*** Semantic Error : 774 : Interrupt_Priority'First must equal Priority'Last + 1; LRM D.1(10).

Ada 95 requires that task priority types meet the following criteria, the third of which is relevant to this error:

*** Semantic Error : 775 : Interrupt_Priority'Last must equal Any_Priority'Last; LRM D.1(10).

Ada 95 requires that task priority types meet the following criteria, the third of which is relevant to this error:

*** Semantic Error : 776 : In SPARK95 mode, only packages Standard, System, Ada.Real_Time and Ada.Interrupts may be specified in the config file.

In SPARK95 mode, the packages that may be specified in the target configuration file are: Standard, System, Ada.Real_Time and Ada.Interrupts. The latter two are ignored unless the Ravenscar profile is selected.

*** Semantic Error : 777 : In package System, Priority must be an immediate subtype of Integer.

Ada 95, and hence SPARK95, defines Priority as being an immediate subtype of Integer.

*** Semantic Error : 778 : This identifier is not valid at this point in the target configuration file.

The specified identifier cannot be used here; it is most probably either not valid in the target configuration file at all, or might be valid in a different package, but not here.

*** Semantic Error : 779 : Definition of this package in the target configuration file is not allowed in SPARK83 mode.

In SPARK83 mode, only package Standard may be specified in the target configuration file.

*** Semantic Error : 780 : Type XXX must be private.

This type may only be declared as private in the target configuration file.

*** Semantic Error : 781 : The lower bound of a signed integer type declaration must be greater than or equal to System.Min_Int.

This error can only be generated in SPARK95 mode when the configuration file specifies a value for System.Min_Int.

*** Semantic Error : 782 : The upper bound of a signed integer type declaration must be less than or equal to System.Max_Int.

This error can only be generated in SPARK95 mode when the configuration file specifies a value for System.Max_Int.

*** Semantic Error : 783 : Modulus must be less than or equal to System.Max_Binary_Modulus.

This error can only be generated in SPARK95 mode when the configuration file specifies a value for System.Max_Binary_Modulus.

*** Semantic Error : 784 : System.Max_Binary_Modulus must be a positive power of 2.

*** Semantic Error : 785 : The number of digits specified exceeds the value defined for System.Max_Digits.

The maximum decimal precision for a floating point type, where a range specification has not been included, is defined by System.Max_Digits.

*** Semantic Error : 786 : The number of digits specified exceeds the value defined for System.Max_Base_Digits.

The maximum decimal precision for a floating point type, where a range specification has been included, is defined by System.Max_Base_Digits.

*** Semantic Error : 787 : Digits value must be positive.

*** Semantic Error : 788 : Delta value must be positive.

*** Semantic Error : 789 : The only currently supported type attribute in this context is 'Base.

*** Semantic Error : 790 : A base type assertion requires a type here.

*** Semantic Error : 791 : The base type in this assertion must be a predefined type.

Predefined types are those defined either by the language, or in package Standard, using the configuration file mechanism.

*** Semantic Error : 792 : The types in this assertion must both be either floating point or signed integer.

*** Semantic Error : 793 : This base type must have a defined range in the configuration file.

If a predefined type is to be used in a base type assertion or in a derived type declaration, then it must appear in the configuration file and have a well-defined range.

*** Semantic Error : 794 : Range of subtype exceeds range of base type.

*** Semantic Error : 795 : A base type assertion must be in the same declarative region as that of the full type definition.

*** Semantic Error : 796 : This type already has a base type: either it already has a base type assertion, or is explicitly derived, or is a predefined type.

A base type assertion can only be given exactly once. Explicitly derived scalar types and predefined types never need a base type assertion.

*** Semantic Error : 797 : The base type in a floating point base type assertion must have a defined accuracy.

*** Semantic Error : 798 : The accuracy of the base type in a base type assertion must be at least that of the type which is the subject of the assertion.

*** Semantic Error : 799 : Only a simple type can be the subject of a base type assertion .

*** Semantic Error : 800 : Modulus must be a positive power of 2.

In SPARK, modular types must have a modulus which is a positive power of 2.

*** Semantic Error : 801 : Modular types may only be used in SPARK95.

Ada83 (and hence SPARK83) does not include modular types.

*** Semantic Error : 803 : Unary arithmetic operators are not permitted for modular types.

Unary arithmetic operators are of little value. The "abs" and "+" operators have no effect for modular types, and so are not required. The unary minus operator is a source of potential confusion, and so is not permitted in SPARK.

*** Semantic Error : 804 : Universal expression may not be implicitly converted to a modular type here. Left hand operand requires qualification to type XXX.

A universal expression cannot be used as the left hand operand of a binary operator if the right hand operand is of a modular type. Qualification of the left hand expression is required in this case.

*** Semantic Error : 805 : Universal expression may not be implicitly converted to a modular type here. Right hand operand requires qualification to type XXX.

A universal expression cannot be used as the right hand operand of a binary operator if the left hand operand is of a modular type. Qualification of the right hand expression is required in this case.

*** Semantic Error : 806 : Universal expression may not be implicitly converted to a modular type here. Right hand operand requires qualification.

A universal expression cannot be used as operand of an unary "not" operator if no type can be determined from the context of the expression. Qualification of the operand is required in this case.

*** Semantic Error : 814 : Default_Bit_Order must be of type Bit_Order.

The only possible type for the constant System.Default_Bit_Order is System.Bit_Order when it appears in the configuration file.

*** Semantic Error : 815 : The only allowed values of Default_Bit_Order are Low_Order_First and High_Order_First.

System.Bit_Order is implicity declared in package System when a configuration file is given. This is an enumeration type with only two literals Low_Order_First and High_Order_First.

*** Semantic Error : 820 : Abstract types are not currently permitted in SPARK.

Only non-abstract tagged types are currently supported. It is hoped to lift this restriction in a future Examiner release.

*** Semantic Error : 821 : This type declaration must be a tagged record because it's private type is tagged.

If a type is declared as "tagged private" then its full declaration must be a tagged record.

*** Semantic Error : 822 : XXX is not a tagged type; only tagged types may be extended.

In SPARK, "new" can only be used to declare a type extension; other derived types are not permitted.

*** Semantic Error : 823 : This type may not be extended in the same package in which it is declared.

SPARK only permits types from another library package to be extended. This rule prevents overloading of inherited operations.

*** Semantic Error : 824 : This package already extends a type from package XXX. Only one type extension per package is permitted.

SPARK only permits one type extension per package. This rule prevents overloading of inherited operations.

*** Semantic Error : 825 : Type XXX expected in order to complete earlier private extension.

Since SPARK only permits one type extension per package it follows that the declaration "new XXX with private" in a package visible part must be paired with "new XXX with record..." in its private part. The ancestor type XXX must be the same in both declarations.

*** Semantic Error : 826 : Type extension is not permitted in SPARK 83.

Type extension is an Ada 95 feature not included in Ada or SPARK 83.

*** Semantic Error : 827 : The actual parameter associated with a tagged formal parameter in an inherited operation must be an object not an expression.

There are several reasons for this SPARK rule. Firstly, Ada requires tagged parameters to be passed by reference and so an object must exist at least implicitly. Secondly, in order to perform flow analysis of inherited subprogram calls, the Examiner needs identify what subset of the information available at the point of call is passed to and from the called subprogram. Since information can only flow through objects it follows that actual parameter must be an object.

*** Semantic Error : 828 : Tagged types and tagged type extensions may only be declared in library-level package specifications.

This SPARK rule facilitates the main uses of tagged types while greatly simplifying visibility rules.

*** Semantic Error : 829 : Illegal re-declaration: this subprogram shares the same name as the inheritable root operation XXX but does not override it.

To avoid overloading, SPARK prohibits more than one potentially visible subprogram having the same name.

*** Semantic Error : 830 : A private type may not be implemented as a tagged type or an extension of a tagged type.

This rule means that a private type can only be implemented as a tagged type if the private type itself is tagged.

*** Semantic Error : 831 : Extended tagged types may only be converted in the direction of their root type.

This is an Ada rule: type conversions simply omit unused fields of the extended type. It follows that conversions must be in the direction of the root type.

*** Semantic Error : 832 : Only tagged objects, not expressions, may be converted.

For flow analysis purposes the Examiner needs to know what subset of the information in the unconverted view is available in the converted view. Since information can only flow through objects it follows that only objects can be converted.

*** Semantic Error : 833 : Invalid record aggregate: type XXX has a private ancestor.

If an extended type has a private ancestor then an extension aggregate must be used rather than a normal aggregate.

*** Semantic Error : 834 : Null records are only permitted if they are tagged.

An empty record can have no use in a SPARK program others than as a root type from which other types can be derived and extended. For this reason, null records are only allowed if they are tagged.

*** Semantic Error : 835 : XXX is not an extended tagged record type.

An extension aggregate is only appropriate if the record type it is defining is an extended record. A normal aggregate should be used for other record (and array) types.

*** Semantic Error : 836 : This expression does not represent a valid ancestor type of the aggregate XXX.

The expression before the reserved word "with" must be of an ancestor type of the overall aggregate type. In SPARK, the ancestor expression may not be a subtype mark.

*** Semantic Error : 837 : Invalid record aggregate: there is a private ancestor between the type of this expression and the type of the aggregate XXX.

The ancestor type can be an tagged type with a private extension; however, there must be no private extensions between the ancestor type and the type of the aggregate.

