Concurrency

Concurrency ≠ Parallelism

Concurrency allows to create a well structured program
Parallelism allows to create a high performance program
Multiple cores/processors are...
- possible for concurrent programs
- essential to parallelism
What about Ada and SPARK?
- GNAT runtimes for concurrency available on single core & multicore (for SMP platforms)
- parallel features scheduled for inclusion in Ada and SPARK 202x

Concurrent Program Structure in Ada

../../../_images/concurrent_program_struct_ada.png

The problems with concurrency

Control and data flow become much more complex
- possibly nondeterministic even
- actual behavior is one of many possible interleavings of tasks
Data may be corrupted by concurrent accesses
- so called data races or race conditions
Control may block indefinitely, or loop indefinitely
- so called deadlocks and livelocks
Scheduling and memory usage are harder to compute

Ravenscar – the Ada solution to concurrency problems

Ravenscar profile restricts concurrency in Ada
- ensures deterministic behavior at every point in time
- recommends use of protected objects to avoid data races
- prevents deadlocks with Priority Ceiling Protocol
- allows use of scheduling analysis techniques (RMA, RTA)
- facilitates computation of memory usage with static tasks
GNAT Extended Ravenscar profile lifts some restrictions
- still same benefits as Ravenscar profile
- removes painful restrictions for some applications

Concurrent Program Structure in Ravenscar

../../../_images/concurrent_program_struct_ravenscar.png

Ravenscar – the SPARK solution to concurrency problems

Ravenscar and Extended_Ravenscar profiles supported in SPARK
Data races prevented by flow analysis
- ensures no problematic concurrent access to unprotected data
- flow analysis also ensures non-termination of tasks
Run-time errors prevented by proof
- includes violations of the Priority Ceiling Protocol

Concurrency – A trivial example

package Show_Trivial_Task is type Task_Id is new Integer; task type T (Id : Task_Id); T1 : T (0); T2 : T (1); end Show_Trivial_Task;

package body Show_Trivial_Task is task body T is Current_Task : Task_Id := Id; begin loop delay 1.0; end loop; end T; end Show_Trivial_Task;

Id can be written by T1 and T2 at the same time

Setup for using concurrency in SPARK

Any unit using concurrency features (tasks, protected objects, etc.) must set the profile

pragma Profile (Ravenscar);
--  or
pragma Profile (GNAT_Extended_Ravenscar);

... plus an additional pragma
- that ensures tasks start after the end of elaboration

pragma Partition_Elaboration_Policy (Sequential);

... which are checked by GNAT partition-wide
- pragmas needed for verification even it not for compilation

Tasks in Ravenscar

A task can be either a singleton object or a type
- no declarations of entries for rendez-vous

task T;
task type TT;

... completed by a body
- infinite loop to prevent termination

task body T is
begin
   loop
      ...
   end loop;
end T;

Tasks are declared at library-level
... as standalone objects or inside records/arrays

type TA is array (1 .. 3) of TT;
type TR is record
   A, B : TT;
end record;

Communication Between Tasks in Ravenscar

Tasks can communicate through protected objects
A protected object is either a singleton object or a type
- all PO private data initialized by default in SPARK

package Show_Protected_Object is protected P is procedure Set (V : Natural); function Get return Natural; private The_Data : Natural := 0; end P; end Show_Protected_Object;

package body Show_Protected_Object is protected body P is procedure Set (V : Natural) is begin The_Data := V; end Set; function Get return Natural is (The_Data); end P; end Show_Protected_Object;

Protected Objects in Ravenscar

Protected objects are declared at library-level
... as standalone objects or inside records/arrays
- The record type needs to be volatile, as a non-volatile type cannot contain a volatile component. The array type is implicitly volatile when its component type is volatile.

package Show_Protected_Object_Ravenscar is protected type PT is procedure Set (V : Natural); function Get return Natural; private The_Data : Natural := 0; end PT; P : PT; type PAT is array (1 .. 3) of PT; PA : PAT; type PRT is record A, B : PT; end record with Volatile; PR : PRT; end Show_Protected_Object_Ravenscar;

package body Show_Protected_Object_Ravenscar is protected body PT is procedure Set (V : Natural) is begin The_Data := V; end Set; function Get return Natural is (The_Data); end PT; end Show_Protected_Object_Ravenscar;

Protected Communication with Procedures & Functions

CREW enforced (Concurrent-Read-Exclusive-Write)
- procedures have exclusive read-write access to PO
- functions have shared read-only access to PO
Actual mechanism depends on target platform
- scheduler enforces policy on single core
- locks used on multicore (using CAS instructions)
- lock-free transactions used for simple PO (again using CAS)
Mechanism is transparent to user
- user code simply calls procedures/functions
- task may be queued until PO is released by another task

Blocking Communication with Entries

Only protected objects have entries in Ravenscar
Entry = procedure with entry guard condition
- second level of queues, one for each entry, on a given PO
- task may be queued until guard is True and PO is released
- at most one entry in Ravenscar
- guard is a Boolean component of PO in Ravenscar

package Show_Blocking_Communication is protected type PT is entry Reset; private Is_Not_Null : Boolean := False; The_Data : Integer := 1000; end PT; end Show_Blocking_Communication;

package body Show_Blocking_Communication is protected body PT is entry Reset when Is_Not_Null is begin The_Data := 0; end Reset; end PT; end Show_Blocking_Communication;

