1 © AdaCore under the GNU Free Documentation License Franco Gasperoni gasperoni@adacore.com

1http://libre.adacore.com © AdaCore under the GNU Free Documentation License

Franco Gasperoni

gasperoni@adacore.com

http://libre.adacore.com

• Programming in the Large

– specification & implementation

– privacy

– abstract data types

– hierarchical packages

Separate CompilationSeparate CompilationTHE PROBLEM

Compiler object

Linker

executable

libraries

Problem with this approachProblem with this approach

• No structure

• To write your own code– YOU MUST understand

everybody else’s code

IdeaIdea

SPECIFY WHAT EACH

MODULESHOULD DO

SPECIFICATION

Software module

• Programming in the Large– specification &

implementation•specification

• implementation

• specification rules in Ada

A Specification is a ...A Specification is a ...

CONTRACTImplementorof themodule

Users/clientsof themodule

• On the SERVICES provided by the module

• SPEC = list of services provided

• BODY = implementation of the services (hidden)

Software module

Service_1Service_2Service_3

Service_1 implementation

SPECIFICATION

ExampleExample

• Create a Queue module that can– Add an Integer to the Queue

– See the First integer in the Queue

– Get the first integer in the Queue

– Test whether the Queue is Empty

package Queue is procedure Add (Element : Integer);

function First return Integer; function Get return Integer;

function Empty return Boolean;end Queue;

queue.adsqueue.ads

package Queue

queue.adsqueue.ads

Using package QueueUsing package Queue

with Queue;procedure Client is Queue_Error : exception; X : Integer;begin Queue.Add (3); Queue.Add (4);

if not Queue.Empty then X := Queue.Get; else raise Queue_Error; end if;end Client;

client.adb

Specifications Reduce ComplexitySpecifications Reduce Complexity

SPECSPEC

• To write your own code– only need to understand

specs for the services you need

package Queue?

queue.adsqueue.ads

To write Client only need to look atTo write Client only need to look at

Aside: use clauseAside: use clause

with Queue; use Queue;procedure Client is Queue_Error : exception; X : Integer;begin Queue. Add (3); Queue. Add (4);

if not Queue. Empty then X := Queue. Get; else raise Queue_Error; end if;end Client;

implementation• specification

• implementation

• specification rules in Ada

ONEONE possible possible implementationimplementation

of packageof packageQueueQueue

This implementationThis implementation raises Constraint_Error raises Constraint_Errorif more than Max_Sizeif more than Max_Size

elements are put in the Queue.elements are put in the Queue.

Circular BufferCircular Buffer

0 1Max_Size - 1

Q_Last Q_First

ANOTHERANOTHER possible possible implementationimplementation

of packageof packageQueueQueue

Linked ListLinked List

Q_LastQ_First

A Spec can have several A Spec can have several implementationsimplementations

• Can change implementation

• WITHOUT having to change ANY of the client’s code

queue.adsqueue.ads

firstimplement.

secondimplement.second

implement.

implementation• specification

• implementation

•specification rules in Ada

In AdaIn Ada

• Spec always checked against implementation

• Must with the specs that you are going to

use (not in C)

• Packages provide multiple name spaces

Must with Specs usedMust with Specs used

with Queue;procedure Client is ...begin Queue.Add (3); ...end Client;

Compilationerror

Multiple Name SpacesMultiple Name Spacespackage Queue is procedure Add (E : Integer); ...end Queue;

package Queue is procedure Add (E : Integer); ...end Queue;

package Set is procedure Add (E : Integer); ...end Set;

with Queue;with Set;procedure Client isbegin Queue.Add (3);

Set.Add (99);end Client;

Use Clause and AmbiguitiesUse Clause and Ambiguitiespackage Queue is procedure Add (E : Integer); ...end Queue;

package Queue is procedure Add (E : Integer); ...end Queue;

package Set is procedure Add (E : Integer); ...end Set;

with Queue; use Queue;with Set; use Set;procedure Client isbegin Add (123);end Client;