*** Semantic Error : 838 : Incomplete aggregate: null record cannot be used here because fields in XXX require values.

The aggregate form "with null record" can only be used if the type of the aggregate is a null record extension of the ancestor type. If any fields are added between the ancestor type and the aggregate type then values need to be supplied for them so "null record" is inappropriate.

*** Semantic Error : 839 : This package already contains a root tagged type or tagged type extension. Only one such declaration per package is permitted.

SPARK permits one root tagged type or one tagged type extension per package, but not both. This rule prevents the declaration of illegal operations with more than one controlling parameter.

*** Semantic Error : 840 : A tagged or extended type may not appear here. SPARK does not permit the declaration of primitive functions with controlling results.

A primitive function controlled by its return result would be almost unusable in SPARK because a data flow error would occur wherever it was used.

*** Semantic Error : 841 : The return type in the declaration of this function contained an error. It is not possible to check the validity of this return type.

Issued when there is an error in the return type on a function's initial declaration. In this situation we cannot be sure what return type is expected in the function's body. It would be misleading to simply report a type mismatch since the types might match perfectly and both be wrong. Instead, the Examiner reports the above error and refuses to analyse the function body until its specification is corrected.

*** Semantic Error : 842 : Pragma Atomic_Components is not permitted in SPARK when the Ravenscar profile is selected.

*** Semantic Error : 843 : Pragma Volatile_Components is not permitted in SPARK when the Ravenscar profile is selected.

*** Semantic Error : 844 : Missing or contradictory overriding_indicator for operation XXX. This operation successfully overrides its parent operation.

In SPARK2005, an operation which successfully overrides a parent operation must be specified as Overriding.

*** Semantic Error : 845 : Subprogram XXX does not successfully override a parent operation.

In SPARK2005, an overriding operation must successfully override an operation inherited from the parent.

*** Semantic Error : 850 : This construct may only be used when the Ravenscar profile is selected.

Support for concurrent features of the SPARK language, including protected objects, tasking, etc. are only supported when the Ravenscar profile is selected.

*** Semantic Error : 851 : The parameter to pragma Atomic must be a simple_name.

The parameter to pragma Atomic must be a simple_name; and may not be passed using a named association.

*** Semantic Error : 852 : pragma Atomic may only appear in the same immediate scope as the type to which it applies.

This is an Ada rule (pragma Atomic takes a local name see LRM 13.1(1)). Note that this precludes the use of pragma Atomic on a predefined type.

*** Semantic Error : 853 : pragma Atomic may only apply to a scalar base type, or to a non-tagged record type with exactly 1 field that is a predefined scalar type.

pragma Atomic may only be applied to base types that are scalar. (i.e. enumeration types, integer types, real types, modular types) or a non-tagged record type with a single field which is a predefined scalar type, such as Integer, Character or Boolean. As an additional special case, a record type with a single field of type System.Address is also allowed.

*** Semantic Error : 854 : pragma Atomic takes exactly one parameter.

*** Semantic Error : 855 : The type of own variable XXX is not consistent with its modifier.

An own variable with a task modifier must be of a task type. A task own variable must have the task modifier. An own variable with a protected modifier must be a protected object, suspension object or pragma atomic type. A protected or suspension object own variable must have the protected modifier.

*** Semantic Error : 858 : A variable that appears in a protects property list may not appear in a refinement clause.

A variable in a protects list is effectively protected and hence cannot be refined.

*** Semantic Error : 859 : A protected own variable may not appear in a refinement clause.

Protected state cannot be refined or be used as refinement constituents.

*** Semantic Error : 860 : Own variable XXX appears in a protects list and hence must appear in the initializes clause.

Protected state (including all refinement constituents) must be initialized.

*** Semantic Error : 861 : Both abstract own variable XXX and refinement constitutent YYY must have an Integrity property.

If an abstract own variable has an Integrity property, then so must all its refinement constituents, and vice-versa.

*** Semantic Error : 862 : Both abstract own variable XXX and refinement constitutent YYY must have the same Integrity value.

If both an abstract own variable and a refinement constituent have Integrity properties specified, then the value of the Integrity must be the same.

*** Semantic Error : 863 : Own variable XXX is protected and may not appear in an initializes clause.

Protected own variables must always be initialized, and should not appear in initializes annotations.

*** Semantic Error : 864 : Unexpected initialization specification - all own variables of this package are either implicitly initialized, or do not require initialization.

An own variable initialization clause and that of its refinement constituents must be consistent.

*** Semantic Error : 865 : Field XXX is part of the ancestor part of this aggregate and does not require a value here.

An extension aggregate must supply values for all fields that are part of the overall aggregate type but not those which are part of the ancestor part.

*** Semantic Error : 866 : The expression in a delay_until statement must be of type Ada.Real_Time.Time.

When the Ravenscar Profile is selected, the delay until statement may be used. The argument of this statement must be of type Ada.Real_Time.Time.

*** Semantic Error : 867 : Subprogram XXX contains a delay statement but does not have a delay property.

Any subprogram that may call delay until must have a delay property in a declare annotation. Your subprogram is directly or indirectly making a call to delay until.

*** Semantic Error : 868 : Protected object XXX may only be declared immediately within a library package.

This error message is issued if a type mark representing a protected type appears anywhere other than in a library level variable declaration or library-level own variable type announcement.

*** Semantic Error : 869 : Protected type XXX already contains an Entry declaration; only one Entry is permitted.

The Ravenscar profile prohibits a protected type from declaring more than one entry.

*** Semantic Error : 870 : Protected type XXX does not have any operations, at least one operation must be declared.

A protected type which provides no operations can never be used so SPARK requires the declaration of at least one.

*** Semantic Error : 871 : A type can only be explicitly derived from a predefined Integer or Floating Point type or from a tagged record type.

*** Semantic Error : 872 : Variable XXX is not protected; only protected items may be globally accessed by protected operations.

In order to avoid the possibility of shared data corruption, SPARK prohibits protected operations from accessing unprotected data items.

*** Semantic Error : 873 : This subprogram requires a global annotation which references the protected type name XXX.

In order to statically-detect certain bounded errors defined by the Ravenscar profile, SPARK requires every visible operation of protected type to globally reference the abstract state of the type.

*** Semantic Error : 874 : Protected state XXX must be initialized at declaration.

Because there is no guarantee that a concurrent thread that initializes a protected object will be executed before one that reads it, the only way we can be sure that a protected object is properly initialized is to do so at the point of declaration. You have either declared some protected state and not included an initialization or you have tried to initialize some protected state in package body elaboration.

*** Semantic Error : 875 : Protected type expected; access discriminants may only refer to protected types in SPARK.

Access discriminants have been allowed in SPARK solely to allow devices made up of co-operating Ravenscar-compliant units to be constructed. For this reason only protected types may appear in access discriminants.

*** Semantic Error : 876 : This protected type or task declaration must include either a pragma Priority or pragma Interrupt_Priority.

To allow the static detection of certain bounded errors defined by the Ravenscar profile, SPARK requires an explicitly-set priority for each protected type, task type or object of those types. The System.Default_Priority may used explicitly provided package System has been defined in the configuration file.

*** Semantic Error : 877 : Priority values require an argument which is an expression of type integer.

*** Semantic Error : 878 : This protected type declaration contains a pragma Attach_Handler and must therefore also include a pragma Interrupt_Priority.

To allow the static detection of certain bounded errors defined by the Ravenscar profile, SPARK requires an explicitly-set priority for each protected type or object. The System.Default_Priority may used explicitly provided package System has been defined in the configuration file.

*** Semantic Error : 879 : Unexpected pragma XXX: this pragma may not appear here.

pragma Interrupt_Priority must be the first item in a protected type declaration or task type declaration; pragma Priority must be the first item in a protected type declaration, task type declaration or the main program.

*** Semantic Error : 880 : Pragma Priority or Interrupt_Priority expected here.

Issued when a pragma other than Priority or Interrupt_Priority appears as the first item in a protected type or task type declaration.

*** Semantic Error : 881 : The priority of XXX must be in the range YYY.

See LRM D.1(17).

*** Semantic Error : 882 : Integrity property requires an argument which is an expression of type Natural.

*** Semantic Error : 883 : Pragma Interrupt_Handler may not be used; SPARK does not support the dynamic attachment of interrupt handlers [LRM C3.1(9)].

Interrupt_Handler is of no use unless dynamic attachment of interrupt handlers is to be used.

*** Semantic Error : 884 : Pragma Attach_Handler is only permitted immediately after the corresponding protected procedure declaration in a protected type declaration.

Pragma Attach_Handler may only be used within a protected type declaration. Furthermore, it must immediately follow a protected procedure declaration with the same name as the first argument to the pragma.

*** Semantic Error : 885 : Pragma Attach_Handler may only be applied to a procedure with no parameters.

See LRM C.3.1(5).

*** Semantic Error : 887 : A discriminant may only appear alone, not in an expression.

Issued when a task or protected type priority is set using an expression involving a discriminant. The use of such an expression greatly complicates the static evaluation of the priority of task or protected subtypes thus preventing the static elimination of certain Ravenscar bounded errors.

*** Semantic Error : 888 : Unexpected Delay, XXX already has a Delay property.

A procedure may only have a maximum of one delay annotation.

*** Semantic Error : 889 : The own variable XXX must have the suspendable property.

The type used to declare this object must be a protected type with and entry or a suspension object type.

*** Semantic Error : 890 : The name XXX already appears in the suspends list.

Items may not appear more than once in an a suspends list.

*** Semantic Error : 891 : Task type or protected type required.

Issued in a subtype declaration where the constraint is a discriminant constraint. Only task and protected types may take a discriminant constraint as part of a subtype declaration.

