对于一个项目,我目前正在尝试为一架假想的飞机编写一个迷你飞行员辅助系统。任务是学习 Ada Spark,而不是航空电子设备。我已经对我希望使用的飞机组件进行了建模,在主文件中进行了一些测试以检查组件是否按预期工作,一切都很好,现在我要向函数添加前置和后置条件,以确保我的飞机 super 安全的。其中一项安全措施是确保在飞机牵引时无法启动发动机,反之亦然,在发动机启动时切换到牵引。
我将引擎建模为高度复杂的记录,具有一个属性,类型为 OnOff,它采用 On 或 Off 值之一。请注意,我计划扩展属性,因此它不会保留单一属性记录。
这是引擎规范文件
package engines with SPARK_Mode
is
type OnOff is (On, Off);
type Engine is record
isOn: OnOff;
end record;
procedure switchOn (x : in out Engine);
procedure switchOff (x : in out Engine);
end engines;
我的飞机是这样组装的:
type Plane is record
engine1: Engine;
engine2: Engine;
gearOfLanding: LandingGear;
doorPax1, doorPax2, doorServ1, doorServ2,
doorCockpit: Door;
panelOfReadings: ReadingsPanel;
panelOfAlerts: AlertsPanel;
planOfFlight: FlightPlan;
speedLimits: SpeedLimit;
altitudeLimits: AltitudeLimit;
attitudeLimits: AttitudeLimit;
litresPerMile: Integer;
fuelTank1: FuelTank;
end record;
planes 文件中的过程 switchOnEngine 将引擎作为输入,并从引擎文件中调用 switchOn。这是规范,下面是正文:
procedure switchOnEngine (x : in out Engine; y : in Plane) with
Pre => y.panelOfReadings.mode /= Tow,
Post => x = (isOn => On) and y.panelOfReadings.mode /= Tow;
procedure switchOnEngine (x : in out Engine; y : in Plane)
is
begin
switchOn(x);
end switchOnEngine;
飞机作为变量传入,因此我可以检查前置条件和后置条件的各种属性,但我收到警告消息,但不确定如何解决。
precondition might fail
cannot prove y.panelOfReadings.mode /= Tow e.g when .......mode =>Tow
以下行也从我控制飞机的主文件中给出错误
switchOnEngine(AirForceOne.engine1, AirForceOne);
formal parameters x and y are aliased, and this is being marked as a 'high' priority warning.
这是主文件中飞机的初始化
AirForceOne : Plane := (
engine1 => (isOn => Off),
engine2 => (isOn => Off),
litresPerMile => 5,
gearOfLanding => (isExtended => Extended),
doorPax1 => (isClosed => Closed, isLocked => Unlocked),
doorPax2 => (isClosed => Closed, isLocked => Unlocked),
doorServ1 => (isClosed => Closed, isLocked => Unlocked),
doorServ2 => (isClosed => Closed, isLocked => Unlocked),
doorCockpit => (isClosed => Closed, isLocked => Unlocked),
fuelTank1 => (capacity=>26000, currentFuel=>26000),
planOfFlight => (distFromDest => 1500),
panelOfReadings =>
(mode => Tow,
currentSpeed => 0,
altitud => 0,
attitud =>
(currentPitch=>0,
currentRoll =>0)
),
panelOfAlerts =>
(approachingStallSpeed => Off,
unRestrictedSpeed => Off,
withinLandingSpdRange => Off,
withinOptCruiseAlt => Off,
withinOptCruiseSpeed => Off,
takeoffSpeedReached => Off,
fuelStatus => Off,
maxPitchAngleExceeded => Off,
maxRollAngleExceeded => Off),
speedLimits =>
(minLanding => 180,
maxLanding => 200,
minStall => 110,
minTakeoff => 130,
maxRestricted => 300,
maxGroundMode => 10),
altitudeLimits =>
(minFlight => 500,
maxFlight => 41000,
optCruiseAlt => 36000,
maxRestrictedSpeed => 10000,
maxInitiateFlareMode => 100),
attitudeLimits =>
(maxRoll => 30,
maxPitch => 30,
minRoll => -30,
minPitch => -30)
);
任何帮助都会很棒。我以为在前提条件下建议飞机不能被拖走就足够了,但似乎还不够。
最佳答案
Switchonengine的目的是改变飞机的状态。编写它来改变引擎的状态会让事情变得复杂。
Max_Engines : constant := 100; -- The Lillium jet has 36, so I hope this is enough
type Engine_Num is range 1 .. Max_Engines;
type Engine_Info is ...
type Engine_Map is array (Engine_Num range <>) of Engine_Info with
Dynamic_Predicate => Engine_Map'First = 1;
type Plane_Info (Num_Engines : Engine_Num) is record
Engine : Engine_Map (1 .. Num_Engines);
...
procedure Turn_On (Engine : in Engine_Num; Plane : in out Plane_Info) with
Pre => Engine in 1 .. Plane.Num_Engines and then
(not Running (Plane.Engine (Engine) ) and not Under_Tow (Plane),
Post => Running (Plane.Engine (Engine) );
Air_Force_One : Plane_Info (Num_Engines => 4);
关于ada - 如何阻止 ADA Spark 中的以下示例中的先决条件失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/67167605/