a3-1 cs ada. ark sp overview.csetzer/lectures/critsys/02/...(c) anton setzer 2003 (except fo r...

(C)AntonSetzer2003(exceptforpictures)

A3.ProgrammingLanguages

forWritingSafety-CriticalSoftware

(a)Overview.

(b)SPARKAda.

CriticalSystems,CS411,Lentterm2003,Sec.A3A3-1


(a)Overview

MainCriteriaforChoiceofProgrammingLanguagesforCriticalSystems

•Logicalsoundness.

–Isthereasound,unambiguousdefinitionofthelanguage?

•Complexityofdefinition.

–Aretheresimple,formaldefinitionsofthelanguagefeatures?–Toohighcomplexityresultsinhighcomplexityandthereforeinerrorsin

compilersandsupporttools.




•Expressivepower.

–Canprogramfeaturesbeexpressedeasilyandefficiently?–Theeasiertheprogramonehaswritten,theeasieritistoverifyit.

•Security.

–Canviolationsofthelanguagedefinitionsbedetectedbeforeexecution?




•Verifiability.

–Istheresupportforverifyingthatprogramcodemeetsthespecification?

•Boundedspaceandtimerequirements.

–Canitbeshownthattimeandmemoryconstraintsarenotexceeded?



CommonReasonsforProgramErrors

•Subprogramside-effects.

–Variablesinthecallingenvironmentareunexpectedlychanged.

•Aliasing.

–Twoormoredistinctnamesrefertothesamestoragelocation.Changingonevariablechangesaseeminglydifferentone.

•Failuretoinitialize.

–Variableisusedbeforeitisinitialized.



CommonReasonsforProgramErrors(Cont.)

•Expressionevaluationerrors.

–E.g.out-of-rangearraysubscript,divisionbyzero,arithmeticoverflow.–Differentbehaviourofcompilersofthesamelanguageincaseofarithmetic

errors.



ComparisonofProgrammingLanguages

Cullyer,Goodenough,Wichmanhavecomparedsuitabilityofprogramminglanguagesforhighintegritysoftwarebyusingthefollowingcriteria:

•Wildjumps.

–Canitbeguaranteedthataprogramcannotjumptoanarbitrarymemorylocation?

•Overwrites.

–Canalanguageoverwriteanarbitrarymemorylocation?

•Semantics.

–Issemanticsdefinedsufficientlysothatthecorrectnessofthecodecanbeanalyzed?



ComparisonofProgrammingLanguages(Cont.)

•Modelofmathematics.

–Istherearigorousdefinitionofintegerandfloatingpointarithmetic(overflow,errors)?

•Operationalarithmetic.

–Arethereproceduresforcheckingthattheoperationalprogramobeysthemodelofarithmeticwhenrunningonthetargetprocessor?




•Datatyping.

–Aretheremeansofdatatypingthatpreventmisuseofvariables?

•Exceptionhandling.

–Isthereanexceptionhandlingmechanisminordertofacilitaterecoveryifmalfunctionoccurs?

•Exhaustionofmemory.

–Aretherefacilitiestoguardagainstrunningoutofmemory?




•Safesubsets.

–Isthereasafesubsetofthelanguagethatsatisfiesrequirementsmoreadequatelythanthefulllanguage?

•Separatecompilation.

–Isitpossibletocompilemodulesseparately,withtypecheckingagainstmoduleboundaries?

•Well-understood.

–Willdesignersandprogrammersunderstandthelanguagesufficientlytowritesafetycriticalsoftware?




•Legendfornextslide:

–+meansprotectionavailable,

–?meanspartialprotection,

–-meansnoprotection.



StructuredCCORALISOModu-Adaassembler66PASCALla2

Wildjumps+????+Overwrites?--???Semantics?-??+?Modelofmathematics?-?++?Operationalarithmetic?--???Datatyping?-???+Exceptionhandling-?--?+Safesubsets?---?-Exhaustionofmem.+????-Separatecompil.--??++Wellunderstood+??++?



RemarksonCORAL66

•CORAL66=compiledstructuredprogramminglanguagerelatedtoAlgol.

•DevelopedattheRoyalRadarEstablishmentRRE,Malvern,UK.

•Usedforreal-timesystems.

•Allowedinlineassemblycoe.

•NofreeCORAL66compilersseemtobeavailabletoday.



Analysis

•Cmostunsuitablelanguage.

