D.7 Tasking Restrictions

danger

This Reference Manual output has not been verified, and may contain omissions or errors. Report any problems on the tracking issue

1/3

[This subclause defines restrictions that can be used with a pragma Restrictions (see 13.12) to facilitate the construction of highly efficient tasking run-time systems.]

Static Semantics

1.1/5

A scalar expression within a protected unit is said to be pure-barrier-eligible if it is one of the following:

1.2/5

• a static expression;
  
1.3/5
• a name that statically names (see 4.9) a scalar subcomponent of the immediately enclosing protected unit;
  
1.4/5
• a Count attribute_reference whose prefix statically denotes an entry declaration of the immediately enclosing unit;
  
1.5/5
• a call to a predefined relational operator or boolean logical operator (and, or, xor, not), where each operand is pure-barrier-eligible;
  
1.6/5
• a membership test whose tested_simple_expression is pure-barrier-eligible, and whose membership_choice_list meets the requirements for a static membership test (see 4.9);
  
1.7/5
• a short-circuit control form both of whose operands are pure-barrier-eligible;
  
1.8/5
• a conditional_expression all of whose conditions, selecting_expressions, and dependent_expressions are pure-barrier-eligible; or
  
1.9/5
• a pure-barrier-eligible expression enclosed in parentheses.
  

2

The following restriction_identifiers are language defined:

3/3

No_Task_Hierarchy

No task depends on a master other than the library-level master.

3.a/3

ramification

This is equivalent to saying “no task depends on a master other than the master that is the execution of the body of the environment task of the partition”, but it is much easier to understand. This is a post-compilation check, which can be checked at compile-time.

3.b/3

note

This disallows any function returning an object with a task part or coextension, even if called at the library level, as such a task would temporarily depend on a nested master (the master of the return statement), which is disallowed by this restriction.

4/3

{8652/0042} No_Nested_Finalization

Objects of a type that needs finalization (see 7.6) are declared only at library level. If an access type does not have library-level accessibility, then there are no allocators of the type where the type determined by the subtype_mark of the subtype_indication or qualified_expression needs finalization.

4.a/1

note

This paragraph was deleted.{8652/0042}

4.b/3

ramification

The second sentence prevents the declaration of objects of access types which would require nested finalization. It also prevents the declarations of coextensions that need finalization in a nested scope. The latter cannot be done by preventing the declaration of the objects, as it is not necessarily known if the coextension type needs finalization (it could be a limited view).

5/3

No_Abort_Statements

There are no abort_statements, and there is no use of a name denoting Task_Identification.Abort_Task.

6

No_Terminate_Alternatives

There are no selective_accepts with terminate_alternatives.

7

No_Task_Allocators

There are no allocators for task types or types containing task subcomponents.

7.1/3

In the case of an initialized allocator of an access type whose designated type is class-wide and limited, a check is made that the specific type of the allocated object has no task subcomponents. Program_Error is raised if this check fails.

8

No_Implicit_Heap_Allocations

There are no operations that implicitly require heap storage allocation to be performed by the implementation. The operations that implicitly require heap storage allocation are implementation defined.

8.a

implementation defined

Any operations that implicitly require heap storage allocation.

9/2

No_Dynamic_Priorities

There are no semantic dependences on the package Dynamic_Priorities, and no occurrences of the attribute Priority.

10/3

No_Dynamic_Attachment

There is no use of a name denoting any of the operations defined in package Interrupts (Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler, Detach_Handler, and Reference).

10.a/3

ramification

This includes 'Access and 'Address of any of these operations, as well as inherited versions of these operations.

10.1/4

No_Dynamic_CPU_Assignment

No task has the CPU aspect specified to be a non-static expression. Each task (including the environment task) that has the CPU aspect specified as Not_A_Specific_CPU will be assigned to a particular implementation-defined CPU. The same is true for the environment task when the CPU aspect is not specified. [Any other task without a CPU aspect will activate and execute on the same processor as its activating task.]

10.b/4

proof

The processor of a task without a CPU aspect is defined in D.16, and this restriction guarantees that the activator always has a CPU assigned.

10.c/4

reason

This restriction prevents any migration of tasks.

10.d/4

ramification

If no CPU aspects are specified, then the program will run on a single CPU, as all of the tasks will be activated directly or indirectly by the environment task, and the rules require the same CPU to be used as the activating task.

10.d.1/4

implementation defined

When restriction No_Dynamic_CPU_Assignment applies to a partition, the processor on which a task with a CPU value of a Not_A_Specific_CPU will execute.

10.2/3

No_Local_Protected_Objects

Protected objects are declared only at library level.

10.3/3

No_Local_Timing_Events

Timing_Events are declared only at library level.

