tool classification report - texas instruments and tests, a validation suite according to iso 26262...

Tool Classification Report Version 0.8 Copyright @ 2013. Texas Instruments Incorporated

Tool Classification Report for TI C/C++ Compiler Chain

Version 0.8


Revision History:

Version Date Status Autor Change

0.6 2012-12-17 Presented Slotosch Integrated feedback from TÜV Nord

0.7 2013-04-28 In Progress Slotosch Generalized and prepared for Generation

0.7.1 2013-05-27 In Progress Slotosch Improved EN 50128 compliance

0.8 <generation date>

Generated Generator Tool

Filled Model-dependent parts

0.9 <review> Reviewed <Reviewer> Reviewed and updated

1.0 Final


Contents

1 Scope of this Document .............................................................................................. 4

2 Glossary ....................................................................................................................... 5

3 Evaluation Method ....................................................................................................... 6

3.1 Standard Requirements .............................................................................................. 9 3.1.1 ISO 26262 Requirements ..................................................................................... 10

3.1.1.1 Planning Tool Usage .................................................................................... 10 3.1.1.2 Tool Evaluation ............................................................................................ 11

3.1.1.3 Tool Qualification ........................................................................................ 12

3.1.1.4 Validity Check .............................................................................................. 12

3.1.1.5 Compliance Check and Confirmation Review ............................................. 12 3.1.2 IEC 61508 ............................................................................................................ 13 3.1.3 DO-178 C and DO-330 ........................................................................................ 13 3.1.4 EN 50128 .............................................................................................................. 14

3.2 Tool Chain Analysis Method ................................................................................... 15

3.2.1 Define List of Tools ............................................................................................. 15 3.2.2 Gather tool application facts and identify use cases............................................. 15 3.2.3 Determine Tool Impact ........................................................................................ 16 3.2.4 Identify Potential Errors ....................................................................................... 16

3.2.4.1 Black Box Error Identification Strategy:...................................................... 17 3.2.4.2 White box Error Identification Strategy: ...................................................... 17

3.2.4.3 Consolidating Potential Errors: .................................................................... 17 3.2.5 Identify and Assign Checks and Restrictions ....................................................... 18

3.2.6 Compute the Tool Confidence Level ................................................................... 19 3.2.7 Document the evaluation results .......................................................................... 19

3.2.7.1 TI Determination .......................................................................................... 19

3.2.7.2 TCL Determination ...................................................................................... 20 3.3 Using the Tool Chain Analyzer ................................................................................ 21

3.3.1 Modeling .............................................................................................................. 21 3.3.2 Validation ............................................................................................................. 22 3.3.3 Review .................................................................................................................. 23 3.3.4 Report generation ................................................................................................. 24

3.4 Using the Qualification Tool .................................................................................... 28

4 Tool Chain Definition ................................................................................................. 28

5 Tool Impact Determination ........................................................................................ 29

6 [generated] ........................................................................ Error! Bookmark not defined.

7 References ............................................................................................................... 135


1 Scope of this Document

This document is a results report of classifying used tools according to their confidence need during the use of a SW tool chain or parts of a

software tool chain related to a specific tool, e.g. a “Generating Tool Chain”.

The evaluated tool chain TI C/C++ Compiler Chain is used by <Customer> for software development. The content of this document

consists of 4 parts:

1. General description of the evaluation method (see section 3).

2. Definition of the tool chain being evaluated (see section 4). 3. Determination of tool impact (see section 5).

4. Determination of tool confidence (see section 6).

The classification is compatible to ISO26262s tool confidence levels but can also be used in other standards (IEC 61508, DO-330, EN 50128) since

they require to determine the confidence needs for the tools by analyzing the impact of potential tool errors. A detailed tracing of the requirements

are in the tool qualification plans for the tools with qualification need


2 Glossary

This section defines technical terms used within this document.

Term Definition Check possibility to detect an error

Error in this document used as “potential error”

Error (model)

element

representation of an (potential) error in the model

Feature (model)

element

representation of a function in the model.

Function an elementary or composed function of the tool, that can be

required in one or more use-cases, e.g. load, save, “perform” functions

Qualification environment

TAU and tests, a validation suite according to ISO 26262

Restriction possibility to avoid an error

Safety Guideline Guideline to mitigate some potential errors of the tool.

Modeled as a Check or Restriction, either in an usual UseCase or Feature of the Tool, or in a separate, virtual Feature that can be required (added) by any use case of the

same tool. Safety Guidelines are listed in the tool classification report and applied in the tool safety manual.

software off-line support tool

(IEC 61508)

According to IEC61508-4-3.2.11: software tool that supports a phase of the software development lifecycle and

that cannot directly influence the safety-related system during its run time.

TAU Test Automation Unit: executes tests for the test suite

TD Tool Error Detection (TD) probability for a potential error to

be detected / avoided in a defined process TD1=high detection probability, TD2=medium detection probability,

TD3=low or unknown detection probability

TCL (ISO 26262-8) Tool Confidence Level (ISO 26262): required confidence in

the tool when used in the analyzed tool chain TCL1=low confidence required ,

TCL2=medium confidence required, TCL3=high confidence required1

TCR This Tool Classification Report, also called Tool Criteria Evaluation Report in ISO 26262

Test Single test with result PASS/FAIL/ABORT

Test Directory A directory containing one or more test (directories)

Test (model) element

Representation of a test directory in the model including a test description that specifies it

Test Suite structured set of single tests

Test Plan list of test (directories) to be executed

Tool a development tool according to ISO 26262

1 Of course once the tool with TCL>1 have been qualified, the TCL can be regarded as existing tool confidence for the qualified ASIL rather than required tool confidence.


Tool Chain a collection of tools, not necessarily forming an input/output chain

Tool classes (IEC 61508-4)

Software off-line support tools are classified into the following tool classes: T1: generates no outputs which can directly or indirectly

contribute to the executable code (including data) of the safety related system

T2: supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot directly create errors in the executable

software T3: generates outputs which can directly or indirectly

contribute to the executable code of the safety related system.

Tool Classification determination of the required tool confidence level (ISO26262: TCL or IEC 61508: tool classes)

Tool Evaluation or tool criteria evaluation: see tool classification

Use-Case the purpose of using the tool in development process

Use-Case (model) element

representation of an use-case in the model

Virtual Feature A Feature is called virtual, if it’s virtual attribute is set to true. Virtual Features are modeled in a Tool, but are not

implemented in the tool. They are used to model safety guidelines (documents) and can be added flexible as required features to use cases to denote that the use cases

follow them. Virtual feature do not have errors.

Note that elements, relations and actions from the model that have a formal semantic in the TCA are written in capital and with italic font, e.g.

“Error element”, or “Export -> Excel Review”.

3 Evaluation Method

The safety standards (ISO 26262, IEC 61508, DO-178/DO-330) require

the user to analyze the tools used for the development of safety-critical products. The result of the analysis is a requirement on the reliability of

the tool stated in the tool criteria evaluation report. The confidence is determined by an analysis of the use cases of the tool as

used within the development process. If the tool has an impact on the safety of the product, all potential errors within the used features are

analyzed for how they can be detected or avoided within the process. If

there is no high probability for detecting or avoiding the errors, the tool has to be qualified to ensure the absence of these errors.


Figure 1: Tool Safety Manual Derivation

The tool safety manual for a tool has to contain the mitigations against all potential tool errors that are considered during tool evaluation. The errors

can be grouped into the three classes (see Figure 1): Potential errors in unused features (green in Figure 1)2: Using these

features is prohibited in the tool safety manual (yellow in Figure 1). Potential errors with mitigations: detections and restrictions (yellow

in Figure 1): These mechanisms are described in the tool safety manual.

Remaining potential errors (red in Figure 1): Demonstrating their absence has to be the goal of the tool qualification (tool qualification

plan). The tool qualification report possibly shows some concrete errors that are instances of the potential error classes. The

qualification report contains proposed workarounds for these

concrete errors that have to be part of the safety manual (yellow in Figure 1).

The tool safety manual therefore has to contain the following information: Allowed features and configurations of the tool.

For potential errors that might occur in required features and that are not excluded by tool qualification: Requirements to apply checks

and restrictions to mitigate potential tool errors. Workarounds for known bugs and errors found during qualification.

Other information required by the standards to identify the tool exactly (version, configuration, etc.).

2 Note that the analysis of potential errors in unused functions is not required, but the features need to be identified.


The tool qualification plan has to ensure that the identified potential errors

of the TI C/C++ Compiler Chain which are not detectable / avoidable cannot occur. This is done by applying a validation suite in a systematic

way that shows the absence of these potential errors.

If tools from the TI C/C++ Compiler Chain shall be qualified using validation we have to provide the following documents:

Test Plan: specifies the required test cases for execution Test Report: contains the test results

Test Automation Unit Manual: contains instructions to execute the planned tests cases correctly

Test suite validation and verification documents (plan and report): to ensure that the test suite shows the absence of the potential

errors if passed successfully The documents that depend on the model are typed using italic font.

In the case that the model and the validation suite needs to be extended and new test cases need to be produced and validated, the following

documents are required or need to be extended: Test specifications including a test strategy to show the absence of

the potential errors.

Test suite V&V plan & report The test suite needs validation against the implementation using a review

and a verification that they run correctly on the selected target. This quality process creates the confidence into the effectiveness of the test

suite. The V&V documents for the test suite are contained in the qualification kit to demonstrate the confidence to the user. If the test suite

is extended these documents shall also be extended. Figure 2 shows the relation between the documents and their variability,

i.e. which are constant and which depend on the use case.


Figure 2: Documentation Plan

There are many documents in Figure 2 that are required and that need to

be adapted depending on the user’s process. The process is captured in

the qualification model by selecting the required tool features and the executed mitigations. The use case specific parts in the user specific

documents are generated from the qualification support tool.

The tools of the TI C/C++ Compiler Chain of <Customer> have been classified with the Validas TI C/C++ Compiler, which supports the

required classification using a tool chain model, and helped generating parts of this report.

In this section there are: a general description of the standard requirements, especially the

ISO 26262 requirements to the use of tools (see section 3.1), an abstract explanation of the methods used to analyze the model

using the process description (see section 3.2) and a tool supported approach using the “TI C/C++ Compiler” (see

section 3.3). The version 1.8.1 of the TCA has been used. More information and the tool

are on [TCA_UM] available. According to [ISO26262], this report is subject to the qualification

measures along with a Confirmation Review (see section 3.1.5).

3.1 Standard Requirements

This classification report satisfies the classification and requirements for

the following standards:


ISO 26262, see Section 3.1.1,

IEC 61508, see Section 3.1.2, DO-178 C and DO-330, see Section 3.1.3 and

EN 50128, see 3.1.4.

3.1.1 ISO 26262 Requirements

The ISO 26262-8 recommends various steps and documents in order to

establish “Confidence in the use of software tools” (see Fig 1): Planning Tool Usage, see ISO-26262-8-11.4.4 and section 3.1.1.1

Tool Evaluation, see ISO-26262-8-11.4.5 and section 3.1.1.2, Tool Qualification, see ISO-26262-8-11.4.6 and section 3.1.1.3,

Validity Check, see ISO-26262-8-11.4.2 and section 3.1.1.4and Compliance Check and Confirmation Review, see ISO-26262-8-

11.4.3, 11.4.10 and section 3.1.1.5.

This classification report is the required “Tool Criteria Evaluation Report”, which is the result of the step “Tool Evaluation”. Note in this document the

Tool Criteria Evaluation Report is called “Tool Classification Report”. In order to define the context of this work more clearly the other steps are

shortly explained as well

Fig 1: ISO 26262-8 “Confidence in use of software tools”

3.1.1.1 Planning Tool Usage


All tools to be used for the development of a safety related product need

to be planned first (ISO 26262-8 11.4.4, ISO 26262-6 5.5.4). The following information are used for classifying tools:

Identification and version,

Description of the tool, e.g. reference to a user manual, Used configuration(s),

Use cases with the in- and outputs and If needed qualification methods.

These information and other information required by ISO (see Fig 1) can be included in one or many documents, e.g. the so called Tool Application

Guide.

3.1.1.2 Tool Evaluation

In the tool evaluation the usage information is analyzed and a tool confidence level for the tool is determined. The result of the tool

evaluation is a tool criteria evaluation report, which must contain the information shown in the figure above (see Fig 1).

To determine the tool confidence level for a tool the ISO 26262-8 requires

executing the following two steps: 1. Determine the tool impact (TI) and

2. Determine the Tool Error Detection (TD).

The TCL is determined from these both values.

According to ISO 26262-8 11.4.5.2, the Tool Impact means: “the

possibility that a malfunction of a particular software tool can introduce or fail to detect errors in a safety-related item or element being developed.

- TI1 shall be selected when there is an argument that there is no

such possibility; - TI2 shall be selected in all other cases”.

Tools with TI1 have a low confidence need, e.g. TCL1, and do not need to

be qualified.

For all tools with possible impact (TI2) all use cases have to be analyzed

with the help of the potential errors and their detectability (TD: “Tool Error Detection”). All the use cases of the tool and their potential errors must be

considered and if possible measures that can detect or prevent these errors need to be assigned. For each measure a qualitative tool error

detection (TD) probability has to be assigned: TD=1 if the probability to detect or prevent the error is HIGH,

TD=2 if the probability to detect or prevent the error is MEDIUM and TD=3 in all other cases (LOW or unknown probability).

If several detection or prevention possibilities are available for one error the one with the best detection/prevention probability can be used. In


case of multiple potential errors for one tool or use case the one with the

worst detection or prevention probability determines the TD for the tool or use case.

If the TI and TD level has been estimated the required tool confidence

level is completely determined by ISO 26262 according to the following table (see Fig 2).

TD1 TD2 TD3

TI1 TCL1 TCL1 TCL1

TI2 TCL1 TCL2 TCL3

Fig 2: Tool Confidence Levels according to ISO 26262

Tools with TCL 1 are used so that they have a low confidence need and

thus require no qualification.

3.1.1.3 Tool Qualification

Tools with TCL2 or TCL3 need to be qualified. Depending on the

automotive safety integrity level (ASIL) of the item being developed and the tool confidence level the ISO 26262 recommends qualification

methods. For ASIL D the ISO 26262 recommends “Tool Validation” or “Development of the tool according to a safety standard” as qualification

methods. The result of an ASIL decomposition can be taken for the tools only if the decomposed parts are developed with different tool chains.

The goal of tool qualification is to show the absence of the potential errors

identified during the tool evaluation. The result of tool qualification is a tool qualification report, which must contain the information shown in the

figure above (see Fig 1).

3.1.1.4 Validity Check

Classifications of tools and qualification of tools from other projects can be

reused. In both cases, the validity of the assumptions about the use cases and potential errors needs to be checked for the current project (see

[ISO26262] 8-11.4.2).

3.1.1.5 Compliance Check and Confirmation Review

For each used tool must be guaranteed that it fits to the configuration and the version which was used for the classification. Particularly no functions

and variants which were not classified may be applied. The measures considered against potential errors in the classification must be executed

in concrete development process (see [ISO26262] 8-11.4.10). From ASIL B there must be a “Confirmation Review” that confirms, that

The TCL was determined correctly and The required qualification measures for the tool fit to the required

confidence, i.e. demonstrate the absence of the critical, potential errors.


3.1.2 IEC 61508

The IEC 61508, see [61508] has a tool classification that does not depend

on the use cases of the tools and the potential errors and the measures to detect them.

Part 4, Section 3.2.11 defines:

software off-line support tool as software tool that supports a phase of the software development lifecycle and that cannot directly influence the

safety-related system during its run time. Software off-line tools may be divided into the following classes:

T1: generates no outputs which can directly or indirectly contribute to the executable code (including data) of the safety related system;

T2: supports the test or verification of the design or executable code, where errors in the tool can fail to reveal defects but cannot

directly create errors in the executable software T3: generates outputs which can directly or indirectly contribute to

the executable code of the safety related system

Part 3, Section 7.4.4.5 requires:

An assessment shall be carried out for offline support tools in classes T2 and T3 to determine the level of reliance placed on the tools, and the

potential failure mechanisms of the tools that may affect the executable software. Where such failure mechanisms are identified, appropriate

mitigation measures shall be taken.

This is satisfied by the analysis the ISO 26262 requires for all relevant tools and that is documented in this classification report.

3.1.3 DO-178 C and DO-330

The DO-330, see [DO330] is a standard for tool qualification that is required to be applied from DO-178 C, see [DO178C]. The DO-178C

classifies the tools into the following three classes (see 12.2.2: Determination of the tool qualification level):

Criteria 1: A tool whose output is part of the airborne software and thus could insert an error.

