Ravenscar - program termination

Ravenscar - program termination

[Maciej Sobczak]

Hi,

The N442 document states that Ravenscar profile forbids task termination.
I understand that task termination is the fact of a task finishing its 
job and completing.

Do I understand correctly that Ravenscar programs are by definition 
running forever? What about programs that are expected to finish?


-- 
Maciej Sobczak : http://www.msobczak.com/
Programming    : http://www.msobczak.com/prog/

Re: Ravenscar - program termination

[Ludovic Brenta]

Maciej Sobczak writes:
> The N442 document states that Ravenscar profile forbids task termination.
> I understand that task termination is the fact of a task finishing its
> job and completing.
>
> Do I understand correctly that Ravenscar programs are by definition
> running forever? What about programs that are expected to finish?

Yes, it is my understanding as well, and I'm happy with that.

    I remember being impressed with Ada because you could write an
    infinite loop without a faked up condition. The idea being that in
    Ada the typical infinite loop would normally be terminated by
    detonation.  -- Larry Wall

The Ravenscar profile is specifically targeted at high-integrity
systems, where infinite loops are, I think, the norm.

-- 
Ludovic Brenta.

Re: Ravenscar - program termination

[Maciej Sobczak]

Ludovic Brenta wrote:

>> Do I understand correctly that Ravenscar programs are by definition
>> running forever? What about programs that are expected to finish?
> 
> Yes, it is my understanding as well, and I'm happy with that.
> 
>     I remember being impressed with Ada because you could write an
>     infinite loop without a faked up condition. The idea being that in
>     Ada the typical infinite loop would normally be terminated by
>     detonation.  -- Larry Wall

:-)

> The Ravenscar profile is specifically targeted at high-integrity
> systems, where infinite loops are, I think, the norm.

Sorry, but I don't see anything in the concept of high-integrity 
software that would make it a norm. High-integrity software is a set of 
quality objectives, whereas infinite loops are (or aren't) part of 
system requirements. These should stay independent, even though I 
understand that expectations for both often come in pairs.

OK, just nit-picking. ;-)
I wanted to be sure that I understand it correctly, thanks.
Still, it looks like I cannot say:

pragma Profile(Ravenscar);

in my Hello World program even though this program meets the objectives 
of the profile. That's not fair! :-)

-- 
Maciej Sobczak : http://www.msobczak.com/
Programming    : http://www.msobczak.com/prog/

Re: Ravenscar - program termination

[Markus E Leypold]

Maciej Sobczak <no.spam@no.spam.com> writes:

> Ludovic Brenta wrote:
>
>>> Do I understand correctly that Ravenscar programs are by definition
>>> running forever? What about programs that are expected to finish?
>> Yes, it is my understanding as well, and I'm happy with that.
>>     I remember being impressed with Ada because you could write an
>>     infinite loop without a faked up condition. The idea being that in
>>     Ada the typical infinite loop would normally be terminated by
>>     detonation.  -- Larry Wall
>
> :-)
>
>> The Ravenscar profile is specifically targeted at high-integrity
>> systems, where infinite loops are, I think, the norm.
>
> Sorry, but I don't see anything in the concept of high-integrity
> software that would make it a norm. High-integrity software is a set
> of quality objectives, whereas infinite loops are (or aren't) part of
> system requirements. These should stay independent, even though I
> understand that expectations for both often come in pairs.
>
> OK, just nit-picking. ;-)
> I wanted to be sure that I understand it correctly, thanks.
> Still, it looks like I cannot say:
>
> pragma Profile(Ravenscar);
>
> in my Hello World program even though this program meets the
> objectives of the profile. That's not fair! :-)

Well, it terminates. What does termination mean in a "high integrity"
embedded system -- does the hardware go away? :-). I think if someone
wants to shutdown such a system the thing happening is, that every
task goes into idle mode and the last thing a controlling task does,
is, to display (or otherwise indicate) "you may now shut off power,
the countdown to eject the warp core has been stopped" or something
like this.

:-)

Regards -- Markus

Re: Ravenscar - program termination

[matteo.bordin]

> Sorry, but I don't see anything in the concept of high-integrity
> software that would make it a norm. High-integrity software is a set of
> quality objectives, whereas infinite loops are (or aren't) part of
> system requirements. These should stay independent, even though I
> understand that expectations for both often come in pairs.

The Ravenscar profile is aimed to high-integrity real-time systems. A 
static set of working tasks
is a requirement to perform sound feasibility analysis (at least 
within a given execution mode).

> Still, it looks like I cannot say:
>
> pragma Profile(Ravenscar);
>
> in my Hello World program even though this program meets the objectives
> of the profile. That's not fair! :-)

On real-time kernels supporting the Ravenscar profile, even the main 
procedure must contain an infinite loop.

Regards,

M.B.

