cubesatlab / cubedos

A flight software framework in SPARK/Ada


Fix Async SPARK Proofs

Eric-Edlund opened this issue · comments

After #43, messages and payloads are passed around as heap references and must be manually freed. A problem with this in practice is that SPARK has a hard time dealing with the Ada.Unchecked_Deallocation procedure. It believes that the procedure is a potentially blocking operation and issues unnecessary warnings any time it is used inside protected objects. The same warning is produced for all the debugger calls inside the message manager, and in various other places.

This is obviously incredibly annoying and dangerous, as it obscures real issues SPARK could be finding. Currently the message manager has 30+ warnings for no reason because of this.

I've read that Ada 2022 supports an aspect Nonblocking which can be used to communicate to SPARK that what we're doing is fine. It appears that GNAT has not implemented this feature, so I'm leaving this issue to let future people know there is a solution.

https://stackoverflow.com/questions/58843940/specify-that-a-subprogram-in-another-package-is-not-blocking
http://www.ada-auth.org/standards/22over/Ada2022-Overview.pdf

This problem should disappear now that we are officially using Ada 2022. In particular, Ada.Unchecked_Deallocation was described as "potentially blocking" by earlier Ada standards, but is now explicitly required to be nonblocking by Ada 2022 (see section 13.11.2 of the Ada 2022 standard).
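The following is an added illustration, not code from this issue or from CubedOS, of the pattern the thread discusses: a protected object that frees a heap-allocated payload and calls a trace routine from inside a protected operation, with the trace routine declared `Nonblocking` so that the prover has no reason to flag the call as potentially blocking. It assumes an Ada 2022 / SPARK toolchain (`pragma Ada_2022`); the names `Mailbox_Example`, `Mailbox`, `Payload`, `Free_Payload` and `Debug_Trace` are hypothetical and do not correspond to anything in the CubedOS message manager.

```ada
pragma Ada_2022;
pragma SPARK_Mode (On);

with Ada.Unchecked_Deallocation;

--  Hypothetical package (added example, not CubedOS code).
package Mailbox_Example is

   type Payload is array (Positive range <>) of Character;
   type Payload_Access is access Payload;

   type Message is record
      Data : Payload_Access;
   end record;

   --  In Ada 2022 the generic Ada.Unchecked_Deallocation is itself declared
   --  Nonblocking (RM 13.11.2), so this instance is nonblocking as well and
   --  may be called from a protected operation without a warning.
   procedure Free_Payload is new Ada.Unchecked_Deallocation
     (Object => Payload, Name => Payload_Access);

   --  A trace hook of the kind called from inside protected operations.
   --  Declaring it Nonblocking tells the compiler and prover that calling it
   --  from a protected action is legitimate; the body must honour that.
   procedure Debug_Trace (Text : String)
     with Nonblocking, Global => null;

   protected type Mailbox is
      --  Takes ownership of M.Data; M.Data is null on return.
      procedure Put (M : in out Message);
      --  Frees the stored payload, if any, and reports via Debug_Trace.
      procedure Drop
        with Nonblocking;
   private
      Current : Message := (Data => null);
      Full    : Boolean := False;
   end Mailbox;

end Mailbox_Example;

package body Mailbox_Example
  with SPARK_Mode => On
is

   procedure Debug_Trace (Text : String) is
      pragma Unreferenced (Text);
   begin
      --  Sink. A real implementation would append to a preallocated
      --  buffer; it must not perform I/O or anything else that can block.
      null;
   end Debug_Trace;

   protected body Mailbox is

      procedure Put (M : in out Message) is
      begin
         --  Move the access value in; SPARK ownership requires the source
         --  to be nulled so there is a single owner of the payload.
         Current := M;
         M.Data  := null;
         Full    := True;
      end Put;

      procedure Drop is
      begin
         if Current.Data /= null then
            --  Nonblocking in Ada 2022, so no "potentially blocking
            --  operation in protected operation" warning is expected here.
            Free_Payload (Current.Data);
         end if;
         Full := False;
         Debug_Trace ("mailbox dropped");
      end Drop;

   end Mailbox;

end Mailbox_Example;
```

The point of `Nonblocking` on `Debug_Trace` is that the property is checked where the subprogram is declared, not guessed at each call site: if its body later calls something that is not nonblocking, the compiler rejects it there, and every protected operation that calls it stays warning-free.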