Annotated Ada Reference ManualLegal Information
Contents   Index   References   Search   Previous   Next 

13.11.2 Unchecked Storage Deallocation

[ Unchecked storage deallocation of an object designated by a value of an access type is achieved by a call to an instance of the generic procedure Unchecked_Deallocation.]

Static Semantics

The following language-defined generic library procedure exists: 
{AI05-0229-1} generic
   type Object(<>) is limited private;
   type Name   is access  Object;
procedure Ada.Unchecked_Deallocation(X : in out Name)
   with Convention => Intrinsic;
pragma Convention(Intrinsic, Ada.Unchecked_Deallocation);

pragma Preelaborate(Ada.Unchecked_Deallocation);
Reason: {AI05-0229-1} The aspect pragma Convention implies that the attribute Access is not allowed for instances of Unchecked_Deallocation. 

Legality Rules

  {AI05-0157-1} A call on an instance of Unchecked_Deallocation is illegal if the actual access type of the instance is a type for which the Storage_Size has been specified by a static expression with value zero or is defined by the language to be zero. In addition to the places where Legality Rules normally apply (see 12.3), this rule applies also in the private part of an instance of a generic unit.
Discussion: This rule is the same as the rule for allocators. We could have left the last sentence out, as a call to Unchecked_Deallocation cannot occur in a specification as it is a procedure call, but we left it for consistency and to avoid future maintenance hazards. 

Dynamic Semantics

Given an instance of Unchecked_Deallocation declared as follows: 
procedure Free is
    new Ada.Unchecked_Deallocation(
Procedure Free has the following effect: 
After executing Free(X), the value of X is null.
Free(X), when X is already equal to null, has no effect.
{AI95-00416-01} {AI05-0107-1} Free(X), when X is not equal to null first performs finalization of the object designated by X (and any coextensions of the object — see 3.10.2), as described in 7.6.1 7.6. It then deallocates the storage occupied by the object designated by X (and any coextensions). If the storage pool is a user-defined object, then the storage is deallocated by calling Deallocate as described in 13.11, passing access_to_variable_subtype_name'Storage_Pool as the Pool parameter. Storage_Address is the value returned in the Storage_Address parameter of the corresponding Allocate call. Size_In_Storage_Elements and Alignment are the same values passed to the corresponding Allocate call. There is one exception: if the object being freed contains tasks, the object might not be deallocated. 
Ramification: {AI05-0107-1} Free calls only the specified Deallocate procedure to do deallocation. For any given object deallocation, the number of calls to Free (usually one) will be equal to the number of Allocate calls it took to allocate the object. We do not define the relative order of multiple calls used to deallocate the same object — that is, if the allocator allocated two pieces x and y, then Free might deallocate x and then y, or it might deallocate y and then x. 
 {AI95-00416-01} After Free(X), the object designated by X, and any subcomponents (and coextensions) thereof, no longer exist; their storage can be reused for other purposes. 

Bounded (Run-Time) Errors

It is a bounded error to free a discriminated, unterminated task object. The possible consequences are: 
Reason: This is an error because the task might refer to its discriminants, and the discriminants might be deallocated by freeing the task object. 
No exception is raised.
Program_Error or Tasking_Error is raised at the point of the deallocation.
Program_Error or Tasking_Error is raised in the task the next time it references any of the discriminants. 
Implementation Note: This last case presumes an implementation where the task references its discriminants indirectly, and the pointer is nulled out when the task object is deallocated. 
In the first two cases, the storage for the discriminants (and for any enclosing object if it is designated by an access discriminant of the task) is not reclaimed prior to task termination. 
Ramification: The storage might never be reclaimed. 

Erroneous Execution

 {AI05-0033-1} {AI05-0262-1} Evaluating a name that denotes a nonexistent object, or a protected subprogram or subprogram renaming whose associated object (if any) is nonexistent, is erroneous. The execution of a call to an instance of Unchecked_Deallocation is erroneous if the object was created other than by an allocator for an access type whose pool is Name'Storage_Pool.
Reason: {AI05-0033-1} {AI05-0262-1} The part about a protected subprogram is intended to cover the case of an access-to-protected-subprogram where the associated object has been deallocated. The part about a subprogram renaming is intended to cover the case of a renaming of a prefixed view where the prefix object has been deallocated, or the case of a renaming of an entry or protected subprogram where the associated task or protected object has been deallocated. 
Ramification: {AI05-0157-1} This text does not cover the case of a name that contains a null access value, as null does not denote an object (rather than denoting a nonexistent object). 

Implementation Advice

For a standard storage pool, Free should actually reclaim the storage. 
Implementation Advice: For a standard storage pool, an instance of Unchecked_Deallocation should actually reclaim the storage.
Ramification: {AI95-00114-01} This is not a testable property, since we do not know how much storage is used by a given pool element, nor whether fragmentation can occur. 
   {AI05-0157-1} A call on an instance of Unchecked_Deallocation with a non-null access value should raise Program_Error if the actual access type of the instance is a type for which the Storage_Size has been specified to be zero or is defined by the language to be zero.
Implementation Advice: A call on an instance of Unchecked_Deallocation with a non-null access value should raise Program_Error if the actual access type of the instance is a type for which the Storage_Size has been specified to be zero or is defined by the language to be zero.
Discussion: If the call is not illegal (as in a generic body), we recommend that it raise Program_Error. Since the execution of this call is erroneous (any allocator from the pool will have raised Storage_Error, so the non-null access value must have been allocated from a different pool or be a stack-allocated object), we can't require any behavior — anything at all would be a legitimate implementation. 
31  The rules here that refer to Free apply to any instance of Unchecked_Deallocation.
32  Unchecked_Deallocation cannot be instantiated for an access-to-constant type. This is implied by the rules of 12.5.4.

Wording Changes from Ada 95

{AI95-00416-01} The rules for coextensions are clarified (mainly by adding that term). In theory, this reflects no change from Ada 95 (coextensions existed in Ada 95, they just didn't have a name).

Wording Changes from Ada 2005

{AI05-0033-1} Correction: Added a rule that using an access-to-protected-subprogram is erroneous if the associated object no longer exists. It is hard to imagine an alternative meaning here, and this has no effect on correct programs.
{AI05-0107-1} Correction: Moved the requirements on an implementation-generated call to Deallocate to 13.11, in order to put all of the rules associated with implementation-generated calls to Allocate and Deallocate together.
{AI05-0157-1} Correction: Added wording so that calling an instance of Unchecked_Deallocation is treated similarly to allocators for access types where allocators would be banned. 

Contents   Index   References   Search   Previous   Next 
Ada-Europe Ada 2005 and 2012 Editions sponsored in part by Ada-Europe