Abstract
Safety-Critical Java (SCJ) is a novel version of Java that addresses issues related to real-time programming and certification of safety-critical applications. In this paper, we propose a technique that reveals the issues involved in the formal verification of an SCJ program, and provides guidelines for tackling them in a refinement-based approach. It is based on Circus, a combination of well established notations: Z, CSP, Timed CSP, and object orientation. We cater for the specification of timing requirements and their decomposition towards the structure of missions and event handlers of SCJ. We also consider the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. We present a refinement strategy, a Circus variant that captures the essence of the SCJ paradigm, and a substantial example based approach on a concurrent version of a case study that has been used as a benchmark by the SCJ community: an aircraft collision detector.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Adams MM, Clayton PB (2005) Cost-effective formal verification for control systems. In: ICFEM 2005. LNCS, vol 3785. Springer, Berlin, pp 465–479
Bolton C (2005) Using the alloy analyzer to verify data refinement in Z. Electron Notes Theor Comput Sci 137(2):23–44
Braberman V, Fernandez F, Garbervetsky D, Yovine S (2008) Parametric prediction of heap memory requirements. In: International symposium on memory management. ACM special interest group on programming language, pp 141–150
Burns A (1999) The Ravenscar profile. Ada Lett XIX:49–52
Burns A, Wellings AJ (2007) Concurrent and real-time programming in Ada. Cambridge University Press, Cambridge
Burns A, Wellings AJ (2009) Real-time systems and programming languages, 4th edn. Addison-Wesley, Reading
Cavalcanti ALC, Clayton P, O’Halloran C (2011) From control law diagrams to Ada via Circus. Form Asp Comput 23(4):465–512
Cavalcanti ALC, Sampaio ACA, Woodcock JCP (2003) A refinement strategy for Circus. Form Asp Comput 15(2–3):146–181
Cavalcanti ALC, Sampaio ACA, Woodcock JCP (2005) Unifying classes and processes. Software & Systems Modeling 4(3):277–296
Cavalcanti ALC, Wellings A, Woodcock JCP (2012) The safety-critical java memory model formalised. Form Asp Comput. doi:10.1007/s00165-012-0253-4
Cavalcanti ALC, Wellings A, Woodcock JCP, Wei K, Zeyda F (2011) Safety-critical Java in Circus. In: Ravn AP (ed) 9th JTRES. ACM digital library. ACM, New York
Cavalcanti ALC, Woodcock JCP (1999) ZRC—A refinement calculus for Z. Form Asp Comput 10(3):267–289
Freitas AF, Cavalcanti ALC (2006) Automatic Translation from Circus to Java. In: FM 2006. LNCS, vol 4085. Springer, Berlin, pp 115–130
Freitas L, McDermott JP (2011) Formal methods for security in the xenon hypervisor. Int J Softw Tools Technol Transf 13(5):463–489
Grov G, Ireland A, Llano MT (2012) Refinement plans for informed formal design. In: 3rd ABZ. LNCS, vol 7316. Springer, Berlin, pp 208–222
Harwood W, Cavalcanti ALC, Woodcock JCP (2008) A theory of pointers for the UTP. In: ICTAC. LNCS, vol 5160. Springer, Berlin, pp 141–155
Hayes IJ, Utting M (2001) A sequential real-time refinement calculus. Acta Inform 37(6):385–448
Hoare CAR, He J (1998) Unifying theories of programming. Prentice Hall, New York
Kalibera T, Hagelberg J, Pizlo F, Plsek A, Titzer B, Vitek J (2009) CD x : a family of real-time Java benchmarks. In: Proceedings of the 7th JTRES. ACM, New York, pp 41–50
Kalibera T, Parizek P, Malohlava M, Schoeberl M (2010) Exhaustive testing of safety critical Java. In: 8th JTRES. ACM, New York, pp 164–174
Locke D, Andersen BS, Brosgol B, Fulton M, Henties T, Hunt JJ, Nielsen JO, Nilsen K, Schoeberl M, Tokar J, Vitek J, Wellings A (2010) Safety critical Java specification, first release 0.76. The Open Group, UK. jcp.org/aboutJava/communityprocess/edr/jsr302/index.html
Markey N (2011) Robustness in real-time systems. In: 6th IEEE international symposium on industrial embedded systems. IEEE Press, New York, pp 28–34
