4. Predefined Profiles

GNAT Pro supports two language defined profiles: Ravenscar and Jorvik. These profiles provide subsets of Ada’s tasking capabilities suitable for embedded or certification applications. This section provides a brief introduction to these profiles.

4.1. The Ravenscar Profiles

The Ravenscar profile defines a subset of tasking features suitable for use in applications having extremely demanding requirements. The profile is a part of the Ada programming language and is defined by the language standard in section D.13 of the Real-Time Systems annex.

The profile is intended to support four application domains:

  • hard real-time applications requiring predictability,

  • safety-critical applications requiring formal certification,

  • high-integrity applications requiring formal verification, and

  • embedded applications requiring small memory footprint and low execution overhead.

The resulting tasking subset is designed to be small enough to allow efficient and analyzable run-time libraries, but large enough to permit programming styles needed in practice for all these domains.

For details of using the Ravenscar profile, including what the subset allows and excludes, see Guidance for the use of the Ada Ravenscar Profile in high integrity systems, ISO/IEC Technical Report 24718.

4.2. The Jorvik Profile

In addition to the Ravenscar tasking profile, GNAT supports the Jorvik (pronounced “yourvick”) profile, a new tasking profile in the Ada 202x language standard. Jorvik is the standardization of the older GNAT_Extended_Ravenscar profile. The latter profile name remains in GNAT as an alias to the Jorvik profile for compatibility with existing applications.

The Jorvik profile relaxes certain Ravenscar profile restrictions in order to increase expressive power for applications in the hard real-time and embedded system domains. Applications exclusively in these two domains typically do not require the formal certification and verification analyses imposed by the other Ravenscar domains. As a result, the new profile allows an underlying tasking run-time library implementation that, although somewhat more complex, remains small and efficient. However, for those applications requiring the most rigorous forms of analysis, i.e., those required for certification, the Ravenscar profile remains the best choice.

GNAT Pro provides a number of run-time libraries providing the Jorvik tasking subset, with differing subsets of the remaining sequential language supported. The following sections describe the Jorvik profile included in these run-times. Anything not specified as removed or altered from the Ravenscar profile remains unchanged in the Jorvik profile.

4.2.1. Number of Entries Per Protected Object

The Jorvik profile does not specify a value for Max_Protected_Entries. As a result, multiple entries per protected object are allowed.

Note that this change also allows entry families to have more than one member.

4.2.2. Number of Queued Callers per Entry

The Jorvik profile does not specify Max_Entry_Queue_Length. As a result, multiple callers can be queued on any given protected entry, rather than only one at a time. Task entries remain disallowed.

Note that any protected object containing protected entry declarations can specify, for each entry, the maximum number of callers allowed. This maximum number is checked at runtime, if specified, and can be used to compute a less pessimistic WCET off-line. Specification of the maximum value is optional.

The maximum value is specified via the language standard aspect or pragma Max_Queue_Length applied to that entry. (Max_Queue_Length is defined independent of Jorvik.) The value must be a static (positive) integer value. For example:

protected type P is

   entry A (Item : Integer)
      with Max_Queue_Length => 2;

   entry B (Item : Integer);
   pragma Max_Queue_Length (X);

private
   ...
end P;

4.2.3. Entry Barriers

The Jorvik profile does not specify Simple_Barriers. Instead, the new language-standard restriction “Pure_Barriers” is applied automatically. As a result, in addition to simple Boolean local variables, more complex Boolean expressions are allowed.

However, these expressions are still limited in content so that side effects, exceptions, and recursion are impossible. Removing the possibility of side effects is important because the language does not specify the number of times a given barrier is evaluated. Allowing exceptions would complicate the implementation, whereas the goal is an efficient and predictable run-time library implementation that minimizes barrier evaluation cost.

Specifically, “Pure_Barriers” allows the following:

  • References to components of the protected object

  • References to discriminants of the protected object

  • Numeric literals

  • Enumeration (and thus character) literals

  • Named numbers

  • Predefined relational operators

  • Predefined logical operators (“and”, “or”, “xor”, “not”)

  • Short-circuit control forms (“and then”, “or else”)

  • Membership tests

  • Conditional expressions

  • The Count attribute

The list above is a general description intended to give an idea of the enhancements. Several of the above have restrictions. See the Ada 202x draft Reference Manual description for precise details (section D.7 “Tasking Restrictions” specifically.)

Note that the Count attribute is allowed in the barriers for protected entries (and protected entry families), not just within entry bodies as in Ravenscar.

4.2.4. Relative Delay Statements

The Jorvik profile does not specify No_Relative_Delay. As a result, both relative and absolute delay statements are allowed.

Although relative delay statements are not appropriate for expressing cyclic behavior, there are cases in which a relative delay has precisely the required semantics. For example, a relay may have a requirement that it not be actuated more than N times per second. A relative delay after each actuation directly implements that requirement.

4.2.5. Additional Non-Tasking Restrictions Removed

Some Ravenscar restrictions are not related to tasking and can be relaxed without affecting timing analysis and space/speed performance.

4.2.5.1. No_Implicit_Heap_Allocations

The Jorvik profile does not specify No_Implicit_Heap_Allocations. This restriction is in the standard Ravenscar profile for the sake of the other domains and need not be applied when focusing on real-time and embedded systems. (Note that users can specify this restriction in their application code if they want the restriction to apply.)

Instead, the No_Implicit_Heap_Allocations restriction has been replaced by No_Implicit_Task_Allocations and No_Implicit_Protected_Object_Allocations.

4.2.5.2. No Dependence on Ada.Calendar

The Jorvik profile removes the restriction prohibiting use of the Ada.Calendar package. This restriction is present in standard Ravenscar because the Ada.Real_Time package has more appropriate semantics for real-time/embedded applications. However, not all usage of Ada.Calendar is unreasonable, for example time-stamping log messages.