Compilationerror

ambiguity

But … Ada has overloadingBut … Ada has overloadingpackage Queue is procedure Add (E : Integer); procedure Add (E : Float); ...end Queue;

package Queue is procedure Add (E : Integer); procedure Add (E : Float); ...end Queue;

with Queue; use Queue;

procedure Client isbegin Add (123);

Add (3.141);end Client;

– privacy

package Queues is type Queue is …;

procedure Add (Q : Queue; Element : Integer); function First (Q : Queue) return Integer; function Get (Q : Queue) return Integer; function Empty (Q : Queue) return Boolean;end Queues;

Having Several QueuesHaving Several Queues

Using Several QueuesUsing Several Queues

with Queues; use Queues;procedure Client is Q1 : Queue; Q2 : Queue;

begin Add (Q1, 123);

Add (Q2, 3);

Add (Q2, Get (Q1));end Client;

One possible One possible implementation ...implementation ...

type Q_Element;type Element_Ptr is access Queue_Element;

type Queue_Element is record Val : Integer; Next : Element_Ptr;end record;

type Queue is record First : Element_Ptr; Last : Element_Ptr;end record;

type Q_Element;type Element_Ptr is access Queue_Element;

type Queue_Element is record Val : Integer; Next : Element_Ptr;end record;

type Queue is record First : Element_Ptr; Last : Element_Ptr;end record;

Client code allowed to Client code allowed to depend on the depend on the

implementation !implementation !with Queues; use Queues;procedure Client is Q1 : Queue; Q2 : Queue;

begin Add (Q1, 123); Add (Q2, 3);

Q2.Last := null;

end Client;

Another implementation ...Another implementation ...

Max_Size : constant := 100;type Q_array (Natural range <>) of Integer;

type Queue is record Q : Q_Array (0 .. Max_Size); First : Natural; Last : Natural; Size : Natural;end record;

Max_Size : constant := 100;type Q_array (Natural range <>) of Integer;

type Queue is record Q : Q_Array (0 .. Max_Size); First : Natural; Last : Natural; Size : Natural;end record;

… … breaks client code !breaks client code !

begin Add (Q1, 123); Add (Q2, 3);

Q2.Last := null;

end Client;

Compilationerror

Even without changing Even without changing the implementationthe implementationthere is a there is a PROBLEMPROBLEM

begin Add (Q1, 123); Add (Q2, 3);

Q2.Last := null;

end Client;

Q2 is in aninconsistent

33FirstLast

You need PRIVACYYou need PRIVACY

• Exposing your data structures is risky

– Client code may manipulate the structures directly without using your own services

– Client code is hard to change

ThinkThink BIGBIG

what if what if the the QueuesQueues package package

is is used byused by 1000s1000s of other of other packagespackages

• If there is a bug concerning a Queue, you may have to look at 1000s of packages to find the bug

• If you change the implementation you may have to update 1000s of packages

– privacy•private types

• private types & discriminants

• limited private types

Private typesPrivate types

package Queues is type Queue is private;

procedure Add (Q : Queue; Element : Integer); function First (Q : Queue) return Integer; function Get (Q : Queue) return Integer; function Empty (Q : Queue) return Boolean;

private type Queue is …;end Queues;

In any implementation ...In any implementation ...package Queues is type Queue is private;

private type Queue_Element; type Element_Ptr is access Queue_Element; type Queue_Element is record Val : Integer; Next : Element_Ptr; end record;

type Queue is record First : Element_Ptr; Last : Element_Ptr; end record;end Queues;

… … private types are PRIVATEprivate types are PRIVATE

begin Add (Q1, 123); Add (Q2, 3);

Q2.Last := null;

end Client;

Compilationerror

Advantages of Advantages of privateprivate types types

• Enforces the contract of a specification

• No client code can corrupt your data structures

• Can change implementation without changing client code

– privacy• private types

• private types & discriminants

• limited private types

X : Integer;

begin Add (Q1, 123); Add (Q1, 3);

Q2 := Q1;

X := Get (Q2);end Client;

Does this affect Q1 ?

it depends on … the it depends on … the implementation !implementation !