*** Semantic Error : 892 : Array type, task type or protected type required.

Issued in a subtype declaration where the constraint is a either a discriminant constraint or an index constraint (these two forms cannot always be distinguished syntactically). Only task and protected types may take a discriminant constraint and only array types may take an index constraint as part of a subtype declaration.

*** Semantic Error : 893 : Number of discriminant constraints differs from number of known discriminants of type XXX.

Issued in a subtype declaration if too many or two few discriminant constraints are supplied.

*** Semantic Error : 894 : Only variables of a protected type may be aliased.

SPARK supports the keyword aliased in variable declarations only so that protected and task types can support access discriminants. Since it has no other purpose it may not be used except in a protected object declaration.

*** Semantic Error : 895 : Attribute Access may only be applied to variables which are declared as aliased, variable XXX is not aliased.

This is a slightly annoying Ada issue. Marking a variable as aliased prevents it being placed in a register which would make pointing at it hazardous; however, SPARK only permits 'Access on protected types which are limited and therefore always passed by reference anyway and immune from register optimization. Requiring aliased on protected objects that will appear in discriminant constraints is therefore unwanted syntactic sugar only.

*** Semantic Error : 896 : The task type XXX does not have an associated body.

Issued at the end of a package body if a task type declared in its specification contains neither a body nor a body stub for it.

*** Semantic Error : 897 : The protected type XXX does not have an associated body.

Issued at the end of a package body if a protected type declared in its specification contains neither a body nor a body stub for it.

*** Semantic Error : 898 : XXX is not a protected or task type which requires a body.

Issued if a body or body stub for a task or protected type is encountered and there is no matching specification.

*** Semantic Error : 899 : A body for type XXX has already been declared.

Issued if a body or body stub for a task or protected type is encountered and an earlier body has already been encountered.

*** Semantic Error : 901 : Suspension object XXX may only be declared immediately within a library package specification or body.

Suspension objects must be declared at library level. They cannot be used in protected type state or as local variables in subprograms.

*** Semantic Error : 902 : Recursive use of typemark XXX in known descriminant.

*** Semantic Error : 903 : Protected or suspension object types cannot be used to declare constants.

Protected and suspension objects are used to ensure integrity of shared objects. If it is necessary to share constant data then these constructs should not be used.

*** Semantic Error : 904 : Protected or suspension objects cannot be used as subprogram parameters.

SPARK does not currently support this feature.

*** Semantic Error : 905 : Protected or suspension objects cannot be returned from functions.

SPARK does not currently support this feature.

*** Semantic Error : 906 : Protected or suspension objects cannot be used in composite types.

Protected and suspension objects cannot be used in record or array structures.

*** Semantic Error : 907 : Delay until must be called from a task or unprotected procedure body.

You are calling delay until from an invalid construct. Any construct that calls delay until must have a delay property in the declare annotation. This construct must be one of a task or procedure body.

*** Semantic Error : 908 : Blocking properties are not allowed in protected scope.

Procedures in protected scope must not block and therefore blocking properties are prohibited.

*** Semantic Error : 909 : Object XXX cannot suspend.

You are either applying the suspendable property to an own variable that cannot suspend or you have declared a variable (whose own variable has the suspendable property) which cannot suspend. Or you have used an item in a suspends list that does not have the suspendable property. An object can only suspend if it is a suspension object or a protected type with an entry.

*** Semantic Error : 910 : Name XXX must appear in the suspends list property for the enclosing unit.

Protected entry calls and calls to Ada.Synchronous_Task_Control.Suspend_Until_True may block the currently executing task. SPARK requires you announce this fact by placing the actual callee name in the suspends list for the enclosing unit.

*** Semantic Error : 911 : The argument in pragma Priority for the main program must be an integer literal or a local constant of static integer value.

If the main program priority is not an integer literal then you should declare a constant that has the required value in the declarative part of the main program prior to the position of the pragma.

*** Semantic Error : 912 : This call contains a delay property that is not propagated to the enclosing unit.

The call being made has a declare annotation that contains a delay property. SPARK requires that this property is propagated up the call chain and hence must appear in a declare annotation for the enclosing unit.

*** Semantic Error : 913 : This call has a name in its suspends list which is not propagated to the enclosing unit.

The call being made has a declare annotation that contains a suspends list. SPARK requires that the entire list is propagated up the call chain and hence must appear in a declare annotation for the enclosing unit.

*** Semantic Error : 914 : The name XXX specified in the suspends list can never be called.

You have specified the name of a protected or suspension object in the suspends list that can never be called by this procedure or task.

*** Semantic Error : 915 : Procedure XXX has a delay property but cannot delay.

You have specified a delay property for this procedure but delay until can never be called from it.

*** Semantic Error : 916 : Protected object XXX has a circular dependency in subprogram YYY.

The type of the protected object mentions the protected object name in the derives list for the given subprogram.

*** Semantic Error : 917 : Procedure XXX cannot be called from a protected action.

The procedure being called may block and hence cannot be called from a protected action.

*** Semantic Error : 918 : The delay property is not allowed for XXX.

The delay property may only be applied to a procedure.

*** Semantic Error : 919 : The priority property is not allowed for XXX.

The priority property can only be applied to protected own variables which are type announced. If the type has been declared it must be a protected type.

*** Semantic Error : 920 : The suspends property is not allowed for XXX.

The suspends property may only be applied to task type specifications and procedures.

*** Semantic Error : 921 : The identifier XXX is not recognised as a component of a property list.

The property list can only specify the reserved word delay, suspends or priority.

*** Semantic Error : 922 : The own variable XXX must have the priority property.

In order to perform the ceiling priority checks the priority property must be given to all own variables of protected type.

*** Semantic Error : 923 : The procedure XXX cannot be called from a function as it has a blocking side effect.

Blocking is seen as a side effect and hence procedures that potentially block cannot be called from functions.

*** Semantic Error : 924 : The suspendable property is not allowed for XXX.

Objects that suspend must be declared as own protected variables.

*** Semantic Error : 925 : The own variable or task XXX must have a type announcement.

Own variables of protected type and own tasks must have a type announcement.

*** Semantic Error : 926 : Illegal declaration of task XXX. Task objects must be declared at library level.

Task objects must be declared in library level package specifications or bodies.

*** Semantic Error : 927 : The own task annotation for this task is missing the name XXX in its suspends list.

The task type declaration has name XXX in its list and this must appear in the own task annotation.

*** Semantic Error : 928 : Private elements are not allowed for protected type XXX.

Protected type XXX has been used to declare a protected, moded own variable. Protected, moded own variables are refined onto a set of virtual elements with the same mode. As such private elements are not allowed.

*** Semantic Error : 929 : Unexpected declare annotation. Procedure XXX should have the declare annotation on the specification.

Declare annotations cannot appear on the procedure body if it appears on the procedure specification.

*** Semantic Error : 930 : Task XXX does not appear in the own task annotation for this package.

A task has been declared that is not specified as an own task of the package.

*** Semantic Error : 931 : Task XXX does not have a definition.

A task name appears in the own task annotation for this package but is never declared.

*** Semantic Error : 932 : The priority for protected object XXX does not match that given in the own variable declaration.

The priority given in the priority property must match that given in the protected type.

*** Semantic Error : 933 : A pragma Priority is required for the main program when Ravenscar Profile is enabled.

When SPARK profile Ravenscar is selected, all tasks, protected objects and the main program must explicitly be assigned a priority.

*** Semantic Error : 934 : Priority ceiling check failure: the priority of YYY is less than that of XXX.

The active priority of a task is the higher of its base priority and the ceiling priorities of all protected objects that it is executing. The active priority at the point of a call to a protected operation must not exceed the ceiling priority of the callee.

*** Semantic Error : 935 : The own variable XXX must have the interrupt property.

An own variable has been declared using a protected type with a pragma attach handler. Such objects are used in interrupt processing and must have the interrupt property specified in their own variable declaration.

*** Semantic Error : 936 : The interrupt property is not allowed for XXX.

The interrupt property can only be applied to protected own variables that are type announced. If the type is declared then it must be a protected type that contains an attach handler.

*** Semantic Error : 937 : The protects property is not allowed for XXX.

The protects property can only be applied to protected own variables that are type announced. If the type is declared then it must be a protected type.

*** Semantic Error : 938 : The unprotected variable XXX is shared by YYY and ZZZ.

XXX is an unprotected variable that appears in the global list of the threads YYY and ZZZ. Unprotected variables cannot be shared between threads in SPARK. A thread is one of: the main program, a task, an interrupt handler.

*** Semantic Error : 939 : The suspendable item XXX is referenced by YYY and ZZZ.

XXX is an own variable with the suspends property that appears in the suspends list of the threads YYY and ZZZ. SPARK prohibits this to prevent more than one thread being suspended on the same item at any one time. A thread is one of: the main program, a task, an interrupt handler.

*** Semantic Error : 940 : XXX is a protected own variable. Protected variables may not be used in proof contexts.

The use of protected variables in pre and postconditions or other proof annotations is not (currently) supported. Protected variables are volatile because they can be changed at any time by another program thread and this may invalidate some common proof techniques. The prohibition of protected variables does not prevent proof of absence of run-time errors nor proof of protected operation bodies. See the manual "SPARK Proof Manual" for more details.

*** Semantic Error : 941 : The type of own variable XXX must be local to this package.

The type used to an announce an own variable with a protects property must be declared in the same package.

*** Semantic Error : 942 : Only one instance of the type XXX is allowed.

Type XXX has a protects property. This means there can be only one object in the package that has this type or any subtype of this type.

