Scheduling and memory requirements analysis with AADL
Singhoff, F.; Legrand, J.; Nana, L.; Marcé, L.
doi: 10.1145/1104011.1103847
This article describes a set of Ada packages that lets designers perform resource requirements analysis on AADL specifications. The packages are part of Cheddar, an Ada framework being developed at the University of Brest [22]. The framework provides tools to check whether AADL threads will meet their deadlines at run time. Some new AADL properties are proposed to model and analyze dependent AADL thread sets. The framework also provides tools for memory requirements analysis of AADL specifications.
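The deadline check the abstract refers to is, for independent periodic threads under fixed-priority preemptive scheduling, a worst-case response-time analysis. The following is an added example written for this page, not Cheddar's own code: it iterates the standard recurrence R = C_i + sum over higher-priority j of ceil(R / T_j) * C_j until it converges or exceeds the deadline. The thread names, periods and execution times are constructed for illustration.

```ada
--  Added example (not Cheddar code): worst-case response-time analysis
--  for independent periodic threads under fixed-priority preemptive
--  scheduling. Thread names, periods and WCETs are constructed values.
with Ada.Text_IO; use Ada.Text_IO;

procedure Response_Time_Check is

   type Thread is record
      Name     : String (1 .. 8);
      Period   : Positive;   --  in ticks
      Deadline : Positive;   --  relative deadline, here equal to Period
      WCET     : Positive;   --  worst-case execution time in ticks
      Priority : Positive;   --  larger value = higher priority
   end record;

   type Thread_Set is array (Positive range <>) of Thread;

   --  Rate-monotonic assignment: shorter period, higher priority.
   Threads : constant Thread_Set :=
     ((Name => "sensor  ", Period => 10, Deadline => 10, WCET => 2,  Priority => 3),
      (Name => "control ", Period => 20, Deadline => 20, WCET => 6,  Priority => 2),
      (Name => "logger  ", Period => 50, Deadline => 50, WCET => 15, Priority => 1));

   --  Iterate R(n+1) = C_i + sum_{j in hp(i)} ceil(R(n) / T_j) * C_j,
   --  starting from R(0) = C_i. Stop on a fixed point, or as soon as R
   --  exceeds the deadline: the thread is then not schedulable and the
   --  iteration would otherwise only grow.
   function Response_Time (I : Positive) return Natural is
      R_Prev : Natural := Threads (I).WCET;
      R      : Natural := Threads (I).WCET;
   begin
      loop
         R := Threads (I).WCET;
         for J in Threads'Range loop
            if Threads (J).Priority > Threads (I).Priority then
               --  ceil (R_Prev / Period) with integer arithmetic
               R := R + ((R_Prev + Threads (J).Period - 1) / Threads (J).Period)
                        * Threads (J).WCET;
            end if;
         end loop;
         exit when R = R_Prev or else R > Threads (I).Deadline;
         R_Prev := R;
      end loop;
      return R;
   end Response_Time;

begin
   for I in Threads'Range loop
      declare
         R : constant Natural := Response_Time (I);
      begin
         Put (Threads (I).Name & " R =" & Natural'Image (R));
         if R <= Threads (I).Deadline then
            Put_Line ("  meets deadline");
         else
            Put_Line ("  MISSES deadline" & Positive'Image (Threads (I).Deadline));
         end if;
      end;
   end loop;
end Response_Time_Check;
```

With the constructed set above the analysis yields response times of 2, 8 and 35 ticks, all within their deadlines. Build with any Ada 2005 compiler, e.g. `gnatmake response_time_check.adb`. The analysis assumes the threads are independent; the dependent thread sets mentioned in the abstract need the blocking terms that Cheddar's additional AADL properties are meant to capture.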
Modeling SPARK systems with UML
Sautejeau, Xavier
doi: 10.1145/1104011.1103848
In this paper, we will consider two aspects of UML in order to assess how well suited it is for modeling SPARK systems. The first aspect is the ability to represent SPARK in UML from a theoretical perspective. The second aspect is more from a hands-on perspective and evaluates what makes a UML CASE-tool more suitable for modeling SPARK systems than another.
Optimizing the SPARK program slicer
Sward, Ricky E.; Baird III, Leemon C.
doi: 10.1145/1104011.1103849
Recent trends in software re-engineering have included tools to extract program slices from existing Ada procedures. One such tool has already been developed that extracts program slices from SPARK procedures along with a proof that the functionality of the original procedure is equivalent to the functionality of the collection of resulting slices. This paper extends this work by showing how assumptions in the proof can cause inefficiencies in SPARKSlicer and by presenting alternatives that optimize out the inefficiencies. The original proof is modified to show that the SPARK program slicer still produces functionally equivalent program slices from SPARK procedures with these optimizations.
Experiences using SPARK in an undergraduate CS course
Ruocco, Anthony S.
doi: 10.1145/1104011.1103852
This paper describes experiences gathered while teaching a course on high-integrity software using SPARK to a mix of junior- and senior-level undergraduates. The paper describes the impact of prerequisites, the course layout and execution, and the lessons learned by students and the instructor. The course used the SPARK toolset provided by Praxis High Integrity Systems and the GNAT Programming System (GPS) provided by AdaCore Technologies (ACT) under the Ada Academic Initiative Program. Details about using these tools are integrated throughout the paper.
The implementation of Ada 2005 synchronized interfaces in the GNAT compiler
Miranda, Javier; Schonberg, Edmond; Kirtchev, Hristian
doi: 10.1145/1104011.1103853
One of the most important object-oriented features of the new revision of the Ada programming language is the introduction of abstract interfaces to provide a form of multiple inheritance. Ada 2005 abstract interface types are akin to Java interfaces and, as such, support inheritance of specification rather than inheritance of implementation. Ada 2005 interfaces also apply to tasks and protected types, and provide a classification mechanism for concurrent programming that goes considerably beyond the capabilities of Java. This paper summarizes the implementation in the GNAT compiler of the various kinds of interfaces that relate to concurrent programming in Ada 2005 [1]. The implementation is efficient and involves mostly modifications to the compiler front end, with minimal impact on run-time structures beyond those already in place to support regular interfaces. However, the implementation of interface operations as triggers in selective waits and asynchronous transfers of control proved to be surprisingly delicate and requires additional predefined primitive operations.
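To make the feature concrete, here is an added example written for this page (it is not code from the paper or from the GNAT sources): one synchronized interface implemented by a protected type and by a task type, and a timed call made through a class-wide reference, which is exactly the "interface operation as trigger in a selective wait" case the abstract describes. The names Channel, Mailbox and Relay are made up for the illustration.

```ada
--  Added example (not GNAT implementation code): an Ada 2005
--  synchronized interface implemented once by a protected type and once
--  by a task type, then invoked through a class-wide reference inside a
--  timed entry call. Channel, Mailbox and Relay are illustrative names.
with Ada.Text_IO; use Ada.Text_IO;

procedure Synchronized_Interface_Demo is

   type Channel is synchronized interface;
   procedure Send (C : in out Channel; Msg : Integer) is abstract;

   --  Protected implementation: Send is a protected procedure, so a
   --  call never blocks the caller beyond mutual exclusion.
   protected type Mailbox is new Channel with
      overriding procedure Send (Msg : Integer);
      function Last return Integer;
   private
      Stored : Integer := 0;
   end Mailbox;

   protected body Mailbox is
      procedure Send (Msg : Integer) is
      begin
         Stored := Msg;
      end Send;
      function Last return Integer is
      begin
         return Stored;
      end Last;
   end Mailbox;

   --  Task implementation: Send is an entry, so the caller is queued
   --  until the task reaches the matching accept statement.
   task type Relay is new Channel with
      overriding entry Send (Msg : Integer);
      entry Stop;
   end Relay;

   task body Relay is
   begin
      loop
         select
            accept Send (Msg : Integer) do
               Put_Line ("Relay forwarded" & Integer'Image (Msg));
            end Send;
         or
            accept Stop;
            exit;
         end select;
      end loop;
   end Relay;

   --  The call dispatches on the class-wide parameter. For a Relay this
   --  is a genuine timed entry call; for a Mailbox the protected
   --  procedure runs at once and the delay alternative never fires.
   procedure Send_With_Timeout (C : in out Channel'Class; Msg : Integer) is
   begin
      select
         C.Send (Msg);
      or
         delay 0.5;
         Put_Line ("Send timed out");
      end select;
   end Send_With_Timeout;

   M : Mailbox;
   R : Relay;

begin
   Send_With_Timeout (M, 1);
   Put_Line ("Mailbox holds" & Integer'Image (M.Last));
   Send_With_Timeout (R, 2);
   R.Stop;   --  let the task terminate so the procedure can return
end Synchronized_Interface_Demo;
```

The timed call in Send_With_Timeout is the delicate case the paper refers to: the compiler cannot know statically whether C.Send resolves to a protected procedure, an entry, or an ordinary procedure, so the run-time selection between an immediate call and a queued entry call with a timeout has to be made through the dispatching machinery.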
Temporal skeletons for verifying time
Naeser, Gustaf; Lundqvist, Kristina; Asplund, Lars
doi: 10.1145/1104011.1103854
This paper presents an intermediate notation used in a framework for verifying real-time properties. The framework aims to spare its user the detailed, verification-specific knowledge that formal verification inevitably demands of a model. To this end, an initial formal model, the timing (temporal) skeleton, is extracted automatically from the source code. The refinement needed to turn the skeleton into a verifiable model is deferred; postponing the abstraction and specialisation required for verification keeps the skeleton readable, and its purpose is precisely that it can easily be validated against the source code it was created from. The skeleton is then automatically refined with verification detail and translated into the notation of a verification tool; both steps are hidden from the user. To reduce the complexity of the application model, the framework relies on a formally verified run-time kernel with a clear separation from the application. The kernel supports preemption, dynamic priorities and multiple processors.
The affordable application of formal methods to software engineering
Davis, James F.
doi: 10.1145/1104011.1103855
The purpose of this research paper is to examine (1) why formal methods are required for software systems today; (2) Praxis High Integrity Systems' Correctness-by-Construction methodology; and (3) an affordable application of a formal methods methodology to software engineering. The research for this paper consisted of literature reviews of documents found on the Internet and in publications, as well as reviews of conference proceedings, including the 2004 High Confidence Software and Systems Conference and the 2004 Special Interest Group on Ada Conference. The research found that (1) our reliance on software systems for critical national, business and personal processes outweighs the trust we have in those systems; (2) there is a growing demand for the ability to trust our software systems; (3) methodologies such as Praxis' Correctness-by-Construction are readily available and can provide this needed level of trust; (4) tools such as Praxis' SparkAda, when appropriately applied, can be an affordable way to bring formal methods into a software development process; (5) software users have a responsibility to demand correctness; and finally, (6) software engineers have the responsibility to provide it. Further research is necessary to determine what other methodologies and tools are available to provide affordable approaches to applying formal methods to software engineering. In conclusion, formal methods provide an unprecedented ability to build trust in the correctness of a system or component. Through the development of methodologies such as Praxis' Correctness by Construction and tools such as SparkAda, it is becoming ever more cost-effective to apply formal methods within the software engineering lifecycle. As the criticality of our IT systems continues to increase, so must our trust that these systems will perform as expected. Software system clients, such as government, businesses and all other IT users, must demand that their IT systems be delivered with a proven level of correctness or trust commensurate with the criticality of the function they perform.
SafetyChip: a time monitoring and policing device
Naeser, Gustaf; Asplund, Lars; Furunäs, Johan
doi: 10.1145/1104011.1103856
The SafetyChip embodies a strategy in which part of the effort invested in formal verification during the development of a system is reused during the system's operation. The strength of formal verification is that a system can be mathematically proven to fulfil certain requirements, e.g., timing requirements. The SafetyChip uses information from the verification to monitor and police the system at run time. Monitoring is done by observing the application's communication with the run-time kernel. If a deviation from the predefined, verified behaviour is detected, the SafetyChip can signal (police) it in different ways, e.g., by generating interrupts to which the system can respond. In our experiments we use systems written in Ravenscar-compliant Ada code and have automated the extraction of the models used to verify the system from the source code. This paper presents the functionality and design of the SafetyChip. Properties of an implementation of the SafetyChip are also presented.
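The abstract does not give the SafetyChip's internal design, so the following is an added software stand-in, written for this page and not taken from the paper: a monitor that replays a constructed trace of kernel events (task releases and completions) and checks each against bounds that a verification step is assumed to have established, namely the release period and the maximum release-to-finish time of each task. A detected deviation is reported where the hardware device would raise an interrupt. Task names, bounds and the trace are all constructed.

```ada
--  Added example (not the SafetyChip's own design): software policing of
--  a constructed kernel-event trace against per-task bounds assumed to
--  come from a verified model. Task names, bounds and events are made up.
with Ada.Text_IO; use Ada.Text_IO;

procedure Policing_Monitor is

   type Event_Kind is (Release, Finish);
   type Task_Id is (Sensor, Control);

   type Event is record
      Time : Natural;       --  ticks since start
      Kind : Event_Kind;
      Who  : Task_Id;
   end record;
   type Trace is array (Positive range <>) of Event;

   --  Bounds the verification is assumed to have established. A real
   --  SafetyChip would load these from the verified model, not literals.
   Period : constant array (Task_Id) of Positive := (Sensor => 10, Control => 20);
   Bound  : constant array (Task_Id) of Positive := (Sensor => 2,  Control => 8);

   --  Constructed trace, time-ordered. Two deviations are planted:
   --  Sensor is released at tick 25 (only 5 ticks after its release at
   --  20), and Control's second run lasts 10 ticks against a bound of 8.
   Events : constant Trace :=
     ((0, Release, Sensor), (0, Release, Control), (2, Finish, Sensor),
      (8, Finish, Control), (10, Release, Sensor), (11, Finish, Sensor),
      (20, Release, Sensor), (20, Release, Control), (22, Finish, Sensor),
      (25, Release, Sensor), (26, Finish, Sensor), (30, Finish, Control));

   Last_Release : array (Task_Id) of Integer := (others => -1);
   Violations   : Natural := 0;

   --  Stand-in for the interrupt the device would raise.
   procedure Police (Msg : String) is
   begin
      Violations := Violations + 1;
      Put_Line ("VIOLATION: " & Msg);
   end Police;

begin
   for I in Events'Range loop
      declare
         E : Event renames Events (I);
      begin
         case E.Kind is
            when Release =>
               if Last_Release (E.Who) >= 0
                 and then E.Time - Last_Release (E.Who) /= Period (E.Who)
               then
                  Police (Task_Id'Image (E.Who) & " released after"
                          & Integer'Image (E.Time - Last_Release (E.Who))
                          & " ticks, verified period is"
                          & Positive'Image (Period (E.Who)));
               end if;
               Last_Release (E.Who) := E.Time;
            when Finish =>
               if Last_Release (E.Who) < 0 then
                  Police (Task_Id'Image (E.Who) & " finished without a release");
               elsif E.Time - Last_Release (E.Who) > Bound (E.Who) then
                  Police (Task_Id'Image (E.Who) & " took"
                          & Integer'Image (E.Time - Last_Release (E.Who))
                          & " ticks, verified bound is"
                          & Positive'Image (Bound (E.Who)));
               end if;
         end case;
      end;
   end loop;
   Put_Line (Natural'Image (Violations) & " violation(s) detected");
end Policing_Monitor;
```

Run against the trace above the monitor reports the two planted deviations and nothing else. The check is deliberately stateless beyond the last release time of each task, mirroring a device that only watches the kernel interface: it cannot tell a task that overran from one that was preempted for too long, which is why the bound it enforces is the verified release-to-finish time rather than a raw execution-time budget.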