ICFP Experience Report
Using Objective Caml to Develop Safety-Critical Embedded Tools in a Certification Framework
Bruno Pagano, Olivier Andrieu, Thomas Moniot, Benjamin Canou, Emmanuel Chailloux, Philippe Wang, Pascal Manoury, Jean-Louis Colaço
[Slide image: cover page of the MLcov 1.0 User Guide, Esterel Technologies 2006-2007, dated December 3, 2007]
Edinburgh, September 1st, 2009
Plan
- The SCADE Certified Software Factory
  - Use of O'Caml
- Context: Critical Software
  - Certification in Avionics
  - DO-178B
  - Benefits of Using A Certified CG
- Certifying an O'Caml binary
  - Certifying O'Caml's Runtime Library
  - Certifying the Source Code
  - Traceability from Source to Binary
- Timeline Report
- Conclusion
Philippe Wang (UPMC/LIP6), ICFP, Edinburgh, September 1st, 2009
The SCADE Certified Software Factory
[Slide figure: diagram of the SCADE certified software factory; the text of the diagram did not survive extraction]
SCADE Suite in a Certification Framework
SCADE Suite
- IDE for safety-critical software
- Based on the synchronous dataflow language Lustre
- Graphical editor, model simulation, formal verification
KCG (Qualifiable Code Generator)
- C code generator
- Qualifiable DO-178B (level A) development tool
- Last version written in O'Caml
Use of O'Caml
OCaml was very natural for R&D
- It is very well suited for compilers (CG)
- Prototype already in O'Caml
However
- DO-178B: use the best language for a given project
- The domain is very conservative: use C or Ada
Need to
- Demonstrate the compatibility between DO-178B and O'Caml
- Find means to assess that the generated code is under control!
- This generated various activities, detailed later...
Context: Critical Software
Certification of Safety-Critical Software
- Critical code
- Domains: avionics, railway, ...
- Norms
  - DO-178B: Aerospace and Defense
  - EN 50128: Rail Transportation
  - IEC 61508: Industrial and Transportation
  - IEC 60880: Nuclear
Certification in Avionics
The avionic industry is the most regulated one
- 1st international conference in 1910!
Everything is ruled
- Conception, ...
- Transportation, crew, ...
- Noise, population health, ...
- Leisure
Components must be conceived such that
- Defects with respect to flight security (take-off or landing) are EXTREMELY IMPROBABLE, and do not result from a simple cause
- Any other defects are IMPROBABLE
Activities Required by Certification
Traceability: reviews & tests
[Slide figure: V-cycle of the development and verification activities]
System Requirements Analysis -> Software High-Level Specifications -> Architectural Design -> Detailed Design -> Coding -> Unit Testing -> Integration Testing -> Validation Tests -> Software Receipt
DO-178B
Software Considerations in Airborne Systems and Equipment Certification
Means of conformity for embedded software:
"It is in general not feasible to assess the number or kinds of software errors, if any, that may remain after the completion of system design, development, and test. DO-178B/ED-12B provides acceptable means for assessing and controlling the software used to program digital computer-based systems"
Benefits of Using A Certified CG
[Slide figure: a list of verification activities and two tables of DO-178B verification objectives; the figure title and one word of the list are unreadable in the extraction]
Verification activities:
- Accuracy of requirements
- Accuracy of algorithms
- Architecture
- Source code [unreadable] requirements

Objective | Verification
1. Low-level requirements comply with high-level requirements. | Not eliminated
2. Low-level requirements are accurate and consistent. | Automated
3. Low-level requirements are compatible with target computer. | Not eliminated
4. Low-level requirements are verifiable. | Eliminated
5. Low-level requirements conform to standards. | Automated
6. Low-level requirements are traceable to high-level requirements. | Not eliminated
7. Algorithms are accurate. | Not eliminated
8. Software architecture is compatible with high-level requirements. | Not eliminated
9. Software architecture is consistent. | Automated
10. Software architecture is compatible with target computer. | Not eliminated
11. Software architecture is verifiable. | Eliminated
12. Software architecture conforms to standards. | Automated
13. Software partitioning integrity is confirmed. | Not eliminated

Objective | Verification
1. Source code complies with low-level requirements | Eliminated
2. Source code complies with software architecture | Eliminated
3. Source code is verifiable | Eliminated
4. Source code conforms to standards | Eliminated
5. Source code is traceable to low-level requirements | Eliminated
6. Source code is accurate and consistent | Eliminated
7. Output of software integration process is complete and correct | Not eliminated

High-level requirements == Low-level requirements
Certifying an O'Caml binary
O'Caml specificities
- High-level language: functional model, pattern matching, polymorphism, exceptions, etc.
- Significant runtime library: garbage collector, polymorphic comparison, exceptions, etc.
Necessities
- Runtime library coverage
- New tools for O'Caml code coverage
- New means for O'Caml code traceability
Target and version
- OCaml 3.09.3 native compiler for x86 (32-bit)
Certifying an O'Caml binary
Test the runtime library
- Memory management (allocator and collector)
- Language features implementation (apply, exception, ...)
- Language built-in functions (IO, operators, ...)
Test the source code
- Program source code + standard library
Traceability from source to binary
- From source to assembly
- Translation of explicit control of the source code
- Controls introduced by the compiler itself
Certifying O'Caml's Runtime Library
O'Caml's runtime library
- Complex low-level C code
- Very efficient garbage collector
- Unsafe or extra features
Solution
- Simplify the garbage collector: a simple Stop & Copy (125 lines of C instead of 1'200)
- Remove unneeded stuff (by KCG): threads, marshaling, weak pointers
- Really easier to specify and test! 4'500 lines of C code instead of 16'000
Certifying the Source Code
Coding standard
- Functional and imperative subset of O'Caml: no objects, no polymorphic variants, no lazy evaluation, ...
- Reduced standard library
- Coding rules: identifier naming conventions, no variable hiding, limited use of anonymous functions, etc.
Coverage measurement
- MC/DC measure required
Modified Condition/Decision Coverage
Statement Coverage (SC)
- Each statement is executed at least once => 1 test
Decision Coverage (DC)
- SC + each Boolean decision must be evaluated to true and false => 2 tests
Multiple Condition Coverage (MCC)
- DC + all combinations of Boolean conditions => 2^n tests
Modified Condition/Decision Coverage (MC/DC)
- Each condition takes on every possible outcome
- Each condition independently affects the decision's outcome => n+1 tests
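The test counts on this slide can be checked mechanically. The following is an added Python example, not code from the slides or from MLcov (which measures coverage of O'Caml programs); it uses a constructed three-condition decision, a and (b or c), enumerates all 2^n combinations (the MCC set), checks a test set for decision coverage and for unique-cause MC/DC (each condition has a pair of tests that differ only in that condition and flip the outcome), and brute-forces the smallest MC/DC set, which for this decision comes out at n+1 = 4 tests. The decision, the condition count N and the function names are all assumptions of the example.

```python
from itertools import product, combinations

N = 3


def decision(a, b, c):
    """Constructed sample decision with n = 3 Boolean conditions."""
    return a and (b or c)


def all_tests(n):
    """Every combination of the n conditions: the MCC test set, 2^n tests."""
    return list(product((False, True), repeat=n))


def is_dc(decision, tests):
    """Decision Coverage: the decision itself evaluated to both true and false."""
    outcomes = {bool(decision(*t)) for t in tests}
    return outcomes == {False, True}


def independence_pairs(decision, n):
    """Unique-cause MC/DC: for each condition i, the pairs of tests that differ
    only in condition i and give different decision outcomes."""
    pairs = {i: [] for i in range(n)}
    for t in all_tests(n):
        for i in range(n):
            if t[i]:
                continue  # each pair is enumerated once, from the side where condition i is false
            u = t[:i] + (True,) + t[i + 1:]
            if bool(decision(*t)) != bool(decision(*u)):
                pairs[i].append((t, u))
    return pairs


def is_mcdc(decision, n, tests):
    """MC/DC: every condition has an independence pair inside the test set.
    Such a pair already makes that condition and the decision take both values."""
    tests = set(tests)
    pairs = independence_pairs(decision, n)
    return all(any(t in tests and u in tests for t, u in pairs[i]) for i in range(n))


def minimal_mcdc_set(decision, n):
    """Smallest MC/DC test set, found by exhaustive search (fine for small n)."""
    universe = all_tests(n)
    for size in range(1, len(universe) + 1):
        for subset in combinations(universe, size):
            if is_mcdc(decision, n, subset):
                return list(subset)
    return None


if __name__ == "__main__":
    mcc = all_tests(N)
    mcdc = minimal_mcdc_set(decision, N)
    print(f"MCC needs {len(mcc)} tests (2^{N}); MC/DC needs {len(mcdc)} tests (n+1 = {N + 1})")
    for t in mcdc:
        print(t, "->", decision(*t))
```

Two tests, all conditions true and all conditions false, already give decision coverage of this decision, but they do not give MC/DC: no condition is shown to flip the outcome on its own. The search confirms that four tests are needed and eight are enough for MCC, which is exactly the gap between 2^n and n+1 that makes MC/DC the practical criterion for level A.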
MLcov: code coverage for O'Caml
MC/DC-capable coverage measurement tool for O'Caml
MLcov report
[Slide image: screenshot of an MLcov coverage report, not reproduced in the extraction]
Traceability from Source to Binary
Making the relation between source & assembly explicit
- Translation of explicit control of the source code: pattern matching, exception handling, ...
- Controls introduced by the compiler itself: memory allocation, array access, functional application mechanism
- Primitive functions: translated either to assembly or to external function calls
Thanks to the different intermediate languages from source to assembly
Timeline Report
« 2005 – 2009 »
- Prototype for KCG written in O'Caml
- From prototype to final product, different ways:
  1. Rewrite the prototype in C or Ada,
  2. Use an O'Caml-to-C compiler and certify the generated C code,
  3. Or directly certify the O'Caml code
- For choice 3, modify the runtime library and build test tools for O'Caml
- Industrial development process by Esterel Technologies
- Certification IEC 61508 & EN 50128 for railways
- Used in several DO-178B projects
Conclusion
Successful use of a functional language to develop certified safety-critical software
High-level requirements == Low-level requirements
- shorter certification process
Last version of KCG written in O'Caml
- easier & faster to write a compiler
Certification norms are open
- Made it possible to use a functional language to write a compiler to develop safety-critical embedded tools in a certification framework
A new domain for ICFP languages