Criteria 2: A tool that automates verification process(es) and thus

could fail to detect an error, and whose output is used to justify the elimination or reduction of:

o Verification process(es) other that automated by the tool, or o Development process(es) that could have an impact on the

airborne software Criteria 3: A tool that within the scope of its intended use could fail

to detect an error.

From this classification and the software risk level a so called tool qualification level (TQL) is computed using the table in Figure 3. TQL-1 is

the most rigorous level, while TQL-5 has the least requirements.


Figure 3: Determination of TQL in DO-178C, Table 12-1

The DO-330 specifies the processes that shall be applied to qualify the tools depending on the TQL.

The DO-330 requires for all levels to have a plan for software aspects of certification (PSAC) that contains the impact of the tool in the software life

cycle (see 10.1.1.a) and the certification credit it claims during automation in the process (see 10.1.1.b). The verification of the tool in

the operational environment should “demonstrate the coverage of the

processes intended to be eliminated, reduced, or automated by the use of the tool” (see 6.2.2.b).

This report contains the results of the tool classification according to the

use cases and determines the required confidence by analyzing the impact of the potential errors. Hence it satisfies the above requirements from the

DO-330 / DO 178 C.

Furthermore the TQL can be reduced based on this tool classification report if the potential tool errors have high detection probabilities, since

the DO-330 contains the following statement (FAQ D.2): To reduce a tool’s qualification level, the reduction needs to be justified by performing

a tool use and impact analysis. This analysis needs to evaluate the overall use of the tool in the development process and its impact on the software

being produced.

Therefore this classification report is an essential contribution to all qualification levels from DO-178 C and DO-330 and in addition can be

used to reduce the tool qualification level.

3.1.4 EN 50128

Similar to IEC 61508 (see Section 3.1.2) the EN 50128, see [EN50128]

defines in Sections 3.1.42, 3.1.43, 3.1.44 the following tool classes: tool class T1

generates no outputs which can directly or indirectly contribute to the executable code (including data) of the software

tool class T2 supports the test or verification of the design or executable code,

where errors in the tool can fail to reveal defects but cannot directly create errors in the executable software


tool class T3

generates outputs which can directly or indirectly contribute to the executable code (including data) of the safety related system

In Section 6.7 on the supporting process the classification is required in 6.7.1.1:

The objective is to provide evidence that potential failures of tools do not adversely affect the integrated toolset output in a safety related manner

that is undetected by technical and/or organizational measures outside the tool. To this end, software tools are categorised into three classes

namely, T1, T2 & T3 respectively.

The analysis of the potential failure is required in Section 6.7.4.2: The selection of the tools in classes T2 and T3 shall be justified. The

justification shall include the identification of potential failures which can be injected into the tools output and the measures to avoid or handle such

failures.

This justification for T2 and T3 tools is satisfied by the analysis the ISO

26262 requires for all relevant tools and that is documented in this classification report in the generated section 6. A detailed tracing of the

EN 50128 requirements is in the tool qualification plan [TQP] and report.

3.2 Tool Chain Analysis Method

This section describes the Tool Chain Analysis method (TCA) for the “tool

evaluation” that has been applied in order to fulfill the classification requirements of ISO in the previous section 3.1.2. This method

determines TI, tool error detection TD and TCL for an entire tool chain in the following steps:

1. Define list of tools

2. Gather tool application facts and identify use cases 3. Determine tool impact (TI)

4. Identify potential errors 5. Identify and assign checks and restrictions (TD)

6. Compute Tool Confidence Level (TCL)

7. Document evaluation results

In the following subsections these steps are explained in detail.

3.2.1 Define List of Tools

The first step for a tool evaluation is to write a list of all tools that are

used in safety related development parts of the product. For each tool an expert should be determined in order to be able to get the required details

on the use cases.

3.2.2 Gather tool application facts and identify use cases

For each tool the following facts need to be collected and documented:


Tool versions,

Configuration (it could depend of the installation, Used features,

If mentioned in the tool description:

o potential errors of the tool/features, o Measures for prevention and detection of these and other

possible errors.

A use case contains at least the following information: Title: needed to identify the use case.

Description, If necessary the used tool features,

Inputs and Outputs.

The individual tools are integrated over the input and output artifacts to a

tool chain. It is important to give the artifacts consistent names in order to avoid confusion and duplication.

A convenient representation of the input/output relationships of use cases

in a tool chain is the so called tool artifact matrix. It represents all artifacts in lines and all the use cases of the tool in columns. The entries in

the matrix indicate what actions the use cases executed on the artifacts (Read/Write).

3.2.3 Determine Tool Impact

The “Tool Impact” describes the possibility that a tool compromises the safety of a developed product (see ISO 26262-8 11.4.5.2 and section

3.1.2). Two questions need to be answered to determine the tool impact: 1) Can the tool insert an error in the product?

2) Can the tool overlook an error that could affect the product? If both questions can be answered with No, the tool has no impact on the

product safety (TI1). Otherwise there is the possibility of impact (TI2) These two questions need to be answered for every use case of the tool,

the data flow of the use cases from the tool artifact matrix can be used for that.

3.2.4 Identify Potential Errors

For each use case of a tool the potential errors need to be identified.

The identification of potential errors is a very crucial part of the tool evaluation, because an oversight of potential errors can lead to an

incorrect classification. A good error analysis should achieve the following goals:

1) Completeness: All potential errors are considered. 2) Uniformness: All use cases are analyzed with the same method and

same intensity. 3) Appropriate Abstraction: The level of abstraction for error

descriptions has to be appropriate. If error descriptions are too


abstract, assigning suitable checks becomes very difficult. If error

descriptions are too concrete, some errors might not be covered.

In order to achieve these goals two strategies are used to analyze each

use cases of a tool (see [SAFECOMP12]): 1. An artifact oriented Black Box approach (see section 3.2.4.1)

2. A functional White Box approach (see section 3.2.4.2).

The errors found thereby should be consolidated for the specific places of occurrence. This is described in section 3.2.4.3.

3.2.4.1 Black Box Error Identification Strategy:

The black box strategy considers the tools as a black box and identifies the potential errors only on the basis of the artifacts that that are created

by the tool, because these contain the errors. Similar to the white box strategy, the artifacts can also be characterized

with attributes to then inherit the errors of the attributes that are written by the use cases.

Some examples of artifact attributes are “XML file”, “executable file”, and “table”. Some example of potential errors in XML file are: “Syntax error”,

“schema error”, “Attribute error” and “link error”. An artifact attribute matrix which assigns attributes to every artifact must

be created similar to the tool attribute matrix which assigns attributes to

every use case.

3.2.4.2 White box Error Identification Strategy:

The white box considers the tools based on a functional description. According to its internal structure, every specific tool feature is

characterized by attributes. Some examples of attributes are: “Client server architecture”, “command line” or “file parsing”.

Every tool attribute is associated with a predefined set of potential errors that can occur in tools having this tool attribute. For example the tool

attribute “Client Server Architecture” has the potential errors “No Connection”, “Connection Lost” and “Wrong Connection” associated with

it. Another example is the tool attribute “Batch Mode”, which has the potential errors “Command Parameter Misinterpreted”, “Command

Parameter Ignored” or “Command Parameter Rejected” associated with it. Every tool, which has been assigned a certain tool attribute, automatically

inherits the set of potential errors associated with this tool attribute. Similar to a tool artifact matrix which assigns artifacts to every use case, a

tool attribute matrix needs to be created for the white box strategy, which

assigns attributes with standards errors to every use case.

3.2.4.3 Consolidating Potential Errors:


After the white box and black box error identification strategies have been

applied one typically ends up with large sets of potential errors for each use case of a tool. To reach the goal of an “Appropriate Abstraction” of the

set of potential errors, the errors can be summarized in use case specific

equivalence classes of errors that are detectable or avoidable with common measures. When an error subsumes another error, it is sufficient

to define some measure for the subsuming errors. The subsumed errors can be hidden, but the subsumption information must be retained to

protect (ensure) the argumentation. The granularity of the errors should be as rough as possible, in order to

define as few measure of detection and avoidance. On the other hand, the granularity should be so fine, that the measures can be applied concretely

and simply. Overlapping errors should be summarized, if there is no very simple

measure for a class. For example the errors “Command Parameter Misinterpreted” and “Command Parameter Ignored” can be subsumed by a

more general error “Command Parameters Violated”.

3.2.5 Identify and Assign Checks and Restrictions

After the error identification each use case is assigned a set of potential

errors. Now, one has to identify detection- (checks) or avoidance measures (restrictions) for these errors. According to ISO 26262 there are

two measures arts: Checks, which detect errors that have occurred,

Restrictions, which avoid the occurrence of errors.

Measures against potential errors are also modeled in the tool chain and have a qualitative probability (high/medium/low) of detection or

avoidance of allocated error(s). The measures can be used either directly on the tool in which the potential errors could occur, or in another tool. In

the latter case, of course, a corresponding data flow (over artifact connections) must exist between the two tools. The information flow of

these connections depends on the nature of the measure. For checks, the checking tool must use a deficient output artifact as input artifact. The

checking tool will then be executed in the tool chain after the tool with the

potential errors. However, restrictions need to sink in before the use of the potentially deficient tool.

For example, a “syntax check” of a compiler can detect some potential errors of a code generator. In this case, the two tools are connected to the

artifact code generated by the generator and read by the compiler. A specification of a code generation configuration (in the tool) or the

application of a code checker (another tool) on the model that generates the code could be measures of avoidance of some potential errors of the

code generator. Some measure will surely be applied (e.g. the syntax check of the

compiler). Other measures may also be omitted. The latter are marked as assumptions in the tool chain analysis and must be explicitly pinned in the


development process, e.g. by creating scripts/requirements to be kept.

Plus, all the assumptions under which the tool classification is created should be indicated. This is particularly important when the analyzed tool

chains are reused in other projects.

3.2.6 Compute the Tool Confidence Level

After the assignment of checks and restrictions to errors and the estimation of detection probabilities, the tool error detection levels (TD)

and also the tool confidence level (TCL) can be computed automatically for entire use cases, tools or tool chains. The following rules are used:

TD (Errors): the probability that checks and restrictions for an error reach for an error is the maximum of the probabilities of the

assigned and active/achievable checks and restrictions. TD (Use cases): the probability that checks and restrictions reach

for all potential errors in a use case is the minimum of the probabilities of the errors appearing potentially in it.

TD (Tool): the probability that checks and restrictions reach for all potential errors in a tool is the minimum of the probabilities of all

the use cases in the tool. The tool Confidence Level results from the so determined probabilities

according to ISO 26262 (see Fig 2) as follows:

TD=High => TCL 1 TD=MEDIUM => TCL 2

TD=LOW => TCL3

The TCL can be computed in two ways: 1) With the use of assumptions,

2) Without the use of assumptions. In both calculations only the used use cases are committed. Particularly if

reusable functions models of tools are available (when indicated with high TCL), only the functions that are used in the use cases are considered.

3.2.7 Document the evaluation results

The evaluation results for each tool and the entire tool chain need to be documented in the tool criteria evaluation report, in particular the TCL and

the thoughts it results from. It begins with the Tool Impact documentation (TI) and contains all the needed information for computing the TCL. The

analysis must be confirmed in a “Confirmation Review” that must confirm

the argumentation.

3.2.7.1 TI Determination

For the determination of the tool impact two questions need to be

answered: “Can an error occur in the product?” and

“Can an error be ignored in the product?”. If one of the questions is answered with Yes, then there is a possible

impact. The question must be answered on the basis of the data flow of


the use cases and tools. If no impact can be shown the decision must be

supported with an informal argument. For example, typical justifications for the editor are that the inputs are controlled visually (WYSIWYG) and

the errors would be noticed. The decisions must be documented, this

occurs in chapter 5.

3.2.7.2 TCL Determination

The documentation of the TCL computation must contain all the relevant

relations, in particular the potential errors and their checks and restrictions (incl. probabilities) for all uses cases.

All these information are in chapter 6 of this document. In this chapter there is an overview table listing the determined TCL for each tool. In

addition this chapter must also contain the argumentation for the TCL determination. This is achieved by having a separate and modular section

for each tool. Each tool section has the following structure:

1. Introduction a. tool name

b. short description c. result (TCL)

d. overview of the use cases 2. Use Cases:

for each use case:

a. name of the use case b. short description

c. input / output artifact 3. Potential Errors:

for each error: a. name of the error

b. short description 4. Checks/Restrictions

a. for each check/restriction: i. name of the check/restriction

ii. short description iii. detection/avoidance probability (LOW, MEDIUM, HIGH)

5. If needed, list of assumptions 6. TCL Determination

a. total resulting TCL

b. for each error in each use case:

i. name of the error ii. names of the checks and restrictions

handling the error iii. graphical representation showing

the assignment of checks/restrictions to the error


Note: The computed TCL requires that the considered mitigation

mechanisms are carried out by the users of the tools. This can be ensured by respecting tool safety manuals that contain the mitigations.

3.3 Using the TI C/C++ Compiler

The classification of the tool chain TI C/C++ Compiler Chain of <Customer> described above is supported by a Validas tool called “TI

C/C++ Compiler” (TCA). The TCA automatically determines the TCL of all tools, based on a formal model of tool chain and generates a report (see

chapter 6). The tool is available for free and can be obtained from [TCA].The created model for TI C/C++ Compiler Chain was validated

through a consistency check and a review of the user in <Customer>before the creation of this report. Therefore the following

steps are needed for a new generation of this report: Model adaptation (see section 3.3.1),

Consistency check of the model (see section 3.3.2), Model review (see section 3.3.3) and

Report generation (see section 3.3.4).

The steps are described in the following sections. Details can be found in

[TCA_UM] and can be learned in a training course on the tool.

3.3.1 Modeling

The model of the tool chain TI C/C++ Compiler Chain consists of an element “ToolChain” that contains an element “Tool” for every tool of the

tool chain. It also contains the used artifacts that show the relation between the tools.

For each tool, the use cases are modeled, in which the tool is used in <Customer>. Potential errors, checks and restrictions are assigned with

their probabilities to each use case. The error elements are related to the checks and the restrictions that detect or avoid them. The TD and the TCL

are computed according to ISO 26262 (see section 3.1.2 and 3.2.6) with the probabilities of the assigned checks and restrictions. If several use

cases use the same functionalities in a tool, then it makes sense to model these tool functionalities as features. Since each feature can be used by

several use cases, it is possible to avoid redundant error definitions as the

errors are not individually defined for each use case, but they are assigned the features, in which they can occur. The errors of the features

can be reused. They are inferred to the use cases and represented as “Inferred Error” elements.

The tool chain model can be used in different variants or can be extended to new variants. The variants are managed in the element “ToolChain”.

The elements (tools, use cases, artifacts) that are not considered in all variants have a link to the variants in which they are considered.

The reviewed errors are important for the quality of the analysis. Therefore, the tools support a systematic process to identify potential


errors (black box and white box). These are assigned to the artifacts and

the use cases through attributes. The attributes are listed in the ToolChain model under “DefaultErrorAttributes”. Errors that derive from attributes

are called “Derived Errors” and can be disabled from the model, but before

they must be listed in specific errors (list of “subsumed errors”) for the use cases.

The source of the modeled information in the TCA is different. The model integrates information from the process, the used tools and the systematic

error model and generates the reports with the TCLs (see Fig 3).

Fig 3: Validas TI C/C++ Compiler and its environment

The model can be directly created in the tool. Some information can also

be imported via an Excel interface (e.g. the Tool Artifact Matrix).

3.3.2 Validation

There are two steps for the model validation: 1. Consistence check of the model and

2. Textual and technical check (review).

The review is described in section 3.3.3. The model validation is started by right clicking on the model and selecting the feature “Validate” (see Fig 4).

Then, all the tests described in [TCA_UM], chapter 8.5 are executed on the selected model element.


Fig 4: validation start in TCA

No more errors should occur. The following tests could be exceptions (see

[TCA_UM] for detailed descriptions of the checks): Deactivated (checks deactivated elements): this condition may be

violated only by tools that are modelled in this chain, but can not be

used (for example to analyse a variant of a tool chain). UseCaseComplete (checks if the use case contains an error model):

this condition may be violated only by use cases, which are carried out by people (e.g. a review). . In this case the incompleteness

message which indicates missing errors is acceptable. In the present tool chain TI C/C++ Compiler Chain no other “syntactic

violations” exist.

3.3.3 Review

The review of the model ensures the textual and technical correctness of the model in the first instance. This is especially necessary if the modeler

and the assistants who carry out the test are different people, e.g. model creation by the Validas employees or central departments for specific

development projects. The review can be done in the model or in excel.

An excel table is generated, that generates the following columns for each

error, check and restriction in all use cases/tools: Name of the reviewer

Is the probability correctly slected/computed (OK/NOK)? Is the check/restriction performed (true/false)?

