Positive but it is but as the actual… sorry.
Screw aspect specifications, your Assert made me find the solution ! pragma Compile_Time_Error.
This pragma can be used to generate additional compile time error messages. It is particularly useful in generics, where errors can be issued for specific problematic instantiations
Gnat-specific but perfect. Extraordinary useful. I just added in the body:
procedure decimal_radix_sort (List: IN OUT ListType) is
pragma Compile_Time_Error (Indextype’Last = Indextype’Base’Last, “indextype too narrow”);
But it forces the user to provide an actual explicitly excluding its base type last element. Neither gnat or spark can prove anything that considers List’s actual range instead of Indextype. Anything like pragma Compile_Time_Error (List'Last = Indextype'Base'Last, "indextype too narrow");
produces “condition is not known at compile time” and the corresponding assertion can not be proved.
Yet in all those cases List’s value is static. It’s bothersome to need to make an index subtype that excludes indextype’Base’Last. There is a loop that increment an index that exceeds List’Last at the end of last iteration. I know I can simply add an exception handler but it’s not fun.
But why can’t Spark see the value of List ? I would have supposed the following could be proved
spark code
procedure main with SPARK_Mode is
generic
type Indextype is (<>);
type ListType IS array (Indextype range <>) of Integer;
procedure decimal_radix_sort (List: ListType);
procedure decimal_radix_sort (List: ListType) is
pragma Assert (List’Last < Indextype’Base’Last);
begin
null;
end decimal_radix_sort;
type PosArray is array (Positive range <>) of Integer;
procedure sort is new decimal_radix_sort (Positive,PosArray);
List: PosArray := (4,87,557,9,0,1);
begin
sort (List);
end main;
Lastly, I would like to suppress Range_Check pr Overflow_check locally with
pragma Suppress (Range_Check);
PlaceInResult := Indextype’Succ (@);
pragma Unsuppress (Range_Check);
… But it has this damn limitation:
A checking pragma is allowed only immediately within a declarative_part, immediately within a package_specification, or as a configuration pragma.
Why ? I don’t want to suppress it everywhere, but just locally !