SIGAda 2001 - Copyright © 2001 Praxis Critical Systems Limited

Slide 1: A Language for Systems not Just Software
Peter Amey, Praxis Critical Systems
Slide 2: Static Analysis Overview

Identifying properties of a program without execution:
  – style, coding standards, dubious construct detection
  – language subset conformance, well-formedness
  – control flow and complexity
  – data flow analysis
  – information flow analysis
  – proof (or formal verification)

An Ada compiler is a powerful static analyser.

Analysis: shows that a program should work in all cases.
Testing: shows that it does work for certain specific cases.
Slide 3: SPARK Goals

Precise static analysis
Early use of static analysis

Facilitated by:
  – an exact language
  – removal of ambiguous and erroneous constructs
  – annotations
Slide 4: Why Annotations?

Annotations strengthen specifications
  – Ada separation of specifications/implementations too weak

Allows analysis without access to implementations
  – which can be done early on during development
  – even before programs are complete or compilable

Allows efficient detection of erroneous constructs
Slide 5: An example

    procedure Inc (X : in out Integer);
    --# global in out CallCount;

Detection of function side-effect:

    function AddOne (X : Integer) return Integer is
       XLocal : Integer := X;
    begin
       Inc (XLocal);
       return XLocal;
    end AddOne;

Detection of aliasing:

    Inc (CallCount);
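The two errors on the slide, worked through in a complete SPARK package. This is an added example, not code from the presentation or from Praxis: the package name Counter, the procedures AddOne (as a procedure) and Bump, and their annotations are assumptions made here. Each rejected construct is kept as a comment beside the form the Examiner accepts, so the flow annotations show why the original is unsound: a function that calls Inc would change CallCount without declaring it, and passing CallCount itself to Inc would make the actual and the global the same object.

```ada
-- Added example (not from the slides): the Inc fragment from the slide
-- placed in a complete SPARK package, with each rejected construct shown
-- as a comment next to the form the Examiner accepts.
package Counter
--# own CallCount;
--# initializes CallCount;
is
   procedure Inc (X : in out Integer);
   --# global in out CallCount;
   --# derives X         from X &
   --#         CallCount from CallCount;

   -- Rejected on the slide as a function with a side effect: a SPARK
   -- function may read globals but never write them, and calling Inc
   -- writes CallCount.
   --    function AddOne (X : Integer) return Integer;
   -- Accepted form: a procedure whose effect on CallCount is declared.
   procedure AddOne (X : in Integer; Result : out Integer);
   --# global in out CallCount;
   --# derives Result    from X &
   --#         CallCount from CallCount;

   -- Hypothetical caller used to show the aliasing case.
   procedure Bump (NewCount : out Integer);
   --# global in out CallCount;
   --# derives NewCount, CallCount from CallCount;
end Counter;

package body Counter is
   CallCount : Integer := 0;

   procedure Inc (X : in out Integer) is
   begin
      X         := X + 1;
      CallCount := CallCount + 1;
   end Inc;

   procedure AddOne (X : in Integer; Result : out Integer) is
      XLocal : Integer := X;
   begin
      Inc (XLocal);
      Result := XLocal;
   end AddOne;

   procedure Bump (NewCount : out Integer) is
      Local : Integer := CallCount;
   begin
      -- Rejected on the slide as aliasing: the actual would be the same
      -- object as Inc's global CallCount, so Inc's own derives annotation
      -- would no longer describe what the call does.
      --    Inc (CallCount);
      -- Accepted form: pass a distinct object. Inc advances both Local
      -- and CallCount by one, and Local now equals the updated counter.
      Inc (Local);
      NewCount := Local;
   end Bump;
end Counter;
```

The point for a reviewer is that both rejections come from the annotations alone: the Examiner needs Inc's `global` and `derives` clauses, not its body, to decide that AddOne has a hidden effect and that `Inc (CallCount)` breaks the contract, which is exactly the early, implementation-free analysis the previous slide argues for.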
Slides 6–11: Evolution of Annotations

Initially annotations were about code (built up over slides 6 to 10):

    package P
    --# own CallCount;
    --# initializes CallCount;
    is
       procedure Inc (X : in out Integer);
       --# global in out CallCount;
    end P;

    package body P is
       CallCount : Integer := 0;

       procedure Inc (X : in out Integer) is
       begin
          X := X + 1;
          CallCount := CallCount + 1;
       end Inc;
    end P;

They evolved better to describe abstractions (slide 11).
Slide 12: Refinement

    package Stack
    --# own State;
    is
       procedure Clear;
       --# global out State;
       --# derives State from ;

       procedure Push (X : in Integer);
       --# global in out State;
       --# derives State from State, X;

       procedure Pop (X : out Integer);
       --# global in out State;
       --# derives X, State from State;
    end Stack;

    package body Stack
    --# own State is Vector, Ptr;
    is
       MaxDepth : constant := 100;
       type Ptrs is range 0 .. MaxDepth;
       subtype Indexes is Ptrs range 1 .. MaxDepth;
       type Vectors is array (Indexes) of Integer;
       Ptr    : Ptrs;
       Vector : Vectors;
       ...
       procedure Push (X : in Integer);
       --# global in out Ptr, Vector;
       --# derives Vector from Vector, X, Ptr &
       --#         Ptr    from Ptr;
       ...
Slide 16: Interactions with the Environment
Slide 17: Volatility

    X := Z;
    Y := Z;

Does X = Y?

    Z : Integer;
    for Z'Address use ...;
Slide 18: Modelling Volatility

    package Temperature
    --# own Inputs;
    --# initializes Inputs;
    is
       procedure Read (X : out Celsius);
       --# global in out Inputs;
       --# derives X      from Inputs &
       --#         Inputs from Inputs;
    end Temperature;
Slide 19: Modelling Volatility

    package Temperature
    --# own in Inputs;
    --# initializes Inputs;
    is
       procedure Read (X : out Celsius);
       --# global in out Inputs;
       --# derives X      from Inputs &
       --#         Inputs from Inputs;
    end Temperature;
Slide 20: Modelling Volatility

    package Temperature
    --# own in Inputs;
    is
       procedure Read (X : out Celsius);
       --# global in Inputs;
       --# derives X from Inputs;
    end Temperature;
Slide 21: Case Study - Water Contents Monitor
Slide 22: Sensors

    package WaterHighSensor
    --# own in State;
    is
       function IsActive return Boolean;
       --# global State;
    end WaterHighSensor;

    package WaterLowSensor
    --# own in State;
    is
       function IsActive return Boolean;
       --# global State;
    end WaterLowSensor;
Slide 23: Actuators

    package Valve is
       type T is (Open, Shut);
    end Valve;

    with Valve;
    --# inherit Valve;
    package FillValve
    --# own out State;
    is
       procedure SetTo (Setting : in Valve.T);
       --# global out State;
       --# derives State from Setting;
    end FillValve;
Slide 24: Fault Integrator Abstract Type

    package FaultIntegrator is
       type T is limited private;

       procedure Init (FI : out T; Threshold : in Positive);
       --# derives FI from Threshold;

       procedure Test (FI              : in out T;
                       CurrentEvent    : in     Boolean;
                       IntegratedEvent :    out Boolean);
       --# derives IntegratedEvent,
       --#         FI from FI, CurrentEvent;
    private
       --# hide FaultIntegrator;
    end FaultIntegrator;
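The slide hides the private part of FaultIntegrator with `--# hide`, so the Examiner analyses callers against the `derives` annotations alone. The following is an added example, not Praxis's implementation: it supplies one assumed private view and body, written so that it could be analysed rather than hidden. The assumed behaviour is a consecutive-event counter: the integrated event is reported only after the raw event has been seen Threshold times in a row, and a single inactive reading clears the count, so a one-sample sensor glitch never reaches the valve.

```ada
-- Added example (not from the slides): an assumed private view and body
-- for FaultIntegrator. The public part repeats the slide's specification;
-- the private part and body are assumptions made for this example.
package FaultIntegrator is
   type T is limited private;

   procedure Init (FI : out T; Threshold : in Positive);
   --# derives FI from Threshold;

   procedure Test (FI              : in out T;
                   CurrentEvent    : in     Boolean;
                   IntegratedEvent :    out Boolean);
   --# derives IntegratedEvent, FI from FI, CurrentEvent;
private
   -- Assumed representation: the configured threshold and the number of
   -- consecutive raw events seen so far, saturating at the threshold.
   type T is record
      Threshold : Positive;
      Count     : Natural;
   end record;
end FaultIntegrator;

package body FaultIntegrator is

   procedure Init (FI : out T; Threshold : in Positive) is
   begin
      FI := T'(Threshold => Threshold, Count => 0);
   end Init;

   -- Every path assigns IntegratedEvent and updates FI only from its own
   -- previous value and CurrentEvent, matching the derives annotation.
   procedure Test (FI              : in out T;
                   CurrentEvent    : in     Boolean;
                   IntegratedEvent :    out Boolean) is
   begin
      if CurrentEvent then
         -- Saturate so Count can never exceed Threshold (no overflow).
         if FI.Count < FI.Threshold then
            FI.Count := FI.Count + 1;
         end if;
      else
         FI.Count := 0;
      end if;
      IntegratedEvent := FI.Count >= FI.Threshold;
   end Test;
end FaultIntegrator;
```

With HighThreshold set to 10 as on the later Main controller slide, the drain valve opens only after ten consecutive active readings from the high sensor, and because the sensor driver reports active on an invalid reading, a persistently failed sensor still drives the system to the safe (draining) state after the same delay.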
Slide 25: Main controller

    procedure Main
    --# global in  WaterHighSensor.State,
    --#            WaterLowSensor.State;
    --#        out FillValve.State,
    --#            DrainValve.State;
    --# derives FillValve.State  from
    --#            WaterLowSensor.State &
    --#         DrainValve.State from
    --#            WaterHighSensor.State;
    is
       HighIntegrator, LowIntegrator : FaultIntegrator.T;
       HighThreshold : constant Positive := 10;
       LowThreshold  : constant Positive := 10;
Slide 26: Main controller

       procedure ControlHigh
       --# global in     WaterHighSensor.State;
       --#        out    DrainValve.State;
       --#        in out HighIntegrator;
       --# derives DrainValve.State,
       --#         HighIntegrator from
       --#            HighIntegrator,
       --#            WaterHighSensor.State;
       is separate;

       procedure ControlLow
       --# global in     WaterLowSensor.State;
       --#        out    FillValve.State;
       --#        in out LowIntegrator;
       --# derives FillValve.State,
       --#         LowIntegrator from
       --#            LowIntegrator,
       --#            WaterLowSensor.State;
       is separate;
Slide 27: Main controller

    begin -- Main
       FaultIntegrator.Init (HighIntegrator, HighThreshold);
       FaultIntegrator.Init (LowIntegrator, LowThreshold);
       FillValve.SetTo (Valve.Shut);
       DrainValve.SetTo (Valve.Shut);
       loop
          ControlHigh;
          ControlLow;
       end loop;
    end Main;
Slide 28: Subunits

    separate (Main)
    procedure ControlHigh is
       RawFullEvent, TooFull : Boolean;
    begin
       RawFullEvent := WaterHighSensor.IsActive;
       FaultIntegrator.Test (HighIntegrator,
                             RawFullEvent, -- to get
                             TooFull);
       if TooFull then
          DrainValve.SetTo (Valve.Open);
       else
          DrainValve.SetTo (Valve.Shut);
       end if;
    end ControlHigh;
Slide 29: Device drivers

    package body WaterHighSensor
    --# own State is in HighSensorPort;
    is
       type Byte is mod 256;
       ActiveValue : constant Byte := 255;

       HighSensorPort : Byte;
       for HighSensorPort'Address use ...;

       function IsActive return Boolean
       --# global HighSensorPort;
       is
          RawVal : Byte;
          Result : Boolean;
       begin
          RawVal := HighSensorPort;
          if RawVal'Valid then
             Result := RawVal = ActiveValue;
          else
             Result := True; -- show too full on sensor failure
          end if;
          return Result;
       end IsActive;
    end WaterHighSensor;
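The Actuators slide gives only the specification of FillValve, and the Device drivers slide shows the input-side driver. The body below is an added example, not the presentation's code, showing the output-side counterpart: the abstract `own out State` is refined to a write-only port. The port encoding (255 for open, 0 for shut) and the address are placeholders chosen for the example, and the body assumes the slide's FillValve specification with System.Storage_Elements added to its inherit list.

```ada
-- Added example (not from the slides): a body for the FillValve actuator
-- package, the output-side counterpart of the WaterHighSensor driver.
-- The refinement "own State is out FillPort" tells the Examiner that
-- FillPort is a write-only external: any attempt to read it back is
-- reported rather than silently accepted.
with System.Storage_Elements;
package body FillValve
--# own State is out FillPort;
is
   type Byte is mod 256;

   -- Assumed port encoding; the slide does not give one.
   OpenValue : constant Byte := 16#FF#;
   ShutValue : constant Byte := 16#00#;

   FillPort : Byte;
   -- Placeholder address: the real one is hardware-specific.
   for FillPort'Address use
     System.Storage_Elements.To_Address (16#FFFF_0010#);
   pragma Volatile (FillPort);

   -- Abstract: global out State; derives State from Setting;
   -- Every path assigns FillPort, so the "out" promise holds and the
   -- valve never keeps a stale command after a call returns. The case
   -- statement is exhaustive over Valve.T, so a new valve state added
   -- later would be a compile-time error here rather than a silent gap.
   procedure SetTo (Setting : in Valve.T)
   --# global out FillPort;
   --# derives FillPort from Setting;
   is
   begin
      case Setting is
         when Valve.Open => FillPort := OpenValue;
         when Valve.Shut => FillPort := ShutValue;
      end case;
   end SetTo;
end FillValve;
```

Read together with the sensor body, the two drivers show how the `in` and `out` modes on own variables let the Main controller's `derives` clause be stated purely in terms of sensor states flowing to valve states, with the port addresses and encodings confined to the bodies.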
Slide 30: Traceability and Abstraction

Low level annotation in implementation terms:

    function IsActive return Boolean
    --# global HighSensorPort;

Refinement hiding implementation detail:

    --# own State is in HighSensorPort;

Annotation in spec is in abstract terms:

    function IsActive return Boolean;
    --# global State;

Main controller annotation entirely in abstract terms:

    --# derives FillValve.State  from
    --#            WaterLowSensor.State &
    --#         DrainValve.State from
    --#            WaterHighSensor.State;
Slide 31: Conclusions

SPARK and the Examiner originated from research concerned with reverse engineering of code.

SPARK has evolved into something much more concerned with program construction than program analysis.

The combination of abstract own variables and modes provides mechanisms for parallel descriptions of systems and implementations that analysis binds together.