Version 1.1 of ais/ai-00305.txt


!standard D.7 (00)          02-07-17 AI95-00305/01
!class amendment 02-07-17
!status work item 02-07-17
!status received 02-07-17
!priority High
!difficulty Medium
!subject Additional Restrictions for Real-Time Systems
!summary
A new pragma and restrictions are proposed to directly support the Ravenscar Profile -- an execution time profile suitable for use in High-Integrity and Safety-Critical applications.
!problem
The Ravenscar Profile is commonly used in Safety-Critical and High-Integrity applications. However, the profile is incompletely supported by the standard, requiring users to fall back on vendor-specific extensions.
!proposal
This amendment introduces several new restriction identifiers that define the runtime behaviors to be restricted when using the Ravenscar profile. These identifiers may also be used to specify runtime behavior independently of the Ravenscar definition.
A new pragma is also defined to force an implementation to detect blocking within a protected operation.
!wording
The following new pragma Restrictions identifiers are defined and added to D.7:
Max_Entry_Queue_Length = N
Max_Entry_Queue_Length defines the maximum number N of calls that may be queued on an entry. Violation of this restriction results in Program_Error being raised at the point of the call.
No_Calendar
There are no semantic dependencies on package Ada.Calendar.
No_Dynamic_Attachment
There is no call to any of the operations defined in package Ada.Interrupts (Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler, Detach_Handler, Reference).
No_Local_Protected_Objects
All protected objects are created via library-level declarations.
No_Protected_Type_Allocators
There are no allocators for protected types or types containing protected type components.
No_Relative_Delay
Delay_relative statements are not allowed.
No_Requeue_Statements
Requeue statements are not allowed.
No_Select_Statements
Select_statements are not allowed.
No_Task_Attributes_Package
There are no semantic dependencies on package Ada.Task_Attributes.
Simple_Barriers
The Boolean expression in an entry barrier shall be either a Boolean literal value or the value of a Boolean component of the enclosing protected object.
The following pragma is defined in D.7:
Syntax
pragma Detect_Blocking;
Static Semantics
The pragma is a configuration pragma.
Post-Compilation Rules
An implementation is required to detect a potentially blocking operation within a protected operation, and to raise Program_Error as required under 9.5.1(17).
Implementation Permissions
An operation that causes a task to be blocked within a foreign language domain is not defined to be potentially blocking, and may not be detected.
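As an added illustration that is not part of this AI, the following Ada compilation applies the restriction identifiers and pragma Detect_Blocking defined above to a library-level protected object; the `=>` form is the pragma Restrictions argument syntax, and the Ravenscar_Mailbox package and its names are constructed for this example.

```ada
--  Constructed example: configuration pragmas first, then the units
--  they govern (GNAT users would normally place the pragmas in gnat.adc).
pragma Restrictions (No_Select_Statements);
pragma Restrictions (No_Requeue_Statements);
pragma Restrictions (No_Relative_Delay);
pragma Restrictions (No_Calendar);
pragma Restrictions (No_Local_Protected_Objects);
pragma Restrictions (No_Protected_Type_Allocators);
pragma Restrictions (No_Task_Attributes_Package);
pragma Restrictions (No_Dynamic_Attachment);
pragma Restrictions (Simple_Barriers);
pragma Restrictions (Max_Entry_Queue_Length => 1);
pragma Detect_Blocking;

package Ravenscar_Mailbox is

   --  Declared at library level, so No_Local_Protected_Objects holds;
   --  no allocator is ever used, so No_Protected_Type_Allocators holds.
   protected Mailbox is
      entry Receive (Item : out Integer);
      procedure Send (Item : in Integer);
   private
      Buffer : Integer := 0;
      Full   : Boolean := False;  --  the only thing the barrier may test
   end Mailbox;

end Ravenscar_Mailbox;

package body Ravenscar_Mailbox is

   protected body Mailbox is

      --  Simple_Barriers: "when Full" names a Boolean component.  A barrier
      --  such as "when Buffer > 0" would violate the restriction.
      --  Max_Entry_Queue_Length => 1: a second task calling Receive while
      --  one is already queued gets Program_Error at the point of the call.
      entry Receive (Item : out Integer) when Full is
      begin
         Item := Buffer;
         Full := False;
      end Receive;

      --  Detect_Blocking: a delay statement or an entry call placed here
      --  is potentially blocking (9.5.1) and must raise Program_Error.
      procedure Send (Item : in Integer) is
      begin
         Buffer := Item;
         Full := True;
      end Send;

   end Mailbox;

end Ravenscar_Mailbox;
```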
!example
!discussion
a) The pragma No_Task_Hierarchy must impose the constraint that all tasks depend directly on the Environment task as a result of all task objects being created by library-level declarations. The restriction means that no support is needed for "masters" and "waiting for dependent tasks", even for tasks declared within the main subprogram. This also matches the semantics of pragma No_Local_Protected_Objects.
b) No_Protected_Type_Allocators matches the existing restriction No_Task_Allocators.
c) No_Delay in H.4 is too strong for the Ravenscar Profile, since we want to allow delay_until Ada.Real_Time.Time but not relative delay (non-deterministic) nor package Ada.Calendar (too coarse).
d) No_Select_Statements excludes selective_accept, timed and conditional (protected) entry calls, and asynchronous_select.
!ACATS test
!appendix

Editor's Note: This AI was split out of the Ravenscar AI, AI-249.

****************************************************************
