Ravenscar Protected Objects: a Circus Semantics

The Ravenscar pro le is a restricted subset of the Ada 95 tasking model | designed to provide a certi able deterministic tasking model that supports schedulability analysis and meets tight memory constraints and performance requirements. Centre to Ravenscar is the use of Ada protected objects as the means for ensuring mutually exclusive access to data shared between di erent tasks. In this report, Circus (a speci cation language that combines Z and CSP) is used to model Ada protected objects that comply with restrictions of the Ravenscar pro le. Also, formal proofs showing that the Circus model exhibits the desired properties will be provided; this is the rst time a model about the functional aspects of Ada protected objects has been introduced and formally veri ed. Finally, although some of the properties proved in this report are mainly about behaviour (e.g. freedom of deadlock), all the proofs in this report are conducted in Z. This is a new and interesting result as now Z tools, usually used for proofs about sequential programs, can be used to provide formal proofs of CSP properties, hence concurrent programs.