------------------------------------------------------------------------------
-- --
-- GNAT COMPILER COMPONENTS --
-- --
-- I N T E R F A C E S . C . S T R I N G S --
-- --
-- S p e c --
-- --
-- Copyright (C) 1993-2025, Free Software Foundation, Inc. --
-- --
-- This specification is derived from the Ada Reference Manual for use with --
-- GNAT. The copyright notice above, and the license provisions that follow --
-- apply solely to the contents of the part following the private keyword. --
-- --
-- GNAT is free software; you can redistribute it and/or modify it under --
-- terms of the GNU General Public License as published by the Free Soft- --
-- ware Foundation; either version 3, or (at your option) any later ver- --
-- sion. GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE. --
-- --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception, --
-- version 3.1, as published by the Free Software Foundation. --
-- --
-- You should have received a copy of the GNU General Public License and --
-- a copy of the GCC Runtime Library Exception along with this program; --
-- see the files COPYING3 and COPYING.RUNTIME respectively. If not, see --
-- <http://www.gnu.org/licenses/>. --
-- --
-- GNAT was originally developed by the GNAT team at New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc. --
-- --
------------------------------------------------------------------------------
-- This package declares types and subprograms that allow the allocation,
-- reference, update and deallocation of C-style strings, as defined by
-- ARM B.3.1.
-- Preconditions in this unit are meant for analysis only, not for run-time
-- checking, so that the expected exceptions are raised. This is enforced by
-- setting the corresponding assertion policy to Ignore. These preconditions
-- protect from Constraint_Error, Dereference_Error and Update_Error, but not
-- from Storage_Error.
pragma Assertion_Policy (Pre => Ignore);
--  The Pre aspects below are therefore not checked at run time: they are
--  proof obligations for analysis only. Run-time protection comes from the
--  bodies, which raise Dereference_Error / Update_Error as documented.

package Interfaces.C.Strings with
  SPARK_Mode        => On,
  Abstract_State    => (C_Memory),
  Initializes       => (C_Memory),
  Always_Terminates
is
   pragma Preelaborate;

   --  Definitions for C character arrays

   type char_array_access is access all char_array;
   for char_array_access'Size use System.Parameters.ptr_bits;

   pragma No_Strict_Aliasing (char_array_access);
   --  Since this type is used for external interfacing, with the pointer
   --  coming from who knows where, it seems a good idea to turn off any
   --  strict aliasing assumptions for this type.

   type chars_ptr is private;
   pragma Preelaborable_Initialization (chars_ptr);
   --  Opaque handle to C memory; the full view is an access type (see the
   --  private part), so it carries no length and no nul-termination
   --  guarantee of its own.

   type chars_ptr_array is array (size_t range <>) of aliased chars_ptr;

   Null_Ptr : constant chars_ptr;
   --  Null value for private type chars_ptr

   function To_Chars_Ptr
     (Item      : char_array_access;
      Nul_Check : Boolean := False) return chars_ptr
   with
     SPARK_Mode => Off; --  To_Chars_Ptr'Result is aliased with Item
   --  Extract raw chars_ptr from char_array access type. No copy is made:
   --  the result aliases Item, so the array must outlive every use of the
   --  returned pointer.
   --  NOTE(review): Nul_Check defaults to False, so presumably the check
   --  that Item is nul-terminated is skipped unless the caller opts in --
   --  confirm against the body.

   function New_Char_Array (Chars : char_array) return chars_ptr with
     Volatile_Function,
     Post => New_Char_Array'Result /= Null_Ptr,
     Global => (Input => C_Memory);
   --  Copy the contents of Chars into a newly allocated chars_ptr. The
   --  result is never Null_Ptr (Post); the caller owns the allocation and
   --  releases it with Free.

   function New_String (Str : String) return chars_ptr with
     Volatile_Function,
     Post => New_String'Result /= Null_Ptr,
     Global => (Input => C_Memory);
   --  Copy the contents of Str into a newly allocated chars_ptr. Same
   --  ownership rule as New_Char_Array: the caller must Free the result.

   procedure Free (Item : in out chars_ptr) with
     SPARK_Mode => Off;
   --  Release memory obtained from New_Char_Array / New_String.
   --  When deallocation is prohibited (eg: cert runtimes) this routine
   --  will raise Program_Error.
   --  NOTE(review): Item is an in out parameter; presumably it is reset to
   --  Null_Ptr on return so that a second Free or a later Value call sees
   --  a null pointer rather than a dangling one -- confirm against the body.

