SIGAda 2001 - Copyright © 2001 Praxis Critical Systems Limited  Peter Amey Praxis Critical Systems A Language for Systems not Just Software.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Inspection of Safety-Critical Software Using Program- Function Tables Jeffrey Smith, Richard Bruno, Vince Fumo.
Modules Program is built out of components. Each component defines a set of logically related entities (strong internal coupling) A component has a public.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Slide: 1 Copyright © AdaCore Packages Presented by Quentin Ochem university.adacore.com.
Programming Languages and Paradigms
Programming Paradigms Introduction. 6/15/2005 Copyright 2005, by the authors of these slides, and Ateneo de Manila University. All rights reserved. L1:
Copyright © 2001 Praxis Critical Systems Limited  New and Exciting Things in the World of SPARK Roderick Chapman Praxis Critical Systems.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.
Modeling SPARK Systems with UML Xavier Sautejeau SigAda’05 © Sodius.
Presented by David LESENS and Johannes KANIG Thursday, 16 May 2013 Astrium Space Transportation AdaCore Formal Validation of Aerospace Software DASIA 2013.
Closing the Loop - Copyright © 2002 Praxis Critical Systems Limited  Peter Amey Praxis Critical Systems Closing the Loop: The Influence of Code Analysis.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
HCSSAS Capabilities and Limitations of Static Error Detection in Software for Critical Systems S. Tucker Taft CTO, SofCheck, Inc., Burlington, MA, USA.
Software Engineering and Design Principles Chapter 1.
Modules Program is built out of components. Each component defines a set of logically related entities (strong internal coupling) A component has a public.
ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
Chapter 15 Design, Coding, and Testing. Copyright © 2005 Pearson Addison-Wesley. All rights reserved Design Document The next step in the Software.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Chapter 1 Principles of Programming and Software Engineering.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Verification and Validation
Romaric GUILLERM Hamid DEMMOU LAAS-CNRS Nabil SADOU SUPELEC/IETR.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
Language Evaluation Criteria
Verification and Validation Yonsei University 2 nd Semester, 2014 Sanghyun Park.
Semantic Analysis Legality checks –Check that program obey all rules of the language that are not described by a context-free grammar Disambiguation –Name.
MT311 Java Application Development and Programming Languages Li Tak Sing( 李德成 )
Software Models (Cont.) 9/22/2015ICS 413 – Software Engineering1 -Component-based software engineering -Formal Development Model.
Is Proof More Cost-Effective Than Testing? Presented by Yin Shi.
Porting Implementation of Packet Utilization Standard from ADA to JAVA Annelie Hultman (TEC-EME) Donata Pedrazzani (TEC-EMS) ESA/ESTEC 2004 JPUS de-briefing.
1 Life Cycle of Software Specification Design –Risk Analysis –Verification Coding Testing –Refining –Production Maintenance.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.
Slide: 1 Copyright © AdaCore Subprograms Presented by Quentin Ochem university.adacore.com.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.
1 Programming Languages and the Software Production Process Informal Cardelli’s metrics of programming languages fitness to real-time applications: Economy.
COP4020 Programming Languages Names, Scopes, and Bindings Prof. Xin Yuan.
High Integrity Ada in a UML and C world Peter Amey, Neil White Presented by Liping Cai.
© Andrew IrelandDependable Systems Group Static Analysis and Program Proof Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt University.
© Andrew IrelandDependable Systems Group Invariant Patterns for Program Reasoning Andrew Ireland Dependable Systems Group School of Mathematical & Computer.
The Evolution of Programming Languages Day 2 Lecturer: Xiao Jia The Evolution of PLs1.
SOFTWARE DESIGN. INTRODUCTION There are 3 distinct types of activities in design 1.External design 2.Architectural design 3.Detailed design Architectural.
Ch Ch jcmt CSE 3302 Programming Languages CSE3302 Programming Languages (notes, notes, notes) Dr. Carter Tiernan.
Topics AliasesSubprograms Generics & Configurations.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
ECSE Software Engineering 1I HO 4 © HY 2012 Lecture 4 Formal Methods A Library System Specification (Continued) From Specification to Design.
Chapter 10, Slide 1 ABSTRACT DATA TYPES Based on the fundamental concept of ABSTRACTION:  process abstraction  data abstraction Both provide:  information.
1 © AdaCore under the GNU Free Documentation License Franco Gasperoni
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Ch. 5 Ch. 51 jcmt Summer 2003Programming Languages CSE3302 Programming Languages (more notes) Summer 2003 Dr. Carter Tiernan.
Principles of programming languages 10: Object oriented languages Isao Sasano Department of Information Science and Engineering.
08120: Programming 2: SoftwareTesting and Debugging Dr Mike Brayshaw.
SAFEWARE System Safety and Computers Chap18:Verification of Safety Author : Nancy G. Leveson University of Washington 1995 by Addison-Wesley Publishing.
(1) ICS 313: Programming Language Theory Chapter 11: Abstract Data Types (Data Abstraction)
Ada, Scheme, R Emory Wingard. Ada History Department of Defense in search of high level language around Requirements drafted for the language.
CSC 243 – Java Programming, Spring, 2014 Week 4, Interfaces, Derived Classes, and Abstract Classes.
7-Nov Fall 2001: copyright ©T. Pearce, D. Hutchinson, L. Marshall Oct lecture23-24-hll-interrupts 1 High Level Language vs. Assembly.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
J-P. Rosen Adalog J-P. Rosen Adalog The contract model of Ada 2012.
Principles of Programming & Software Engineering
SWEN421 – Lecture 3 Building High Integrity Software with SPARK Ada
Principles of Programming and Software Engineering
Component Implementations Using RESOLVE
Thanyapat Sakunkonchak Masahiro Fujita
Contract-Based Programming with/without Ada 2012
Presentation transcript:

