Rationale for Ada 2005
5.7 High Integrity Systems annex
There are a few changes to this annex. The most noticeable is that its title has been changed from Safety and Security to High Integrity Systems. This reflects common practice in that high-integrity is now the accepted general term for systems such as safety-critical systems and security-critical systems.
There are some small changes to reflect the introduction
of the Ravenscar profile. It is clarified that tasking is permitted in
a high-integrity system provided that it is well controlled through,
for example, the use of the Ravenscar profile.
A new pragma Partition_Elaboration_Policy is introduced. Its syntax is
pragma Partition_Elaboration_Policy(policy_identifier);
Two policy identifiers are predefined, namely, Concurrent
and Sequential. The pragma is a configuration
pragma and so applies throughout a partition. The default policy is Concurrent.
The normal behaviour in Ada when a program starts
is that a task declared at library level is activated by the environment
task and can begin to execute before all library level elaboration is
completed and before the main subprogram is called by the environment
task. Race conditions can arise especially when several library tasks
are involved. Problems also arise with the attachment of interrupt handlers.
If the policy Sequential is specified then the rules are changed. The following things happen in sequence:
- The elaboration of all library units takes place (this is done by the environment task) but library tasks are not activated (we say their activation is deferred). Similarly the attachment of interrupt handlers is deferred.
- The environment task then attaches the interrupts.
- The library tasks are then activated. While this is happening the environment task is suspended.
- Finally, the environment task executes the main subprogram in parallel with the executing tasks.
Note that from the library tasks' point of view they
go seamlessly from activation to execution. Moreover, they are assured
that all library units will have been elaborated and all handlers attached
before they execute.
If Sequential is specified then
pragma Restrictions(No_Task_Hierarchy);
must also be specified. This ensures that all tasks are at library level.
A final small point is that the Restrictions identifiers No_Unchecked_Conversion and No_Unchecked_Deallocation are now banished to Annex J because No_Dependence can be used instead.
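The following is an added worked example, not code from the Rationale, illustrating both the Sequential elaboration policy described above and the No_Dependence replacement for the banished Restrictions identifiers. The package and task names (Config_Table, Monitor, Watchdog, Main) are invented for the illustration, and the placement of the configuration pragmas in a gnat.adc file is a GNAT-specific assumption; the separate compilation units are shown together here but would normally each go in their own file.

```ada
--  Configuration pragmas.  These are assumed to live in a configuration
--  pragmas file (with GNAT, gnat.adc) so that they apply to the whole
--  partition.  Sequential requires No_Task_Hierarchy, which forces every
--  task to be declared at library level.
pragma Partition_Elaboration_Policy (Sequential);
pragma Restrictions (No_Task_Hierarchy);
--  The Ada 2005 way to forbid the unchecked facilities, replacing the
--  obsolescent No_Unchecked_Conversion and No_Unchecked_Deallocation.
pragma Restrictions (No_Dependence => Ada.Unchecked_Conversion);
pragma Restrictions (No_Dependence => Ada.Unchecked_Deallocation);

--  Config_Table (hypothetical name): a table that is only valid once the
--  package body's elaboration code has run.
package Config_Table is
   type Limit_Table is array (1 .. 4) of Natural;
   Limits : Limit_Table;
   function Ready return Boolean;
end Config_Table;

package body Config_Table is
   Initialised : Boolean := False;

   function Ready return Boolean is
   begin
      return Initialised;
   end Ready;

begin
   --  Elaboration code of the body: fills the table.
   Limits := (10, 20, 30, 40);
   Initialised := True;
end Config_Table;

--  Monitor (hypothetical name): a library-level task that reads the table.
--  Under the default Concurrent policy, Watchdog may be activated as soon
--  as Monitor's body is elaborated, possibly before Config_Table's body;
--  it could then see an unfilled table, or raise Program_Error when it
--  calls Ready (access before elaboration).  Under Sequential, activation
--  is deferred until every library unit has been elaborated.
with Config_Table;
package Monitor is
   task Watchdog;
end Monitor;

with Ada.Text_IO;
package body Monitor is
   task body Watchdog is
      Sum : Natural := 0;
   begin
      --  Under Sequential, Ready is guaranteed to be True here.
      if Config_Table.Ready then
         for I in Config_Table.Limits'Range loop
            Sum := Sum + Config_Table.Limits (I);
         end loop;
         Ada.Text_IO.Put_Line ("Sum of limits:" & Natural'Image (Sum));
      else
         Ada.Text_IO.Put_Line ("Table not ready: elaboration race");
      end if;
   end Watchdog;
end Monitor;

--  Main subprogram: the environment task runs it in parallel with
--  Watchdog once all library tasks have been activated.
with Monitor;
with Ada.Text_IO;
procedure Main is
begin
   Ada.Text_IO.Put_Line ("Main running; library tasks already active");
end Main;
```

The per-unit alternative to the partition-wide policy is pragma Elaborate_All on the with clause of each unit a task body calls, which guarantees the ordering for that dependency only; Sequential makes the guarantee once for every library task and interrupt handler in the partition, which is why it fits the Ravenscar style of statically known, library-level tasking.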
© 2005, 2006 John Barnes Informatics.