Presentation is loading. Please wait.

Presentation is loading. Please wait.

Quentin Ochem AdaCore.  Complex software are filled with bugs  OS (windows, linux, macosx…)  Webservers  Office suites  Video games  …  And in.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Quentin Ochem AdaCore.  Complex software are filled with bugs  OS (windows, linux, macosx…)  Webservers  Office suites  Video games  …  And in."— Presentation transcript:

1 Quentin Ochem AdaCore

2

3  Complex software are filled with bugs  OS (windows, linux, macosx…)  Webservers  Office suites  Video games  …  And in most cases, bugs are OK  Reboot the system  Get an updated version  Workaround  Live with it

4  In certain cases, bugs are not OK  They may kill people (aircraft, train, missile, medical devices…)  They may lose money (bank…)  They may fail to achieve a critical mission (secure a top secret facility…)  When bugs are detected, it’s often too late  People die  Money is lost  Security is breached

5  Every Industry has its own standard  “Framework”IEC 61 508  Avionics ED 12B / DO 178B  MilitaryDEF STAN 00-56  Railroad EN 50128  Automotive ISO 2626-2  SpaceECCS-Q-ST-80C  Medical DevicesIEC 62 304  They rely on similar principles

6  The activities to be performed depend on the SW criticality level  DO-178C – level A(Catastrophic)  Failures will likely cause multiple casualties, or crash the airplane  DO-178C – level B(Hazardous/Severe)  Failure will largely reduce the plane safety margin, or cause casualties to people other than the flight crew  DO-178C – level C(Major)  Failure will significantly reduce the plane safety margin, or cause distress to people other than the flight crew  DO-178C – level D(Minor)  Failure will slightly reduce the plane safety or discomfort to passengers of cabin crew  DO-178C – Level E(No Effect)  Failure will have no effect for safety

7  The development is organized through processes  Each process describes  Objectives  Activites ObjectiveActivityApplicabilityOutputControl Category ABCDABCD Test coverage of Software Structure Is achieved 6.4.4.2.a 6.4.4.2.b 6.4.4.2.d Software Verification Results 222

8  “Just” reasonable development process…  Specify requirements  Implement only requirements  Test  Verify tests  Reviews  Control the development process  … but now this process is checked and validated  That’s the certification process

9  Certify the process (e.g. DO-178B)  We can’t prove how good is the software  Let’s show how hard we tried  Certify the product (e.g. DEF-STAN 00-56)  Through “safety cases”  Demonstrate absence of identified vulnerabilities

10  Certifying is expensive  Proof must be written for all activities  The software must be tested entirely with regards to  Functionalities  Robustness  All development artifact must be traceable (justifiable, explainable)

11  Certification authorities are responsible for checking that the process is followed  They’re not checking directly the quality of the software  The applicant and the authorities iterates and discuss various solutions followed to implement the standard  Things are not fixed – new techniques can be used

12  The code is smaller and more expensive to write  A typical engineer write 1 line of code per day on average  Not everything can be certified  Non-deteministic behaviors are out of the scope  Not everything needs to be certified  On a system, certain parts of the software are critical, others aren’t (e.g. entertainment system)

13  Is the OS certified?  Is the Run-Time certified?  What guarantees on the compiler?  What guarantees on the tools?  What else runs on the platform?

14

15  Defines and refines what the system should do  High Level Requirements (close to the « human » understanding)  Low Level Requirements (close to the code)  As of today, this is the part that is the most error prone

16  Implements requirements  Must be verifiable  “Easy” part  Some (very rough) statistics  1 line of code per day per developer  1 line of code per 10 lines of test

17  Manual Reviews  Unit and Functional Testing  Dynamic analysis  Static analysis

18 Test procedures Code / Test Cases Low level Requirements High Level Requirements HR1LL1C1C2TC1TP1TP2LL2

19 DesignReviewReview CheckRequirementsReviewReview CheckCodeReviewReview CheckVerificationReviewReview Check

20 DesignReviewReview CheckRequirementsReviewReview CheckCodeReviewReview CheckVerificationReviewReview Check

21

22  Integration Testing  Test the software in the final environment  Functional Testing - “Black Box”  Test high level functionalities  Unit Testing “White Box”  Test software entities without considering the final purpose

23  “High level errors”  Design Errors  Algorithmic errors  “Low level errors”  Non-initialized variables  Infinite loops  Dead code  Stack overflow  Race conditions  Any kind of Run-Time errors (exceptions)

24  How to ensure that all the code is actually tested?  How to ensure that all the code is testing the requirements?  Coverage verifications checks that all the code is exercised, and that no unintended function is left

