Contents   Index   Search   Previous   Next

7.3 Private Types and Private Extensions

   [The declaration (in the visible part of a package) of a type as a private type or private extension serves to separate the characteristics that can be used directly by outside program units (that is, the logical properties) from other characteristics whose direct use is confined to the package (the details of the definition of the type itself). See 3.9.1 for an overview of type extensions. {private types and private extensions} {information hiding: See private types and private extensions} {opaque type: See private types and private extensions} {abstract data type (ADT): See private types and private extensions} {ADT (abstract data type): See private types and private extensions} ]

Language Design Principles

A private (untagged) type can be thought of as a record type with the type of its single (hidden) component being the full view.
A private tagged type can be thought of as a private extension of an anonymous parent with no components. The only dispatching operation of the parent is equality (although the Size attribute, and, if nonlimited, assignment are allowed, and those will presumably be implemented in terms of dispatching).


private_type_declaration ::=
   type defining_identifier [discriminant_partis [[abstracttagged] [limitedprivate;
private_extension_declaration ::=
   type defining_identifier [discriminant_partis
     [abstractnew ancestor_subtype_indication with private;

Legality Rules

   {partial view (of a type)} {requires a completion (declaration of a partial view) [partial]} A private_type_declaration or private_extension_declaration declares a partial view of the type; such a declaration is allowed only as a declarative_item of the visible part of a package, and it requires a completion, which shall be a full_type_declaration that occurs as a declarative_item of the private part of the package. {full view (of a type)} The view of the type declared by the full_type_declaration is called the full view. A generic formal private type or a generic formal private extension is also a partial view.
To be honest: A private type can also be completed by a pragma Import, if supported by an implementation.
Reason: We originally used the term ``private view,'' but this was easily confused with the view provided from the private part, namely the full view.
   [A type shall be completely defined before it is frozen (see 3.11.1 and 13.14). Thus, neither the declaration of a variable of a partial view of a type, nor the creation by an allocator of an object of the partial view are allowed before the full declaration of the type. Similarly, before the full declaration, the name of the partial view cannot be used in a generic_instantiation or in a representation item.]
Proof: This rule is stated officially in 3.11.1, ``Completions of Declarations''.
   [A private type is limited if its declaration includes the reserved word limited; a private extension is limited if its ancestor type is limited.] If the partial view is nonlimited, then the full view shall be nonlimited. If a tagged partial view is limited, then the full view shall be limited. [On the other hand, if an untagged partial view is limited, the full view may be limited or nonlimited.]
   If the partial view is tagged, then the full view shall be tagged. [On the other hand, if the partial view is untagged, then the full view may be tagged or untagged.] In the case where the partial view is untagged and the full view is tagged, no derivatives of the partial view are allowed within the immediate scope of the partial view; [derivatives of the full view are allowed.]
Ramification: Note that deriving from a partial view within its immediate scope can only occur in a package that is a child of the one where the partial view is declared. The rule implies that in the visible part of a public child package, it is impossible to derive from an untagged private type declared in the visible part of the parent package in the case where the full view of the parent type turns out to be tagged. We considered a model in which the derived type was implicitly redeclared at the earliest place within its immediate scope where characteristics needed to be added. However, we rejected that model, because (1) it would imply that (for an untagged type) subprograms explicitly declared after the derived type could be inherited, and (2) to make this model work for composite types as well, several implicit redeclarations would be needed, since new characteristics can become visible one by one; that seemed like too much mechanism.
Discussion: The rule for tagged partial views is redundant for partial views that are private extensions, since all extensions of a given ancestor tagged type are tagged, and limited if the ancestor is limited. We phrase this rule partially redundantly to keep its structure parallel with the other rules.
To be honest: This rule is checked in a generic unit, rather than using the ``assume the best'' or ``assume the worst'' method.
Reason: Tagged limited private types have certain capabilities that are incompatible with having assignment for the full view of the type. In particular, tagged limited private types can be extended with access discriminants and components of a limited type, which works only because assignment is not allowed. Consider the following example:
package P1 is
    type T1 is tagged limited private;
    procedure Foo(X : in T1'Class);
    type T1 is tagged null record; -- Illegal!
        -- This should say ``tagged limited null record''.
end P1;
package body P1 is
    type A is access T1'Class;
    Global : A;
    procedure Foo(X : in T1'Class) is
        Global := new T1'Class'(X);
