ada 2012
DESCRIPTION
A thorough presentation of all the new features that make Ada 2012 the benchmark for highly-reliable, safe, and secure programming.TRANSCRIPT
Slide: 1Copyright © 2012 AdaCore
Quentin OchemTechnical Account Manager
Ada and Ada 2012 – Overview and rationale
Slide: 2Copyright © 2012 AdaCore
Why Programming
Languages Matter?
Slide: 3Copyright © 2012 AdaCore
Presentation Scope
• In High-Reliable Software, the choice is usually
being made between– C
– C++
– Java
– Ada
• What are the criteria for this choice?
• What are the implications of this choice?
Slide: 4Copyright © 2012 AdaCore
Human Resources Criteria
• There are more people that know C++ than Ada
• There are more people that know C than C++
• There are more people trained in Java than C or
C++
• So from a HR point of view, the choice is
obviously…
Slide: 5Copyright © 2012 AdaCore
Human Resources Criteria
Visual Basic
Slide: 6Copyright © 2012 AdaCore
Is Programmers’ Language Skill an Issue?
• Main software paradigms are key– Object orientation
– Pointers
– Stack
– Exceptions
– …
• Applying these skills to any programming
language should be easy for any developer
Slide: 7Copyright © 2012 AdaCore
Show-Stopper Criteria
• Is the language supported by the industry?
• Does the language have perspectives for long term development?
• Is the language properly supported by tools?
• Does the language generate efficient code?
• Is the language supported on the target architectures?
• Can the language support generic programming paradigms?
All four languages, C, C++, Java and Ada fulfill these requirements
Slide: 8Copyright © 2012 AdaCore
• What direction does the evolution of the language take?
• What are the primary markets using this language?
• Is the language defined by a public or private entity?
• Can the language support the full development cycle
(specification/code/verification)?
• Can the language help in the writing more reliable code?
• Can the language help in the writing more maintainable code?
Other Criteria of Interest
Slide: 9Copyright © 2012 AdaCore
Goal: Reducing Costs (Finding Errors and Inconsistencies Earlier)
Development Test Integration Deployment
Problem FoundFix Cost
Slide: 10Copyright © 2012 AdaCore
Goal: Finding Errors and Inconsistencies Earlier
Development Test Integration Deployment
Problem FoundFix Cost
Slide: 11Copyright © 2012 AdaCore
Easing the Reaching Higher Levels of Reliability
C/C++ Java Ada
ReliabilityAchieved
Developer Responsibility
ToolResponsibility
Language Responsibility
Slide: 12Copyright © 2012 AdaCore
How do we get there?
Slide: 13Copyright © 2012 AdaCore
The One-Line-Of-Code Hell
• Is “tab” null?
• Is “tab” an array?
• Is i within the boundaries of “tab”?
• Has “tab” been initialized?
• Is “tab” expecting floats or integers?
• If it’s float, is this a float or a integer division?
tab [i] = tab [i] / 10;
Can’t tell.
Can’t tell.
Can’t tell.
Can’t tell.
Can’t tell.
Can’t tell.
Slide: 14Copyright © 2012 AdaCore
The One-Line-Of-Code Hell
• Is “tab” null?
• Is “tab” an array?
• Is i within the boundaries of “tab”?
• Has “tab” been initialized?
• Is “tab” expecting floats or integers?
• If it’s float, is this a float or a integer division?
tab (i) := tab (i) / 10;
Can’t tell.
No, tab is an array.
Yes, otherwise can’t access the indices.
Checked at run-time.
If float, compiler runtime.
If needed, explicit conversion.