•Module-2mostsuitable.

–Problem:limitedindustrialuse.–Thereforelackoftools,compilers.∗Industrialusecontributestoreliabilityofcompilers.

•Onesolution:developmentofnewlanguagesforhighintegritysoftware.

–SameproblemasforModula-2:limitedindustrialuse.



Analysis(Cont.)

•Bettersolution:introductionofsafesubsets.

–Relyonstandardcompilersandsupporttools.–Onlyadditionalchecker,whichverifiesthattheprogramisinthesubset.–Addannotationstothelanguage.–Problem:Arecompilerssafe?∗Casestudyrevealed:

Compilerfaultsareequivalenttooneundetectedfaultin50000linesofcode.

∗Especiallyproblemofoptimization.



SafeSubsets

CORALSPADE-Modula2AdasubsetPascalsubsetsubset

Wildjumps++++Overwrites++++Semantics+++?Modelofmathematics?+++Operationalarithmetic?+?+Datatyping?+++Exceptionhandling--?+Safesubsets?++?Exhaustionofmem.++??Separatecompil.??++Wellunderstood++++



ProgrammingLanguagesUsed

•Aerospace.

–TrendtowardsAda.–UseoflanguageslikeFORTRAN,Jovial,C,C++.–140languagesusedinthedevelopmentoftheBoeing757/767.

75languagesusedindevelopmentoftheBoeing747-400.E.g.C++fortheseatbackentertainmentsystemofBoeing777.

–NorthrupB2bombercontrolsystem:C++

•Spacecraft.

–EuropeanSpaceAgency:useofAdainmission-criticalsystems.–NASA:Assembler,Ada.–Spaceshuttle:Hal/sandAdaplusotherlanguages.–AirtrafficcontrolsystemsinUS,Canada,France:Ada.



ProgrammingLanguagesUsed

•Automotivesystems:

–Muchassembler.AlsoC,C++,Modula-2

•Railwayindustry:

–Adaasde-factostandard.

•DenverAirportbaggagesystemwritteninC++,butinitialproblemsprobablynotdirectlyrelatedtotheuseofC++.

•Ingeneral:

–TrendtowardsAdaforthehigh-integritypartsofthesoftware.–Useofassemblerwherenecessary.



(b)SPARKAda

MotivationforDevelopingAda

•OriginalproblemofDepartmentofDefenseinUSA(DOD):

–Toomanylanguagesusedandcreatedformilitaryapplications(>450).∗Languageslargelyincompatibleandnotportable.∗Oftenminimalsoftwareavailable.∗Competitionrestricted,sinceonlyonevendor.

–Existinglanguagestooprimitive.∗Nomodularity.∗Hardtoreuse.

–Problemsparticularlysevereinembeddedsystems.∗56%ofthesoftwarecostofDODin1973forembeddedsystems.∗Mostmoneyspentonmaintainingsoftware,notdevelopingit.



Ada

•DecisionbyDOD:Developmentofnewstandardprogramminglanguageformilitaryapplications.

–NameAda=nameofAdaLovelace(1815-1852).∗WroteprogramsforBabbage’scomputer.∗Thereforecalled“thefirstcomputerprogrammer”.

•Firstrelease:Ada83(1983–sameyearC++wasreleased).

•Ada95:RevisionofAda,integrationofobject-orientation.



SPARKAda

•SubsetofAda.

–OriginaldefinitionbyB.CarréandT.Jennings,Univ.ofSouthampton,1988.

–SeveralrevisionscarriedoutbyPraxisCriticalSystemsLtd.–AdaptedtoAda95–CommercialtoolsavailablefromPraxisCriticalSystems.

•AnnotationstoAda.

–Somerequiredfordataandinformationflowanalysis.–Othersallowtogenerateandproveverificationconditions.–ItisaswellpossibletointegrateuncheckedorevenunimplementedAda

code.

•SPARKAdacodecompileswithstandardAdacompilers.



FactorsforProgrammingLanguagesAddressedbySPARKAda

•LogicalSoundness.

–Problem:statementlikeY:=F(X)+G(X):Orderofevaluationnotspecified.ProblemifF(X)andG(X)havesideeffects.∗E.g.F(X)haseffectZ:=0,G(X)haseffectZ:=1.

∗Solutioninmanylanguages:defineorderofevaluation.Notpossible,ifSPARKAdashouldcompileonstandardcompilers.