*** Semantic Error : 943 : The name XXX cannot appear in a protects list.

All items in a protects list must be unprotected own variables owned by this package.

*** Semantic Error : 944 : The name XXX is already protected by YYY.

The name XXX appears in more than one protects list. The first time it appeared was for own variable YYY. XXX should appear in at most one protects list.

*** Semantic Error : 945 : The property XXX must be given a static expression for its value.

This property can only accept a static expression.

*** Semantic Error : 946 : The own variable XXX must only ever be accessed from operations in protected type YYY.

The own variable XXX is protected by the protected type YYY and hence must never be accessed from anywhere else.

*** Semantic Error : 947 : The own variable XXX appears in a protects list for type YYY but is not used in the body.

The protected type YYY claims to protect XXX via a protects property. However, the variable XXX is not used by any operation in YYY.

*** Semantic Error : 948 : The type of own variable or task XXX must be a base type.

Own tasks and protected own variables of a protected type must be announced using the base type. The subsequent variable declaration may be a subtype of the base type.

*** Semantic Error : 949 : Unexpected partition annotation: a global annotation may only appear here when the Ravenscar profile is selected.

When the sequential SPARK profile is selected, the global and derives annotation on the main program describes the entire program's behaviour. No additional, partition annotation is required or permitted. Note that an annotation must appear here if the Ravenscar profile is selected.

*** Semantic Error : 950 : Partition annotation expected: a global and, optionally, a derives annotation must appear after 'main_program' when the Ravenscar profile is selected.

When the Ravenscar profile is selected the global and derives annotation on the main program describes the behaviour of the environment task only, not the entire program. An additional annotation, called the partition annotation, is required to describe the entire program's behaviour; this annotation follows immediately after 'main_program;'.

*** Semantic Error : 951 : Inherited package XXX contains tasks and/or interrupt handlers and must therefore appear in the preceding WITH clause.

In order to ensure that a Ravenscar program is complete, SPARK requires that all 'active' packages inherited by the environment task also appear in a corresponding with clause. This check ensures that any program entities described in the partition annotation are also linked into the program itself.

*** Semantic Error : 952 : Subprogram XXX is an interrupt handler and cannot be called.

Interrupt handler operations cannot be called.

*** Semantic Error : 953 : Interrupt property error for own variable YYY. XXX is not an interrupt handler in type ZZZ.

The handler names in an interrupt property must match one in the protected type of the own variable.

*** Semantic Error : 954 : Interrupt property error for own variable XXX. Interrupt stream name YYY is illegal.

The stream name must be unprefixed and not already in use within the scope of the package.

*** Semantic Error : 955 : XXX can only appear in the partition wide flow annotation.

Interrupt stream variables are used only to enhance the partition wide flow annotation and must not be used elsewhere.

*** Semantic Error : 956 : XXX already appears in as an interrupt handler in the interrupt mappings.

An interrupt handler can be mapped onto exactly one interrupt stream variable. An interrupt stream variable may be mapped onto many interrupt handlers.

*** Semantic Error : 957 : Consecutive updates of protected variable XXX are disallowed when they do not depend directly on its preceding value.

A protected variable cannot be updated without direct reference to its preceding value more than once within a subprogram or task. Each update of a protected variable may have a wider effect than just the change of value of the protected variable. The overall change is considered to be the accumulation of all updates and reads of the protected variable and to preseve this information flow successive updates must directly depend on the preceding value of the variable.

*** Semantic Error : 958 : A task may not import the unprotected state XXX.

A task may not import unprotected state unless it is mode in. This is because under the concurrent elaboration policy, the task cannot rely on the state being initialized before it is run.

*** Semantic Error : 959 : Unprotected state XXX is exported by a task and hence must not appear in an initializes clause.

Own variable XXX is being accessed by a task. The order in which the task is run and the own variable initialized is non-deterministic under a concurrent elaboration policy. In this case SPARK forces the task to perform the initialization and as such the own variable must not appear in an initializes clause.

*** Semantic Error : 960 : The function Ada.Real_Time.Clock can only be used directly (1) in an assignment or return statement or (2) to initialize a library a level constant.

*** Semantic Error : 961 : This property value is of an incorrect format.

Please check the user manual for valid property value formats.

*** Semantic Error : 962 : Error(s) detected by VC Generator. See the .vcg file for more information.

This message is echoed to the screen if an unrecoverable error occurs which makes the generation of VCs for the current subprogram impossible. Another message more precisely identifying the problem will be placed in the .vcg file.

*** Semantic Error : 986 : A protected function may not call a locally-declared protected procedure.

See LRM 9.5.1 (2). A protected function has read access to the protected elements of the type whereas the called procedure has read-write access. There is no way in which an Ada compiler can determine whether the procedure will illegally update the protected state or not so the call is prohibited by the rules of Ada. (Of course, in SPARK, we know there is no function side effect but the rules of Ada must prevail nonetheless).

*** Semantic Error : 987 : Task types and protected types may only be declared in package specifications.

The Examiner performs certain important checks at the whole program level such as detection of illegal sharing of unprotected state and partition-level information flow analysis. These checks require visibility of task types and protected types (especially those containing interrupt handlers). SPARK therefore requires these types to be declare in package specifications. Subtypes and objects of task types, protected types and their subtypes may be declared in package bodies.

*** Semantic Error : 988 : Illegal re-use of identifier XXX; this identifier is used in a directly visible protected type.

SPARK does not allow the re-use of operation names which are already in use in a directly visible protected type. The restriction is necessary to avoid overload resolution issues in the protected body. For example, type PT in package P declares operation K. Package P also declares an operation K. From inside the body of PT, a call to K could refer to either of the two Ks since both are directly visible.

*** Semantic Error : 989 : The last statement of a task body must be a plain loop with no exits.

To prevent any possibility of a task terminating (which can lead to a bounded error), SPARK requires each task to end with a non-terminating loop. The environment task (or "main program") does not need to end in a plain loop provided the program closure includes at least one other task. If there are no other tasks, then the environment task must be made non-terminating with a plain loop.

*** Semantic Error : 990 : Unexpected annotation, a task body may have only global and derives annotations.

Issued if a pre, post or declare annotation is attached to a task body.

*** Semantic Error : 991 : Unexpected task body, XXX is not the name of a task declared in this package specification.

Issued if task body is encountered for which there is no preceding declaration.

*** Semantic Error : 992 : A body for task type XXX has already been declared.

Issued if a duplicate body or body stub is encountered for a task.

*** Semantic Error : 993 : There is no protected type declaration for XXX.

Issued if a body is found for a protected types for which there is no preceding declaration.

*** Semantic Error : 994 : Invalid guard, XXX is not a Boolean protected element of this protected type.

The SPARK Ravenscar rules require a simple Boolean guard which must be one of the protected elements of the type declaring the entry.

*** Semantic Error : 995 : Unexpected entry body, XXX is not the name of an entry declared in this protected type.

Local entries are not permitted so a protected body can declare at most one entry body and that must have declared in the protected type specification.

*** Semantic Error : 996 : The protected operation XXX, declared in this type, does not have an associated body.

Each exported protected operation must have a matching implementation in the associated protected body.

*** Semantic Error : 997 : A body for protected type XXX has already been declared.

Each protected type declaration must have exactly one matching protected body or body stub.

*** Semantic Error : 998 : There is no protected type declaration for XXX.

Issued if a protected body or body stub is found and there is no matching declaration for it.

*** Semantic Error : 999 : This feature of Generics is not yet implemented.

Generics are currently limited to instantiation of Unchecked_Conversion.

Warning : No semantic checks carried out, text may not be legal SPARK.

Issued when the Examiner is used solely to check the syntax of a SPARK text: this does not check the semantics of a program (e.g. the correctness of the annotations) and therefore does not guarantee that a program is legal SPARK.

Note: Information flow analysis not carried out.

This is issued as a reminder that information flow analysis has not been carried out in this run of the Examiner: information flow errors may be present undetected in the text analysed.

Note: Flow analysis mode is automatic.

This is issued as a reminder that the Examiner will perform information flow analysis if it encounters full derives annotations and will perform data flow analysis if only moded global annotations are present. Information flow errors may be present undetected in the text analysed.

Note: Ada 83 language rules selected.

Issued when the Examiner is used in SPARK 83 mode.

--- Warning : 1 : The identifier XXX is either undeclared or not visible at this point.

This warning will appear against an identifier in a with clause if it is not also present in an inherit clause. Such an identifier cannot be used in any non-hidden part of a SPARK program. The use of with without inherit is permitted to allow reference in hidden parts of the text to imported packages which are not legal SPARK. For example, the body of SPARK_IO is hidden and implements the exported operations of the package by use of package TEXT_IO. For this reason TEXT_IO must appear in the with clause of SPARK_IO. (warning control file keyword: with_clauses).

--- Warning : 2 : Representation clause - ignored by the Examiner.

The significance of representation clauses cannot be assessed by the Examiner because it depends on the specific memory architecture of the target system. Like pragmas, representation clauses can change the meaning of a SPARK program and the warning highlights the need to ensure their correctness by other means. (warning control file keyword: representation_clauses).

--- Warning : 3 : Pragma - ignored by the Examiner.

All pragmas encountered by the Examiner generate this warning. While many pragmas (e.g. pragma page) are harmless others can change a program's meaning, for example by causing two variables to share a single memory location. (warning control file keyword: pragma pragma_identifier or pragma all).

--- Warning : 4 : declare annotation - ignored by the Examiner.

