An Ada Programming Mistake Corrected
I originally planned to place this writing in my Finger server, but decided it's wasted effort, that
the silly thing should be retired at some point soon; this is much better written as a full article.
I lately reviewed the Ada Reference Manual, to refresh my knowledge of controlled types, and noticed
what I thought to be a flaw in my Usable_Datagram_Package library. I'd review my code again and yet
uncover a different flaw. I at first slightly misunderstood the text on how Initialize and Finalize
are called, and believed Finalize may be called on a System_Resource holding a Socket_Nonsense field
uninitialized; such an occurence would be rare, and typically harmless, but could result in a random
file descriptor's closing. After reviewing the behaviour of out parameter semantics for the by-copy
types, I realized I couldn't count on any inner calls setting the value of the field for me, meaning
a change would be needed. A rare and subtle flaw is a flaw nonetheless. That fix for such a flaw's
trivial, however, and I soon noticed that giving the field a default value of negative one suffices.
As all of this involves calls at the operating system boundary, I often use a tool called strace for
examining such things. The Ada debugger I could use is out of step with the compiler, meaning I may
not examine the behaviour of my programs nicely otherwise. It amuses me how such a basic tool isn't
standardized. I wanted to see how that behaviour would manifest, and was befuddled after it didn't.
I then noticed the true flaw in my library: No closing whatsoever was done, even after engineering a
scenario in which it should've happened. I reviewed the Ada Reference Manual again, and reading the
relevant section more carefully revealed to me that Finalize isn't called on an object with a failed
Initialize, but a partial initialization must clean up after itself before exiting, which my library
failed to do in one case. If the UDP system resource were obtained, but the port weren't, the first
operation should be undone by closing the resource before raising an exception. I corrected this by
adding such closing code to the relevant exception case and, while rather tricky to see, fixed this.
This possible resource exhaustion flaw wouldn't have been discovered within normal code, because all
UDP programs I've designed get a System_Resource at or near the beginning, or they fail immediately.
It was pleasing to correct this flaw before it affected anyone and with a change to merely one line.
How poor, that it was made and unnoticed until lately, but how nice that it was so easily corrected.