FAA-Qualifiable Ada Subset Compiler
V. Santhanam, Boeing
Agenda
• Problem statement
• Qualifying a compiler
• The subset
• Compiler architecture
• Verifying the compiler
• Conclusion
Problem Statement
• FAA certification of software: levels of criticality
  • Level A (catastrophic failure)
  • Level B (hazardous / severe-major failure)
  • Level C (major failure)
  • Level D (minor failure)
• DO-178B is the de facto standard for FAA certification
Problem Statement
• The cost of software certification climbs rapidly with complexity and level of criticality
• Software written in a high-order language (HOL) is often verified only at the source level
• For the highest level of criticality, DO-178B calls for verification at the level of the loaded object code
• Qualifying the tools that transform the source code into a load image can significantly reduce the cost of certification
Qualifying a Compiler
• Qualifying a tool means obviating the need to verify its output
• Qualifying a compiler suite means being able to trust the load image if the source program can be trusted
• Software verification can then be aimed entirely at the source program
• Results and coverage at the source program translate to results and coverage of the object program
Qualifying a Compiler
• To be able to take credit for source-level verification at the object level, the compiler suite
  • Must be deterministic
  • Must map source code to object code in a direct, context-independent manner
  • Must not include extraneous or unreachable code
Qualifying a Compiler
• To achieve FAA qualification as a code development tool, the suite must be
  • Developed using a DO-178B compliant software development process
  • Documented to the DO-178B standard
  • Tested to the same DO-178B standard applicable to the level of software it is intended to compile
• A typical COTS compiler meets none of the above criteria
The Subset
• The decision to build a compiler for a subset of Ada was based on several factors
  • Ada is widely recognized as a "safe" language
  • We had experience building compilers and analysis front-ends for Ada
  • We had experience with large safety-critical systems developed in Ada
  • We had helped define subset restrictions suitable for safety-critical applications and filter software against them
The Subset
• The subset was driven by four ground rules
  • The compiler must be written in under 50,000 lines of Ada
  • The subset must be suitable for up to medium-sized (< 100,000 SLOC) applications
  • The subset must incorporate the most common restrictions placed on safety-critical software
  • The subset may not extend or alter the syntax or the semantics of Ada
The Subset
• The decision to keep or leave out a feature was based on its "score" on four factors
  • Complexity it added to the compiler
  • Need for it in small-to-medium-sized high-integrity embedded applications
  • Availability of alternatives
  • Desirability for high-integrity applications
The Subset
• The choice was a subset of Ada 95 roughly equivalent to Ada 83
  • No tasking
  • No generics
  • No OO features
  • No subunits or child units
  • No run-time memory management
  • No user overloading
  • Limited nesting
The Subset
• Some of the Ada 95 additions are retained
  • Modular (unsigned) integer types
  • Access to subprograms and global data
  • Use type clause (no package use clause)
  • Aliasing of objects (address clause)
Compiler Architecture
• The compiler architecture is atypical
  • Performs virtually no optimizations
  • Enforces safe coding standards as if they were language semantics
  • Designed for testability, not performance
• Written in a portable subset of Ada
  • Compiled with no optimizations
  • All run-time checks on
  • Liberal use of assertions
The Zbra Compiler Suite (diagram): Zbra source code → Zbra Compiler (Zcmp) → Zbra assembly code → Zbra Assembler (Zasm) → byte code (Z-code) → Zbra Linker (Zvml), together with other Z-code files → Z-code executable → Zbra Virtual Machine Interpreter (ZVM) → Target Machine (the diagram also carries a "Native code" label).
Compiler Architecture
• The compiler targets a virtual machine
  • The stack-based VM supports Ada operations directly
  • The VM facilitates a direct source-to-object mapping
  • The VM allows execution profiling without source code changes or a different compilation mode
  • The VM facilitates application portability
  • The VM serves as the run-time support layer
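The following is an added illustration of the properties the slides tie to the architecture (the qualification criteria "deterministic, direct, context-independent mapping", coding standards enforced as language rules, run-time checks always on, and profiling inside the VM). It is not the Zbra suite's code; it is a toy Python compiler for a constructed, Ada-flavoured statement language of the example's own making: ranged Integer variables, assignments whose right-hand side is one operand or one binary operation, no `new` allocator, names declared before use. The language, the instruction set and the sample program are all assumptions made for the example.

```python
import re

class SubsetError(Exception): """Construct rejected at compile time as outside the subset."""
class ConstraintError(Exception): """Run-time range check failure (Ada's Constraint_Error)."""

_DECL = re.compile(r"^(\w+)\s*:\s*Integer\s+range\s+(-?\d+)\s*\.\.\s*(-?\d+)\s*:=\s*(.+);$", re.I)
_ASSIGN = re.compile(r"^(\w+)\s*:=\s*(.+);$")
_OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}  # division left out

def tokenize(text):
    toks = re.findall(r"\d+|[A-Za-z_]\w*|[-+*]|\S", text)           # \S catches stray characters
    bad = [t for t in toks if not re.fullmatch(r"\d+|[A-Za-z_]\w*|[-+*]", t)]
    if bad:
        raise SubsetError(f"unexpected character {bad[0]!r} in {text.strip()!r}")
    return toks

def compile_expr(rhs, line, declared):
    """operand | operand op operand: the constructed subset allows no deeper nesting."""
    toks = tokenize(rhs)
    if len(toks) not in (1, 3) or (len(toks) == 3 and toks[1] not in _OPS):
        raise SubsetError(f"line {line}: {rhs.strip()!r} is more complex than the subset allows")
    code = []
    for tok in toks[::2]:                                             # the operands
        if tok.isdigit():
            code.append((line, "PUSH", int(tok)))
        elif tok.lower() == "new":                                    # no run-time memory management
            raise SubsetError(f"line {line}: allocator 'new' is outside the subset")
        elif tok.lower() in declared:
            code.append((line, "LOAD", tok.lower()))
        else:
            raise SubsetError(f"line {line}: {tok!r} is not a declared variable")
    if len(toks) == 3:
        code.append((line, toks[1], None))                            # binary operator
    return code

def compile_program(source):
    """One fixed instruction sequence per statement, tagged with its source line; no optimisation."""
    code, ranges = [], {}
    for lineno, raw in enumerate(source.splitlines(), 1):
        stmt = raw.split("--")[0].strip()                             # drop Ada-style comments
        if not stmt:
            continue
        if m := _DECL.match(stmt):
            name, rhs, bounds = m.group(1).lower(), m.group(4), (int(m.group(2)), int(m.group(3)))
            if name in ranges:
                raise SubsetError(f"line {lineno}: {name} declared twice")
        elif m := _ASSIGN.match(stmt):
            name, rhs, bounds = m.group(1).lower(), m.group(2), None
            if name not in ranges:
                raise SubsetError(f"line {lineno}: assignment to undeclared {name}")
        else:
            raise SubsetError(f"line {lineno}: statement not in subset: {stmt!r}")
        code.extend(compile_expr(rhs, lineno, ranges))               # rhs compiled before the name exists
        if bounds is not None:
            ranges[name] = bounds
        code.append((lineno, "STORE", name))
    return code, ranges

def run(code, ranges, profile=None):
    """Execute stack code; STORE always range-checks. A dict `profile` collects per-line statement counts."""
    stack, env = [], {}
    for line, op, arg in code:
        if op == "PUSH":
            stack.append(arg)
        elif op == "LOAD":
            stack.append(env[arg])
        elif op == "STORE":
            value, (lo, hi) = stack.pop(), ranges[arg]
            if not lo <= value <= hi:                                 # the range check, never compiled out
                raise ConstraintError(f"line {line}: {arg} := {value} is outside {lo} .. {hi}")
            env[arg] = value
            if profile is not None:                                   # one STORE per statement
                profile[line] = profile.get(line, 0) + 1
        else:
            b, a = stack.pop(), stack.pop()
            stack.append(_OPS[op](a, b))
    return env

def check(source):
    """Compile and run: ("rejected", msg) | ("trapped", msg) | ("ok", env, profile)."""
    try:
        code, ranges = compile_program(source)
        profile = {}
        return ("ok", run(code, ranges, profile), profile)
    except SubsetError as e:
        return ("rejected", str(e))
    except ConstraintError as e:
        return ("trapped", str(e))

SAMPLE = """\
X : Integer range 0 .. 100 := 5;   -- constructed sample program
X := X + 7;
Y : Integer range 0 .. 1000 := X * 3;
"""

if __name__ == "__main__":
    for instr in compile_program(SAMPLE)[0]:
        print(instr)
    print(check(SAMPLE))                                              # ('ok', {'x': 12, 'y': 36}, {1: 1, 2: 1, 3: 1})
```

Three things to notice when running it: the statement `X := X + 7;` compiles to the same four instructions wherever it appears, which is what lets a test's source-level coverage stand in for object-level coverage; the range check lives in STORE and cannot be optimised away; and the execution profile is a side table keyed by source line, gathered by the VM without recompiling or instrumenting the program.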
Verifying the Compiler
• Qualification as a Level A code development tool per DO-178B calls for
  • Requirements-based testing
  • Achieving maximum structural coverage through requirements-based testing
  • Augmenting with module tests to achieve 100% structural coverage
Verifying the Compiler
• Requirements-based testing
  • All applicable ACVC (Ada Compiler Validation Capability) tests are included
    • 562 tests were determined to be applicable
  • Supplemented with architecture-specific tests
    • 116 tests
  • A growing suite of "regression tests"
    • 106 tests to date
Verifying the Compiler
• Module tests are employed only
  • Where requirements-based tests leave coverage deficiencies
  • When code is unreachable otherwise
Verifying the Compiler
• Additional means of verification planned
  • The compiler itself is to be compiled using two independent Ada compilers
    • All requirements-based tests are to be run on both versions of the compiler
  • At least one Level A system will be constructed and deployed using the conventional verification process
    • This will serve to provide service history
Conclusion
• We have
  • Demonstrated that it is possible to build a qualifiable compiler for a useful subset of Ada
  • Complemented COTS technology with a unique product that fills a serious void
  • Raised the bar on how safety-critical systems ought to be built
  • Provided a means by which software verification costs can be contained
FAA-Qualifiable Compiler
Questions?