaces.Element_Type); 6/5

overriding function Current_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; overriding function Peak_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; 7/3 private ... -- not specified by the language end Queue; 8/3 private 9/3 ... -- not specified by the language 10/3 end Ada.Containers.Bounded_Synchronized_Queues;

11/3

The semantics are the same as for Unbounded_Synchronized_Queues, except:

12/3
  • The capacity for instances of type Queue is bounded and specified by the discriminant Capacity.
12.a/3
ramification

Since this type has a bounded capacity, Enqueue might block if the queue is full.

Implementation Advice

13/3

Bounded queue objects should be implemented without implicit pointers or dynamic allocation.

13.a.1/3
implementation advice

Bounded queue objects should be implemented without implicit pointers or dynamic allocation.

Extensions to Ada 2005

13.a/3

The generic package Containers.Bounded_Synchronized_Queues is new.

A.18.30 The Generic Package Containers.Unbounded_Priority_Queues

Static Semantics

1/3

The language-defined generic package Containers.Unbounded_Priority_Queues provides type Queue, which implements the interface type Containers.Synchronized_Queue_Interfaces.Queue.

2/5

with System; with Ada.Containers.Synchronized_Queue_Interfaces; generic with package Queue_Interfaces is new Ada.Containers.Synchronized_Queue_Interfaces (<>); type Queue_Priority is private; with function Get_Priority (Element : Queue_Interfaces.Element_Type) return Queue_Priority is <>; with function Before (Left, Right : Queue_Priority) return Boolean is <>; Default_Ceiling : System.Any_Priority := System.Priority'Last; package Ada.Containers.Unbounded_Priority_Queues with Preelaborate, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects of this generic package, see the notes on the specification of the Containers.Vectors package (see A.18.2).

3/3

package Implementation is ... -- not specified by the language end Implementation; 4/3 protected type Queue (Ceiling : System.Any_Priority := Default_Ceiling) with Priority => Ceiling is new Queue_Interfaces.Queue with 5/3 overriding entry Enqueue (New_Item : in Queue_Interfaces.Element_Type); overriding entry Dequeue (Element : out Queue_Interfaces.Element_Type); 6/3

not overriding procedure Dequeue_Only_High_Priority (At_Least : in Queue_Priority; Element : in out Queue_Interfaces.Element_Type; Success : out Boolean); 7/5

overriding function Current_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; overriding function Peak_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; 8/3 private ... -- not specified by the language end Queue; 9/3 private 10/3 ... -- not specified by the language 11/3 end Ada.Containers.Unbounded_Priority_Queues;

12/3

The type Queue is used to represent task-safe priority queues.

13/3

The capacity for instances of type Queue is unbounded.

14/3

Two elements E1 and E2 are equivalent if Before(Get_Priority(E1), Get_Priority(E2)) and Before(Get_Priority(E2), Get_Priority(E1)) both return False.

15/3

The actual functions for Get_Priority and Before are expected to return the same value each time they are called with the same actuals, and should not modify their actuals. Before should define a strict weak ordering relationship (see A.18). If the actual functions behave in some other manner, the behavior of Unbounded_Priority_Queues is unspecified.

16/3

Enqueue inserts an item according to the order specified by the Before function on the result of Get_Priority on the elements; Before should return True if Left is to be inserted before Right. If the queue already contains elements equivalent to New_Item, then it is inserted after the existing equivalent elements.

16.a/3
ramification

Enqueue never blocks; if more storage is needed for a new element, it is allocated dynamically. We don't need to explicitly specify that Queue needs finalization, because it is visibly protected.

17/3

For a call on Dequeue_Only_High_Priority, if the head of the nonempty queue is E, and the function Before(At_Least, Get_Priority(E)) returns False, then E is assigned to Element and then removed from the queue, and Success is set to True; otherwise, Success is set to False and Element is unchanged.

17.a/3
ramification

Unlike Dequeue, Dequeue_Only_High_Priority is not blocking; it always returns immediately.

17.b/3
reason

The use of Before is "backwards" so that it acts like ">=" (it is defined similarly to ">"); thus we dequeue only when it is False.

Extensions to Ada 2005

17.c/3

The generic package Containers.Unbounded_Priority_Queues is new.

A.18.31 The Generic Package Containers.Bounded_Priority_Queues

Static Semantics

1/3

The language-defined generic package Containers.Bounded_Priority_Queues provides type Queue, which implements the interface type Containers.Synchronized_Queue_Interfaces.Queue.

