Electronic Design

What's the Difference Between Ada and SPARK?

Nov. 19, 2015
Ada and SPARK are programming languages that are especially applicable in systems demanding high confidence in software reliability, safety, and security.

Claire Dross, Senior Software Engineer, AdaCore

Ada is a general-purpose language, like C++ or Java, supporting the usual features of modern programming languages, such as data encapsulation, object orientation, templates (called “generics”), exceptions, and tasking. Originally defined in 1983, it has undergone several revisions, the latest in 2012. What sets Ada apart from other general-purpose languages is that it was designed from the start with reliability, safety, and security in mind. Not surprisingly, Ada is used in domains where the correctness of software is critical: space, avionics, air-traffic control, railway, and military.

SPARK is a specialized subset of Ada designed to facilitate the use of formal methods, so that correctness of software or other program properties can be guaranteed with mathematics-based assurance. Therefore, SPARK is used in the same domains as Ada, by those who value the strong guarantees offered by formal methods.

Because formal methods can be more cost-effective than testing in achieving high levels of confidence in software correctness, new domains where software is also critical, such as automotive and drone software, are increasingly attracted to solutions like SPARK. In particular, formal methods provide a better solution than testing for defending against security attacks that exploit software vulnerabilities.

Ada

One of Ada’s most prominent characteristics is a strong and powerful type system. Ada supports a wide range of user-defined types. It includes signed (with overflow semantics) and modular integer types (with wrapping semantics) of various sizes. Both types allow restrictions on the range of valid integers. Ada also supports enumeration types and array types indexed by any integer or enumeration type:

type My_Index is range 1 .. 100;
-- A signed integer type containing only integers from 1 to 100
type My_Color is (Red, Blue, Yellow);
-- An enumeration type, which is not the same as an integer in Ada
type My_Array is array (My_Index range <>) of My_Color;
-- A My_Array object is indexed by any value from My_Index (i.e., an integer between 1 and 100)
-- and contains elements of type My_Color

Ada provides an important feature that enhances reliability: it automatically inserts runtime checks for a large number of common errors. Specifically, it dynamically checks for accesses outside the bounds of an array (commonly called “buffer overflows”) and for integer values outside the range of their type. If a violation occurs, an exception is raised at runtime. If desired (for example, after verification has given confidence that no error can occur), these checks can be disabled for efficiency reasons:

I : My_Index := Some_Value;
-- Some_Value stands for a value computed at run time (placeholder; the original initializer is not on the page).
-- An exception will be raised if I’s value is not between 1 and 100
A : My_Array (1 .. 2) := (Red, Blue);
-- A is an array whose index range is 1 through 2 and where A(1)=Red and A(2)=Blue
C : My_Color := A (I);
-- C is A’s I-th element. An exception will be raised if I is greater than 2.
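The following complete program is an added example (not code from the original article or from AdaCore) showing what the runtime checks above do with untrusted index values. The index list `Inputs` is constructed for the demonstration; each out-of-range value is turned into a `Constraint_Error` that the program catches, rather than a read past the end of the array.

```ada
with Ada.Text_IO; use Ada.Text_IO;

procedure Checked_Lookup is
   type My_Index is range 1 .. 100;
   type My_Color is (Red, Blue, Yellow);
   type My_Array is array (My_Index range <>) of My_Color;

   A : constant My_Array (1 .. 2) := (Red, Blue);

   -- Constructed "untrusted" inputs, standing in for index values that
   -- would come from a file, a packet or a user in a real program.
   Inputs : constant array (Positive range <>) of Integer := (1, 2, 7, 0, 150);

   -- Converts a raw Integer to My_Index and indexes A with it.
   -- Two distinct checks apply: the range check on the conversion
   -- (1 .. 100) and the index check on A (1 .. 2).
   function Lookup (Raw : Integer) return My_Color is
      I : constant My_Index := My_Index (Raw);  -- Constraint_Error if Raw not in 1 .. 100
   begin
      return A (I);                              -- Constraint_Error if I not in 1 .. 2
   end Lookup;

   -- Uncommenting the next line would turn the index check off for this
   -- unit (the kind of thing done only after verification, as the text says):
   -- pragma Suppress (Index_Check);
begin
   for Raw of Inputs loop
      begin
         Put_Line ("A (" & Integer'Image (Raw) & " ) = " & My_Color'Image (Lookup (Raw)));
      exception
         when Constraint_Error =>
            -- The out-of-bounds access never reaches memory; the program
            -- sees an exception it can log and recover from.
            Put_Line ("rejected index" & Integer'Image (Raw) & ": Constraint_Error");
      end;
   end loop;
end Checked_Lookup;
```

Compiled with GNAT (`gnatmake checked_lookup.adb`), the first two inputs print a color and the remaining three are rejected. Note that the value 7 passes the conversion to `My_Index` but fails the index check on `A`, which is the distinction the comments in the article's snippet are making.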

The current (2012) version of Ada goes one step further in promoting reliability by introducing support for contract-based programming. The most common forms of contracts are subprogram preconditions and postconditions. These are Boolean expressions that serve as contracts between callers and callees that must be true before and after every call to the subprogram, respectively. Contracts are useful for developing safe and secure software for several reasons. First, they enhance the program’s readability and maintainability by supplying source-code documentation for a subprogram’s assumptions and guarantees. Second, they enhance testing because they can be checked at runtime.

procedure Increase (X : in out Integer) with
  Pre  => X <= Max,
  -- It is the responsibility of every caller of Increase to check that its argument is less than or equal to Max.
  Post => X > X’Old;
  -- It is the responsibility of Increase’s implementation to ensure that
  -- the returned value of X is strictly greater than its initial value.
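As an added example (not from the original article), here is the `Increase` contract with a body and a test driver. It assumes a constant `Max` (the article does not define one) and turns runtime contract checking on with `pragma Assertion_Policy (Check)`, so a caller that violates the precondition and an implementation that violates the postcondition each raise `Ada.Assertions.Assertion_Error`. The second, deliberately broken implementation `Bad_Increase` is a constructed illustration of how a postcondition catches a callee bug during testing.

```ada
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Assertions; use Ada.Assertions;
with Ada.Exceptions; use Ada.Exceptions;

procedure Contract_Demo is
   -- Check Pre/Post at run time even if the compiler's default would ignore them.
   pragma Assertion_Policy (Check);

   Max : constant Integer := 10;   -- assumed bound; the article leaves Max undefined

   procedure Increase (X : in out Integer) with
     Pre  => X <= Max,
     Post => X > X'Old;

   procedure Increase (X : in out Integer) is
   begin
      X := X + 1;
   end Increase;

   -- Same contract, wrong implementation: the postcondition reports it.
   procedure Bad_Increase (X : in out Integer) with
     Pre  => X <= Max,
     Post => X > X'Old;

   procedure Bad_Increase (X : in out Integer) is
   begin
      null;  -- forgot to change X
   end Bad_Increase;

   V : Integer;
begin
   V := 3;
   Increase (V);
   Put_Line ("Increase (3) =" & Integer'Image (V));   -- contract satisfied, V is 4

   V := Max + 1;
   begin
      Increase (V);         -- the caller broke the contract: precondition fails
   exception
      when E : Assertion_Error =>
         Put_Line ("precondition violated: " & Exception_Message (E));
   end;

   V := 3;
   begin
      Bad_Increase (V);     -- the callee broke the contract: postcondition fails
   exception
      when E : Assertion_Error =>
         Put_Line ("postcondition violated: " & Exception_Message (E));
   end;
end Contract_Demo;
```

The message text attached to the exception is compiler-specific (GNAT names the failed aspect and the source location), which is exactly the information a test run wants: which side of the contract was broken, and where.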

SPARK

SPARK, which is based on Ada, is also designed with safety, security, and reliability in mind, but it differs in that it supports formal verification as well. SPARK has evolved alongside Ada from its first version, SPARK 83, which was based on Ada 83 (where it included a stylized comment syntax for verification-related annotations that augmented a subset of Ada), to the current version, SPARK 2014.

This latest version is a subset of Ada 2012 (and uses the contract mechanism built into Ada) and allows several forms of static verification. In particular, software developers can specify how information should flow through the variables of a program and define functional properties of the program's behavior. All of these contracts, as well as the absence of runtime errors and exceptions, can be verified statically.

To achieve this goal, some features of Ada that are not easily amenable to formal verification have been excluded from SPARK. Most notably, the forbidden features include pointers (but addresses are allowed). This restriction is motivated by the heavy syntax that would be required for a verifiable program using pointers, as well as the difficulties of automatic verification of such programs.

SPARK is not only a subset of Ada; it also includes features specifically designed to support formal analysis. Among these are new kinds of contracts that enhance the user's ability to annotate code so that it can be formally verified. For example, SPARK defines contracts that describe which variables a subprogram uses, and how information flows between variables and subprograms:

procedure Swap_X_And_Y with
  Global  => (In_Out => (X, Y)),
  -- Swap_X_And_Y modifies the global variables X and Y.
  Depends => (X => Y, Y => X);
  -- The final value of X depends only on the initial value of Y
  -- and the final value of Y depends only on the initial value of X.

SPARK also allows the programmer to define a subprogram’s contract as a set of distinct cases, grouping values for which the subprogram should have the same behavior, in a manner similar to conventional test cases:

function Absolute_Value (X : Integer) return Natural with
  Pre => X /= Integer’First,
  -- Absolute_Value should not be called on the smallest value of Integer,
  -- since it would cause an overflow.
  Contract_Cases => (X < 0 => Absolute_Value’Result = -X,
                     X = 0 => Absolute_Value’Result = 0,
                     X > 0 => Absolute_Value’Result = X);
  -- Absolute_Value behaves differently on three domains of X.
  -- On negative values it returns the opposite, on 0 it returns 0,
  -- and on positive values it returns the same value as the input.
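The `Global`/`Depends` contract and the `Contract_Cases` contract above are shown on the page as specifications only. The following added example (not code from the original article or from AdaCore) puts both into one SPARK package with bodies, as a practitioner would hand to `gnatprove`. It assumes the globals `X` and `Y` are declared in the same package, and the parameter of `Absolute_Value` is renamed `N` so it does not hide the global `X`; the package name `Flow_Demo` and the file names are also assumptions. A spec and a body are two compilation units, so with GNAT they go in `flow_demo.ads` and `flow_demo.adb`.

```ada
-- flow_demo.ads
package Flow_Demo with SPARK_Mode is

   X, Y : Integer := 0;   -- the globals that Swap_X_And_Y is allowed to touch

   procedure Swap_X_And_Y with
     Global  => (In_Out => (X, Y)),
     Depends => (X => Y, Y => X),
     Post    => X = Y'Old and Y = X'Old;   -- functional property, proved statically

   function Absolute_Value (N : Integer) return Natural with
     Pre            => N /= Integer'First,
     Contract_Cases => (N < 0 => Absolute_Value'Result = -N,
                        N = 0 => Absolute_Value'Result = 0,
                        N > 0 => Absolute_Value'Result = N);

end Flow_Demo;

-- flow_demo.adb
package body Flow_Demo with SPARK_Mode is

   procedure Swap_X_And_Y is
      Tmp : constant Integer := X;
   begin
      X := Y;
      Y := Tmp;
      -- If this body also read some third global Z, flow analysis would
      -- reject it: Z is not listed in the Global aspect, so the information
      -- flow would not match the Depends contract.
   end Swap_X_And_Y;

   function Absolute_Value (N : Integer) return Natural is
   begin
      if N < 0 then
         return -N;   -- no overflow possible: the precondition excludes Integer'First
      else
         return N;
      end if;
   end Absolute_Value;

end Flow_Demo;
```

Running `gnatprove` on this package does two things the article describes: flow analysis checks the body of `Swap_X_And_Y` against `Global` and `Depends`, and proof discharges the `Post`, the three `Contract_Cases` (including that they are disjoint and complete), and the absence of overflow in `-N`. Dropping the `Pre` on `Absolute_Value` is a good experiment: the overflow check on `-N` for `N = Integer'First` then stops being provable.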

Using Ada with SPARK

Although technically Ada and SPARK are different languages, they work well together. SPARK's additional features use standard Ada syntax (pragmas, aspects, and attributes). Ada and SPARK can be mixed at a fine-grained level—the programmer can combine Ada and SPARK code in different packages or subprograms, or inside a single package or subprogram (for example, between a subprogram’s specification and its body, or between a package declaration’s visible and private parts). This mixing helps alleviate the SPARK language restrictions. For instance, the programmer can use full Ada in places where the flexibility of pointers is more important than the ability to formally verify behavior:

package Abstract_Pointer with SPARK_Mode is
   -- We are in SPARK
   type My_Pointer is private;
   -- Users of this package cannot see what My_Pointer is.
   -- They must use the subprograms to access its content.
   function Access_Pointer (P : My_Pointer) return Value;
   function Create_Pointer (V : Value) return My_Pointer;
private
   pragma SPARK_Mode (Off);
   -- We are now in Ada
   type My_Pointer is access all Value;
   -- My_Pointer is really a pointer!
end Abstract_Pointer;
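To make the mixing concrete, here is an added example (not from the original article or from AdaCore) that completes the `Abstract_Pointer` pattern: the package body, which does the actual allocation and dereference with `SPARK_Mode => Off`, and a SPARK client that can only create and read a `My_Pointer` through the two subprograms. The element type `Value` is not defined on the page and is assumed here to be a new integer type; the client name `Client` and the file names are likewise assumptions.

```ada
-- abstract_pointer.ads
package Abstract_Pointer with SPARK_Mode is
   type Value is new Integer;            -- assumed element type (not on the page)
   type My_Pointer is private;           -- opaque to SPARK clients
   function Access_Pointer (P : My_Pointer) return Value;
   function Create_Pointer (V : Value) return My_Pointer;
private
   pragma SPARK_Mode (Off);              -- the full view is hidden from proof
   type My_Pointer is access all Value;
end Abstract_Pointer;

-- abstract_pointer.adb
package body Abstract_Pointer with SPARK_Mode => Off is
   -- Full Ada here: dereferencing and allocation are not analyzed by gnatprove.
   function Access_Pointer (P : My_Pointer) return Value is
   begin
      return P.all;
   end Access_Pointer;

   function Create_Pointer (V : Value) return My_Pointer is
   begin
      return new Value'(V);
   end Create_Pointer;
end Abstract_Pointer;

-- client.adb
with Abstract_Pointer; use Abstract_Pointer;
with Ada.Text_IO;      use Ada.Text_IO;

procedure Client with SPARK_Mode is
   P : constant My_Pointer := Create_Pointer (42);
begin
   -- Only the package's subprograms are available on P in this unit;
   -- P.all or pointer arithmetic would not even compile here, since the
   -- full view of My_Pointer is private.
   Put_Line (Value'Image (Access_Pointer (P)));
end Client;
```

The division of labor is the one the article describes: the client and the package spec are analyzed by `gnatprove`, while the small, pointer-manipulating body is verified by the usual Ada means (compile-time checks, review and testing). Keeping that body short is what makes the trade-off acceptable.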

Ada and SPARK make an effective two-language team for writing safe, secure, and reliable software. SPARK adds static formal verification to the dynamic verification performed by Ada. The most critical parts of an application can be written in SPARK, allowing users to benefit from formal-verification techniques, while the full expressive power of Ada can be retained for those parts that require a more straightforward implementation.

In summary, Ada vs. SPARK is not a competition, but rather an effective and cooperative relationship: One language (Ada) offers strong features to provide confidence in reliability, safety, and security through traditional verification methods (testing and review), and a compatible language (SPARK) offers strong features to guarantee reliability, safety, and security with formal methods.
