Whats New in the World of Ada Leuven
- Slides: 67
What’s New in the World of Ada Leuven Feb 23, 2010 Robert B K Dewar President Ada. Core Copyright © 2008 Ada. Core Slide: 1
First of All, What’s Old in the World of Ada A Short History • Ada was created in response to a perception that there were too many programming languages around, and none of them really met the requirements for building large scale critical software. • A set of requirements (Woodman. . Tinman. . Ironman. . Steelman) was developed. • A language design competition was ultimately won by a French group at Honeywell, under the direction of Jean Ichbiah. • Originally called green, the language was christened Ada (a woman’s name, so please don’t think it is an acronym and spell it ADA!) Copyright © 2008 Ada. Core Slide: 2
Ada 83, the First ISO Standard • Ada 83 was standardized in 1983 by ANSI and in 1987 by ISO. • Note that technically there is only one standard valid, the current one, and it is called just Ada, but we informally prefix a year to keep the versions separate. • The US Do. D established a formal validation procedure for Ada compilers (the ACVC suite), and the first validated compilers appeared in 1983 within months of the standard being released (the first one was at NYU). • Note: The ACVC suite has now been transformed into an ISO-standardized validation procedure, and renamed as ACATS. Ada is the only language with an ISO standard for compiler validation. Copyright © 2008 Ada. Core Slide: 3
Ada 83, A Quick Overview • The package concept, separation of specificaiton and implementation. The idea, build a spec of a package, then clients can use it right away. • Derived types, time and distance would be separate types, so it is wrong at compile time to write T : = D; • Ranges for numeric types, a la Pascal (see next slide!) • Generics, support for generic units parametrized by types. • Well separated types, Character /= Boolean /= Integer. • Proper enumeration types • Run-time exceptions • Tasking (first class high level multi-threading) • Designed for readability and maintainability over ease of writing initial code. Copyright © 2008 Ada. Core Slide: 4
User-defined ranges for numeric types, a C Side-Bar • Vista has about 50 million lines of C • Microsoft is busy adding static assertions to this code – Static assertions = in practice range declarations for integer variables • They have added half a million such assertions – As of a year ago – Half added by a sophisticated static analysis tool – Half added by hand • These assertions have helped uncover potential bugs – About 100, 000 potential buffer over-runs • The two most common areas of problems in C – Buffer overruns – Overflow problems Copyright © 2008 Ada. Core Slide: 5
Ada 95, The First Major Update • Object oriented features (type extension, dynamic dispatching). Ada 95 was the first standardized OO language. • Child packages, allow introducing a hierarchy into the package structure of large programs. • Protected types (a simpler task communication method) • Standard libraries much extended and standardized • Pragma Assert (copied from GNAT) • Ravenscar Profile (simplified tasking. . Safety critical) • Streams and Stream_IO Copyright © 2008 Ada. Core Slide: 6
Ada 2005 • Interfaces (think Java) • Synchronized interfaces • Full internationalization (full Unicode support) • Container packages (think STL) • Circular dependencies in packages (limited with) • Object. operation notation • Unchecked_Union • Pragma Unsuppress (copied from GNAT) Copyright © 2008 Ada. Core Slide: 7
WG 9 directive: new ISO standard in 2012 • Scope of amendment is limited: – A few critical additions to the language – Constructs to address multicore hardware – Numerous fixes to the RM • The usual constraints: expressiveness, simplicity of description, implementability (pick any two) Copyright © 2008 Ada. Core Slide: 8
Major topics of Amendment • Program correctness • Enhanced container library • Expressiveness : functions and expressions • Visibility • Concurrency and real-time programming • Syntactic frills Copyright © 2008 Ada. Core Slide: 9
