680 likes | 789 Views
Leuven Feb 23, 2010 Robert B K Dewar President AdaCore. What’s New in the World of Ada. First of All, What’s Old in the World of Ada A Short History.
E N D
Leuven Feb 23, 2010 Robert B K Dewar President AdaCore What’s New in the World of Ada
First of All, What’s Old in the World of AdaA Short History • Ada was created in response to a perception that there were too many programming languages around, and none of them really met the requirements for building large scale critical software. • A set of requirements (Woodman .. Tinman .. Ironman .. Steelman) was developed. • A language design competition was ultimately won by a French group at Honeywell, under the direction of Jean Ichbiah. • Originally called green, the language was christened Ada (a woman’s name, so please don’t think it is an acronym and spell it ADA!)
Ada 83, the First ISO Standard • Ada 83 was standardized in 1983 by ANSI and in 1987 by ISO. • Note that technically there is only one standard valid, the current one, and it is called just Ada, but we informally prefix a year to keep the versions separate. • The US DoD established a formal validation procedure for Ada compilers (the ACVC suite), and the first validated compilers appeared in 1983 within months of the standard being released (the first one was at NYU). • Note: The ACVC suite has now been transformed into an ISO-standardized validation procedure, and renamed as ACATS. Ada is the only language with an ISO standard for compiler validation.
Ada 83, A Quick Overview • The package concept, separation of specificaiton and implementation. The idea, build a spec of a package, then clients can use it right away. • Derived types, time and distance would be separate types, so it is wrong at compile time to write T := D; • Ranges for numeric types, a la Pascal (see next slide!) • Generics, support for generic units parametrized by types. • Well separated types, Character /= Boolean /= Integer. • Proper enumeration types • Run-time exceptions • Tasking (first class high level multi-threading) • Designed for readability and maintainability over ease of writing initial code.
User-defined ranges for numeric types, a C Side-Bar • Vista has about 50 million lines of C • Microsoft is busy adding static assertions to this code • Static assertions = in practice range declarations for integer variables • They have added half a million such assertions • As of a year ago • Half added by a sophisticated static analysis tool • Half added by hand • These assertions have helped uncover potential bugs • About 100,000 potential buffer over-runs • The two most common areas of problems in C • Buffer overruns • Overflow problems
Ada 95, The First Major Update • Object oriented features (type extension, dynamic dispatching). Ada 95 was the first standardized OO language. • Child packages, allow introducing a hierarchy into the package structure of large programs. • Protected types (a simpler task communication method) • Standard libraries much extended and standardized • Pragma Assert (copied from GNAT) • Ravenscar Profile (simplified tasking .. Safety critical) • Streams and Stream_IO
Ada 2005 • Interfaces (think Java) • Synchronized interfaces • Full internationalization (full Unicode support) • Container packages (think STL) • Circular dependencies in packages (limited with) • Object.operation notation • Unchecked_Union • PragmaUnsuppress (copied from GNAT)
WG9 directive: new ISO standard in 2012 • Scope of amendment is limited: • A few critical additions to the language • Constructs to address multicore hardware • Numerous fixes to the RM • The usual constraints: expressiveness, simplicity of description, implementability (pick any two)
Major topics of Amendment • Program correctness • Enhanced container library • Expressiveness : functions and expressions • Visibility • Concurrency and real-time programming • Syntactic frills
Program correctness Pre- and Postconditions: function Pop (S : in out Stack) return Elem with Pre => not Is_Empty (S) Post => not Is_Full (S); Type invariants: type Elem is tagged private with invariant => Is_Valid (Elem) invariant’class => Contents (Elem) /= 0; … function Is_Valid (T : Elem) return Boolean; Uniform notation : aspect specifications
Container library Bounded containers Fixed capacity, stack-allocated, controlled only if element is. Vectors, hashed sets, hashed maps. Holder containers Singleton structure for unconstrained values Synchronized queues Amenable to lock-free implementation Multiway trees Vector of descendant nodes, links every which way
Expressiveness In-out parameters for functions checks on order-dependence to prevent unwanted side-effects Conditional expressions: X := (if Cond then X+1 else X * 2); Case Expressions: procedure Mangle (X : in out Integer) with Pre => (case X mod 3 is when 0 => pred1 (X), when 1 => pred2 (X), when 2 => pred3 (X) );
