Leuven Feb 23, 2010 Robert B K Dewar President AdaCore

Slide: 1 Copyright © 2008 AdaCore

LeuvenFeb 23, 2010

Robert B K DewarPresident AdaCore

What’s New in the World of Ada


First of All, What’s Old in the World of AdaA Short History

• Ada was created in response to a perception that there were too many programming languages around, and none of them really met the requirements for building large scale critical software.

• A set of requirements (Woodman .. Tinman .. Ironman .. Steelman) was developed.

• A language design competition was ultimately won by a French group at Honeywell, under the direction of Jean Ichbiah.

• Originally called green, the language was christened Ada (a woman’s name, so please don’t think it is an acronym and spell it ADA!)


Ada 83, the First ISO Standard

• Ada 83 was standardized in 1983 by ANSI and in 1987 by ISO.

• Note that technically there is only one standard valid, the current one, and it is called just Ada, but we informally prefix a year to keep the versions separate.

• The US DoD established a formal validation procedure for Ada compilers (the ACVC suite), and the first validated compilers appeared in 1983 within months of the standard being released (the first one was at NYU).

• Note: The ACVC suite has now been transformed into an ISO-standardized validation procedure, and renamed as ACATS. Ada is the only language with an ISO standard for compiler validation.


Ada 83, A Quick Overview

• The package concept, separation of specificaiton and implementation. The idea, build a spec of a package, then clients can use it right away.

• Derived types, time and distance would be separate types, so it is wrong at compile time to write T := D;

• Ranges for numeric types, a la Pascal (see next slide!)• Generics, support for generic units parametrized by

types.• Well separated types, Character /= Boolean /= Integer.• Proper enumeration types• Run-time exceptions• Tasking (first class high level multi-threading)• Designed for readability and maintainability over ease of

writing initial code.


User-defined ranges for numeric types, a C Side-Bar

• Vista has about 50 million lines of C• Microsoft is busy adding static assertions to this code

– Static assertions = in practice range declarations for integer variables• They have added half a million such assertions

– As of a year ago– Half added by a sophisticated static analysis tool– Half added by hand

• These assertions have helped uncover potential bugs– About 100,000 potential buffer over-runs

• The two most common areas of problems in C– Buffer overruns– Overflow problems


Ada 95, The First Major Update

• Object oriented features (type extension, dynamic dispatching). Ada 95 was the first standardized OO language.

• Child packages, allow introducing a hierarchy into the package structure of large programs.

• Protected types (a simpler task communication method)

• Standard libraries much extended and standardized• Pragma Assert (copied from GNAT)• Ravenscar Profile (simplified tasking .. Safety critical)• Streams and Stream_IO


Ada 2005

• Interfaces (think Java)• Synchronized interfaces• Full internationalization (full Unicode support)• Container packages (think STL)• Circular dependencies in packages (limited with)• Object.operation notation• Unchecked_Union• Pragma Unsuppress (copied from GNAT)


WG9 directive: new ISO standard in 2012

• Scope of amendment is limited:– A few critical additions to the language– Constructs to address multicore hardware– Numerous fixes to the RM

• The usual constraints: expressiveness, simplicity of description, implementability (pick any two)


Major topics of Amendment

• Program correctness

• Enhanced container library

• Expressiveness : functions and expressions

• Visibility

• Concurrency and real-time programming

• Syntactic frills


Program correctness• Pre- and Postconditions:

function Pop (S : in out Stack) return ElemwithPre => not Is_Empty (S)Post => not Is_Full (S);

• Type invariants: type Elem is tagged private

withinvariant => Is_Valid (Elem)invariant’class => Contents (Elem) /= 0;

…function Is_Valid (T : Elem) return Boolean;

Uniform notation : aspect specifications


Container library• Bounded containers

– Fixed capacity, stack-allocated, controlled only if element is.

– Vectors, hashed sets, hashed maps.