10.4/2

No_Protected_Type_Allocators

There are no allocators for protected types or types containing protected type subcomponents.

10.5/3

In the case of an initialized allocator of an access type whose designated type is class-wide and limited, a check is made that the specific type of the allocated object has no protected subcomponents. Program_Error is raised if this check fails.

10.6/3

No_Relative_Delay

There are no delay_relative_statements, and there is no use of a name that denotes the Timing_Events.Set_Handler subprogram that has a Time_Span parameter.

10.7/3

No_Requeue_Statements

There are no requeue_statements.

10.8/3

No_Select_Statements

There are no select_statements.

10.9/3

No_Specific_Termination_Handlers

There is no use of a name denoting the Set_Specific_Handler and Specific_Handler subprograms in Task_Termination.

10.10/4

No_Tasks_Unassigned_To_CPU

The CPU aspect is specified for the environment task. No CPU aspect is specified to be statically equal to Not_A_Specific_CPU. If aspect CPU is specified (dynamically) to the value Not_A_Specific_CPU, then Program_Error is raised. If Set_CPU or Delay_Until_And_Set_CPU are called with the CPU parameter equal to Not_A_Specific_CPU, then Program_Error is raised.

10.e/4

ramification

If this restriction is used in a context for which restriction No_Dynamic_CPU_Assignment is in effect, then no runtime check is needed when specifying the CPU aspect. If the restriction is used with the Ravenscar profile, no runtime checks are needed.

10.11/5

Pure_Barriers

The Boolean expression in each protected entry barrier is pure-barrier-eligible.

10.12/5

Simple_Barriers

The Boolean expression in each entry barrier is either a static expression or a name that statically names (see 4.9) a subcomponent of the enclosing protected object.

11

The following restriction_parameter_identifiers are language defined:

12

Max_Select_Alternatives

Specifies the maximum number of alternatives in a selective_accept.

13

Max_Task_Entries

Specifies the maximum number of entries per task. The bounds of every entry family of a task unit shall be static, or shall be defined by a discriminant of a subtype whose corresponding bound is static. [A value of zero indicates that no rendezvous are possible.]

14

Max_Protected_Entries

Specifies the maximum number of entries per protected type. The bounds of every entry family of a protected unit shall be static, or shall be defined by a discriminant of a subtype whose corresponding bound is static.

Dynamic Semantics

15/2

{8652/0076} The following restriction_identifier is language defined:

15.1/2

No_Task_Termination

All tasks are nonterminating. It is implementation-defined what happens if a task attempts to terminate. If there is a fall-back handler (see C.7.3) set for the partition it should be called when the first task attempts to terminate.

15.a.1/2

implementation defined

When restriction No_Task_Termination applies to a partition, what happens when a task terminates.

16

The following restriction_parameter_identifiers are language defined:

17/1

{8652/0076} Max_Storage_At_Blocking

Specifies the maximum portion [(in storage elements)] of a task's Storage_Size that can be retained by a blocked task. If an implementation chooses to detect a violation of this restriction, Storage_Error should be raised; otherwise, the behavior is implementation defined.

17.a.1/2

implementation defined

The behavior when restriction Max_Storage_At_Blocking is violated.

18/1

{8652/0076} Max_Asynchronous_Select_Nesting

Specifies the maximum dynamic nesting level of asynchronous_selects. A value of zero prevents the use of any asynchronous_select and, if a program contains an asynchronous_select, it is illegal. If an implementation chooses to detect a violation of this restriction for values other than zero, Storage_Error should be raised; otherwise, the behavior is implementation defined.

18.a.1/2

implementation defined

The behavior when restriction Max_Asynchronous_Select_Nesting is violated.

19/1

{8652/0076} Max_Tasks

Specifies the maximum number of task creations that may be executed over the lifetime of a partition, not counting the creation of the environment task. A value of zero prevents any task creation and, if a program contains a task creation, it is illegal. If an implementation chooses to detect a violation of this restriction, Storage_Error should be raised; otherwise, the behavior is implementation defined.

19.a

ramification

Note that this is not a limit on the number of tasks active at a given time; it is a limit on the total number of task creations that occur.

19.b

implementation note

We envision an implementation approach that places TCBs or pointers to them in a fixed-size table, and never reuses table elements.

19.b.1/2

implementation defined

The behavior when restriction Max_Tasks is violated.

19.1/2

Max_Entry_Queue_Length

Max_Entry_Queue_Length defines the maximum number of calls that are queued on an entry. Violation of this restriction results in the raising of Program_Error at the point of the call or requeue.

19.2/3

No_Standard_Allocators_After_Elaboration

Specifies that an allocator using a standard storage pool (see 13.11) shall not occur within a parameterless library subprogram, nor within the handled_sequence_of_statements of a task body. For the purposes of this rule, an allocator of a type derived from a formal access type does not use a standard storage pool.