Comment, e.g. are there further elements? Or reasons for differences.

The lines in the table are grouped by tools and use cases. The excel export is generated by right-clicking on the tool chain element and

selecting the menu item Export -> Excel review (see Fig 5).


Fig 5: Export Review Table

3.3.4 Report generation

The report generation is also started by right-clicking on the tool chain

elements (see Fig 6).


Fig 6: Starting point of report generation

A configuration dialog appears. In this dialog, an output file can be selected. Different settings can be configured, as described in [TCA_UM].

The generated report (see chapter 6) contains a table with the chosen options at the beginning. To generate the same report again, the settings

from the existing reports must be applied.


Fig 7: configuration dialog for the report generation

The generated report can contain graphs (e.g. for each analyzed potential error). The exported images use the following conventions:

Elements are coloured according to their criticality (confidence

requirement) with the following conventions:

o Uncritical / HIGH detection probability: green (light grey in

black & white export),

o Medium / MEDIUM detection probability: orange (dark grey in

black & white export),

o Critical / LOW detection probability: red (black in black &

white export).

The criticality of elements is determined as follows:

o Check: detection probability,

o Restriction: avoidance probability,

o Error: error detection probability,

o Use case/feature: Tool Confidence Level (TCL1=green/light

grey, TCL2=orange/dark grey, TCL3=red/black),

o Tool: also TCL (TCL1=green/light grey, TCL2=orange/dark

grey, TCL3=red/black),

o Artifacts are coloured according to their usage in the model:

Green/light grey: read and written artifact,

Orange/dark grey: only written artifact that is not used,

Red/black: artifact that is not read, or written.

When needed, the main element is emphasized with a thick border

(e.g. the considered error).

When it is necessary to distinguish between elements the following

shapes are used:


o Use-case: Oval node,

o Feature: Diamond node,

o Error: rectangle box,

o Check/Restriction: Octagon node,

o Tool: Component node (atomic) or dashed square boxes

(hierarchical)

o Artifact: Annotation node (square with a labelled right upper

corner).

The following links between the element are used:

o Dotted lines (labelled with Error / Check) denote the

containment relation of the model, i.e. the pointed element is

contained in the pointing,

o Dashed lines (labelled with requires or calls) denote the

dependency of the line,

o Solid lines have the denotation of the label.

Fig 8: Error View Example


Fig 9: Error View Example (Black/White)

An example for an image with the above elements is shown above (see

Fig 8 and Fig 9). It explains the error “Non-Executable Code” of a linker which is marked in a rectangle with thick border. This error could appear

in the use case “PC Compiler” and detected by “Test Tool” with a high probability.

3.4 Using the Qualification Tool

Within some qualification kits created from Validas, there is a special

purpose qualification tool that eases the qualification process by A model for the tool with features, potential errors and possible

mitigations Guiding the user throw the qualification process,

Selecting the required features, Selecting the mitigations that can be applied in the process,

Generation of the documents (including this classification report) and

Generation of the tool chain analyzer model (.tca file).

In this case the Tool Chain Analyzer is not necessary and is only an optional tool to extend the qualification kit by new features, new errors

and mitigation measures.

4 Tool Chain Definition

The tool chain model TI C/C++ Compiler Chain was created by Validas

AG, based on process description of the <Customer> and taking into

account feedbacks. The model has been reviewed by the experts with tool responsibilities and thus it is a valid model of the current TI C/C++


Compiler Chain. The other projects that want to use the existing

classification results have to ensure that: a) the tool chain is used as described (data flow, counter-measures,…),

b) no new tools, features/use cases in particular are added.

Under these circumstances, the model is valid, and the tool confidence level that has been calculated is actually the level of the used tool chain

and the used tools. The conformity of the model and of this report must be checked for each other development projects (as imposed by the ISO

“Confirmation Review” of the TCL und the required qualification measures, see [ISO26262], 8- 11.4.10).

In addition to the generated classification of the tools in this report, the

following information about all used tools have to be determined (e.g. in the Safety Manual of the tool chain or individual tools):

version of the tool (is important in particular for qualified tools, since each tool-related change needs to be re-qualified),

tool configuration(s), tool environment,

maximum risk level (ASIL,SIL or Risk Class) of the tool or any

existing qualifications, description of the features/user manual,

known errors and measures. Particularly the last point is important for a tool management, because the

users must be informed about tools mistakes of qualified tools.

5 Tool Impact Determination

The Tool Impact (TI) of the tool chain TI C/C++ Compiler Chain was

determined as described in section 3.2.3 and 3.2.3.7.1. The Tool Impact is specified with the calculation of the TCL in section 6 under the result

overview and for every tools and every Use-Case separately. An Excel table [TI] from the TCA was generated to get a better view and

to validate the closed impact. In that table a data flow path from and to the artifacts can be analysed near the applied and if necessary the

justified it in the product.


Fig 12: TI determination in Excel

Fig 12 shows an exemplary determination of the tool impact in one of the exported (and importable) Excel table. The tool impact for the tool chain

TI C/C++ Compiler Chain is in [TI] or in section 6.


6 TCL Details of TI Compiler Tools

This chapter has been generated from the formal tool chain model and contains all relevant

information to determine the TCLs of the used tools.

Table 1 shows the settings and Table 2 shows the active variants with which this document

was generated. For further details of the report creation see section "Report Generation" of the

User Manual.

Setting Value

Compact Report True

With Assumptions Chapters False

Include Subsumes True

Include Images False

Table 1 Settings for this documentation

Variant Settings

Active Variants:

ARM Family

Table 2 Variant Settings

The report starts with an overview of the analysis results, then describes each tool in detail,

including TCL determination, and concludes with an appendix for further information.

ToolChain: TI Compiler Tools

Description:

-None-

TCL Determination:

TCL 3

Use Assumptions:

False

Table 3 ToolChain: TI Compiler Tools

6.1 TCL Result Overview

Table 4 shows the result of the tool evaluation, particulary the tool confidence levels.

Name Tool Impact (TI) Tool

Detection

(TD)

Tool

Confidence

Level (TCL)

Assumptions

Archiver TI 2 (Impact) TD 1

(HIGH)

TCL 1 -

C/C++ Compiler TI 2 (Impact) TD 3

(LOW)

TCL 3 -

Compiler Utilities TI 2 (Impact) TD 2

(MEDIUM)

TCL 2 -


Hex Converter TI 2 (Impact) TD 2

(MEDIUM)

TCL 2 -

Linker TI 2 (Impact) TD 3

(LOW)

TCL 3 -

Table 4 Evaluation Results of TI Compiler Tools

6.2 Archiver

This section explains the determination of the Tool Confidence Level (TCL) for the tool

Archiver.

Tool: Archiver

Description:

The ARM archiver in the executable armar

The ARM archiver lets you combine several individual files into a single archive file.

For example, you can

collect several macros into a macro library. The assembler searches the library and uses

the members

that are called as macros by the source file. You can also use the archiver to collect a

group of object files

into an object library. The linker includes in the library the members that resolve external

references during

the link. The archiver allows you to modify a library by deleting, replacing, extracting, or

adding members.

On architectures like ARM, it is often desirable to have multiple versions of the same

object file libraries,

each built with different sets of build options. When several versions of a single library

are available, the

library information archiver can be used to create an index library of all the object file

library versions. This

index library is the used in the link step in place of a particular version of your object file

library.

Impact:

TI 2 (Impact)

Tool Confidence Level:

TCL 1

Table 5 Tool: Archiver

The tool Archiver is modeled with 15 elements which have impact, none of them are

assumptions. In addition there have been modeled 7 features, none of them are assumptions.

Elements Amount (Assumptions)

Use Cases 1 (0)

Checks 2 (0)

Restrictions 0 (0)

Potential Errors 12 (0)

Table 6 Amount of Elements in Tool Archiver


6.2.1 Use Cases of Archiver

This section describes all analyzed use cases of Archiver in separate subsections.

The following use cases of the tool Archiver are considered:

1. Example Use Case of Archiver, see Section 6.2.1.1

6.2.1.1 Use Case Example Use Case of Archiver

This section describes the use case "Example Use Case of Archiver".

Use Case: Example Use Case of Archiver

Description:

-None-

Table 7 Use Case: Example Use Case of Archiver

The use case requires 3 features and calls no other use cases.

"Example Use Case of Archiver" uses following features:

Create Library

Extract

Libinfo

"Example Use Case of Archiver" uses following safety guidelines:

SG_Arch_HashSum

SG_Arch_RefFileList

"Example Use Case of Archiver" has the following 3 features that have high error detection

probability:

Create Library

Extract

Libinfo

6.2.2 Required Features of Archiver

This section describes all 3 required features of Archiver.

The following tables give an overview of the considered features of Archiver.

Feature: Create Library

Description:

Create library of object files

Errors:

Change Behavior

No Archive Created

Too Few Files

Too Many Files

Table 8 Feature: Create Library


Feature: Extract

Description:

-x

Extract object files from library.

Errors:

Change Behavior

No Files Extracted

Too Few Files

Too Many Files

Table 9 Feature: Extract

Feature: Libinfo

Description:

libinfo tool

Create index library

Errors:

Change Behavior

No Index Created

Too Few Files

Too Many Files

Table 10 Feature: Libinfo

6.2.3 Potential Errors in Archiver

For the tool 12 different potential errors are considered in 12 with occurrences in use cases:

Change Behavior (Table 16)



No Archive Created (Table 19)

No Files Extracted (Table 20)

No Index Created (Table 21)

Too Few Files (Table 23)



Too Many Files (Table 25)



The error flow consists of all relations from errors to checks or restrictions.

There is no relation from errors caused by other tools to checks or restrictions defined

for use cases of this tool.

There are 12 relations from errors caused by this tool to checks or restrictions defined


There is no relation from errors caused by this tool to checks or restrictions defined for

use cases of other tools.


6.2.4 Required Safety Guidelines of Archiver

This section describes all 2 applied safety guidelines of Archiver.

The following tables give an overview of the applied safety guidelines of Archiver .

Safety Guidelines,SG_Archiver,SG_Arch_HashSum

Description:

Container for the mitigation

Contains the following checks:

Hash Sum

Table 11 Safety Guidelines,SG_Archiver,SG_Arch_HashSum

Safety Guidelines,SG_Archiver,SG_Arch_RefFileList

Description:



Compare With Reference List

Table 12 Safety Guidelines,SG_Archiver,SG_Arch_RefFileList

6.2.5 Restrictions in Archiver

For the tool Archiver no restrictions are considered.

6.2.6 Checks in Archiver

The following 2 checks are performed in the tool Archiver.

Check: Compare With Reference List

Description:

The output of the archiver are compared with a reference file list that contains the

expected files

Comment:

Any other use of the output files, e.g. in an automated packaging process is equivalent to

this check

From Feature:

Archiver,Archiver,Archiver,Safety Guidelines,SG_Archiver,SG_Arch_RefFileList

Occurrences:

in SG_Arch_RefFileList in Example Use Case of Archiver

Error detection probability:

TD 1 (HIGH)

Detected errors:

Create Library,No Archive Created

Create Library,Too Few Files

Create Library,Too Many Files

Extract,No Files Extracted

Extract,Too Few Files

Extract,Too Many Files

Libinfo,No Index Created

Libinfo,Too Few Files


Libinfo,Too Many Files

Table 13 Check: Compare With Reference List

Check: Hash Sum

Description:

Using a hash code of the file(s) it can be detected if they deviate from the expectations

Comment:

A binary comparisson with reference values is equivalent to this check

From Feature:

Archiver,Archiver,Archiver,Safety Guidelines,SG_Archiver,SG_Arch_HashSum

Occurrences:

in SG_Arch_HashSum in Example Use Case of Archiver


TD 1 (HIGH)

Detected errors:

Create Library,Change Behavior

Extract,Change Behavior

Libinfo,Change Behavior

Table 14 Check: Hash Sum

6.2.7 TCL Determination

This section determines a TCL for each use case by assigning checks or restrictions with

detection/avoidance probability to each potential error. The TCL for the entire tool can be

derived from the TCL for each use case. The tool Archiver has one use case with TCL 1, no

use case with TCL 2 and no use case with TCL 3. Therefore the tool Archiver has TCL 1.

The use cases are described in the following sections:

For "Example Use Case of Archiver" (TCL 1) see Section 6.2.7.1.

6.2.7.1 TCL Determination for Use Case: Example Use Case of Archiver

The use case "Example Use Case of Archiver" has TCL 1. The TCL is determined by the

lowest Tool Detection Level (TD) of all errors of the use case. The use case "Example Use

Case of Archiver" has 3 features that have been modeled and from which the potential errors

are inferred. There are 12 potential errors in "Example Use Case of Archiver": 12 with TD 1,

0 with TD 2 and 0 with TD 3. The 12 potential errors are described in the remainder of this

section.

The following table gives an overview of the errors of "Example Use Case of Archiver".

Error TD Table

Change Behavior TD 1 (HIGH) Table 16



No Archive Created TD 1 (HIGH) Table 19

No Files Extracted TD 1 (HIGH) Table 20

No Index Created TD 1 (HIGH) Table 21

Too Few Files TD 1 (HIGH) Table 22




Too Many Files TD 1 (HIGH) Table 25



Table 15 Errors of Use Case: Example Use Case of Archiver

Error: Change Behavior

Description:

Archiver corrupts object files when creating index library

From Feature:

Libinfo

Discovered by the following checks:

Safety Guidelines,SG_Archiver,SG_Arch_HashSum.Hash Sum

Occurrences:

in Libinfo in Example Use Case of Archiver

Table 16 Error: Change Behavior


Description:

Archiver corrupts object files when extracting

From Feature:

Extract



Occurrences:

in Extract in Example Use Case of Archiver



Description:

Archiver corrupts object files when creating library

From Feature:

Create Library



Occurrences:

in Create Library in Example Use Case of Archiver


Error: No Archive Created

Description:

Archiver does not create library of object files

From Feature:

Create Library



Safety Guidelines,SG_Archiver,SG_Arch_RefFileList.Compare With Reference List

Occurrences:


Table 19 Error: No Archive Created

Error: No Files Extracted

Description:

Archiver does not extract any object files

From Feature:

Extract



Occurrences:


Table 20 Error: No Files Extracted

Error: No Index Created

Description:

Archiver does not create index library

From Feature:

Libinfo



Occurrences:


Table 21 Error: No Index Created

Error: Too Few Files

Description:

Archiver adds too few libraries when creating index library

From Feature:

Libinfo



Occurrences:


Table 22 Error: Too Few Files


Description:

Archiver extracts too few object files

From Feature:

Extract




Occurrences:




Description:

Archiver adds too few object files when creating library

From Feature:

Create Library



Occurrences:



Error: Too Many Files

Description:

Archiver adds too many libraries when creating index library

From Feature:

Libinfo



Occurrences:


Table 25 Error: Too Many Files


Description:

Archiver extracts too many object files

From Feature:

Extract



Occurrences:




Description:

Archiver adds too many object files when creating library

From Feature:

Create Library




Occurrences:



6.3 C/C++ Compiler


C/C++ Compiler.

Tool: C/C++ Compiler

Description:

The TI ARM compiler: parser, optimizer, code generator, assembler, invoked through

the shell utility

The compiler translates your source program into machine language object code that the

TMS320C28x

can execute. Source code must be compiled, assembled, and linked to create an

executable object file. All

of these steps are executed at once by using the compiler.

Impact:

TI 2 (Impact)


TCL 3

Table 28 Tool: C/C++ Compiler

Identification: Version 504

Description:

The version 5.0.4 of the TI C/C++ Compiler

ID:

-None-

Version:

5

Release:

5.0.4

Environments:

-None-

Configurations:

see use case in [TCP] (Section 6.2.1.1)

Installation:

-None-

Documentation:

-None-

Table 29 Identification: Version 504

The tool C/C++ Compiler is modeled with 51 elements which have impact, none of them are

assumptions. In addition there have been modeled 116 features, none of them are

assumptions.



Use Cases 1 (0)

Checks 13 (0)

Restrictions 0 (0)


Table 30 Amount of Elements in Tool C/C++ Compiler

6.3.1 Use Cases of C/C++ Compiler

This section describes all analyzed use cases of C/C++ Compiler in separate subsections.

The following use cases of the tool C/C++ Compiler are considered:

1. Example Use Case, see Section 6.3.1.1

6.3.1.1 Use Case Example Use Case

This section describes the use case "Example Use Case".

Use Case: Example Use Case

Description:

This is just an example use case that shows how a use case is configured by selecting

your required features.

Comment:

Change use according to your needs.