Program correctness • Pre- and Postconditions: function Pop (S : in out Stack) return Elem with Pre => not Is_Empty (S) Post => not Is_Full (S); • Type invariants: type Elem is tagged private with invariant => Is_Valid (Elem) invariant’class => Contents (Elem) /= 0; … function Is_Valid (T : Elem) return Boolean; Uniform notation : aspect specifications Copyright © 2008 Ada. Core Slide: 10
Container library • Bounded containers – Fixed capacity, stack-allocated, controlled only if element is. – Vectors, hashed sets, hashed maps. • Holder containers – Singleton structure for unconstrained values • Synchronized queues – Amenable to lock-free implementation • Multiway trees – Vector of descendant nodes, links every which way Copyright © 2008 Ada. Core Slide: 11
Expressiveness • In-out parameters for functions checks on order-dependence to prevent unwanted sideeffects • Conditional expressions: X : = (if Cond then X+1 else X * 2); Case Expressions: procedure Mangle (X : in out Integer) with Pre => (case X mod 3 is when 0 => pred 1 (X), when 1 => pred 2 (X), when 2 => pred 3 (X) ); Copyright © 2008 Ada. Core Slide: 12
Expressiveness (2) • Iterators over containers User-defined iterators, through new interface types: for cursor in Iterate (My_Container) loop My_Container (Cursor) : = My_Container (Cursor) + 1; end loop; Default iterator with no intervening cursor: for Element of My_Container loop Element : = Element + 1; end loop; ² Quantified expressions: ( for all J in A’First. . A (Inx’Pred (A’Last)) : A (J) <= A (Indx’succ (J)) Copyright © 2008 Ada. Core Slide: 13
Expressiveness (3) • Extended membership operations: – Allow enumeration of values, to represent disjoint subsets: type Color is (Red, Green, Blue , Cyan , Magenta, Yellow, Black); Hue : Color; . . . If (Hue in Red | Blue | Magenta. . Black) then § Can use arbitrary types: if Name in (“Entry” | “Exit” | Translate (“Urgence”) |then Copyright © 2008 Ada. Core Slide: 14
Visibility Use all type Gives use-visibility to primitive operations and literals Integrated packages So an inner instance is merged with enclosing unit Incomplete types can be completed with partial views Types declared in three steps Untagged incomplete types can be used in formals and return § as long as full view available at point of call Copyright © 2008 Ada. Core Slide: 15
Concurrency and real-time Affinities Map task to processor or group of processors Ravenscar for multiprocessors Restriction on affinities and task migration Barriers § Better parallelism than can be obtained with protected objects Copyright © 2008 Ada. Core Slide: 16
Who is Ada. Core • Engineering organization – Two separate independent companies • 100% FLOSS (Freely Licensed Open Source Software) • 100% COTS (Commercial-Off-The-Shelf products) • Worldwide presence Copyright © 2008 Ada. Core Slide: 17
What do we do • Development tools for critical software – mission-critical (Air Traffic Management, simulation, . . . ) – safety-critical (A 350, 787, trains, missiles, . . . ) – security-critical (NSA Tokeneer, . . . ) • Code generation experts – compilers, debuggers, emulators, builders, IDEs, coverage, stack analysis, formal methods, static analysis, . . . – model compilers (involved in Gene-Auto) • 100% Free Software company Copyright © 2008 Ada. Core Slide: 18
Some customer projects Copyright © 2008 Ada. Core Slide: 19
Code. Peer Automatic code review and robustness validation Copyright © 2008 Ada. Core Slide: 20
Peer Review • Best practice in Extreme and Agile programming • Improve code quality • Reduce errors But… • Requires initial effort to setup infrastructure • Needs to sustain project pressure • Often bypassed Copyright © 2008 Ada. Core Slide: 21
Alleviating Peer Review Process Certain categories of verifications • Can be automated • Are better handled by tools Code. Peer provides: • Static analysis • Symbolic program interpretation • Incremental & modular analysis Copyright © 2008 Ada. Core Slide: 22
