Upload
javier
View
22
Download
0
Embed Size (px)
DESCRIPTION
Leuven Feb 23, 2010 Robert B K Dewar President AdaCore. What’s New in the World of Ada. First of All, What’s Old in the World of Ada A Short History. - PowerPoint PPT Presentation
Citation preview
Slide: 1 Copyright © 2008 AdaCore
LeuvenFeb 23, 2010
Robert B K DewarPresident AdaCore
What’s New in the World of Ada
Slide: 2 Copyright © 2008 AdaCore
First of All, What’s Old in the World of AdaA Short History
• Ada was created in response to a perception that there were too many programming languages around, and none of them really met the requirements for building large scale critical software.
• A set of requirements (Woodman .. Tinman .. Ironman .. Steelman) was developed.
• A language design competition was ultimately won by a French group at Honeywell, under the direction of Jean Ichbiah.
• Originally called green, the language was christened Ada (a woman’s name, so please don’t think it is an acronym and spell it ADA!)
Slide: 3 Copyright © 2008 AdaCore
Ada 83, the First ISO Standard
• Ada 83 was standardized in 1983 by ANSI and in 1987 by ISO.
• Note that technically there is only one standard valid, the current one, and it is called just Ada, but we informally prefix a year to keep the versions separate.
• The US DoD established a formal validation procedure for Ada compilers (the ACVC suite), and the first validated compilers appeared in 1983 within months of the standard being released (the first one was at NYU).
• Note: The ACVC suite has now been transformed into an ISO-standardized validation procedure, and renamed as ACATS. Ada is the only language with an ISO standard for compiler validation.
Slide: 4 Copyright © 2008 AdaCore
Ada 83, A Quick Overview
• The package concept, separation of specificaiton and implementation. The idea, build a spec of a package, then clients can use it right away.
• Derived types, time and distance would be separate types, so it is wrong at compile time to write T := D;
• Ranges for numeric types, a la Pascal (see next slide!)• Generics, support for generic units parametrized by
types.• Well separated types, Character /= Boolean /= Integer.• Proper enumeration types• Run-time exceptions• Tasking (first class high level multi-threading)• Designed for readability and maintainability over ease of
writing initial code.
Slide: 5 Copyright © 2008 AdaCore
User-defined ranges for numeric types, a C Side-Bar
• Vista has about 50 million lines of C• Microsoft is busy adding static assertions to this code
– Static assertions = in practice range declarations for integer variables• They have added half a million such assertions
– As of a year ago– Half added by a sophisticated static analysis tool– Half added by hand
• These assertions have helped uncover potential bugs– About 100,000 potential buffer over-runs
• The two most common areas of problems in C– Buffer overruns– Overflow problems
Slide: 6 Copyright © 2008 AdaCore
Ada 95, The First Major Update
• Object oriented features (type extension, dynamic dispatching). Ada 95 was the first standardized OO language.
• Child packages, allow introducing a hierarchy into the package structure of large programs.
• Protected types (a simpler task communication method)
• Standard libraries much extended and standardized• Pragma Assert (copied from GNAT)• Ravenscar Profile (simplified tasking .. Safety critical)• Streams and Stream_IO
Slide: 7 Copyright © 2008 AdaCore
Ada 2005
• Interfaces (think Java)• Synchronized interfaces• Full internationalization (full Unicode support)• Container packages (think STL)• Circular dependencies in packages (limited with)• Object.operation notation• Unchecked_Union• Pragma Unsuppress (copied from GNAT)
Slide: 8 Copyright © 2008 AdaCore
WG9 directive: new ISO standard in 2012
• Scope of amendment is limited:– A few critical additions to the language– Constructs to address multicore hardware– Numerous fixes to the RM
• The usual constraints: expressiveness, simplicity of description, implementability (pick any two)
Slide: 9 Copyright © 2008 AdaCore
Major topics of Amendment
• Program correctness
• Enhanced container library
• Expressiveness : functions and expressions
• Visibility
• Concurrency and real-time programming
• Syntactic frills
Slide: 10 Copyright © 2008 AdaCore
Program correctness• Pre- and Postconditions:
function Pop (S : in out Stack) return ElemwithPre => not Is_Empty (S)Post => not Is_Full (S);
• Type invariants: type Elem is tagged private
withinvariant => Is_Valid (Elem)invariant’class => Contents (Elem) /= 0;
…function Is_Valid (T : Elem) return Boolean;
Uniform notation : aspect specifications
Slide: 11 Copyright © 2008 AdaCore
Container library• Bounded containers
– Fixed capacity, stack-allocated, controlled only if element is.
