Formal Aspects of Computing

, Volume 25, Issue 1, pp 37–57 | Cite as

The Safety-Critical Java memory model formalised

  • Ana Cavalcanti
  • Andy Wellings
  • Jim WoodcockEmail author
Original Article


Safety-Critical Java (SCJ) is a version of Java for real-time programming, restricted to facilitate certification of implementations of safety-critical systems. Its development is the result of an international effort involving experts from industry and academia. What we provide here is, as far as we know, the first formalisation of the SCJ model of memory regions. We use Hoare and He’s unifying theories of programming (UTP), enabling the integration of our theory with refinement models for object orientation and concurrency. In developing the SCJ theory, we also make a contribution to UTP by providing a general theory of invariants (an instance of which is used in the SCJ theory). The results presented here are a first essential ingredient to formalise the novel programming paradigm embedded in SCJ, and enable the justification and development of formal reasoning techniques based on refinement.


Safety-Critical Java Memory safety Semantics Unifying theories of programming Integration Refinement 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Bar03.
    Barnes J (2003) High integrity software: the SPARK approach to safety and security. Addison-Wesley, BostonGoogle Scholar
  2. Bar05.
    Barnes J (2005) Programming in Ada 95. Addison-Wesley, BostonGoogle Scholar
  3. Bur+05.
    Burdy L et al (2005) An overview of JML tools and applications. Softw Tools Technol Transf 7(3): 212–232CrossRefGoogle Scholar
  4. Bur99.
    Burns A (1999) The Ravenscar profile. Ada Lett XIX (4):49–52. ACM, New YorkGoogle Scholar
  5. CHW06.
    Cavalcanti ALC, Harwood W, Woodcock JCP (2006) Pointers and records in the unifying theories of programming. In: Dunne S, Stoddart B (eds) UTP symposium. Lecture notes in computer science, vol 4010. Springer, Berlin, pp 200–216Google Scholar
  6. CS06.
    Chen Y, Sanders J (2006) Compositional reasoning for pointer structures. In: Mathematics of program construction. Lecture notes in computer science, vol 4014. Springer, Berlin, pp 115–139Google Scholar
  7. CWW11.
    Cavalcanti A, Wellings AJ, Woodcock J (2011) The Safety-Critical Java memory model: a formal account. In: Butler M, Schulte W (eds) Proceedings FM 2011: 17th international symposium on formal methods. Lecture notes in computer science, vol 6664. Springer, Berlin, pp 246–261Google Scholar
  8. HCW08.
    Harwood W, Cavalcanti ALC, Woodcock JCP (2008) A theory of pointers for the UTP. In: Fitzgerald JS, Haxthausen AE, Yenigun H (eds) ICTAC08: theoretical aspects of computing. Lecture notes in computer science, vol 5160. Springer, Berlin, pp 141–155Google Scholar
  9. HH03.
    Hoare CAR, He J (2003) A trace model for pointers and objects. In: Programming methodology. Springer, Berlin, pp 223–245Google Scholar
  10. HH98.
    Hoare CAR, He J (1998) Unifying theories of programming. Prentice-Hall, Eaglewoods CliffsGoogle Scholar
  11. HHL10.
    Haddad G, Hussain F, Leavens GT (2010) The design of SafeJML, a specification language for SCJ with support for WCET specification. 8th international workshop on Java technologies for real-time and embedded systems. ACM, New YorkGoogle Scholar
  12. Hat95.
    Hatton L, Safer C (1995) Developing software in high integrity and safety-critical systems. McGraw-Hill, New YorkGoogle Scholar
  13. He07.
    He J (2007) UTP semantics for web services. In: Davies J, Gibbons J (eds) Integrated formal methods. Lecture notes in computer science, vol 4591. Springer, Berlin, pp 353–372Google Scholar
  14. MIS07.
    MISRA (2007) Motor Industry Software Reliability Association. In: MISRA AC INT: introduction to the MISRA guidelines for the use of automatic code generation in automotive systems. ISBN: 978-906400-00-2Google Scholar
  15. OCW09.
    Oliveira MVM, Cavalcanti ALC, Woodcock JCP (2009) A UTP semantics for Circus. Formal Aspects Comput 21(1–2): 3–32zbMATHCrossRefGoogle Scholar
  16. SCJDraft.
    Locke D, Andersen BS, Brosgol B, Fulton M (2010) Safety Critical Java specification, first release 0.76, The Open Group, 2010, UK.
  17. SCJS10.
    Sherif A, Cavalcanti ALC, He J, Sampaio ACA (2010) A process algebraic framework for specification and validation of real-time systems. Formal Aspects Comput 22(2): 153–191zbMATHCrossRefGoogle Scholar
  18. SCS06.
    Santos TLVL, Cavalcanti ALC, Sampaio ACA (2006) Object orientation in the UTP. In: Dunne S, Stoddart B (eds) Unifying theories of programming. Lecture notes in computer science, vol 4010. Springer, Berlin, pp 18–37Google Scholar
  19. TPV10.
    Tang D, Plsek A, Vitek J (2010) Static checking of Safety Critical Java annotations. In: 8th international workshop on Java technologies for real-time and embedded systems. ACM, New YorkGoogle Scholar
  20. Ven07.
    Venners B (2007) Inside the Java virtual machine.
  21. Wel04.
    Wellings A (2004) Concurrent and real-time programming in Java. Wiley, New YorkGoogle Scholar
  22. WK11.
    Wellings A, Kim M (2011) Asynchronous event handling and Safety Critical Java. In: Concurrency and computation: practice and experience, vol 23. doi: 10.1002/cpe.1756

Copyright information

© British Computer Society 2012

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of YorkYorkUK

Personalised recommendations