FAA-Qualifiable Ada Subset Compiler V. Santhanam Boeing.


1 FAA-Qualifiable Ada Subset Compiler
V. Santhanam, Boeing

2 Agenda
– Problem statement
– Qualifying a compiler
– The subset
– Compiler architecture
– Verifying the compiler
– Conclusion

3 Problem Statement
FAA certification of software: levels of criticality
– Level A (catastrophic failure)
– Level B (severe failure)
– Level C (major failure)
– Level D (minor failure)
DO-178B is the de facto standard for FAA certification

4 Problem Statement
Cost of software certification climbs rapidly with complexity and level of criticality
– Software written in a HOL is often verified only at the source level
– For the highest level of criticality, DO-178B calls for verification at the loaded object code level
– Qualifying the tools that transform the source code into a load image can significantly reduce the cost of certification

5 Qualifying a Compiler
Qualifying a tool means obviating the need to verify its output
– Qualifying a compiler suite means being able to trust the load image if the source program can be trusted
– Software verification can then be aimed entirely at the source program
– Results and coverage obtained on the source program translate to results and coverage of the object program

6 Qualifying a Compiler
To be able to take credit for source-level verification at the object level, the compiler suite
– Must be deterministic
– Must map source code to object code in a direct, context-independent manner
– Must not include extraneous or unreachable code

7 Qualifying a Compiler
To achieve FAA qualification as a code development tool, the suite must be
– Developed using a DO-178B compliant software development process
– Documented to the DO-178B standard
– Tested to the same DO-178B standard applicable to the level of software it is intended to compile
A typical COTS compiler meets none of the above criteria

8 The Subset
The decision to build a compiler for a subset of Ada was based on several factors
– Ada is widely recognized as a safe language
– We had experience building compilers and analysis front-ends for Ada
– We had experience with large safety-critical systems developed in Ada
– We had helped define subset restrictions suitable for safety-critical applications and filter software for compliance with them

9 The Subset
The subset was driven by four ground rules
– The compiler must be written in under 50,000 lines of Ada
– The subset must be suitable for up to medium-sized (< 100,000 SLOC) applications
– The subset must incorporate the most common restrictions placed on safety-critical software
– The subset may not extend or alter the syntax or the semantics of Ada

10 The Subset
The decision to keep or leave out a feature was based on its score on four factors
– Complexity it added to the compiler
– Need for it in small-to-medium sized high-integrity embedded applications
– Availability of alternatives
– Desirability for high-integrity applications

11 The Subset
The choice was a subset of Ada 95 roughly equivalent to Ada 83
– No tasking
– No generics
– No OO features
– No subunits or child units
– No run-time memory management
– No user overloading
– Limited nesting

12 The Subset
Some of the Ada 95 additions are retained
– Modular (unsigned) integer types
– Access to subprograms and global data
– Use type clause (no package use clause)
– Aliasing of objects (address clause)

13 Compiler Architecture
The compiler architecture is atypical
– Performs virtually no optimizations
– Enforces safe coding standards as if they were language semantics
– Designed for testability, not performance
– Written in a portable subset of Ada
– Compiled with no optimizations
– All run-time checks on
– Liberal use of assertions
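The retained Ada 95 features on slide 12 and the checks-on policy on slide 13, in an added example that is not the presentation's or Boeing's code: a unit written inside the described subset (no tasking, generics, OO, child units or heap use), assumed to be built with GNAT on a little-endian target with run-time checks on; all names are assumed.

```ada
-- Added example, not from the presentation: a unit inside the described subset
-- (no tasking, generics, OO, child units or heap), using retained Ada 95 features.
with Ada.Text_IO;
procedure Subset_Demo is
   -- Modular (unsigned) type: arithmetic wraps modulo 2**16 and never raises
   -- Constraint_Error, so overflow has to be reasoned about explicitly.
   type Word16 is mod 2 ** 16;
   -- Constrained signed subtype: with checks on, leaving the range raises
   -- Constraint_Error at run time instead of producing a silent bad value.
   subtype Altitude_Ft is Integer range -1_000 .. 60_000;
   -- "use type" gives visibility of operators without a package use clause.
   package Counters is
      type Tick is mod 2 ** 8;
   end Counters;
   use type Counters.Tick;
   -- Access-to-subprogram: a statically bound callback instead of OO dispatch.
   type Handler is access procedure (Value : in Word16);
   procedure Show (Value : in Word16) is
   begin
      Ada.Text_IO.Put_Line ("word =" & Word16'Image (Value));
   end Show;
   On_Value : constant Handler := Show'Access;
   -- Aliasing with an address clause: a bit-field view overlaid on a raw word
   -- (bit 0 is the least significant bit on a little-endian target).
   type Status_Bits is record
      Power_On : Boolean;
      Fault    : Boolean;
   end record;
   for Status_Bits use record
      Power_On at 0 range 0 .. 0;
      Fault    at 0 range 1 .. 1;
   end record;
   Raw    : Word16 := 16#0003#;
   Status : Status_Bits;
   for Status'Address use Raw'Address;
   pragma Import (Ada, Status);   -- overlay must not be default-initialized
   W   : Word16 := Word16'Last;
   T   : Counters.Tick := Counters.Tick'Last;
   Alt : Altitude_Ft := Altitude_Ft'Last;
begin
   W := W + 1;                    -- wraps to 0, no exception
   On_Value (W);
   T := T + 1;                    -- wraps to 0; "+" visible via use type
   Ada.Text_IO.Put_Line ("power_on=" & Boolean'Image (Status.Power_On)
                         & " fault=" & Boolean'Image (Status.Fault));
   Alt := Alt + 1;                -- range check fails: Constraint_Error
exception
   when Constraint_Error =>
      Ada.Text_IO.Put_Line ("range check fired on Altitude_Ft");
end Subset_Demo;
```

The contrast between the silently wrapping modular types and the checked signed subtype is the point: the subset keeps unsigned arithmetic, so bounds on modular values must be enforced in source, where the verification credit is taken.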

14 The Zbra Compiler Suite
[Diagram: tool chain] Zbra source code → Zbra Compiler (Zcmp) → Zbra assembly code → Zbra Assembler (Zasm) → byte code (Z-code); Z-code files, together with other Z-code files → Zbra Linker (Zvml) → Z-code executable → Zbra Virtual Machine Interpreter (ZVM) → target machine native code.

15 Compiler Architecture
The compiler targets a virtual machine
– The stack-based VM supports Ada operations directly
– The VM facilitates direct source-to-object mapping
– The VM allows execution profiling without source code changes or a different compilation mode
– The VM facilitates application portability
– The VM serves as the run-time support layer

16 Verifying the Compiler
Qualification as a Level A code development tool per DO-178B calls for
– Requirements-based testing
– Achieving maximum structural coverage through requirements-based testing
– Augmenting with module tests to achieve 100% structural coverage

17 Verifying the Compiler
Requirements-based testing
– All applicable ACVC tests are included
  » 562 tests were determined to be applicable
– Supplemented with architecture-specific tests
  » 116 tests
– A growing suite of regression tests
  » 106 tests to date

18 Verifying the Compiler
Module tests are employed only
– Where requirements-based tests leave coverage deficiencies
– When code is unreachable otherwise

19 Verifying the Compiler
Additional means of verification planned
– The compiler itself is to be compiled using two independent Ada compilers
– All requirements-based tests are to be run on both versions of the compiler
– At least one Level A system will be constructed and deployed using the conventional verification process
  » Will serve to provide service history

20 Conclusion
We have
– Demonstrated that it is possible to build a qualifiable compiler for a useful subset of Ada
– Complemented the COTS technology with a unique product that fills a serious void
– Raised the bar on how safety-critical systems ought to be built
– Provided a means by which software verification costs can be contained

21 FAA-Qualifiable Compiler
Questions?

