Abstract
In spite of the high-level abstraction benefits of automatic tracing garbage collection, current prevailing sentiment within the safety certification community is that a simpler memory model is required for the most rigorous levels of software safety certification. Thus, the draft JSR-302 specification for safety critical Java relies on scope-based memory allocation rather than tracing garbage collection. The scoped memory model for JSR-302 is a simplification of the RTSJ model. JSR-302 enforces a strict hierarchy of scopes and distinguishes private scopes, which can be seen only by one thread, from mission scopes, which can be accessed by all the threads that comprise a mission, including threads running within inner-nested sub-missions. The hierarchical memory structure allows implementations to guarantee the absence of memory fragmentation for scope management, unlike the Real-Time Specification for Java from which the JSR-302 specification was derived.
In the absence of block structure, it is more difficult in Java to safely manage references to stack-allocated objects than in Ada. While the simplified hierarchical management of scoped memory that is part of JSR-302 addresses memory fragmentation concerns, it does not guarantee the absence of dangling pointers. As with the Real-Time Specification for Java, JSR-302 requires a run-time check to enforce that no reference assignment creates a relationship whereby an outer-nested object is allowed to point to an inner-nested object. This rule assures the absence of dangling pointers, but it introduces a different problem: every assignment to a reference field must be accompanied by a run-time check to validate the appropriate scope nesting relationship. This run-time check will throw a run-time exception if the assignment is deemed inappropriate.
The safety certification evidence for a given safety-critical Java program must therefore include an argument for every reference assignment that it will not cause the program to abort with a run-time exception. Furthermore, the certification evidence must prove that sufficient memory is available to reliably execute each safety-critical task in the system.
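The scope-nesting rule and the per-assignment check described above, modelled in Python as an added example (this is not Safety Critical Java code and not from the tutorial): `Scope`, `Obj`, `assign_ref` and the `live` flag are constructed stand-ins for an implementation's scope hierarchy, and `demo()` shows the rejected outer-to-inner and cross-thread assignments beside the dangling reference that an unchecked store would leave once a private scope exits.

```python
class ScopeViolation(Exception):
    """Raised when an outer-nested object would reference an inner-nested object."""

class Scope:
    """One scope in the strict hierarchy: a mission scope or a thread-private scope."""
    def __init__(self, name: str, parent: "Scope | None" = None):
        self.name, self.parent, self.live = name, parent, True

    def encloses(self, other: "Scope") -> bool:
        """True when self is `other` or one of its ancestors (outer-or-equal)."""
        s = other
        while s is not None:
            if s is self:
                return True
            s = s.parent
        return False

class Obj:
    """A heap object with one reference field, allocated in exactly one scope."""
    def __init__(self, scope: Scope):
        self.scope, self.ref = scope, None

def assign_ref(target: Obj, value: "Obj | None") -> None:
    """Per-assignment check: the referent's scope must enclose the holder's scope."""
    if value is not None and not value.scope.encloses(target.scope):
        raise ScopeViolation(f"{target.scope.name} -> {value.scope.name} not allowed")
    target.ref = value

def is_dangling(o: Obj) -> bool:
    """Once a scope has exited (live = False), any reference into it is dangling."""
    return o.ref is not None and not o.ref.scope.live

def demo() -> dict:
    mission = Scope("mission")
    priv_a = Scope("private-A", mission)   # private scope of thread A (constructed)
    priv_b = Scope("private-B", mission)   # sibling private scope of thread B
    m, a, b = Obj(mission), Obj(priv_a), Obj(priv_b)
    results = {}
    assign_ref(a, m)                        # inner -> outer: the referent outlives the holder
    results["inner_to_outer"] = a.ref is m
    for name, tgt, val in (("outer_to_inner", m, a), ("sibling", a, b)):
        try:
            assign_ref(tgt, val)
            results[name] = "allowed"
        except ScopeViolation:
            results[name] = "rejected"
    m.ref = a                               # bypass the check, as an unchecked store would
    priv_a.live = False                     # thread A exits its private scope
    results["unchecked_dangles"] = is_dangling(m)  # the mission object now dangles
    return results
```

A static analysis that proves every `assign_ref` call can never raise is exactly the certification argument the paragraph above asks for, which is what the annotation systems in the tutorial are designed to provide.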
This tutorial provides an overview of dynamic memory management in Safety Critical Java and describes two annotation systems that have been designed to support static (compile-time) enforcement of memory safety properties. The first annotation system is described in an appendix to the draft JSR-302 standard. This relatively simple annotation system, which is not considered normative, serves to demonstrate that memory safety can be statically proven without requiring extensive annotations throughout existing library code. The second annotation system is the one implemented in Perc Pico. This annotation system, which is much richer than the draft JSR-302 annotation system, has been in experimental use for over five years. During that time, tens of thousands of lines of experimental application code have been developed, with the experience motivating a variety of refinements to the original design.
Tutorial overview: understanding dynamic memory management in safety critical Java. HILT '12: Proceedings of the 2012 ACM conference on High integrity language technology.