Version 1.3 of ais/ai-00265.txt
!standard D.2.2 (5) 02-09-05 AI95-00265/03
!standard D.7 (00)
!class amendment 01-05-10
!status work item 01-05-10
!status received 01-05-10
!subject Partition Elaboration Policy for High-Integrity Systems
A configuration pragma is proposed to select the partition elaboration policy.
This is in response to certification concerns about hazardous race conditions
that could occur due to tasks being activated prior to completion of the
library-level elaboration code.
There are determinism and hazard mitigation issues relating to task activation
and termination semantics for Safety-Critical and High-Integrity applications.
To satisfy the requirements of the Safety Critical and High-Integrity domains,
there is a need to define the behavior of program elaboration to be atomic;
that is, no interrupts are delivered and task activation shall be deferred
until the completion of all library-level elaboration code. This eliminates
all hazards that relate to tasks and interrupt handlers accessing global data
prior to it having been elaborated, without having to resort to potentially
complex elaboration order control. In some cases, it may be that the correct
sequential elaboration order of the library units conflicts with an order that
would need to be imposed to allow a task to use fully-elaborated global data
as part of execution of its elaboration code.
A proposed approach to addressing this concern is to introduce a configuration
pragma to define the partition elaboration policy.
The policy is selected by the configuration pragma
Partition_Elaboration_Policy. Two policy identifiers are defined by the
standard: Sequential and Concurrent. The default policy is Concurrent.
If Sequential is chosen then Restriction No_Task_Hierarchy must also
New section H.6:
H.6 Pragma Partition_Elaboration_Policy
The form of a pragma Partition_Elaboration_Policy is as follows:
pragma Partition_Elaboration_Policy ( <Policy_Identifier> );
The Policy_Identifier shall be either Sequential or Concurrent;
Concurrent is the default.
If the Policy_Identifier is Sequential then pragma
Restrictions (No_Task_Hierarchy) must have already been specified for
The pragma is a configuration pragma.
Partition_Elaboration_Policy => Sequential
With the Sequential value as the partition elaboration policy, all task
activation for library-level tasks, and all interrupt handler attachment for
library-level interrupt handlers is deferred. The deferred task activation and
handler attachment occurs immediately after the "begin" of the Environment task
(see 10.2 (6)). At this point, the Environment task is suspended until all
deferred task activation and handler attachment is complete.
In this mode of operation, it is a bounded error for the Environment task to
execute a potentially-blocking operation other than a delay statement or
task creation during its declarative part. Program_Error may be raised
by the call, or the active partition may deadlock.
In this mode of operation, if any deferred task activation fails then the
exception Tasking_Error is raised at the "begin" of the Environment task.
Since this is an implicit scope, it cannot declare any exception handlers, and
hence the Environment task and all tasks whose activations fail are terminated.
A task whose activation succeeds may continue to execute, or may instead become
immediately terminated (see 10.2 (30)), thereby completing execution of the
If the Environment task executes a potentially blocking operation that is
not a delay statement or task creation during its declarative part (prior
to activation of tasks and enabling of delivery of interrupts) then it is
recommended that the active partition be immediately terminated. However,
detection of this case may introduce distributed overhead in the runtime
execution, and so it is not mandated.
If any deferred task activation fails, it is recommended that the active
partition be immediately terminated to mitigate the hazard posed by continuing
execution with a subset of the tasks being active. However, detection of this
case may introduce distributed overhead in the runtime execution, and so it is
not mandated (see 10.2 (30)).
Partition_Elaboration_Policy => Concurrent
With the Concurrent value as the partition elaboration policy, the execution of
the declarative part of the Environment task is as defined by the standard mode
of operation with respect to task activation and interrupt handler attachment.
a) The Restriction No_Task_Hierarchy is needed to prevent deadlock.
b) Do we need to say what happens if an interrupt does occur during
[Editor's note: This originally was part of the Ravenscar proposal,