SIGAda 2001 - Copyright © 2001 Praxis Critical Systems Limited
Peter Amey
Praxis Critical Systems
A Language for Systems not Just Software
Static Analysis Overview
• Identifying properties of a program without execution
  – style, coding standards, dubious construct detection
  – language subset conformance, wellformedness
  – control flow and complexity
  – data flow analysis
  – information flow analysis
  – proof (or formal verification)
• An Ada compiler is a powerful static analyser
• Analysis: shows that a program should work in all cases
• Testing: shows that it does work for certain specific cases
SPARK Goals
• Precise static analysis
• Early use of static analysis
• Facilitated by:
  – an exact language
  – removal of ambiguous and erroneous constructs
  – annotations
Why Annotations?
• Annotations strengthen specifications
  – Ada separation of specifications/implementations too weak
• Allows analysis without access to implementations
  – which can be done early on during development
  – even before programs are complete or compilable
• Allows efficient detection of erroneous constructs
An example
  procedure Inc (X : in out Integer);
  --# global in out CallCount;

Detection of function side-effect:
  function AddOne (X : Integer) return Integer is
     XLocal : Integer := X;
  begin
     Inc (XLocal);   -- Inc updates the global CallCount: a side effect, illegal in a SPARK function
     return XLocal;
  end AddOne;

Detection of aliasing:
  Inc (CallCount);  -- CallCount is both the actual parameter and a global of Inc
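The three checks this slide illustrates (computing the information-flow relation a `derives` annotation states, catching the side effect in AddOne, and catching the aliasing in `Inc (CallCount)`) can be modelled compactly. The block below is an added example in Python; it is not Praxis code and not the Examiner's algorithm. It assumes a toy statement form (assign / if / call) in place of Ada syntax, a pseudo-parameter named `Result` for a function's return value, and a simplified anti-aliasing rule that flags any actual parameter that is also a global of the callee. Inc's body is taken from the Evolution of Annotations slide; the `Control` subprogram is constructed to show information flowing through a condition.

```python
"""Toy model of SPARK-style flow analysis.  Added example, not Praxis code and
not the Examiner's algorithm: it models three checks the slides describe
(information-flow `derives` computation, function side-effect detection and
parameter/global aliasing detection) over a tiny constructed program form."""
from dataclasses import dataclass


@dataclass
class Subprogram:
    name: str
    is_function: bool
    params: dict     # formal -> "in" | "out" | "in out"; a function result is the out param "Result"
    globals_: dict   # global -> mode, i.e. the --# global annotation
    locals_: list    # local variable names
    body: list       # statements in the toy form below


# Constructed statement forms (a toy IR, not SPARK syntax):
#   ("assign", target, [source names])                 target := f(sources); [] means a constant
#   ("if", [condition names], then_stmts, else_stmts)
#   ("call", callee: Subprogram, {formal: actual})


def _deps(names, env):
    """Union of the input dependencies of the named variables."""
    return set().union(*(env.get(n, {n}) for n in names))


def _exports(sub):
    modes = list(sub.params.items()) + list(sub.globals_.items())
    return [n for n, m in modes if "out" in m.split()]


def _run(stmts, env):
    """Propagate dependencies through stmts; return the set of variables assigned."""
    assigned = set()
    for st in stmts:
        if st[0] == "assign":
            _, target, sources = st
            env[target] = _deps(sources, env)
            assigned.add(target)
        elif st[0] == "if":
            _, cond, then_b, else_b = st
            cond_deps = _deps(cond, env)
            t_env, e_env = dict(env), dict(env)
            touched = _run(then_b, t_env) | _run(else_b, e_env)
            for v in touched:
                # information flow: a variable assigned on either path also depends on the condition
                env[v] = t_env.get(v, set()) | e_env.get(v, set()) | cond_deps
            assigned |= touched
        elif st[0] == "call":
            _, callee, actuals = st
            updates = {}
            for exp, imps in derives(callee).items():
                # substitute actuals for formals; the callee's globals keep their own names
                updates[actuals.get(exp, exp)] = _deps([actuals.get(i, i) for i in imps], env)
            env.update(updates)   # all exports of one call are updated simultaneously
            assigned |= set(updates)
    return assigned


def derives(sub):
    """Compute {export: set of imports}, the relation a --# derives annotation states."""
    env = {}
    for name, mode in list(sub.params.items()) + list(sub.globals_.items()):
        env[name] = {name} if "in" in mode.split() else set()
    _run(sub.body, env)
    return {e: env[e] for e in _exports(sub)}


def side_effect_check(sub):
    """Globals a function writes, directly or through a called procedure (SPARK forbids any)."""
    if not sub.is_function:
        return []
    written = _run(sub.body, {})
    return sorted(w for w in written if w not in sub.params and w not in sub.locals_)


def aliasing_check(callee, actuals):
    """Actual parameters that are also globals of the callee (simplified anti-aliasing rule)."""
    return sorted(a for a in actuals.values() if a in callee.globals_)


# The slide's subprograms in the toy form.  Inc's body (X := X + 1; CallCount := CallCount + 1)
# is the one shown on the Evolution of Annotations slide.
INC = Subprogram("Inc", False, {"X": "in out"}, {"CallCount": "in out"}, [],
                 [("assign", "X", ["X"]), ("assign", "CallCount", ["CallCount"])])

ADD_ONE = Subprogram("AddOne", True, {"X": "in", "Result": "out"}, {}, ["XLocal"],
                     [("assign", "XLocal", ["X"]),
                      ("call", INC, {"X": "XLocal"}),
                      ("assign", "Result", ["XLocal"])])

# Constructed: an actuator set to a constant in each arm of a condition.  No data flows
# from TooFull into Drain, but information does, so the derives relation must record it.
CONTROL = Subprogram("Control", False, {"TooFull": "in", "Drain": "out"}, {}, [],
                     [("if", ["TooFull"], [("assign", "Drain", [])], [("assign", "Drain", [])])])

if __name__ == "__main__":
    print("Inc derives:", derives(INC))                                  # {'X': {'X'}, 'CallCount': {'CallCount'}}
    print("AddOne writes globals:", side_effect_check(ADD_ONE))          # ['CallCount']
    print("Inc (CallCount) aliases:", aliasing_check(INC, {"X": "CallCount"}))  # ['CallCount']
    print("Control derives:", derives(CONTROL))                          # {'Drain': {'TooFull'}}
```

The `if` merge is where information flow differs from data flow: `Drain` receives only constants, so no data reaches it from `TooFull`, yet the analysis records `Drain from TooFull`. That is the same kind of dependency the page's ControlHigh annotation states for `DrainValve.State`, even though the valve is only ever set to `Valve.Open` or `Valve.Shut`.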
Evolution of Annotations
• Initially annotations were about code
  package P
  --# own CallCount;
  --# initializes CallCount;
  is
     procedure Inc (X : in out Integer);
     --# global in out CallCount;
  end P;

  package body P
  is
     CallCount : Integer := 0;

     procedure Inc (X : in out Integer)
     is
     begin
        X := X + 1;
        CallCount := CallCount + 1;
     end Inc;
  end P;
• They evolved to describe abstractions better
Refinement
  package Stack
  --# own State;
  is
     procedure Clear;
     --# global out State;
     --# derives State from ;

     procedure Push (X : in Integer);
     --# global in out State;
     --# derives State from State, X;

     procedure Pop (X : out Integer);
     --# global in out State;
     --# derives X, State from State;
  end Stack;

  package body Stack
  --# own State is Vector, Ptr;
  is
     MaxDepth : constant := 100;
     type Ptrs is range 0 .. MaxDepth;
     subtype Indexes is Ptrs range 1 .. MaxDepth;
     type Vectors is array (Indexes) of Integer;
     Ptr    : Ptrs;
     Vector : Vectors;
     ...
     procedure Push (X : in Integer)
     --# global in out Ptr, Vector;
     --# derives Vector from Vector, X, Ptr &
     --#         Ptr    from Ptr;
     ...
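The point of the refinement annotation `--# own State is Vector, Ptr;` is that the Examiner can check the body's relation over `Vector` and `Ptr` against the spec's relation over `State`. The block below is an added example in Python, not Praxis code: it lifts each refined `derives` relation back through the refinement and compares it with the spec's, which is a simplified form of what the Examiner does (it does not reproduce every Examiner rule, for instance the treatment of a partly updated `out` abstract variable). Push's refined relation is the slide's; Pop's refined relation and the faulty `BAD_PUSH` are constructed here, since the slide elides them.

```python
"""Refinement consistency check for SPARK-style abstract own variables.
Added example, not Praxis code: a simplified version of the binding the
Examiner performs between the spec's annotations on the abstract variable
State and the body's annotations on its constituents Vector and Ptr."""

# From the slide:  --# own State is Vector, Ptr;
REFINEMENT = {"State": {"Vector", "Ptr"}}

# The spec's derives relations from the slide, as {export: set of imports}
SPEC = {
    "Push": {"State": {"State", "X"}},
    "Pop":  {"X": {"State"}, "State": {"State"}},
}

# Refined relations of the body.  Push's is the slide's; Pop's is assumed here
# (X := Vector (Ptr); Ptr := Ptr - 1) because the slide elides it.
BODY = {
    "Push": {"Vector": {"Vector", "X", "Ptr"}, "Ptr": {"Ptr"}},
    "Pop":  {"X": {"Vector", "Ptr"}, "Ptr": {"Ptr"}},
}

# Constructed faulty Push: it overwrites the stack instead of extending it,
# so the abstract State no longer depends on its previous value.
BAD_PUSH = {"Vector": {"X"}, "Ptr": set()}


def abstract_name(name, refinement=REFINEMENT):
    """Map a constituent to its abstract own variable; other names map to themselves."""
    for abstract, constituents in refinement.items():
        if name in constituents:
            return abstract
    return name


def abstract_relation(concrete, refinement=REFINEMENT):
    """Lift a refined {export: imports} relation to the abstract names used by the spec."""
    lifted = {}
    for export, imports in concrete.items():
        lifted.setdefault(abstract_name(export, refinement), set()).update(
            abstract_name(i, refinement) for i in imports)
    return lifted


def check_refinement(spec_rel, body_rel, refinement=REFINEMENT):
    """Return {export: (spec imports, lifted body imports)} for every export on which the
    two disagree (None marks an export only one side mentions); {} means consistent."""
    lifted = abstract_relation(body_rel, refinement)
    mismatches = {}
    for export in sorted(set(spec_rel) | set(lifted)):
        spec_imports, body_imports = spec_rel.get(export), lifted.get(export)
        if spec_imports != body_imports:
            mismatches[export] = (spec_imports, body_imports)
    return mismatches


def check_package(spec, body, refinement=REFINEMENT):
    """Check every operation of a package; maps operation name to its mismatches."""
    return {op: check_refinement(spec[op], body[op], refinement) for op in spec}


if __name__ == "__main__":
    print(check_package(SPEC, BODY))                  # {'Push': {}, 'Pop': {}}
    print(check_refinement(SPEC["Push"], BAD_PUSH))   # {'State': ({'State', 'X'}, {'X'})}
```

Because the spec relation is stated over `State` alone, the body is free to change how `State` is represented (a different `MaxDepth`, a linked structure, a second index) as long as the lifted relation still matches; that is the sense in which the annotations describe the abstraction rather than the code.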
Interactions with the Environment
[Diagram: the environment's input devices and output devices surround the software environment. System input data items are the monitored variables and output data items are the controlled variables; the flow is IN -> SOFT -> OUT.]
Volatility
  Z : Integer;
  for Z'Address use ...

  X := Z;
  Y := Z;

does X = Y?
Modelling Volatility (three successive versions of the same package, as shown on the slides)

Version 1: Inputs as an ordinary own variable, updated by every Read
  package Temperature
  --# own Inputs;
  --# initializes Inputs;
  is
     procedure Read (X : out Celsius);
     --# global in out Inputs;
     --# derives X from Inputs &
     --#         Inputs from Inputs;
  end Temperature;

Version 2: Inputs declared as an own in variable
  package Temperature
  --# own in Inputs;
  --# initializes Inputs;
  is
     procedure Read (X : out Celsius);
     --# global in out Inputs;
     --# derives X from Inputs &
     --#         Inputs from Inputs;
  end Temperature;

Version 3: own in Inputs, read only, with no initializes clause
  package Temperature
  --# own in Inputs;
  is
     procedure Read (X : out Celsius);
     --# global in Inputs;
     --# derives X from Inputs;
  end Temperature;
Case Study - Water Contents Monitor
[Diagram: the components are the water high sensor, the water low sensor, the fill valve, the drain valve, the fault integrator and the valve type.]
Sensors
  package WaterHighSensor
  --# own in State;
  is
     function IsActive return Boolean;
     --# global State;
  end WaterHighSensor;

  package WaterLowSensor
  --# own in State;
  is
     function IsActive return Boolean;
     --# global State;
  end WaterLowSensor;
Actuators
  package Valve
  is
     type T is (Open, Shut);
  end Valve;

  with Valve;
  --# inherit Valve;
  package FillValve
  --# own out State;
  is
     procedure SetTo (Setting : in Valve.T);
     --# global out State;
     --# derives State from Setting;
  end FillValve;
Fault Integrator Abstract Type
  package FaultIntegrator
  is
     type T is limited private;

     procedure Init (FI : out T; Threshold : in Positive);
     --# derives FI from Threshold;

     procedure Test (FI              : in out T;
                     CurrentEvent    : in     Boolean;
                     IntegratedEvent :    out Boolean);
     --# derives IntegratedEvent,
     --#         FI from FI, CurrentEvent;
  private
     --# hide FaultIntegrator;
  end FaultIntegrator;
Main controller
  procedure Main
  --# global in  WaterHighSensor.State,
  --#            WaterLowSensor.State;
  --#        out FillValve.State,
  --#            DrainValve.State;
  --# derives FillValve.State from
  --#         WaterLowSensor.State &
  --#         DrainValve.State from
  --#         WaterHighSensor.State;
  is
     HighIntegrator, LowIntegrator : FaultIntegrator.T;
     HighThreshold : constant Positive := 10;
     LowThreshold  : constant Positive := 10;
Main controller (continued)
     procedure ControlHigh
     --# global in     WaterHighSensor.State;
     --#        out    DrainValve.State;
     --#        in out HighIntegrator;
     --# derives DrainValve.State,
     --#         HighIntegrator from
     --#         HighIntegrator,
     --#         WaterHighSensor.State;
     is separate;

     procedure ControlLow
     --# global in     WaterLowSensor.State;
     --#        out    FillValve.State;
     --#        in out LowIntegrator;
     --# derives FillValve.State,
     --#         LowIntegrator from
     --#         LowIntegrator,
     --#         WaterLowSensor.State;
     is separate;
Main controller (continued)
  begin -- Main
     FaultIntegrator.Init (HighIntegrator, HighThreshold);
     FaultIntegrator.Init (LowIntegrator, LowThreshold);
     FillValve.SetTo (Valve.Shut);
     DrainValve.SetTo (Valve.Shut);
     loop
        ControlHigh;
        ControlLow;
     end loop;
  end Main;
Subunits
  separate (Main)
  procedure ControlHigh
  is
     RawFullEvent, TooFull : Boolean;
  begin
     RawFullEvent := WaterHighSensor.IsActive;
     FaultIntegrator.Test (HighIntegrator, RawFullEvent, -- to get
                           TooFull);
     if TooFull then
        DrainValve.SetTo (Valve.Open);
     else
        DrainValve.SetTo (Valve.Shut);
     end if;
  end ControlHigh;
Device drivers
  package body WaterHighSensor
  --# own State is in HighSensorPort;
  is
     type Byte is mod 256;
     ActiveValue : constant Byte := 255;
     HighSensorPort : Byte;
     for HighSensorPort'Address use ...

     function IsActive return Boolean
     --# global HighSensorPort;
     is
        RawVal : Byte;
        Result : Boolean;
     begin
        RawVal := HighSensorPort;
        if RawVal'Valid then
           Result := RawVal = ActiveValue;
        else
           Result := True; -- show too full on sensor failure
        end if;
        return Result;
     end IsActive;
  end WaterHighSensor;
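The case study's behaviour, from the fail-safe decode in the device driver through the fault integrator to the valve settings chosen by ControlHigh and ControlLow, can be exercised end to end on constructed sensor samples. The block below is an added example in Python, not Praxis code; it restates the SPARK subunits and driver as plain functions so the control loop can run. It makes three assumptions the slides hide or elide: a port reading is valid only if it is one of two defined byte values (255 active, 0 inactive, the latter assumed), `FaultIntegrator.Test` raises the integrated event once the raw event has been seen on `Threshold` consecutive cycles, and the low sensor's failure policy mirrors the high sensor's. The sample sequences and the 0x7F "failed sensor" byte are constructed.

```python
"""Simulation of the slides' water contents monitor.  Added example, not Praxis
code: the SPARK subunits and device driver rewritten as Python functions so the
control loop can be run on constructed sensor samples.  Assumed, since the slides
hide or elide them: the inactive byte value, the fault integrator's policy and the
low sensor's failure behaviour."""

ACTIVE_VALUE = 255      # from the slide: ActiveValue : constant Byte := 255
INACTIVE_VALUE = 0      # assumed: the byte a healthy sensor reports when not active


def is_active(raw_byte):
    """Sensor.IsActive: decode a port byte, failing safe (report active) on an invalid reading."""
    if raw_byte not in (ACTIVE_VALUE, INACTIVE_VALUE):   # models RawVal'Valid = False
        return True                                       # show too full on sensor failure
    return raw_byte == ACTIVE_VALUE


class FaultIntegrator:
    """Debounces a raw event: the integrated event is raised only once the raw event
    has been present on `threshold` consecutive cycles (assumed policy; the slide
    hides the body behind --# hide)."""

    def __init__(self, threshold):
        if threshold < 1:                 # Threshold : in Positive
            raise ValueError("threshold must be positive")
        self.threshold = threshold
        self.count = 0

    def test(self, current_event):
        """FaultIntegrator.Test: returns IntegratedEvent for this cycle."""
        self.count = self.count + 1 if current_event else 0
        return self.count >= self.threshold


def control_high(high_integrator, high_port_byte):
    """ControlHigh: open the drain valve while the integrated 'too full' event holds."""
    too_full = high_integrator.test(is_active(high_port_byte))
    return "Open" if too_full else "Shut"


def control_low(low_integrator, low_port_byte):
    """ControlLow: open the fill valve while the integrated 'too low' event holds (mirrors ControlHigh)."""
    too_low = low_integrator.test(is_active(low_port_byte))
    return "Open" if too_low else "Shut"


def run_controller(high_samples, low_samples, threshold):
    """Main: initialise both integrators, shut both valves, then run one control cycle per
    sample pair.  Returns the initial (DrainValve, FillValve) pair followed by the pair
    after each cycle."""
    high_integrator = FaultIntegrator(threshold)
    low_integrator = FaultIntegrator(threshold)
    history = [("Shut", "Shut")]          # FillValve.SetTo (Valve.Shut); DrainValve.SetTo (Valve.Shut);
    for high_byte, low_byte in zip(high_samples, low_samples):
        drain = control_high(high_integrator, high_byte)
        fill = control_low(low_integrator, low_byte)
        history.append((drain, fill))
    return history


# Constructed port samples; 0x7F is neither defined value, i.e. a failed high sensor.
HIGH_SAMPLES = [255, 255, 0, 255, 255, 255, 0x7F, 0]
LOW_SAMPLES = [255, 255, 255, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for cycle, (drain, fill) in enumerate(run_controller(HIGH_SAMPLES, LOW_SAMPLES, 3)):
        print(f"cycle {cycle}: DrainValve={drain} FillValve={fill}")
```

With a threshold of 3 the drain valve stays shut through the first two active samples and the glitch at sample 3, opens on the third consecutive active sample, stays open across the failed-sensor byte (decoded as active by the fail-safe branch), and shuts as soon as a valid inactive byte arrives. Note what the fail-safe buys and costs: a stuck-at-invalid high sensor keeps the drain open, which protects against overfilling at the price of draining the tank, and a low sensor failing the same way opens the fill valve at the same time; the integrator's threshold is what stops a single corrupt reading from driving either valve.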
Traceability and Abstraction
Low level annotation in implementation terms:
  function IsActive return Boolean
  --# global HighSensorPort;

Refinement hiding implementation detail:
  --# own State is in HighSensorPort;

Annotation in spec is in abstract terms:
  function IsActive return Boolean;
  --# global State;

Main controller annotation entirely in abstract terms:
  --# derives FillValve.State from
  --#         WaterLowSensor.State &
  --#         DrainValve.State from
  --#         WaterHighSensor.State;
Conclusions
• SPARK and the Examiner originated from research concerned with reverse engineering of code
• SPARK has evolved into something much more concerned with program construction than program analysis
• The combination of abstract own variables and modes provides mechanisms for parallel descriptions of systems and implementations that analysis binds together