– Vectors, hashed sets, hashed maps.
• Holder containers
– Singleton structure for unconstrained values
• Synchronized queues
– Amenable to lock-free implementation
• Multiway trees
– Vector of descendant nodes, links every which way
Slide: 12 Copyright © 2008 AdaCore
Expressiveness• In-out parameters for functions
checks on order-dependence to prevent unwanted side-effects
• Conditional expressions:
X := (if Cond then X+1 else X * 2);
Case Expressions:procedure Mangle (X : in out Integer)with Pre => (case X mod 3 is
when 0 => pred1 (X),when 1 => pred2 (X),when 2 => pred3 (X) );
Slide: 13 Copyright © 2008 AdaCore
Expressiveness (2)• Iterators over containers
User-defined iterators, through new interface types: for cursor in Iterate (My_Container) loop My_Container (Cursor) := My_Container (Cursor) + 1; end loop;
Default iterator with no intervening cursor: for Element of My_Container loop Element := Element + 1; end loop;
Quantified expressions: ( for all J in A’First .. A (Inx’Pred (A’Last)) : A (J) <= A (Indx’succ (J))
A postcondition on a sorting routine
Slide: 14 Copyright © 2008 AdaCore
Expressiveness (3)• Extended membership operations:
– Allow enumeration of values, to represent disjoint
subsets: type Color is (Red, Green, Blue ,Cyan ,Magenta, Yellow,
Black); Hue : Color; ... If (Hue in Red | Blue | Magenta .. Black) then
Can use arbitrary types:
if Name in (“Entry” | “Exit” | Translate (“Urgence”) |then
Slide: 15 Copyright © 2008 AdaCore
Visibility Use all type
Gives use-visibility to primitive operations and literals
Integrated packages
So an inner instance is merged with enclosing unit
Incomplete types can be completed with partial views
Types declared in three steps
Untagged incomplete types can be used in formals and
return
as long as full view available at point of call
Slide: 16 Copyright © 2008 AdaCore
Concurrency and real-timeAffinities
Map task to processor or group of processors
Ravenscar for multiprocessors
Restriction on affinities and task migration
Barriers
Better parallelism than can be obtained with protected
objects
Slide: 17 Copyright © 2008 AdaCore
Who is AdaCore
• Engineering organization– Two separate independent companies
• 100% FLOSS (Freely Licensed Open Source Software)
• 100% COTS (Commercial-Off-The-Shelf products)• Worldwide presence
Slide: 18 Copyright © 2008 AdaCore
What do we do
• Development tools for critical software– mission-critical (Air Traffic Management, simulation, ...)– safety-critical (A350, 787, trains, missiles, ...)– security-critical (NSA Tokeneer, ...)
