kd^x^ idjizh azh y xa^cv^hdch edhh^wazh b[i yekb[khi zk be ... › 9d20 › 5f6b55968ea7... ·...

ICFP Experience Report

Using Objective Caml to DevelopSafety-Critical Embedded Tools

in a Certification FrameworkBruno Pagano, Olivier Andrieu, Thomas Moniot,

Benjamin Canou, Emmanuel Chailloux, Philippe Wang,Pascal Manoury, Jean-Louis Colaço

Date: DEC 03, 2007Page: 1

MLcov 1.0 User Guide

This document is the property of Esterel Technologies. It shall not be communicated to a third party and/or reproduced without prior authorization, and itscontent shall not be disclosed. c� Esterel Technologies 2006-2007.

Edinburgh, September, 1st, 2009

SCADE Cxt Certif TR Concl

Plan

The SCADE Certified Software FactoryUse of O’Caml

Context: Critical SoftwareCertification in AvionicsDO-178BBenefits of Using A Certified CG

Certifying an O’Caml binaryCertifying O’Caml’s Runtime LibraryCertifying the Source CodeTraceability from Source to Binary

Timeline Report

Conclusion

EDINBURGH SEPTEMBER, 1ST, 2009 ICFP PHILIPPE WANG (UPMC/LIP6) 2/20


The SCADE Certified Software Factory

��

��

��

�� !�� "#��$��%

��

��

� ��

&��

��

�� !��"�#��"�� !��$��!�" ��"��%��&� �� !��!�� !�� "�'�� (�� )��*��+��,��-��

��

��

�� !��!�"#�$�� (��"��!�"�� !��$��"�� ,.��)��&��!�" �� !��$��&�� ,.�*�� !��$��#��"�� !��!��'��"��$

��

��

&��' �� (��

��

��

��

)��*+��

��*�,��&��*-

�$.��+��

��

/ ��"0��%&��*-



SCADE Suite in a Certification Framework

Date: DEC 03, 2007Page: 1

MLcov 1.0 User Guide

This document is the property of Esterel Technologies. It shall not be communicated to a third party and/or reproduced without prior authorization, and itscontent shall not be disclosed. c� Esterel Technologies 2006-2007.

esterel-technologies.com

SCADE SuiteI IDE for safety-critical softwareI Based on synchronous dataflow language LustreI Graphical editor, model simulation, formal verification

KCG (Qualifiable Code Generator)I C code generatorI Qualifiable DO-178B (level A) development tool

I Last version written in O’CamlEDINBURGH SEPTEMBER, 1ST, 2009 ICFP PHILIPPE WANG (UPMC/LIP6) 4/20


Use of O’Caml

OCaml was very natural for R&DI It is very-well suited for compilers (CG)I Prototype already in O’Caml

HoweverI DO-178B: Use the best language for a given projectI Domain is very conservative:

Use C or AdaNeed to

I Demonstrate the compatibility between DO-178B andO’Caml

I Find means to assess that generated code is undercontrol !

I This generated various activities detailed later...EDINBURGH SEPTEMBER, 1ST, 2009 ICFP PHILIPPE WANG (UPMC/LIP6) 5/20


Context: Critical Software

Certification of Safety-Critical SoftwareI Critical Code

I Domains: avionics, railway, ...I Norms

I DO–178B Aerospace and DefenseI EN 50128 Rail TransportationI IEC61508 Industrial and TransportationI IEC60880 Nuclear



Certification in Avionics

Avionic industry is the most regulated oneI 1st international conference in 1910!