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Peter Amey Praxis Critical Systems A Language for Systems not Just Software

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Static Analysis Overview Identifying properties of a program without execution –style, coding standards, dubious construct detection –language subset conformance, wellformedness –control flow and complexity –data flow analysis –information flow analysis –proof (or formal verification) An Ada compiler is a powerful static analyser Analysis: shows that a program should work in all cases Testing: shows that it does work for certain specific cases

SIGAda Copyright © 2001 Praxis Critical Systems Limited  SPARK Goals Precise static analysis Early use of static analysis Facilitated by: –an exact language –removal of ambiguous and erroneous constructs –annotations

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Why Annotations? Annotations strengthen specifications –Ada separation of specifications/implementations too weak Allows analysis without access to implementations –which can be done early on during development –even before programs are complete or compilable Allows efficient detection of erroneous constructs

SIGAda Copyright © 2001 Praxis Critical Systems Limited  An example procedure Inc (X : in out Integer); --# global in out Callcount; detection of function side-effect function AddOne (X : Integer) return Integer is XLocal : Integer := X; begin Inc (Xlocal); return XLocal; end AddOne; detection of aliasing Inc (CallCount);

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code package P is procedure Inc (X : in out Integer); --# global in out CallCount; end P;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code package P is procedure Inc (X : in out Integer); --# global in out CallCount; end P; --# own CallCount; --# initializes CallCount;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code package P is procedure Inc (X : in out Integer); --# global in out CallCount; end P; --# own CallCount; --# initializes CallCount; package body P is CallCount : Integer := 0; procedure Inc (X : in out Integer) is begin X := X + 1; CallCount := CallCount + 1; end Inc; end P;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code package P is procedure Inc (X : in out Integer); --# global in out CallCount; end P; --# own CallCount; --# initializes CallCount; package body P is CallCount : Integer := 0; procedure Inc (X : in out Integer) is begin X := X + 1; CallCount := CallCount + 1; end Inc; end P;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Evolution of Annotations Initially annotations were about code package P is procedure Inc (X : in out Integer); --# global in out CallCount; end P; --# own CallCount; --# initializes CallCount; They evolved better to describe abstractions

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Refinement package Stack --# own State; is procedure Clear; --# global out State; --# derives State from ; procedure Push (X : in Integer); --# global in out State; --# derives State from State, X; procedure Pop (X : out Integer); --# global in out State; --# derives X, State from State; end Stack; package body Stack --# own State is Vector, Ptr; is MaxDepth : constant := 100; type Ptrs is range 0.. MaxDepth; subtype Indexes is Ptrs range 1.. MaxDepth; type Vectors is array (Indexes) of Integer; Ptr : Ptrs; Vector : Vectors;... procedure Push (X : in Integer); --# global in out Ptr, Vector; --# derives Vector from Vector, --# X, Ptr & --# Ptr from Ptr;...

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Refinement package Stack --# own State; is procedure Clear; --# global out State; --# derives State from ; procedure Push (X : in Integer); --# global in out State; --# derives State from State, X; procedure Pop (X : out Integer); --# global in out State; --# derives X, State from State; end Stack; package body Stack --# own State is Vector, Ptr; is MaxDepth : constant := 100; type Ptrs is range 0.. MaxDepth; subtype Indexes is Ptrs range 1.. MaxDepth; type Vectors is array (Indexes) of Integer; Ptr : Ptrs; Vector : Vectors;... procedure Push (X : in Integer); --# global in out Ptr, Vector; --# derives Vector from Vector, --# X, Ptr & --# Ptr from Ptr;...

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Refinement package Stack --# own State; is procedure Clear; --# global out State; --# derives State from ; procedure Push (X : in Integer); --# global in out State; --# derives State from State, X; procedure Pop (X : out Integer); --# global in out State; --# derives X, State from State; end Stack; package body Stack --# own State is Vector, Ptr; is MaxDepth : constant := 100; type Ptrs is range 0.. MaxDepth; subtype Indexes is Ptrs range 1.. MaxDepth; type Vectors is array (Indexes) of Integer; Ptr : Ptrs; Vector : Vectors;... procedure Push (X : in Integer); --# global in out Ptr, Vector; --# derives Vector from Vector, --# X, Ptr & --# Ptr from Ptr;...