Code. Peer in Action Code. Peer • Static run-time errors detection • Test vectors generation • Pre/post conditions generation • Analysis results consolidation Day-to-day development • compile-time analysis • local analysis Copyright © 2008 Ada. Core Software maintenance Project quality assurance • global change impact analysis • global analysis • test vectors leverage Slide: 23
Code. Peer Area of Action Ada Run-Time Checks • out-of-bound indexing User Checks • numeric overflow • Assert statements • division by zero • if … then … raise … control flow • incorrect invariant Programming Errors • Race conditions • Dead code Copyright © 2008 Ada. Core Slide: 24
Structural Coverage Analysis Copyright © 2008 Ada. Core Slide: 25
Xcov Features – Availability Depends on the Platform Coverage Levels • Object: • Source – Instruction – Statement – Object branch – Decision – Modified Condition/Decision Aggregated Coverage • Capitalization: multiple executions • Consolidation: different executables exercising the same function Tool Qualification • For use in DO-178 B Level A certification activities Copyright © 2008 Ada. Core Slide: 26
Xcov Timeline and Roadmap Instruction & Branch Coverage June 2009 Decision & MC/DC Coverage December 2010 October 2009 Statement Coverage Q 1 2010 First Official Release Branch & Decision Coverage Q 2 2010 Instruction Coverage June 2009 Q 1 2010 Statement Coverage Copyright © 2008 Ada. Core Slide: 27
Structural Coverage Analysis Metrics: Statement Coverage function P (A, B, C : Boolean) return Boolean is begin if ( A and then B ) or else C then return True; Statements end if; end P; A B C if statement ? ? T T Copyright © 2008 Ada. Core At least 1 test per Conditional Expression Slide: 28
Structural Coverage Analysis Metrics: Decision Coverage function P (A, B, C : Boolean) return Boolean is begin if ( A and then B ) or else C then Decision return True; end if; end P; A B C if statement ? ? T T ? F F F Copyright © 2008 Ada. Core At least 2 tests per Conditional Expression Slide: 29
Structural Coverage Analysis Metrics: MCDC function P (A, B, C : Boolean) return Boolean is Conditions begin if ( A and then B ) or else C then Decision return True; end if; end P; At least n+1 tests n = number of conditions A B C if statement T T ? T T T F ? T T F F T T F F F Condition Coverage Copyright © 2008 Ada. Core A C Slide: 30 B
Branch Coverage vs. Decision Coverage function P (A, B, C : Boolean) return Boolean is begin if A and then B then Decision return True; end if; end P; A B if statement T T T F ? F Copyright © 2008 Ada. Core Slide: 31
Decision Coverage: Result in Xcov Copyright © 2008 Ada. Core Slide: 32
Branch Coverage vs. Decision Coverage function P (A, B, C : Boolean) return Boolean is begin if A and then B then return True; end if; end P; T A B if statement T T F F F T F Copyright © 2008 Ada. Core T <lib__f 1+0000001 c>: fffc 0134 +: 88 1 f 00 08 lbz r 0, 0 x 0008(r 31) fffc 0138 +: 54 00 06 3 e clrlwi r 0, 24 fffc 013 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000028>: fffc 0140 v: 41 9 e 00 20 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> fffc 0144 +: 88 1 f 00 09 lbz r 0, 0 x 0009(r 31) fffc 0148 +: 54 00 06 3 e clrlwi r 0, 24 fffc 014 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000038>: fffc 0150 +: 41 9 e 00 10 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> return True; <lib__f 1+0000003 c>: fffc 0154 +: 38 00 00 01 li r 0, 0 x 0001 fffc 0158 +: 90 1 f 00 0 c stw r 0, 0 x 000 c(r 31) <lib__f 1+00000044>: fffc 015 c +: 48 00 00 0 c b 0 xfffc 0168 <lib__f 1+00000050> end if; return False; Slide: 33
Branch Coverage vs. Decision Coverage function P (A, B, C : Boolean) return Boolean is begin if A and then B then return True; end if; end P; T A B if statement T T F F F T F Copyright © 2008 Ada. Core T F <lib__f 1+0000001 c>: fffc 0134 +: 88 1 f 00 08 lbz r 0, 0 x 0008(r 31) fffc 0138 +: 54 00 06 3 e clrlwi r 0, 24 fffc 013 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000028>: fffc 0140 v: 41 9 e 00 20 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> fffc 0144 +: 88 1 f 00 09 lbz r 0, 0 x 0009(r 31) fffc 0148 +: 54 00 06 3 e clrlwi r 0, 24 fffc 014 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000038>: fffc 0150 +: 41 9 e 00 10 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> return True; <lib__f 1+0000003 c>: fffc 0154 +: 38 00 00 01 li r 0, 0 x 0001 fffc 0158 +: 90 1 f 00 0 c stw r 0, 0 x 000 c(r 31) <lib__f 1+00000044>: fffc 015 c +: 48 00 00 0 c b 0 xfffc 0168 <lib__f 1+00000050> end if; return False; Slide: 34