• Code generation experts– compilers, debuggers, emulators, builders, IDEs, coverage, stack analysis,
formal methods, static analysis, ...– model compilers (involved in Gene-Auto)
• 100% Free Software company
Slide: 19 Copyright © 2008 AdaCore
Some customer projects
Slide: 20 Copyright © 2008 AdaCore
CodePeerAutomatic code review and robustness validation
Slide: 21 Copyright © 2008 AdaCore
Peer Review
• Best practice in Extreme and Agile programming
• Improve code quality
• Reduce errors
But…
• Requires initial effort to setup infrastructure
• Needs to sustain project pressure
• Often bypassed
Slide: 22 Copyright © 2008 AdaCore
Alleviating Peer Review Process
Certain categories of verifications
• Can be automated
• Are better handled by tools
CodePeer provides:
• Static analysis
• Symbolic program interpretation
• Incremental & modular analysis
Slide: 23 Copyright © 2008 AdaCore
CodePeer in Action
• Static run-time errors detection• Test vectors generation• Pre/post conditions generation• Analysis results consolidation
CodePeer
• compile-time analysis• local analysis
Day-to-day development
• global change impact analysis
Software maintenance
• global analysis• test vectors leverage
Project quality assurance
Slide: 24 Copyright © 2008 AdaCore
CodePeer Area of Action
• Race conditions• Dead code
Programming Errors
• out-of-bound indexing• numeric overflow• division by zero• incorrect invariant
Ada Run-Time Checks
• Assert statements• if … then … raise … control flow
User Checks
Slide: 25 Copyright © 2008 AdaCore
Structural Coverage Analysis
Slide: 26 Copyright © 2008 AdaCore
Xcov Features – Availability Depends on the Platform
Tool Qualification
• For use in DO-178B Level A certification activities
Slide: 27 Copyright © 2008 AdaCore
Xcov Timeline and Roadmap
Slide: 28 Copyright © 2008 AdaCore
Structural Coverage Analysis Metrics: Statement Coverage
function P (A, B, C : Boolean) return Boolean isbegin if ( A and then B ) or else C then
return True; end if;end P;
Statements
A B C if statement? ? T T
At least 1 test per Conditional Expression
Slide: 29 Copyright © 2008 AdaCore
Structural Coverage Analysis Metrics: Decision Coverage
function P (A, B, C : Boolean) return Boolean isbegin if ( A and then B ) or else C then
return True; end if;end P;
A B C if statement? ? T T? F F F
At least 2 tests per Conditional Expression
Decision
Slide: 30 Copyright © 2008 AdaCore
Structural Coverage Analysis Metrics: MCDC
function P (A, B, C : Boolean) return Boolean isbegin if ( A and then B ) or else C then
return True; end if;end P;
A B C if statementT T ? TF ? T TT F F F
A B C if statementT T F TF T F FF T T TT F F F
Decision
Conditions
Condition Coverage
At least n+1 testsn = number of conditions
A
BC
Slide: 31 Copyright © 2008 AdaCore
Branch Coverage vs. Decision Coverage
function P (A, B, C : Boolean) return Boolean isbegin if A and then B then
return True; end if;end P;
A B if statementT T TF ? F
Decision
Slide: 32 Copyright © 2008 AdaCore
Decision Coverage: Result in Xcov
Slide: 33 Copyright © 2008 AdaCore
Branch Coverage vs. Decision Coverage
function P (A, B, C : Boolean) return Boolean is
begin if A and then B then
return True; end if;end P;
A B if statementT T TT F FF T F
if A and then B then<lib__f1+0000001c>:fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31)fffc0138 +: 54 00 06 3e clrlwi r0,r0,24fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000028>:fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160
<lib__f1+00000048>fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31)fffc0148 +: 54 00 06 3e clrlwi r0,r0,24fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000038>:fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160
<lib__f1+00000048>return True;<lib__f1+0000003c>:fffc0154 +: 38 00 00 01 li r0,0x0001fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31)<lib__f1+00000044>:fffc015c +: 48 00 00 0c b 0xfffc0168
<lib__f1+00000050>end if;return False;<lib__f1+00000048>:
T
T
Slide: 34 Copyright © 2008 AdaCore
Branch Coverage vs. Decision Coverage
function P (A, B, C : Boolean) return Boolean is
begin if A and then B then
return True; end if;end P;
A B if statementT T TT F FF T F