   Dereference_Error : exception;
   --  This exception is raised when a subprogram of this unit tries to
   --  dereference a chars_ptr with the value Null_Ptr.

   --  The Value functions copy the contents of a chars_ptr object
   --  into a char_array/String.

   --  There is a guard for a storage error on an object declaration for
   --  an array type with a modular index type with the size of
   --  Long_Long_Integer. The special processing is needed in this case
   --  to compute reliably the size of the object, and eventually, to
   --  raise Storage_Error, when wrap-around arithmetic might compute
   --  a meaningless size for the object.
   --
   --  The guard raises Storage_Error when
   --
   --     (Arr'Last / 2 - Arr'First / 2) > (2 ** 30)
   --

   function Value (Item : chars_ptr) return char_array with
     Pre => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  Copy the nul-terminated contents of Item into a char_array. The
   --  length is taken from the C memory itself, so Item must point at a
   --  properly terminated string; a missing terminator is not detectable
   --  from this spec.

   function Value
     (Item   : chars_ptr;
      Length : size_t) return char_array
   with
     Pre => Item /= Null_Ptr and then Length /= 0,
     Global => (Input => C_Memory);
   --  Copy at most Length characters of Item into a char_array; Length
   --  must be non-zero (Pre). Preferred over the unbounded variant when
   --  the caller knows an upper bound for the C buffer.

   function Value (Item : chars_ptr) return String with
     Pre => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  String form of the unbounded Value above.

   function Value
     (Item   : chars_ptr;
      Length : size_t) return String
   with
     Pre => Item /= Null_Ptr and then Length /= 0,
     Global => (Input => C_Memory);
   --  String form of the bounded Value above; Length must be non-zero.

   function Strlen (Item : chars_ptr) return size_t with
     Pre => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  Return the length of a string contained in a chars_ptr

   --  Update the contents of a chars_ptr with a char_array/String. If the
   --  update exceeds the original length of the chars_ptr the Update_Error
   --  exception is raised.
   --  NOTE(review): Check presumably selects that run-time bound check;
   --  since Pre is Ignore'd at run time (Assertion_Policy above), passing
   --  Check => False would leave an overlong write unguarded -- confirm
   --  against the body.

   procedure Update
     (Item   : chars_ptr;
      Offset : size_t;
      Chars  : char_array;
      Check  : Boolean := True)
   with
     Pre =>
       Item /= Null_Ptr
         --  An array spanning all of size_t would have a 'Length that
         --  does not fit in size_t; rule it out before the arithmetic below.
         and then (Chars'First /= 0 or else Chars'Last /= size_t'Last)
         --  Offset + Chars'Length must not wrap ...
         and then Chars'Length <= size_t'Last - Offset
         --  ... and must stay within the string currently held by Item.
         and then Chars'Length + Offset <= Strlen (Item),
     Global => (In_Out => C_Memory);

   procedure Update
     (Item   : chars_ptr;
      Offset : size_t;
      Str    : String;
      Check  : Boolean := True)
   with
     Pre =>
       Item /= Null_Ptr
         --  Same overflow and in-bounds conditions as the char_array form.
         and then Str'Length <= size_t'Last - Offset
         and then Str'Length + Offset <= Strlen (Item),
     Global => (In_Out => C_Memory);

   Update_Error : exception;
   --  Raised by Update when the write would exceed the original length of
   --  the chars_ptr (see the comment above the Update procedures).

private
   pragma SPARK_Mode (Off);

   type chars_ptr is access all Character;
   for chars_ptr'Size use System.Parameters.ptr_bits;
   --  Full view: a raw pointer to a single Character, i.e. a C char*.

   pragma No_Strict_Aliasing (chars_ptr);
   --  Since this type is used for external interfacing, with the pointer
   --  coming from who knows where, it seems a good idea to turn off any
   --  strict aliasing assumptions for this type.

   Null_Ptr : constant chars_ptr := null;

end Interfaces.C.Strings;