Ravenscar Profile Executive Summary

Adapted from A. Burns, B. Dobbing, T. Vardanega: Guide for the use of the Ada Ravenscar
Profile in high integrity systems, Univ. of York Tech. Report YCS-2003-348, January 2003
- Software components of critical real-time applications must be provably predictable.
- Development methodologies for complex applications focus mainly on functionality and are therefore inadequate: the non-functional issues (safety, reliability, timeliness, memory usage, dynamic change management, etc.) are left until too late in the development cycle.
- The traditional approach to formal verification and certification of critical real-time systems is a cyclic executive that calls a series of procedures in a fixed, deterministic order.
- Such a system is easy to analyse but difficult to design once even moderate complexity is called for, and it is ill-suited to sporadic activities and to error recovery.
- Ada has proven useful for building high-integrity real-time systems, albeit through subsets restricted to deterministic constructs so that the code remains analysable.
 … is an Ada subset of its tasking model, restricted to meet real time requirements for




Determinism
Schedulability Analysis
Memory Boundedness
Mapping into a small and efficient run-time system,


Supporting task synchronization and communication
Certifiable to the highest integrity levels
 Potential verification techniques include:




Information flow analysis
Schedulability analysis
Execution-order analysis
Model checking
 Ravenscar Profile is silent on the non-tasking (i.e. sequential) aspects of Ada, like


Exception handling (or not handling)
Constraints on the sequential part of the language (static analysis, worst-case execution time, etc.)
- Recent research findings:
  - Accurate analysis of real-time behaviour is possible with a careful choice of scheduling/dispatching methods combined with careful restrictions on task interactions.
  - Priority-based preemptive scheduling is usually combined with the Priority Ceiling Protocol (PCP) to avoid unbounded priority inversion and deadlock. On a single processor, Ada's Ceiling_Locking policy implements the immediate-ceiling variant of PCP: a task runs at the ceiling priority of a protected object for the whole time it executes inside it, so a task can be blocked at most once, by at most one lower-priority task, for at most the length of one protected action.
  - This approach supports:
    - Cyclic activities
    - Sporadic activities
    - The notion of hard, firm, soft and non-critical components
    - Controlled inter-task synchronisation and communication
    - Scalability to distributed systems
- Tasks in an application have timing constraints.
- Critical tasks must meet their deadlines.
- Four basic levels of criticality, in terms of how important it is to meet a deadline:
  - Hard: a hard-deadline task MUST meet every deadline; failure to do so may result in an unacceptable failure at system level.
  - Firm: a firm-deadline task must meet its deadlines under "average" or "normal" conditions; an occasional missed deadline may be tolerated (perhaps at the cost of degraded performance), but there is no value in completing a firm task after its deadline has passed, so a miss degrades the service delivered at system level.
  - Soft: a soft-deadline task must likewise meet its deadlines under "average" or "normal" conditions, and an occasional miss may be tolerated (perhaps at the cost of degraded performance); unlike a firm task, there is still value in completing a soft task after its deadline has passed.
  - Non-critical: a non-critical task has no strict deadlines; it typically performs background duties, and its failure does not endanger the performance of the system.
- At any moment in time a task may be:
  - Ready to run: it would execute if processor time became available
  - Suspended: it cannot run until some event occurs
  - Blocked: it is waiting for a resource currently owned by another task
- Suspended tasks may become ready:
  - Synchronously: as a result of an action taken by the currently running task (e.g. a protected procedure call that opens an entry barrier)
  - Asynchronously: as a result of an external event (e.g. an interrupt or a timer expiry)
- Ravenscar requires priority-based preemptive scheduling on a single processor:
  - The scheduler ensures that the highest-priority ready task is always executing
  - The scheduler performs the context switches
  - Preemptive means that a context switch can occur because of an asynchronous event, not only when the running task suspends itself
- Tasks are required to interact because of:
  - Contention for shared resources
  - Exchange of data
  - Synchronisation needs
- Task interactions, if uncontrolled, pose the risks of:
  - Unbounded priority inversion / blocking: a high-priority task is blocked by a low-priority task that holds a resource it needs; while the low-priority holder is preempted, intermediate-priority tasks can run "amok", starving the high-priority task of the processor for an unbounded time.
  - Deadlock: a group of tasks (perhaps the entire system) block each other permanently because of circular ownership of, and contention for, resources.
  - Livelock: a group of tasks (perhaps the entire system) do execute but fail to make progress because of circular dependencies between them.
  - Missed deadline: a task fails to meet its deadline because of factors such as system overload, the cost of context switching under excessive preemption, excessive blocking, deadlock, livelock, or execution-time (WCET) overrun.
- The Ravenscar Profile is designed to minimise these risks.
- Under the Ravenscar Profile tasks never interact directly (there are no task entries, hence no rendezvous); they interact only via shared resources known as protected objects.
The profile is defined as the following set of configuration pragmas:

   pragma Task_Dispatching_Policy (FIFO_Within_Priorities);
   pragma Locking_Policy (Ceiling_Locking);
   pragma Detect_Blocking;
   pragma Restrictions (
      No_Abort_Statements,
      No_Dynamic_Attachment,
      No_Dynamic_Priorities,
      No_Implicit_Heap_Allocations,
      No_Local_Protected_Objects,
      No_Local_Timing_Events,
      No_Protected_Type_Allocators,
      No_Relative_Delay,
      No_Requeue_Statements,
      No_Select_Statements,
      No_Specific_Termination_Handlers,
      No_Task_Allocators,
      No_Task_Hierarchy,
      No_Task_Termination,
      Simple_Barriers,
      Max_Entry_Queue_Length => 1,
      Max_Protected_Entries => 1,
      Max_Task_Entries => 0,
      No_Dependence => Ada.Asynchronous_Task_Control,
      No_Dependence => Ada.Calendar,
      No_Dependence => Ada.Execution_Time.Group_Budgets,
      No_Dependence => Ada.Execution_Time.Timers,
      No_Dependence => Ada.Task_Attributes);

Or, in short:

   pragma Profile (Ravenscar);

Two practical notes: Detect_Blocking turns a potentially blocking operation executed inside a protected action into a Program_Error at run time instead of a silent hang, and Ada 2012 extends the list above with No_Dependence => System.Multiprocessors.Dispatching_Domains.
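The following listing is an added example, not code from the slides or from the York report. It puts the profile above into practice and illustrates the point of the previous page, that tasks interact only through protected objects: a cyclic task releases a sporadic task through a single-entry protected object with a Boolean barrier, and the profile's restrictions are visible in what the code does and does not do. Assumptions: a GNAT toolchain with `pragma Profile (Ravenscar);` placed in `gnat.adc` so it applies partition-wide; the unit and object names (Sensor_Pipeline, Sample_Buffer, Sampler, Processor), the priorities and the 20 ms period are invented for the illustration; Ada.Text_IO is used only so the run is visible on a hosted run-time and would be replaced by the board's output routine on a bare-metal Ravenscar run-time.

```ada
--  file: sensor_pipeline.ads   (split this listing into files with gnatchop)
with System;

package Sensor_Pipeline is

   --  The only channel between the two tasks: a library-level protected
   --  object (No_Local_Protected_Objects) with exactly one entry
   --  (Max_Protected_Entries => 1).  Its ceiling, System.Priority'Last, is
   --  at or above every caller's priority, as Ceiling_Locking requires.
   protected Sample_Buffer is
      pragma Priority (System.Priority'Last);
      procedure Put (Value : Integer);   --  never blocks; opens the barrier
      entry Take (Value : out Integer);  --  one caller only (queue length 1)
   private
      Latest    : Integer := 0;
      Available : Boolean := False;      --  Simple_Barriers: a plain Boolean
   end Sample_Buffer;

   --  Cyclic (periodic) task, released by the passage of time.
   task Sampler is
      pragma Priority (10);              --  illustrative value (assumption)
   end Sampler;

   --  Sporadic task, released only by Sample_Buffer.Take.
   task Processor is
      pragma Priority (5);               --  illustrative value (assumption)
   end Processor;

end Sensor_Pipeline;

--  file: sensor_pipeline.adb
with Ada.Real_Time; use Ada.Real_Time;
with Ada.Text_IO;

package body Sensor_Pipeline is

   Period : constant Time_Span := Milliseconds (20);  --  illustrative value

   protected body Sample_Buffer is

      procedure Put (Value : Integer) is
      begin
         Latest    := Value;
         Available := True;   --  synchronous release of the task queued on Take
      end Put;

      entry Take (Value : out Integer) when Available is
      begin
         Value     := Latest;
         Available := False;  --  close the barrier again (no requeue needed)
      end Take;

   end Sample_Buffer;

   task body Sampler is
      Next_Release : Time    := Clock;
      Reading      : Integer := 0;
   begin
      loop
         Reading := Reading + 1;          --  stand-in for a sensor read (constructed data)
         Sample_Buffer.Put (Reading);
         --  Absolute delay only: "delay Period;" is rejected by No_Relative_Delay,
         --  and delay-until avoids cumulative drift of the release times.
         Next_Release := Next_Release + Period;
         delay until Next_Release;
      end loop;
   end Sampler;

   task body Processor is
      Value : Integer;
   begin
      loop
         Sample_Buffer.Take (Value);      --  suspended here until Put opens the barrier
         --  Output happens outside the protected action, so Detect_Blocking
         --  has nothing to report.
         Ada.Text_IO.Put_Line ("processed sample" & Integer'Image (Value));
      end loop;
   end Processor;

   --  For comparison, each of these is rejected at compile time under the profile:
   --    delay 0.02;                                   -- No_Relative_Delay
   --    select Sample_Buffer.Take (V); or delay ...   -- No_Select_Statements
   --    task Processor is entry Go; end Processor;    -- Max_Task_Entries => 0
   --    abort Processor;                              -- No_Abort_Statements

end Sensor_Pipeline;

--  file: main.adb
with Sensor_Pipeline;

procedure Main is
   pragma Priority (1);  --  environment task stays below both application tasks
begin
   null;  --  all work is done by the library-level tasks, which never terminate
end Main;
```

With `gnat.adc` containing `pragma Profile (Ravenscar);` in the working directory, `gnatchop` the listing and build with `gnatmake main`; the run prints one line every 20 ms until interrupted. The design choices map directly onto the pragma list: the release mechanism is a protected object rather than a task entry, the barrier is a single Boolean, the protected object and both tasks are declared at library level, and the periodic task uses `delay until` with an absolute time.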