The declare annotation is ignored by the Examiner if the profile is not Ravenscar. (warning control file keyword: declare_annotations).

--- Warning : 5 : XXX contains interrupt handlers; it is important that an interrupt identifier is not used by more than one handler.

Interrupt identifiers are implementation defined and the Examiner cannot check that values are used only once. Duplication can occur by declaring more than object of a single (sub)type where that type defines handlers. It may also occur if interrupt identifiers are set via discriminants and two or more actual discriminants generate the same value. (warning control file keyword: interrupt_handlers).

--- Warning : 6 : Machine code insertion. Code insertions are ignored by the Examiner.

Machine code is inherently implementation dependent and cannot be analysed by the Examiner. Users are responsible for ensuring that the behaviour of the inserted machine code matches the annotation of the subprogram containing it.

--- Warning : 7 : This identifier is an Ada2005 reserved word.

Such identifiers will be rejected by an Ada2005 compiler and by the SPARK Examiner for SPARK2005. It is recommended to rename such identifiers for future upward compatibility. (warning control file keyword: ada2005_reserved_words).

--- Warning : 11 : Unnecessary others clause - case statement is already complete.

The others clause is non-executable because all case choices have already been covered explicitly. If the range of the case choice is altered later then the others clause may be executed with unexpected results. It is better to omit the others clause in which case any extension of the case range will result in a compilation error.

--- Warning : 12 : Function XXX is an instantiation of Unchecked_Conversion.

See ALRM 13.9. The use of Unchecked_Conversion can result in implementation-defined values being returned. The function should be used with great care. The principal use of Unchecked_Conversion is SPARK programs is the for the reading of external ports prior to performing a validity check; here the suppression of constraint checking prior to validation is useful. The Examiner does not assume that the value returned by an unchecked conversion is valid and so unprovable run-time check VCs will result if a suitable validity check is not carried out before the value is used. (warning control file keyword: unchecked_conversion).

--- Warning : 13 : Function XXX is an instantiation of Unchecked_Conversion returning a type for which run-time checks are not generated. Users must take steps to ensure the validity of the returned value.

See ALRM 13.9. The use of Unchecked_Conversion can result in invalid values being returned. The function should be used with great care especially, as in this case, where the type returned does not generate Ada run-time checks nor SPARK run-time verification conditions. For such types, this warning is the ONLY reminder the Examiner generates that the generated value may have an invalid representation. For this reason the warning is NOT suppressed by the warning control file keyword unchecked_conversion. The principal use of Unchecked_Conversion is SPARK programs is the for the reading of external ports prior to performing a validity check; here the suppression of constraint checking prior to validation is useful.

--- Warning : 120 : Unexpected unmatched 'end accept' annotation ignored.

This end accept annotation does not match any preceding start accept in this unit.

--- Warning : 121 : No warning message matches this accept annotation.

The accept annotation is used to indicate that a particular flow error or semantic warning message is expected and can be justified. This error indicates that the expected message did not actually occur. Note that when matching any information flow error messages containing two variable names, the export should be placed first and the import second (the order in the error message may differ from this depending on the style of information flow error reporting selected). For example: --# accept Flow, 601, X, Y, "..."; justifies the message: "X may be derived from the imported value(s) of Y" or the alternative form: "Y may be used in the derivation of X".

--- Warning : 122 : Maximum number of error or warning justifications reached, subsequent accept annotations will be ignored.

The number of justifications per source file is limited. If you reach this limit it is worth careful consideration of why the code generates so many warnings.

--- Warning : 169 : Direct update of own variable XXX, which is an own variable of a non-enclosing package.

With the publication of Edition 3.1 of the SPARK Definition the previous restriction prohibiting the direct updating of own variables of non-enclosing packages was removed; however, the preferred use of packages as abstract state machines is compromised by such action which is therefore discouraged. (warning control file keyword: direct_updates).

--- Warning : 200 : This static expression cannot be evaluated by the Examiner.

Issued if a static expression exceeds the internal limits of the Examiner because its value is, for example, too large to be evaluated using infinite precision arithmetic. No value will be recorded for the expression and this may limit the Examiner's ability to detect certain sorts of errors such as numeric constraints. (warning control file keyword: static_expressions).

--- Warning : 201 : This expression cannot be evaluated statically because its value may be implementation-defined.

Raised, for example, when evaluating 'Size of a type that does not have an explicit Size representation clause. Attributes of implementation-defined types, such as Integer'Last may also be unknown to be Examiner if they are not specified in the configuration file (warning control file keyword: static_expressions).

--- Warning : 202 : An arithmetic overflow has occurred. Constraint checks have not been performed.

Raised when comparing two real numbers. The examiner cannot deal with real numbers specified to such a high degree of precision. Consider reducing the precision of these numbers.

--- Warning : 300 : VCs cannot be built for multi-dimensional array aggregates.

Issued when an aggregate of a multi-dimensional array is found. Suppresses generation of VCs for that subprogram. Can be worked round by using arrays of arrays.

--- Warning : 301 : Called subprogram exports abstract types for which RTCs are not possible.

--- Warning : 302 : This expression may be re-ordered by a compiler. Add parentheses to remove ambiguity.

Issued when a potentially re-orderable expression is encountered. For example x := a + b + c; Whether intermediate sub-expression values overflow may depend on the order of evaluation which is compiler-dependent. Therefore, code generating this warning should be parenthesized to remove the ambiguity. e.g. x := (a + b) + c;.

--- Warning : 303 : Overlapping choices may not be detected.

Issued where choices in an array aggregate or case statement are outside the range which can be detected because of limits on the size of a table internal to the Examiner.

--- Warning : 304 : Case statement may be incomplete.

Issued when the Examiner cannot determine the completeness of a case statement because the bounds of the type of the controlling expression exceed the size of the internal table used to perform the checks.

--- Warning : 305 : Value too big for internal representation.

Issued when the Examiner cannot determine the completeness of an array aggregate or case statement because the number used in a choice exceed the size allowed in the internal table used to perform the checks.

--- Warning : 306 : Aggregate may be incomplete.

Issued when the Examiner cannot determine the completeness of an array aggregate because its bounds exceed the size of the internal table used to perform the checks.

--- Warning : 307 : Completeness checking incomplete: index type(s) undefined or not discrete.

Issued where the array index (sub)type is inappropriate: this is probably because there is an error in its definition, which will have been indicated by a previous error message.

--- Warning : 308 : Use of equality operator with floating point type.

The use of this operator is discouraged in SPARK because of the difficulty in determining exactly what it means to say that two instances of a floating point number are equal.

--- Warning : 309 : Type conversion to own type, consider using type qualification instead.

Issued where a type conversion is either converting from a (sub)type to the same (sub)type or is converting between two subtypes of the same type. In the former case the type conversion may be safely removed because no constraint check is required; in the latter case the type conversion may be safely replaced by a type qualification which preserves the constraint check.(warning control file keyword: type_conversions).

--- Warning : 310 : Use of obsolescent Ada 83 language feature.

Issued when a language feature defined by Ada 95 to be obsolescent is used. Use of such features is not recommended because compiler support for them cannot be guaranteed.(warning control file keyword:obsolescent_features).

--- Warning : 311 : Priority pragma for XXX is unavailable and has not been considered in the ceiling priority check.

--- Warning : 312 : Replacement rules cannot be built for multi-dimensional array constant XXX.

Issued when a VC or PF references a multi-dimensional array constant. Can be worked round by using arrays of arrays.

--- Warning : 313 : The constant XXX has semantic errors in its initializing expression or has a hidden completion which prevent generation of a replacement rule.

Issued when replacement rules are requested for a composite constant which had semantic errors in its initializing expression, or is a deferred constant whose completion is hidden from the Examiner. Semantic errors must be eliminated before replacement rules can be generated.

--- Warning : 314 : The constant XXX has semantic errors in its type which prevent generation of rules.

Issued when an attempt is made to generate type deduction rules for a constant which has semantic errors in its type. These semantic errors must be eliminated before type deduction rules can be generated.

--- Warning : 315 : The procedure XXX does not have a derives annotation. The analysis of this call assumes that each of its exports is derived from all of its imports.

Issued in flow=auto mode when a function calls a procedure that does not have a derives annotation. In most cases this assumption will not affect the validity of the analysis, but if the called procedure derives null from an import this can have an impact. Note that functions are considered to have implicit derives annotations so this warning is not issued for calls to functions.

--- Warning : 320 : The proof function XXX has a non-boolean return and a return annotation. Please make sure that the return is always in-type.

Any proof function with a non-bool return can introduce unsoundness if the result could overflow. For example a return of (x + 1) is not ok if x can take the value of integer'last. (warning control file keyword: proof_function_non_boolean).

--- Warning : 321 : The proof function XXX has an implicit return annotation. Please be careful not to introduce unsoundness.

Any proof function with an implicit return can easily introduce unsoundness as they do not have a body which we can check to expose any contradictions. For example: return B => False. (warning control file keyword: proof_function_implicit).

--- Warning : 322 : The return refinement for proof function XXX is assumed to hold as it is axiomatic and thus cannot be checked.

(warning control file keyword: proof_function_refinement).

--- Warning : 323 : The precondition refinement for proof function XXX is assumed to hold as it is axiomatic and thus cannot be checked.

(warning control file keyword: proof_function_refinement).

--- Warning : 350 : Unexpected pragma Import. Variable XXX is not identified as an external (stream) variable.