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Refinement package Stack --# own State; is procedure Clear; --# global out State; --# derives State from ; procedure Push (X : in Integer); --# global in out State; --# derives State from State, X; procedure Pop (X : out Integer); --# global in out State; --# derives X, State from State; end Stack; package body Stack --# own State is Vector, Ptr; is MaxDepth : constant := 100; type Ptrs is range 0.. MaxDepth; subtype Indexes is Ptrs range 1.. MaxDepth; type Vectors is array (Indexes) of Integer; Ptr : Ptrs; Vector : Vectors;... procedure Push (X : in Integer); --# global in out Ptr, Vector; --# derives Vector from Vector, --# X, Ptr & --# Ptr from Ptr;...

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Interactions with the Environment

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Volatility X := Z; Y := Z; does X = Y ? Z : integer; for Z’Address use...

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Modelling Volatility package Temperature --# own Inputs; --# initializes Inputs; is procedure Read (X : out Celsius); --# global in out Inputs; --# derives X from Inputs & --# Inputs from Inputs; end Temperature;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Modelling Volatility package Temperature --# own in Inputs; --# initializes Inputs; is procedure Read (X : out Celsius); --# global in out Inputs; --# derives X from Inputs; & --# Inputs from Inputs; end Temperature;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Modelling Volatility package Temperature --# own in Inputs; is procedure Read (X : out Celsius); --# global in Inputs; --# derives X from Inputs; end Temperature;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Case Study - Water Contents Monitor

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Sensors package WaterHighSensor --# own in State; is function IsActive return Boolean; --# global State; end WaterHighSensor; package WaterLowSensor --# own in State; is function IsActive return Boolean; --# global State; end WaterLowSensor;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Actuators package Valve is type T is (Open, Shut); end Valve; with Valve; --# inherit Valve; package FillValve --# own out State; is procedure SetTo (Setting : in Valve.T); --# global out State; --# derives State from Setting; end FillValve;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Fault Integrator Abstract Type package FaultIntegrator is type T is limited private; procedure Init (FI : out T; Threshold : in Positive); --# derives FI from Threshold; procedure Test (FI : in out T; CurrentEvent : in Boolean; IntegratedEvent : out Boolean); --# derives IntegratedEvent, --# FI from FI, CurrentEvent; private --# hide FaultIntegrator; end FaultIntegrator;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Main controller procedure Main --# global in WaterHighSensor.State, --# WaterLowSensor.State; --# out FillValve.State, --# DrainValve.State; --# derives FillValve.State from --# WaterLowSensor.State & --# DrainValve.State from --# WaterHighSensor.State; is HighIntegrator, LowIntegrator : FaultIntegrator.T; HighThreshold : constant Positive := 10; LowThreshold : constant Positive := 10;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Main controller procedure ControlHigh --# global in WaterHighSensor.State; --# out DrainValve.State; --# in out HighIntegrator; --# derives DrainValve.State, --# HighIntegrator from --# HighIntegrator, --# WaterHighSensor.State; is separate; procedure ControlLow --# global in WaterLowSensor.State; --# out FillValve.State; --# in out LowIntegrator; --# derives FillValve.State, --# LowIntegrator from --# LowIntegrator, --# WaterLowSensor.State; is separate;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Main controller begin -- Main FaultIntegrator.Init (HighIntegrator, HighThreshold); FaultIntegrator.Init (LowIntegrator, LowThreshold); FillValve.SetTo (Valve.Shut); DrainValve.SetTo (Valve.Shut); loop ControlHigh; ControlLow; end loop; end Main;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Subunits separate (Main) procedure ControlHigh is RawFullEvent, TooFull : Boolean; begin RawFullEvent := WaterHighSensor.IsActive; FaultIntegrator.Test (HighIntegrator, RawFullEvent, -- to get TooFull); if TooFull then DrainValve.SetTo (Valve.Open); else DrainValve.SetTo (Valve.Shut); end if; end ControlHigh;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Device drivers package body WaterHighSensor --# own State is in HighSensorPort; is type Byte is mod 256; ActiveValue : constant Byte := 255; HighSensorPort : Byte; for HighSensorPort'Address use... function IsActive return Boolean --# global HighSensorPort; is RawVal : Byte; Result : Boolean; begin RawVal := HighSensorPort; if RawVal'Valid then Result := RawVal = ActiveValue; else Result := True; -- show too full on sensor failure end if; return Result; end IsActive; end WaterHighSensor;

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Traceability and Abstraction function IsActive return Boolean --# global HighSensorPort; --# own State is in HighSensorPort; function IsActive return Boolean; --# global State; --# derives FillValve.State from --# WaterLowSensor.State & --# DrainValve.State from --# WaterHighSensor.State; Low level annotation in implementation terms Refinement hiding implementation detail Annotation in spec is in abstract terms Main controller annotation entirely in abstract terms

SIGAda Copyright © 2001 Praxis Critical Systems Limited  Conclusions SPARK and the Examiner originated from research concerned with reverse engineering of code SPARK has evolved into something much more concerned with program construction than program analysis The combination of abstract own variables and modes provides mechanisms for parallel descriptions of systems and implementations that analysis binds together

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.