Closing the Loop - Copyright © 2002 Praxis Critical Systems Limited
Peter Amey
Praxis Critical Systems
Closing the Loop: The Influence of Code Analysis on Design
SPARK Goals
• Precise static analysis
• Early use of static analysis
• Facilitated by:
  – an exact language
  – removal of ambiguous and erroneous constructs
  – annotations
Why Annotations?
• Annotations strengthen specifications
  – Ada separation of specifications/implementations too weak
• Allows analysis without access to implementations
  – which can be done early on during development
  – even before programs are complete or compilable
• Allows efficient detection of erroneous constructs
An example
procedure Inc (X : in out Integer);
--# global in out CallCount;

Detection of function side-effect:

function AddOne (X : Integer) return Integer is
   XLocal : Integer := X;
begin
   Inc (XLocal);
   return XLocal;
end AddOne;

Detection of aliasing:

Inc (CallCount);
procedure Swap(X, Y : in out T) is
begin
   Store.Put(X);
   X := Y;
   Y := Store.Get;
end Swap;
A Store Object
package Store
is
   procedure Put(X : in T);
   function Get return T;
end Store;
A Store Object
package Store
--# own State;
is
   procedure Put(X : in T);
   --# global out State;

   function Get return T;
   --# global State;
end Store;
procedure Swap(X, Y : in out T)
--# global out Store.State;
is
begin
   Store.Put(X);
   X := Y;
   Y := Store.Get;
end Swap;
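The three checks these slides illustrate (a function with a side effect, aliasing between an actual parameter and a callee's global, and the Store state that Swap reaches only through Put and Get) can be modelled with a small table of subprograms and their global annotations. The Python below is an added example, not code from the slides or from Praxis; it is a toy model of the Examiner's checks rather than the Examiner's own algorithm, and the subprogram table, including the constructed caller named Aliased and the annotated variant Swap_Annotated, is made up to mirror the slides.

```python
from dataclasses import dataclass, field


# Constructed model of the slide's subprograms; a toy version of the
# checks a SPARK Examiner performs, not the Examiner itself.
@dataclass
class Subprogram:
    name: str
    is_function: bool
    params: dict                    # formal name -> mode: "in", "out", "in out"
    globals_: dict                  # declared --# global annotation: name -> mode
    calls: list = field(default_factory=list)  # body as (callee, [actual names]), in order


def infer_globals(sub, table):
    """Global modes implied by the body, derived from the callees' annotations.

    The first access to a global decides whether the caller's initial value is
    seen (an import, "in") or overwritten first (an export, "out")."""
    inferred = {}
    for callee_name, _actuals in sub.calls:
        for g, mode in table[callee_name].globals_.items():
            reads = mode in ("in", "in out")
            writes = mode in ("out", "in out")
            prev = inferred.get(g)
            if prev is None:
                inferred[g] = "in out" if (reads and writes) else ("in" if reads else "out")
            elif prev == "in" and writes:
                inferred[g] = "in out"
            # "out" and "in out" are unchanged by later accesses: a later read
            # sees a value this subprogram wrote itself
    return inferred


def check(sub, table):
    """Return (inferred globals, list of error strings) for one subprogram."""
    inferred = infer_globals(sub, table)
    errors = []
    exported = [g for g, m in inferred.items() if m != "in"]
    if sub.is_function and exported:
        errors.append(f"{sub.name}: function has a side effect on {', '.join(exported)}")
    for callee_name, actuals in sub.calls:
        callee = table[callee_name]
        for actual in actuals:
            if actual in callee.globals_:
                errors.append(f"{sub.name}: aliasing, {actual} is passed to {callee_name} "
                              f"which also names it as a global")
    for g, mode in inferred.items():
        if g not in sub.globals_:
            errors.append(f"{sub.name}: global {g} is used ({mode}) but not declared")
    return inferred, errors


TABLE = {
    "Inc": Subprogram("Inc", False, {"X": "in out"}, {"CallCount": "in out"}),
    # function AddOne calls Inc, which updates CallCount: a hidden side effect
    "AddOne": Subprogram("AddOne", True, {"X": "in"}, {}, [("Inc", ["XLocal"])]),
    # Inc (CallCount): the actual parameter is also the callee's global (constructed caller)
    "Aliased": Subprogram("Aliased", False, {}, {"CallCount": "in out"}, [("Inc", ["CallCount"])]),
    "Store.Put": Subprogram("Store.Put", False, {"X": "in"}, {"Store.State": "out"}),
    "Store.Get": Subprogram("Store.Get", True, {}, {"Store.State": "in"}),
    # Swap without an annotation: the body reaches Store.State through Put and Get
    "Swap": Subprogram("Swap", False, {"X": "in out", "Y": "in out"}, {},
                       [("Store.Put", ["X"]), ("Store.Get", [])]),
    # Swap annotated as on the final Store slide: "out" because Put writes before Get reads
    "Swap_Annotated": Subprogram("Swap_Annotated", False, {"X": "in out", "Y": "in out"},
                                 {"Store.State": "out"},
                                 [("Store.Put", ["X"]), ("Store.Get", [])]),
}


if __name__ == "__main__":
    for name, sub in TABLE.items():
        inferred, errors = check(sub, TABLE)
        print(name, inferred, errors or "ok")
```

Run as a script it prints, for each subprogram, the globals its body implies and any errors. Swap without an annotation is reported as reaching Store.State undeclared; with `out Store.State` declared it passes, which is exactly the coupling the annotation makes visible at the specification.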
Object Oriented Design
• Encapsulation
• Abstraction
• Loose coupling
• Cohesion
• Hierarchy
SPARK can directly assist with achieving these design goals: e.g. Annotation size is a sensitive measure of coupling between objects.
INFORMED
Information flow oriented method for (object) design.
Principles
• Application-oriented annotations
• Careful selection of the SPARK boundary
• Minimised information flow
• Separation of the essential from the inessential
• Early use of static analysis
Design steps (simplified)
• Identification of system boundary, SPARK boundary and communication across them.
• Identification and location of system state.
• Handling initialization of state.
• Handling secondary considerations.
• Implementing object bodies.
System and SPARK Boundaries
• Identification of the System Boundary
  – identify the boundary of the system for which INFORMED is being used to provide the software.
  – identify the physical inputs and outputs of the system.
• Identification of the SPARK boundary
  – select a SPARK boundary within the overall system boundary
  – define boundary variables to give controlled interfaces across the SPARK boundary, annotated in problem domain terms.
  – consider adding boundary abstraction layers.
Parnas & Madey Model
[Diagram of the Parnas & Madey four-variable model: Environment → Input Devices → Software → Output Devices → Environment. Monitored Variables enter through IN as Input Data Items; SOFT produces Output Data Items, which leave through OUT as Controlled Variables.]
Identification and Localization of State
• What must be stored?
• Where should it be stored?
  – consider effect of choice on main program annotations
• How should it be stored?
  – variable package
  – instance of type package
  – concrete Ada variable
State Initialization
• Initialized prior to program execution
  – implicitly by environment
  – explicitly in package elaboration or declarations
• Initialized during program execution
  – by executable statement
Implementing Objects
• May identify sub-systems which can be tackled in the INFORMED way
• Otherwise essentially top-down refinement; but:
  – defer implementation using the hide directive
  – use the Examiner regularly
  – use annotations as a guide to partitioning.
INFORMED Components
[Diagram of the INFORMED component kinds: Main program, Variable package (ASM), Type package (ADT), Boundary variable.]
A Cycle Computer
[Picture of the display/control unit: Reset and Mode buttons, display showing 0 and AVE 13.6.]
The cycle computer consists of a display/control unit to mount on the handlebars of a bicycle and a sensor that detects each complete revolution of the front wheel.
The display unit shows the current instantaneous speed on a primary display and has a secondary display showing one of: total distance, distance since last reset, average speed and time since last reset.
The display/control unit has two buttons: the first clears the time, average speed and trip values; and the second switches between the various secondary display modes.
Unfortunately, but typically of many software projects, the hardware has already been designed:
There is a clock that provides a regular tick (but not time of day) and the sensor, a reed relay operated by a magnet on the bicycle wheel, provides a pulse each time the wheel completes a revolution.
Boundary Considerations
Identification of system boundary, selection of SPARK boundary and definition of boundary variables.
Implementation as Two SPARK Sub-systems
[Diagram: two SPARK sub-systems (SPARK sub-system one, SPARK sub-system two) sharing the Pulse Queue; components shown: Wheel pulse, Main, Pulse Queue, Displays, Controls, Clock.]
Boundary Variables and Abstractions
[Diagram: Main with boundary variables Pulse Queue, Clock, Secondary Display, Primary Display, Reset Button, Mode Button.]
Boundary Variables and Abstractions
[Diagram: Main with boundary abstractions Buttons (Reset, Mode) and Display (Secondary, Primary), plus Pulse Queue and Clock; picture of the unit showing 0 and AVE 13.6.]
Location of State
Where and how to store:
• wheel size
• total numbers of pulses received
• averages of pulse intervals
• clock values for stopwatch function
Location of State (1)
[Diagram: Main with Pulse Queue, Clock, Buttons (Reset, Mode) and Display (Secondary, Primary); a Wheel package is then added to hold the wheel size.]
Location of State (2)
[Diagram: as for Location of State (1), with Wheel present; a Pulse Count state is then added.]
Complete Design
[Diagram of the complete design: Main with Pulse Queue, Clock, Controls (Reset, Mode), Displays (Secondary, Primary), Wheel Size, SpeedsAverager, RollingJourney, Pulse Count.]
Complete Design
--# global in  Clock.State, Pulse_Queue.State, Buttons.State, Wheel.Size;
--#        out Display.State;
--# derives Display.State from Clock.State, Pulse_Queue.State,
--#                            Buttons.State, Wheel.Size;
[Diagram of the complete design (Main, Pulse Queue, Clock, Buttons, Display, Wheel, SpeedsAverager, RollingJourney, Pulse Count) with the main program's global and derives annotation shown.]
Design with unnecessary state
--# global in     Clock.State, Pulse_Queue.State, Buttons.State, Wheel.Size;
--#        out    Display.State;
--#        in out Pulse_Handler.State;
--# derives Display.State from Clock.State, Pulse_Queue.State,
--#                            Pulse_Handler.State, Buttons.State, Wheel.Size &
--#         Pulse_Handler.State from Pulse_Handler.State, Pulse_Queue.State,
--#                                  Buttons.State;
[Diagram of the same design with a Pulse Handler state package in place of Pulse Count (Main, Pulse Queue, Clock, Buttons, Display, Wheel, SpeedsAverager, RollingJourney, Pulse Handler).]
Conclusions
• Static analysis is not just a V&V activity:
  – early error detection saves money
  – analysis provides powerful design quality indicators
• Loose coupling is achieved by minimising information flow
  – SPARK annotations provide a sensitive measure of information flow
• Designs can be “re-factored” based on early analysis results
• Good design provides an on-going pay-off throughout the entire life of a system
Resources
• www.sparkada.com
• [email protected]
• Addison Wesley Longman, ISBN: 0-201-17517-7.