The presence of a pragma Import makes it possible that the variable is connected to some external device. The behaviour of such variables is best captured by making them moded own variables (or "stream" variables). If variables connected to the external environment are treated as if they are normal program variables then misleading analysis results are inevitable. The use of pragma Import on local variables of subprograms is particularly deprecated. The warning may safely be disregarded if the variable is not associated with memory-mapped input/output or if the variable concerned is an own variable and the operations on it are suitably annotated to indicate volatile, stream-like behaviour. Where pragma Import is used, it is essential that the variable is properly initialized at the point from which it is imported. (warning control file keyword:imported_objects).

--- Warning : 351 : Unexpected address clause. XXX is a constant.

Great care is needed when attaching an address clause to a constant. The use of such a clause is safe if, and only if, the address supplied provides a valid value for the constant which does not vary during the execution life of the program, for example, mapping the constant to PROM data. If the address clause causes the constant to have a value which may alter, or worse, change dynamically under the influence of some device external to the program, then misleading or incorrect analysis is certain to result. If the intention is to create an input port of some kind, then a constant should not be used. Instead a moded own variable (or "stream" variables) should be used. (warning control file keyword: address_clauses).

--- Warning : 360 : This pragma must have zero or one arguments.

--- Warning : 361 : This pragma must have exactly one argument.

--- Warning : 362 : This pragma must have exactly two arguments.

--- Warning : 363 : This pragma must have at least one argument.

--- Warning : 364 : This pragma must have between two and four arguments.

--- Warning : 365 : This pragma must have exactly zero arguments.

--- Warning : 366 : This pragma must have one or two arguments.

--- Warning : 380 : Casing inconsistent with declaration. Expected casing is XXX.

The Examiner checks the case used for an identifier against the declaration of that identifier and warns if they do not match. (warning control file keyword:style_check_casing).

--- Warning : 389 : Generation of VCs for consistency of generic and instantiated subprogram constraints is not yet supported. It will be supported in a future release of the Examiner.

--- Warning : 390 : This generic subprogram has semantic errors in its declaration which prevent instantiations of it.

Issued to inform the user that a generic subprogram instantiation cannot be completed because of earlier errors in the generic declaration.

--- Warning : 391 : If the identifier XXX represents a package which contains a task or an interrupt handler then the partition-level analysis performed by the Examiner will be incomplete. Such packages must be inherited as well as withed.

--- Warning : 392 : External variable XXX may have an invalid representation and its assignment may cause a run-time exception which is outside the scope of the absence of RTE proof.

Where values are read from external variables (i.e. variables connected to the external environment) there is no guarantee that the bit pattern read will be a valid representation for the type of the external variable. Unexpected behaviour may result if invalid values are used in expressions. If the code is compiled with Ada run-time checks enabled the assignment of an invalid value may (but need not) raise a run-time exception dependent on the compiler. A compiler may provide facilities to apply extended checking which may also raise a run-time exception if an invalid value is used. The SPARK Toolset does not check the validity of the external variable and therefore any possible exception arising from its assignment is outside the scope of proof of absence of RTE. To ensure that a run-time exception cannot occur make the type of the external variable such that any possible bit pattern that may be read from the external source is a valid value. If the desired type is such a type then the always_valid assertion may be applied to the external variable; otherwise use explicit tests to ensure it has a valid value for the desired type before converting to an object of the desired type. In SPARK 95 the 'Valid attribute (see ALRM 13.9.2) may be used to determine the validity of a value if it can be guaranteed that the assignment of an invalid value read from an external variable will not raise a run time exception, either by compiling the code with checks off or by ensuring the compiler does not apply constraint checks when assigning same subtype objects. Note that when the Examiner is used to generate run-time checks, it will not be possible to discharge those involving external variables unless one of the above steps is taken. More information on interfacing can be found in the INFORMED manual and the SPARK Proof Manual. (warning control file keyword: external_assignment).

--- Warning : 393 : External variable XXX may have an invalid representation and is of a type for which run-time checks are not generated but its assignment may cause a run-time exception. Users must take steps to ensure the validity of the assigned or returned value.

Where values are read from external variables (i.e. variables connected to the external environment) there is no guarantee that the bit pattern read will be a valid representation for the type of the external variable. Unexpected behaviour may result if invalid values are used in expressions. If the code is compiled with Ada run-time checks enabled the assignment of an invalid value may (but need not) raise a run-time exception dependent on the compiler. A compiler may provide facilities to apply extended checking which may also raise a run-time exception if an invalid value is used The SPARK Toolset does not check the validity of the external variable and therefore any possible exception arising from its assignment is outside the scope of proof of absence of RTE. Where, as in this case, the type is one for which Ada run-time checks need not be generated and SPARK run-time verification conditions are not generated, extra care is required. For such types, this warning is the ONLY reminder the Examiner generates that the external value may have an invalid representation. For this reason the warning is NOT suppressed by the warning control file keyword external_assignment. To ensure that a run-time exception cannot occur make the type of the external variable such that any possible bit pattern that may be read from the external source is a valid value. Explicit tests of the value may then be used to determine the value of an object of the desired type. In SPARK 95 the 'Valid attribute (see ALRM 13.9.2) may be used to determine the validity of a value if it can be guaranteed that the assignment of an invalid value read from an external variable will not raise a run time exception, either by compiling the code with checks off or by ensuring the compiler does not apply constraint checks when assigning same subtype objects. Boolean external variables require special care since the Examiner does not generate run-time checks for Boolean variables; use of 'Valid is essential when reading Boolean external variables. More information on interfacing can be found in the INFORMED manual and the SPARK Proof Manual.

--- Warning : 394 : Variables of type XXX cannot be initialized using the facilities of this package.

A variable of a private type can only be used (without generating a data flow error) if there is some way of giving it an initial value. For a limited private type only a procedure that has an export of that type and no imports of that type is suitable. For a private type either a procedure, function or (deferred) constant is required. The required facility may be placed in, or already available in, a public child package. (warning control file keyword: private_types).

--- Warning : 395 : Variable XXX is an external (stream) variable but does not have an address clause or a pragma import.

When own variables are given modes they are considered to be inputs from or outputs to the external environment. The Examiner regards them as being volatile (i.e. their values can change in ways not visible from an inspection of the source code). If a variable is declared in that way but it is actually an ordinary variable which is NOT connected to the environment then misleading analysis is inevitable. The Examiner expects to find an address clause or pragma import for variables of this kind to indicate that they are indeed memory-mapped input/output ports. This warning is issued if an address clause or pragma import is not found.

--- Warning : 396 : Unexpected address clause. Variable XXX is not identified as an external (stream) variable.

The presence of an address clause makes it possible that the variable is connected to some external device. The behaviour of such variables is best captured by making them moded own variables (or "stream" variables). If variables connected to the external environment are treated as if they are normal program variables then misleading analysis results are inevitable. The use of address clauses on local variables of subprograms is particularly deprecated. The warning may safely be disregarded if the variable is not associated with memory-mapped input/output or if the variable concerned is an own variable and the operations on it are suitably annotated to indicate volatile, stream-like behaviour. (warning control file keyword: address_clauses).

--- Warning : 397 : Variables of type XXX can never be initialized before use.

A variable of a private type can only be used (without generating a data flow error) if there is some way of giving it an initial value. For a limited private type only a procedure that has an export of that type and no imports of that type is suitable. For a private type either a procedure, function or (deferred) constant is required.

--- Warning : 398 : The own variable XXX can never be initialized before use.

The own variable can only be used (without generating a data flow error) if there is some way of giving it an initial value. If it is initialized during package elaboration (or implicitly by the environment because it represents an input port) it should be placed in an "initializes" annotation. Otherwise there needs to be some way of assigning an initial value during program execution. Either the own variable needs to be declared in the visible part of the package so that a direct assignment can be made to it or, more usually, the package must declare at least one procedure for which the own variable is an export but not an import. Note that if the own variable is an abstract own variable with some constituents initialized during elaboration and some during program execution then it will never be possible correctly to initialize it; such abstract own variables must be divided into separate initialized and uninitialized components.

--- Warning : 399 : The called subprogram has semantic errors in its interface (parameters and/or annotations) which prevent flow analysis of this call.

Issued to inform the user that flow analysis has been suppressed because of the error in the called subprogram's interface.

--- Warning : 9 : The body of XXX has a hidden exception handler - analysis and verification of contracts for this handler have not been performed.

Issued when a --# hide XXX annotation is used to hide a user-defined exception handler. (warning control file keyword: handler_parts).

--- Warning : 10 : XXX is hidden - hidden text is ignored by the Examiner.

Issued when a --# hide XXX annotation is used. (warning control file keyword: hidden_parts).

--- Warning : 400 : Variable XXX is declared but not used.

Issued when a variable declared in a subprogram is neither referenced, nor updated. (warning control file keyword: unused_variables).

--- Warning : 402 : Default assertion planted to cut loop.

In order to prove properties of code containing loops, the loop must be "cut" with a suitable assertion statement. When generating run-time checks, the Examiner inserts a simple assertion to cut any loops which do not have one supplied by the user. The assertion is placed at the point where this warning appears in the listing file. The default assertion asserts that the subprogram's precondition (if any) is satisfied, that all imports to it are in their subtypes and that any for loop counter is in its subtype. In many cases this provides sufficient information to complete a proof of absence of run-time errors. If more information is required, then the user can supply an assertion and the Examiner will append the above information to it. (warning control file keyword: default_loop_assertions).

--- Warning : 403 : XXX is declared as a variable but used as a constant.

XXX is a variable which was initialized at declaration but whose value is only ever read not updated; it could therefore have been declared as a constant. (warning control file keyword: constant_variables).

