Version 1.2 of ais/ai-00305.txt
!standard D.7 (00) 02-09-02 AI95-00305/02
!class amendment 02-07-17
!status work item 02-07-17
!status received 02-07-17
!subject New pragma and additional restriction identifiers for Real-Time Systems
!summary
A new pragma and restrictions are proposed to enhance the ability to
create highly-efficient and predictable tasking runtime systems.
!problem
Experience constructing the "highly efficient tasking runtime systems"
of D.7 has shown that the set of restrictions is insufficient. In particular,
the Ravenscar Profile is commonly used in Safety-Critical and High-Integrity
applications to provide a highly efficient tasking runtime. However, the
profile requires restrictions beyond those defined by the Standard,
requiring users to fall back on vendor-defined extensions.
!proposal
This amendment introduces several new restriction identifiers that define
runtime behaviors to be restricted when using the Ravenscar profile.
These identifiers may also be used on their own, independently of the
Ravenscar definition, to specify runtime behavior.
A new pragma is also defined to force an implementation to detect blocking
within a protected operation.
!wording
The following new static restriction_identifiers are defined and
inserted after D.7(10):
There are no semantic dependencies on package Ada.Calendar.
There is no call to any of the operations defined in package
Ada.Interrupts (Is_Reserved, Is_Attached, Current_Handler,
Attach_Handler, Exchange_Handler, Detach_Handler, Reference).
All protected objects are created via library-level declarations.
There are no allocators for protected types or types containing
protected type components.
Delay_relative statements are not allowed.
Requeue statements are not allowed.
Select_statements are not allowed.
There are no semantic dependencies on package Ada.Task_Attributes.
The Boolean expression in an entry barrier shall be either a
Boolean literal value or the value of a Boolean component
of the enclosing protected object.
The following new dynamic restriction_identifier is defined and
All tasks are non-terminating. An implementation must define what
happens if a task attempts to terminate.
The following new dynamic restriction_parameter_identifier is defined and
inserted after D.7(19/1):
Max_Entry_Queue_Length defines the maximum number of calls
that may be queued on an entry. Violation of this restriction
results in Program_Error being raised at the point of the call.
The following pragma is defined as a new subsection H.5:
H.5 Pragma Detect_Blocking
The following pragma forces an implementation to detect potentially
blocking operations within a protected operation.
The form of a pragma Detect_Blocking is as follows:
The pragma is a configuration pragma.
An implementation is required to detect a potentially blocking
operation within a protected operation, and to raise Program_Error
as required under 9.5.1(17).
An operation that causes a task to be blocked within a foreign language
domain is not defined to be potentially blocking, and need not be detected.
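As an added illustration (not part of this AI's text), the following Ada units show a library-level protected object whose barrier is a Boolean component, compiled under the proposed pragma Detect_Blocking together with two of the restriction identifiers named on this page (No_Select_Statements, Max_Entry_Queue_Length). The package and procedure names, and the use of a delay_statement as the potentially blocking operation, are assumptions for the example; the behaviour shown is what 9.5.1(17) requires once detection is mandated.

```ada
-- Configuration pragmas as proposed in H.5 and D.7; in a real project they
-- would normally live in a configuration file rather than a unit file.
pragma Detect_Blocking;
pragma Restrictions (No_Select_Statements, Max_Entry_Queue_Length => 1);

package Flags is
   -- Library-level protected object (example name; constructed for this
   -- illustration). The barrier uses a Boolean component only, as the
   -- proposed barrier restriction requires.
   protected Flag is
      entry Wait;           -- opens when Ready is True
      procedure Signal;
      procedure Bad_Call;   -- deliberately performs a blocking operation
   private
      Ready : Boolean := False;
   end Flag;
end Flags;

package body Flags is
   protected body Flag is
      entry Wait when Ready is
      begin
         Ready := False;
      end Wait;

      procedure Signal is
      begin
         Ready := True;
      end Signal;

      procedure Bad_Call is
      begin
         -- A delay_statement is potentially blocking (9.5.1); under
         -- Detect_Blocking the implementation must raise Program_Error.
         delay 0.0;
      end Bad_Call;
   end Flag;
end Flags;

with Ada.Text_IO, Flags;
procedure Demo is
begin
   Flags.Flag.Signal;
   Flags.Flag.Wait;          -- barrier is open, so this returns at once
   begin
      Flags.Flag.Bad_Call;   -- detected rather than silently deadlocking
   exception
      when Program_Error =>
         Ada.Text_IO.Put_Line ("blocking inside a protected action detected");
   end;
end Demo;
```

With GNAT the three units can be split into separate files with gnatchop before building.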
!discussion
a) The pragma No_Task_Hierarchy must impose the constraint that all tasks
depend directly on the environment task as a result of all task objects being
created by library-level declarations. The restriction means that no support
is needed for "masters" and "waiting for dependent tasks". This also matches
the semantics for pragma No_Local_Protected_Objects.
b) No_Protected_Type_Allocators matches the existing restriction
c) No_Delay in H.4 is too strong for the Ravenscar Profile since we want to
allow delay_until Ada.Real_Time.Time, but not relative delay (non-
deterministic) nor package Ada.Calendar (too coarse).
d) No_Select_Statements excludes selective_accept, timed and
conditional (protected) entry calls, and asynchronous_select.
e) Some restriction identifiers concerning tasking are actually defined in
H.4. For reasons of minimum change it is not proposed to move them.
Editor's Note: This AI was split out of the Ravenscar AI, AI-249.