A correct-by-construction AADL runtime for the Ravenscar profile using SPARK2014

Abstract

Middleware is an integral part of critical software, providing core services for data exchange and manipulation, job execution, and scheduling. Their correctness is central to the correct execution of the software. They must be carefully configured to meet all functional and non-functional requirements. From a set of valid configuration parameters, one then has to demonstrate the implementation is correct and can fulfill its mission. Model-based techniques provide the foundations for correct-by-construction engineering. Most notably, they can be used to model a system, assess its configuration is correct, and then generate the corresponding middleware instance. The SAE AADL language supports the modeling of safety-critical systems and covers its design, configuration, and analysis. In this paper, we present several contributions: the definition of a model of computation aligned with the Ada Ravenscar profile supported by an architectural model expressed using AADL; derivation rules from AADL constructs to middleware services using Ada 2012 and SPARK 2014, and the proof of correctness of the implementation. Our contribution illustrates how one can prove the absence of runtime errors in middleware configured from high-level descriptions. This effort illustrates the positive effect models, programming languages and associated toolsets have on developing high-assurance middleware.