Everything is ruledI Conception, ...I Transportation, Crew, ...I Noise, Population health, ...I Leisure

Components must be conceived such thatI Defects WRT flight security take-off or landing are

EXTREMELY IMPROBABLE, and do not result from simplecause

I Any other defects are IMPROBABLE



Activities Required by Certification

Traceability: reviews & testsSystem

Requirements Analysis

SoftwareHigh-Level

Specifications

Architectural Design

DetailedDesign

Coding

UnaryTesting

Integration Testing

ValidationTests

SoftwareReceipt



DO-178B

Software Considerationsin Airborne Systems and Equipment Certification

Mean of conformity for embedded software“It is in general not feasible to assess the numberor kinds of software errors, if any, that may remainafter the completion of system design,development, and test. DO-178B/ED-12B,provides acceptable means for assessing andcontrolling the software used to program digitalcomputer-based systems”



Benefits of Using A Certified CG

!"#$%&'()*+,- ./+0'01,203*4$1$)(0/,5 678#9:;8,<""=,>?//$(/

! !"#$%&'()*)+,#)"-%,+#)&)#)'$

! .++/(,+0%"*%('1/)('2'-#$

! .++/(,+0%"*%,34"()#52$

! .(+5)#'+#/('

! 6"/(+'%+"7'%!"#$%$&('1/)('2'-#$

8'-'*)#$%"*%9$)-4%.%:'(#)*)'7%.:;8'-'*)#$%"*%9$)-4%.%:'(#)*)'7%.:;

! !"#$%&'($) *$+','%-&'./))

"! !#$%&'()('! *(+,-*(.(/01! 2$.3'4! %-05! 5-65&'()('!*(+,-*(.(/017!

8$0!('-.-/90(:!

;!! #$%&'()('! *(+,-*(.(/01! 9*(! 922,*90(! 9/:!

2$/1-10(/07!

<,0$.90(:!

=!! #$%&'()('! *(+,-*(.(/01! 9*(! 2$.390->'(! %-05!

09*6(0!2$.3,0(*7!

8$0!('-.-/90(:!

?!! #$%&'()('!*(+,-*(.(/01!9*(!)(*-@-9>'(7! A'-.-/90(:!

B!! #$%&'()('!*(+,-*(.(/01!2$/@$*.!0$!109/:9*:17! <,0$.90(:!

C!! #$%&'()('1! *(+,-*(.(/01! 9*(! 0*92(9>'(! 0$! 5-65&

'()('!*(+,-*(.(/017!

8$0!('-.-/90(:!

D! !<'6$*-05.1!9*(!922,*90(7!! 8$0!('-.-/90(:!

E!! F$@0%9*(! 9*25-0(20,*(! -1! 2$.390->'(! %-05! 5-65&

'()('!*(+,-*(.(/017!

8$0!('-.-/90(:!

G! !F$@0%9*(!9*25-0(20,*(!-1!2$/1-10(/07!! <,0$.90(:!

"H!! F$@0%9*(! 9*25-0(20,*(! -1! 2$.390->'(! %-05! 09*6(0!

2$.3,0(*7!

8$0!('-.-/90(:!

""!! F$@0%9*(!9*25-0(20,*(!-1!)(*-@-9>'(7!! A'-.-/90(:!

";!! F$@0%9*(!9*25-0(20,*(!2$/@$*.1!0$!109/:9*:17! <,0$.90(:!

"=!! F$@0%9*(!39*0-0-$/-/6!-/0(6*-04!-1!2$/@-*.(:7! 8$0!('-.-/90(:!

!

) !"#$%&'($) *$+','%-&'./)

"! F$,*2(!I$:(!2$.3'-(1!%-05!'$%&'()('!*(+,-*(.(/01! A'-.-/90(:!

;! F$,*2(!I$:(!2$.3'-(1!%-05!1$@0%9*(!9*25-0(20,*(!! A'-.-/90(:!

=! F$,*2(!I$:(!-1!)(*-@-9>'(! A'-.-/90(:!

?! F$,*2(!I$:(!2$/@$*.1!0$!109/:9*:1! A'-.-/90(:!

B! F$,*2(!I$:(!-1!0*92(9>'(!0$!'$%&'()('!*(+,-*(.(/01! A'-.-/90(:!

