Materiality and Organizing

The Safety-Critical Java Memory ModelA Formal Account

Ana Cavalcanti Andy Wellings Jim Woodcock

University of York

IFIP WG 2.3, September 2011

1 / 24

Outline

Safety-Critical Java (SCJ)

Unifying theories of programming (UTP)

Invariants in the UTP

A theory for the Safety-Critical Java memory model

Memory safety

Programming variables and their values

Conclusions

2 / 24

Safety-Critical Java

◮ two languages dominate high-integrity real-time systemsI safer C/C++ subsets — little formal supportI Ada subsets: Spark, Ravenscar profile — Spark Examiner

◮ new development: Safety-Critical Java

◮ international effort lead by the Open Group

◮ performed under Java Community Process

◮ based on RTSJ: Real-Time Specification for Java

3 / 24

Java

◮ all objects placed on heap, scanned by garbage collector

◮ method local variables stored in stack

◮ each thread of control has associated stack

◮ variables and object fields primitive or reference

◮ programmer doesn’t need to worry about memorymanagement

4 / 24

RTSJ

◮ regionalised memory areas for dynamic objects

◮ scoped and immortal memory

◮ object scopes depend on threads

◮ when supporting threads die, objects are collected

◮ immortal objects persist

◮ scope rules forbid dangling references

◮ rule violation is a run-time error

◮ programmer must place object in appropriate scope

◮ tool support required for efficiency and exception-freedom

5 / 24

SCJ

◮ restricts RTSJ use of the heap

◮ annotations for static memory-safety checking

◮ rules & tools by Tang, Plsek, Vitek

◮ non-trivial validation: e.g., overly restrictive rules

◮ independent correctness criteria required◮ contributions?

I informal description: SCJ memory model rationaleI relational memory semanticsI starting point for program development technique

6 / 24

Safety-Critical Java Memory model

◮ safety-critical software spectrum◮ single thread, single processor, simple timing constraint◮ multi-thread, multi-mode, multi-processor◮ three compliance levels◮ level 1: roughly Ravenscar profile◮ mission: bounded set of asynchronous event handlers (ASEHs)◮ sequence of releases◮ periodic: time triggered◮ aperiodic: event triggered◮ safety-critical programming

I no memory allocation during executionI manual allocation too error-proneI garbage collection too complex

◮ SCJ memory modelI safe, predictable dynamic memory managementI restricted scoped memoryI no garbage collection

7 / 24

Application structure

MissionSequencerStart

MissionSelection

MissionInitialisation

MissionExecution

MisionCleanup

Halt

8 / 24

Scoped memory area

I t l MImmortal Memory

Per Mission Memory (a Scoped Memory Area)

X X

X

X

X X

X

Per

Release

Scoped

Per

Release

Scoped

Per

Release

Scoped

XPer

Release

ScopedASEH

1

Memory Memory

ASEH3

Memory

Temporary

Private

Memory

Temporary

ASEH2

Private

Scoped

Memory

Private

Scoped

Memory

ASEH4Valid

object

referencesKey:

Thread Stacks

(one per ASEH and one each

ASEH1

an illegal

referenceX

yfor the mission sequencer and

main program)



X X

X

X

X X

X

Per

Release

Scoped

Per

Release

Scoped

Per

Release

Scoped

XPer

Release

ScopedASEH

1

Memory Memory

ASEH3

Memory

Temporary

Private

Memory

Temporary

ASEH2

Private

Scoped

Memory

Private

Scoped

Memory

ASEH4Valid

object

referencesKey:

Thread Stacks


ASEH1

an illegal

referenceX


main program)



X X

X

X

X X

X

Per

Release

Scoped

Per

Release

Scoped

Per

Release

Scoped

XPer

Release

ScopedASEH

1

Memory Memory

ASEH3

Memory

Temporary

Private

Memory

Temporary

ASEH2

Private

Scoped

Memory

Private

Scoped

Memory

ASEH4Valid

object

referencesKey:

Thread Stacks


ASEH1

an illegal

referenceX


main program)



X X

X

X

X X

X

Per

Release

Scoped

Per

Release

Scoped

Per

Release

Scoped

XPer

Release

ScopedASEH

1

Memory Memory

ASEH3

Memory

Temporary

Private

Memory

Temporary

ASEH2

Private

Scoped

Memory

Private

Scoped

Memory

ASEH4Valid

object

referencesKey:

Thread Stacks


ASEH1

an illegal

referenceX


main program)

.. SCJ Memory Areas

9 / 24

hiJaC: High Integrity Java Applications in Circus

◮ Five-year project

◮ First effort to formalise the SCJ paradigm

◮ Highly constrained programming architecture

◮ Java is a vehicle

◮ Paradigm not identified

◮ Circus family: Z and CSP + time + object-orientation

◮ Semantic model: UTP

10 / 24

Unifying theories of programming

◮ Relational predicative model: alphabetised predicates

◮ Combination of paradigms

◮ Refinement

Theories

◮ Observational variables (and their dashed counterparts)

◮ Healthiness conditions

◮ Relations: x ′ > x

◮ Designs: (x > 0 ⊢ x ′ = x + 1)

11 / 24

Designs

Theory

◮ Pre and postcondition specifications

◮ Observational variables: ok and ok ′

◮ (P ⊢ Q) =̂ (ok ∧ P ⇒ ok ′ ∧ Q)

Design healthiness conditions

H1 P = ok ⇒ P

H2 P = P ; J where J =̂ (ok ⇒ ok ′) ∧ v ′ = v

Every design D can be written as (¬ D f ⊢ D t)

Db =̂ D [b/ok ′]