19.3/3

At run time, Storage_Error is raised if an allocator using a standard storage pool is evaluated after the elaboration of the library_items of the partition has completed.

20

It is implementation defined whether the use of pragma Restrictions results in a reduction in executable program size, storage requirements, or execution time. If possible, the implementation should provide quantitative descriptions of such effects for each restriction.

20.a/2

implementation defined

Whether the use of pragma Restrictions results in a reduction in program code or data size or execution time.

Implementation Advice

21

When feasible, the implementation should take advantage of the specified restrictions to produce a more efficient implementation.

21.a/2

implementation advice

When feasible, specified restrictions should be used to produce a more efficient implementation.

22

note

NOTE 1 The above Storage_Checks can be suppressed with pragma Suppress.

Incompatibilities With Ada 95

22.a/2

correction

Amendment The No_Nested_Finalization is now defined in terms of types that need finalization. These types include a variety of language-defined types that might be implemented with a controlled type. If the restriction No_Nested_Finalization (see D.7) applies to the partition, and one of these language-defined types does not have a controlled part, it will not be allowed in local objects in Ada 2005 whereas it would be allowed in original Ada 95. Such code is not portable, as other Ada compilers may have had a controlled part, and thus would be illegal under the restriction.

Extensions to Ada 95

22.b/2

note

Restrictions No_Dynamic_Attachment, No_Local_Protected_Objects, No_Protected_Type_Allocators, No_Local_Timing_Events, No_Relative_Delay, No_Requeue_Statement, No_Select_Statements, No_Specific_Termination_Handlers, No_Task_Termination, Max_Entry_Queue_Length, and Simple_Barriers are newly added to Ada.

Wording Changes from Ada 95

22.c/2

note

{8652/0042} Corrigendum: Clarified that No_Nested_Finalization covered task and protected parts as well.

22.d/2

note

{8652/0076} Corrigendum: Changed the description of Max_Tasks and Max_Asynchronous_Select_Nested to eliminate conflicts with the High Integrity Annex (see H.4).

22.e/2

note

Added using of the new Priority attribute to the restriction No_Dynamic_Priorities.

22.f/2

note

Restriction No_Asynchronous_Control is now obsolescent.

Incompatibilities With Ada 2005

22.g/3

correction

Changed so that coextensions of types that require nested finalization are also prohibited; this is done by prohibiting allocators rather than objects of specific access types. It seems unlikely that any program depending on this restriction would violate it in this blatant manner, so it is expected that very few programs will be affected by this change.

22.h/3

correction

The restriction No_Relative_Delay was changed to include the Timing_Events routine that uses a relative delay. This means that a program that uses that routine and this restriction will now be rejected. However, such a program violates the spirit and intent of the restriction and as such the program should never have been allowed. Moreover, it is unlikely that any program depending on this restriction would violate it in such an obvious manner, so it is expected that very few programs will be affected by this change.

22.i/3

correction

A number of restrictions were changed from "no calls" on some subprogram to "no use of a name that denotes" that subprogram. This closes a hole where renames, uses as the prefix of 'Access, and the like, would not be rejected by the restriction, possibly allowing backdoor access to the prohibited subprogram. A program that uses one of these restrictions and using such backdoor access will now be rejected; however, it is extremely unlikely that any program that relies on these restrictions would also use an end-run around the restriction, so it is expected that very few programs will be affected by this change.

Extensions to Ada 2005

22.j/3

note

Restriction No_Standard_Allocators_After_Elaboration is newly added to Ada.

Wording Changes from Ada 2005

22.k/3

correction

Improved the wording of various restrictions to make it clearer that they prohibit things that would otherwise be legal, and to word them as definitions, not Legality Rules;.

22.l/3

correction

Added wording to explain how No_Task_Allocators and No_Protected_Type_Allocators are checked for class-wide types. This might be an extension if the compiler assumed the worst in the past (it is now a runtime check).

Extensions to Ada 2012

22.m/4

note

Corrigendum: Restriction No_Dynamic_CPU_Assignment is newly added to Ada, for use as part of the Ravenscar profile (see D.13).

22.n/4

note

Corrigendum: Restriction No_Tasks_Unassigned_To_CPU is newly added to Ada; it ensures that no task is running on an implementation-defined CPU so that task scheduling can be analyzed.

22.o/5

note

Restriction Pure_Barriers is newly added to Ada; it allows the Jorvik profile to use more expressive barriers than the Ravenscar profile without having to worry about exceptions or side-effects.

22.p/5

note

Restriction Simple_Barriers (which is part of the Ravenscar profile) is extended to allow statically named record and array subcomponents; this allows common static analysis patterns to be used with Ravenscar.