• If a Queue is implemented with

– a pointer then Get (Q2) MODIFIES Q1

– a record containing an array then Get (Q2) does NOT modify Q1

with Queues; use Queues;procedure Client is Q1 : Queue; Q2 : Queue; X : Integer;begin Add (Q1, 123);

Add (Q1, 3);

Q2 := Q1;

X := Get (Q2);X := Get (Q2);end Client;

123123Q1: 33

123123Q1:

123123Q1: 33

Pointer Pointer implementationimplementation

limited private typeslimited private types

• NO assignment :=

• NO equality comparison =

package Queues is type Queue is limited private;

X : Integer;

begin Add (Q1, 123); Add (Q1, 3);

Q2 := Q1;

end Client;

COMPILATIONERROR

:= forbidden

– privacy

To add functionality ...To add functionality ...

function Last (Q : Queue) return Integer;

Must add it to

QueuesQueue is a private type

But ...But ...

• Every time you change a spec you must recompile all its clients

• Every time you change a module you must RETEST the whole module

Solution: use child unitsSolution: use child units

queues.ads

function Queues . Last (Q : Queue) return Integer;queues-last.ads

Child subprogram

Child Units RulesChild Units Rules

• The body or private part of a child unit can see the private part of all of its parents

• The spec of a child unit does NOT

Using a child unitUsing a child unit

with Queues; use Queues;with Queues.Last;procedure Client is Q : Queue; X : Integer;

begin Add (Q, 123); Add (Q, 3);

X := Queues.Last (Q);end Client;

queues.ads

package Queues . New_Functionality is function Last (Q : Queue) return Integer;end Queues . New_Functionality

queues-new_functionality.ads

Child package

with Queues; use Queues;with Queues.New_Functionality;procedure Client is Q : Queue; X : Integer;

begin Add (Q, 123); Add (Q, 3);

X := Queues.New_Functionality.Last (Q);end Client;

1 © AdaCore under the GNU Free Documentation License Franco Gasperoni gasperoni@adacore.com

Documents

GNAT Pro User Day: New and Upcoming Developments in the AdaCore Technology

AdaCore Paris Tech Day 2016: Jamie Ayre - Market Perspective

AdaCore Paris Tech Day 2016: Elie Richa - Integrated Unit Testing for a Trusted Code Generator

Slide: 1 Copyright © AdaCore Subprograms Presented by Quentin Ochem university.adacore.com

GNAT Pro User Day: AdaCore University

Slide: 1 Copyright © AdaCore Basic Types Presented by Quentin Ochem university.adacore.com

Slide: 1 Copyright © AdaCore Packages Presented by Quentin Ochem university.adacore.com

AdaCore Technologies for DO-178C / ED-12C · Quentin Ochem is the Lead of Business Development and Technical Account Management at AdaCore, a role that entails expanding the company's

calendar highlights / May–November 2015 Inside AdaCore · Atlantic during Autumn 2015. At these AdaCore Tech Days com - pany staff will present the latest news about current products

AdaCore Paris Tech Day 2016: Jerome Lambourg - Cross and BareBoard Team Inside Out

Programming in the Small: C/C++/Java Pitfalls & Ada Benefits Franco Gasperoni gasperoni@adacore.com

b 6UfbYg - AdaCore...safe and secure foundations on which succeeding versions of the language have built. Franco Gasperoni Chief Executive Officer, AdaCore Paris, January 2013 iii

AdaCore Paris Tech Day 2016: Fabien Chouteau - Making the Ada Drivers Library

Tristan Gingold - KU Leuvendirk.craeynest/ada... · 2016. 1. 29. · AdaCore FOSS contributions • AdaCore maintains the Ada front-end of GCC • AdaCore also contributes patches

Aluna: Carolina Paloma Gasperoni Orientador: Prof. Dr. Elias Canhadas Genvigir Cornélio Procópio 2011 Ferramenta para Captura e Representação de Design

Introduction to Software Construction Franco Gasperoni gasperoni@adacore.com

Tech Days 2015: AdaCore Roadmap

GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools

AdaCore Paris Tech Day 2016: Arnaud Chalet - GNAT Pro Roadmap

GNAT Pro User Day: Leveraging AdaCore Tool to Support Rigorous Software Development Process