Table 31 Use Case: Example Use Case


"Example Use Case" uses following features:

16 Bit Thumb Code Generation

ARM Target Specific Code

Big endian code generation

C language source

EABI specific code generation

Include path update

MISRA C source diagnostics

Output file directory

Predefined symbol (macros) support

"Example Use Case" uses following safety guidelines:

SG_Comp_FixConfig

SG_Compiler

SG_General

SG_Linker

SG_Lnk_CompOutputList

SG_Lnk_ReviewDissaembler

SG_Lnk_ReviewLinkInfo

SG_Lnk_ReviewMapfileSimple


SG_Misra

SG_Misra_Redundancy

SG_OutFiles

SG_Out_CompareWithList

SG_Out_PchCompare

SG_Parser

SG_Pre_Redundancy

SG_Preprocessor

SG_TBD

SG_TargetTest

SG_Test_Debug

SG_Test_General

SG_Test_Intensive

Safety Guide

"Example Use Case" has the following 4 features that have high error detection probability:


Include path update



6.3.2 Required Features of C/C++ Compiler

This section describes all 9 required features of C/C++ Compiler.

The following tables give an overview of the considered features of C/C++ Compiler.

Feature: 16 Bit Thumb Code Generation

Description:

-mt, --code_state=16

Errors:

Change behavior

Missing code

No output

Table 32 Feature: 16 Bit Thumb Code Generation

Feature: ARM Target Specific Code

Description:

-mv4, -mv5e, -mv6, -mv6M0, -mv7A8, -mv7M3, -mv7M4, -mv7R4

ARM target specific code generation.

Errors:

Change behavior

Missing code

No output

Wrong code

Table 33 Feature: ARM Target Specific Code

Feature: Big endian code generation


Description:

none, --endian=big

Errors:

Change behavior

Missing code

No output

Wrong code

Table 34 Feature: Big endian code generation

Feature: C language source

Description:

none, -fc

Errors:

Change behavior

Error not detected

No output

Non-functional output

Wrong configuration

Wrong source used

Table 35 Feature: C language source

Feature: EABI specific code generation

Description:

--abi=eabi

Errors:

Change behavior

Missing code

No output

Wrong code

Table 36 Feature: EABI specific code generation

Feature: Include path update

Description:

-| <path>

Errors:

Change behavior

No output

Wrong path

path not updated

Table 37 Feature: Include path update

Feature: MISRA C source diagnostics

Description:

--check_misra

Errors:


Change behavior

No diagnostics

No output

Wrong diagnostics

Table 38 Feature: MISRA C source diagnostics

Feature: Output file directory

Description:

-ft, -fr, -fs

Errors:

Change behavior

No output

Output Directory Wrong

Wrong Directory

Table 39 Feature: Output file directory

Feature: Predefined symbol (macros) support

Description:

-D, -U

Errors:

Change behavior

No output

Symbol ignored

Wrong symbol

Table 40 Feature: Predefined symbol (macros) support

6.3.3 Potential Errors in C/C++ Compiler


Change behavior (Table 77)









Error not detected (Table 81)

Missing code (Table 83)




No diagnostics (Table 86)

No output (Table 92)










Non-functional output (Table 96)

Output Directory Wrong (Table 97)

Symbol ignored (Table 99)

Wrong Directory (Table 105)

Wrong code (Table 100)



Wrong configuration (Table 103)

Wrong diagnostics (Table 104)

Wrong path (Table 106)

Wrong source used (Table 107)

Wrong symbol (Table 108)

path not updated (Table 98)








6.3.4 Required Safety Guidelines of C/C++ Compiler

This section describes all 17 applied safety guidelines of C/C++ Compiler.

The following tables give an overview of the applied safety guidelines of C/C++ Compiler .

Safety Guide

Description:

This virtual feature contains safety guidelines can be selected within use cases in order to

apply the checks

Table 41 Safety Guide

Safety Guide,SG_Compiler

Description:

Container for guidelines for the compiler

Table 42 Safety Guide,SG_Compiler

Safety Guide,SG_General

Description:

General safety guidelines


Table 43 Safety Guide,SG_General

Safety Guide,SG_Misra

Description:

Guidelines for MISRA checks

Table 44 Safety Guide,SG_Misra

Safety Guide,SG_Misra,SG_Misra_Redundancy

Description:

Guideline to use a third party checker


Third Party Checker

Table 45 Safety Guide,SG_Misra,SG_Misra_Redundancy

Safety Guide,SG_OutFiles

Description:

Guidelines for the output file checks

Table 46 Safety Guide,SG_OutFiles

Safety Guide,SG_OutFiles,SG_Out_CompareWithList

Description:

guideline to apply the comaprisson with output reference list


Reference List

Table 47 Safety Guide,SG_OutFiles,SG_Out_CompareWithList

Safety Guide,SG_OutFiles,SG_Out_PchCompare

Description:

Guideline to apply this comparisson


Precompiled Reference List

Table 48 Safety Guide,SG_OutFiles,SG_Out_PchCompare

Safety Guide,SG_Parser

Description:

Guidelines for the parser

Table 49 Safety Guide,SG_Parser

Safety Guide,SG_Parser,SG_Comp_FixConfig

Description:

Guideline to fix the configuration of the parser


Use Config File


Table 50 Safety Guide,SG_Parser,SG_Comp_FixConfig

Safety Guide,SG_Preprocessor

Description:

Safety guidelines for the preprocessor feature

Table 51 Safety Guide,SG_Preprocessor

Safety Guide,SG_Preprocessor,SG_Pre_Redundancy

Description:

Guideline to apply the comparisson with a redundant preprocessor


Third Party Preprocessor

Table 52 Safety Guide,SG_Preprocessor,SG_Pre_Redundancy

Safety Guide,SG_TargetTest

Description:

If the compiled code is tested on the target and if it is tested in all possible situations than

all relevant compiler errors can be found

Inputs:

Executable file

Table 53 Safety Guide,SG_TargetTest

Safety Guide,SG_TargetTest,SG_Test_Debug

Description:

Guideline to apply a testrun before and after debug information generation


Debugger Run

Table 54 Safety Guide,SG_TargetTest,SG_Test_Debug

Safety Guide,SG_TargetTest,SG_Test_General

Description:

Guideline to do a general test


General Testrun

Table 55 Safety Guide,SG_TargetTest,SG_Test_General

Safety Guide,SG_TargetTest,SG_Test_Intensive

Description:

Container for the safety guideline


Intensive Target Testing

Table 56 Safety Guide,SG_TargetTest,SG_Test_Intensive


Safety Guide,SG_TBD

Description:

Container for safety guidelines that hvae to be defined from the user in his procss


To Be Defined By User

Table 57 Safety Guide,SG_TBD

6.3.5 Restrictions in C/C++ Compiler

For the tool C/C++ Compiler no restrictions are considered.

6.3.6 Checks in C/C++ Compiler

The following 13 checks are performed in the tool C/C++ Compiler.

Check: Compare Linker Output Files with Reference File List

Description:

The generated amount of files will be compared with a reference file list, which contains

all file names that have to be created

From Feature:

Linker,Linker,Linker,Safety Guide,SG_Linker,SG_Lnk_CompOutputList

Occurrences:

in SG_Lnk_CompOutputList in Example Use Case


TD 1 (HIGH)

Detected errors:

Add to library search path,No output

BE-8 and BE-32 object file support,No Output

Control linker diagnostics,No Output

Control symbol linkage,No Output

Control variable initialization,No output

Copy Tables,No Output

Create executable object file,No executable

Disable COFF conditional linking,No Output

Generate map file,No map file

Generate map file,No output

Generate xml link info file,No info file

Generate xml link info file,No output

LCF MEMORY directives,No Output

LCF SECTIONS directives,Change Behavior

LCF SECTIONS directives,No Output

LCF UNION and GROUP statements,No Output

LCF assignment of symbols,No Output

LCF creating and filling holes,No Output

Link time optimizations,No Output

Linker preprocessing,No Output

Partial Linking,No object file

Preferred function ordering,No Output

Set executable entry point,No Output


Set heap size,No output

Set output file name,No output file name

Set output file name,Wrong output file name

Set stack size,No output

Support library input files,No output

Table 58 Check: Compare Linker Output Files with Reference File List

Check: Debugger Run

Description:

General testrun in the debugger

From Feature:

C/C++ Compiler,C/C++ Compiler,C/C++ Compiler,Safety

Guide,SG_TargetTest,SG_Test_Debug

Occurrences:

in SG_Test_Debug in Example Use Case


TD 1 (HIGH)

Table 59 Check: Debugger Run

Check: General Testrun

Description:

A simple test run can exclude many errors in the tool chain which result in a non

runnable image file. If other test are executed the general test run can be omitted

From Feature:


Guide,SG_TargetTest,SG_Test_General

Occurrences:

in SG_Test_General in Example Use Case


TD 1 (HIGH)

Detected errors:

Big endian code generation,Missing code

Big endian code generation,Wrong code

C language source,Non-functional output

Include path update,Wrong path

Include path update,path not updated

Table 60 Check: General Testrun

Check: Intensive Target Testing

Description:

-None-

From Feature:


Guide,SG_TargetTest,SG_Test_Intensive

Occurrences:

in SG_Test_Intensive in Example Use Case



TD 1 (HIGH)

Detected errors:

16 Bit Thumb Code Generation,Change behavior

ARM Target Specific Code,Change behavior

Big endian code generation,Change behavior

C language source,Change behavior

C language source,Error not detected

EABI specific code generation,Change behavior

Include path update,Change behavior

MISRA C source diagnostics,Change behavior

Output file directory,Change behavior

Predefined symbol (macros) support,Change behavior

Table 61 Check: Intensive Target Testing

Check: Precompiled Reference List

Description:

Compare output with a list of reference files that should exists

From Feature:


Guide,SG_OutFiles,SG_Out_PchCompare

Occurrences:

in SG_Out_PchCompare in Example Use Case


TD 1 (HIGH)

Table 62 Check: Precompiled Reference List

Check: Reference List

Description:

Compare output with reference file list

From Feature:


Guide,SG_OutFiles,SG_Out_CompareWithList

Occurrences:

in SG_Out_CompareWithList in Example Use Case


TD 1 (HIGH)

Detected errors:

16 Bit Thumb Code Generation,No output

ARM Target Specific Code,No output

Big endian code generation,No output

C language source,No output

EABI specific code generation,No output

Include path update,No output

MISRA C source diagnostics,No output

Output file directory,No output


Table 63 Check: Reference List

Check: Review Against Link Info

Description:

Detailed review of xml link info file against linker command file

Comment:

For the assigned errors (wrong info, wrong map files) the property is high

From Feature:

Linker,Linker,Linker,Safety Guide,SG_Linker,SG_Lnk_ReviewLinkInfo

Occurrences:

in SG_Lnk_ReviewLinkInfo in Example Use Case


TD 1 (HIGH)

Detected errors:

Generate map file,Wrong map file

Generate xml link info file,Wrong info file

Table 64 Check: Review Against Link Info

Check: Review Mapfile

Description:

Detailed review of linker map file or xml link info file

Comment:

Only for elements that are easy to review is the probability high

From Feature:

Linker,Linker,Linker,Safety Guide,SG_Linker,SG_Lnk_ReviewMapfileSimple

Occurrences:

in SG_Lnk_ReviewMapfileSimple in Example Use Case


TD 1 (HIGH)

Detected errors:

Add to library search path,Wrong paths

BE-8 and BE-32 object file support,Incorrect Objects Used

Control symbol linkage,No Symbol Control

Control symbol linkage,Wrong Symbol Control

LCF MEMORY directives,MEMORY Directive Defect

LCF SECTIONS directives,Ignore SECTION Directive

LCF SECTIONS directives,SECTION Directive Defect

LCF UNION and GROUP statements,Ignore UNION and GROUP

LCF UNION and GROUP statements,UNION and GROUP Defect

LCF assignment of symbols,Assignment Defect

LCF assignment of symbols,Igonre Assignment

LCF creating and filling holes,Ignore Hole Filling

Link time optimizations,No LTO

Linker preprocessing,No Preprocessing

Linker preprocessing,Wrong Preprocessing


Set executable entry point,No Entry Point

Set executable entry point,Wrong Entry Point

Set heap size,No heap size

Set heap size,Wrong heap size

Set stack size,No stack size

Set stack size,Wrong stack size

Support library input files,Wrong input files

Table 65 Check: Review Mapfile

Check: Review with Disassembler

Description:

Detailed review of disassembled boot object code

From Feature:

Linker,Linker,Linker,Safety Guide,SG_Linker,SG_Lnk_ReviewDissaembler

Occurrences:

in SG_Lnk_ReviewDissaembler in Example Use Case


TD 2 (MEDIUM)

Detected errors:

CRC tables,Incorrect CRC

CRC tables,No CRC

Control variable initialization,No initialization

Control variable initialization,Wrong initialization

Copy Tables,Copy Tables Defect

Copy Tables,Copy Tables Ignored

Disable COFF conditional linking,No Disabling

Link time optimizations,No LTO

Preferred function ordering,Ordering Defect

Table 66 Check: Review with Disassembler

Check: Third Party Checker

Description:

Parse source code with second MISRA C checker

The Misra rules are standardized. So the output of the TI parser can be compared with a

Third-Party-Misra Checker.

From Feature:


Guide,SG_Misra,SG_Misra_Redundancy

Occurrences:

in SG_Misra_Redundancy in Example Use Case


TD 1 (HIGH)

Detected errors:

MISRA C source diagnostics,No diagnostics

MISRA C source diagnostics,Wrong diagnostics

Table 67 Check: Third Party Checker


Check: Third Party Preprocessor

Description:

Compare .ppd files with third party preprocessor

From Feature:


Guide,SG_Preprocessor,SG_Pre_Redundancy

Occurrences:

in SG_Pre_Redundancy in Example Use Case


TD 1 (HIGH)

Detected errors:

Predefined symbol (macros) support,No output

Predefined symbol (macros) support,Symbol ignored

Predefined symbol (macros) support,Wrong symbol

Table 68 Check: Third Party Preprocessor

Check: To Be Defined By User

Description:

This check has to be defined from the user to detect the assigned errors with a HIGH

probability

A high probability is usually achieved by autmated scripts or other tools that produce

comparable results and the results are compared with the results of this tool.

Comment:

Currently we do not have tests for that feature, but we are working on them in order to

reduce the tasks for the user to implement this check.

From Feature:

C/C++ Compiler,C/C++ Compiler,Safety Guide,SG_TBD

Occurrences:

in SG_TBD in Example Use Case


TD 1 (HIGH)

Table 69 Check: To Be Defined By User

Check: Use Config File

Description:

Compiler Configuration File Used for the settings of the compiler

From Feature:


Guide,SG_Parser,SG_Comp_FixConfig

Occurrences:

in SG_Comp_FixConfig in Example Use Case


TD 1 (HIGH)

Detected errors:

C language source,Wrong configuration


Table 70 Check: Use Config File




derived from the TCL for each use case. The tool C/C++ Compiler has no use case with TCL

1, no use case with TCL 2 and one use case with TCL 3. Therefore the tool C/C++ Compiler

has TCL 3.


For "Example Use Case" (TCL 3) see Section 6.3.7.1.

6.3.7.1 TCL Determination for Use Case: Example Use Case

The use case "Example Use Case" has TCL 3. The TCL is determined by the lowest Tool

Detection Level (TD) of all errors of the use case. The use case "Example Use Case" has 9

features that have been modeled and from which the potential errors are inferred. There are 37

potential errors in "Example Use Case": 29 with TD 1, 0 with TD 2 and 8 with TD 3. The 37

potential errors are described in the remainder of this section.

The following table gives an overview of the errors of "Example Use Case".