Expressiveness (2) Iterators over containers User-defined iterators, through new interface types: for cursor in Iterate (My_Container) loop My_Container (Cursor) := My_Container (Cursor) + 1; end loop; Default iterator with no intervening cursor: for Element of My_Container loop Element := Element + 1; end loop; Quantified expressions: ( for all J in A’First .. A (Inx’Pred (A’Last)) : A (J) <= A (Indx’succ (J)) A postcondition on a sorting routine
Expressiveness (3) Extended membership operations: Allow enumeration of values, to represent disjoint subsets: type Color is (Red, Green, Blue ,Cyan ,Magenta, Yellow, Black); Hue : Color; ... If (Hue in Red | Blue | Magenta .. Black) then Can use arbitrary types: if Name in (“Entry” | “Exit” | Translate (“Urgence”) |then
Visibility Use all type Gives use-visibility to primitive operations and literals Integrated packages So an inner instance is merged with enclosing unit Incomplete types can be completed with partial views Types declared in three steps Untagged incomplete types can be used in formals and return as long as full view available at point of call
Concurrency and real-time Affinities Map task to processor or group of processors Ravenscar for multiprocessors Restriction on affinities and task migration Barriers Better parallelism than can be obtained with protected objects
Who is AdaCore • Engineering organization • Two separate independent companies • 100% FLOSS (Freely Licensed Open Source Software) • 100% COTS (Commercial-Off-The-Shelf products) • Worldwide presence
What do we do • Development tools for critical software • mission-critical (Air Traffic Management, simulation, ...) • safety-critical (A350, 787, trains, missiles, ...) • security-critical (NSA Tokeneer, ...) • Code generation experts • compilers, debuggers, emulators, builders, IDEs, coverage, stack analysis, formal methods, static analysis, ... • model compilers (involved in Gene-Auto) • 100% Free Software company
CodePeer Automatic code review and robustness validation
Peer Review • Best practice in Extreme and Agile programming • Improve code quality • Reduce errors But… • Requires initial effort to setup infrastructure • Needs to sustain project pressure • Often bypassed
Alleviating Peer Review Process Certain categories of verifications • Can be automated • Are better handled by tools CodePeer provides: • Static analysis • Symbolic program interpretation • Incremental & modular analysis
CodePeer in Action CodePeer Day-to-day development Software maintenance Project quality assurance • Static run-time errors detection • Test vectors generation • Pre/post conditions generation • Analysis results consolidation • compile-time analysis • local analysis • global change impact analysis • global analysis • test vectors leverage
CodePeer Area of Action Programming Errors Ada Run-Time Checks User Checks • Race conditions • Dead code • Assert statements • if … then … raise … control flow • out-of-bound indexing • numeric overflow • division by zero • incorrect invariant
Coverage Levels Object: Instruction Object branch Source Statement Decision Modified Condition/Decision Xcov Features – Availability Depends on the Platform • Aggregated Coverage • Capitalization: multiple executions • Consolidation: different executables exercising the same function • Tool Qualification • For use in DO-178B Level A certification activities
Xcov Timeline and Roadmap PowerPC ERC32/LEON 2
Structural Coverage Analysis Metrics: Statement Coverage functionP (A, B, C : Boolean) return Boolean is begin if( A and then B ) or else C then return True; end if; endP; Statements At least 1 test per Conditional Expression
Structural Coverage Analysis Metrics: Decision Coverage functionP (A, B, C : Boolean) return Boolean is begin if( A and then B ) or else C then return True; end if; endP; Decision At least 2 tests per Conditional Expression
Structural Coverage Analysis Metrics: MCDC functionP (A, B, C : Boolean) return Boolean is begin if( A and then B ) or else C then return True; end if; endP; Conditions Decision At least n+1 tests n = number of conditions A C B Condition Coverage
Branch Coverage vs. Decision Coverage functionP (A, B, C : Boolean) return Boolean is begin ifA and then B then return True; end if; endP; Decision
