faa-qualifiable ada subset compiler v. santhanam boeing
TRANSCRIPT
FAA-Qualifiable Ada Subset Compiler
V. Santhanam
Boeing

Agenda
Problem statement
Qualifying a compiler
The subset
Compiler architecture
Verifying the compiler
Conclusion

Problem Statement
FAA certification of software—levels of criticality
– Level A (catastrophic failure)
– Level B (severe failure)
– Level C (major failure)
– Level D (minor failure)
DO-178B is the de facto standard for FAA certification

Problem Statement
Cost of software certification climbs rapidly with complexity and level of criticality
– Software written in a HOL is often verified only at the source level
– For the highest level of criticality, DO-178B calls for verification at the loaded object code level
– Qualifying the tools that transform the source code into a load image can significantly reduce the cost of certification

Qualifying a Compiler
Qualifying a tool means obviating the need to verify its output
– Qualifying a compiler suite means being able to trust the load image if the source program can be trusted
– Software verification can be aimed entirely at the source program
– Results and coverage at the source program translate to results and coverage of the object program

Qualifying a Compiler
To be able to take credit for source level verification at the object level, the compiler suite
– Must be deterministic
– Must map source code to object in a direct, context-independent manner
– Must not include extraneous or unreachable code

Qualifying a Compiler
To achieve FAA qualification as a code development tool, the suite must be
– Developed using a DO-178B compliant software development process
– Documented to DO-178B standard
– Tested to the same DO-178B standard applicable to the level of software it is intended to compile
A typical COTS compiler meets none of the above criteria

The Subset
Decision to build a compiler for a subset of Ada was based on several factors
– Ada is widely recognized as a “safe” language
– We had experience building compilers and analysis front-ends for Ada
– We had experience with large safety-critical systems developed in Ada
– We had helped define and filter software for subset restrictions suitable for safety critical applications

The Subset
The subset was driven by four ground rules
– The compiler must be written in under 50,000 lines of Ada
– The subset must be suitable for up to medium-sized (< 100,000 SLOC) applications
– The subset must incorporate the most common restrictions placed on safety critical software
– The subset may not extend or alter the syntax or the semantics of Ada

The Subset
Decision to keep or leave out a feature was made based on its “score” on four factors
– Complexity it added to the compiler
– Need for it in small-to-medium sized high-integrity embedded applications
– Availability of alternatives
– Desirability for high-integrity applications

The Subset
The choice was a subset of Ada 95 roughly equivalent to Ada 83
– No tasking
– No generics
– No OO features
– No subunits or child units
– No run-time memory management
– No user overloading
– Limited nesting

The Subset
Some of the Ada 95 additions are retained
– Modular (unsigned) integer types
– Access to subprograms, global data
– Use type clause (no package use clause)
– Aliasing of objects (address clause)

Compiler Architecture
Compiler architecture is untypical
– Performs virtually no optimizations
– Enforces safe coding standards as if they were language semantics
– Designed for testability, not performance
– Written in a portable subset of Ada
– Compiled with no optimizations
– All run-time checks on
– Liberal use of assertions

The Zbra Compiler Suite
[Diagram of the tool chain: Zbra source code is read by the Zbra Compiler (Zcmp), which emits Zbra assembly code; the Zbra Assembler (Zasm) turns that into byte code (Z-code); the Zbra Linker (Zvml) combines it with other Z-code files into a Z-code executable. Zcmp, Zasm and Zvml together form the Zbra Compiler Suite. The Z-code executable is run on the target machine by the Zbra Virtual Machine Interpreter (ZVM), alongside native code.]

Compiler Architecture
Compiler targets a virtual machine
– Stack-based VM supports Ada operations directly
– VM facilitates direct source-to-object mapping
– VM allows execution profiling without source code changes or a different compilation mode
– VM facilitates application portability
– VM serves as the run-time support layer

Verifying the Compiler
Qualification as a level A code development tool per DO-178B calls for
– Requirements-based testing
– Achieving maximum structural coverage through requirements-based testing
– Augmenting with module tests to achieve 100% structural coverage

Verifying the Compiler
Requirements-based testing
– All applicable ACVC tests are included
» 562 tests were determined to be applicable
– Supplemented with architecture specific tests
» 116 tests
– A growing suite of “regression tests”
» 106 tests to date

Verifying the Compiler
Module tests are employed only
– Where requirements-based tests leave coverage deficiencies
– When code is unreachable otherwise

Verifying the Compiler
Additional means of verification planned
– Compiler itself is to be compiled using two independent Ada compilers
– All requirements-based tests are to be run on both versions of the compiler
– At least one Level A system will be constructed and deployed using a conventional verification process
» Will serve to provide service history

Conclusion
We have
– Demonstrated that it is possible to build a qualifiable compiler for a useful subset of Ada
– Complemented the COTS technology with a unique product that fills a serious void
– Raised the bar on how safety critical systems ought to be built
– Provided a means by which software verification costs can be contained

FAA-Qualifiable Compiler
Questions?