∗SolutioninSPARKAda:Functionsarenotallowedtohaveside-effects.



FactorsforProgrammingLanguagesAddressedbySPARKAda(Cont.)

•Simplicityoflanguagedefinition.

–Omissionoftoocomplexprinciples.∗Novariantrecords.

·(Dependenttypes,butnocompletecompiletimechecking).∗Notasks(concurrency).∗Nogenerictypes.




•Expressivepower.

–Hidingofvariablesallowed.–Allowstospecifystrongassertionsaboutvariables

•Security.

–Arrayboundchecks.–Programsdoesnotstrayoutsidethecomputationalmodel–BothguaranteedbyAda.–Inordertobeverifiableatcompile-time:∗Constraints(arraybounds,ranges)havetobestatic(determinedat

compiletime).




•Verifiability

–Extraannotations∗controlofdataflow,∗controlofinformationflow,∗proofannotations(morebelow).

–Everyfragmentofcodehasasingleentrypointandlimitedexitpoints.

•Boundedspaceandtimerequirements.

–Recursiondisallowed.–Noarrayswithoutbounds∗Canbedeclared,butonlysubtypesofitcanbeused.

–Nopointers(calledaccesstypesinAda).–Theaboveguaranteesboundedspace.

Boundedtimedifficulttoguarantee.




•Languageshouldbeasexplicitaspossible.

–Nopolymorphism(ie.thatanoperationisdefinedfordifferenttypes):∗Nooverloadingoffunctions.∗Noarraysliding:

Assignment,comparison,operationsonarraysonlyallowedonarrayswithsamearrayindexsets.·Aswellnoconcatenationofarrays.·However,forstringsallowed.

∗Nodefaultparameters,defaultrecordcomponents.∗Howeverstandard+,∗areoverloaded.




•(Languageshouldbeasexplicitaspossible,cont.)

–Noanonymoussubtypes.∗Insteadof:

typeVectorisarray(0...100)ofInteger;onehastowritetypeVectorindexisrange0...100;typeVectorisarray(Vectorindex)ofInteger;

∗Exception:loopvariablescanbeelementsofananonymousrange.–Uniquenamesofentitiesatagivenplace:∗Packagevariableshavetousedexplicitly:

AvariableXofapackageMypackagehastobereferencedasMypackage.X




•Nostructureswhicharetoocomplextograsp.

–Notypehierarchies.∗Noderivedtypes(essentiallyacopyofatype).∗Notypeextension(subtypesinobject-orientedprogr.)∗Noclass-widetypes(classeswhichhavesubclasses).

Thereforenoinheritance.·Problemofinheritance:propertiesareinheritedremotely.

∗Howeversubtypes(restrictionoftherangeofatype)allowed.–Restrictiononreturnstatementsandexits.∗Noreturnstatementsinprocedures.∗Exactlyonereturnstatementinfunctions.∗Exitfromloopsonlypossibletoinnermostloop.∗Noexitoutofifcondition(sincetheretheinnermostloopisthe

if-statement).



ArchitectureoftheSPARKAda

•SPARK-examiner.

–Verifiesthefollowing:∗CorrectAdasyntax.∗SPARK-subsetofAdachosen,asdescribedabove.

–Carriesoutthreelevelsofanalysis:∗Dataflowanalysis.∗Informationflowanalysis.∗Generationofverificationconditions.

⇓

•SPADE-simplifier

–Simplifiesverificationconditionsoftheexaminer.Trivialonesarealreadyproved.



ArchitectureoftheSPARKAda(Cont.)

⇓

•SPADE-proof-checker

–Prooftoolforinteractivelyprovingverificationconditions.



ThreeLevelsofAnalysis

•Dataflowanalysis.

–Checksinput/outputbehaviourofparametersandvariables.–Checksinitializationofvariables.–Checksthatchangedandimportedvariablesareusedlater(possiblyas

outputvariables).

•Informationflowanalysis.

–Verifiesinterdependenciesbetweenvariables.

•Verificationconditions.

–Generationofproofconditions,whichallowtoprovecorrectnessofprograms.



ThreeLevelsofAnalysis(Cont.)

Ideaisthatthe3differentlevelsofanalysisareapplieddependentonthecriticalityoftheprogram.(Somepartsmightnotbecheckedatall).



Annotations

•Certainannotationsareaddedtotheprograms.