Error TD Table

Change behavior TD 1 (HIGH) Table 72









Error not detected TD 1 (HIGH) Table 81

Missing code TD 3 (LOW) Table 82

Missing code TD 1 (HIGH) Table 83



No diagnostics TD 1 (HIGH) Table 86

No output TD 1 (HIGH) Table 87









Non-functional output TD 1 (HIGH) Table 96

Output Directory Wrong TD 3 (LOW) Table 97

path not updated TD 1 (HIGH) Table 98


Symbol ignored TD 1 (HIGH) Table 99

Wrong code TD 3 (LOW) Table 100

Wrong code TD 1 (HIGH) Table 101

Wrong code TD 3 (LOW) Table 102

Wrong configuration TD 1 (HIGH) Table 103

Wrong diagnostics TD 1 (HIGH) Table 104

Wrong Directory TD 3 (LOW) Table 105

Wrong path TD 1 (HIGH) Table 106

Wrong source used TD 3 (LOW) Table 107

Wrong symbol TD 1 (HIGH) Table 108

Table 71 Errors of Use Case: Example Use Case

Error: Change behavior

Description:

Compiler changes the behavior of the C source

From Feature:

C language source


Safety

Guide,SG_Compiler,SG_Comp_ComparingRun,SG_Comp_ThirdParty.Compiling

With Second Compiler

Safety Guide,SG_TargetTest,SG_Test_Intensive.Intensive Target Testing

Occurrences:

in C language source in Example Use Case

Table 72 Error: Change behavior


Description:

Change the behavior of the source when compiling with MISRA C diagnostics

From Feature:



Safety




Occurrences:

in MISRA C source diagnostics in Example Use Case



Description:

Change the behavior of the source when compiling for ARM target specific code

From Feature:




Safety




Occurrences:

in ARM Target Specific Code in Example Use Case



Description:

Change the behavior of the source when compiling with include path

From Feature:

Include path update


Safety




Occurrences:

in Include path update in Example Use Case



Description:

Change the behavior of the source when compiling for big endian

From Feature:



Safety




Occurrences:

in Big endian code generation in Example Use Case



Description:

Change the behavior of the source when compiling with output directories

From Feature:



Safety Guide,SG_Compiler,SG_Comp_ComparingRun,SG_Comp_Comp

OutputDir.Compare Output Directory Effect

Safety





Occurrences:

in Output file directory in Example Use Case



Description:

Change the behavior of the source when compiling for EABI

From Feature:



Safety




Occurrences:

in EABI specific code generation in Example Use Case



Description:

Change the behavior of the source when compiling with predefined symbols

From Feature:



Safety




Occurrences:

in Predefined symbol (macros) support in Example Use Case



Description:

Change the behavior of the source when compiling for 16-bit thumb code

From Feature:



Safety




Occurrences:

in 16 Bit Thumb Code Generation in Example Use Case



Error: Error not detected

Description:

Error in C source when compiling not detected

From Feature:

C language source


Safety




Occurrences:


Table 81 Error: Error not detected

Error: Missing code

Description:

Compiler does not generate any ARM target specific code

From Feature:



Safety Guide,SG_Reviews,SG_Rev_Ass.Review of Generated Assembler Code

Occurrences:


Table 82 Error: Missing code

Error: Missing code

Description:

Compiler does not generate any big endian code

From Feature:



Safety Guide,SG_TargetTest,SG_Test_General.General Testrun

Occurrences:



Error: Missing code

Description:

Compiler does not generate any EABI code

From Feature:





Occurrences:



Error: Missing code

Description:

Compiler does not generate 16-bit thumb code

From Feature:



Safety Guide,SG_Reviews,SG_Rev_Gen.Review generated assembly or object code

Occurrences:



Error: No diagnostics

Description:

Compiler does not generate any MISRA C diagnostics

From Feature:



Safety Guide,SG_Misra,SG_Misra_Redundancy.Third Party Checker

Safety Guide,SG_Reviews,SG_Rev_Source.Source Code Review

Occurrences:


Table 86 Error: No diagnostics

Error: No output

Description:

No output generated from Compiler for C source

From Feature:

C language source


Safety Guide,SG_OutFiles,SG_Out_CompareWithList.Reference List

Occurrences:


Table 87 Error: No output

Error: No output

Description:

No output generated from compiler when using MISRA C diagnostics

From Feature:





Occurrences:



Error: No output

Description:

No output generated from compiler when compiling for ARM target specific code

From Feature:




Occurrences:



Error: No output

Description:

No output generated from compiler when updating include path

From Feature:

Include path update



Occurrences:



Error: No output

Description:

No output generated from compiler when compiling for big endian

From Feature:




Occurrences:



Error: No output

Description:

No output generated from compiler when specifying output directories

From Feature:




Occurrences:




Error: No output

Description:

No output generated from compiler when compiling for EABI

From Feature:




Occurrences:



Error: No output

Description:

No output generated from compiler when using predefined symbols

From Feature:



Safety Guide,SG_Preprocessor,SG_Pre_Redundancy.Third Party Preprocessor

Occurrences:



Error: No output

Description:

No output generated from compiler for 16-bit thumb code

From Feature:




Occurrences:



Error: Non-functional output

Description:

Non-functional output from compiling C source

From Feature:

C language source



Occurrences:



Table 96 Error: Non-functional output

Error: Output Directory Wrong

Description:

Compiler does not output to specified directory

From Feature:



Safety Guide,SG_Reviews,SG_Rev_Build.Review Build Directory

Occurrences:


Table 97 Error: Output Directory Wrong

Error: path not updated

Description:

Compiler does not update include path

From Feature:

Include path update



Occurrences:


Table 98 Error: path not updated

Error: Symbol ignored

Description:

Compiler ignores predefined symbols

From Feature:




Safety Guide,SG_Reviews,SG_Rev_PPD.PPD File Review

Occurrences:


Table 99 Error: Symbol ignored

Error: Wrong code

Description:

Compiler generates wrong ARM target specific code

From Feature:




Occurrences:



Table 100 Error: Wrong code

Error: Wrong code

Description:

Compiler generates wrong big endian code

From Feature:




Occurrences:



Error: Wrong code

Description:

Compiler generates wrong EABI code

From Feature:




Occurrences:



Error: Wrong configuration

Description:

Compiler wrongly configured for C source

From Feature:

C language source


Safety Guide,SG_Parser,SG_Comp_FixConfig.Use Config File

Occurrences:


Table 103 Error: Wrong configuration

Error: Wrong diagnostics

Description:

Compiler generates wrong MISRA C diagnostics

From Feature:



Safety Guide,SG_Misra,SG_Misra_Redundancy.Third Party Checker

Safety Guide,SG_Reviews,SG_Rev_Diagnostic.Review of Disgnostics Sources

Occurrences:



Table 104 Error: Wrong diagnostics

Error: Wrong Directory

Description:

Compiler outputs to wrong directory

From Feature:



Safety Guide,SG_Reviews,SG_Rev_Build.Review Build Directory

Occurrences:


Table 105 Error: Wrong Directory

Error: Wrong path

Description:

Compiler generates wrong include paths

From Feature:

Include path update



Occurrences:


Table 106 Error: Wrong path

Error: Wrong source used

Description:

Wrong C source used when compiling

From Feature:

C language source


Safety Guide,SG_General,SG_Gen_VersionControl.Verify through version control

system

Occurrences:


Table 107 Error: Wrong source used

Error: Wrong symbol

Description:

Compiler generates wrong predefined symbol output

From Feature:




Safety Guide,SG_Reviews,SG_Rev_PPD.PPD File Review


Occurrences:


Table 108 Error: Wrong symbol

6.4 Compiler Utilities


Compiler Utilities.

Tool: Compiler Utilities

Description:

Other utilities on the compiler, modelled as features of this tool box.

Impact:

TI 2 (Impact)


TCL 2

Table 109 Tool: Compiler Utilities

The tool Compiler Utilities is modeled with 16 elements which have impact, none of them are



Use Cases 1 (0)

Checks 3 (0)

Restrictions 0 (0)


Table 110 Amount of Elements in Tool Compiler Utilities

6.4.1 Use Cases of Compiler Utilities

This section describes all analyzed use cases of Compiler Utilities in separate subsections.

The following use cases of the tool Compiler Utilities are considered:

1. Example Use Case of Utilities, see Section 6.4.1.1

6.4.1.1 Use Case Example Use Case of Utilities

This section describes the use case "Example Use Case of Utilities".

Use Case: Example Use Case of Utilities

Description:



Comment:


Table 111 Use Case: Example Use Case of Utilities



"Example Use Case of Utilities" uses following features:

Absolute Lister

Cross-Reference Lister

Disassembler

Name Utility

Object File Display

Strip Utility

"Example Use Case of Utilities" uses following safety guidelines:

SG_Util_AbsListRev

SG_Util_DisAsReview

SG_Util_RefFileLists

"Example Use Case of Utilities" has the following 0 features that have high error detection

probability:

6.4.2 Required Features of Compiler Utilities

This section describes all 6 required features of Compiler Utilities.

The following tables give an overview of the considered features of Compiler Utilities.

Feature: Absolute Lister

Description:

The ARM absolute lister in the executable armabs

The absolute lister is a debugging tool that accepts linked object files as input and creates

.abs files as output. These .abs files can be assembled to produce a listing that shows the

absolute

addresses of object code. Manually, this could be a tedious process requiring many

operations; however,

the absolute lister utility performs these operations automatically.

Errors:

No Abs Files

Wrong Abs File

Table 112 Feature: Absolute Lister

Feature: Cross-Reference Lister

Description:

The cross-reference lister is a debugging tool. This utility accepts linked object files as

input

and produces a cross-reference listing as output. This listing shows symbols, their

definitions, and their

references in the linked source files.

Errors:

No Listing File

Wrong Listing File

Table 113 Feature: Cross-Reference Lister


Feature: Disassembler

Description:

the ARM disassemblerin the executable armdis

The disassembler accepts object files and executable files as input and produces an

assembly listing

as output. This listing shows assembly instructions, their opcodes, and the section

program counter

values.

Errors:

No Output

Wrong Source Output

Table 114 Feature: Disassembler

Feature: Name Utility

Description:

The ARM name utility in the executable armnm

The name utility prints the list of names defined and referenced in an object file,

executable file,

or archive library. It also prints the symbol value and an indication of the kind of

symbol. Hidden symbols

are listed as "".

Errors:

No Output

Wrong Output

Table 115 Feature: Name Utility

Feature: Object File Display

Description:

The ARM object file display routine in the executable armofd.

The object file display utility prints the contents of object files (.obj), executable files

(.out),

and/or archive libraries (.lib) in both text and XML formats. Hidden symbols are listed

as no name, while

localized symbols are listed like any other local symbol.

Errors:

No Output

Wrong Output

Table 116 Feature: Object File Display

Feature: Strip Utility

Description:

The ARM strip utility in the executable armstrip.

The strip utility removes symbol table and debugging information from object and

executable

files.

Errors:

No Stripped Output


Wrong Stripped Output

Table 117 Feature: Strip Utility

6.4.3 Potential Errors in Compiler Utilities


No Abs Files (Table 125)

No Listing File (Table 126)

No Output (Table 129)



No Stripped Output (Table 130)

Wrong Abs File (Table 131)

Wrong Listing File (Table 132)

Wrong Output (Table 133)

Wrong Output (Table 134)

Wrong Source Output (Table 135)

Wrong Stripped Output (Table 136)








6.4.4 Required Safety Guidelines of Compiler Utilities

This section describes all 3 applied safety guidelines of Compiler Utilities.

The following tables give an overview of the applied safety guidelines of Compiler Utilities .

Safety Guidelines,SG_CompilerUtilities,SG_Util_AbsListRev

Description:

Container for mitigation


Review of Absolute Lister Output

Table 118 Safety Guidelines,SG_CompilerUtilities,SG_Util_AbsListRev

Safety Guidelines,SG_CompilerUtilities,SG_Util_DisAsReview

Description:



Review of Disassembled Object

Table 119 Safety Guidelines,SG_CompilerUtilities,SG_Util_DisAsReview

Safety Guidelines,SG_CompilerUtilities,SG_Util_RefFileLists


Description:




Table 120 Safety Guidelines,SG_CompilerUtilities,SG_Util_RefFileLists

6.4.5 Restrictions in Compiler Utilities

For the tool Compiler Utilities no restrictions are considered.

6.4.6 Checks in Compiler Utilities

The following 3 checks are performed in the tool Compiler Utilities.


Description:

The output of the compiler utilities are compared with a reference file list that contains

the expected files

Comment:


this check

From Feature:

Compiler Utilities,Compiler Utilities,Compiler Utilities,Safety

Guidelines,SG_CompilerUtilities,SG_Util_RefFileLists

Occurrences:

in SG_Util_RefFileLists in Example Use Case of Utilities


TD 1 (HIGH)

Detected errors:

Absolute Lister,No Abs Files

Cross-Reference Lister,No Listing File

Disassembler,No Output

Name Utility,No Output

Object File Display,No Output

Strip Utility,No Stripped Output


Check: Review of Absolute Lister Output

Description:

Detailed review of absolute listing output

From Feature:


Guidelines,SG_CompilerUtilities,SG_Util_AbsListRev

Occurrences:

in SG_Util_AbsListRev in Example Use Case of Utilities


TD 2 (MEDIUM)

Detected errors:


Disassembler,Wrong Source Output

Table 122 Check: Review of Absolute Lister Output

Check: Review of Disassembled Object

Description:

Detailed review of disassembled object code.

From Feature:


Guidelines,SG_CompilerUtilities,SG_Util_DisAsReview

Occurrences:

in SG_Util_DisAsReview in Example Use Case of Utilities


TD 2 (MEDIUM)

Detected errors:

Absolute Lister,Wrong Abs File

Cross-Reference Lister,Wrong Listing File

Disassembler,Wrong Source Output

Name Utility,Wrong Output

Object File Display,Wrong Output

Strip Utility,Wrong Stripped Output

Table 123 Check: Review of Disassembled Object




derived from the TCL for each use case. The tool Compiler Utilities has no use case with TCL

1, one use case with TCL 2 and no use case with TCL 3. Therefore the tool Compiler Utilities

has TCL 2.


For "Example Use Case of Utilities" (TCL 2) see Section 6.4.7.1.

6.4.7.1 TCL Determination for Use Case: Example Use Case of Utilities

The use case "Example Use Case of Utilities" has TCL 2. The TCL is determined by the


Case of Utilities" has 6 features that have been modeled and from which the potential errors

are inferred. There are 12 potential errors in "Example Use Case of Utilities": 6 with TD 1, 6

with TD 2 and 0 with TD 3. The 12 potential errors are described in the remainder of this

section.

The following table gives an overview of the errors of "Example Use Case of Utilities".

Error TD Table

No Abs Files TD 1 (HIGH) Table 125

No Listing File TD 1 (HIGH) Table 126

No Output TD 1 (HIGH) Table 127




No Stripped Output TD 1 (HIGH) Table 130

Wrong Abs File TD 2 (MEDIUM) Table 131

Wrong Listing File TD 2 (MEDIUM) Table 132

Wrong Output TD 2 (MEDIUM) Table 133

Wrong Output TD 2 (MEDIUM) Table 134

Wrong Source Output TD 2 (MEDIUM) Table 135

Wrong Stripped Output TD 2 (MEDIUM) Table 136

Table 124 Errors of Use Case: Example Use Case of Utilities

Error: No Abs Files

Description:

Absolute lister does not generate ,abs files

From Feature:

Absolute Lister


Safety Guidelines,SG_CompilerUtilities,SG_Util_RefFileLists.Compare With

Reference List

Occurrences:

in Absolute Lister in Example Use Case of Utilities

Table 125 Error: No Abs Files

Error: No Listing File

Description:

Cross-reference lister does not generate a lising file

From Feature:




Reference List

Occurrences:

in Cross-Reference Lister in Example Use Case of Utilities

Table 126 Error: No Listing File

Error: No Output

Description:

Name utility does not generate any output

From Feature:

Name Utility



Reference List

Occurrences:

in Name Utility in Example Use Case of Utilities

Table 127 Error: No Output


Error: No Output

Description:

OFD utility does not generate any output

From Feature:

Object File Display



Reference List

Occurrences:

in Object File Display in Example Use Case of Utilities


Error: No Output

Description:

Disassembler does not generate any output

From Feature:

Disassembler



Reference List

Occurrences:

in Disassembler in Example Use Case of Utilities


Error: No Stripped Output

Description:

Strip utility does not generate any output

From Feature:

Strip Utility



Reference List

Occurrences:

in Strip Utility in Example Use Case of Utilities

Table 130 Error: No Stripped Output

Error: Wrong Abs File

Description:

Absolute lister generates incorrect ,abs files

From Feature:

Absolute Lister


Safety Guidelines,SG_CompilerUtilities,SG_Util_DisAsReview.Review of

Disassembled Object

Occurrences:


in Absolute Lister in Example Use Case of Utilities

Table 131 Error: Wrong Abs File

Error: Wrong Listing File

Description:

Cross-reference lister generates an incorrect listing file

From Feature:




Disassembled Object

Occurrences:

in Cross-Reference Lister in Example Use Case of Utilities

Table 132 Error: Wrong Listing File

Error: Wrong Output

Description:

Name utility generates an incorrect output file

From Feature:

Name Utility



Disassembled Object

Occurrences:

in Name Utility in Example Use Case of Utilities

Table 133 Error: Wrong Output

Error: Wrong Output

Description:

OFD utility generates an incorrect output file

From Feature:

Object File Display



Disassembled Object

Safety Guidelines,SG_TBD.To Be Defined By User

Occurrences:

in Object File Display in Example Use Case of Utilities

Table 134 Error: Wrong Output

Error: Wrong Source Output

Description:

Disassembler generates an incorrect output file

From Feature:

Disassembler



Safety Guidelines,SG_CompilerUtilities,SG_Util_AbsListRev.Review of Absolute

Lister Output


Disassembled Object

Occurrences:

in Disassembler in Example Use Case of Utilities

Table 135 Error: Wrong Source Output

Error: Wrong Stripped Output

Description:

Strip utility generates an incorrect output file

From Feature:

Strip Utility



Disassembled Object

Occurrences:

in Strip Utility in Example Use Case of Utilities

Table 136 Error: Wrong Stripped Output

6.5 Hex Converter

This section explains the determination of the Tool Confidence Level (TCL) for the tool Hex

Converter.

