The Safety-Critical Java Memory Model A Formal Account

Transcription

1 The Safety-Critical Java Memory Model A Formal Account Ana Cavalcanti Andy Wellings Jim Woodcock University of York IFIP WG 2.3, September / 24

2 Outline Safety-Critical Java (SCJ) Unifying theories of programming (UTP) Invariants in the UTP A theory for the Safety-Critical Java memory model Memory safety Programming variables and their values Conclusions 2 / 24

3 Safety-Critical Java two languages dominate high-integrity real-time systems safer C/C++ subsets little formal support Ada subsets: Spark, Ravenscar profile Spark Examiner new development: Safety-Critical Java international effort lead by the Open Group performed under Java Community Process based on RTSJ: Real-Time Specification for Java 3 / 24

4 Java all objects placed on heap, scanned by garbage collector method local variables stored in stack each thread of control has associated stack variables and object fields primitive or reference programmer doesn t need to worry about memory management 4 / 24

5 RTSJ regionalised memory areas for dynamic objects scoped and immortal memory object scopes depend on threads when supporting threads die, objects are collected immortal objects persist scope rules forbid dangling references rule violation is a run-time error programmer must place object in appropriate scope tool support required for efficiency and exception-freedom 5 / 24

6 SCJ restricts RTSJ use of the heap annotations for static memory-safety checking rules & tools by Tang, Plsek, Vitek non-trivial validation: e.g., overly restrictive rules independent correctness criteria required contributions? informal description: SCJ memory model rationale relational memory semantics starting point for program development technique 6 / 24

7 Safety-Critical Java Memory model safety-critical software spectrum single thread, single processor, simple timing constraint multi-thread, multi-mode, multi-processor three compliance levels level 1: roughly Ravenscar profile mission: bounded set of asynchronous event handlers (ASEHs) sequence of releases periodic: time triggered aperiodic: event triggered safety-critical programming no memory allocation during execution manual allocation too error-prone garbage collection too complex SCJ memory model safe, predictable dynamic memory management restricted scoped memory no garbage collection 7 / 24

8 Application structure Start MissionSequencer Halt Mission Selection Mission Initialisation Mission Execution Mision Cleanup 8 / 24

9 Scoped memory area Immortal lm Memory X X X Per Mission Memory (a Scoped Memory Area) X X X ASEH 1 Per Release Scoped Memory Per Release Scoped Memory Per Release Scoped Memory X Per Release Scoped Memory Temporary Private Scoped Memory ASEH2 ASEH3 Temporary Private Scoped Memory ASEH1 Thread Stacks (one per ASEH and one each for the mission sequencer and main program) Key: X Valid object references an illegal reference ASEH4. SCJ Memory Areas 9 / 24

10 hijac: High Integrity Java Applications in Circus Five-year project First effort to formalise the SCJ paradigm Highly constrained programming architecture Java is a vehicle Paradigm not identified Circus family: Z and CSP + time + object-orientation Semantic model: UTP 10 / 24

11 Unifying theories of programming Relational predicative model: alphabetised predicates Combination of paradigms Refinement Theories Observational variables (and their dashed counterparts) Healthiness conditions Relations: x > x Designs: (x > 0 x = x + 1) 11 / 24

12 Designs Theory Pre and postcondition specifications Observational variables: ok and ok (P Q) = (ok P ok Q) Design healthiness conditions H1 P = ok P H2 P = P ; J where J = (ok ok ) v = v Every design D can be written as ( D f D t ) D b = D[b/ok ] 12 / 24

13 Invariants in the UTP Operation invariants P Q Ψ OIH(Ψ) D = D (ok D f Ψ) State invariants (P ψ Q ψ ) ISH(ψ) D = D (ok D f ψ ok D t ) OSH(ψ) D = D (ok D f ψ ψ ) SIH(ψ) = ISH(ψ) OSH(ψ) 13 / 24

14 Type Definitions program, mission sequencer, event handlers: stacks of frames frames: execution context for methods variables: VName values are primitive values or references: Value = PValue Ref null: a primitive value Frame = VName Value mission handlers: HName 14 / 24