–Specifictothe3levelsofanalysis.

•WrittenasAdacomments:

–IgnoredbyAdacompilers.–UsedbytheSPARKAdatools.–Syntax:startwith--#,e.g.∗--#globalinoutMyGlobalVariable;



DataFlowAnalysis–Parameters

•InAdaallparametershavetobelabeledas

–inputparameters;symbol:in,–outputparameters;symbol:out,–input/outputparameters;symbol:inout.

•Example:

procedureABC(A:inFloat;B:outInteger;C:inoutColour)



DataFlowAnalysis–Parameters(Cont.)

•Examinerverifiesthat

–Inputparametersare∗notmodified,∗butusedatleastonce,

–outputparametersare∗notreadbeforebeinginitialized,∗initialized.

–input/outputparametersare∗read,∗andmodified.



DataFlowAnalysis–GlobalVariables

•Globalvariablesmustbegivenstatusasinputoroutputorinput/outputvariablesbyannotations.

–Syntaxexamples:∗--#globalinA;∗--#globaloutB;∗--#globalinoutC;

•Dataflowanalysiscarriesoutthesameanalysisasforparameters.



DataFlowAnalysis–Functions

•Functionscanhaveonlyinputparameters(nokeywordrequired).

•Functionshaveonlyreadaccesstoglobalparameters.Thereforethesyntaxforglobalparametersissimply--#globalA;or--#globalA,B,C;

•Neitherparametersnorglobalvariablescanbechanged.Thereforefunctionsdon’thavesideeffects.



DataFlowAnalysis–Packages

•Packagevariables=variablesglobaltoapackage.

•Packagevariablesmustbedeclaredbyannotations.Syntaxexample:--#ownX,Y;

•Ifavariableisinitializedithastobedeclared;whetheritisinitializedwillbeverified.Syntaxexample:--#initializesX;

–However,evenanuninitializedpackagevariableisallowedtobeusedbyaprocedure.



DataFlowAnalysis–Packages(Cont.)

•Ifapackageisusedithastobedeclared:Syntaxexample:--#inheritsMypackage;



Example(DataFlowAnalysis)

•Considerthefollowingwrongprogram,whichshouldexchangeXandY:

procedureExchange(X,Y:inoutFloat)is

T:Floatbegin

T:=X;X:=Y;Y:=XendExchange;

•Mistake:bodyshouldbe:T:=X;X:=Y;Y:=T



Example(DataFlowAnalysis;Cont.)

•Dataflowanalysisresultsin3errormessages:

–T:=Xisineffectivestatement.–ImportofinitialvalueofXisineffective.–Tisneitherreferencednorused.



Example2(DataFlowAnalysis)

•Hereisanotherwrongprogram,whichshouldexchangeXandY:

procedureExchange(X,Y:inoutFloat)isbeginX:=Y;Y:=XendExchange;

•Dataflowanalysisresultsinerrormessage:

–ImportationofinitialvalueofXisineffective.



InformationFlowAnalysis

•Additionalannotationsonhowvariablesdependoneachother.Syntaxexamples:--#derivesXfromY;or

--#derivesXfromY&--#YfromX;

or,ifnothingisused--#derivesXfrom;

•Informationflowverifiesthatthesedependenciesarefulfilled



Example(InformationFlowAnalysis)

•Considerthefollowingwrongprogram,whichshouldexchangeXandYandcountthenumberofexchangesinZ:

procedureExchangeAndCount(X,Y,Z:inoutInteger)--#derivesXfromY&--#YfromX&--#ZfromZ;isT:Integer;begin

T:=X;Y:=X;Y:=T;Z:=Z+T;endExchangeAndCount;

•TheerroristhatZ:=Z+T;shouldbereplacedbyZ:=Z+1;



Example(InformationFlowAnalysis;Cont.)

•Dataflowanalysissucceedswithoutproblems.

•Informationflowanalysisgiveswarning,sinceZdependsonZandX.



ProofConditions–ProcedureswithoutLoops

•Forprocedureswithoutloops,twokindsofannotationsarerelevant:

–Pre-conditions,e.g.:--#preM>=0andM>0;

–Post-conditions,e.g.:--#postM=M∼+1;

•Thenexaminergeneratesformulaswhichexpress:

–Ifthepre-conditionshold,andtheprocedureisexecuted,afterwardsthepost-conditionholds.

