path: root/gcc/ada/libgnat/i-cstrin.ads
blob: 3f55ddfbdc55df21b89be5726574789a25ff9889 (plain)
------------------------------------------------------------------------------
--                                                                          --
--                         GNAT COMPILER COMPONENTS                         --
--                                                                          --
--                 I N T E R F A C E S . C . S T R I N G S                  --
--                                                                          --
--                                 S p e c                                  --
--                                                                          --
--          Copyright (C) 1993-2023, Free Software Foundation, Inc.         --
--                                                                          --
-- This specification is derived from the Ada Reference Manual for use with --
-- GNAT. The copyright notice above, and the license provisions that follow --
-- apply solely to the  contents of the part following the private keyword. --
--                                                                          --
-- GNAT is free software;  you can  redistribute it  and/or modify it under --
-- terms of the  GNU General Public License as published  by the Free Soft- --
-- ware  Foundation;  either version 3,  or (at your option) any later ver- --
-- sion.  GNAT is distributed in the hope that it will be useful, but WITH- --
-- OUT ANY WARRANTY;  without even the  implied warranty of MERCHANTABILITY --
-- or FITNESS FOR A PARTICULAR PURPOSE.                                     --
--                                                                          --
-- As a special exception under Section 7 of GPL version 3, you are granted --
-- additional permissions described in the GCC Runtime Library Exception,   --
-- version 3.1, as published by the Free Software Foundation.               --
--                                                                          --
-- You should have received a copy of the GNU General Public License and    --
-- a copy of the GCC Runtime Library Exception along with this program;     --
-- see the files COPYING3 and COPYING.RUNTIME respectively.  If not, see    --
-- <http://www.gnu.org/licenses/>.                                          --
--                                                                          --
-- GNAT was originally developed  by the GNAT team at  New York University. --
-- Extensive contributions were provided by Ada Core Technologies Inc.      --
--                                                                          --
------------------------------------------------------------------------------

--  Preconditions in this unit are meant for analysis only, not for run-time
--  checking, so that the expected exceptions are raised. This is enforced by
--  setting the corresponding assertion policy to Ignore. These preconditions
--  protect from Constraint_Error, Dereference_Error and Update_Error, but not
--  from Storage_Error.

pragma Assertion_Policy (Pre => Ignore);
--  Precondition aspects in this unit are not evaluated at run time. They
--  state the contract for static analysis only; a caller that has not been
--  proved against them gets the run-time behaviour of the body (the
--  expected exceptions), not an assertion failure at the call.

--  Interface to nul-terminated C strings held in memory that Ada does not
--  manage. C_Memory is the abstract state used by the Global aspects below
--  to describe which subprograms read or update memory reached through a
--  chars_ptr.

package Interfaces.C.Strings with
  SPARK_Mode     => On,
  Abstract_State => (C_Memory),
  Initializes    => (C_Memory),
  Always_Terminates
is
   pragma Preelaborate;

   type char_array_access is access all char_array;
   for char_array_access'Size use System.Parameters.ptr_bits;

   pragma No_Strict_Aliasing (char_array_access);
   --  Since this type is used for external interfacing, with the pointer
   --  coming from who knows where, it seems a good idea to turn off any
   --  strict aliasing assumptions for this type.

   type chars_ptr is private;
   pragma Preelaborable_Initialization (chars_ptr);
   --  Opaque handle on a C string; the full view (see private part) is a
   --  plain access-to-Character, so it carries no bounds or length.

   type chars_ptr_array is array (size_t range <>) of aliased chars_ptr;

   Null_Ptr : constant chars_ptr;
   --  The null C pointer. Every dereferencing operation below has
   --  Item /= Null_Ptr in its precondition.

   function To_Chars_Ptr
     (Item      : char_array_access;
      Nul_Check : Boolean := False) return chars_ptr
   with
     SPARK_Mode => Off;  --  To_Chars_Ptr'Result is aliased with Item
   --  The result shares storage with Item rather than copying it, which is
   --  why this function is excluded from SPARK analysis.
   --
   --  Nul_Check defaults to False. Per Ada RM B.3.1, the check that Item.all
   --  contains nul (propagating Terminator_Error otherwise) is made only
   --  when Nul_Check is True, so with the default the caller is responsible
   --  for Item.all being nul-terminated before the result is passed to
   --  Value, Strlen, Update or C code that scans for the terminator.

   function New_Char_Array (Chars : char_array) return chars_ptr with
     Volatile_Function,
     Post   => New_Char_Array'Result /= Null_Ptr,
     Global => (Input => C_Memory);
   --  The postcondition states that the result is never Null_Ptr.
   --  Allocation failure is outside these contracts: the unit header notes
   --  that Storage_Error is not covered.
   --  NOTE(review): per Ada RM B.3.1 the result designates newly allocated
   --  storage holding a copy of Chars, to be released with Free; confirm
   --  against the body.