15 Type Definitions references in a frame: refsin F (f ) = ran(f Ref ) object values: OValue = VName Value memory contents: MAreaC = Ref OValue references to resident objects in a memory area: refsres(ma) = dom ma references in a memory area: refsin MA (ma) = { r : Ref r : refsres(ma) r ran(ma(r )) } profile maps resident references to their object fields profile : MAreaC (Ref F VName) profile(ma) = { r : dom ma r dom(ma(r)) } 15 / 24

16 A theory for the SCJ memory model Alphabet pstack, msstack : stack Frame handlers : F HName hstack : handlers stack Frame immortal, mission : MAreaC perr : handlers MAreaC tpriv : handlers stack MAreaC. Diagram Types Frame = VName Value MAreaC = Ref OValue 16 / 24

17 Healthiness conditions Objects only ever added to immortal memory HSCJ1 = OIH(profile(immortal) profile(immortal )) Program stack related to immortal memory HSCJ2 = SIH(refsIn(pStack) refsres(immortal)) Immortal memory is closed HSCJ3 = SIH(refsIn(immortal) refsres(immortal)) 17 / 24

18 Healthiness conditions Objects only ever added to immortal memory HSCJ1 = OIH(profile(immortal) profile(immortal )) Sequencer stack related to immortal and mission memory HSCJ4 = SIH(refsIn(msStack) refsres({immortal, mission})) Mission memory is closed HSCJ5 = SIH(refsIn(mission) refsres({immortal, mission})) 17 / 24

19 Healthiness conditions Similar for the other stacks and memory areas. Profile of mission, per release, and temporary private areas We cannot relate mission and mission, for instance. History variables Similar to timed model Memory areas are disjoint HSCJ9 = SIH disjoint refsres immortal, refsres mission seqpr(perr) seqtp(tpriv) seqpr(perr)/seqtp(tpriv): sequences of sets of references residing in per-release/temporary private memory 18 / 24

20 Memory safety s f 2 x r2 b r3 f 1 z 2 y r1 m 1 r2 m n r3 r4 m 2 r1 x r3 r3 u v null r5 r5 c 6 w r2. Stack-areas Example 19 / 24

21 Memory safety Regions and dangling references Frame = VName Value MAreaC = Ref OValue OValue = VName Value regionrefs(rs, mas) = ((( mas) o 9 ran) Ref ) ( rs ) regionframe(f, mas) = regionrefs(refsin F (f ), mas) region(sf, mas) = { f : sf regionframe(f, mas) } nodangref (sf, mas) = (region(sf, mas) refsres(mas)) r3 r2 r4 r1 r5 20 / 24

22 Memory safety Healthiness conditions HMS1 = SIH(noDangRef (pstack, {immortal})) HMS2 = SIH(noDangRef (msstack, {immortal, mission})) HMS3 = SIH( h : handlers nodangref (hstack(h), mas)) where mas = {immortal, mission, perr(h) } ran(tpriv(h)) Theorem: Every SCJ-healthy predicate is HMS-healthy 21 / 24

23 Programming variables and their values The AVS model A: valid addresses V : values of terminals S: sharing relation. Example Example: x Addresses: x, x.m, x.n, x.m.u, and so on. Values of terminals: x.m.u is null, x.m.v.c is 6, and so on. 22 / 24

24 Programming variables and their values Healthiness conditions HV1 = SIH( v : vars(pstack) v =!(v, pstack, {immortal})) ( v : vars(msstack) HV2 = SIH v =!(v, msstack, {immortal, mission}) ) HV3 = h : handlers ( v : vars(hstack h) ) SIH v, hstack h, v =! {immortal, mission, perr h} ran(tpriv h) 23 / 24

25 Conclusions and future work First formalisation of the SCJ memory model Essential ingredient for reasoning by refinement General results on UTP theories Future work Connections to other theories Extension to Circus Refinement laws and strategies 24 / 24