• Holder containers

– Singleton structure for unconstrained values

• Synchronized queues

– Amenable to lock-free implementation

• Multiway trees

– Vector of descendant nodes, links every which way


Expressiveness• In-out parameters for functions

checks on order-dependence to prevent unwanted side-effects

• Conditional expressions:

X := (if Cond then X+1 else X * 2);

Case Expressions:procedure Mangle (X : in out Integer)with Pre => (case X mod 3 is

when 0 => pred1 (X),when 1 => pred2 (X),when 2 => pred3 (X) );


Expressiveness (2)• Iterators over containers

User-defined iterators, through new interface types: for cursor in Iterate (My_Container) loop My_Container (Cursor) := My_Container (Cursor) + 1; end loop;

Default iterator with no intervening cursor: for Element of My_Container loop Element := Element + 1; end loop;

Quantified expressions: ( for all J in A’First .. A (Inx’Pred (A’Last)) : A (J) <= A (Indx’succ (J))

A postcondition on a sorting routine


Expressiveness (3)• Extended membership operations:

– Allow enumeration of values, to represent disjoint

subsets: type Color is (Red, Green, Blue ,Cyan ,Magenta, Yellow,

Black); Hue : Color; ... If (Hue in Red | Blue | Magenta .. Black) then

Can use arbitrary types:

if Name in (“Entry” | “Exit” | Translate (“Urgence”) |then


Visibility Use all type

Gives use-visibility to primitive operations and literals

Integrated packages

So an inner instance is merged with enclosing unit

Incomplete types can be completed with partial views

Types declared in three steps

Untagged incomplete types can be used in formals and

return

as long as full view available at point of call


Concurrency and real-timeAffinities

Map task to processor or group of processors

Ravenscar for multiprocessors

Restriction on affinities and task migration

Barriers

Better parallelism than can be obtained with protected

objects


Who is AdaCore

• Engineering organization– Two separate independent companies

• 100% FLOSS (Freely Licensed Open Source Software)

• 100% COTS (Commercial-Off-The-Shelf products)• Worldwide presence


What do we do

• Development tools for critical software– mission-critical (Air Traffic Management, simulation, ...)– safety-critical (A350, 787, trains, missiles, ...)– security-critical (NSA Tokeneer, ...)

• Code generation experts– compilers, debuggers, emulators, builders, IDEs, coverage, stack analysis,

formal methods, static analysis, ...– model compilers (involved in Gene-Auto)

• 100% Free Software company


Some customer projects


CodePeerAutomatic code review and robustness validation


Peer Review

• Best practice in Extreme and Agile programming

• Improve code quality

• Reduce errors

But…

• Requires initial effort to setup infrastructure

• Needs to sustain project pressure

• Often bypassed


Alleviating Peer Review Process

Certain categories of verifications

• Can be automated

• Are better handled by tools

CodePeer provides:

• Static analysis

• Symbolic program interpretation

• Incremental & modular analysis


CodePeer in Action

• Static run-time errors detection• Test vectors generation• Pre/post conditions generation• Analysis results consolidation

CodePeer

• compile-time analysis• local analysis

Day-to-day development

• global change impact analysis

Software maintenance

• global analysis• test vectors leverage

Project quality assurance


CodePeer Area of Action

• Race conditions• Dead code

Programming Errors

• out-of-bound indexing• numeric overflow• division by zero• incorrect invariant

Ada Run-Time Checks

• Assert statements• if … then … raise … control flow

User Checks


Structural Coverage Analysis


Xcov Features – Availability Depends on the Platform

Tool Qualification

• For use in DO-178B Level A certification activities


Xcov Timeline and Roadmap


Structural Coverage Analysis Metrics: Statement Coverage

function P (A, B, C : Boolean) return Boolean isbegin if ( A and then B ) or else C then

return True; end if;end P;

