CVS difference for ais/ai-00249.txt

Differences between 1.3 and version 1.4
Log of other versions for file ais/ai-00249.txt

--- ais/ai-00249.txt	2001/05/26 02:55:11	1.3
+++ ais/ai-00249.txt	2001/07/14 00:01:48	1.4
@@ -1,4 +1,4 @@
-!standard D.2.2 (5)                                01-05-10  AI95-00249/02
+!standard D.2.2 (5)                                01-06-04  AI95-00249/03
 !standard D.7 (00)
 !class amendment 00-12-04
 !status work item 00-12-04
@@ -9,8 +9,9 @@
 
 !summary
 
-New pragmas and restrictions are proposed to directly support the
-Ravenscar Profile.
+New pragmas and restrictions are proposed to directly support the Ravenscar
+Profile -- an execution time profile suitable for use in High-Integrity and
+Safety-Critical applications.
 
 !problem
 
@@ -21,25 +22,33 @@
 !proposal
 
 This amendment proposes a pragma-based mechanism to allow the application to
-request use of the Ravenscar Profile. It proposes addition of a pragma
-to support the concept of a runtime profile. The amendment then proposes
-the runtime profile identifier "Ravenscar" to be defined in the standard
-and specifies its semantics.
-
-A runtime profile is an alternative mode of operation that is defined by
-the standard. It is selected by inclusion of the configuration pragma
-Runtime_Profile that applies to an active partition. The profile
-identifier "Ravenscar" selects the mode of operation to be the Ravenscar
-Profile.
+request use of the Ravenscar Profile. It proposes the addition of a pragma to
+support the concept of a runtime profile. The amendment then proposes the
+runtime profile identifier "Ravenscar" to be defined in the standard and
+specifies its semantics.
+
+The proposal also introduces several new restriction identifiers to define
+runtime behaviors that are to be restricted when using the Ravenscar profile.
+These identifiers may be used to specify runtime behavior which is independent
+of the Ravenscar definition.
+
+A runtime profile is an alternative mode of operation that is defined by the
+standard. It is selected by inclusion of the configuration pragma Profile that
+applies to an active partition. The profile identifier "Ravenscar" selects the
+mode of operation to be the Ravenscar Profile.
 
 !wording
 
 Static Semantics
-	pragma Runtime_Profile (profile_identifier [profile_argument_definition]);
+    pragma Profile (profile_identifier [profile_argument_definition]);
 
-The profile_identifier shall be either Ravenscar or an implementation-
-defined identifier.
+The profile_identifier shall be either Ravenscar or an implementation-defined
+identifier.
 
+Pragma Profile is a configuration pragma.  It is equivalent to the set of
+pragmas that are defined below.  There may be more than one pragma Profile for
+a partition.
+
 Dynamic Semantics
 
 When profile_identifier Ravenscar is in effect, the following dynamic
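Review bot: the syntax "pragma Profile (profile_identifier [profile_argument_definition]);" introduces profile_argument_definition but the wording never defines it, neither its syntax nor what it means for Ravenscar, so the optional argument should either be defined or dropped from this revision. The new sentence "There may be more than one pragma Profile for a partition" also leaves open what happens when two pragmas name different profiles or when the expanded sets of pragmas conflict (for example two Locking_Policy pragmas); one sentence saying that all such pragmas must name the same profile, or that conflicting expansions are illegal, would close that gap.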
@@ -52,15 +61,14 @@
 
 1.2. Locking Policy
 
-The default Locking_Policy for the active partition shall be
-Ceiling_Locking.
+The default Locking_Policy for the active partition shall be Ceiling_Locking.
 
-1.3. Restrictions Pragmas
+1.3. Restrictions Pragma
 
-1.3.1. Standard Pragmas
+1.3.1. Standard Identifiers
 
-The following pragma Restrictions identifiers defined in the standard
-apply to the alternative mode of operation defined by the Ravenscar Profile:
+The following pragma Restrictions identifiers defined in the standard apply to
+the alternative mode of operation defined by the Ravenscar Profile:
 
 	Max_Asynchronous_Select_Nesting => 0
 	Max_Task_Entries => 0
@@ -72,15 +80,19 @@
 	No_Task_Allocators
 	No_Task_Hierarchy
 
-1.3.2. New Pragmas
+1.3.2. New Identifiers
 
-The following new pragma Restrictions identifiers are defined as applying to
+The following new pragma Restrictions identifiers are defined and apply to
 the alternative mode of operation defined by the Ravenscar Profile:
 
-	Max_Entry_Queue_Depth = 1
-Max_Entry_Queue_Depth defines the maximum number of calls that are
-queued on a (protected) entry. Violation of this restriction results in the
-raising of Program_Error exception at the point of the call.
+	Max_Entry_Queue_Length = N
+Max_Entry_Queue_Length defines the maximum number N of calls that are queued on
+an entry. Violation of this restriction results in the raising of Program_Error
+exception at the point of the call.
+
+For the Ravenscar Profile, the value of N is 1.  Note that the affect of this
+restriction applies only to protected entry queues due to the accompanying
+restriction of Max_Task_Entries => 0.
 
 	No_Calendar
 There are no semantic dependencies on package Ada.Calendar.
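Review bot: "Max_Entry_Queue_Length = N" uses "=" where the standard identifiers in 1.3.1 use the pragma Restrictions argument form "=> 0" (Max_Asynchronous_Select_Nesting => 0, Max_Task_Entries => 0); writing "Max_Entry_Queue_Length => N" keeps the new identifier in the same syntax as the existing ones. In the following paragraph "the affect of this restriction" should be "the effect of this restriction", and "raising of Program_Error exception" would read better as "raising of Program_Error".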
@@ -94,66 +106,74 @@
 All protected objects are created via library-level declarations.
 
 	No_Protected_Type_Allocators
-There are no allocators for protected types or types containing
-protected type components.
+There are no allocators for protected types or types containing protected
+type components.
 
 	No_Relative_Delay
 Delay_relative statements are not allowed.
 
-	No_Requeue
+	No_Requeue_Statements
 Requeue statements are not allowed.
 
 	No_Select_Statements
 Select_statements are not allowed.
 
-	No_Task_Attributes
+	No_Task_Attributes_Package
 There are no semantic dependencies on package Ada.Task_Attributes.
 
-	Simple_Barrier_Variables
-The Boolean expression in an entry barrier shall be the value of a
-Boolean component of the enclosing protected object.
+	Simple_Barriers
+The Boolean expression in an entry barrier shall be be either a Boolean literal
+value or the value of a Boolean component of the enclosing protected object.
 
 1.4. Bounded Error Detection
 
 The bounded error that is the invocation of one of the following
-potentially blocking operations during a protected action shall be
-detected:
+potentially blocking operations during a protected action shall be detected:
 -	a protected entry_call_statement
 -	a delay_until_statement
--	a call to Ada.Synchronous_Task_Control.Suspend_Until_True
+-	a call to a language-defined subprogram that is potentially blocking,
+          for example Ada.Synchronous_Task_Control.Suspend_Until_True
+
+Notes
+(1) The Ravenscar Profile subset excludes the following potentially blocking
+    operations within a protected action:
+    - a select statement
+    - an accept statement
+    - a task entry call
+    - a relative delay statement
+    - an abort statement
+    - task creation or activation
+    - an external requeue statement with the same target object as that of
+      the protected action
 
-Note
+(2) Detection of these bounded error cases results in Program_Error being
+    raised (see 9.5.1(17)).
 
-Detection of these bounded error cases results in Program_Error being
-raised (see 9.5.1(17)).
+(3) Potentially blocking operations that occur in a foreign language domain
+    may not be detected.
 
 !example
 
 !discussion
 
-a) Pragma Runtime_Profile is presented as an "alternative" mode of
-operation rather than a "non-standard" mode as in section 1.5 since its
-inclusion in the standard makes it not non-standard. Other profiles may
-be defined by an implementation, for example to define the Spark subset,
-or to define variations of the Ravenscar definition such as
-Ravenscar_Non_Preemptive.
-
-b) The pragma No_Task_Hierarchy must impose the constraint that all
-tasks depend immediately on the Environment task as a result of all task
-objects being created by library level declarations. It is not clear
-whether the existing RM wording fully implies this. It is not
-sufficient to say that all tasks shall depend (directly or indirectly)
-on the Environment task since this presumably would include those
-declared inside library-level subprograms. What we want to restrict is
-having to support "masters" and "waiting for dependent tasks". This
-also matches the semantics for pragma No_Local_Protected_Objects.
-
-c) The restrictions forcing the maximum length of an entry queue to be
-one and the maximum number of entries to be one are there for
-deterministic operation of entry queue servicing and to simplify the
-runtime implementation. The semantics are intended to be consistent with
-those for blocking on a suspension object via
-Suspend_Until_True.
+a) Pragma Profile is presented as an "alternative" mode of operation rather
+than a "non-standard" mode as in section 1.1.5(11) since its inclusion in the
+Standard makes it not non-standard. Other profiles may be defined by an
+implementation, for example to define the Spark subset, or to define variations
+of the Ravenscar definition such as Ravenscar_Non_Preemptive.
+
+b) The pragma No_Task_Hierarchy must impose the constraint that all tasks
+depend directly on the Environment task as a result of all task objects being
+created by library level declarations. The restriction means that no support
+is needed for "masters" and "waiting for dependent tasks" even for tasks
+declared within the main subprogram. This also matches the semantics for
+pragma No_Local_Protected_Objects.
+
+c) The restrictions forcing the maximum length of an entry queue to be one and
+the maximum number of entries to be one are there for deterministic operation
+of entry queue servicing and to simplify the runtime implementation. The
+semantics are intended to be consistent with those for blocking on a
+suspension object via Suspend_Until_True.
 
 d) Static attachment of interrupt handlers via pragma Attach_Handler is
 supported.
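Review bot: the Simple_Barriers wording has a doubled word, "shall be be either a Boolean literal value", which should read "shall be either a Boolean literal value". In Note (3), "may not be detected" is ambiguous between permission and prohibition; since the intent is that detection is not required in a foreign language domain, "need not be detected" states that directly. Minor: the continuation line of the third bullet ("for example Ada.Synchronous_Task_Control.Suspend_Until_True") is indented with spaces while the bullets themselves use a tab, and the !example section remains empty.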
@@ -161,14 +181,13 @@
 e) No_Protected_Type_Allocators matches existing restriction
 No_Task_Allocators.
 
-f) No_Delay in H.4 is too strong for the Ravenscar Profile since we want
-to allow delay_until Ada.Real_Time.Time, but not relative delay (non-
+f) No_Delay in H.4 is too strong for the Ravenscar Profile since we want to
+allow delay_until Ada.Real_Time.Time, but not relative delay (non-
 deterministic) nor package Ada.Calendar (too coarse).
 
-g) No_Select_Statements excludes selective_accept (there are no task
-entries anyway), timed and conditional (protected) entry calls, and
-asynchronous_select (which is re-inforced by also requiring
-Max_Async_Select_Nesting = 0).
+g) No_Select_Statements excludes selective_accept (there are no task entries
+anyway), timed and conditional (protected) entry calls, and asynchronous_select
+(which is re-inforced by also requiring Max_Asynchronous_Select_Nesting = 0).
 
 !ACATS test
 
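Review bot: "re-inforced" in item g) should be "reinforced". In item f), the reflow still splits "non-deterministic" across a line break as "(non-" / "deterministic)"; since the paragraph was rewrapped anyway, keeping the hyphenated word on one line avoids it being read as two words. The !ACATS test section is still empty, which is expected for a work item but worth filling in before the AI moves beyond that status.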