C! F$,*2(!I$:(!-1!922,*90(!9/:!2$/1-10(/0! A'-.-/90(:!

D! J,03,0!$@! 1$@0%9*(! -/0(6*90-$/!3*$2(11! -1! 2$.3'(0(!

9/:!2$**(20!

8$0!('-.-/90(:!

!

K-65&#()('!*(+,-*(.(/01L

#$%&'()('!M(+,-*(.(/01


HIGH LEVEL REQUIREMENTS==

LOW LEVEL REQUIREMENTS


Certifying an O’Caml binary

O’Caml specificitiesI High-level language: functional model, pattern

matching, polymorphism, exceptions, etcI Significant Runtime Library: garbage collector,

polymorphic comparison, exceptions, etc

NecessitiesI Runtime Library coverageI New tools for O’Caml code coverageI New means for O’Caml code traceability

Target and VersionI OCaml 3.09.3 Native compiler for x86 (32-bit)



Certifying an O’Caml binary

Test the Runtime libraryI Memory management (allocator and collector)I Language features implementation

(apply, exception, ...)I Language built-in functions (IO, operators, ...)

Test the Source CodeI Program source code + Standard library

Traceability from Source to BinaryI From Source to AssemblyI Translation of Explicit Control of the Source CodeI Controls Introduced by the Compiler Itself



Certifying O’Caml’s Runtime Library

O’Caml’s runtime libraryI Complex Low-level C codeI Very efficient garbage collectorI Unsafe or extra features

SolutionI Simplify the garbage collector

I simple Stop & Copy (125 lines of C instead of 1’200)I Remove unneeded stuff (by KCG)

I Threads, Marshaling, Weak pointers

I Really easier to specify and test!4’500 lines of C code instead of 16’000



Certifying the Source Code

Coding standardI Functional and imperative subset of O’Caml

I No objects, no polymorphic variants,no lazy evaluation,...

I Reduced standard libraryI Coding rules

I Identifier naming conventionsI No variable hidingI Limited use of anonymous functionsI etc.

Coverage measurementI MC/DC measure required



Modified Condition/Decision Coverage

Statement Coverage (SC)I Each statement is executed at least once� 1 test

Decision Coverage (DC)I SC + each Boolean decision must be evaluated to

true and false� 2 tests

Multiple Condition Coverage (MCC)I DC + all combinations of Boolean conditions� 2n tests

Modified Condition/Decision Coverage (MC/DC)I Each cond takes on every possible outcomeI Each cond independently affects decision’s outcome� n+1 tests



MLcov: code coverage for O’Caml

MC/DC measure capable tool for O’Caml



MLcov report



Traceability from Source to Binary

Making relation between Source & Assembly explicitI Translation of Explicit Control of the Source Code

I pattern matching, exceptions handling, ...I Controls Introduced by the Compiler Itself

I memory allocation, array access,functional application mechanism

I Primitive functionsI translated either to assembly or external function calls

Thanks to different intermediate languagesfrom Source to Assembly



Timeline Report

« 2005 – 2009 »I Prototype for KCG written in O’CamlI From prototype to final product, different ways:

1. Rewrite prototype in C or Ada,2. Using an O’Caml to C compiler to certify generated C

code3. Or Directly certify O’Caml code

I For choice 3, modify the runtime libraryand build test tools for O’Caml

I Industrial development process byEsterel-Technologies

I Certification IEC 61508 & EN 50128 for railwaysI Used in several DO-178B projects



Conclusion

Successful use of a functional language to developcertified safety-critical softwareHigh-level requirements � Low-level requirements

I shorter certification processLast version of KCG written in O’Caml

I easier & faster to write a compilerCertification Norms are Open

I Made it possible to use a functional language to writea compiler to develop safety-critical embedded toolsin a Certification Framework

A new domain for ICFP languages


kd^x^ idjizh azh y xa^cv^hdch edhh^wazh b[i yekb[khi zk be ... › 9d20 › 5f6b55968ea7... ·...

Documents