2/5

with System; with Ada.Containers.Synchronized_Queue_Interfaces; generic with package Queue_Interfaces is new Ada.Containers.Synchronized_Queue_Interfaces (<>); type Queue_Priority is private; with function Get_Priority (Element : Queue_Interfaces.Element_Type) return Queue_Priority is <>; with function Before (Left, Right : Queue_Priority) return Boolean is <>; Default_Capacity : Count_Type; Default_Ceiling : System.Any_Priority := System.Priority'Last; package Ada.Containers.Bounded_Priority_Queues with Preelaborate, Nonblocking, Global => in out synchronized is

2.a/5
discussion

For discussion on the reasons and meaning of the specifications of the Global and Nonblocking aspects of this generic package, see the notes on the specification of the Containers.Vectors package (see A.18.2).

3/3

package Implementation is ... -- not specified by the language end Implementation; 4/3 protected type Queue (Capacity : Count_Type := Default_Capacity; Ceiling : System.Any_Priority := Default_Ceiling) with Priority => Ceiling is new Queue_Interfaces.Queue with 5/3 overriding entry Enqueue (New_Item : in Queue_Interfaces.Element_Type); overriding entry Dequeue (Element : out Queue_Interfaces.Element_Type); 6/3

not overriding procedure Dequeue_Only_High_Priority (At_Least : in Queue_Priority; Element : in out Queue_Interfaces.Element_Type; Success : out Boolean); 7/5

overriding function Current_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; overriding function Peak_Use return Count_Type with Nonblocking, Global => null, Use_Formal => null; 8/3 private ... -- not specified by the language end Queue; 9/3 private 10/3 ... -- not specified by the language 11/3 end Ada.Containers.Bounded_Priority_Queues;

12/3

The semantics are the same as for Unbounded_Priority_Queues, except:

13/3
  • The capacity for instances of type Queue is bounded and specified by the discriminant Capacity.
13.a/3
ramification

Since this type has a bounded capacity, Enqueue might block if the queue is full.

Implementation Advice

14/3

Bounded priority queue objects should be implemented without implicit pointers or dynamic allocation.

14.a.1/3
implementation advice

Bounded priority queue objects should be implemented without implicit pointers or dynamic allocation.

Extensions to Ada 2005

14.a/3

The generic package Containers.Bounded_Priority_Queues is new.

A.18.32 The Generic Package Containers.Bounded_Indefinite_Holders

1/5

The language-defined generic package Containers.Bounded_Indefinite_Holders provides a private type Holder and a set of operations for that type. It provides the same operations as the package Containers.Indefinite_Holders (see A.18.18), with the difference that the maximum storage is bounded.

Static Semantics

2/5

The declaration of the generic library package Containers.Bounded_Indefinite_Holders has the same contents and semantics as Containers.Indefinite_Holders except:

3/5
  • The following is added to the context clause:
4/5

with System.Storage_Elements; use System.Storage_Elements;

5/5
  • An additional generic parameter follows Element_Type:
6/5

Max_Element_Size_in_Storage_Elements : Storage_Count;

6.a/5
reason

This value is in Storage_Elements so that it can be used as a discriminant on a storage pool object in the implementation of the object; Ada doesn't allow discriminant dependent components to use formulas.

6.b/5

This is a generic parameter as it is a property of the Element_Type; the largest possible object of Element_Type is unlikely to be different for different containers, so making it a discriminant (as Capacity is) provides no useful capability.

7/5
  • The aspect_definition for Preelaborable_Initialization for type Holder is changed to:
8/5

Preelaborable_Initialization => Element_Type'Preelaborable_Initialization

9/5
  • Add to the precondition of To_Holder and Replace_Element:
10/5

and then (New_Item'Size <= Max_Element_Size_in_Storage_Elements * System.Storage_Unit or else raise Program_Error)

10.a/5
reason

This ensures that an object that won't fit is not inserted into the container.

Bounded (Run-Time) Errors

11/5

It is a bounded error to assign from a bounded holder object while tampering with elements of that object is prohibited. Either Program_Error is raised by the assignment, execution proceeds with the target object prohibiting tampering with elements, or execution proceeds normally.

Implementation Requirements

12/5

For each instance of Containers.Indefinite_Holders and each instance of Containers.Bounded_Indefinite_Holders, if the two instances meet the following conditions, then the output generated by the Holder'Output or Holder'Write subprograms of either instance shall be readable by the Holder'Input or Holder'Read of the other instance, respectively:

13/5
  • the Element_Type parameters of the two instances are statically matching subtypes of the same type; and
  • 14/5
  • the output generated by Element_Type'Output or Element_Type'Write is readable by Element_Type'Input or Element_Type'Read, respectively (where Element_Type denotes the type of the two actual Element_Type parameters).

Implementation Advice

15/5

Bounded holder objects should be implemented without dynamic allocation and any finalization should be trivial unless Element_Type needs finalization.

15.a.1/5
implementation advice

Bounded holder objects should be implemented without dynamic allocation.