Tool: Hex Converter

Description:

The ARM hex converter in the executable armhex.

The TMS320C28x assembler and linker create object files which are in binary formats

that encourage

modular programming and provide powerful and flexible methods for managing code

segments and target

system memory.

Most EPROM programmers do not accept object files as input. The hex conversion

utility converts an

object file into one of several standard ASCII hexadecimal formats, suitable for loading

into an EPROM

programmer. The utility is also useful in other applications requiring hexadecimal

conversion of an object

file (for example, when using debuggers and loaders).

The hex conversion utility can produce these output file formats:

• ASCII-Hex, supporting 16-bit addresses

• Extended Tektronix (Tektronix)

• Intel MCS-86 (Intel)

• Motorola Exorciser (Motorola-S), supporting 16-bit addresses

• Texas Instruments SDSMAC (TI-Tagged), supporting 16-bit addresses

• Texas Instruments TI-TXT format, supporting 16-bit addresses

Impact:


TI 2 (Impact)


TCL 2

Table 137 Tool: Hex Converter

The tool Hex Converter is modeled with 32 elements which have impact, none of them are



Use Cases 1 (0)

Checks 2 (0)

Restrictions 0 (0)


Table 138 Amount of Elements in Tool Hex Converter

6.5.1 Use Cases of Hex Converter

This section describes all analyzed use cases of Hex Converter in separate subsections.

The following use cases of the tool Hex Converter are considered:

1. Example Use Case of Converter, see Section 6.5.1.1

6.5.1.1 Use Case Example Use Case of Converter

This section describes the use case "Example Use Case of Converter".

Use Case: Example Use Case of Converter

Description:



Comment:


Table 139 Use Case: Example Use Case of Converter


"Example Use Case of Converter" uses following features:

Boot Table

Create Hex Output

Create Load Image

Memory Image

Sections

Set Entry Point

Set Fill Value

Set ROM Device Width

Set System Memory Width

Use ROMS Directive


"Example Use Case of Converter" uses following safety guidelines:

SG_Hex_RefFileLists

SG_Hex_Testrun

"Example Use Case of Converter" has the following 0 features that have high error detection

probability:

6.5.2 Required Features of Hex Converter

This section describes all 10 required features of Hex Converter.

The following tables give an overview of the considered features of Hex Converter.

Feature: Boot Table

Description:

-boot

Build a boot table for an on chip loader

Errors:

No Boot Table

No Output

Wrong Boot Table

Table 140 Feature: Boot Table

Feature: Create Hex Output

Description:

-a, -I, -m1, -x, -t

Create hex output file

Errors:

Corrupt Output

No Output

Table 141 Feature: Create Hex Output

Feature: Create Load Image

Description:

--load_image

Errors:

No Image

No Output

Wrong Image

Table 142 Feature: Create Load Image

Feature: Memory Image

Description:

-image

Generating a memory image

Errors:

No Image


No Output

Wrong Image

Table 143 Feature: Memory Image

Feature: Sections

Description:

Use SECTIONS directive

Errors:

No Output

SECTION Corrupted

SECTIONS Ignored

Table 144 Feature: Sections

Feature: Set Entry Point

Description:

-e

Set entry point

Errors:

No Entry Point

No Output

Wrong Entry Point

Table 145 Feature: Set Entry Point

Feature: Set Fill Value

Description:

-fill

Errors:

No Fill

No Output

Wrong Fill

Table 146 Feature: Set Fill Value

Feature: Set ROM Device Width

Description:

-romwidth

Set ROM device width.

Errors:

No Output

No Romwidth

Wrong Romwidth

Table 147 Feature: Set ROM Device Width

Feature: Set System Memory Width

Description:


-memwidth

Errors:

No Memwidth

No Output

Wrong Memwidth

Table 148 Feature: Set System Memory Width

Feature: Use ROMS Directive

Description:

-None-

Errors:

No Output

ROMS Corrupt

ROMS Ignored

Table 149 Feature: Use ROMS Directive

6.5.3 Potential Errors in Hex Converter


Corrupt Output (Table 155)

No Boot Table (Table 156)

No Entry Point (Table 157)

No Fill (Table 158)

No Image (Table 159)

No Image (Table 160)

No Memwidth (Table 161)











No Romwidth (Table 172)

ROMS Corrupt (Table 173)

ROMS Ignored (Table 174)

SECTION Corrupted (Table 175)

SECTIONS Ignored (Table 176)

Wrong Boot Table (Table 177)

Wrong Entry Point (Table 178)

Wrong Fill (Table 179)

Wrong Image (Table 181)

Wrong Image (Table 180)

Wrong Memwidth (Table 182)

Wrong Romwidth (Table 183)









6.5.4 Required Safety Guidelines of Hex Converter

This section describes all 2 applied safety guidelines of Hex Converter.

The following tables give an overview of the applied safety guidelines of Hex Converter .

Safety Guidelines,SG_HexConverter,SG_Hex_RefFileLists

Description:




Table 150 Safety Guidelines,SG_HexConverter,SG_Hex_RefFileLists

Safety Guidelines,SG_HexConverter,SG_Hex_Testrun

Description:



General Testrun

Table 151 Safety Guidelines,SG_HexConverter,SG_Hex_Testrun

6.5.5 Restrictions in Hex Converter

For the tool Hex Converter no restrictions are considered.

6.5.6 Checks in Hex Converter

The following 2 checks are performed in the tool Hex Converter.


Description:

The output of the archiver are compared with a reference file list that contains the

expected files

Comment:


this check

From Feature:

Hex Converter,Hex Converter,Hex Converter,Safety

Guidelines,SG_HexConverter,SG_Hex_RefFileLists

Occurrences:

in SG_Hex_RefFileLists in Example Use Case of Converter



TD 1 (HIGH)

Detected errors:

Boot Table,No Output

Create Hex Output,No Output

Create Load Image,No Output

Memory Image,No Output

Sections,No Output

Set Entry Point,No Output

Set Fill Value,No Output

Set ROM Device Width,No Output

Set System Memory Width,No Output

Use ROMS Directive,No Output


Check: General Testrun

Description:

Run the test on the target and verify that the hex conversion has worked corectly

From Feature:

Hex Converter,Hex Converter,Hex Converter,Safety

Guidelines,SG_HexConverter,SG_Hex_Testrun

Occurrences:

in SG_Hex_Testrun in Example Use Case of Converter


TD 2 (MEDIUM)

Detected errors:

Boot Table,No Boot Table

Boot Table,Wrong Boot Table

Create Hex Output,Corrupt Output

Create Load Image,No Image

Create Load Image,Wrong Image

Memory Image,No Image

Memory Image,Wrong Image

Sections,SECTION Corrupted

Sections,SECTIONS Ignored

Set Entry Point,No Entry Point

Set Entry Point,Wrong Entry Point

Set Fill Value,No Fill

Set Fill Value,Wrong Fill

Set ROM Device Width,No Romwidth

Set ROM Device Width,Wrong Romwidth

Set System Memory Width,No Memwidth

Set System Memory Width,Wrong Memwidth

Use ROMS Directive,ROMS Corrupt

Use ROMS Directive,ROMS Ignored

Table 153 Check: General Testrun





derived from the TCL for each use case. The tool Hex Converter has no use case with TCL 1,

one use case with TCL 2 and no use case with TCL 3. Therefore the tool Hex Converter has

TCL 2.


For "Example Use Case of Converter" (TCL 2) see Section 6.5.7.1.

6.5.7.1 TCL Determination for Use Case: Example Use Case of Converter

The use case "Example Use Case of Converter" has TCL 2. The TCL is determined by the


Case of Converter" has 10 features that have been modeled and from which the potential

errors are inferred. There are 29 potential errors in "Example Use Case of Converter": 10 with

TD 1, 19 with TD 2 and 0 with TD 3. The 29 potential errors are described in the remainder

of this section.

The following table gives an overview of the errors of "Example Use Case of Converter".

Error TD Table

Corrupt Output TD 2 (MEDIUM) Table 155

No Boot Table TD 2 (MEDIUM) Table 156

No Entry Point TD 2 (MEDIUM) Table 157

No Fill TD 2 (MEDIUM) Table 158

No Image TD 2 (MEDIUM) Table 159

No Image TD 2 (MEDIUM) Table 160

No Memwidth TD 2 (MEDIUM) Table 161











No Romwidth TD 2 (MEDIUM) Table 172

ROMS Corrupt TD 2 (MEDIUM) Table 173

ROMS Ignored TD 2 (MEDIUM) Table 174

SECTION Corrupted TD 2 (MEDIUM) Table 175

SECTIONS Ignored TD 2 (MEDIUM) Table 176

Wrong Boot Table TD 2 (MEDIUM) Table 177

Wrong Entry Point TD 2 (MEDIUM) Table 178

Wrong Fill TD 2 (MEDIUM) Table 179

Wrong Image TD 2 (MEDIUM) Table 180

Wrong Image TD 2 (MEDIUM) Table 181

Wrong Memwidth TD 2 (MEDIUM) Table 182


Wrong Romwidth TD 2 (MEDIUM) Table 183

Table 154 Errors of Use Case: Example Use Case of Converter

Error: Corrupt Output

Description:

Hex converter generates corrupt output file

From Feature:

Create Hex Output


Safety Guidelines,SG_HexConverter,SG_Hex_SecondTool.Use Redundant Third

Party Tool

Safety Guidelines,SG_HexConverter,SG_Hex_Testrun.General Testrun

Occurrences:

in Create Hex Output in Example Use Case of Converter

Table 155 Error: Corrupt Output

Error: No Boot Table

Description:

Hex converter does not build a boot table

From Feature:

Boot Table



Party Tool


Occurrences:

in Boot Table in Example Use Case of Converter

Table 156 Error: No Boot Table

Error: No Entry Point

Description:

Hex converter does not set entry point

From Feature:

Set Entry Point



Party Tool


Occurrences:

in Set Entry Point in Example Use Case of Converter

Table 157 Error: No Entry Point

Error: No Fill

Description:

Hex converter does not set fill value


From Feature:

Set Fill Value



Party Tool


Occurrences:

in Set Fill Value in Example Use Case of Converter

Table 158 Error: No Fill

Error: No Image

Description:

Hex converter does not generate a memory image

From Feature:

Memory Image



Party Tool


Occurrences:

in Memory Image in Example Use Case of Converter

Table 159 Error: No Image

Error: No Image

Description:

Hex converter does not generate a ROM device width

From Feature:

Create Load Image



Party Tool


Occurrences:

in Create Load Image in Example Use Case of Converter

Table 160 Error: No Image

Error: No Memwidth

Description:

Hex converter does not generate a memory width

From Feature:




Party Tool


Occurrences:


in Set System Memory Width in Example Use Case of Converter

Table 161 Error: No Memwidth

Error: No Output

Description:

Hex converter does not create output file

From Feature:

Memory Image


Safety Guidelines,SG_HexConverter,SG_Hex_RefFileLists.Compare With

Reference List

Occurrences:



Error: No Output

Description:

No output generated from hex converter when generating a ROM device width

From Feature:

Create Load Image



Reference List

Occurrences:



Error: No Output

Description:


From Feature:

Create Hex Output



Reference List

Occurrences:

in Create Hex Output in Example Use Case of Converter


Error: No Output

Description:


From Feature:

Set Entry Point




Reference List

Occurrences:



Error: No Output

Description:

No output generated from hex converter when building a boot table

From Feature:

Boot Table



Reference List

Occurrences:



Error: No Output

Description:


From Feature:

Set Fill Value



Reference List

Occurrences:



Error: No Output

Description:

No output generated from hex converter when processing SECTIONS directives

From Feature:

Sections



Reference List

Occurrences:

in Sections in Example Use Case of Converter


Error: No Output

Description:

No output generated from hex converter when generating a memory width


From Feature:




Reference List

Occurrences:



Error: No Output

Description:

No output generated from hex converter when processing ROMS directives

From Feature:

Use ROMS Directive



Reference List

Occurrences:

in Use ROMS Directive in Example Use Case of Converter


Error: No Output

Description:

No output generated from hex converter when generating a ROM device width

From Feature:




Reference List

Occurrences:

in Set ROM Device Width in Example Use Case of Converter


Error: No Romwidth

Description:

Hex converter does not generate a ROM device width

From Feature:




Party Tool


Occurrences:


Table 172 Error: No Romwidth


Error: ROMS Corrupt

Description:

Hex converter processes the ROMS directive incorrectly

From Feature:

Use ROMS Directive



Party Tool


Occurrences:


Table 173 Error: ROMS Corrupt

Error: ROMS Ignored

Description:

Hex converter does not process the ROMS directive

From Feature:

Use ROMS Directive



Party Tool


Occurrences:


Table 174 Error: ROMS Ignored

Error: SECTION Corrupted

Description:

Hex converter processes the SECTIONS directive incorrectly

From Feature:

Sections



Party Tool


Occurrences:


Table 175 Error: SECTION Corrupted

Error: SECTIONS Ignored

Description:

Hex converter does process the SECTIONS directive

From Feature:

Sections




Party Tool


Occurrences:


Table 176 Error: SECTIONS Ignored

Error: Wrong Boot Table

Description:

Hex converter builds wrong table

From Feature:

Boot Table



Party Tool


Occurrences:


Table 177 Error: Wrong Boot Table

Error: Wrong Entry Point

Description:

Hex converter sets wrong entry point

From Feature:

Set Entry Point



Party Tool


Occurrences:


Table 178 Error: Wrong Entry Point

Error: Wrong Fill

Description:

Hex converter sets wrong fill value

From Feature:

Set Fill Value



Party Tool


Occurrences:


Table 179 Error: Wrong Fill


Error: Wrong Image

Description:

Hex converter generates a wrong memory image

From Feature:

Memory Image



Party Tool


Occurrences:


Table 180 Error: Wrong Image

Error: Wrong Image

Description:

Hex converter generates a wrong ROM device width

From Feature:

Create Load Image



Party Tool


Occurrences:


Table 181 Error: Wrong Image

Error: Wrong Memwidth

Description:

Hex converter generates a wrong memory width

From Feature:




Party Tool


Occurrences:


Table 182 Error: Wrong Memwidth

Error: Wrong Romwidth

Description:

Hex converter generates a wrong ROM device width

From Feature:





Party Tool


Occurrences:


Table 183 Error: Wrong Romwidth

6.6 Linker


Linker.

Tool: Linker

Description:

The ARM linker in the executable armlnk

Impact:

TI 2 (Impact)


TCL 3

Table 184 Tool: Linker

The tool Linker is modeled with 97 elements which have impact, none of them are



Use Cases 1 (0)

Checks 2 (0)

Restrictions 0 (0)


Table 185 Amount of Elements in Tool Linker

6.6.1 Use Cases of Linker

This section describes all analyzed use cases of Linker in separate subsections.

The following use cases of the tool Linker are considered:

1. Example Use Case of Linker, see Section 6.6.1.1

6.6.1.1 Use Case Example Use Case of Linker

This section describes the use case "Example Use Case of Linker".

Use Case: Example Use Case of Linker

Description:



Comment:



Table 186 Use Case: Example Use Case of Linker


"Example Use Case of Linker" uses following features:

Add to library search path

BE-8 and BE-32 object file support

CRC tables

Control linker diagnostics

Control symbol linkage

Control variable initialization

Copy Tables

Create executable object file

Disable COFF conditional linking

Generate map file

Generate xml link info file

LCF MEMORY directives

LCF SECTIONS directives

LCF UNION and GROUP statements

LCF assignment of symbols

LCF creating and filling holes

LCF preprocessing

Link time optimizations

Linker preprocessing

Partial Linking

Preferred function ordering

Set executable entry point

Set heap size

Set output file name

Set stack size

Support library input files

"Example Use Case of Linker" uses following safety guidelines:

SG_Lnk_CompareExecutable Output

SG_TBD

Safety Guide

"Example Use Case of Linker" has the following 1 features that have high error detection

probability:

LCF preprocessing

6.6.2 Required Features of Linker

This section describes all 26 required features of Linker.

The following tables give an overview of the considered features of Linker.

