Implementation of blocking coordinated atomic actions based on forward error recovery

The coordinated atomic action concept was proposed as a means for providing fault tolerance in complex objectoriented systems that incorporate both cooperative and competitive concurrency. This paper has two purposes: to discuss a particular implementation of this concept and to address a number of the implementation issues that are common to any experiments with this concept. Our implementation relies on a detailed set of programming conventions for the standard Ada 95 language and uses a scheme of forward error recovery incorporating concurrent exception handling and resolution. Ada 95 has a number of unique features which make it a particularly good choice for our experiments. We believe that our approach is practical and useful for many critical applications with high dependability requirements.     

Evaluating the Expressive Power of the Real-Time Specification for Java*

The goal of this paper is to evaluate the real-time specification for Java proposal by performing several case studies. These case studies include: an extensible general resource controller; atomic action support infrastructure; unbounded and imprecise computations. They have been used previously by the Ada community to evaluate the efficacy of the Ada concurrency and real-time models. Our results indicate that the Real-Time Specification for Java is expressive enough to cope with the demands of real-time concurrent programming. If it can be implemented efficiently, it will provide an alternative to Ada 95 for programming real-time systems.     

Steps to an Advanced Ada1Programming Environment

Conceptual simplicity, tight coupling of tools, and effective support of host-target software development will characterize advanced Ada programming support environments. Several important principles have been demonstrated in the Arcturus system, including template-assisted Ada editing, command completion using Ada as a command language, and combining the advantages of interpretation and compilation. Other principles, relating to analysis, testing, and debugging of concurrent Ada programs, have appeared in other contexts. This paper discusses several of these topics, considers how they can be integrated, and argues for their inclusion in an environment appropriate for software development in the late 1980's.     

Specifying Ada server tasks with executable formal grammars

The author shows how a class of concurrent programming problems can be specified with formal grammars. These grammars, more powerful than path expressions, translate readily into Ada server tasks using the rendezvous and select-statement, though they may also be applied to other synchronization constructs. The grammars may be used to clarify informal specifications, to compare different specifications, and to analyze the behavior of implementations of such specifications. They may also be easily converted into Prolog programs that can be executed to generate the strings of events accepted by a grammar or by the Ada task being modeled. The automated translation from Ada to such grammars, and from grammatical specifications to Ada is discussed. The former facilitates the analysis of Ada programs; the latter yields Ada code of high quality     

关于Ada并发可重用软件包的设计

文中首先分析了一般Ａｄａ顺序可重用软件包在用于开发Ａｄａ并发软件时所存在的问题，然后给出了几种可以支持并发软件开发的Ａｄａ可重用软件包的实现方案，并同时指出了各种方案的不足及可取之处。     

Concurrent programming in the Ada® language: The polling bias

The rendezvous is an important concept in concurrent programming—two processes need to synchronize, i.e. rendezvous, to exchange information. The Ada programming language is the first programming language to use the rendezvous as the basis of its concurrent programming facilities. Our experience with rendezvous facilities in the Ada language shows that these facilities lead to and encourage the design of programs that poll. Polling is generally, but not always, undesirable because it is wasteful of system resources. We illustrate and examine the reasons for polling bias in the Ada language. We give suggestions on how to avoid polling programs, and suggest changes to the rendezvous facilities to eliminate the polling bias. The ramifications of these changes to the implementation of the Ada language are also discussed. Although we have focused on the rendezvous facilities in the Ada language our analysis is also applicable to other languages. A polling bias can occur in any concurrent programming language based on the rendezvous mechanism if it does not provide appropriate facilities.     

Ada95语言评述

Ａｄａ９５语言是在Ａｄａ８３基础上修订而成的，它几乎提供了现代程序设计范型及程序设计实践所需要的一切设施，它可以支持面向对象的程序设计、大型程序设计、实时与并行程序设计等等。     

Performance of multi-tasking and synchronization mechanisms in the programming language SR

High-level language primitives for concurrent programming exist in languages such as Ada and Modula-2. However, each of these languages provides only a single means for specifying multitasking and synchronization, essential in the implementation of concurrent systems. The SR language provides several mechanisms for specifying multi-tasking and synchronization, so it can be used to explore the performance of various communication techniques. This paper presents performance results for SR's multi-tasking and synchronization mechanisms and discusses the effects of the generated code, the run-time support and the hardware on these results. These results are compared with those for similar mechanisms in other languages, leading to some general conclusions about the performance of process communication primitives. These performance results can be used by programmers to make design choices that allow systems programs written in high-level languages to meet real-time performance specifications.     