15.a/5

To be honest: Implementation of this container in Ada will probably require the use of a special storage pool. When we say "without dynamic allocation", we mean that this pool does not use heap memory and has a trivial finalization routine (that is, procedures Adjust and Finalize are null procedures). All storage pools are controlled, so we can't reasonably say that a bounded holder will not need finalization.

15.b/5
implementation note

If the implementation supports discontiguous objects that require multiple calls to Allocate in a storage pool, the storage pool will need to support such allocations. The storage pool implementation can assume that all Allocate calls occur together, and similarly for Deallocate calls, thus simplifying the pool implementation so that allocation only occurs at a high-water mark location.

16/5

The about the Move and Swap operations is deleted for bounded holders; these operations can copy elements as necessary.

16.a/5
reason

The memory of a bounded indefinite holder belongs directly to the container, so it cannot be moved with the element. If the element type contains any internal pointers, moving it without calling Adjust would leave such pointers pointing to the wrong holder object. Thus, a full copy is needed, including any associated finalization and adjustments.

Extensions to Ada 2012

16.b/5

The generic package Containers.Bounded_Indefinite_Holders is new.

A.18.33 Example of Container Use

Examples

1/3

The following example is an implementation of Dijkstra's shortest path algorithm in a directed graph with positive distances. The graph is represented by a map from nodes to sets of edges.

2/3

with Ada.Containers.Vectors; with Ada.Containers.Doubly_Linked_Lists; use Ada.Containers; generic type Node is range <>; package Shortest_Paths is type Distance is new Float range 0.0 .. Float'Last; type Edge is record To, From : Node; Length : Distance; end record; 3/3 package Node_Maps is new Vectors (Node, Node); -- The algorithm builds a map to indicate the node used to reach a given -- node in the shortest distance. 4/3 package Adjacency_Lists is new Doubly_Linked_Lists (Edge); use Adjacency_Lists; 5/3 package Graphs is new Vectors (Node, Adjacency_Lists.List); 6/3 package Paths is new Doubly_Linked_Lists (Node); 7/3 function Shortest_Path (G : Graphs.Vector; Source : Node; Target : Node) return Paths.List with Pre => G (Source) /= Adjacency_Lists.Empty_List; 8/3 end Shortest_Paths; 9/5

package body Shortest_Paths is function Shortest_Path (G : Graphs.Vector; Source : Node; Target : Node) return Paths.List is use Node_Maps, Paths, Graphs; Reached : array (Node) of Boolean := (others => False); -- The set of nodes whose shortest distance to the source is known. 10/3

Reached_From : array (Node) of Node; So_Far : array (Node) of Distance := (others => Distance'Last); The_Path : Paths.List := Paths.Empty_List; Nearest_Distance : Distance; Next : Node; begin So_Far(Source) := 0.0; 11/3 while not Reached(Target) loop Nearest_Distance := Distance'Last; 12/3 -- Find closest node not reached yet, by iterating over all nodes. -- A more efficient algorithm uses a priority queue for this step. 13/3 Next := Source; for N in Node'First .. Node'Last loop if not Reached(N) and then So_Far(N) < Nearest_Distance then Next := N; Nearest_Distance := So_Far(N); end if; end loop; 14/3

if Nearest_Distance = Distance'Last then -- No next node found, graph is not connected return Paths.Empty_List; 15/3 else Reached(Next) := True; end if; 16/3 -- Update minimum distance to newly reachable nodes. 17/3

for E of G (Next) loop if not Reached(E.To) then Nearest_Distance := E.Length + So_Far(Next); 18/3 if Nearest_Distance < So_Far(E.To) then Reached_From(E.To) := Next; So_Far(E.To) := Nearest_Distance; end if; end if; end loop; end loop; 19/3 -- Rebuild path from target to source. 20/5

declare N : Node := Target; begin Prepend (The_Path, N); while N /= Source loop N := Reached_From(N); Prepend (The_Path, N); end loop; end; 21/3 return The_Path; end; end Shortest_Paths;

22/3

Note that the effect of the Constant_Indexing aspect (on type Vector) and the Implicit_Dereference aspect (on type Reference_Type) is that

23/3

G (Next)

24/5

is a convenient shorthand for

25/3

G.Constant_Reference (Next).Element.all

26/3

Similarly, the effect of the loop:

27/3

for E of G (Next) loop if not Reached(E.To) then ... end if; end loop;

28/3

is the same as:

29/4

for C in G (Next).Iterate loop declare E : Edge renames G (Next)(C); begin if not Reached(E.To) then ... end if; end; end loop;

30/3

which is the same as:

31/4

declare L : Adjacency_Lists.List renames G (Next); C : Adjacency_Lists.Cursor := L.First; begin while Has_Element (C) loop declare E : Edge renames L(C); begin if not Reached(E.To) then ... end if; end; C := L.Next (C); end loop; end;

Wording Changes from Ada 2005

31.a/3

This example of container use is new.