Introduction. Early operating systems were control programs a few thousand bytes long that scheduled jobs, drove peripheral devices, and kept track of system usage for billing purposes. Modern operating systems are much larger, ranging from hundreds of thousands of bytes for personal computers (e.g., MS/DOS, Xenix) to tens of millions of bytes for mainframes (e.g., Honeywell's Multics, IBM's MVS, AT&T's UNIX) and hundreds of millions of bytes for some servers (Microsoft's NT). In addition to managing processors, memory, and dozens of input/output devices, modern operating systems also provide numerous services such as Internet communications, Web communications, inter-process communications, file and directory systems, data transfer over local networks, and command languages and graphical user interfaces for invoking and controlling programs. These high-level services hide the primitive facilities of the base computer, such as interrupts, status registers, and device in...
Though the use of formal methods for software verification has progressed tremendously in the last ten years, its take-up in industry has been meager, but with the right emphasis this could change dramatically. Software certification standards have started to take formal methods seriously as an alternative to testing. By focusing on practical issues such as common specification languages, adaptation to industrial processes for safety certification, scalability, training, and synergies between tools, common reservations about using formal methods could be laid to rest. This could help formal methods become the center of software engineering in the coming decade.
In recent years, various approaches to real-time execution of Java have proven their worth in numerous commercial and defense applications. The Real-time Specification for Java has extended the Java platform with a range of features needed for real-time computing. As the use of real-time Java has become more widespread, the demand for Java in real-time applications with safety requirements has led to an effort to define a new standard—JSR-302 Safety-Critical Java (SCJ). The goal of this standard is to facilitate the creation of safety-critical Java applications capable of certification under standards such as DO 178B level A or IEC61508 for SIL 4. JSR-302 is nearing completion and will soon be released for public review. This paper introduces some of the primary goals, challenges, and proposed solutions for safety-critical Java and its relationship with the Real-time Specification for Java.
Delta algorithms compress data by encoding one file in terms of another. This type of compression is useful in a number of situations: storing multiple versions of data, displaying differences, merging changes, distributing updates, storing backups, transmitting video sequences, and others. This article studies the performance parameters of several delta algorithms, using a benchmark of over 1,300 pairs of files taken from two successive releases of GNU software. Results indicate that modern delta compression algorithms based on Ziv-Lempel techniques significantly outperform diff, a popular but older delta compressor, in terms of compression ratio. The modern compressors also correlate better with the actual difference between files without sacrificing performance. Categories and Subject Descriptors: D.2.7 [Software Engineering]: Distribution and Maintenance—version control; D.2.8 [Software Engineering]: Metrics—performance measures.
Proceedings of the 23rd International Conference on Software Engineering. ICSE 2001
The current suite of systems that offer client/server capabilities for document versioning relies on proprietary protocols for communicating between a central versioning repository and a remote client. In order to support better document authoring via the Web, the DeltaV working group of the WebDAV (WWW Distributed Authoring and Versioning) project of the Internet Engineering Task Force is working on a standard protocol for versioning over HTTP. The authors present a prototype of DeltaV based on the 04.5 draft. This system demonstrates that, though important aspects of the protocol need to be revised, versioning via the Web can be a practical means of supporting remote access to a central versioning repository.
Revision control has long been a standard part of software development. With the enormous expansion of the Internet and its increasing use as a means of communicating among geographically dispersed software developers, the need for distributed version control over the Internet has become acute. In order to address this need, the authors have developed a revision control server based on the World Wide Web (WWW) and RCE (an outgrowth of RCS). This proves to be possible, and it also highlights the strengths and weaknesses of using the HyperText Markup Language and standard WWW browsers such as Netscape and Mosaic to accomplish this goal.
The Real-time Specification for Java (RTSJ) introduced a range of language features for explicit memory management. While the RTSJ gives programmers fine control over memory use and allows linear allocation and constant-time deallocation, the RTSJ relies upon dynamic runtime checks for safety, making it unsuitable for safety critical applications. We introduce ScopeJ, a statically-typed, multi-threaded, object calculus in which scopes are first class constructs. Scopes reify allocation contexts and provide a safe alternative to automatic memory management. Safety follows from the use of an ownership type system that enforces a topology on run-time patterns of references. ScopeJ's type system is novel in that ownership annotations are implicit. This substantially reduces the burden for developers and increases the likelihood of adoption. The notion of implicit ownership is particularly appealing when combined with pluggable type systems, as one can apply different type constraints to different components of an application depending on the requirements without changing the source language. In related work we have demonstrated the usefulness of our approach in the context of highly-responsive systems and stream processing.
The current trend in Model Driven Architecture is to use model transformation to refine a model from a platform-independent model to a platform-specific model, resulting in a linear development process. With the advent of commercially available realtime and safety critical Java implementations as a basis for platform neutral realtime systems, one could raise the level of reuse in modeling realtime systems by keeping platform independent information completely separate from platform specific information, so that model refinement is done by adding modeling aspects and maps between aspects rather than by model transformation. The result is a modeling process that is less order dependent, thereby supporting the full flexibility of Java Technology even for realtime system design.
Parallel development has become standard practice in software development and maintenance. Though nearly every revision control and configuration management system provides some form of merging for combining changes made in parallel, these mechanisms often yield unsatisfactory results. The authors present a new merging algorithm that uses a fast differencing algorithm and renaming analysis to provide better merge results. The system is language aware, but not language dependent, and does not require a special editor, so it can be easily integrated in current development environments.
Though realtime Java offers significant advantages over other programming languages for safe programming, the analysis of worst case execution of realtime Java programs is considerably more difficult. The extra complexity can be addressed using a minimal set of parameterized annotations and data flow analysis to provide a standard worst case execution time analysis tool with the additional information necessary to determine the worst case execution time of realtime Java programs. This methodology has the advantage over existing methods in that it is equally applicable to general purpose library code as to application specific implementation code.
Finding changed identifiers in programs is important for program comparison and merging. Comparing two versions of a program is complicated if renaming has occurred. Textual merging is highly unreliable if, in one version, identifiers were renamed, while in the other version, code using the old identifiers was added or modified. A tool that
Until recently, the preferred language for developing safety critical applications has been Ada, but this is beginning to change. The number of developers willing to program in Ada is diminishing, while the complexity of applications is increasing. Whereas C and C++ are poor alternatives to Ada, realtime Java specifications have benefited from strong cross-fertilisation from the Ada community, giving realtime Java most of Ada’s advantages for developing safety critical systems. Though strongly related to standard Java technology such as J2SE and J2EE, realtime Java is really a different beast. The differences are subtle, so as to benefit from a common language base, but essential. Realtime Java sets itself apart by having much stronger threading semantics: it provides a strict specification of thread priorities and protocols for avoiding Priority Inversion. The RTSJ also introduces techniques for avoiding timing anomalies caused by garbage collection, ideally while maintaining the ...
This paper develops four related architectural principles which can guide the construction of error-tolerant operating systems. The fundamental principle, system closure, specifies that no action is permissible unless explicitly authorized. The capability based machine is the most efficient known embodiment of this principle: it allows efficient small access domains, multiple domain processes without a privileged mode of operation, and user and system descriptor information protected by the same mechanism. System closure implies a second principle, resource control, that prevents processes from exchanging information via residual values left in physical resource units. These two principles enable a third, decision verification by failure-independent processes. These principles enable prompt error detection and cost-effective recovery. Implementations of these principles are given for process management, interrupts and traps, store access through capabilities, protected procedure entry, and tagged architecture.
Papers by James Hunt