Version 1.1 of ais/ai-00305.txt

Unformatted version of ais/ai-00305.txt version 1.1
Other versions for file ais/ai-00305.txt

!standard D.7 (00)          02-07-17 AI95-00305/01
!class amendment 02-07-17
!status work item 02-07-17
!status received 02-07-17
!priority High
!difficulty Medium
!subject Additional Restrictions for Real-Time Systems
A new pragma and restrictions are proposed to directly support the Ravenscar Profile -- an execution time profile suitable for use in High-Integrity and Safety-Critical applications.
The Ravenscar Profile is commonly used in Safety-Critical and High-Integrity applications. However, the profile is incompletely supported by the standard, requiring users to fall back on vendor-specific extensions.
This amendment introduces several new restriction identifiers to define runtime behaviors that are to be restricted when using the Ravenscar profile. These identifiers may be used to specify runtime behavior which is independent of the Ravenscar definition.
A new pragam is also defined to force an implementation to detect blocking within a protected operation.
The following new pragma Restrictions identifiers are defined and added to D.7:
Max_Entry_Queue_Length = N
Max_Entry_Queue_Length defines the maximum number N of calls that are queued on an entry. Violation of this restriction results in the raising of Program_Error exception at the point of the call.
There are no semantic dependencies on package Ada.Calendar.
There is no call to any of the operations defined in package Ada.Interrupts (Is_Reserved, Is_Attached, Current_Handler, Attach_Handler, Exchange_Handler, Detach_Handler, Reference).
All protected objects are created via library-level declarations.
There are no allocators for protected types or types containing protected type components.
Delay_relative statements are not allowed.
Requeue statements are not allowed.
Select_statements are not allowed.
There are no semantic dependencies on package Ada.Task_Attributes.
The Boolean expression in an entry barrier shall be either a Boolean literal value or the value of a Boolean component of the enclosing protected object.
The following pragma is defined in D.7:
pragma Detect_Blocking;
Static Semantics
The pragma is a configuration pragma.
Post-Compilation Rules
An implementation is required to detect a potentially blocking operation within a protected operation, and to raise Program_Error as required under 9.5.1(17).
Implementation Permissions
An operation that causes a task to be blocked within a foreign language domain is not defined to be potentially blocking, and may not be detected.
a) The pragma No_Task_Hierarchy must impose the constraint that all tasks depend directly on the Environment task as a result of all task objects being created by library level declarations. The restriction means that no support is needed for "masters" and "waiting for dependent tasks" even for tasks declared within the main subprogram. This also matches the semantics for pragma No_Local_Protected_Objects.
b) No_Protected_Type_Allocators matches the existing restriction No_Task_Allocators.
c) No_Delay in H.4 is too strong for the Ravenscar Profile since we want to allow delay_until Ada.Real_Time.Time, but not relative delay (non- deterministic) nor package Ada.Calendar (too coarse).
d) No_Select_Statements excludes selective_accept, timed and conditional (protected) entry calls, and asynchronous_select.
!ACATS test

Editor's Note: This AI was split out of the Ravenscar AI, AI-249.


Questions? Ask the ACAA Technical Agent