   function New_String (Str : String) return chars_ptr with
     Volatile_Function,
     Post   => New_String'Result /= Null_Ptr,
     Global => (Input => C_Memory);
   --  String counterpart of New_Char_Array, with the same non-null
   --  postcondition and the same Storage_Error caveat.

   procedure Free (Item : in out chars_ptr) with
     SPARK_Mode => Off;
   --  When deallocation is prohibited (eg: cert runtimes) this routine
   --  will raise Program_Error
   --
   --  Only the actual passed as Item can be changed by this call (mode
   --  in out). Any other copy of the same chars_ptr value is untouched and
   --  must not be used afterwards.
   --  NOTE(review): per Ada RM B.3.1, Item is reset to Null_Ptr and Free is
   --  meant for pointers obtained from New_Char_Array or New_String; confirm
   --  against the body.

   Dereference_Error : exception;
   --  One of the exceptions that the Item /= Null_Ptr preconditions are
   --  written to exclude (see the unit header).

   function Value (Item : chars_ptr) return char_array with
     Pre    => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  No length is supplied, so the extent read depends on the data Item
   --  designates.
   --  NOTE(review): per Ada RM B.3.1 the result runs up to and including
   --  the first nul; a buffer without a terminator would be read past its
   --  end. Prefer the Length-bounded overload for data of uncertain origin.

   function Value
     (Item   : chars_ptr;
      Length : size_t) return char_array
   with
     Pre    => Item /= Null_Ptr and then Length /= 0,
     Global => (Input => C_Memory);
   --  Length-bounded variant. The precondition additionally excludes
   --  Length = 0.
   --  NOTE(review): presumably the Constraint_Error case mentioned in the
   --  unit header; confirm against the body.

   function Value (Item : chars_ptr) return String with
     Pre    => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  String counterpart of the unbounded Value above; the same caveat on
   --  missing terminators applies.

   function Value
     (Item   : chars_ptr;
      Length : size_t) return String
   with
     Pre    => Item /= Null_Ptr and then Length /= 0,
     Global => (Input => C_Memory);
   --  String counterpart of the Length-bounded Value above, with the same
   --  precondition.

   function Strlen (Item : chars_ptr) return size_t with
     Pre    => Item /= Null_Ptr,
     Global => (Input => C_Memory);
   --  Used by the Update preconditions below as the upper bound for writes.
   --  Like the unbounded Value, it has no length parameter and so relies on
   --  Item designating nul-terminated data.

   procedure Update
     (Item   : chars_ptr;
      Offset : size_t;
      Chars  : char_array;
      Check  : Boolean := True)
   with
     Pre    =>
       Item /= Null_Ptr
         and then (Chars'First /= 0 or else Chars'Last /= size_t'Last)
         and then Chars'Length <= size_t'Last - Offset
         and then Chars'Length + Offset <= Strlen (Item),
     Global => (In_Out => C_Memory);
   --  Writes into the memory designated by Item (Global In_Out). Reading
   --  the precondition conjuncts in order:
   --    * Item is not the null pointer;
   --    * Chars does not span the whole size_t index range, a case in which
   --      Chars'Length would not be representable in size_t;
   --    * Chars'Length + Offset cannot wrap around;
   --    * the written range ends at or before Strlen (Item), i.e. the write
   --      stays inside the existing string.
   --
   --  These conditions are not checked at run time (Assertion_Policy is
   --  Ignore for Pre).
   --  NOTE(review): per Ada RM B.3.1, Update_Error is raised for an
   --  out-of-range write only when Check is True. With Check => False
   --  nothing at run time bounds the write, so the caller must establish
   --  the last conjunct itself; confirm against the body.

   procedure Update
     (Item   : chars_ptr;
      Offset : size_t;
      Str    : String;
      Check  : Boolean := True)
   with
     Pre    =>
       Item /= Null_Ptr
         and then Str'Length <= size_t'Last - Offset
         and then Str'Length + Offset <= Strlen (Item),
     Global => (In_Out => C_Memory);
   --  String counterpart of Update above: same wrap-around guard and same
   --  Strlen bound, and the same caveat when Check => False is passed.

   Update_Error : exception;
   --  One of the exceptions that the Update preconditions are written to
   --  exclude (see the unit header).

private
   pragma SPARK_Mode (Off);
   --  The full view is a raw access type, so the private part is excluded
   --  from SPARK analysis.

   type chars_ptr is access all Character;
   for chars_ptr'Size use System.Parameters.ptr_bits;
   --  Size is taken from System.Parameters.ptr_bits, the same value used
   --  for char_array_access above.

   pragma No_Strict_Aliasing (chars_ptr);
   --  Since this type is used for external interfacing, with the pointer
   --  coming from who knows where, it seems a good idea to turn off any
   --  strict aliasing assumptions for this type.

   Null_Ptr : constant chars_ptr := null;
end Interfaces.C.Strings;