Slide: 15Copyright © 2012 AdaCore
Driving Design Principles
• Be explicit as much as possible– Put as much (formal) information as possible in the code
– Put as much (formal) information as possible in the specification
– Avoid pointers as much as possible
– Avoid shortcuts
– Avoid ambiguous constructs as much as possible
– Make dubious constructs possible but visible
type I_Acc is access all Integer; I : I_Acc := new Integer; function Acc_To_Int is new Ada.Unchecked_Conversion (I_Acc, Integer); function Int_To_Acc is new Ada.Unchecked_Conversion (Integer, I_Acc);
I := Int_To_Acc (Acc_To_Int (I) + I_Acc’Size);
int * i = malloc (sizeof (int));
i++;
Slide: 16Copyright © 2012 AdaCore
Driving Rationale
• Ada eases manual and automatic analysis at various levels:– Developer review
– Peer review
– Compiler errors and warnings
– Static analysis tools
– Proof tools
– Maintenance
• Simplify code and readability when dealing with high-level programming
concepts
A : Integer_Array (0 .. 10) := (0 => 1, 1 => 1, others => 0)
int [] a = new int [10];
a [0] = 1; a [1] = 1;for (int i = 2; i < 10; i++) a [i] = 0;
Slide: 17Copyright © 2012 AdaCore
Strong Typing
• A type is a semantic entity, independent from its implementation
• Strong typing forbids implicit conversions
• Values are checked at run-time (can be deactivated)
type Kilometers is new Float;type Miles is new Float;
Length_1 : Miles := 5.0;Length_2 : Kilometers := 10.0;D : Kilometers := Length_1 + Length_2;
type Ratio is new Float range 0.0 .. 100.0;Qty : Integer := 10;Total : Integer := 1000;
R : Ratio := Ratio (Total / Qty) * 100.0;
Slide: 18Copyright © 2012 AdaCore
Strong typing (continued)
• Enumerations have a dedicated semantic
type Color is (Red, Blue, White, Green, Black, Yellow);type Direction is (North, South, East, West);type Light is (Green, Yellow, Red);
C : Color := Red; -- This is the red from ColorL : Light := Red; -- This is the red from Light
C := L; -- This is not permittedC := North; -- This is not permitted
enum Color {Red, Blue, White, Green, Black, Yellow};enum Direction {North, South, East, West);
Color C = Red;C = West; // Ok, but what does it mean?C = 666; // Ok, but what does it mean?
Slide: 19Copyright © 2012 AdaCore
Arrays
• Arrays can be indexed by any discrete types (integers,
enumeration)
• First and Last index can be specified at declaration time
• Buffer overflows are checked at run-time
• There is an array literal (aggregate)
type Some_Array is array (Integer range <>) of Integer;type Color_Array is array (Color range <>) of Integer;
Arr1 : Some_Array (10 .. 11) := (666, 777);Arr2 : Color_Array (Red .. Green) := (Red => 0, others => 1);
Arr1 (9) := 0; -- Exception raised, Index out of range
Slide: 20Copyright © 2012 AdaCore
Array Copy, Slicing and Sliding
• Arrays provide a high-level copy sematic
• Arrays provide a high level slicing/sliding sematic
type Integer_Array is array (Integer range <>) of Integer; V1 : Integer_Array (1 .. 10) := (others => 0); V2 : Integer_Array (1 .. 10) := (others => 1);begin V1 := V2;
type Integer_Array is array (Integer range <>) of Integer; V1 : Integer_Array (1 .. 10) := (others => 0); V2 : Integer_Array (11 .. 20) := (others => 1);begin V1 (1 .. 2) := V2 (11 .. 12);
Slide: 21Copyright © 2012 AdaCore
Parameter Modes
• Three parameter modes : in (input), out (output) and in-out
(input/output)
• The correct parameter usage is done at compile-time
• The compiler decides if it has to be passed by reference or copy
• This is a case of explicit pointer avoidance
procedure Do_Something (P1 : in Huge_Structure) –- Passed by reference if too big
procedure Do_Something (P1 : in Integer; -- P1 can’t be changed P2 : out Integer; -- No initial value on P2 P3 : in out Integer) -- P3 can be changed
Slide: 22Copyright © 2012 AdaCore
• Generalized contracts are available through pre- and post-
conditions
• New type invariants will ensure properties of an object
• Subtype predicates
Pre, Post Conditions and Invariants
type T is private with Type_Invariant => Check (T);
type Even is range 1 .. 10 with Dynamic_Predicate => Even mod 2 = 0;
procedure P (V : in out Integer) with Pre => V >= 10, Post => V’Old /= V;
Slide: 23Copyright © 2012 AdaCore
Package Architecture
• All entities are subject to encapsulation– Not only OOP constructions
• Specification and Implementation details are separated from the package,
addresses any kind of semantic entity
package Stack is
procedure Push (V : Integer); ...
end Stack; package body Stack is
procedure Push (V : Integer) is begin ...