•Iftherearenopre-conditions,thentheformulaexpressesthatthepost-conditionholdsalways.



ProofConditions–ProcedureswithoutLoops(Cont.)

•Inthepost-conditions,

–X∼standsforthevalueofXbeforeexecutingtheprocedure,–Xstandsforthevalueafterexecutingit,–e.g.X=X∼+1;expresses:

ThevalueofXafterexecutingtheprocedureisthevalueofXbeforeexecutingit+1.

•Formulasarebuiltusing:

–Booleanconnectivesand,or,not,xor,->,–quantifiersforall,forsome.



Example(ProofConditions)

•Assumethefollowingwrongprogram:

procedureExchange(X,Y:inoutFloat);--#derivesXfromX&--#YfromY;--#preX>=0.0;--#postX=Y∼andY=X∼;isT:Floatbegin

T:=X;X:=T;T:=Y;Y:=T;endExchange;

•Thepostconditionisnotfulfilledingeneral.



Example(ProofConditions,Cont.)

•Theexaminergeneratestheformula:

H1:x>=0.0.H2:true.H3:true.->

C1:x=y.C2:y=x.

whichisnotprovable.

•(Thedataandinformationflowcheckissogood,thatitisdifficulttofindsimplebutwrongprograms,whichpassit).



Example2(ProofConditions)

•Assumethecorrectprogram:

procedureExchange(X,Y:inoutFloat);--#derivesXfromY--#YfromX;--#postX=Y∼andY=X∼;isT:Floatbegin

T:=X;X:=Y;Y:=T;endExchange;



Example2(ProofConditions;Cont.)

•Theexaminergeneratestheformula:

H1:true.H2:true.H3:true.->

C1:x=x.C2:y=y.

•Thesimplifiershowsthatthisisprovable



ProofConditions–CheckConditions

•Onecaninsertinbetweentheproceduresacheckcondition.E.g.,inthepreviousexample,insertbetweenT:=XandX:=Y:--#checkT>0.0;

•Nowtheformulasexpress:

–Fromthepre-conditionfollowsatthatpositionthecheck-condition.–Fromthepre-conditionandthecheck-conditionatthatpositionfollows

thepost-condition.–Checkconditionsservethereforeasintermediateproof-goals.



ProofConditions–ReturnConditions

•Ifonehasfunctions,onecaneitherstatetheresultofthefunction:E.g.--#returnX+1expresses:theresultisX+1.oronecanassociatewiththeresultavariableandacondition.E.g.onecanwrite:--#returnX=>X>Y;ifYisaparameteroraglobalparameter.Theexampleexpresses:thereturnedvalueis>Y.



ProofConditions–ProcedureswithLoops

•Ifonehasaloop,aloopinvariantisrequired.Thesyntaxisforinstance:--#assertX+Y=X∼+Y∼;

•Ifonehasoneprecondition,oneloopandonepostcondition,theexaminergeneratesproofconditionsexpressing:

–Fromthepre-conditionfollows,whenfirstenteringtheloop,theconditionofassert.

–Fromassertfollows,ifexitconditionsarefalse,theconditionofassertafteronestep.

–Fromassertfollows,ifoneexitconditionistrue,thepostcondition.



Example(ProofConditionswithLoop)

proceduretest(X,Y:inoutFloat)--#derivesXfromX&--#YfromX,Y;--#preX>0.0;--#postX+Y=X∼+Y∼andX


GeneratedProofConditions

Theexaminergeneratesinthelastexamplethefollowingproofconditions:

•H1:x>0.H2:true.H3:true.

->

C1:x+y=x+y.

•H1:x+y=x∼+y∼H2:not(x-1

C1:x-1+(y+1)=x∼+y∼.



GeneratedProofConditions;Cont.)

•H1:x+y=x∼+y∼H2:x-1

C1:x-1+(y+1)=x∼+y∼.C2:x-1


OtherAnnotations

•Themainprogramisdeclaredby:--#mainprogram;

•Partswhichshouldn’tbeexaminedcanbedeclaredby:--#hide;

–Allowsespeciallydirectinteractionwithnon-criticalandthereforenon-verifiedAdaprograms.

–Allowsaswelltointegratenotyetimplementedcode.


a3-1 cs ada. ark sp overview.csetzer/lectures/critsys/02/...(c) anton setzer 2003 (except fo r...

Documents