Statements

A B C if statement? ? T T

At least 1 test per Conditional Expression


Structural Coverage Analysis Metrics: Decision Coverage



A B C if statement? ? T T? F F F

At least 2 tests per Conditional Expression

Decision


Structural Coverage Analysis Metrics: MCDC



A B C if statementT T ? TF ? T TT F F F

A B C if statementT T F TF T F FF T T TT F F F

Decision

Conditions

Condition Coverage

At least n+1 testsn = number of conditions

A

BC


Branch Coverage vs. Decision Coverage

function P (A, B, C : Boolean) return Boolean isbegin if A and then B then


A B if statementT T TF ? F

Decision


Decision Coverage: Result in Xcov



function P (A, B, C : Boolean) return Boolean is

begin if A and then B then


A B if statementT T TT F FF T F

if A and then B then<lib__f1+0000001c>:fffc0134 +: 88 1f 00 08 lbz r0,0x0008(r31)fffc0138 +: 54 00 06 3e clrlwi r0,r0,24fffc013c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000028>:fffc0140 v: 41 9e 00 20 beq- cr7,0xfffc0160

<lib__f1+00000048>fffc0144 +: 88 1f 00 09 lbz r0,0x0009(r31)fffc0148 +: 54 00 06 3e clrlwi r0,r0,24fffc014c +: 2f 80 00 00 cmpiw cr7,r0,0x0000<lib__f1+00000038>:fffc0150 +: 41 9e 00 10 beq- cr7,0xfffc0160

<lib__f1+00000048>return True;<lib__f1+0000003c>:fffc0154 +: 38 00 00 01 li r0,0x0001fffc0158 +: 90 1f 00 0c stw r0,0x000c(r31)<lib__f1+00000044>:fffc015c +: 48 00 00 0c b 0xfffc0168

<lib__f1+00000050>end if;return False;<lib__f1+00000048>:

T

T











T

T F


Branch Coverage: Result in Xcov


Branch Coverage: Result in Xcov


Branch Coverage vs. Decision Coverage: Full Branch Cov









T F

T F


Bridging the Gap between Source and Object Code Coverage

HOST

TARGET

PureFunctional Test

InstrumentedFunctional Test

Instrumented

Executable

Sources

Approach by Instrumentation

Executable

CompilationLink

CompilationLink

Instrumentation

Coverage Data

CoverageInformation

CompilationLink

Sources

PureFunctional Test

PureFunctional Test

Instrumented Environment

Execution Trace

Executable

Coverage Information

Approach by Virtualization


Challenges

Preserving the Control Flow

function P (Param : Boolean) return Boolean isbegin if Param then return True; else return False; end if;end P;

_ada_p: blr

_ada_p: cmpwi %cr7,%r3,0 beqlr- %cr7 li %r3,1 blr

Compilation


GNAT Pro Update


Agenda

• What’s New in GNAT Pro

• QEMU for VxWorks 653

• Towards Safer Programming

• Modeling from a GNAT Pro Perspective

• Multilanguage Development

• SPARK Pro


What’s New in GNAT Pro


Comprehensive Ada Solutions

Front-Line Support

++


• Support for the JVM

• Support for the 8-bit AVR microcontroller

• GNAT for Lego Mindstorms NXT

Increased Number of Supported Platforms

• Wind River– VxWorks 6.7 (SMP)– VxWorks Cert 6– Workbench 3.1 for VxWorks 653 – pre-release

• SYSGO– ELinOS– PikeOS


A Year of Development in GNAT Pro

• Over 130 new features/enhancements in GNAT Pro 6.2

• GNAT Pro Component Collection

• A year of Ada Gems: the HOWTO library


A new set of libraries at your fingertips

An overview of the GNAT Component Collection

• Extending your Ada application with shell scripts

• A trace module for customized message/error logging

• A Virtual File System abstraction– Truly portable across systems– Handles remote files seamlessly

• Email and mailbox manipulation

• Database interface package– For safe SQL queries– Generates Ada types reflecting the database schema


