GNAT Pro Roadmap
by Jose Ruiz –
Introduction
Every year the GNAT Pro product family acquires new members and capabilities, to help our customers develop safer, more secure and more efficient code on newer hardware and software platforms. Moving forward, our goal is to offer a clear view on the future development of our technology. As part of this effort, we have made available a public roadmap for AdaCore products on our documentation platform.
This year the new ISO standard for Ada was published (ISO/IEC 8652:2023), as the official Ada 2022 standard. GNAT Pro already implements many of the new features and we will have a look at a few of them below. More will come over time.
We will also cover some extensions to the tooling that we hope will make developers’ lives easier and improve the safety, security and performance of their applications.
Let’s have a look at some of the things that have kept our engineering team busy lately. For a more exhaustive list of targets and capabilities you can check our live website documentation.
New Hardware and Software Platforms
New Software Frameworks
AdaCore has provided compilers based on GCC since our inception. We will obviously keep doing this, but in order to help our customers who are interested in diverse code generation technologies, we will start delivering an alternate LLVM back-end, in addition to the usual GCC back-end. The initial release will be on native Windows and Linux platforms, with subsequent availability on cross and bare metal targets. This can be a good approach to improve safety by implementing dissimilarity (generating two different binaries from the same source code). The GCC-based compilers will migrate to the more recent GCC 12 technology in 2024, and to GCC 13 in 2025.
Alire – a package manager for managing Ada projects, their source code and dependencies – will be integrated into the AdaCore product suite. Customers will be able to retrieve AdaCore libraries through this mechanism, and to build and use them locally.
While on the subject of AdaCore libraries, GNATcoll (library of Ada reusable components) and AWS (Ada Web Server, a library that allows an Ada application to interact through a web interface and services) have been available for native platforms for a long time; they will both be ported first to cross ARM linux products and later to VxWorks 7.
New Targets
On the cross-platform front, there have been a few recent additions to the toolsets with the addition of support for RTEMS 6 and QNX 7.1 (on ARM 64 bit), and for Helix Cert Edition 22.04. The VxWorks 7 versions that will be released by WindRiver in 2023 will soon be supported by the GNAT Pro 24 releases, and they will include an Ada API allowing direct access to the VxWorks 7 C APIs.
FreeRTOS, a real-time operating system for microcontrollers and small microprocessors, will be the target for a GNAT Pro port during 2024 and will help developers produce small footprint embedded systems with Ada.
CUDA (Compute Unified Device Architecture) is a software framework provided by NVIDIA for developing general purpose code on their hardware. The GNAT Pro for CUDA product will be available with the 24 release, relying on NVIDIA CUDA to allow Ada code to run directly on NVIDIA GPUs (Graphics Processing Units). Hence, you will be able to easily improve the performance of your Ada application by partitioning it into the part that is executed on the host processor and the tasks that run on the GPU. Flexible user-defined storage pools have been extended to support heterogeneous memory models, where in addition to memory allocations and deallocations, data can be transferred between different memory partitions over heterogeneous memory models.
Web Assembly (WASM) is an assembly-like language together with an interpreter, which can be run in various environments (e.g., a browser or a bare metal target). GNAT Pro will permit Ada code to be compiled into Web Assembly, so that applications can be reused in completely different contexts without a complete rewrite.
New Languages and Profiles
For bare metal targets, AdaCore’s light-tasking run times will start implementing the Ada 2022 Jorvik profile (a generalization of Ravenscar), in addition to the already supported Ravenscar profile.
For customers interested in executing C++ code on embedded systems, GNAT Pro will support C++ on bare metal targets with a light C++ run-time library to support the core language. The support library for C++ will contain functions to deal with run-time type information (RTTI), exception handling, dynamic memory, and termination handlers, among other useful features.
Improved Security
Security Hardening
GNAT Pro provides new Ada extensions aimed at security hardening in different aspects of code generation. See the Security Hardening Features section of the GNAT Reference Manual.
Register and stack scrubbing are techniques that can prevent leaks of sensitive data. They work by zeroing-out registers and stack frames when returning from subprograms.
These techniques can be applied to all subprograms in a compilation unit (using the -fzero-call-used-regs=choice option for register scrubbing and -fsctrub=choice for stack scrubbing) or to individual subprograms using the Machine_Attribute aspect. Note that stack scrubbing can also be applied to types and variables, ensuring protection of a given data or type of data.
procedure Store_Password;
pragma Machine_Attribute
(Store_Password, "zero_call_used_regs", "used");
-- Before returning, Store_Password scrubs call-clobbered
-- registers that it uses.
pragma Machine_Attribute (Store_Password, "strub");
-- Store_Password and its callers are modified so as to scrub
-- the stack space used by Store_Password after it returns.
GNAT Pro can harden conditionals to protect against hardware control-flow attacks (such as power deprivation) by introducing reversed compares that abort on unexpected results. You write your code as usual, and the compiler inserts extra verification code to check that the boolean value you are using does not contain an unexpected value.