A Framework for Software Fault Tolerance in Real-Time Systems

Real-time systems often have very high reliability requirements and are therefore prime candidates for the inclusion of fault tolerance techniques. In order to provide tolerance to software faults, some form of state restoration is usually advocated as a means of recovery. State restoration can be expensive and the cost is exacerbated for systems which utilize concurrent processes. The concurrency present in most real-time systems and the further difficulties introduced by timing constraints suggest that providing tolerance for software faults may be inordinately expensive or complex. We believe that this need not be the case, and propose a straightforward pragmatic approach to software fault tolerance'which is believed to be applicable to many real-time systems. The approach takes advantage of the structure of real-time systems to simplify error recovery, and a classification scheme for errors is introduced. Responses to each type of error are proposed which allow service to be maintained.     

Analyzing partially-implemented real-time systems

Most analysis methods for real-time systems assume that all the components of the system are at roughly the same stage of development and can be expressed in a single notation, such as a specification or programming language. There are, however, many situations in which developers would benefit from tools that could analyze partially-implemented systems: those for which some components are given only as high-level specifications while others are fully implemented in a programming language. In this paper, we propose a method for analyzing such partially-implemented real-time systems. We consider real-time concurrent systems for which some components are implemented in Ada and some are partially specified using regular expressions and graphical interval logic (GIL), a real-time temporal logic. We show how to construct models of the partially-implemented systems that account for such properties as run-time overhead and scheduling of processes, yet support tractable analysis of nontrivial programs. The approach can be fully automated, and we illustrate it by analyzing a small example     

Safety verification of Ada programs using software fault trees

The software fault-tree analysis technique is explained. It is then extended to allow its use on a more complex language involving such features as concurrency and exception handling. Ada is used as the example language because many safety-critical projects are using or planning to use Ada. It also contains complex, real-time programming facilities found in other languages used in these types of projects. Software fault-tree analysis uses failure-mode templates to generate the fault tree. The templates provided can be used to define the procedures for applying the technique to programs written in most other declarative languages. To explain the use of the templates an example Ada program, for a traffic-light-control system, is analyzed. The cost and practicality of the method and its implications for software reuse are assessed. The application of the safety analysis procedures to requirements modeling and specification languages is considered     

A complete axiomatic semantics of spawning

Summary In modern imperative languages there are two commonly occurring ways to activate concurrently running tasks,splitting (cobegin...coend) andspawning. The programming language Ada makes use of both forms of task activation. We present a formal system for verifying partial correctness specifications of Ada tasks activated by spawning. The system is based upon a view of tasks as histories of events. We show how the mindset of splitting may be applicable when developing a formal system for reasoning about spawning. The resultant proof system is compositional, and a robust extension of partial correctness proof systems for sequential constructs. A transition model is given for spawning, and the proof system is proven complete in the sense of Cook [10] relative to this model, under certain reasonable assumptions. The specific proof rules given apply to a subset of Ada without real-time and distributed termination. Our approach to task verification applies to other imperative languages besides Ada, and the essential parts of our methodology are applicable to other formal systems besides those based on partial correctness reasoning. Sigurd Meldal is professor of informatics at the University of Bergen. He is interested in techniques and tools based on formal methods for development of concurrent software. His current foci are the investigation of algebraic approaches to nondeterminism, and the participation in the design of a concurrent specification, prototyping and implementation language. The latter supplements formal proof with support for run time control of consistency between concurrent systems as specified and as implemented. Meldal received his cand. real. (1982) and dr. scient. (1986) degrees in informatics from the University of Oslo.This research was supported by a grant from the Norwegian Research Council for Science and the Humanities, by the Defense Advanced Research Projects Agency/Information Systems Technology Office under the office of Naval Research contract N00014-90-J1232, by the Air Force Office of Scientific Research under Grant AFOSR83-0255 and by a Fulbright Scholarship from the US Educational Foundation in Norway     

Achieving dependability throughout the development process: adistributed software experiment

Distributed software engineering techniques and methods for improving the specification and testing phases are considered. To examine these issues, an experiment was performed using the design diversity approach in the specification, design, implementation, and testing of distributed software. In the experiment, three diverse formal specifications were used to produce multiple independent implementations of a distributed communication protocol in Ada. The problems encountered in building complex concurrent processing systems in Ada were also studied. Many pitfalls were discovered in mapping the formal specifications into Ada implementations     

Ada programming language standardization

The need for software management and standardization of programming languages used in military systems was first identified by DoD in 1975. DoD at that time supported many limited use languages for what are now called embedded computer applications. This diversity of languages contributed to high software costs. In November 1976, DoD first established seven approved , , , -J3, -J73, , -2, -1. Eventually the number of approved DoD languages may be reduced to three, Ada, , and . Ada was established as Military Standard 1815, on 10 December 1980. The ANSI standardization process for Ada is in progress. The Ada concept places restrictions on what may be called an Ada compiler. Compilers may not be called Ada compilers until they have passed validation tests. Up to 80% of software costs are incurred after the software has been put into service. Ada can promote a programming style that leads to maintainable software. It is in the program maintenance phase of the software life cycle where large savings will be achieved through the use of Ada.     