--- Warning : 404 : Subprogram imports variables of abstract types for which run-time checks cannot be generated.

--- Warning : 405 : VCs for statements including real numbers are approximate.

The Examiner generates VCs associated with real numbers using perfect arithmetic rather than the machine approximations used on the target platform. It is possible that rounding errors might cause a Constraint_Error even if these run-time check proofs are completed satisfactorily. (warning control file keyword: real_rtcs).

--- Warning : 406 : VC Generator unable to create output files. Permission is required to create directories and files in the output directory.

This message is echoed to the screen if the Examiner is unable to create output files for the VCs being generated (for instance, if the user does not have write permission for the output directory).

--- Warning : 407 : This package requires a body. Care should be taken to provide one because an Ada compiler will not detect its omission.

Issued where SPARK own variable and initialization annotations make it clear that a package requires a body but where no Ada requirement for a body exists.

--- Warning : 408 : VCs could not be generated for this subprogram owing to semantic errors in its specification or body. Unprovable (False) VC generated.

Semantic errors prevent VC Generation, so a single False VC is produced. This will be detected and reported by POGS.

--- Warning : 409 : VCs could not be generated for this subprogram due to its size and/or complexity exceeding the capacity of the VC Generator. Unprovable (False) VC generated.

A subprogram which has excessive complexity of data structure or number of paths may cause the VC Generator to exceed its capacity. A single False VC is generated in this case to make sure this error is detected in subsequent proof and analysis with POGS.

--- Warning : 410 : Task or interrupt handler XXX is either unavailable (hidden) or has semantic errors in its specification which prevent partition-wide flow analysis being carried out.

Partition-wide flow analysis is performed by checking all packages withed by the main program for tasks and interrupt handlers and constructing an overall flow relation that captures their cumulative effect. It is for this reason that SPARK requires task and protected types to be declared in package specifications. If a task or protected type which contains an interrupt handler, is hidden from the Examiner (in a hidden package private part) or contains errors in it specification, the partition-wide flow analysis cannot be constructed correctly and is therefore suppressed. Correct the specification of the affected tasks and (temporarily if desired) make them visible to the Examiner.

--- Warning : 411 : Task type XXX is unavailable and has not been considered in the shared variable check.

The Examiner checks that there is no potential sharing of unprotected data between tasks. If a task type is hidden from the Examiner in a hidden package private part, then it is not possible to check whether that task may share unprotected data.

--- Warning : 412 : Task type XXX is unavailable and has not been considered in the max-one-in-a-queue check.

The Examiner checks that no more than one task can suspend on a single object. If a task is hidden from the Examiner in a hidden package private part, then it is not possible to check whether that task may suspend on the same object as another task.

--- Warning : 413 : Task or main program XXX has errors in its annotations. The shared variable and max-one-in-a-queue checks may be incomplete.

The Examiner checks that no more than one task can suspend on a single object and that there is no potential sharing of unprotected data between tasks. These checks depend on the accuracy of the annotations on the task types withed by the main program. If these annotations contain errors, then any reported violations of the shared variable and max-one-in-a-queue checks will be correct; however, the check may be incomplete. The errors in the task annotations should be corrected.

--- Warning : 414 : Long output file name has been truncated.

Raised if an output file name is longer than the limit imposed by the operating system and has been truncated. Section 4.7 of the Examiner User Manual describes how the output file names are constructed. If this message is seen there is a possibility that the output from two or more subprograms will be written to the same file name, if they have a sufficiently large number of characters in common.

--- Warning : 415 : The analysis of generic packages is not yet supported. It will be supported in a future release of the Examiner.

--- Warning : 420 : Instance of SEPR 2124 found. An extra VC will be generated here and must be discharged to ensure absence of run-time errors. Please seek advice for assistance with this issue.

In release 7.5 of the Examiner, a flaw in the VC generation was fixed such that subcomponents of records and elements of arrays when used as "out" or "in out" parameters will now generate an additional VC to verify absence of run-time errors. This warning flags an instance of this occurrence. Please read the release note and/or seek advice for assistance with this issue.

--- Warning : 425 : The -vcg switch should be used with the selected language profile.

A code generator language profile such as KCG is in use and so conditional flow errors may be present in the subprogram. Therefore the -vcg switch must be used to generate VCs and the VCs related to definedness discharged using the proof tools.

--- Warning : 426 : The with_clause contains a reference to a public child of the package. The Examiner will not detect mutual recursion between subprograms of the two packages.

A code generator language profile such as KCG allows a package body to with its own public child which is not normally permitted in SPARK. The removal of this restriction means that the Examiner will not detect mutual recursion between subprograms declared in the visible parts of the package and its child. The code generator is expected to guarantee the absence of recursion.

--- Warning : 430 : SLI generation abandoned owing to syntax or semantic errors or multiple units in a single source file.

--- Warning : 431 : Preconditions on the main program are assumed to be true and not checked by the VC generation system.

--- Warning : 444 : Assumptions cannot be checked and must be justified with an accept annotation.

--- Warning : 495 : The VC file XXX has a pathname longer than 255 characters which can produce unexpected problems on Windows with respect to the SPARK tools (undischarged VCs) and other tools.

There is little that can be done to work around this as this is a fundamental limitation of Windows. You could try one of the following: Perform analysis higher up in the directory tree (i.e. in C:\a instead of C:\project_name\spark\analysis). You could try remapping a directory to a new drive to do the same (google for subst). You could try renaming or restructuring your program to flatten the structure a bit. And finally you can perform analysis on a UNIX system such as Mac OSX or GNU/Linux as they do not suffer from this problem.

??? Flow Error : 501 : Expression contains reference(s) to variable XXX, which may have an undefined value.

The expression may be that in an assignment or return statement, an actual parameter, or a condition occurring in an if or case statement, an iteration scheme or exit statement. The Examiner has identified at least one syntactic path to this point where the variable has NOT been given a value. Conditional data flow errors are extremely serious and must be carefully investigated. NOTE: the presence of random and possibly invalid values introduced by data flow errors invalidates proof of exception freedom for the subprogram body which contains them. All reports of data flow errors must be eliminated or shown to be associated with semantically infeasible paths before attempting exception freedom proofs. See the manual "SPARK Proof Manual " for full details.

??? Flow Error : 504 : Statement contains reference(s) to variable XXX, which may have an undefined value.

The statement here is a procedure call, and the variable XXX may appear in an actual parameter, whose value is imported when the procedure is executed. If the variable XXX does not occur in the actual parameter list, it is an imported global variable of the procedure (named in its global definition). The Examiner has identified at least one syntactic path to this point where the variable has NOT been given a value. Conditional data flow errors are extremely serious and must be carefully investigated. NOTE: the presence of random and possibly invalid values introduced by data flow errors invalidates proof of exception freedom for the subprogram body which contains them. All reports of data flow errors must be eliminated or shown to be associated with semantically infeasible paths before attempting exception freedom proofs. See the manual "SPARK Proof Manual " for full details.

??? Flow Error : 601 : YYY may be derived from the imported value(s) of XXX.

Here the item on the left of "may be derived from ..." is an exported variable and the item(s) on the right are imports of a procedure subprogram. The message reports a possible dependency, found in the code, which does not appear in the specified dependency relation (derives annotation). The discrepancy could be caused by an error in the subprogram code which implements an unintended dependency. It could also be in an error in the subprogram derives annotation which omits a necessary and intended dependency. Finally, the Examiner may be reporting a false coupling between two items resulting from a non-executable code path or the sharing of disjoint parts of structured or abstract data (e.g one variable writing to one element of an array and another variable reading back a different element). Unexpected dependencies should be investigated carefully and only accepted without modification of either code or annotation if it is certain they are of "false coupling" kind.

??? Flow Error : 601 : The imported value of XXX may be used in the derivation of YYY.

Here first item is an import and the second is an export of a procedure subprogram. The message reports a possible dependency, found in the code, which does not appear in the specified dependency relation. This version of the message has been retained for backward compatibility.

??? Flow Error : 602 : The undefined initial value of XXX may be used in the derivation of YYY.

Here XXX is a non-imported variable, and YYY is an export, of a procedure subprogram.

??? Flow Error : 605 : Information flow from XXX to YYY violates information flow policy.

This message indicates a violation of security or safety policy, such as information flow from a Secret input to an Unclassified output.

??? Flow Error : 606 : The imported value of XXX may be used in the derivation of YYY. Furthermore, this information flow violates information flow policy.

Here XXX is an import and YYY is an export of a procedure subprogram. The message reports a possible dependency, found in the code, which does not appear in the specified dependency relation. If this dependency did appear in the dependency relation, then it would also constitute an integrity violation.

!!! Flow Error : 20 : Expression contains reference(s) to variable XXX which has an undefined value.

The expression may be that in an assignment or return statement, an actual parameter, or a condition occurring in an if or case statement, an iteration scheme or exit statement. NOTE: the presence of random and possibly invalid values introduced by data flow errors invalidates proof of exception freedom for the subprogram body which contains them. All unconditional data flow errors must be eliminated before attempting exception freedom proofs. See the manual "SPARK Proof Manual" for full details.

!!! Flow Error : 23 : Statement contains reference(s) to variable XXX which has an undefined value.

The statement here is a procedure call or an assignment to an array element, and the variable XXX may appear in an actual parameter, whose value is imported when the procedure is executed. If the variable XXX does not occur in the actual parameter list, it is an imported global variable of the procedure (named in its global definition). NOTE: the presence of random and possibly invalid values introduced by data flow errors invalidates proof of exception freedom for the subprogram body which contains them. All unconditional data flow errors must be eliminated before attempting exception freedom proofs. See the manual "SPARK Proof Manual" for full details.

