Java in the Safety-Critical Domain [chapter]

Ana Cavalcanti, Alvaro Miyazawa, Andy Wellings, Jim Woodcock, Shuai Zhao
<span title="">2017</span> <i title="Springer International Publishing"> <a target="_blank" rel="noopener" href="https://fatcat.wiki/container/2w3awgokqne6te4nvlofavy5a4" style="color: black;">Lecture Notes in Computer Science</a> </i> &nbsp;
Safety-Critical Java (SCJ) is an Open Group standard that defines a novel version of Java suitable for programming systems with various levels of criticality. SCJ enables real-time programming and certification of safety-critical applications. This tutorial presents SCJ and an associated verification technique to prove correctness of programs based on refinement. For modelling, we use the Circus family of notations, which combine Z, CSP, Timed CSP, and object orientation. The technique caters for the specification of functional and timing requirements, and establishes the correctness of designs based on architectures that use the structure of missions and event handlers of SCJ. It also considers the integrated refinement of value-based specifications into class-based designs using SCJ scoped memory areas. As an example, we use an SCJ implementation of a widely used leadership-election protocol.

As opposed to the RTSJ, SCJ enforces a constrained execution model based on missions, event handlers, and memory areas [46]. SCJ restricts the RTSJ. It prohibits use of the heap and defines a policy for the use of memory areas, which are cleared at specific points of the program flow to avoid the unpredictable garbage collection of the heap. The SCJ design is organised in Levels (0, 1, and 2), with a decreasing amount of restrictions to the execution model. In this tutorial, we give a detailed description of SCJ and its programming and memory models. For illustration, we use a Level 1 implementation of a leadership-election protocol, which is widely used for coordination of distributed systems. SCJ Level 1 corresponds roughly to the Ravenscar profile for Ada [6]. We also present here a technique for verification by refinement of SCJ Level 1 programs [12]. It uses the Circus family of notations [10], which combine constructs from Z [49] for data modelling, CSP [40] for behavioural specification, and standard imperative commands from Morgan's refinement calculus [34]. We cover Circus Time [45], with facilities for time modelling from Timed CSP [39], and OhCircus [11], based on the Java model of object-orientation. This tutorial gives an overview of Circus and its constructs relevant for modelling SCJ designs. Our technique is based on the stepwise development of SCJ programs from specification models that do not consider the details of either the SCJ mission or memory models.
Development proceeds by model transformation justified by the application of algebraic laws that guarantee that the transformed model is a refinement of the original model. Before presenting the SCJ refinement technique, we give an overview of algebraic refinement. The verification technique is a refinement strategy: a procedure for the application of algebraic refinement laws. Four Circus specifications characterise the major development steps: we call them anchors, as they identify the (intermediate) targets for model transformation and the design aspects treated in each step of development. Each anchor is written using a different combination of the Circus family of notations. The first anchor is the abstract specification written in Circus Time. The last is written in SCJ-Circus; it is so close to an SCJ program as to enable automatic code generation. This tutorial describes this technique using the verification of the leadership-election protocol as an example. Next, we present the notations used in our work, namely SCJ, in Section 2, and Circus, in Section 3. Algebraic refinement is the subject of Section 4. Finally, Section 5 presents our refinement strategy. We draw some conclusions, where we identify open problems on refinement for SCJ, in Section 6.
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/978-3-319-56841-6_4">doi:10.1007/978-3-319-56841-6_4</a> <a target="_blank" rel="external noopener" href="https://fatcat.wiki/release/6h4qh74t5jgpnfkdachghf73we">fatcat:6h4qh74t5jgpnfkdachghf73we</a> </span>
<a target="_blank" rel="noopener" href="https://web.archive.org/web/20180723155108/http://eprints.whiterose.ac.uk/115605/1/CMWWZ17.pdf" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext"> <button class="ui simple right pointing dropdown compact black labeled icon button serp-button"> <i class="icon ia-icon"></i> Web Archive [PDF] <div class="menu fulltext-thumbnail"> <img src="https://blobs.fatcat.wiki/thumbnail/pdf/60/50/6050d9708751499bb9a6e4d1d2ea9c9caa66a658.180px.jpg" alt="fulltext thumbnail" loading="lazy"> </div> </button> </a> <a target="_blank" rel="external noopener noreferrer" href="https://doi.org/10.1007/978-3-319-56841-6_4"> <button class="ui left aligned compact blue labeled icon button serp-button"> <i class="external alternate icon"></i> springer.com </button> </a>