Application-Level Fault Tolerance as a Complement to System-Level Fault Tolerance

As multiprocessor systems become more complex, their reliability will need to increase as well. In this paper we propose a novel technique which is applicable to a wide variety of distributed real-time systems, especially those exhibiting data parallelism. System-level fault tolerance involves reliability techniques incorporated within the system hardware and software whereas application-level fault tolerance involves reliability techniques incorporated within the application software. We assert that, for high reliability, a combination of system-level fault tolerance and application-level fault tolerance works best. In many systems, application-level fault tolerance can be used to bridge the gap when system-level fault tolerance alone does not provide the required reliability. We exemplify this with the RTHT target tracking benchmark and the ABF beamforming benchmark.     

Data abstraction in Modula-2

Data abstraction is one of the most fundamental principles of software engineering. The increasing realization of this is reflected in the design of programming languages, from the tentative user-defined data types of Pascal through to the more extensive facilities provided today by languages such as Ada and Modula-2.This tutorial paper examines how the data abstraction facilities provided by Modula-2 can be used in a sophisticated application. We demonstrate that data abstraction facilitates the production of code which is highly modularized, is easy to write and easy to read. The application, garbage collection, is an important part of system software, and is particularly interesting because it highlights the conflict between efficiency and expressive power. We show the extent to which a functional style of programming can be utilized in solving a problem which is inherently concerned with ‘state’, and we also show how formal semantics can be provided for the abstract data types.     

Ada-I:支持保护对象继承的Ada95扩充语言

面向对象并发程序设计语言能够帮助程序员利用面向对象技术编写并发程序,从而获得面向对象技术给软件开发带来的种种好处.然而,由于继承异常现象的存在,影响了并发程序设计语言引入继承特性.Ada95语言是支持并发程序设计的面向对象语言之一,但并不支持保护对象的继承.Ada-I语言在Ada95语言的基础上进行扩充,从而支持保护对象的继承,并且避免了继承异常现象的出现.     

软件容错：技术与展望

本文主要给出现有主流软件容错技术的一个综述。首先从传统软件容错技术开始，介绍设计多样性和数据多样性；然后介绍主流的软件容错新技术，如重配置与重恢复、指令复制错误探测、SWIFT等，同时，站在软件容错用于处理嵌入式系统硬件暂态故障的角度对这些技术进行了分析；最后在对它们比较的基础上探讨软件容错技术的可能发展方
向。     

Extending conventional languages by distributed/concurrent exception resolution

The state of art in handling and resolving concurrent exceptions is discussed and a brief outline of all research in this area is given. Our intention is to demonstrate that exception resolution is a very useful concept which facilitates joint forward error recovery in concurrent and distributed systems. To do this, several new arguments are considered. We understand resolution as reaching an agreement among cooperating participants of an atomic action. It is provided by the underlying system to make it unified and less error prone, which is important for forward error recovery, complex by nature. We classify atomic action schemes into asynchronous and synchronous ones and discuss exception handling for schemes of both kinds. The paper also deals with introducing atomic action schemes based on exception resolution into existing concurrent and distributed languages, which usually have only local exceptions. We outline the basic approach and demonstrate its applicability by showing how exception resolution can be used in Ada 83, Ada 95 (for both concurrent and distributed systems) and Java. A discussion of ways to make this concept more object-oriented and, with the help of reflection, more flexible and useful, concludes the paper.     

The concurrency models of Ada and occam—a practical comparison

A comparison of the concurrency models of Ada and occam is presented. This comparison is performed in terms of an Ada-to-occam compiler. A subset of the Ada programming language may be compiled allowing a study of how programs and algorithms expressed using the Ada concurrency model can be mapped to the occam concurrency model. The resultant occam code may then be executed on a transputer. This paper describes the Ada and occam concurrency models, highlights the major differences between them, discusses the problems encountered in trying to map concurrent Ada programs to equivalent occam programs as a result of these differences and explains how these problems were overcome in the present compiler.