12 / 24

Invariants in the UTP

Operation invariants P ⊢ Q ∧ Ψ

OIH(Ψ) D = D ∧ (ok ∧ ¬ D f ⇒ Ψ)

State invariants (P ∧ ψ ⊢ Q ∧ ψ′)

ISH(ψ) D = D ∨ (ok ∧ ¬ D f ∧ ψ ⇒ ok ′ ∧ D t)

OSH(ψ) D = D ∧ (ok ∧ ¬ D f ∧ ψ ⇒ ψ′)

SIH(ψ) =̂ ISH(ψ) ◦ OSH(ψ)

13 / 24

Type Definitions

◮ program, mission sequencer, event handlers: stacks of frames

◮ frames: execution context for methods

◮ variables: VName

◮ values are primitive values or references:Value = PValue ∪ Ref

◮ null : a primitive value

◮ Frame = VName 7→ Value

◮ mission handlers: HName

14 / 24

Type Definitions

◮ references in a frame: refsInF (f ) = ran(f ◃ Ref )

◮ object values: OValue = VName 7→ Value

◮ memory contents: MAreaC = Ref 7→ OValue

◮ references to resident objects in a memory area:

refsRes(ma) = domma

◮ references in a memory area:

refsInMA(ma)= { r : Ref | ∃ r ′ : refsRes(ma) • r ∈ ran(ma(r ′)) }

◮ profile maps resident references to their object fields

◮ profile : MAreaC → (Ref 7→ FVName)

profile(ma) = { r : domma • r 7→ dom(ma(r)) }

15 / 24

A theory for the SCJ memory model

Alphabet

◮ pStack ,msStack : stackFrame

◮ handlers : FHName

◮ hStack : handlers → stackFrame

◮ immortal ,mission : MAreaC

◮ perR : handlers → MAreaC

◮ tPriv : handlers → stackMAreaC

.. Diagram

Types


◮ MAreaC = Ref 7→ OValue

16 / 24

Healthiness conditions

Objects only ever added to immortal memory

HSCJ1 =̂ OIH(profile(immortal) ⊆ profile(immortal ′))

Program stack related to immortal memory

HSCJ2 =̂ SIH(refsIn(pStack) ⊆ refsRes(immortal))

Immortal memory is closed

HSCJ3 =̂ SIH(refsIn(immortal) ⊆ refsRes(immortal))

17 / 24


Objects only ever added to immortal memory

HSCJ1 =̂ OIH(profile(immortal) ⊆ profile(immortal ′))

Sequencer stack related to immortal and mission memory

HSCJ4 =̂ SIH(refsIn(msStack) ⊆ refsRes({immortal ,mission}))

Mission memory is closed

HSCJ5 =̂ SIH(refsIn(mission) ⊆ refsRes({immortal ,mission}))

17 / 24


Similar for the other stacks and memory areas.Profile of mission, per release, and temporary private areas

◮ We cannot relate mission and mission ′, for instance.

◮ History variables

◮ Similar to timed model

Memory areas are disjoint

HSCJ9 =̂

SIH

disjoint

⟨refsRes immortal , refsRes mission⟩a seqPR(perR)a seqTP(tPriv)

◮ seqPR(perR)/seqTP(tPriv): sequences of sets of referencesresiding in per-release/temporary private memory

18 / 24

Memory safety

x r2

b r3

z 2

y r1

ff

f

1

2 x r2

b r3

2

y r1

ff

f

1

2

m r3

n r4

r2

m

1

1s

x r3r1

m2

u null

v r5

r3

c 6r5 w r2

.. Stack-areas Example

19 / 24

Memory safety

Regions and dangling references


◮ MAreaC = Ref 7→ OValue

◮ OValue = VName 7→ Value

regionRefs(rs,mas) = (((∪

mas) o9 ran)◃ Ref )∗(| rs |)

regionFrame(f ,mas) = regionRefs(refsInF (f ),mas)region(sf ,mas) =

∪{ f : sf • regionFrame(f ,mas) }

noDangRef (sf ,mas) = (region(sf ,mas) ⊆ refsRes(mas))

r1

r3r3

r2

r5

r4

20 / 24

Memory safety


HMS1 =̂ SIH(noDangRef (pStack , {immortal}))

HMS2 =̂ SIH(noDangRef (msStack , {immortal ,mission}))

HMS3 =̂ SIH(∀ h : handlers • noDangRef (hStack(h),mas))where mas = {immortal ,mission, perR(h) } ∪ ran(tPriv(h))

Theorem: Every SCJ-healthy predicate is HMS-healthy

21 / 24


The AVS model

◮ A: valid addresses

◮ V : values of terminals

◮ S : sharing relation

.. Example

Example: x

◮ Addresses: x , x .m, x .n, x .m.u, and so on.

◮ Values of terminals: x .m.u is null , x .m.v .c is 6, and so on.

22 / 24



HV1 =̂ SIH(∧

v : vars(pStack) • v = !(v , pStack , {immortal}))

HV2 =̂ SIH

( ∧v : vars(msStack) •v = !(v ,msStack , {immortal ,mission})

)HV3 =̂

SIH

∀ h : handlers •∧

v : vars(hStack h) •

v = !

(v , hStack h,{immortal ,mission, perR h} ∪ ran(tPriv h)

)

23 / 24

Conclusions and future work

◮ First formalisation of the SCJ memory model

◮ Essential ingredient for reasoning by refinement

◮ General results on UTP theories

Future work

◮ Connections to other theories

◮ Extension to Circus

◮ Refinement laws and strategies

24 / 24

Materiality and Organizing

Documents

Transcript of Materiality and Organizing