            -- This would be illegal if the full view of
            -- T1 were limited, like it's supposed to be.
    end Foo A;
end P1;
with P1;
package P2 is
    type T2(D : access Integer) -- Trouble!
            is new P1.T1 with
            My_Task : Some_Task_Type; -- More trouble!
        end record;
end P2;
with P1;
with P2;
procedure Main is
    Local : aliased Integer;
    Y : P2.T2(D A => Local'Access);
end Main;
If the above example were legal, we would have succeeded in making an access value that points to Main.Local after Main has been left, and we would also have succeeded in doing an assignment of a task object, both of which are supposed to be no-no's.
This rule is not needed for private extensions, because they inherit their limitedness from their ancestor, and there is a separate rule forbidding limited components of the corresponding record extension if the parent is nonlimited.
Ramification: A type derived from an untagged private type is untagged, even if the full view of the parent is tagged, and even at places that can see the parent:
package P is
    type Parent is private;
    type Parent is tagged
            X: Integer;
        end record;
end P;
with P;
package Q is
    type T is new P. Parent;
end Q;
with Q; use Q;
package body P is
    ... T'Class ... -- Illegal!
    Object: T;
    ... Object.X ... -- Illegal!
    ... Parent(Object).X ... -- OK.
end P;
The declaration of T declares an untagged view. This view is always untagged, so T'Class is illegal, it would be illegal to extend T, and so forth. The component name X is never visible for this view, although the component is still there -- one can get one's hands on it via a type_conversion.
   {ancestor subtype (of a private_extension_declaration)} The ancestor subtype of a private_extension_declaration is the subtype defined by the ancestor_subtype_indication; the ancestor type shall be a specific tagged type. The full view of a private extension shall be derived (directly or indirectly) from the ancestor type. In addition to the places where Legality Rules normally apply (see 12.3), the requirement that the ancestor be specific applies also in the private part of an instance of a generic unit.
Reason: This rule allows the full view to be defined through several intermediate derivations, possibly from a series of types produced by generic_instantiations.
   If the declaration of a partial view includes a known_discriminant_part, then the full_type_declaration shall have a fully conforming [(explicit)] known_discriminant_part [(see 6.3.1, ``Conformance Rules'')]. {full conformance (required)} [The ancestor subtype may be unconstrained; the parent subtype of the full view is required to be constrained (see 3.7).]
Discussion: If the ancestor subtype has discriminants, then it is usually best to make it unconstrained.
Ramification: If the partial view has a known_discriminant_part, then the full view has to be a composite, non-array type, since only such types may have known discriminants. Also, the full view cannot inherit the discriminants in this case; the known_discriminant_part has to be explicit.
That is, the following is illegal:
package P is
    type T(D : Integer) is private;
    type T is new Some_Other_Type; -- Illegal!
end P;
even if Some_Other_Type has an integer discriminant called D.
It is a ramification of this and other rules that in order for a tagged type to privately inherit unconstrained discriminants, the private type declaration has to have an unknown_discriminant_part.
    If a private extension inherits known discriminants from the ancestor subtype, then the full view shall also inherit its discriminants from the ancestor subtype, and the parent subtype of the full view shall be constrained if and only if the ancestor subtype is constrained.
Reason: The first part ensures that the full view has the same discriminants as the partial view. The second part ensures that if the partial view is unconstrained, then the full view is also unconstrained; otherwise, a client might constrain the partial view in a way that conflicts with the constraint on the full view.
    [If a partial view has unknown discriminants, then the full_type_declaration may define a definite or an indefinite subtype, with or without discriminants.]
    If a partial view has neither known nor unknown discriminants, then the full_type_declaration shall define a definite subtype.
    If the ancestor subtype of a private extension has constrained discriminants, then the parent subtype of the full view shall impose a statically matching constraint on those discriminants. {statically matching (required) [partial]}
Ramification: If the parent type of the full view is not the ancestor type, but is rather some descendant thereof, the constraint on the discriminants of the parent type might come from the declaration of some intermediate type in the derivation chain between the ancestor type and the parent type.
Reason: This prevents the following:
package P is
    type T2 is new T1(Discrim => 3) with private;
    type T2 is new T1(Discrim => 999) -- Illegal!
        with record ...;
end P;
The constraints in this example do not statically match.
If the constraint on the parent subtype of the full view depends on discriminants of the full view, then the ancestor subtype has to be unconstrained:
type One_Discrim(A: Integer) is tagged ...;
package P is
    type Two_Discrims(B: Boolean; C: Integer) is new One_Discrim with private;
    type Two_Discrims(B: Boolean; C: Integer) is new One_Discrim(A => C) with
        end record;
end P;
The above example would be illegal if the private extension said ``is new One_Discrim(A => C);'', because then the constraints would not statically match. (Constraints that depend on discriminants are not static.)