Re: Ravenscar - program termination

[Jeffrey R. Carter]

Markus E Leypold wrote:
> 
> Well, it terminates. What does termination mean in a "high integrity"
> embedded system -- does the hardware go away? :-). I think if someone
> wants to shutdown such a system the thing happening is, that every
> task goes into idle mode and the last thing a controlling task does,
> is, to display (or otherwise indicate) "you may now shut off power,
> the countdown to eject the warp core has been stopped" or something
> like this.

Termination in an embedded system often means the processor no longer 
has power :)

-- 
Jeff Carter
"I soiled my armor, I was so scared."
Monty Python & the Holy Grail
71

Re: Ravenscar - program termination

[Niklas Holsti]

matteo.bordin@gmail.com wrote:
   [ snip ]
> On real-time kernels supporting the Ravenscar profile, even the main 
> procedure must contain an infinite loop.

I don't think that is an Ada requirement. As I understand it, under the 
Ravenscar profile the environment task is the master of all application 
tasks, so it will await their termination; since they never terminate, 
neither does the environment task (RM 2005 10.2(25)), even if the main 
procedure terminates and returns to the body of the environment task.

I have seen a Ravenscar Ada implementation that requires the main 
procedure to end with an infinite loop, but I think that is a 
non-standard requirement. A trivial one, of course.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
       .      @       .

Re: Ravenscar - program termination

[Robert A Duff]

Niklas Holsti <niklas.holsti@nospam.please> writes:

> matteo.bordin@gmail.com wrote:
>   [ snip ]
>> On real-time kernels supporting the Ravenscar profile, even the main
>> procedure must contain an infinite loop.
>
> I don't think that is an Ada requirement. As I understand it, under the
> Ravenscar profile the environment task is the master of all application
> tasks, so it will await their termination; since they never terminate,
> neither does the environment task (RM 2005 10.2(25)), even if the main
> procedure terminates and returns to the body of the environment task.

Then what would happen if there were no tasks other than the environment
task?

> I have seen a Ravenscar Ada implementation that requires the main
> procedure to end with an infinite loop, but I think that is a
> non-standard requirement.

Why so?  The RM wording says "all tasks", and that includes the env
task.

- Bob

Re: Ravenscar - program termination

[Niklas Holsti]

Robert A Duff wrote:
> Niklas Holsti <niklas.holsti@nospam.please> writes:
> 
> 
>>matteo.bordin@gmail.com wrote:
>>  [ snip ]
>>
>>>On real-time kernels supporting the Ravenscar profile, even the main
>>>procedure must contain an infinite loop.
>>
>>I don't think that is an Ada requirement. As I understand it, under the
>>Ravenscar profile the environment task is the master of all application
>>tasks, so it will await their termination; since they never terminate,
>>neither does the environment task (RM 2005 10.2(25)), even if the main
>>procedure terminates and returns to the body of the environment task.
> 
> 
> Then what would happen if there were no tasks other than the environment
> task?

OK, good point. If a Ravenscar program has no tasks (other than the 
environment task) then the main procedure must not terminate, agreed. 
(Also there must *be* a main procedure.)

>>I have seen a Ravenscar Ada implementation that requires the main
>>procedure to end with an infinite loop, but I think that is a
>>non-standard requirement.
> 
> 
> Why so?  The RM wording says "all tasks", and that includes the env
> task.

If I remember correctly the documentation for that implementation said 
that it was a non-standard requirement. The reason given for this 
requirement was very implementation-dependent: the main procedure became 
the "idle task" for the scheduler, which required that the idle task be 
always "ready", therefore the main procedure was not allowed to 
terminate. But of course the documentation may have been wrong to say it 
was non-standard.

If Ravenscar really requires that the main procedure be non-terminating, 
I'm happy to learn that. From a very formal point of view I guess this 
requirement means that the kernel need not implement "await for task 
termination" even in the environment task.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
       .      @       .

Re: Ravenscar - program termination

[Ludovic Brenta]

Niklas Holsti writes:
> If Ravenscar really requires that the main procedure be
> non-terminating, I'm happy to learn that. From a very formal point
> of view I guess this requirement means that the kernel need not
> implement "await for task termination" even in the environment task.

Indeed, one of Ravenscar's goals is to make the necessary kernel easy
to certify to the most stringent safety standards.  As with all
high-integrity software, the best way to achieve this is to make
things small and simple.  So, not only does Ravenscar avoid the need
to wait for task termination, but also the tasking model (priority
ceiling inheritance) avoids the need for locks completely.  Imagine a
tasking kernel with no mutexes :)

Ravenscar is beautiful, IMHO.

-- 
Ludovic Brenta.

Re: Ravenscar - program termination

[Niklas Holsti]

Ludovic Brenta wrote:
> Niklas Holsti writes:
> 
>>If Ravenscar really requires that the main procedure be
>>non-terminating, I'm happy to learn that. From a very formal point
>>of view I guess this requirement means that the kernel need not
>>implement "await for task termination" even in the environment task.
> 
> 
> Indeed, one of Ravenscar's goals is to make the necessary kernel easy
> to certify to the most stringent safety standards.  As with all
> high-integrity software, the best way to achieve this is to make
> things small and simple.  So, not only does Ravenscar avoid the need
> to wait for task termination [snip]...