Branch Coverage: Result in Xcov Copyright © 2008 Ada. Core Slide: 35
Branch Coverage: Result in Xcov Copyright © 2008 Ada. Core Slide: 36
Branch Coverage vs. Decision Coverage: Full Branch Cov function P (A, B, C : Boolean) return Boolean is begin if A and then B then return True; end if; end P; T F A B if statement T T F F F T F Copyright © 2008 Ada. Core T F <lib__f 1+0000001 c>: fffc 0134 +: 88 1 f 00 08 lbz r 0, 0 x 0008(r 31) fffc 0138 +: 54 00 06 3 e clrlwi r 0, 24 fffc 013 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000028>: fffc 0140 v: 41 9 e 00 20 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> fffc 0144 +: 88 1 f 00 09 lbz r 0, 0 x 0009(r 31) fffc 0148 +: 54 00 06 3 e clrlwi r 0, 24 fffc 014 c +: 2 f 80 00 00 cmpiw cr 7, r 0, 0 x 0000 <lib__f 1+00000038>: fffc 0150 +: 41 9 e 00 10 beq- cr 7, 0 xfffc 0160 <lib__f 1+00000048> return True; <lib__f 1+0000003 c>: fffc 0154 +: 38 00 00 01 li r 0, 0 x 0001 fffc 0158 +: 90 1 f 00 0 c stw r 0, 0 x 000 c(r 31) <lib__f 1+00000044>: fffc 015 c +: 48 00 00 0 c b 0 xfffc 0168 <lib__f 1+00000050> end if; return False; Slide: 37
Bridging the Gap between Source and Object Code Coverage Approach by Instrumentation Coverage Information Sources Compilation Link Approach by Virtualization Sources Compilation Link Instrumentation Compilation Link Executable Instrumented Executable Pure Functional Test Copyright © 2008 Ada. Core Instrumented Functional Test Execution Trace Pure Functional Test Instrumented Environment HOST Coverage Data Coverage Information TARGET Pure Functional Test Slide: 38
Challenges Preserving the Control Flow function P (Param : Boolean) return Boolean is begin if Param then return True; else return False; end if; end P; Compilation _ada_p: blr Copyright © 2008 Ada. Core _ada_p: cmpwi %cr 7, %r 3, 0 beqlr- %cr 7 li %r 3, 1 blr Slide: 39
GNAT Pro Update Copyright © 2008 Ada. Core Slide: 40
Agenda • What’s New in GNAT Pro • QEMU for Vx. Works 653 • Towards Safer Programming • Modeling from a GNAT Pro Perspective • Multilanguage Development • SPARK Pro Copyright © 2008 Ada. Core Slide: 41
What’s New in GNAT Pro Copyright © 2008 Ada. Core Slide: 42
Comprehensive Ada Solutions Front-Line Support + Copyright © 2008 Ada. Core Slide: 43
Increased Number of Supported Platforms • Wind River – Vx. Works 6. 7 (SMP) – Vx. Works Cert 6 – Workbench 3. 1 for Vx. Works 653 – pre-release • SYSGO – ELin. OS – Pike. OS • Support for the JVM • Support for the 8 -bit AVR microcontroller • GNAT for Lego Mindstorms NXT Copyright © 2008 Ada. Core Slide: 44
A Year of Development in GNAT Pro • Over 130 new features/enhancements in GNAT Pro 6. 2 • GNAT Pro Component Collection • A year of Ada Gems: the HOWTO library Copyright © 2008 Ada. Core Slide: 45
A new set of libraries at your fingertips An overview of the GNAT Component Collection • Extending your Ada application with shell scripts • A trace module for customized message/error logging • A Virtual File System abstraction – Truly portable across systems – Handles remote files seamlessly • Email and mailbox manipulation • Database interface package – For safe SQL queries – Generates Ada types reflecting the database schema Copyright © 2008 Ada. Core Slide: 46
QEMU for Vx. Works 653 Copyright © 2008 Ada. Core Slide: 47
Bringing Power. PC Simulation to Vx. Works 653 Features • Open-Source simulation solution: QEMU • Efficient Simulation Technology • Windows hosted • Simulation of a Power. PC 750 gx • 1 UART • 1 ethernet device • 32 MB Flash • BSPs for Vx. Works 653 (4 MB and 16 MB flash) • Final ROM Image generator • Integration with Workbench target server Copyright © 2008 Ada. Core Slide: 48