Feature: Add to library search path

Description:


-l

Errors:

Change behavior

No output

Paths not used

Wrong paths

Table 187 Feature: Add to library search path

Feature: BE-8 and BE-32 object file support

Description:

-be8, -be32

Errors:

Change Behavior

Incorrect Objects Used

No Output

Table 188 Feature: BE-8 and BE-32 object file support

Feature: Control linker diagnostics

Description:

--diag_error, --diag_remark, --diag_warning, --diag_suppress, --warn_sections

Errors:

Change Behavior

No Diagnostics

No Output

Wrong Diagnostics

Table 189 Feature: Control linker diagnostics

Feature: Control symbol linkage

Description:

--globalize, --hide, --make_global, --make_static, --symbol_map

Errors:

Change Behavior

No Output

No Symbol Control

Wrong Symbol Control

Table 190 Feature: Control symbol linkage

Feature: Control variable initialization

Description:

--rom_model or -c, --ram_model or -cr

Errors:

Change behavior

No initialization

No output

Wrong initialization


Table 191 Feature: Control variable initialization

Feature: Copy Tables

Description:

Linker generated copy tables

Errors:

Change Behavior

Copy Tables Defect

Copy Tables Ignored

No Output

Table 192 Feature: Copy Tables

Feature: CRC tables

Description:

Linker generated CRC tables

Errors:

Change Behavior

Incorrect CRC

No CRC

No Output

Table 193 Feature: CRC tables

Feature: Create executable object file

Description:

none, -a

Errors:

Change behavior

No executable

Wrong executable

Table 194 Feature: Create executable object file

Feature: Disable COFF conditional linking

Description:

-j, --disable_clink

Errors:

Change Behavior

No Disabling

No Output

Table 195 Feature: Disable COFF conditional linking

Feature: Generate map file

Description:

-m

Errors:

Change behavior


No map file

No output

Wrong map file

Table 196 Feature: Generate map file

Feature: Generate xml link info file

Description:

--xml_link_info

Errors:

Change behavior

No info file

No output

Wrong info file

Table 197 Feature: Generate xml link info file

Feature: LCF assignment of symbols

Description:

Linker command file assignment of symbols

Errors:

Assignment Defect

Change Behavior

Igonre Assignment

No Output

Table 198 Feature: LCF assignment of symbols

Feature: LCF creating and filling holes

Description:

Linker command file creating and filling holes

Errors:

Change Behavior

Hole Filling Defect

Ignore Hole Filling

No Output

Table 199 Feature: LCF creating and filling holes

Feature: LCF MEMORY directives

Description:

Linker command file MEMORY directives

Errors:

Change Behavior

Ignore MEMORY Directive

MEMORY Directive Defect

No Output

Table 200 Feature: LCF MEMORY directives


Feature: LCF preprocessing

Description:

Linker command file preprocessing

Table 201 Feature: LCF preprocessing

Feature: LCF SECTIONS directives

Description:

Linker command file SECTIONS directives

Errors:

Change Behavior

Ignore SECTION Directive

No Output

SECTION Directive Defect

Table 202 Feature: LCF SECTIONS directives

Feature: LCF UNION and GROUP statements

Description:

Linker command file UNION and GROUP statements

Errors:

Change Behavior

Ignore UNION and GROUP

No Output

UNION and GROUP Defect

Table 203 Feature: LCF UNION and GROUP statements

Feature: Link time optimizations

Description:

--cinit_compress, --compress_dwarf, --copy_compression

Errors:

Change Behavior

No LTO

No Output

Non Functional Output

Table 204 Feature: Link time optimizations

Feature: Linker preprocessing

Description:

--define, --undefine

Errors:

Change Behavior

No Output

No Preprocessing

Wrong Preprocessing

Table 205 Feature: Linker preprocessing


Feature: Partial Linking

Description:

-r

Errors:

Change behavior

No object file

Wrong object file

Table 206 Feature: Partial Linking

Feature: Preferred function ordering

Description:

--preferred_order

Errors:

Change Behavior

No Output

Ordering Defect

Table 207 Feature: Preferred function ordering

Feature: Set executable entry point

Description:

--entry_point

Errors:

Change Behavior

No Entry Point

No Output

Wrong Entry Point

Table 208 Feature: Set executable entry point

Feature: Set heap size

Description:

-heap

Errors:

Change behavior

No heap size

No output

Wrong heap size

Table 209 Feature: Set heap size

Feature: Set output file name

Description:

-o

Errors:

Change behavior

No output file name


Wrong output file name

Table 210 Feature: Set output file name

Feature: Set stack size

Description:

--stack

Errors:

Change behavior

No output

No stack size

Wrong stack size

Table 211 Feature: Set stack size

Feature: Support library input files

Description:

-l. --library, --priority, -x, -scanlibs

Errors:

Change behavior

Input file not used

No output

Wrong input files

Table 212 Feature: Support library input files

6.6.3 Potential Errors in Linker


Assignment Defect (Table 224)



























Copy Tables Defect (Table 250)

Copy Tables Ignored (Table 251)

Hole Filling Defect (Table 252)

Ignore Hole Filling (Table 253)

Ignore MEMORY Directive (Table 254)

Ignore SECTION Directive (Table 255)

Ignore UNION and GROUP (Table 256)

Igonre Assignment (Table 257)

Incorrect CRC (Table 258)

Incorrect Objects Used (Table 259)

Input file not used (Table 260)

MEMORY Directive Defect (Table 261)

No CRC (Table 262)

No Diagnostics (Table 263)

No Disabling (Table 264)

No Entry Point (Table 265)

No LTO (Table 270)
















No Preprocessing (Table 296)

No Symbol Control (Table 298)

No executable (Table 266)

No heap size (Table 267)

No info file (Table 268)

No initialization (Table 269)

No map file (Table 271)

No object file (Table 272)









No output file name (Table 295)

No stack size (Table 297)

Non Functional Output (Table 299)

Ordering Defect (Table 300)

Paths not used (Table 301)

SECTION Directive Defect (Table 302)

UNION and GROUP Defect (Table 303)

Wrong Diagnostics (Table 304)

Wrong Entry Point (Table 305)

Wrong Preprocessing (Table 315)

Wrong Symbol Control (Table 317)

Wrong executable (Table 306)

Wrong heap size (Table 307)

Wrong info file (Table 308)

Wrong initialization (Table 309)

Wrong input files (Table 310)

Wrong map file (Table 311)

Wrong object file (Table 312)

Wrong output file name (Table 313)

Wrong paths (Table 314)

Wrong stack size (Table 316)








There are 3 errors caused by this tool without any relation to checks or restrictions.

The following 3 error occurrences of Linker have no relation to any check or restriction:

Hole Filling Defect (Table 252)

Ignore MEMORY Directive (Table 254)

Wrong executable (Table 306)

6.6.4 Required Safety Guidelines of Linker

This section describes all 8 applied safety guidelines of Linker.

The following tables give an overview of the applied safety guidelines of Linker .

Safety Guide

Description:

-None-


Table 213 Safety Guide

Safety Guide,SG_Linker

Description:

Safety guidelines for the linker feature

Table 214 Safety Guide,SG_Linker

Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Output

Description:

Container for the safety guideline


Linking with and without setting output file name

Table 215 Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Output

Safety Guide,SG_Linker,SG_Lnk_CompOutputList

Description:

Guideline to compare the output file lists


Compare Linker Output Files with Reference File List

Table 216 Safety Guide,SG_Linker,SG_Lnk_CompOutputList

Safety Guide,SG_Linker,SG_Lnk_ReviewDissaembler

Description:

Guideline to review the dissasembled output


Review with Disassembler

Table 217 Safety Guide,SG_Linker,SG_Lnk_ReviewDissaembler

Safety Guide,SG_Linker,SG_Lnk_ReviewLinkInfo

Description:

Guideline to apply the review of the XML link file information


Review Against Link Info

Table 218 Safety Guide,SG_Linker,SG_Lnk_ReviewLinkInfo

Safety Guide,SG_Linker,SG_Lnk_ReviewMapfileSimple

Description:

Guideline for reviewing the mapfile for simple elements that can be easy detected


Review Mapfile

Table 219 Safety Guide,SG_Linker,SG_Lnk_ReviewMapfileSimple

Safety Guide,SG_TBD


Description:

Container for safety guidelines that hvae to be defined from the user in his procss


To Be Defined By User

Table 220 Safety Guide,SG_TBD

6.6.5 Restrictions in Linker

For the tool Linker no restrictions are considered.

6.6.6 Checks in Linker

The following 2 checks are performed in the tool Linker.

Check: Linking with and without setting output file name

Description:

And compare the executable using binary compare or test

From Feature:

Linker,Linker,Linker,Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Output

Occurrences:

in SG_Lnk_CompareExecutable Output in Example Use Case of Linker


TD 1 (HIGH)

Detected errors:

Set output file name,Change behavior

Table 221 Check: Linking with and without setting output file name

Check: To Be Defined By User

Description:

This check has to be defined from the user to detect the assigned errors with a HIGH

probability

A high probability is usually achieved by autmated scripts or other tools that produce

comparable results and the results are compared with the results of this tool.

Comment:

Currently we do not have tests for that feature, but we are working on them in order to

reduce the tasks for the user to implement this check.

From Feature:

Linker,Linker,Safety Guide,SG_TBD

Occurrences:

in SG_TBD in Example Use Case of Linker


TD 1 (HIGH)

Detected errors:

CRC tables,Incorrect CRC

CRC tables,No CRC

CRC tables,No Output

Copy Tables,Copy Tables Defect

Copy Tables,Copy Tables Ignored


Preferred function ordering,Ordering Defect

Table 222 Check: To Be Defined By User




derived from the TCL for each use case. The tool Linker has no use case with TCL 1, no use

case with TCL 2 and one use case with TCL 3. Therefore the tool Linker has TCL 3.


For "Example Use Case of Linker" (TCL 3) see Section 6.6.7.1.

6.6.7.1 TCL Determination for Use Case: Example Use Case of Linker

The use case "Example Use Case of Linker" has TCL 3. The TCL is determined by the lowest

Tool Detection Level (TD) of all errors of the use case. The use case "Example Use Case of

Linker" has 26 features that have been modeled and from which the potential errors are

inferred. There are 94 potential errors in "Example Use Case of Linker": 7 with TD 1, 0 with

TD 2 and 87 with TD 3. The 94 potential errors are described in the remainder of this section.

The following table gives an overview of the errors of "Example Use Case of Linker".

Error TD Table

Assignment Defect TD 3 (LOW) Table 224

Change Behavior TD 3 (LOW) Table 225

Change behavior TD 3 (LOW) Table 226

























Copy Tables Defect TD 1 (HIGH) Table 250

Copy Tables Ignored TD 1 (HIGH) Table 251

Hole Filling Defect TD 3 (LOW) Table 252

Ignore Hole Filling TD 3 (LOW) Table 253

Ignore MEMORY Directive TD 3 (LOW) Table 254

Ignore SECTION Directive TD 3 (LOW) Table 255

Ignore UNION and GROUP TD 3 (LOW) Table 256

Igonre Assignment TD 3 (LOW) Table 257

Incorrect CRC TD 1 (HIGH) Table 258

Incorrect Objects Used TD 3 (LOW) Table 259

Input file not used TD 3 (LOW) Table 260

MEMORY Directive Defect TD 3 (LOW) Table 261

No CRC TD 1 (HIGH) Table 262

No Diagnostics TD 3 (LOW) Table 263

No Disabling TD 3 (LOW) Table 264

No Entry Point TD 3 (LOW) Table 265

No executable TD 3 (LOW) Table 266

No heap size TD 3 (LOW) Table 267

No info file TD 3 (LOW) Table 268

No initialization TD 3 (LOW) Table 269

No LTO TD 3 (LOW) Table 270

No map file TD 3 (LOW) Table 271

No object file TD 3 (LOW) Table 272

No Output TD 3 (LOW) Table 273

No output TD 3 (LOW) Table 274





















No output file name TD 3 (LOW) Table 295

No Preprocessing TD 3 (LOW) Table 296

No stack size TD 3 (LOW) Table 297


No Symbol Control TD 3 (LOW) Table 298

Non Functional Output TD 3 (LOW) Table 299

Ordering Defect TD 1 (HIGH) Table 300

Paths not used TD 3 (LOW) Table 301

SECTION Directive Defect TD 3 (LOW) Table 302

UNION and GROUP Defect TD 3 (LOW) Table 303

Wrong Diagnostics TD 3 (LOW) Table 304

Wrong Entry Point TD 3 (LOW) Table 305

Wrong executable TD 3 (LOW) Table 306

Wrong heap size TD 3 (LOW) Table 307

Wrong info file TD 3 (LOW) Table 308

Wrong initialization TD 3 (LOW) Table 309

Wrong input files TD 3 (LOW) Table 310

Wrong map file TD 3 (LOW) Table 311

Wrong object file TD 3 (LOW) Table 312

Wrong output file name TD 3 (LOW) Table 313

Wrong paths TD 3 (LOW) Table 314

Wrong Preprocessing TD 3 (LOW) Table 315

Wrong stack size TD 3 (LOW) Table 316

Wrong Symbol Control TD 3 (LOW) Table 317

Table 223 Errors of Use Case: Example Use Case of Linker

Error: Assignment Defect

Description:

Linker assigns symbols from the lcf incorrectly

From Feature:



Safety Guide,SG_Linker,SG_Lnk_ReviewMapfileSimple.Review Mapfile

Occurrences:

in LCF assignment of symbols in Example Use Case of Linker

Table 224 Error: Assignment Defect


Description:

Change the behavior of the source when linking and setting entry point

From Feature:



Safety Guide,SG_Other,SG_IntensiveTargetTest.Intensive Target Testing

Safety Guide,SG_Other,SG_OtherLinker.Compiling and Linking With Second

Compiler

Occurrences:

in Set executable entry point in Example Use Case of Linker




Description:

Change the behavior of the source when linking and setting a stack size

From Feature:

Set stack size




Compiler

Occurrences:

in Set stack size in Example Use Case of Linker



Description:

Change the behavior of the source when linking with lcf assigned symbols

From Feature:





Compiler

Occurrences:




Description:

Change the behavior of the source when linking and setting a heap size

From Feature:

Set heap size




Compiler

Occurrences:

in Set heap size in Example Use Case of Linker



Description:

Change the behavior of the source when linking and using library input files

From Feature:






Compiler

Occurrences:

in Support library input files in Example Use Case of Linker



Description:

Change the behavior of the source when partial linking

From Feature:

Partial Linking




Compiler

Occurrences:

in Partial Linking in Example Use Case of Linker



Description:

Change the behavior of the source when linking with be-8 or be-32 object files

From Feature:





Compiler

Occurrences:

in BE-8 and BE-32 object file support in Example Use Case of Linker



Description:

Change the behavior of the source when linking and using link time optimizations

From Feature:



Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Options.Link With/Without

Option



Compiler

Occurrences:

in Link time optimizations in Example Use Case of Linker




Description:

Change the behavior of the source when linking with the use of UNION and GROUP

statements in a lcf

From Feature:





Compiler

Occurrences:

in LCF UNION and GROUP statements in Example Use Case of Linker



Description:

Change the behavior of the source when linking and adding to library search path

From Feature:





Compiler

Occurrences:

in Add to library search path in Example Use Case of Linker



Description:

Change the behavior of the source when linking and setting specific output file name

From Feature:



Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Output.Linking with and

without setting output file name



Compiler

Occurrences:

in Set output file name in Example Use Case of Linker




Description:

Change the behavior of the source when linking to create an executable object file

From Feature:





Compiler

Occurrences:

in Create executable object file in Example Use Case of Linker



Description:

Change the behavior of the source when linking with copy tables

From Feature:

Copy Tables




Compiler

Occurrences:

in Copy Tables in Example Use Case of Linker



Description:

Change the behavior of the source when linking when disabling conditional linking

From Feature:




Option



Compiler

Occurrences:

in Disable COFF conditional linking in Example Use Case of Linker



Description:

Change the behavior of the source when linking with the use of SECTIONS directives in

a lcf

From Feature:




Safety Guide,SG_Linker,SG_Lnk_CompOutputList.Compare Linker Output Files

with Reference File List


Occurrences:

in LCF SECTIONS directives in Example Use Case of Linker



Description:

Change the behavior of the source when linking with xml link info file

From Feature:



Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Info.Link with and without

generating an xml link info file



Compiler

Occurrences:

in Generate xml link info file in Example Use Case of Linker



Description:

Change the behavior of the source when linking with linker preprocessing

From Feature:





Compiler

Occurrences:

in Linker preprocessing in Example Use Case of Linker



Description:

Change the behavior of the source when linking with rom or ram model

From Feature:





Compiler

Occurrences:


in Control variable initialization in Example Use Case of Linker



Description:

Change the behavior of the source when linking and controlling symbol linkage

From Feature:





Compiler

Occurrences:

in Control symbol linkage in Example Use Case of Linker



Description:

