FAA-Qualifiable Ada Subset Compiler V. Santhanam Boeing

Agenda Problem statement Problem statement Qualifying a compiler Qualifying a compiler The subset The subset Compiler architecture Compiler architecture Verifying the compiler Verifying the compiler Conclusion Conclusion

Problem Statement FAA certification of softwarelevels of criticality FAA certification of softwarelevels of criticality –Level A (catastrophic failure) –Level B (severe failure) –Level C (major failure) –Level D (minor failure) DO-178B is the de facto standard for FAA certification DO-178B is the de facto standard for FAA certification

Problem Statement Cost of software certification climbs rapidly with complexity and level of criticality Cost of software certification climbs rapidly with complexity and level of criticality –Software written in a HOL is often verified only at the source level –For highest level of criticality, DO-178B calls for verification at the loaded object code level –Qualifying the tools that transform the source code into a load image can significantly reduce the cost of certification

Qualifying a Compiler Qualifying a tool means obviating the need to verify its output Qualifying a tool means obviating the need to verify its output –Qualifying a compiler suite means being able to trust the load image if the source program can be trusted –Software verification can be aimed entirely at the source program –Results and coverage at the source program translate to results and coverage of the object program

Qualifying a Compiler To be able to take credit for source level verification at the object level, the compiler suite To be able to take credit for source level verification at the object level, the compiler suite –Must be deterministic –Must map source code to object in a direct, context-independent manner –Must not include extraneous or unreachable code

Qualifying a Compiler To achieve FAA qualification as a code development tool, the suite must be To achieve FAA qualification as a code development tool, the suite must be –Developed using DO-178B compliant software development process –Documented to DO-178B standard –Tested to same DO-178B standard applicable to the level of software it is intended to compile A typical COTS compiler meets none of the above criteria A typical COTS compiler meets none of the above criteria

The Subset Decision to build a compiler for a subset of Ada was based on several factors Decision to build a compiler for a subset of Ada was based on several factors –Ada is widely recognized as a safe language –We had experience building compilers and analysis front-ends for Ada –We had experience with large safety-critical systems developed in Ada –We had helped define and filter software for subset restrictions suitable for safety critical applications

The Subset The subset was driven by four ground rules The subset was driven by four ground rules –The compiler must be written in under 50,000 lines of Ada –The subset must be suitable for up to medium- sized (< 100,000 SLOC) applications –The subset must incorporate the most common restrictions placed on safety critical software –The subset may not extend or alter the syntax or the semantics of Ada

The Subset Decision to keep or leave out a feature was made based on its score on four factors Decision to keep or leave out a feature was made based on its score on four factors –Complexity it added to the compiler –Need for it in small-to-medium sized high- integrity embedded applications –Availability of alternatives –Desirability for high-integrity applications

The Subset The choice was a subset of Ada 95 roughly equivalent to Ada 83 The choice was a subset of Ada 95 roughly equivalent to Ada 83 –No tasking –No generics –No OO features –No subunits or child units –No run-time memory management –No user overloading –Limited nesting

The Subset Some of the Ada 95 additions are retained Some of the Ada 95 additions are retained –Modular (unsigned) integer types –Access to subprograms, global data –Use type clause (no package use clause) –Aliasing of objects (address clause)

Compiler Architecture Compiler architecture is untypical Compiler architecture is untypical –Performs virtually no optimizations –Enforces safe coding standards as if they were language semantics –Designed for testability, not performance –Written in a portable subset of Ada –Compiled with no optimizations –All run-time checks on –Liberal use of assertions

The Zbra Compiler Suite Zbra Source code Zbra Compiler (Zcmp) Zbra Assembly code Other Z-code files Zbra Assembler (Zasm) Byte code (Z-code) Zbra Linker (Zvml) Zbra Compiler Suite Z-code executable Zbra Virtual Machine Interpreter (ZVM) Target Machine Native code

Compiler Architecture Compiler targets to a virtual machine Compiler targets to a virtual machine –Stack-based VM supports Ada operations directly –VM facilitates direct source-to-object mapping –VM allows execution profiling without source code changes or a different compilation mode –VM facilitates application portability –VM serves as the run-time support layer

Verifying the Compiler Qualification as a level A code development tool per DO-178B calls for Qualification as a level A code development tool per DO-178B calls for –Requirements-based testing –Achieving maximum structural coverage through requirements-based testing –Augmenting with module tests to achieve 100% structural coverage

Verifying the Compiler Requirements-based testing Requirements-based testing –All applicable ACVC tests are included »562 tests were determined to be applicable –Supplemented with architecture specific tests »116 tests –A growing suite of regression tests »106 tests to date

Verifying the Compiler Module tests are employed only Module tests are employed only –Where requirements-based tests leave coverage deficiencies –When code is unreachable otherwise

Verifying the Compiler Additional means of verification planned Additional means of verification planned –Compiler itself is to be compiled using two independent Ada compilers –All requirements-based tests are to be run on both versions of the compiler –At least one Level A system will be constructed and deployed using conventional verification process »Will serve to provide service history

Conclusion We have We have –Demonstrated that it is possible to build a qualifiable compiler for a useful subset of Ada –Complemented the COTS technology with a unique product that fills a serious void –Raised the bar on how safety critical systems ought to be built –Provided a means by which software verification costs can be contained

FAA-Qualifiable Compiler Question?