guideline

Consider specifying bounds on loops .

Consider specifying bounds on recursion .

Establishing an iteration bound:

Safety_Counter := 0;
Process_List:
   loop
      exit when Current_Item = null;
      ...
      Current_Item := Current_Item.Next;
      ...
      Safety_Counter := Safety_Counter + 1;
      if Safety_Counter > 1_000_000 then
         raise Safety_Error;
      end if;
   end loop Process_List;

Establishing a recursion bound:

subtype Recursion_Bound is Natural range 0 .. 1_000;

procedure Depth_First (Root           : in     Tree;
                       Safety_Counter : in     Recursion_Bound
                                      := Recursion_Bound'Last) is
begin
   if Root /= null then
      if Safety_Counter = 0 then
         raise Recursion_Error;
      end if;
      Depth_First (Root           => Root.Left_Branch,
                   Safety_Counter => Safety_Counter - 1);

      Depth_First (Root           => Root.Right_Branch,
                   Safety_Counter => Safety_Counter - 1);
      ... -- normal subprogram body
   end if;
end Depth_First;

Following are examples of this subprogram's usage. One call specifies a maximum recursion depth of 50. The second takes the default (1,000). The third uses a computed bound:

Depth_First(Root => Tree_1, Safety_Counter => 50);
Depth_First(Tree_2);
Depth_First(Root => Tree_3, Safety_Counter => Current_Tree_Height);

rationale

Recursion, and iteration using structures other than for statements, can be infinite because the expected terminating condition does not arise. Such faults are sometimes quite subtle, may occur rarely, and may be difficult to detect because an external manifestation might be absent or substantially delayed.