Change the behavior of the source when linking with filling holes in a lcf

From Feature:





Compiler

Occurrences:

in LCF creating and filling holes in Example Use Case of Linker



Description:

Change the behavior of the source when linking with preferred function ordering

From Feature:





Compiler

Occurrences:

in Preferred function ordering in Example Use Case of Linker



Description:

Change the behavior of the source when linking with controlled diagnostics


From Feature:




Option



Compiler

Occurrences:

in Control linker diagnostics in Example Use Case of Linker



Description:

Change the behavior of the source when linking with the use of MEMORY directives in

a lcf

From Feature:





Compiler

Occurrences:

in LCF MEMORY directives in Example Use Case of Linker



Description:

Change the behavior of the source when linking with CRC tables

From Feature:

CRC tables




Compiler

Occurrences:

in CRC tables in Example Use Case of Linker



Description:

Change the behavior of the source when linking with mapfile

From Feature:

Generate map file


Safety Guide,SG_Linker,SG_Lnk_CompareExecutable Map.Link with and without


generating a map file



Compiler

Occurrences:

in Generate map file in Example Use Case of Linker


Error: Copy Tables Defect

Description:

Linker does not generate copy tables

From Feature:

Copy Tables


Safety Guide,SG_Linker,SG_Lnk_ReviewDissaembler.Review with Disassembler

Safety Guide,SG_TBD.To Be Defined By User

Occurrences:


Table 250 Error: Copy Tables Defect

Error: Copy Tables Ignored

Description:

Linker does not generate copy tables

From Feature:

Copy Tables




Occurrences:


Table 251 Error: Copy Tables Ignored

Error: Hole Filling Defect

Description:

Linker fills holes incorrectly

From Feature:


Occurrences:


Table 252 Error: Hole Filling Defect

Error: Ignore Hole Filling

Description:

Linker does not fill holes

From Feature:





Occurrences:


Table 253 Error: Ignore Hole Filling

Error: Ignore MEMORY Directive

Description:

Linker ignores MEMORY directives in a lcf

From Feature:


Occurrences:


Table 254 Error: Ignore MEMORY Directive

Error: Ignore SECTION Directive

Description:

Linker ignores SECTIONS directives in a lcf

From Feature:




Occurrences:


Table 255 Error: Ignore SECTION Directive

Error: Ignore UNION and GROUP

Description:

Linker ignores UNION and GROUP statements in a lcf

From Feature:




Occurrences:


Table 256 Error: Ignore UNION and GROUP

Error: Igonre Assignment

Description:

Linker does not assign any symbols from the lcf

From Feature:





Occurrences:


Table 257 Error: Igonre Assignment

Error: Incorrect CRC

Description:

Linker generates incorrect CRC tables

From Feature:

CRC tables




Occurrences:


Table 258 Error: Incorrect CRC

Error: Incorrect Objects Used

Description:

Linker does not use correct object files

From Feature:




Safety Guide,SG_Other,SG_GeneralTargetTest.General Testrun

Occurrences:


Table 259 Error: Incorrect Objects Used

Error: Input file not used

Description:

Linker does not use any library input files

From Feature:




Occurrences:


Table 260 Error: Input file not used

Error: MEMORY Directive Defect

Description:

Linker processes MEMORY directives incorrectly

From Feature:





Occurrences:


Table 261 Error: MEMORY Directive Defect

Error: No CRC

Description:

Linker does not generate CRC tables

From Feature:

CRC tables




Occurrences:


Table 262 Error: No CRC

Error: No Diagnostics

Description:

Linker does not perform any controlled diagnostics

From Feature:



Safety Guide,SG_Linker,Lnk_ReviewLogs.Log Review

Occurrences:


Table 263 Error: No Diagnostics

Error: No Disabling

Description:

Linker does not disable conditional linking

From Feature:




Occurrences:


Table 264 Error: No Disabling

Error: No Entry Point

Description:

Linker does not set the entry point

From Feature:





Occurrences:


Table 265 Error: No Entry Point

Error: No executable

Description:

Linker does not generate an executable

From Feature:





Safety Guide,SG_Linker,SG_Lnk_ReviewODF Exe.Detailed review of ofd utility

output on executable object file

Occurrences:


Table 266 Error: No executable

Error: No heap size

Description:

Linker does not set a heap size

From Feature:

Set heap size



Occurrences:


Table 267 Error: No heap size

Error: No info file

Description:

Linker does not generate an xml link info file

From Feature:





Occurrences:


Table 268 Error: No info file

Error: No initialization

Description:

Linker does not generate any rom or ram model initialization


From Feature:





Occurrences:


Table 269 Error: No initialization

Error: No LTO

Description:

Linker does not use link time optimizations

From Feature:





Occurrences:


Table 270 Error: No LTO

Error: No map file

Description:

Linker does not generate a map file

From Feature:

Generate map file




Occurrences:


Table 271 Error: No map file

Error: No object file

Description:

Linker does not generate a partially linked object file

From Feature:

Partial Linking




Occurrences:


Table 272 Error: No object file


Error: No Output

Description:

No output generated from linker when setting entry point

From Feature:





Occurrences:



Error: No output

Description:

No output generated from linker when setting a stack size

From Feature:

Set stack size




Occurrences:



Error: No Output

Description:

No output generated from linker when using lcf assigned symbols

From Feature:





Occurrences:



Error: No output

Description:

No output generated from linker when setting a heap size

From Feature:

Set heap size




Occurrences:




Error: No output

Description:

No output generated from linker when using library input files

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using be-8 or be-32 object file

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using link time optimizations

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using UNION and GROUP statements in a lcf

From Feature:






Occurrences:



Error: No output

Description:

No output generated from linker when adding to library search paths

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when generating copy tables

From Feature:

Copy Tables




Occurrences:



Error: No Output

Description:

No output generated from linker when disabling conditional linking

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using SECTIONS directives in a lcf


From Feature:





Occurrences:



Error: No output

Description:

No output generated from linker when generating xml link info file

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using linker preprocessing

From Feature:





Occurrences:



Error: No output

Description:

No output generated from linker when using rom or ram model

From Feature:





Occurrences:




Error: No Output

Description:

No output generated from linker when controlling symbol linkage

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when filling holes in a lcf

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when generating a preferred function order

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when using controlled diagnostics

From Feature:





Occurrences:




Error: No Output

Description:

No output generated from linker when using MEMORY directives in a lcf

From Feature:





Occurrences:



Error: No Output

Description:

No output generated from linker when generating CRC tables

From Feature:

CRC tables



Occurrences:



Error: No output

Description:

No output generated from linker when generating map file

From Feature:

Generate map file




Occurrences:



Error: No output file name

Description:

Linker does not generate output file with specific name

From Feature:






Occurrences:


Table 295 Error: No output file name

Error: No Preprocessing

Description:

Linker does not perform any preprocessing

From Feature:




Occurrences:


Table 296 Error: No Preprocessing

Error: No stack size

Description:

Linker does not set a stack size

From Feature:

Set stack size



Occurrences:


Table 297 Error: No stack size

Error: No Symbol Control

Description:

Linker does not control symbol linkage

From Feature:




Occurrences:


Table 298 Error: No Symbol Control

Error: Non Functional Output

Description:

Linker generates non-functional output when using link time optimizations

From Feature:





Occurrences:


Table 299 Error: Non Functional Output

Error: Ordering Defect

Description:

Linker generates incorrect function orderong

From Feature:





Occurrences:


Table 300 Error: Ordering Defect

Error: Paths not used

Description:

Linker does not use any library search paths

From Feature:




Occurrences:


Table 301 Error: Paths not used

Error: SECTION Directive Defect

Description:

Linker processes SECTIONS directives incorrectly

From Feature:




Occurrences:


Table 302 Error: SECTION Directive Defect

Error: UNION and GROUP Defect

Description:

Linker processes UNION and GROUP statements incorrectly

From Feature:





Occurrences:


Table 303 Error: UNION and GROUP Defect

Error: Wrong Diagnostics

Description:

Linker generates wrong diagnostics

From Feature:



Safety Guide,SG_Linker,Lnk_ReviewLogs.Log Review

Occurrences:


Table 304 Error: Wrong Diagnostics

Error: Wrong Entry Point

Description:

Linker generates wrong entry point

From Feature:




Occurrences:


Table 305 Error: Wrong Entry Point

Error: Wrong executable

Description:

Linker generates wrong executable object file

From Feature:


Occurrences:


Table 306 Error: Wrong executable

Error: Wrong heap size

Description:

Linker generates wrong heap size

From Feature:

Set heap size



Occurrences:



Table 307 Error: Wrong heap size

Error: Wrong info file

Description:

Linker generates wrong xml link info file

From Feature:



Safety Guide,SG_Linker,SG_Lnk_ReviewLinkInfo.Review Against Link Info

Occurrences:


Table 308 Error: Wrong info file

Error: Wrong initialization

Description:

Linker generates wrong rom or ram model initialization

From Feature:




Occurrences:


Table 309 Error: Wrong initialization

Error: Wrong input files

Description:

Linker uses wrong library input files

From Feature:




Occurrences:


Table 310 Error: Wrong input files

Error: Wrong map file

Description:

Linker generates wrong map file

From Feature:

Generate map file


Safety Guide,SG_Linker,SG_Lnk_ReviewLinkInfo.Review Against Link Info

Occurrences:


Table 311 Error: Wrong map file


Error: Wrong object file

Description:

Linker generates wrong partially linked object file

From Feature:

Partial Linking


Safety Guide,SG_Linker,SG_Lnk_ReviewMapfileComplex.Review Mapfile

Safety Guide,SG_Linker,SG_Lnk_ReviewODF Obj.Detailed review of ofd utility

output on partially linked object file

Occurrences:


Table 312 Error: Wrong object file

Error: Wrong output file name

Description:

Linker generates wrong output file name

From Feature:





Occurrences:


Table 313 Error: Wrong output file name

Error: Wrong paths

Description:

Linker uses wrong library search paths

From Feature:




Occurrences:


Table 314 Error: Wrong paths

Error: Wrong Preprocessing

Description:

Linker uses wrong preprocessin

From Feature:




Occurrences:



Table 315 Error: Wrong Preprocessing

Error: Wrong stack size

Description:

Linker generates wrong stack size

From Feature:

Set stack size



Occurrences:


Table 316 Error: Wrong stack size

Error: Wrong Symbol Control

Description:

Linker generates wrong symbol linkage

From Feature:




Occurrences:


Table 317 Error: Wrong Symbol Control

6.7 Additional Information

This section contains additional information from the formal model of the tool chain.

Additional information is not required from the ISO 26262 for the determination of the TCL,

but eases the modeling process and the understanding of the error flow.

6.7.1 Artifacts

The analysis incorporates artifacts for the validation of the model. If an error is checked by

another tool, then there should be information flow between them. Artifacts can be used to

model this flow and our analysis checks if there is an information flow between error sources

and error sinks.

The tool chain "TI Compiler Tools" is using 14 artifacts, which are described hereafter.

Artifact: Archived Object Library

Description:

A library of object files created by the archiver

Table 318 Artifact: Archived Object Library

Artifact: Assembly files

Description:


For example file.asm

Table 319 Artifact: Assembly files

Artifact: C/C++ Source File

Description:

-None-

Table 320 Artifact: C/C++ Source File

Artifact: Executable file

Description:

For example file.out

Table 321 Artifact: Executable file

Artifact: Index Library

Description:

A library index made up of several libraries that differ in compile options. The linker

chooses the correct libraries by comparing options with the index.

Table 322 Artifact: Index Library

Artifact: Intermediate Files

Description:

For example file.opt or file.if

Table 323 Artifact: Intermediate Files

Artifact: Linker Command File

Description:

Linker command file - example lnk.cmd

Table 324 Artifact: Linker Command File

Artifact: Map File

Description:

Linker or Hex Converter Map file - example file.map

Table 325 Artifact: Map File

Artifact: Object Files

Description:

For example file.obj

Table 326 Artifact: Object Files

Artifact: Object Library

Description:

A standard object library


Table 327 Artifact: Object Library

Artifact: Options and Commands

Description:

The options and commands for the Compiler (but not the arguments).

Table 328 Artifact: Options and Commands

Artifact: Preprocess Source File

Description:

Preprocessed source files - example file.pp

Table 329 Artifact: Preprocess Source File

Artifact: Relocatable (Partially-linked) Object file

Description:

-None-

Table 330 Artifact: Relocatable (Partially-linked) Object file

Artifact: XML Link Info File

Description:

XML link info file - example file.xml

Table 331 Artifact: XML Link Info File

6.7.2 Error Model for the TI Compiler Tools Tool Chain

The error model consists of general attributes that are mapped to the used tools or use cases.

Each of these mapped elements receives a copy of the listed errors.

In the following sections all used attributes, errors, checks and restrictions are described

6.7.2.1 Tool Attribute Descriptions

The following 3 general tool attributes have been used in the analysis of the "TI Compiler

Tools".

Tool Attribute: Compiling

Description:

-None-

Contains the following potential errors:

No Object File Generated

Wrong Object-Code Behavior

Wrong or Missing Source Files Compiled

Table 332 Tool Attribute: Compiling

Tool Attribute: File Generator

Description:

-None-


No File Created


Semantic Error

Syntax Error

Table 333 Tool Attribute: File Generator

Tool Attribute: Output messages to stdio

Description:

-None-


Incomplete message to stdio

Table 334 Tool Attribute: Output messages to stdio

6.7.2.2 Artifact Attribute Descriptions

The following general artifact attribute has been used in the analysis of the "TI Compiler

Tools".

Artifact Attribute: XML

Description:

XML files have typical errors


Contains wrong values

Syntax Errors

Wrong encoding

Table 335 Artifact Attribute: XML

6.7.2.3 Error Descriptions

The following 10 errors have been used in the analysis of the "TI Compiler Tools".

Error: Contains wrong values

Description:

Semantic erros in the xml

From artifact attribute:

XML

Table 336 Error: Contains wrong values

Error: Incomplete message to stdio

Description:

The message is not output completely to stdio.

From tool attribute:

Output messages to stdio

Table 337 Error: Incomplete message to stdio

Error: No File Created

Description:

Files, that are intented to be generated, are missing after generation (e.g. missing write

permissions)



File Generator

Table 338 Error: No File Created

Error: No Object File Generated

Description:

-None-


Compiling

Table 339 Error: No Object File Generated

Error: Semantic Error

Description:

The generated file contains the wrong data or misses data


File Generator

Table 340 Error: Semantic Error

Error: Syntax Error

Description:

The generated file does not conform the expected syntax resp. format


File Generator

Table 341 Error: Syntax Error

Error: Syntax Errors

Description:

-None-


XML

Table 342 Error: Syntax Errors

Error: Wrong encoding

Description:

-None-


XML

Table 343 Error: Wrong encoding

Error: Wrong Object-Code Behavior

Description:

Object code does not behave as required or intended


Compiling


Table 344 Error: Wrong Object-Code Behavior

Error: Wrong or Missing Source Files Compiled

Description:

-None-


Compiling

Table 345 Error: Wrong or Missing Source Files Compiled


7 References

[61508] International Electrotechnical Commission, IEC 61508, Functional

safety of electrical/electronic/programmable electronic safety-related systmes, Edition 2.0, Apr 2010.

[DO178C] RTCA. DO-178C: Software Considerations in Airbone Systems and

Equipment Certification, 1st Edition 2011-12-13.

[DO330] RTCA. DO-330: Software Tool Qualification Considerations 1st Edition 2011-12-13.

[EN50128]: BS EN 50128:2011, Railway applications — Communication, signalling and processing systems — Software for railway control and protection

systems, BSI Standards Publication

[ISO26262] ISO/FDIS 26262 Road Vehicles –Functional safety–, Draft International Standard of International Organization for Standardization, BL19, 2010-12-07

[SAFECOMP12] Determining Potential Errors in Tool Chains: Strategies to Reach

Tool Confidence According to ISO 26262, SAFECOMP 2012, Wildmoser, Philipps, Slotosch

[TCA] TI C/C++ Compiler, tool available on www.validas.de/TCA.html, verwendete Version 1.8.1

[TI] Tool Impacts determination in TI C/C++ Compiler Chain

[TCA_UM] TI C/C++ Compiler, Version 1.8.1, User Manual Version, (<TCAHome>/plugins/Documentation/UserManual.pdf)

[TQP] Tool Qualification Plan for the tool(s) of TI C/C++ Compiler Chain to be constraint, generated during tool qualification

[TSM] Tool Saftey Manual for the tool(s) of TI C/C++ Compiler Chain to be

qualified, generated during tool qualification

http://www.validas.de/TCA.html

tool classification report - texas instruments and tests, a validation suite according to iso 26262...

Documents