Relaxed Constraints on Entries with Extended Ravenscar

Proof limitations with Ravenscar
- not possible to relate guard to other components with invariant
GNAT Extended Ravenscar profile lifts these constraints
- and allows multiple tasks to call the same entry

package Show_Relaxed_Constraints_On_Entries is protected type Mailbox is entry Publish; entry Retrieve; private Num_Messages : Natural := 0; end Mailbox; end Show_Relaxed_Constraints_On_Entries;

package body Show_Relaxed_Constraints_On_Entries is Max : constant := 100; protected body Mailbox is entry Publish when Num_Messages < Max is begin Num_Messages := Num_Messages + 1; end Publish; entry Retrieve when Num_Messages > 0 is begin Num_Messages := Num_Messages - 1; end Retrieve; end Mailbox; end Show_Relaxed_Constraints_On_Entries;

Interrupt Handlers in Ravenscar

Interrupt handlers are parameterless procedures of PO
- with aspect Attach_Handler specifying the corresponding signal
- with aspect Interrupt_Priority on the PO specifying the priority

with System; use System; with Ada.Interrupts.Names; use Ada.Interrupts.Names; package Show_Interrupt_Handlers is protected P with Interrupt_Priority => System.Interrupt_Priority'First is procedure Signal with Attach_Handler => SIGHUP; end P; end Show_Interrupt_Handlers;

Priority of the PO should be in System.Interrupt_Priority
- default is OK – in the range of System.Interrupt_Priority
- checked by proof (default or value of Priority or Interrupt_Priority)

Other Communications Between Tasks in SPARK

Tasks must communicate through synchronized objects
- atomic objects
- protected objects
- suspension objects (standard Boolean protected objects)
Constants are considered as synchronized
- this includes variables constant after elaboration (specified with aspect Constant_After_Elaboration)
Single task or PO can access an unsynchronized object
- exclusive relation between object and task/PO must be specified with aspect Part_Of

Data and Flow Dependencies of Tasks

Input/output relation can be specified for a task
- as task never terminates, output is understood while task runs
- task itself is both an input and an output
- implicit In_Out => T
- explicit dependency

package Show_Data_And_Flow_Dependencies is X, Y, Z : Integer; task T with Global => (Input => X, Output => Y, In_Out => Z), Depends => (T => T, Z => X, Y => X, null => Z); end Show_Data_And_Flow_Dependencies;

State Abstraction over Synchronized Variables

Synchronized objects can be abstracted in synchronized abstract state with aspect Synchronous

package Show_State_Abstraction with Abstract_State => (State with Synchronous, External) is protected type Protected_Type is procedure Reset; private Data : Natural := 0; end Protected_Type; task type Task_Type; end Show_State_Abstraction;

package body Show_State_Abstraction with Refined_State => (State => (A, P, T)) is A : Integer with Atomic, Async_Readers, Async_Writers; P : Protected_Type; T : Task_Type; protected body Protected_Type is procedure Reset is begin Data := 0; end Reset; end Protected_Type; task body Task_Type is begin P.Reset; A := 0; end Task_Type; end Show_State_Abstraction;

Synchronized state is a form of external state
- Synchronous same as External => (Async_Readers, Async_Writers)
- tasks are not volatile and can be part of regular abstract state

Synchronized Abstract State in the Standard Library

Standard library maintains synchronized state
- the tasking runtime maintains state about running tasks
- the real-time runtime maintains state about current time

package Ada.Task_Identification with
  SPARK_Mode,
  Abstract_State =>
    (Tasking_State with Synchronous,
       External => (Async_Readers, Async_Writers)),
  Initializes    => Tasking_State

package Ada.Real_Time with
  SPARK_Mode,
  Abstract_State =>
    (Clock_Time with Synchronous,
       External => (Async_Readers, Async_Writers)),
  Initializes    => Clock_Time

API of these units refer to Tasking_State and Clock_Time

Concurrency

Concurrency ≠ Parallelism

Concurrent Program Structure in Ada

The problems with concurrency

Ravenscar – the Ada solution to concurrency problems

Concurrent Program Structure in Ravenscar

Ravenscar – the SPARK solution to concurrency problems

Concurrency – A trivial example

Setup for using concurrency in SPARK

Tasks in Ravenscar

Communication Between Tasks in Ravenscar

Protected Objects in Ravenscar

Protected Communication with Procedures & Functions

Blocking Communication with Entries

Relaxed Constraints on Entries with Extended Ravenscar

Interrupt Handlers in Ravenscar

Other Communications Between Tasks in SPARK

Data and Flow Dependencies of Tasks

State Abstraction over Synchronized Variables

Synchronized Abstract State in the Standard Library

Code Examples / Pitfalls

Example #1

Example #2

Example #3

Example #4

Example #5

Example #6

Example #7

Example #8

Example #9

Example #10