This is accomplished by two complementary transformations, each activated by a separate command-line option. The first option, -fharden-compares, enables hardening of comparisons whose result is stored in a variable, and -fharden-conditional-branches enables hardening of comparisons that guard conditional branches.
Ada provides built-in support for introducing boolean types with alternative representations, using representation clauses. For additional hardening, GNAT Pro adds the hardbool Machine_Attribute pragma, that can be used to annotate these boolean types, so that expressions of such types used as conditions are checked for validity (Constraint_Error is raised if the result is not one of the possible values).
Finally, the GNAT Pro compiler can now guard against unexpected execution flows, such as branching into the middle of subprograms, as in Return Oriented Programming exploits. Option -fharden-control-flow-redundancy instructs the compiler to generate hardening code to take note of visited basic blocks while executing a subprogram, and to verify before returning that the path taken reflect a legitimate path in the control flow graph of the subprogram, detecting potential control flow tampering.
Security Testing
Helping users test their code is also an important part of our job, and the GNATfuzz automated testing technology continues its progress within the AdaCore suite, extending to more native platforms (Windows), covering more languages (C), implementing better heuristics, and improving the coverage of conditional codeits results and its integration with the rest of the dynamic analysis suite, including the creation of unit tests. This technology is extremely effective for finding corner-case security-related vulnerabilities.
Compact Code with Ada 2022
A lot of work during the last few years has gone into the updating of the Ada standard to its 2022 version. Suggestions have come from industrial users, hobbyists, and AdaCore (as a compiler vendor and heavy user of Ada). The GNAT Pro compiler has been largely used to prototype and test new ideas.
One of the assets of the Ada language is to be explicit about the programmer’s intent. However, sometimes the cost is unnecessary verbosity. Ada 2022 tries to address some of these shortcomings where conciseness is consistent with clarity of intention.
Printing values is a must when developing user interfaces. The ‘Image attribute in Ada returns a string representation of the value passed as input. This was only possible for discrete types until Ada 2012. In Ada 2022 the ‘Image attribute can be applied to any type (including records, arrays, access types, and private types) and also to values (eliminating the need to write the type to which they belong).
-- No longer need to use the type attribute
Put_Line (Long_Float'Image (Speed));
-- You can simply use the value attribute
Put_Line (Speed'Image);
Array aggregates have been made simpler to write using the square brackets notation, which eliminates the need to write implicit indices, and provides a meaningful new kind of component association. Among other things, it simplifies writing empty aggregates, single-element aggregates and iterated component associations. Here is an example:
-- You no longer need to use this cryptic syntax
Old_Style_Empty : Float_Array := (1 .. 0 => <>);
Old_Style_One_Item : Float_Array := (1 => 7.2);
-- You can use this simpler syntax
New_Style_Empty : Float_Array := [];
New_Style_One_Item : Float_Array := [7.2];
-- Compact notation to initialize elements according to indices
Fractions : Float_Array := [for X in 1 .. 10 => 1.0 / Float (X)];
Delta aggregates are a new handy feature to use when you need to create a copy of an object (array or record) with just a few modifications. You take a reference value and then you name the components you want to modify.
type Location is record
X, Y, Z : Float;
end record;
Point : constant Location := (X => 1.0, Y => 2.0, Z => 3.0);
Projection : constant Location := (Point with delta Z => 0.0);
type Vector_3D is array (1 .. 3) of Float;
Point_3D : constant Vector_3D := [1.0, 2.0, 3.0];
Projection_3D : constant Vector_3D := [Point_3D with delta 3 => 0.0];
A target name symbol “@” has been defined; it can be added on the right hand side of an assignment statement, and the symbol acts as the equivalent of the name on the left hand side, helping to make the statement shorter. You can even use it more than once in the same statement.
Point.Z := @ ** 2 + @;
Conditional when constructs have been extended to all control-flow related statements (quantified expressions, ) and not only to exit statements, entry bodies, and select statements.
(for some X in 2 .. N when X * X <= N => N mod X = 0)
return True when I = 0;
goto Cleanup when Found;
raise Error when Result < 0;
As a GNAT Pro language extension, and not (yet) in Ada, a special syntax for string literals supporting "string interpolation" (similar to what is provided in other languages like Python and Rust) allows expressions to be given directly within a string literal, and the values of the expressions are "interpolated" directly into the value of the enclosing string at run time.
procedure Print_Score (Name: String; N1, N2: Integer) is
begin
Put_Line (f"Average for {Name} is {(N1 + N2) / 2}.");
end Print_Score;
Conclusion
This post has summarized some of the exciting new capabilities that will be supported by GNAT Pro in coming releases. A longer term and more exhaustive roadmap for AdaCore products can be found in the public roadmap for AdaCore products.
AdaCore customers should not hesitate to download the forthcoming GNAT Pro releases and ask us how to use any of their features and tools. And tell us what you like and any suggested improvements to the ecosystem.