Branch Coverage vs. Decision Coverage functionP (A, B, C : Boolean) return Boolean is begin ifA and then B then return True; end if; endP; if A and then B then <lib__f1+0000001c>: fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31) fffc0138 +: 54 00 06 3e clrlwi r0,r0,24 fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000028>: fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160 <lib__f1+00000048> fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31) fffc0148 +: 54 00 06 3e clrlwi r0,r0,24 fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000038>: fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160 <lib__f1+00000048> return True; <lib__f1+0000003c>: fffc0154 +: 38 00 00 01 li r0,0x0001 fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31) <lib__f1+00000044>: fffc015c +: 48 00 00 0c b 0xfffc0168 <lib__f1+00000050> end if; return False; <lib__f1+00000048>: T T
Branch Coverage vs. Decision Coverage functionP (A, B, C : Boolean) return Boolean is begin ifA and then B then return True; end if; endP; if A and then B then <lib__f1+0000001c>: fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31) fffc0138 +: 54 00 06 3e clrlwi r0,r0,24 fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000028>: fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160 <lib__f1+00000048> fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31) fffc0148 +: 54 00 06 3e clrlwi r0,r0,24 fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000038>: fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160 <lib__f1+00000048> return True; <lib__f1+0000003c>: fffc0154 +: 38 00 00 01 li r0,0x0001 fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31) <lib__f1+00000044>: fffc015c +: 48 00 00 0c b 0xfffc0168 <lib__f1+00000050> end if; return False; <lib__f1+00000048>: T T F
Branch Coverage vs. Decision Coverage: Full Branch Cov functionP (A, B, C : Boolean) return Boolean is begin ifA and then B then return True; end if; endP; if A and then B then <lib__f1+0000001c>: fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31) fffc0138 +: 54 00 06 3e clrlwi r0,r0,24 fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000028>: fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160 <lib__f1+00000048> fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31) fffc0148 +: 54 00 06 3e clrlwi r0,r0,24 fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000 <lib__f1+00000038>: fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160 <lib__f1+00000048> return True; <lib__f1+0000003c>: fffc0154 +: 38 00 00 01 li r0,0x0001 fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31) <lib__f1+00000044>: fffc015c +: 48 00 00 0c b 0xfffc0168 <lib__f1+00000050> end if; return False; <lib__f1+00000048>: T F T F
Compilation Link Executable Bridging the Gap between Source and Object Code Coverage Approach by Instrumentation Approach by Virtualization Coverage Information Coverage Information Sources Sources Compilation Link Instrumentation Compilation Link Execution Trace Pure Functional Test Executable Instrumented Executable Instrumented Environment HOST TARGET Coverage Data Instrumented Functional Test Pure Functional Test Pure Functional Test
Challenges -fpreserve-control-flow Preserving the Control Flow function P (Param : Boolean) return Boolean is begin ifParamthen return True; else return False; end if; end P; Compilation _ada_p: cmpwi %cr7,%r3,0 beqlr- %cr7 li %r3,1 blr _ada_p: blr
Agenda • What’s New in GNAT Pro • QEMU for VxWorks 653 • Towards Safer Programming • Modeling from a GNAT Pro Perspective • Multilanguage Development • SPARK Pro
Comprehensive Ada Solutions Front-Line Support +
Increased Number of Supported Platforms • Wind River • VxWorks 6.7 (SMP) • VxWorks Cert 6 • Workbench 3.1 for VxWorks 653 – pre-release • SYSGO • ELinOS • PikeOS • Support for the JVM • Support for the 8-bit AVR microcontroller • GNAT for Lego Mindstorms NXT
A Year of Development in GNAT Pro • Over 130 new features/enhancements in GNAT Pro 6.2 • GNAT Pro Component Collection • A year of Ada Gems: the HOWTO library
A new set of libraries at your fingertips An overview of the GNAT Component Collection • Extending your Ada application with shell scripts • A trace module for customized message/error logging • A Virtual File System abstraction • Truly portable across systems • Handles remote files seamlessly • Email and mailbox manipulation • Database interface package • For safe SQL queries • Generates Ada types reflecting the database schema
Bringing PowerPC Simulation to VxWorks 653 Features • Open-Source simulation solution: QEMU • Efficient Simulation Technology • Windows hosted • Simulation of a PowerPC 750gx • 1 UART • 1 ethernet device • 32MB Flash • BSPs for VxWorks 653 (4MB and 16MB flash) • Final ROM Image generator • Integration with Workbench target server
QEMU for VxWorks 653 – Key Benefits • Fully supported simulator for VxWorks 653 • Available to all developers • Single compiler for development and deployment • Development platform close to the final HW platform (PowerPC processor) • Code tested can be the code running on the final target • Avoids endianness issues • Eases functional testing • Optional upgrade to MC/DC code coverage toolset (forthcoming)