Part of the Lecture Notes in Computer Science (LNCS) book series, volume

Abstract

Software fault tree is a graphical analysis technique that is based on the concept of axiomatic verification. A template-based approach to software fault tree analysis was proposed for Ada83 programs. In the years since that approach was proposed, no noticeable extensions or revisions of the template-based software fault tree analysis have been published, while the target language itself has evolved into Ada. In this paper, we examine the validity of the original Ada83 analysis templates to determine which of them are still applicable to Ada95 programs, considering the major changes from Ada83 to Ada. In addition, we propose newly required templates as well as the necessary modifications of the original Ada83 templates in order to cope with the changes. We demonstrate the use of our proposed templates with an example program.
Published (last): 13 September 2016
Integer Types

An integer type definition defines an integer type whose set of values includes at least those of the specified range. Negative bounds are allowed. A type declaration of the form: type T is range L.. The elaboration of the declaration of an integer type consists of the elaboration of the equivalent type and subtype declarations. The range of each of these types must be symmetric about zero, excepting an extra negative value which may exist in some implementations.
The base type of each of these types is the type itself. Other integer types have no literals. The circumstances under which these implicit conversions are invoked are described in section 4. The same arithmetic operators are predefined for all integer types see 4.
MAX;

Notes: The name declared by an integer type declaration is a subtype name. The smallest (most negative) value supported by the predefined integer types of an implementation is the named number SYSTEM.
Style Guide references: 7.

Finally, for every discrete type or subtype T, the basic operations include the attributes listed below. In this presentation, T is referred to as being a subtype (the subtype T) for any property that depends on constraints imposed by T; other properties are stated in terms of the base type of T.
The first group of attributes yield characteristics of the subtype T. This group includes the attribute BASE see 3. Yields zero for a null range. All attributes of the second group are functions with a single parameter. The corresponding actual parameter is indicated below by X. The parameter X must be a value of the base type of T. The result is the position number of the value of the parameter.
The result type is the base type of T. The result is the value whose position number is one greater than that of X. The result is the value whose position number is one less than that of X. The result is the image of the value of X, that is, a sequence of characters representing the value in display form.
The image of an integer value is the corresponding decimal literal, without underlines, leading zeros, exponent, or trailing spaces, but with a single leading character that is either a minus sign or a space. The lower bound of the image is one. The image of an enumeration value is either the corresponding identifier in upper case or the corresponding character literal (including the two apostrophes); neither leading nor trailing spaces are included. Any leading and any trailing spaces of the sequence of characters that corresponds to the parameter are ignored.
For an enumeration type, if the sequence of characters has the syntax of an enumeration literal and if this literal exists for the base type of T, the result is the corresponding enumeration value. For an integer type, if the sequence of characters has the syntax of an integer literal, with an optional single leading character that is a plus or minus sign, and if there is a corresponding value in the base type of T, the result is this value.
Besides the basic operations, the operations of a discrete type include the predefined relational operators. For enumeration types, operations include enumeration literals.
For boolean types, operations include the predefined unary logical negation operator not, and the predefined logical operators. The operations of a subtype are the corresponding operations of its base type except for the following: assignment, membership tests, qualification, explicit type conversions, and the attributes of the first group; the effect of each of these operations depends on the subtype: assignments, membership tests, qualifications, and conversions involve a subtype check; attributes of the first group yield a characteristic of the subtype.
Real Types

Real types provide approximations to the real numbers, with relative bounds on errors for floating point types, and with absolute bounds for fixed point types. Error bounds on the predefined operations are given in terms of the model numbers. An implementation of the type must include at least these model numbers and represent them exactly. An implementation-dependent set of numbers, called the safe numbers, is also associated with each real type. The set of safe numbers of a real type must include at least the set of model numbers of the type.
The range of safe numbers is allowed to be larger than the range of model numbers, but error bounds on the predefined operations for safe numbers are given by the same rules as for model numbers. Safe numbers therefore provide guaranteed error bounds for operations on an implementation-dependent range of numbers; in contrast, the range of model numbers depends only on the real type definition and is therefore independent of the implementation.
Other real types have no literals. The conditions under which these implicit conversions are invoked are described in section 4. The elaboration of a real type definition includes the elaboration of the floating or fixed point constraint and creates a real type.

Note: An algorithm written to rely only upon the minimum numerical properties guaranteed by the type definition for model numbers will be portable without further precautions.

Style Guide references: 5.

Floating Point Types

For floating point types, the error bound is specified as a relative precision by giving the required minimum number of significant decimal digits.
This value must belong to some integer type and must be positive (nonzero); it is denoted by D in the remainder of this section. If the floating point constraint is used as a real type definition and includes a range constraint, then each bound of the range must be defined by a static expression of some real type, but the two bounds need not have the same real type.
The specified number D is the minimum number of decimal digits required after the point in the decimal mantissa (that is, if the radix is ten). The value of D in turn determines a corresponding number B that is the minimum number of binary digits required after the point in the binary mantissa (that is, if the radix is two).
The number B associated with D is the smallest value such that the relative precision of the binary form is no less than that specified for the decimal form. The guaranteed minimum accuracy of operations of a floating point type is defined in terms of the model numbers of the floating point constraint that forms the corresponding real type definition see 4.
The base type of each predefined floating point type is the type itself. The model numbers of each predefined floating point type are defined in terms of the number D of decimal digits returned by the attribute DIGITS see 3. For each predefined floating point type (consequently also for each type derived therefrom), a set of safe numbers is defined as follows.
The safe numbers have the same number B of mantissa digits as the model numbers of the type and have an exponent in the range -E.. Consequently, the safe numbers include the model numbers. The rules defining the accuracy of operations with model and safe numbers are given in section 4. The safe numbers of a subtype are those of its base type. A floating point type declaration of one of the two forms (that is, with or without the optional range constraint indicated by the square brackets): type T is digits D [range L..
R is supplied, then both L and R must belong to the range of safe numbers. The maximum number of digits that can be specified in a floating accuracy definition is given by the system-dependent named number SYSTEM. The elaboration of a floating point type declaration consists of the elaboration of the equivalent type and subtype declarations.
If a floating point constraint follows a type mark in a subtype indication, the type mark must denote a floating point type or subtype. The floating point constraint is compatible with the type mark only if the number D specified in the floating accuracy definition is not greater than the corresponding number D for the type or subtype denoted by the type mark. Furthermore, if the floating point constraint includes a range constraint, the floating point constraint is compatible with the type mark only if the range constraint is, itself, compatible with the type mark.
The elaboration of such a subtype indication includes the elaboration of the range constraint, if there is one; it creates a floating point subtype whose model numbers are defined by the corresponding floating accuracy definition. A value of a floating point type belongs to a floating point subtype if and only if it belongs to the range defined by the subtype.
The same arithmetic operators are predefined for all floating point types see 4. Notes: A range constraint is allowed in a floating point subtype indication, either directly after the type mark, or as part of a floating point constraint.
In either case the bounds of the range must belong to the base type of the type mark see 3. The imposition of a floating point constraint on a type mark in a subtype indication cannot reduce the allowed range of values unless it includes a range constraint (the range of model numbers that correspond to the specified number of digits can be smaller than the range of numbers of the type mark).
A value that belongs to a floating point subtype need not be a model number of the subtype. The largest model number for the type MASS is approximately 1. Consequently the declaration of this type is legal only if this upper bound is in the range of the safe numbers of a predefined floating point type having at least 7 digits of precision.
In addition, for every floating point type or subtype T, the basic operations include the attributes listed below. The attributes of this group are the attribute BASE see 3. This attribute yields the number D of section 3. This attribute yields the number B of section 3. This attribute yields the number E of section 3. Finally, for each floating point type there are machine-dependent attributes that are not related to model numbers and safe numbers. The operations of a subtype are the corresponding operations of the type except for the following: assignment, membership tests, qualification, explicit conversion, and the attributes of the first group; the effects of these operations are redefined in terms of the subtype.
References: abs operator, and 4.

Fixed Point Types

For fixed point types, the error bound is specified as an absolute value, called the delta of the fixed point type. This value must belong to some real type and must be positive (nonzero). If the fixed point constraint is used as a real type definition, then it must include a range constraint; each bound of the specified range must be defined by a static expression of some real type, but the two bounds need not have the same real type.
If the fixed point constraint is used in a subtype indication, the range constraint is optional. A canonical form is defined for any fixed point model number other than zero.
Alternatively, it is possible to specify the value of small by a length clause see The guaranteed minimum accuracy of operations of a fixed point type is defined in terms of the model numbers of the fixed point constraint that forms the corresponding real type definition see 4. For a fixed point constraint that includes a range constraint, the model numbers comprise zero and all multiples of small whose mantissa can be expressed using exactly B binary digits, where the value of B is chosen as the smallest integer number for which each bound of the specified range is either a model number or lies at most small distant from a model number.
For a fixed point constraint that does not include a range constraint (this is only allowed after a type mark, in a subtype indication), the model numbers are defined by the delta of the fixed accuracy definition and by the range of the subtype denoted by the type mark. An implementation must have at least one anonymous predefined fixed point type. The base type of each such fixed point type is the type itself. The model numbers of each predefined fixed point type comprise zero and all numbers for which the mantissa in the canonical form has the number of binary digits returned by the attribute MANTISSA, and for which the number small has the value returned by the attribute SMALL.
A fixed point type declaration of the form: type T is delta D range L.. The fixed point declaration is illegal if no predefined type satisfies these requirements.
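As an added example (not code from the LRM, from the paper, or from any Ada project), the following Ada 95 program declares one type of each category described in the Integer Types, Floating Point Types and Fixed Point Types paragraphs above, and exercises the IMAGE and VALUE attributes from the discrete-type paragraphs; the type and subprogram names are assumed here.

```ada
-- Added example: the three scalar categories described above, plus the
-- IMAGE/VALUE attributes. Sensor_Count, Mass, Volt and Parse_Count are
-- names invented for this example.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Scalar_Types_Demo is
   -- Integer type "type T is range L .. R": the base type may be wider,
   -- but assignment and conversion to Sensor_Count are subtype-checked.
   type Sensor_Count is range 0 .. 255;

   -- Floating point type: D = 7 decimal digits plus a range constraint.
   -- Legal only if 1.0E35 lies within the safe numbers of a predefined
   -- type with at least 7 digits (typically an IEEE double).
   type Mass is digits 7 range 0.0 .. 1.0E35;

   -- Fixed point type: the delta is an absolute error bound; the model
   -- numbers are multiples of 'Small, here the power of two 0.125.
   type Volt is delta 0.125 range 0.0 .. 255.0;

   -- 'Value ignores leading/trailing spaces and accepts an optional sign;
   -- text that is not an integer literal, or a value outside 0 .. 255,
   -- raises Constraint_Error (the latter on the subtype-checked return).
   function Parse_Count (S : String) return Sensor_Count is
   begin
      return Sensor_Count'Value (S);
   end Parse_Count;

   procedure Try (S : String) is
   begin
      -- 'Image yields a leading space (or minus sign), no leading zeros.
      Put_Line ("[" & S & "] -> [" & Sensor_Count'Image (Parse_Count (S)) & "]");
   exception
      when E : Constraint_Error =>
         Put_Line ("[" & S & "] rejected: " & Exception_Name (E));
   end Try;
begin
   Put_Line ("Mass'Digits =" & Integer'Image (Mass'Digits));
   Put_Line ("Volt'Small  =" & Volt'Image (Volt'Small));
   Put_Line ("Volt'Delta  =" & Volt'Image (Volt'Delta));
   Try ("  42 ");   -- spaces ignored: accepted as 42
   Try ("+7");      -- optional sign: accepted as 7
   Try ("300");     -- in the base type but outside 0 .. 255: rejected
   Try ("4 2");     -- not an integer literal: rejected
   Try ("0x2A");    -- Ada writes 16#2A#, not 0x: rejected
end Scalar_Types_Demo;
```

Compile with any Ada 95 compiler (for example gnatmake scalar_types_demo.adb); the three rejected inputs show why untrusted text should be parsed through a constrained subtype rather than the base type.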
Safety Verification of ADA95 Programs Using Software Fault Trees
Features

Ada was originally designed for embedded and real-time systems. Tucker Taft of Intermetrics, between and , improved support for systems, numerical, financial, and object-oriented programming (OOP). Features of Ada include: strong typing, modular programming mechanisms (packages), run-time checking, parallel processing (tasks), synchronous message passing, protected objects, and nondeterministic select statements, exception handling, and generics. Code blocks are delimited by words such as "declare", "begin", and "end", where the "end" in most cases is followed by the identifier of the block it closes e. In the case of conditional blocks this avoids a dangling else that could pair with the wrong nested if-expression in other languages like C or Java. Ada is designed for developing very large software systems.
ADA83 LRM PDF
Ada (programming language)
A single ; without a statement to terminate is not allowed. Ada does support a limited form of region-based memory management; also, creative use of storage pools can provide for a limited form of automatic garbage collection, since destroying a storage pool also destroys all the objects in the pool. This proposal was influenced by the programming language LIS that Ichbiah and his group had developed in the s. Ada package specifications (the package interface) can also be compiled separately without the implementation to check for consistency.