QEMU for Vx. Works 653 – Key Benefits • Fully supported simulator for Vx. Works 653 • Available to all developers • Single compiler for development and deployment • Development platform close to the final HW platform (Power. PC processor) • Code tested can be the code running on the final target • Avoids endianness issues • Eases functional testing • Optional upgrade to MC/DC code coverage toolset (forthcoming) Copyright © 2008 Ada. Core Slide: 49
Towards Safer Programming Copyright © 2008 Ada. Core Slide: 50
Safer Programming: the Ada. Core Answer Copyright © 2008 Ada. Core Slide: 51
Safer Programming: the Ada. Core Answer Available today Qualification material Q 3 2010 Copyright © 2008 Ada. Core Qualification material Q 3 2010 Qualification material On demand Slide: 52
Modeling from a GNAT Pro perspective Ongoing Work Copyright © 2008 Ada. Core Slide: 53
Modeling from a GNAT Pro Perspective Copyright © 2008 Ada. Core Slide: 54
Modeling from a GNAT Pro Perspective – Matlab/Simulink Manual Coding Simulink + • Customization to the final target • Code Easier to certify – • Duplicate work • Errors-prone process Copyright © 2008 Ada. Core Slide: 55
Modeling from a GNAT Pro Perspective – Matlab/Simulink + • Write once in Matlab/Simulink – • C code generator not qualified Copyright © 2008 Ada. Core Slide: 56
Modeling from a GNAT Pro Perspective – Matlab/Simulink + • Write once in Matlab/Simulink • Adapted to DO-178 B/C application development • From the Gene-Auto project (ITEA Framework) • Partners: Airbus, Thales, Continental, Barco… • Ada. Core working with the consortium for a qualifiable Ada code generator +/– • Safe subset of Simulink available Copyright © 2008 Ada. Core Slide: 57
Modeling from a GNAT Pro Perspective – UML 2/Sys. ML Papyrus Ada. Core’s contribution to the EU-funded TOPCASED project Copyright © 2008 Ada. Core Slide: 58
Multi-Language Development Copyright © 2008 Ada. Core Slide: 59
Multilanguage Development • Support for Ada, C, C++ • GPRbuild • C/C++ to Ada Binding Generator • Ada-Java Interfacing Suite Copyright © 2008 Ada. Core Slide: 60
GNAT Pro at the heart of multilanguage applications GNAT Project File … for Source_Dirs use…; for Library_Kind use “relocatable”; package Builder is for Default_Switches (“Ada”) use …; for Default_Switches (“C”) use …; … end Builder; … Copyright © 2008 Ada. Core Slide: 61
C/C++ -> Ada Binding Generator C++ Header class Domestic { public: virtual void Set_Owner (char* Name) = 0; }; class Animal { public: int Age_Count; virtual void Set_Age (int New_Age); }; class Dog : Animal, Domestic { public: char *Owner; virtual void Set_Owner (char* Name); Dog(); }; Copyright © 2008 Ada. Core Ada Spec package animals_h is package Class_Domestic is type Domestic is limited interface; pragma Import (CPP, Domestic); procedure Set_Owner (this : access Domestic; Name : Interfaces. C. Strings. chars_ptr) is abstract; end; use Class_Domestic; package Class_Animal is type Animal is tagged limited record Age_Count : aliased int; end record; pragma Import (CPP, Animal); […] end; use Class_Animal; package Class_Dog is type Dog is new Animal and Carnivore and Domestic with record Tooth_Count : aliased int; Owner : Interfaces. C. Strings. chars_ptr; end record; […] Slide: 62
When Multilanguage Development Includes Java • Typical use of Ada-Java Multilanguage Development Communication? Copyright © 2008 Ada. Core Slide: 63
Automating the Use of Ada from Java • Using the GNAT Ada-Java Interfacing Suite Copyright © 2008 Ada. Core Slide: 64
Automating the Use of Ada from Java • Using the GNAT Ada-Java Interfacing Suite Imports Loads Copyright © 2008 Ada. Core Slide: 65
SPARK Pro High-Assurance by Design Copyright © 2008 Ada. Core Slide: 66
What is SPARK Pro? A combination of… • Ada. Core Toolset & Service-Oriented Customer Interface – GNAT Programming Studio/GNATbench – GNAT Tracker • Praxis High-Integrity Systems’ SPARK Language – A design approach for high-assurance software, – A means of enforcing discipline in software process, – A set of static verification tools, – A programming language. Copyright © 2008 Ada. Core Slide: 67