Static Semantics

    {private type [partial]} A private_type_declaration declares a private type and its first subtype. {private extension [partial]} Similarly, a private_extension_declaration declares a private extension and its first subtype.
Discussion: {package-private type} A package-private type is one declared by a private_type_declaration; that is, a private type other than a generic formal private type. {package-private extension} Similarly, a package-private extension is one declared by a private_extension_declaration. These terms are not used in the RM95 version of this document.
    A declaration of a partial view and the corresponding full_type_declaration define two views of a single type. The declaration of a partial view together with the visible part define the operations that are available to outside program units; the declaration of the full view together with the private part define other operations whose direct use is possible only within the declarative region of the package itself. {characteristics} Moreover, within the scope of the declaration of the full view, the characteristics of the type are determined by the full view; in particular, within its scope, the full view determines the classes that include the type, which components, entries, and protected subprograms are visible, what attributes and other predefined operations are allowed, and whether the first subtype is static. See 7.3.1.
    A private extension inherits components (including discriminants unless there is a new discriminant_part specified) and user-defined primitive subprograms from its ancestor type, in the same way that a record extension inherits components and user-defined primitive subprograms from its parent type (see 3.4).
To be honest: If an operation of the parent type is abstract, then the abstractness of the inherited operation is different for nonabstract record extensions than for nonabstract private extensions (see 3.9.3).

Dynamic Semantics

    {elaboration (private_type_declaration) [partial]} The elaboration of a private_type_declaration creates a partial view of a type. {elaboration (private_extension_declaration) [partial]} The elaboration of a private_extension_declaration elaborates the ancestor_subtype_indication, and creates a partial view of a type.
5  The partial view of a type as declared by a private_type_declaration is defined to be a composite view (in 3.2). The full view of the type might or might not be composite. A private extension is also composite, as is its full view.
6  Declaring a private type with an unknown_discriminant_part is a way of preventing clients from creating uninitialized objects of the type; they are then forced to initialize each object by calling some operation declared in the visible part of the package. If such a type is also limited, then no objects of the type can be declared outside the scope of the full_type_declaration, restricting all object creation to the package defining the type. This allows complete control over all storage allocation for the type. Objects of such a type can still be passed as parameters, however.
Discussion: {generic contract/private type contract analogy} Packages with private types are analogous to generic packages with formal private types, as follows: The declaration of a package-private type is like the declaration of a formal private type. The visible part of the package is like the generic formal part; these both specify a contract (that is, a set of operations and other things available for the private type). The private part of the package is like an instantiation of the generic; they both give a full_type_declaration that specifies implementation details of the private type. The clients of the package are like the body of the generic; usage of the private type in these places is restricted to the operations defined by the contract.
In other words, being inside the package is like being outside the generic, and being outside the package is like being inside the generic; a generic is like an ``inside-out'' package.
This analogy also works for private extensions in the same inside-out way.
Many of the legality rules are defined with this analogy in mind. See, for example, the rules relating to operations of [formal] derived types.
The completion rules for a private type are intentionally quite similar to the matching rules for a generic formal private type.
This analogy breaks down in one respect: a generic actual subtype is a subtype, whereas the full view for a private type is always a new type. (We considered allowing the completion of a private_type_declaration to be a subtype_declaration, but the semantics just won't work.) This difference is behind the fact that a generic actual type can be class-wide, whereas the completion of a private type always declares a specific type.
7  The ancestor type specified in a private_extension_declaration and the parent type specified in the corresponding declaration of a record extension given in the private part need not be the same -- the parent type of the full view can be any descendant of the ancestor type. In this case, for a primitive subprogram that is inherited from the ancestor type and not overridden, the formal parameter names and default expressions (if any) come from the corresponding primitive subprogram of the specified ancestor type, while the body comes from the corresponding primitive subprogram of the parent type of the full view. See 3.9.2.


    Examples of private type declarations:
type Key is private;
type File_Name is limited private;
    Example of a private extension declaration:
type List is new Ada.Finalization.Controlled with private;

Extensions to Ada 83

{extensions to Ada 83} The syntax for a private_type_declaration is augmented to allow the reserved word tagged.
In Ada 83, a private type without discriminants cannot be completed with a type with discriminants. Ada 95 allows the full view to have discriminants, so long as they have defaults (that is, so long as the first subtype is definite). This change is made for uniformity with generics, and because the rule as stated is simpler and easier to remember than the Ada 83 rule. In the original version of Ada 83, the same restriction applied to generic formal private types. However, the restriction was removed by the ARG for generics. In order to maintain the ``generic contract/private type contract analogy'' discussed above, we have to apply the same rule to package-private types. Note that a private untagged type without discriminants can be completed with a tagged type with discriminants only if the full view is constrained, because discriminants of tagged types cannot have defaults.

Wording Changes from Ada 83

RM83-7.4.1(4), ``Within the specification of the package that declares a private type and before the end of the corresponding full type declaration, a restriction applies....'', is subsumed (and corrected) by the rule that a type shall be completely defined before it is frozen, and the rule that the parent type of a derived type declaration shall be completely defined, unless the derived type is a private extension.

Contents   Index   Search   Previous   Next   Legal