end Stack;
Slide: 24Copyright © 2012 AdaCore
Privacy
• A package contains well identified public and private parts
• The user can concentrate on only one part of the file
package Stack is
procedure Push (V : Integer); procedure Pop (V : out Integer);
private
type Stack_Array is array (1 .. 1000) of Integer; Current_Pos : Integer := 0;
end Stack;
Slide: 25Copyright © 2012 AdaCore
Private Types
• A private type can be implemented by any data structure
• User code does not rely on the actual representation
package Stack is
procedure Push (V : Integer); procedure Pop (V : out Integer);
private
type Stack_Array is array (1 .. 1000) of Integer; Current_Pos : Integer := 0;
end Stack;
Slide: 26Copyright © 2012 AdaCore
Data Representation
• Allows to optimize memory usage
• Allows to precisely map data
type Size_T is range 0 .. 1023;
type Header is record Size : Size_T; Has_Next : Boolean;end record; for Header userecord Size at 0 range 0 .. 10; Has_Next at 1 range 6 .. 6;end record;
Slide: 27Copyright © 2012 AdaCore
Genericity
• Instanciation has to be explicit
generic type T is private;package P is V : T;end P;
package I1 is new P (Integer);package I2 is new P (Integer);
I1.V := 5;I2.V := 6;
template <class T>class P { public static T V;};
P <int>::V = 5;P <int>::V = 6;
Slide: 28Copyright © 2012 AdaCore
Object Orientation
• Ada implements full OOP principles– Encapsulation
– Inheritance
– Dispatching
• Safe OOP paradigm is implemented– A unique concrete inheritance tree
– Multiple interface inheritance
– “Overriding” methods can be checked
• OOP can be comfortably used without (explicit) pointers
Slide: 29Copyright © 2012 AdaCore
Object Orientation Example
type Root is tagged record F1 : Integer;end record;
not overridingfunction Get (Self : Root) return Integer;
type Child is new Root with record F2 : Integer;end record;
overridingfunction Get (Self : Child) return Integer;
List : Root_List;
L.Add (Root’(F1 => 0));L.Add (Root’(F1 => 1));L.Add (Child’(F1 => 2, F2 => 0));
Total := 0;
for Item of List loop Total := Total + Item.Get;end loop;
Slide: 30Copyright © 2012 AdaCore
If pointers are needed…
• Pointers are typed, associated with accessibility checks
• Objects that can be pointed are explicitly identified
• In the absence of de-allocation, pointers are guaranteed to never dangle
• Pointers’ constraints can be specified– Is null value expected?
– Is the pointer constant?
– Is the object pointed by the pointer constant?
type My_Pointer is access all Integer;
Global_Int : aliased Integer;
function Get_Pointer (Local : Boolean) return My_Pointer is Local_Int : aliased Integer; Tmp : My_Pointer;begin if Local then Tmp := Local_Int’Access; else Tmp := Global_Int’Access; end if;
return Tmp;end Get_Pointer;
Tmp := Local_Int’Unchecked_Access;
Slide: 31Copyright © 2012 AdaCore
Concurrent Programing
• Threads and semaphore are first class citizens
task Some_Task isbegin loop -- Do something select accept Some_Event do -- Do something end Some_Event; or accept Some_Other_Event do -- Do something end Some_Other_Event; end select; end loop;end;
...
Some_Task.Some_Event;
Slide: 32Copyright © 2012 AdaCore
Why is all of this of any use?