Yes, but waiting for task termination in a Ravenscar environment task, 
after calling the main procedure, is surely very simple:

    if (there are any tasks in the system) then
       -- The tasks will never terminate.
       loop null; end loop;
    else
       (error because the environment task is terminating)
    end if;

> Ravenscar is beautiful, IMHO.

I agree with that.

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
       .      @       .

Re: Ravenscar - program termination

[Maciej Sobczak]

Markus E Leypold wrote:

>> Still, it looks like I cannot say:
>>
>> pragma Profile(Ravenscar);
>>
>> in my Hello World program even though this program meets the
>> objectives of the profile. That's not fair! :-)
> 
> Well, it terminates. What does termination mean in a "high integrity"
> embedded system

And who said that Ravenscar is for embedded systems *only*?
The word "embedded" does not even appear in the document, apart from the 
example in chapter 7 (which as an example is not normative).

I wrote a Hello World program and I want to impress my boss telling him 
that my program complies with Ravenscar recommendations. That sounds 
much more serious than a plain dumb Hello World program!

I've found a way:

with Ada.Text_IO;
procedure Hello is
begin
    Ada.Text_IO.Put_Line("Hello Ravenscar!");
    loop
       null;
    end loop;
end Hello;

Wow! ;-)
But the CPU is spinning like crazy.


OK, back to serious mode.
One of the Ravenscar objectives is to allow implementations to provide 
stripped-down runtime when the profile is requested. This is a nice 
feature, even for programs that are not safety-critical in nature.
How does GNAT handle this? Can I expect it to build smaller (faster?) 
executables when I say pragma Profile(Ravenscar) provided that the 
program complies to all the restrictions anyway?

-- 
Maciej Sobczak : http://www.msobczak.com/
Programming    : http://www.msobczak.com/prog/

Re: Ravenscar - program termination

[Ludovic Brenta]

Maciej Sobczak writes:
> I wrote a Hello World program and I want to impress my boss telling
> him that my program complies with Ravenscar recommendations. That
> sounds much more serious than a plain dumb Hello World program!

A high-integrity "hello world"?  With tasking? :)

+pragma Profile (Ravenscar);
 with Ada.Text_IO;
+with Ada.Synchronous_Task_Control;
 procedure Hello is
+   Blocker : Ada.Synchronous_Task_Control.Suspension_Object;
 begin
    Ada.Text_IO.Put_Line("Hello Ravenscar!");
    loop
-      null;
+      Ada.Synchronous_Task_Control.Suspend_Until_True (Blocker);
    end loop;
 end Hello;

That should solve your CPU utilisation problem :)

> OK, back to serious mode.
> One of the Ravenscar objectives is to allow implementations to provide
> stripped-down runtime when the profile is requested. This is a nice
> feature, even for programs that are not safety-critical in nature.
> How does GNAT handle this? Can I expect it to build smaller (faster?)
> executables when I say pragma Profile(Ravenscar) provided that the
> program complies to all the restrictions anyway?

I'm not sure how GNAT handles this, and I think it depends on the
target.  It makes no sense at all to write high-integrity software
running on a low-integrity operating system (not to mention
low-integrity hardware); the intention is that the high-integrity
Ravenscar run-time kernel *is* the operating system.

As a consequence, Ada.Text_IO in a high-integrity system makes little
sense, unless you have a high-integrity console driver.  Since the
console driver would be hardware-dependent, you'd have to write your
own to complement GNAT's minimal Ravenscar tasking kernel.

I think that's why, in effect, high-integrity implies embedded.

In low-integrity, non-embedded software, you cannot benefit from the
"minimal kernel", "lock-free operation" or "configurable scheduling
policies", but you can benefit from other inherent properties of the
tasking model, which reduce the opportunities for deadlocks.

PS. Keep in mind that calls to Ada.Text_IO.Put_Line are "potentially
blocking", so you cannot call them from a protected object in
Ravenscar.  See ARM 9.5.1(8, 10), D.13.1(4/2), H.5(5/2).

-- 
Ludovic Brenta.

Re: Ravenscar - program termination

[Jeffrey R. Carter]

Ludovic Brenta wrote:
> 
> Indeed, one of Ravenscar's goals is to make the necessary kernel easy
> to certify to the most stringent safety standards.  As with all
> high-integrity software, the best way to achieve this is to make
> things small and simple.  So, not only does Ravenscar avoid the need
> to wait for task termination, but also the tasking model (priority
> ceiling inheritance) avoids the need for locks completely.  Imagine a
> tasking kernel with no mutexes :)

The assumption is a single processor. We're already moving away from that.

-- 
Jeff Carter
"Alms for an ex-leper!"
Monty Python's Life of Brian
75