1 / 42

Peter Amey Praxis Critical Systems

Closing the Loop: The Influence of Code Analysis on Design. Peter Amey Praxis Critical Systems. SPARK Goals. Precise static analysis Early use of static analysis Facilitated by: an exact language removal of ambiguous and erroneous constructs annotations. Why Annotations?.

orenda
Download Presentation

Peter Amey Praxis Critical Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Closing the Loop: The Influence of Code Analysis on Design Peter Amey Praxis Critical Systems

  2. SPARK Goals • Precise static analysis • Early use of static analysis • Facilitated by: • an exact language • removal of ambiguous and erroneous constructs • annotations

  3. Why Annotations? • Annotations strengthen specifications • Ada separation of specifications/implementations too weak • Allows analysis without access to implementations • which can be done early on during development • even before programs are complete or compilable • Allows efficient detection of erroneous constructs

  4. An example procedure Inc (X : inout Integer); --# globalinout Callcount; detection of function side-effect function AddOne (X : Integer) return Integer is XLocal : Integer := X; begin Inc(Xlocal); return XLocal; end AddOne; detection of aliasing Inc (CallCount);

  5. procedure Swap(X, Y : inout T) is begin Store.Put(X); X := Y; Y := Store.Get; end Swap;

  6. A Store Object package Store is procedure Put(X : in T); function Get return T; end Store;

  7. A Store Object package Store --# own State; is procedure Put(X : in T); --# globalout State; function Get return T; --# global State; end Store;

  8. procedure Swap(X, Y : inout T) --# global out Store.State; is begin Store.Put(X); X := Y; Y := Store.Get; end Swap;

  9. ObjectOrientedDesign • Encapsulation • Abstraction • Loose coupling • Cohesion • Hierarchy

  10. ObjectOrientedDesign • Encapsulation • Abstraction • Loose coupling • Cohesion • Hierarchy SPARK can directly assist with achieving these design goals: e.g. Annotation size is a sensitive measure of coupling between objects.

  11. INFORMED Information flow oriented method for (object) design.

  12. Principles • Application-oriented annotations • Careful selection of the SPARK boundary • Minimised information flow • Separation of the essential from the inessential • Early use of static analysis

  13. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  14. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  15. System and SPARK Boundaries • Identification of the System Boundary • identify the boundary of the system for which INFORMED is being used to provide the software. • identify the physical inputs and outputs of the system. • Identification of the SPARK boundary. • select a SPARK boundary within the overall system boundary • define boundary variables to give controlled interfaces across the SPARK boundary annotated in problem domain terms. • consider adding boundary abstraction layers.

  16. Parnas & Madey Model

  17. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  18. Identification and Localization of State • What must be stored? • Where should it be stored? • consider effect of choice on main program annotations • How should it be stored? • variable package • instance of type package • concrete Ada variable

  19. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  20. State Initialization • Initialized prior to program execution • implicitly by environment • explicitly in package elaboration or declarations • Initialized during program execution • by executable statement

  21. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  22. Designsteps(simplified) • Identification of system boundary, SPARK boundary and communication across them. • Identification and location of system state. • Handling initialization of state. • Handling secondary considerations. • Implementing object bodies.

  23. Implementing Objects • May identify sub-systems which can be tackled in INFORMED way • Otherwise essentially top-down refinement; but: • defer implementation using hide directive • use Examiner regularly • use annotations as a guide to partitioning.

  24. INFORMEDComponents (ASM) (ADT)

  25. A Cycle Computer The cycle computer consists of a display/control unit to mount on the handlebars of a bicycle and a sensor that detects each complete revolution of the front wheel. The display unit shows the current instantaneous speed on a primarydisplay and has a secondarydisplay showing one of: totaldistance, distancesincelastreset, averagespeed and timesincelastreset. The display/control unit has twobuttons: the first clears the time, average speed and trip values; and the second switches between the various secondary display modes. Unfortunately, but typically of many software projects, the hardware has already been designed: There is a clock that provides a regular tick (but not time of day) and the sensor, a reed relay operated by a magnet on the bicycle wheel, provides a pulse each time the wheel completes a revolution.

  26. BoundaryConsiderations Identification of system boundary, selection of SPARK boundary and definition of boundary variables.

  27. Implementation as Two SPARK Sub-systems

  28. BoundaryVariablesandAbstractions

  29. BoundaryVariablesandAbstractions

  30. LocationofState • Where and how to store: • wheel size • total numbers of pulses received • averages of pulse intervals • clock values for stopwatch function

  31. LocationofState • Where and how to store: • wheel size • total numbers of pulses received • averages of pulse intervals • clock values for stopwatch function

  32. LocationofState • Where and how to store: • wheel size • total numbers of pulses received • averages of pulse intervals • clock values for stopwatch function

  33. Location of State (1)

  34. Location of State (1)

  35. LocationofState • Where and how to store: • wheel size • total numbers of pulses received • averages of pulse intervals • clock values for stopwatch function

  36. Location of State (2)

  37. Location of State (2)

  38. CompleteDesign

  39. CompleteDesign --# global --# in Clock.State, --# Pulse_Queue.State, --# Buttons.State, --# Wheel.Size; --# out Display.State; --# derives --# Display.State --# from --# Clock.State, --# Pulse_Queue.State, --# Button.State, --# Wheel.Size;

  40. Design with unnecessary state --# global --# in Clock.State, --# Pulse_Queue.State, --# Buttons.State, --# Wheel.Size; --# out Display.State; --# in out Pulse_Handler.State; --# derives --# Display.State --# from --# Clock.State, --# Pulse_Queue.State, --# Pulse_Handler.State, --# Button.State, --# Wheel.Size & --# Pulse_Handler.State --# from --# Pulse_Handler.State, --# Pulse_Queue.State, --# Buttons.State;

  41. Conclusions • Static analysis is not just a V&V activity: • early error detection saves money • analysis provides powerful design quality indicators • Loose coupling is achieved by minimising information flow • SPARK annotations provide a sensitive measure of information flow • Designs can be “re-factored” based on early analysis results • Good design provides an on-going pay off throughout the entire life of a system

  42. Resources • www.sparkada.com • sparkinfo@praxis-cs.co.uk Addison Wesley Longman, ISBN : 0-201-17517-7.

More Related