QEMU for VxWorks 653


Bringing PowerPC Simulation to VxWorks 653

Features• Open-Source simulation solution: QEMU• Efficient Simulation Technology• Windows hosted

• Simulation of a PowerPC 750gx• 1 UART• 1 ethernet device• 32MB Flash

• BSPs for VxWorks 653 (4MB and 16MB flash)• Final ROM Image generator• Integration with Workbench target server


QEMU for VxWorks 653 – Key Benefits

• Fully supported simulator for VxWorks 653

• Available to all developers

• Single compiler for development and deployment

• Development platform close to the final HW platform (PowerPC processor)

• Code tested can be the code running on the final target

• Avoids endianness issues

• Eases functional testing

• Optional upgrade to MC/DC code coverage toolset (forthcoming)


Towards Safer Programming


Safer Programming: the AdaCore Answer


Safer Programming: the AdaCore Answer

Available today

Qualification materialQ3 2010

Qualification material

On demand

Qualification materialQ3 2010


Modeling from a GNAT Pro perspective

Ongoing Work


Modeling from a GNAT Pro Perspective


Modeling from a GNAT Pro Perspective – Matlab/Simulink

SimulinkManual Coding

• Customization to the final target• Code Easier to certify

+

• Duplicate work• Errors-prone process

–



Simulink

• Write once in Matlab/Simulink

+

• C code generator not qualified

–



Simulink

• Write once in Matlab/Simulink• Adapted to DO-178B/C application development• From the Gene-Auto project (ITEA Framework)• Partners: Airbus, Thales, Continental, Barco…• AdaCore working with the consortium for a qualifiable Ada code generator

+

• Safe subset of Simulink available

+/–


Modeling from a GNAT Pro Perspective – UML2/SysML

Papyrus

AdaCore’s contribution to the EU-funded TOPCASED project


Multi-Language Development


Multilanguage Development

• Support for Ada, C, C++

• GPRbuild

• C/C++ to Ada Binding Generator

• Ada-Java Interfacing Suite


GNAT Pro at the heart of multilanguage applications

…for Source_Dirs use…;for Library_Kind use “relocatable”;package Builder is for Default_Switches (“Ada”) use …; for Default_Switches (“C”) use …; …end Builder;…

GNAT Project File


C/C++ -> Ada Binding Generator

class Domestic {public: virtual void Set_Owner (char* Name) = 0;};class Animal {public: int Age_Count; virtual void Set_Age (int New_Age);};class Dog : Animal, Domestic {public: char *Owner; virtual void Set_Owner (char* Name); Dog();};

C++ Header package animals_h is

package Class_Domestic is type Domestic is limited interface; pragma Import (CPP, Domestic); procedure Set_Owner (this : access Domestic; Name : Interfaces.C.Strings.chars_ptr) is abstract; end; use Class_Domestic;

package Class_Animal is type Animal is tagged limited record Age_Count : aliased int; end record; pragma Import (CPP, Animal); […] end; use Class_Animal;

package Class_Dog is type Dog is new Animal and Carnivore and Domestic with record Tooth_Count : aliased int; Owner : Interfaces.C.Strings.chars_ptr; end record; […]

Ada Spec


When Multilanguage Development Includes Java

• Typical use of Ada-Java Multilanguage Development

Communication?


Automating the Use of Ada from Java

• Using the GNAT Ada-Java Interfacing Suite


Automating the Use of Ada from Java

ImportsLoads

• Using the GNAT Ada-Java Interfacing Suite


SPARK ProHigh-Assurance by Design


What is SPARK Pro?

A combination of…

• AdaCore Toolset & Service-Oriented Customer Interface

– GNAT Programming Studio/GNATbench

– GNAT Tracker

• Praxis High-Integrity Systems’ SPARK Language

– A design approach for high-assurance software,

– A means of enforcing discipline in software process,

– A set of static verification tools,

– A programming language.

Documents

Leuven Feb 23, 2010 Robert B K Dewar President AdaCore