>> Website Resources
.. >>库:TechXchange
.. .. >> TechXchange: Embedded Software
.. .. .. >> Topic: Ada and SPARK
The International Organization for Standardization recently approved the latest revision of Ada, known as Ada 2012, close to 30 years after the very first version. The language’s evolution shows how Ada has accounted for major software technology developments of the past several decades while retaining the original aims and flavor of its initial design.
Table Of Contents
- Ada 83: A Portable, Modern High-Order Language
- ADA 95:这里来了,更多
- Ada 2005: The Joy Of Interfaces
- ADA 2012:针对当今软件挑战的基于合同的编程
- References
Ada 83: A Portable, Modern High-Order Language
ADA 83是美国国防部(DOD)举办的国际竞赛的结果,旨在取代当时在国防部中使用的500多种编程语言。这是一种通用编程语言,旨在用于大型,长期寿命的软件系统,因此两个基本标准影响了后续版本的每个功能。
First, the language must help programmers detect errors in their code as early as possible. This requires a strong typing mechanism and imposes on the programmer the responsibility of providing precise declarations for types and subtypes—a novel notion at the time. In return, the compiler can recognize more mistakes in the code, and the runtime can include checks that declarations are obeyed by dynamic values. Adverse reactions to this point of view were usually stated as “I don’t need no stinkin’ checks.”
Second, the language favors the reader over the writer. For long-lived systems, it is more important to have well-structured programs that can be understood by others than terse programs that save keystrokes and obscure their purpose. As a result, the language has a rich syntax (“verbose” to its detractors) that allows programs to “read better” on the page.
原始设计还结合了软件工程新生学科的想法:模块化,信息隐藏和关注点的分离。结果是一种具有雄心勃勃的功能的新颖语言:
- Programs organized around packages: A package has a specification and a body. The specification contains all that a client needs to use the services offered by the package, while the body contains the implementation of these services.
- Scalar types, array types, record types (like C constructs), access types (like C pointers but with type safety), and private types: Array types are self-describing. (They carry their bounds.) Record types can be parameterized by means of discriminants. Scalar types and access types are named, and type checking is by name equivalence (not structural equivalence). Type checking is performed both within a compilation unit and across units.
- Private types that provide data encapsulation: They specify a set of applicable operations, but the implementation of the type and its operations is opaque to the client.
- A generic mechanism providing parameterized packages and subprograms: Generic units can be specialized by explicit instantiation.
- Concurrency supported within the language: Tasks are independent units of execution that communicate by synchronizing and exchanging data through rendezvous.
The result was a large language by the standard of the times, and it is fair to say that it stretched the abilities of compiler writers and the capacities of most 1980s-vintage hardware. This delayed the spread of the language by a few years. Several robust compilers were available by 1987, and Ada started to see significant adoption, mostly within aerospace and military applications. DoD programming language policy at the time encouraged Ada usage, and there were also some significant Ada projects outside the military-aerospace domain (e.g., steel mill control, transport systems).
ADA 95:这里来了,更多
In the late 1980s, object-oriented programming became the new paradigm in software construction, and C++ became increasingly popular. Ada 83 had a limited view of inheritance (called type derivation) but no notion of type extension. A review of the language that started in 1990 led to a major revision, culminating in a new standard: Ada 95.
The most important enhancements offered by Ada 95 were:
- Object-oriented programming, supported by the notion of tagged types and type extensions, primitive operations, polymorphism, and dynamic dispatching.
- 将包裹组织成层次结构(儿童单元),以提供更好的软件子系统概念。
- 一种用于数据同步的新构造,受保护类型,它概括了监视器的较旧概念。
- A fully defined interface to other languages, in particular FORTRAN, C, and COBOL.
- 一个全面的预定库库,包括用于字符和字符串处理,数学处理和命令行处理的软件包。
- 附加的附件,以解决系统编程,实时系统,分布式系统,信息系统,数字以及安全和安全性的专门应用需求。
值得强调的是,Ada 95提供了两个complementary mechanisms for software evolution. Type extensions are akin to the classes of other O-O languages, but child units provide a separate mechanism for adding functionality to an existing system, and typically a package (parent or child unit) will declare several related types. The basic software component is a package. Types or classes are too small to serve this purpose.
ADA的演变反映了软件生态系统的演变。我们正在构建更大,更复杂的系统。这些系统通常是用几种语言编写的组件的聚合物。因此,除了将ADA中的组件链接起来的机制外,我们还需要一种与外国组件接口的方法。ADA 95引入了插入包,这些软件包声明其表示的类型必须匹配这些其他语言中的共同类型,以及必须使用以调用外国子程序的参数传递约定。
To declare these interfacing types, the language needs to describe precisely (down to the bit level) the required data layout. Ada has had from the beginning such representation clauses, and it’s worth noting that as a result it is truly a wide-spectrum language that can be used at multiple levels of abstraction.
Ada 2005: The Joy Of Interfaces
十年后,该语言的下一个修订使光看到了光。ADA 2005带来了比其前身更小的增强功能,但仍引入了一些重要的功能。
First, interface types (borrowed from Java) provide multiple inheritances. A type can now have one parent but multiple (interface) progenitors. Among its novel applications, interfaces unify tasks and protected types that can be defined as implementations of a given synchronized interface.