if A and then B then<lib__f1+0000001c>:fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31)fffc0138 +: 54 00 06 3e clrlwi r0,r0,24fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000028>:fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160
<lib__f1+00000048>fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31)fffc0148 +: 54 00 06 3e clrlwi r0,r0,24fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000038>:fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160
<lib__f1+00000048>return True;<lib__f1+0000003c>:fffc0154 +: 38 00 00 01 li r0,0x0001fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31)<lib__f1+00000044>:fffc015c +: 48 00 00 0c b 0xfffc0168
<lib__f1+00000050>end if;return False;<lib__f1+00000048>:
T
T F
Slide: 35 Copyright © 2008 AdaCore
Branch Coverage: Result in Xcov
Slide: 36 Copyright © 2008 AdaCore
Branch Coverage: Result in Xcov
Slide: 37 Copyright © 2008 AdaCore
Branch Coverage vs. Decision Coverage: Full Branch Cov
function P (A, B, C : Boolean) return Boolean is
begin if A and then B then
return True; end if;end P;
A B if statementT T TT F FF T F
if A and then B then<lib__f1+0000001c>:fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31)fffc0138 +: 54 00 06 3e clrlwi r0,r0,24fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000028>:fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160
<lib__f1+00000048>fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31)fffc0148 +: 54 00 06 3e clrlwi r0,r0,24fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000038>:fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160
<lib__f1+00000048>return True;<lib__f1+0000003c>:fffc0154 +: 38 00 00 01 li r0,0x0001fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31)<lib__f1+00000044>:fffc015c +: 48 00 00 0c b 0xfffc0168
<lib__f1+00000050>end if;return False;<lib__f1+00000048>:
T F
T F
Slide: 38 Copyright © 2008 AdaCore
Bridging the Gap between Source and Object Code Coverage
HOST
TARGET
PureFunctional Test
InstrumentedFunctional Test
Instrumented
Executable
Sources
Approach by Instrumentation
Executable
CompilationLink
CompilationLink
Instrumentation
Coverage Data
CoverageInformation
CompilationLink
Sources
PureFunctional Test
PureFunctional Test
Instrumented Environment
Execution Trace
Executable
Coverage Information
Approach by Virtualization
Slide: 39 Copyright © 2008 AdaCore
Challenges
Preserving the Control Flow
function P (Param : Boolean) return Boolean isbegin if Param then return True; else return False; end if;end P;
_ada_p: blr
_ada_p: cmpwi %cr7,%r3,0 beqlr- %cr7 li %r3,1 blr
Compilation
Slide: 40 Copyright © 2008 AdaCore
GNAT Pro Update
Slide: 41 Copyright © 2008 AdaCore
Agenda
• What’s New in GNAT Pro
• QEMU for VxWorks 653
• Towards Safer Programming
• Modeling from a GNAT Pro Perspective
• Multilanguage Development
• SPARK Pro
Slide: 42 Copyright © 2008 AdaCore
What’s New in GNAT Pro
Slide: 43 Copyright © 2008 AdaCore
Comprehensive Ada Solutions
Front-Line Support
++
Slide: 44 Copyright © 2008 AdaCore
• Support for the JVM
• Support for the 8-bit AVR microcontroller
• GNAT for Lego Mindstorms NXT
Increased Number of Supported Platforms
• Wind River– VxWorks 6.7 (SMP)– VxWorks Cert 6– Workbench 3.1 for VxWorks 653 – pre-release
• SYSGO– ELinOS– PikeOS
Slide: 45 Copyright © 2008 AdaCore
A Year of Development in GNAT Pro
• Over 130 new features/enhancements in GNAT Pro 6.2
• GNAT Pro Component Collection
• A year of Ada Gems: the HOWTO library
Slide: 46 Copyright © 2008 AdaCore
A new set of libraries at your fingertips
An overview of the GNAT Component Collection
• Extending your Ada application with shell scripts
• A trace module for customized message/error logging
• A Virtual File System abstraction– Truly portable across systems– Handles remote files seamlessly
• Email and mailbox manipulation
• Database interface package– For safe SQL queries– Generates Ada types reflecting the database schema
Slide: 47 Copyright © 2008 AdaCore
QEMU for VxWorks 653
Slide: 48 Copyright © 2008 AdaCore
Bringing PowerPC Simulation to VxWorks 653
Features• Open-Source simulation solution: QEMU• Efficient Simulation Technology• Windows hosted
• Simulation of a PowerPC 750gx• 1 UART• 1 ethernet device• 32MB Flash