Marriott C, Zeyda F, Cavalcanti ALC (2012) A tool chain for the automatic generation of Circus specifications of simulink diagrams. In: ABZ. LNCS, vol 7316. Springer, Berlin, pp 294–307
Miyazawa A, Cavalcanti ALC (2012) Refinement-oriented models of stateflow charts. J Sci Comput Program 77(10–11):1151–1177
Morgan CC (1988) Auxiliary variables in data refinement. J Inf Process Lett 29(6):293–296
Morgan CC (1994) Programming from specifications, 2nd edn. Prentice Hall, New York
Mukherjee P, Stavridou V (1998) Decomposition in real-time safety-critical systems. Real-Time Syst 14:183–202
Oliveira MVM (2006) Formal derivation of state-rich reactive programs using Circus. Ph.D. Thesis, University of York
Oliveira MVM, Cavalcanti ALC, Woodcock JCP (2009) A UTP semantics for Circus. Form Asp Comput 21(1–2):3–32
Oliveira WR, Barros RSM (1997) The real numbers in Z. In: Proceedings of the 2nd BCS-FACS northern formal methods workshop. British Computer Society, London
Reed GM, Roscoe AW (1988) A timed model for communicating sequential processes. J Theor Comput Sci 58:249–261
Roscoe AW (1998) The theory and practice of concurrency. Prentice Hall, New York
Santos TLVL, Cavalcanti ALC, Sampaio ACA (2006) Object orientation in the UTP. In: Unifying theories of programming. LNCS, vol 4010. Springer, Berlin, pp 18–37
Sherif A, Cavalcanti ALC, He J, Sampaio ACA (2010) A process algebraic framework for specification and validation of real-time systems. Form Asp Comput 22(2):153–191
Singh NK, Wellings AJ, Cavalcanti ALC (2012) The cardiac pacemaker case study and its implementation in safety-critical Java and Ravenscar Ada. In: 10th JTRES. ACM, New York, pp 62–71
Tofte M, Talpin JP (1997) Region-based memory management. Inf Comput 132(2):109–176
Wei K, Woodcock JCP, Burns A (2010) A timed model of Circus with the reactive design miracle. In: 8th SEFM. IEEE Comput. Soc., Los Alamitos, pp 315–319
Wellings A (2004) Concurrent and real-time programming in Java. Wiley, New York
Woodcock JCP (2009) The miracle of reactive programming. In: Unifying theories of programming 2008. LNCS. Springer, Berlin, pp 202–217
Woodcock JCP, Cavalcanti ALC (2004) A tutorial introduction to designs in unifying theories of programming. In: IFM 2004. LNCS, vol 2999. Springer, Berlin, pp 40–66. Invited tutorial
Woodcock JCP, Davies J (1996) Using Z—Specification, refinement, and proof. Prentice Hall, New York
Zeyda F, Cavalcanti ALC, Wellings A (2011) The safety-critical Java mission model: a formal account. In: ICFEM. LNCS
Zeyda F, Cavalcanti ALC, Wellings A, Woodcock JCP, Wei K (2012a) Refinement of the Parallel CDx. Tech. Rep., University of York, Department of Computer Science, York, UK
Zeyda F, Oliveira MVM, Cavalcanti ALC (2012b) Mechanised support for sound refinement tactics. Form Asp Comput 24(1):127–160
Acknowledgements
This work is funded by EPSRC grant EP/H017461/1. Chris Marriott and Neeraj Singh have contributed with useful discussions.
Author information
Authors and Affiliations
Corresponding author
Appendices
Appendix A: Definitions in anchor A of the CD x
The type Frame is the set of partial functions from aircraft to (3d) vectors whose size is less than or equal to \(\mathit{MAX\_AIRCRAFT}\), the maximum number of aircraft detected.
The domain of the function determines the aircraft in view of the radar. We introduce Aircraft as the set of non-empty sequences of byte values: \(\mathit{Aircraft} \;\widehat{=}\; \mathrm{seq}_{1}(\mathit{byte})\) where byte is the set of integers from −128 to 127. The sequences represent unique call signs, mirroring the way aircraft are identified in aviation. The type Vector is defined by a schema whose components x, y and z correspond to the coordinates of a vector.
The work in Oliveira and Barros (1997) describes how real numbers can be axiomatised in Z.