25  Statement Coverage  Decision Coverage  Condition Coverage if A = 0 or else B = 0 then P1; end if; else null;

26  Coverage by code instrumentation  The code tested is not the code deployed  Needs memory on the board to store results  Coverage by target single-stepping  Very slow  Coverage by emulator instrumentation  Do not test the real board

27  Embedded software may have a limited amount of memory  Need to check the appropriate stack usage  By testing (if it crashes, let’s double it)  By post-mortem introspection (if it’s close to crash, let’s double it)  By static analysis

28  Computes the tree of calls  Can’t handle recursively  Can’t handle external calls  Can’t handle indirect calls  Computes the size of each frame  Can’t handle dynamic frames  Combine both information for determining the worst stack consumption

29

30  Worst time execution timing must be computed …  … but is extremely hard to prove  Done by testing  Done by model checking  Requires predictable architecture (no cache, no branch heuristic…)

31  Concurrent behavior must be deterministic  Concurrent programming tends to be non- deterministic  Needs  Modeling technologies  Deterministic models (Ravenscar)

32

33  Constant naming / formatting  Avoid ambiguous features  Force comments

34  Pointers  Recursivity  Indirect calls  Exceptions

35 float * compute (int * tab, int size) { float tab2 [size]; float * result; for (int j = 0; j <= size; ++j) { tab [j] = tab2 [j] / 10; } result = tab2; return result; }

36 type Int_Array is array (Integer range <>) of Integer; type Float_Array is array (Integer range <>) of Float; function Compute (Tab : Int_Array) return Float_Array is Tab2 : Float_Array (Tab’Range); begin for J in Tab’Range loop Tab (J) := Tab2 (J) / 10; end loop; declare Result : Float_Array := Tab2; begin return Result; end; end Compute;

37

38  Formal Methods  Object Orientation  Modeling  Outsourcing

39  Cover various areas  Static analysis  Dynamic analysis  Test support  Requirement management  Traceability management  Version control systems  Code generators  Typically two different kind  Verification tools  Development tools  Tool Qualification or certification often required

40  Determines the complexity of the tools to write  Programming languages  Ada  Java  C/C++  Domain specific languages (DSL)  SCADE  Simulink  MARTE

41

42  Certifying SW is expensive  … but Certifying SW is necessary  Tools developed for certification can be pragmatically used for “regular” SW

Download ppt "Quentin Ochem AdaCore.  Complex software are filled with bugs  OS (windows, linux, macosx…)  Webservers  Office suites  Video games  …  And in."

Similar presentations

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.

CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.
Building Reliable Software Requirements and Methods.

Building Reliable Software Requirements and Methods.
Reasons to study concepts of PL

Reasons to study concepts of PL
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.

1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
1 Security Architecture and Analysis Software Inspections and Verification Software Testing and Certification.

1 Security Architecture and Analysis Software Inspections and Verification Software Testing and Certification.
Describing Syntax and Semantics

Describing Syntax and Semantics
CS4723 Software Validation and Quality Assurance Lecture 02 Overview of Software Testing.

CS4723 Software Validation and Quality Assurance Lecture 02 Overview of Software Testing.
Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.

Scalable and Flexible Static Analysis of Flight-Critical Software Guillaume P. Brat Arnaud J. Venet Carnegie.
Data Structures and Programming.  John Edgar2.

Data Structures and Programming.  John Edgar2.
Industrial practice on mixed-criticality engineering and certification in the aerospace industry 2013-03-22 DATE 2013 / WICERT 2013.

Industrial practice on mixed-criticality engineering and certification in the aerospace industry DATE 2013 / WICERT 2013.
JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.

JAVA v.s. C++ Programming Language Comparison By LI LU SAMMY CHU By LI LU SAMMY CHU.
Www.adacore.com A Pragmatic View of Formal Methods The Hi-Lite Project Robert B K Dewar SSS ‘11 President & CEO, AdaCore Emeritus Professor of Computer.

A Pragmatic View of Formal Methods The Hi-Lite Project Robert B K Dewar SSS ‘11 President & CEO, AdaCore Emeritus Professor of Computer.
Language Evaluation Criteria

Language Evaluation Criteria
System/Software Testing

System/Software Testing
Testing. Definition From the dictionary- the means by which the presence, quality, or genuineness of anything is determined; a means of trial. For software.

Testing. Definition From the dictionary- the means by which the presence, quality, or genuineness of anything is determined; a means of trial. For software.

Similar presentations

Ads by Google