Second, a new visibility mechanism (the “limited with” clause) allows the declaration of mutually dependent package declarations. Compilation dependencies previously had to constitute a directed graph without loops.
Third, the original design of the language excluded the creation of subsets, and the official compiler validation test suite was intended to enforce the “no-subset” rule. However, for hard real-time purposes, the concurrency model of Ada is too rich and has too much implementation freedom. This makes a typical multitasking system hard to analyze in terms of deadlock, priority inversion, and other ills that concurrent systems are prone to. Ada 2005 includes the definition of a subset of the language’s concurrency features, the Ravenscar profile, which requires a smaller runtime than the full language and supports the construction of completely deterministic systems.
第四,通过额外的数字支持(向量,矩阵等)和广泛的容器设施,可以增强预定义的库。
ADA 2012:针对当今软件挑战的基于合同的编程
Like its predecessors, the latest revision of the language, which became an ISO standard in December 2012, addresses two sets of concerns: expressiveness and safety. For the first, there are several new expression forms, convenient iterators over containers, mechanisms for mapping tasking programs onto multicore architectures, and other improvements. However, the enhancements related to software safety are likely to be more significant in the long run. The language now includes a mechanism to specify assertions known as aspects (see the code).
package Utilities is procedure Swap( Left, Right : in out Integer ) with Post => Left=Right'Old and Right=Left'Old; function Factorial( N : Integer ) return Integer with Pre => N in 0..12, -- 13! overflows 32 bit integers Post => Factorial'Result = (if N=0 then 1 else N * Factorial(N-1)); end Utilities; package body Utilities is ... -- Bodies of Swap and Factorial go here end Utilities; with Utilities; procedure Testing is I, J, M, N : Integer; begin ... -- Initialize I, J Utilities.Swap(I, J); ... -- Initialize N M := Utilities.Factorial(N); ... end Testing;
Preconditions and postconditions can be provided for subprograms. A precondition establishes that the program state (the subprogram’s input parameters and global data) must obey a stated condition for the subprogram to operate correctly. A postcondition establishes that the result of the subprogram, which includes the state of output parameters, obeys some other stated condition.
Related Articles
•Ada 2012: The Joy of Contracts
•C ++ 11和ADA 2012-新闻复兴的母语?
•Ada Offers Advantages Over C And C++
Type invariants stipulate that the internal state of a private type obeys some condition. A type invariant must hold whenever an object of the type is created or modified by a client-visible subprogram—that is to say by code that is external to the package that defines the type.
亚型谓词定义了现有亚型的子集。该子集中只有值是子类型的有效值。亚型上的迭代省略了不满足谓词的值。
这些构造,统称为“合同-based programming,” aren’t completely novel. Some of them were included in Eiffel decades ago. But it is the first time that they appear as first-class citizens in a mainstream language, and they correspond to an interesting point in the evolution of programming. On the one hand, there has been remarkable progress in program analysis tools in the last decade. On the other hand, there is intense concern in the world at large about the safety and security of all software systems.
高可靠性的软件领域a niche that was mostly occupied by the aerospace industry and had developed stringent procedures for the development and certification of software systems such as the DO-178B standard for commercial avionics. The last few years have made it clear that complex software touches our lives constantly. The safety of financial software, automotive software, and medical software is as vital as that of air traffic control software, for example.
从一开始,ADA就包括了旨在使程序更具值得信赖的构造。例如,指定数组的大小并确保数组对象是自描述的,使对象的目的更加清晰,但它还允许编译器或运行时捕获对象的滥用。实际上,一种类型或亚型声明是关于软件行为的断言,编译器使用断言来验证代码是否有意义。编译器是程序分析工具,可以验证程序的某些简单属性。
Other program analysis tools perform a deeper analysis of a program and can determine, for example, that an uninitialized variable in one unit can cause another unit to malfunction. Typically this analysis is more complex than what is done in conventional compilers, and it includes global data flow techniques.
At a higher level of complexity, program verification tools include theorem provers and can ascertain that the execution of a program obeys some general postconditions. Interestingly, such formal tools were discussed a half-century ago, but never in the context of an existing programming language. They were always applied to very small languages with well-defined semantics, and formal proofs of correctness did not become widespread. The methods were too cumbersome, the semantics of the language not formal enough, or the application domain did not seem to require their use.
Ada 2012 is intended to change this trend. By exploiting the richer assertion mechanism added to the language, programmers can indicate their intent more precisely and explicitly—always a good thing! These annotations also provide additional information to the compiler, the program analysis tools, and the formal verification tools, which can then ascertain more precisely whether what the programmer wrote is consistent. The result can only be more reliable software.
In a way, from the programmer’s point of view, the difference between a compiler (leaving aside the fact that it generates code!), a program analysis tool, and a verification tool is maturity. Compilers have been around for much longer. But the modern programmer concerned with program correctness (as all should be!) will also use more complex tools. Today, Ada is uniquely positioned to fit in this continuum of techniques.
References
- ADA 2012语言参考手册; the reference manual is available here in several formats.
- Ada Comparison Chart; this table summarizes the evolution of the major features of the Ada language.
>> Website Resources
.. >>库:TechXchange
.. .. >> TechXchange: Embedded Software
.. .. .. >> Topic: Ada and SPARK