• BSPs for VxWorks 653 (4MB and 16MB flash)• Final ROM Image generator• Integration with Workbench target server
Slide: 49 Copyright © 2008 AdaCore
QEMU for VxWorks 653 – Key Benefits
• Fully supported simulator for VxWorks 653
• Available to all developers
• Single compiler for development and deployment
• Development platform close to the final HW platform (PowerPC processor)
• Code tested can be the code running on the final target
• Avoids endianness issues
• Eases functional testing
• Optional upgrade to MC/DC code coverage toolset (forthcoming)
Slide: 50 Copyright © 2008 AdaCore
Towards Safer Programming
Slide: 51 Copyright © 2008 AdaCore
Safer Programming: the AdaCore Answer
Slide: 52 Copyright © 2008 AdaCore
Safer Programming: the AdaCore Answer
Available today
Qualification materialQ3 2010
Qualification material
On demand
Qualification materialQ3 2010
Slide: 53 Copyright © 2008 AdaCore
Modeling from a GNAT Pro perspective
Ongoing Work
Slide: 54 Copyright © 2008 AdaCore
Modeling from a GNAT Pro Perspective
Slide: 55 Copyright © 2008 AdaCore
Modeling from a GNAT Pro Perspective – Matlab/Simulink
SimulinkManual Coding
• Customization to the final target• Code Easier to certify
+
• Duplicate work• Errors-prone process
–
Slide: 56 Copyright © 2008 AdaCore
Modeling from a GNAT Pro Perspective – Matlab/Simulink
Simulink
• Write once in Matlab/Simulink
+
• C code generator not qualified
–
Slide: 57 Copyright © 2008 AdaCore
Modeling from a GNAT Pro Perspective – Matlab/Simulink
Simulink
• Write once in Matlab/Simulink• Adapted to DO-178B/C application development• From the Gene-Auto project (ITEA Framework)• Partners: Airbus, Thales, Continental, Barco…• AdaCore working with the consortium for a qualifiable Ada code generator
+
• Safe subset of Simulink available
+/–
Slide: 58 Copyright © 2008 AdaCore
Modeling from a GNAT Pro Perspective – UML2/SysML
Papyrus
AdaCore’s contribution to the EU-funded TOPCASED project
Slide: 59 Copyright © 2008 AdaCore
Multi-Language Development
Slide: 60 Copyright © 2008 AdaCore
Multilanguage Development
• Support for Ada, C, C++
• GPRbuild
• C/C++ to Ada Binding Generator
• Ada-Java Interfacing Suite
Slide: 61 Copyright © 2008 AdaCore
GNAT Pro at the heart of multilanguage applications
…for Source_Dirs use…;for Library_Kind use “relocatable”;package Builder is for Default_Switches (“Ada”) use …; for Default_Switches (“C”) use …; …end Builder;…
GNAT Project File
Slide: 62 Copyright © 2008 AdaCore
C/C++ -> Ada Binding Generator
class Domestic {public: virtual void Set_Owner (char* Name) = 0;};class Animal {public: int Age_Count; virtual void Set_Age (int New_Age);};class Dog : Animal, Domestic {public: char *Owner; virtual void Set_Owner (char* Name); Dog();};
C++ Header package animals_h is
package Class_Domestic is type Domestic is limited interface; pragma Import (CPP, Domestic); procedure Set_Owner (this : access Domestic; Name : Interfaces.C.Strings.chars_ptr) is abstract; end; use Class_Domestic;
package Class_Animal is type Animal is tagged limited record Age_Count : aliased int; end record; pragma Import (CPP, Animal); […] end; use Class_Animal;
package Class_Dog is type Dog is new Animal and Carnivore and Domestic with record Tooth_Count : aliased int; Owner : Interfaces.C.Strings.chars_ptr; end record; […]
Ada Spec
Slide: 63 Copyright © 2008 AdaCore
When Multilanguage Development Includes Java
• Typical use of Ada-Java Multilanguage Development
Communication?
Slide: 64 Copyright © 2008 AdaCore
Automating the Use of Ada from Java
• Using the GNAT Ada-Java Interfacing Suite
Slide: 65 Copyright © 2008 AdaCore
Automating the Use of Ada from Java
ImportsLoads
• Using the GNAT Ada-Java Interfacing Suite
Slide: 66 Copyright © 2008 AdaCore
SPARK ProHigh-Assurance by Design
Slide: 67 Copyright © 2008 AdaCore
What is SPARK Pro?
A combination of…
• AdaCore Toolset & Service-Oriented Customer Interface
– GNAT Programming Studio/GNATbench
– GNAT Tracker
• Praxis High-Integrity Systems’ SPARK Language
– A design approach for high-assurance software,
– A means of enforcing discipline in software process,
– A set of static verification tools,
– A programming language.