Reliable Software

Reliable Software

How to create reliable software

• Specify requirements in a formal language (eg Z)
• Traceability: trace requirements to code
• Static Analysis: prove properties about program
• Catch errors at compile time: earlier is better

Catching Errors

• Compile time
• Run time
• Handle Exceptions: repair and continue, if possible
• Prove exceptions can't occur
• Prove program properties to avoid runtime checks
• C import vs J package vs A packages
• Ada objects: can control dynamic dispatch
• Java: always unless final
• C++: if method declared as ??
• Ada: depends on parameter
• Primitive method
• Classwide (?) method

Reliable OO

OO in Ada

• In Ada we have added objects to a procedural language
• Design avoids some potential problems with OO languages

Avoid Overriding Errors

• Possible problem - Incorrect overriding
  • Misspelling: initialize vs initialise
  • Wrong parameter lists: missing or extra or wrong type parameters

• Result: get overriding when don't want it, or don't get it when it's wanted

• Solution: Mark routines that override

     type Shape is tagged record x, y: integer; end record;
     function area(S: Shape) return Natural is abstract;
  
  
     type Circle is new Shape with radius; end record;
  
  
     overriding  -- this function MUST override one in parent
     function area(C: Circle) return Natural;
  
  
     function new_function(C: Circle) return Natural;
     -- Does new_function override?
  

• Most useful when compiler switch requires overriding keyword

Avoid dynamic dispatch

• Ada allows programmer to control whether dynamic dispatch occurs

  -- formal parameter s is classwide.  Calls using s will be dynamic
  procedure print(s: Shape'Class) is
  begin
      put(area(s));          -- Dynamic
      put(area(Shape(s)));   -- NOT Dynamic
  
  
  -- Object prefix notation
  put(s.area);          -- Dynamic
  put(Shape(s).area);   -- NOT Dynamic
  
  
  

• Java: all methods use dynamic dispatch
• C++: each method specifies whether it used dynamic dispatch

More Avoiding Dynamic Dispatch

• In Java we get dynamic dispatch with this code:

  Object[] a = new Object[N]; a.fillitwithvariousobjects();

• In Ada we can have arrays of objects, but avoid dynamic dispatch

  procedure Dyn_Dispatch is
      type Any_Shape_Ptr is access Shape'Class
      AA: array (1 .. MaxShapes) of Any_Shape_Ptr;
  begin
      -- Fill array ...
      for i in AA'range loop
          print(AA(i).area);  
          -- Dynamic Dispatch because AA is a classwide type
      end loop;
  end Dyn_Dispatch;
  
  
  procedure No_Dyn_Dispatch is
      CA: array (1 .. MaxCircles) of Circle;
      SA: array (1 .. MaxSquares) of Square;
  begin
      -- Fill arrays ...
  
  
  for i in CA'range loop
      print(area.CA(i));        -- not dynamic: CA not classwide
  end loop;
  
  
  for i in SA'range loop
      print(area.SA(i));        -- not dynamic
  end loop;
  
  
  end No_Dyn_Dispatch;
  

Avoid heap allocation

• Heaps can run out of space
• Avoid this potential problem by not using the heap
• Store all shapes in arrays of known size shapes

• Use an array of pointers to have an array of any size shape

  • The pointers can point to shapes stored on the other arrays

     procedure No_Heap_Alloc is
         type Any_Shape_Ptr is access all Shape'Class
         AA: array (1 .. MaxShapes) of Any_Shape_Ptr;
    
    
     CA: array (1 .. MaxCircles) of aliased Circle;
     SA: array (1 .. MaxSquares) of aliased Square;
    
    
     begin
         -- Fill circle and square arrays ...
         for i in AA'range loop
             if choose_circle(i) then
                 AA(i) := CA(next_circle(i))'access;
             else
                 AA(i) := SA(next_square(i))'access;
             end if;
         end loop;
     end No_Dyn_Dispatch;
    

Avoid redefining fields

• Consider this Java code:

        Class A{int key;}
        Class B extends A{}  // What happens if we add a key here?
        Class C extends B{void useKey(){S.o.p(key);}
  

• Why does Java allow this?

  • Allows parent class to be redefined without knowledge of children
  • That is, add key to A when it already exists in B
• Will not compile in Ada
• Tradeoff: Lose flexibility, gain reliability

Reliable Variant Records

Compile time checks

• Only assign entire records

           t: Transaction := (check, 100, 100);
       begin
           t.kind := cash;  -- compile error
  

Runtime time checks

• Check discriminant at runtime

      t: Transaction := (check, 100, 100);
  begin
      if t.exp_date -- run time error
  

Reliable Pointers

Not null

• Declare pointer variables to not allow null values

  procedure p(n: not null node_ptr);
  ...
  
  
  -- client
  q := null;
  p(q); -- error
  

• Error caught at point of call

• Checks not needed in procedure
• Allows better proofs of program property

Access Checks - Avoid Dangling references

• Some C code with a dangling reference

Strong type checking - Variables

• Stack variables: all and aliased
• Pointers that point to a variable on the stack, must have all
  • type intPtr is access all Integer
• Variables on the stack must have aliased
  • I: aliased Integer

Strong type checking - Routine access

• Callbacks are strongly checked

Storage pools

• Define a storage pool associated with a procedure
• All new statements in the procedure allocate from this poo
• Deallocate all memory at one time when leave scope

Reliable Syntax

• See other notes
• Some notes on Language design, syntax, and reliable programming

Ways of Handling Runtime Checks

• There are several approaches to dealing with possible runtime errors
• Check for them at runtime with exception handler
  • Results in reliable code, but
  • Exception handling can be complex
  • Slows down application
• Leave runtime checks in for testing, remove them for production
  • This has obvious problems!
• Prove that runtime errors can't occur

Proving Program Properties

Goals of Proving Properties

• Prove absence of errors
• Allows removing runtime checks

Contracts

• Use contracts to specify program behavior
• Contract between caller and called
• Parameter modes are a simple contract
• Other contracts include pre/post conditions and invariants

Pre/Post Conditions

• Specify what must be true before a routine is called
  • Caller's responsibility
• Specify what must be true after a routine is called
  • Routine's responsibility
• Examples:
  • Array stack example
  • Tax example
  • Div by 0 example

Proving Properties - Invariants

• Specify what is always true of every member of a type
  • Invariant = not vary
• Objects must be created to meet the invariant
• All routines must preserve the invariant