We introduce common operators on vectors such as sum (+ V ), difference (− V ), scalar produce (∗ V ), dot product (⋅ V ) and length (|_|). Their Z definitions are omitted here as they are standard. We also define ZeroV and UnitV for the zero and unit vector. MkVector(c 1,c 2,c 3) yields a record ⦉x==c 1,y==c 2,z==c 3⦊ of type Vector.
The function CalcCollisionSet yields collisions as a set of aircraft pairs.
The pairs (a 1,a 2) in the set of collisions are characterised by a set comprehension that uses of a relation collide that captures whether their trajectories (posns a 1,motions a 1) and (posns a 2,motions a 2) are at risk of colliding. A trajectory is a pair of vectors: the first gives the trajectory’s position and the second its motion. We define \(\mathit{Trajectory} \;\widehat{=}\; \mathit{Vector} \times \mathit{Vector}\).
THRESHOLD is a constant that specifies the minimum acceptable distance between two trajectories; if it is less than or equal to that, we signal a potential collision.
The distance function carries out the actual distance calculation of aircraft trajectories.
We determine the minimal distance between two traversing points. This may not be the minimal distance between any two points, but is consistent with the algorithm in Kalibera et al. (2009).
Appendix B: Some classes
2.1 B.1 Class RawFrame
The class RawFrame is used to encode radar frames as data objects in the program. It records the position of all aircraft, identified by their call sign, that are currently in view of the radar. Some constants capture static variables used in the program.
The implementation uses two arrays: callsigsn, to record aircraft positions, and positions, to determine the respective call signs of the aircraft. It also includes a planeCnt integer component to determine the number of valid entries in the array ensemble.
The initialisation schema captures the initilisations of the state components in the code. Here, we create the data objects for both arrays and also define that, initially, there are no valid entries in the arrays; hence, no aircrafts are initially recorded in the frame.
The logical methods are used in the refinement for the definition of retrieve relations. The function getCallSign determines the call sign result! recorded in callsigns with index plane?.
The find logical function uses getCallSign to obtain the index result! for an aircraft given by its call sign a? within the array ensemble. This, in particular, allows us to determine the position of an aircraft with a given call sign.
The following private method is overloaded. Although, strictly speaking, overloading is not allowed in OhCircus, a simple renaming can be used to give semantics to the class. To be faithful to the code, we use the overloading here. In the same vein, we also use for loops, whose meaning can be given by recursion in the usual way.
The only method in the interface of RawFrame is copy defined below.
It uses the private copy methods above to copy the arrays of a given instance of the class RawFrame itself to the arrays of the current object.
2.2 B.2 Class StateTable
The class StateTable is used to record previous aircraft positions. This is important to calculate the predicted trajectories of aircraft and determine their potential collisions.
A hash map positionMap stores aircraft positions. For memory management, there is a store of pre-allocated objects for 3d vectors: the allocatedVectors and usedVectors fields.
The initialisation creates the data objects for the position map and as allocates 3d vector objects for the object store. The allocation during initialisation ensures that the vector objects are created in mission memory; this is crucial since those objects are shared between the handlers. Initially, no objects are in use from the store.
The put method is used to insert an element into the position_map. This is essentially using the corresponding put method of HashMap, with added logic that ensures that 3d vector objects are not created anew, but recycled from the pre-allocated object store.
The get method infers the position of an aircraft from the position map.
2.3 B.3 Class Partition
The class Partition holds the data for partitions of the voxel space.
It records a list parts of arrays corresponding to the partitions as well as a cyclic counter that facilitates recording voxels’ aircrafts in the partitions.
The initialisation allocates the parts list and determines that all partitions are empty (this is achieved by a call to the method clear of this same class defined next).
The clear method clears the voxel lists for all partitions.
The recordMotionList records the aircraft in a voxel in one of the partitions. The cyclic counter counter is used to ensure that partitions are populated in a balanced manner.
The getDetectorWork method obtains the content of one of the partitions subsequent to all voxel motion lists being recorded. It simply returns the respective entry of the parts array.
Rights and permissions
About this article
Cite this article
Cavalcanti, A., Zeyda, F., Wellings, A. et al. Safety-critical Java programs from Circus models. Real-Time Syst 49, 614–667 (2013). https://doi.org/10.1007/s11241-013-9182-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11241-013-9182-4