!!! Flow Error : 22 : Value of expression is invariant.

The expression is either a case expression or a condition (Boolean-valued expression) associated with an if-statement, not contained in a loop statement. The message indicates that the expression takes the same value whenever it is evaluated, in all program executions. Note that if the expression depends on values obtained by a call to another other subprogram then a possible source for its invariance might be an incorrect annotation on the called subprogram.

!!! Flow Error : 30 : The variable XXX is imported but neither referenced nor exported.

!!! Flow Error : 31 : The variable XXX is exported but not (internally) defined.

!!! Flow Error : 32 : The variable XXX is neither imported nor defined.

!!! Flow Error : 33 : The variable XXX is neither referenced nor exported.

!!! Flow Error : 34 : The imported, non-exported variable XXX may be redefined.

The updating of imported-only variables is forbidden under all circumstances.

!!! Flow Error : 35 : Importation of the initial value of variable XXX is ineffective.

The meaning of this message is explained in Section 4.2 of Appendix A.

!!! Flow Error : 36 : The referencing of variable XXX by a task or interrupt handler has been omitted from the partition annotation.

This message is only issued when processing the partition annotation. The partition annotation must describe all the actions of the tasks and interrupt handlers making up the program. Therefore, if a variable is imported somewhere in the program by a task or interrupt handler, then it must also be an import at the partition level. As well as the omission of explicit imports, this message is also generated if the implicit imports of tasks and interrupt handlers are omitted. For tasks this means any variable the task suspends on and for interrupt handlers it means the name of the protected object containing the handler or, if given, the name of the interrupt stream associated with the handler.

!!! Flow Error : 37 : The updating of variable XXX by a task or interrupt handler has been omitted from the partition annotation.

This message is only issued when processing the partition annotation. The partition annotation must describe all the actions of the tasks and interrupt handlers making up the program. Therefore, if a variable is exported somewhere in the program by a task or interrupt handler, then it must also be an export at the partition level.

!!! Flow Error : 38 : The protected element XXX must be initialized at its point of declaration.

To avoid potential race conditions during program startup, all elements of a protected type must be initialized with a constant value at the point of declaration.

!!! Flow Error : 50 : YYY is not derived from the imported value(s) of XXX.

The item before "is not derived ..." is an export or function return value and the item(s) after are imports of the subprogram. The message indicates that a dependency, stated in the dependency relation (derives annotation) or implied by the function signature is not present in the code. The absence of a stated dependency is always an error in either code or annotation.

!!! Flow Error : 50 : The imported value of XXX is not used in the derivation of YYY.

The variable XXX, which appears in the dependency relation of a procedure subprogram, as an import from which the export YYY is derived, is not used in the code for that purpose. YYY may be a function return value. This version of the message has been retained for backward compatibility.

!!! Flow Error : 53 : The package initialization of XXX is ineffective.

Here XXX is an own variable of a package, initialized in the package initialization. The message states that XXX is updated elsewhere, before being read.

!!! Flow Error : 54 : The initialization at declaration of XXX is ineffective.

Issued if the value assigned to a variable at declaration cannot affect the final value of any exported variable of the subprogram in which it occurs because, for example, it is overwritten before it is used.

!!! Flow Error : 57 : Information flow from XXX to YYY violates the selected information flow policy.

Issued if safety or security policy checking is enabled and the specified dependency relation contains a relationship in which the flow of information from state or input to state or output violates the selected policy.

!!! Flow Error : 1 : The previously stated updating of XXX has been omitted.

XXX occurred as an export in the earlier dependency relation but neither XXX nor any refinement constituent of it occurs in the refined dependency relation.

!!! Flow Error : 2 : The updating of XXX has not been previously stated.

A refinement constituent of XXX occurs as an export in the refined dependency relation but XXX does not occur as an export in the earlier dependency relation.

!!! Flow Error : 3 : The previously stated dependency of the exported value of XXX on the imported value of YYY has been omitted.

The dependency of the exported value of XXX on the imported value of YYY occurs in the earlier dependency relation but in the refined dependency relation, no constituents of XXX depend on any constituents of YYY.

!!! Flow Error : 4 : The dependency of the exported value of XXX on the imported value of YYY has not been previously stated.

A refined dependency relation states a dependency of XXX or a constituent of XXX on YYY or a constituent of YYY, but in the earlier relation, no dependency of XXX on YYY is stated.

!!! Flow Error : 5 : The (possibly implicit) dependency of the exported value of XXX on its imported value has not been previously stated.

Either a dependency of a constituent of XXX on at least one constituent of XXX occurs in the refined dependency relation, or not all the constituents of XXX occur as exports in the refined dependency relation. However, the dependency of XXX on itself does not occur in the earlier dependency relation.

!!! Flow Error : 40 : Exit condition is stable, of index 0.

!!! Flow Error : 40 : Exit condition is stable, of index 1.

!!! Flow Error : 40 : Exit condition is stable, of index greater than 1.

In these cases the (loop) exit condition occurs in an iteration scheme, an exit statement, or an if-statement whose (unique) sequence of statements ends with an unconditional exit statement - see the SPARK Definition. The concept of loop stability is explained in Section 4.4 of Appendix A. A loop exit condition which is stable of index 0 takes the same value at every iteration around the loop, and with a stability index of 1, it always takes the same value after the first iteration. Stability with indices greater than 0 does not necessarily indicate a program error, but the conditions for loop termination require careful consideration.

!!! Flow Error : 41 : Expression is stable, of index 0.

!!! Flow Error : 41 : Expression is stable, of index 1.

!!! Flow Error : 41 : Expression is stable, of index greater than 1.

The expression, occurring within a loop, is either a case expression or a condition (Boolean-valued expression) associated with an if-statement, whose value determines the path taken through the body of the loop, but does not (directly) cause loop termination. Information flow analysis shows that the expression does not vary as the loop is executed, so the same branch of the case or if statement will be taken on every loop iteration. An Index of 0 means that the expression is immediately stable, 1 means it becomes stable after the first pass through the loop and so on. The stability index is given with reference to the loop most closely-containing the expression. Stable conditionals are not necessarily an error but do require careful evaluation; they can often be removed by lifting them outside the loop.

!!! Flow Error : 10 : Ineffective statement.

Execution of this statement cannot affect the final value of any exported variable of the subprogram in which it occurs. The cause may be a data-flow anomaly (i.e. the statement could be an assignment to a variable, which is always updated again before it is read. However, statements may be ineffective for other reasons - see Section 4.1 of Appendix A.

!!! Flow Error : 10 : Assignment to XXX is ineffective.

This message always relates to a procedure call or an assignment to a record. The variable XXX may be an actual parameter corresponding to a formal one that is exported; otherwise XXX is an exported global variable of the procedure. The message indicates that the updating of XXX, as a result of the procedure call, has no effect on any final values of exported variables of the calling subprogram. Where the ineffective assignment is expected (e.g. calling a supplied procedure that returns more parameters than are needed for the immediate purpose), it can be a useful convention to choose a distinctive name, such as "Unused" for the actual parameter concerned. The message "Assignment to Unused is ineffective" is then self-documenting.

*** Illegal Structure : 1 : An exit statement may not occur here.

Exit statements must be of the form "exit when c;" where the closest enclosing statement is a loop or "if c then S; exit;" where the if statement has no else part and its closest enclosing statement is a loop. See the SPARK Definition for details.

*** Illegal Structure : 2 : A return statement may not occur here.

A return statement may only occur as the last statement of a function.

*** Illegal Structure : 3 : The last statement of this function is not a return statement.

SPARK requires that the last statement of a function be a return statement.

*** Illegal Structure : 4 : Return statements may not occur in procedure subprograms.

--- note : 1 : This dependency relation was not used for this analysis and has not been checked for accuracy.

Issued when information flow analysis is not performed and when modes were specified in the global annotation. It is a reminder that the dependencies specified in this annotation (including whether each variable is an import or an export) have not been checked against the code, and may therefore be incorrect. (warning control file keyword: notes).

--- note : 2 : This dependency relation has been used only to identify imports and exports, dependencies have been ignored.

Issued as a reminder when information flow analysis is not performed in SPARK 83. The dependencies specified in this annotation have not been checked against the code, and may therefore be incorrect. (warning control file keyword: notes).

--- note : 3 : The deferred constant Null_Address has been implicitly defined here.

Issued as a reminder that the declaration of the type Address within the target configuration file implicitly defines a deferred constant of type Null_Address. (warning control file keyword: notes).

--- note : 4 : The constant Default_Priority, of type Priority, has been implicitly defined here.

Issued as a reminder that the declaration of the subtype Priority within the target configuration file implicitly defines a constant Default_Priority, of type Priority, with the value (Priority'First + Priority'Last) / 2. (warning control file keyword: notes).

!!! Program has a cyclic path without an assertion.

SPARK generates VCs for paths between cutpoints in the code; these must be chosen by the developer in such a way that every loop traverses at least one cutpoint. If the SPARK Examiner detects a loop which is not broken by a cutpoint, it cannot generate verification conditions for the subprogram in which the loop is located, and instead, issues this warning. This can only be corrected by formulating a suitable loop-invariant assertion for the loop and including it as an assertion in the SPARK text at the appropriate point.

!!! Unexpected node kind in main tree.

This message indicates corruption of the syntax tree being processed by the VC Generator. It should not be seen in normal operation.