• For readability– Specification contains formally expressed properties on the code
• For testability– Constraints on subprograms & code can lead to dynamic checks
enabled during testing
• For static analysis– The compiler checks the consistency of the properties
– Static analysis tools (CodePeer) uses these properties as part of its
analysis
• For formal proof– Formal proof technologies can formally prove certain properties of
the code (High-Lite project)
Slide: 33Copyright © 2012 AdaCore
Yes But…
• It is possible to reach similar levels of safety with other
technologies (MISRA-C, RT-Java)
• … but safety features have to be re-invented– Requires additional guidelines
– Requires additional tools
– Limited by the original language features
• Examples of “circle fits in a square” features– Types management in MISRA-C
– Stack emulation in RT-Java
• When long term reliability is a goal, using the correct paradigm to start with
will reach higher levels at lower cost
Slide: 34Copyright © 2012 AdaCore
Key Messages
Slide: 35Copyright © 2012 AdaCore
Ada Evolution
Ada 83
Ada 95• Object
Orientation• Better Access
Types• Protected
Types• Child
Packages
Ada 2005• Interfaces• Containers• Better Limited
Types• Ravenscar
Ada 2012• Pre / Post /
Invariants• Iterators• New
expressions• Process
Affinities
Slide: 36Copyright © 2012 AdaCore
• Ada 83 to 2005 forbids the use of in out for function
• Since Ada 95, it’s possible to workaround that with the
access mode (but requires the explicit use of an access)
• Ada 2012 allows ‘in out’ parameters for functions
In out parameters for functions
function Increment (V : in out Integer) return Integer isbegin V := V + 1; return V;end F;
Slide: 37Copyright © 2012 AdaCore
• Ada 2012 detects “obvious” aliasing problems
Aliasing detection
function Change (X, Y : in out Integer) return Integer is begin X := X * 2; Y := Y * 4;
return X + Y; end;
One, Two : Integer := 1;
begin
Two := Change (One, One); -- warning: writable actual for "X" overlaps with actual for "Y“
Two := Change (One, Two) + Change (One, Two); -- warning: result may differ if evaluated after other actual in expression
Slide: 38Copyright © 2012 AdaCore
• The Ada 2012 standard normalizes pre-conditions, post-
conditions
• New type invariants will ensure properties of an object
• Subtype predicates
Pre, Post conditions and Invariants
type T is private with Type_Invariant => Check (T);
type Even is range 1 .. 10 with Dynamic_Predicate => Even mod 2 = 0;
procedure P (V : in out Integer) with Pre => V >= 10, Post => V’Old /= V;
Slide: 39Copyright © 2012 AdaCore
• It will be possible to write expressions with a result
depending on a condition
Conditional expressions
procedure P (V : Integer) is X : Integer := (if V = 10 then 15 else 0); Y : Integer := (case V is when 1 .. 10 => 0, when others => 10);begin null;end;
Slide: 40Copyright © 2012 AdaCore
• Given a container, it will be possible to write a simple loop
iterating over the elements
• Custom iterators will be possible
Iterators
Ada 2005 Ada 2012
for X in C.Iterate loop -- work on X Y := Container.Element (X); -- work on Yend loop;
for Y of C loop -- work on Yend loop;
X : Container.Iterator := First (C); Y : Element_Type;declare while X /= Container.No_Element loop -- work on X Y := Container.Element (X); -- work on Y X := Next (X); end loop;
Slide: 41Copyright © 2012 AdaCore
• Checks that a property is true on all components of a
collection (container, array…)
Quantifier expressions
type A is array (Integer range <>) of Integer;
V : A := (10, 20, 30);B1 : Boolean := (for all J in V’Range => V (J) >= 10); -- TrueB2 : Boolean := (for some J in V’Range => V (J) >= 20); -- True
Slide: 42Copyright © 2012 AdaCore
• Memberships operations are now available for all kind of
Boolean expressions
Generalized memberships tests
Ada 2005 Ada 2012
if C in ‘a’ | ‘e’ | ‘i’ | ‘o’ | ‘u’ | ‘y’ then
case C is when ‘a’ | ‘e’ | ‘i’ | ‘o’ | ‘u’ | ‘y’ =>
if C = ‘a’ or else C = ‘e’ or else C = ‘i’ or else C = ‘o’ or else C = ‘u’ or else C = ‘y’then
Slide: 43Copyright © 2012 AdaCore
• Function implementation can be directly given at
specification time if it represents only an “expression”
Expression functions
function Even (V : Integer) return Boolean is (V mod 2 = 0);
Slide: 44Copyright © 2012 AdaCore
• Ada 2005 containers are unsuitable for HIE application– Rely a lot of the runtime
– Not bounded
• Ada 2012 introduces a new form of container, “bounded”
used for– HIE product
– Statically memory managed
– Static analysis and proof
Containers
Slide: 45Copyright © 2012 AdaCore
• Task can be assigned to specific processors
• Enhances control over program behavior
• Enables Ravenscar on multi-core
Processor affinities
task body T1 is pragma CPU (1);begin […]end T1;
task body T2 is pragma CPU (2);begin […]end T2;
Slide: 46Copyright © 2012 AdaCore
• Improve readability– Specification contains formally expressed properties on the code
• Improve testability– Constraints on subprograms & code can lead to dynamic checks
enabled during testing
• Allow more static analysis– The compiler checks the consistency of the properties
– Static analysis tools (CodePeer) uses these properties as part of its
analysis
• Allow more formal proof– Formal proof technologies can prove formally certain properties of
the code (High-Lite project)
Ada 2012 safety improvements