New Webinar: Language subsetting and compiler qualification

Mon, 09/07/2020 - 09:31
Software and compiler meet functional safety standards

 

Welcome to September. We are back from a short but energizing summer vacation with a host of new announcements and content. First, we are delighted to announce that we are now an Arm Functional Safety Partner. This program promotes partners, such as BUGSENG, who specialize in software and tools, design and training services and can reliably support their customers with industry-leading functional safety services.

We are also running an exciting new series of free webinars. And, we have a ton of new content on our YouTube channel, including recordings of all our webinars going back to March 2020. If you’re looking to keep up with the latest developments in MISRA C/C++ and BARR-C coding standards, static analysis tools, tool qualification, and compliance to industrial functional safety standards, our YouTube webinars are a great place to start.

Our joint webinar with Solid Sands BV

In this blog, we would like to introduce the joint webinar we are running with Marcel Beemster, co-founder and CTO of Solid Sands B.V., a leading provider of compiler testing and qualification technology. The webinar topic is: “Language Subsetting and Compiler Qualification in the Development of Software for Safety-Critical Systems” and it will run on Thursday, 17 September at 11:00-12:00 CEST (UTC+2). You can sign up here. In the meantime, here are a few more details and background information to the topic.

How to save time and money with Language Subsetting and Compiler Qualification in the Development of Software for Safety-Critical Systems

Developing critical systems’ software in compliance with functional safety standards (such as DO-178C and ISO 26262) is challenging. The development of such software in C can save time and money. But, two crucial aspects must be taken into account. The first aspect is language subsetting and the second is compiler qualification.

Why proper language subsetting is essential

Proper language subsetting (for instance, by strict adherence to MISRA C:2012 plus further restrictions, such as restricting the use of floating-point numbers) is crucial. It avoids non-determinism, recursion, dynamic memory allocation and other unsafe language features. The major advantage of an application that is written in a proper subset of C or C++ is that it greatly improves the portability of the code.

By avoiding undefined and implementation-defined behavior, the application gains independence from the compiler, target architecture and other aspects of the implementation. This makes it robust to change and future-proof. Embedded applications, especially those that are safety-critical, often have a life span that goes far beyond the support period of the tools that are needed to implement them.

Should you assume the compiler will do the right job?

Speaking of implementation tools: how do we know that the compiler properly translates the application to machine code? Can you just assume that the compiler will do the right job? There are two answers to these questions.

  • On the technical side: compilers are among the most complex software applications in widespread use. It is common that a compiler's development started decades before its current use and that many hundreds of developers have made substantial contributions to it. Its development is never finished because of the addition of new features, optimizations and other improvements, and bug fixes. So it is not evident that the compiler is free of errors.

  • On the standards side: functional safety standards, such as ISO 26262, devote a specific section to software tools such as compilers. In ISO 26262 it is called "Confidence in the use of software tools" and this section explains that you need to take a good look at the compiler before you can trust it with your code. Fortunately, it also defines the process to do so.

Beware of the black holes of undefined behaviour

The state-of-the-art method to create confidence in the compiler is by testing it. By definition, undefined behavior cannot be tested, because there is no expected behavior to verify. This is an important reason why adhering to a language subset, such as MISRA, and enforcing it with a high-quality tool is so important.
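To make the two points above concrete (portability through avoiding undefined and implementation-defined behavior, and the fact that only defined behavior has an expected result a compiler test can check), here is an added example written for this post; it is not code from BUGSENG, Solid Sands or the webinar. The function names `scale_unportable` and `scale_portable` and the input values are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed "before" function: it leans on behaviour that the ISO C
 * standard leaves undefined or implementation-defined, so no compiler
 * test suite can state an expected result for every input. */
int scale_unportable(int a, int b)
{
    /* - the width of 'int' is implementation-defined, so the point at
     *   which 'a * b' overflows differs between targets;
     * - signed integer overflow in 'a * b' is undefined behaviour;
     * - right-shifting a negative signed value is implementation-defined. */
    return (a * b) >> 2;
}

/* Constructed "after" form in the spirit of a MISRA-style subset:
 * fixed-width types, an explicit range check, and a division whose
 * result is defined for every operand. The caller receives a status
 * instead of a silently wrong or undefined value. */
typedef struct {
    bool ok;        /* false if the product would not fit in an int32_t */
    int32_t value;  /* valid only when ok is true */
} scale_result;

scale_result scale_portable(int32_t a, int32_t b)
{
    scale_result r = { false, 0 };
    /* int32_t * int32_t always fits in int64_t, so this product is defined. */
    int64_t prod = (int64_t)a * (int64_t)b;
    if (prod < INT32_MIN || prod > INT32_MAX) {
        return r;                    /* report overflow instead of invoking UB */
    }
    r.ok = true;
    r.value = (int32_t)(prod / 4);   /* truncates toward zero, defined by C99 and later */
    return r;
}

/* Whatever the portable code still assumes about the implementation is
 * stated where the compiler must check it, rather than left implicit. */
_Static_assert(CHAR_BIT == 8, "8-bit bytes assumed");
_Static_assert(sizeof(int32_t) == 4, "int32_t must be exactly 32 bits");

int main(void)
{
    scale_result r = scale_portable(1000, 1000);
    printf("1000*1000/4 -> ok=%d value=%ld\n", (int)r.ok, (long)r.value);
    r = scale_portable(INT32_MAX, 2);
    printf("INT32_MAX*2/4 -> ok=%d (overflow reported, not computed)\n", (int)r.ok);
    r = scale_portable(-7, 1);
    printf("-7/4 -> ok=%d value=%ld\n", (int)r.ok, (long)r.value);
    return 0;
}
```

The point for qualification is that every line of `scale_portable` has a result the standard fixes, so a suite that covers the standardized language covers this code; the "before" form has inputs for which no expected output exists, and a subset-enforcing static analyzer is what keeps such code out of the program in the first place.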

One of the many advantages of the C and C++ programming languages is that they have a long and well-understood history. They are also well supported by tools. Most important to us is that they are defined by ISO standards going back to 1990. The C standard specifies the behavior of C programs.

Why language subsetting with MISRA standards and compiler qualification go hand-in-hand

Language subsetting with MISRA standards and compiler qualification go hand-in-hand because they are, today, the only alternative to writing software in assembly language. That means it is very important to understand the synergy between them. On the one hand, if the compiler is defective, the guarantees provided by MISRA do not carry over to the executable code.

On the other hand, compiler qualification suites typically cover the ISO C standard language features: language extensions, whether used intentionally or unintentionally, are not covered. Proper enforcement of the guidelines, such as MISRA, ensures such extensions are not used, that the syntax and constraints of the applicable ISO language standard are complied with, and that the translation limits of the compiler are not exceeded.

In summary, language subsetting and a compiler qualification suite that fully covers the standardized language together ensure that the compiler qualification exercise covers the compiled program.

Be confident your software and compiler meet functional safety standards

Solid Sands created the SuperTest suite, which ensures verification of the correct operation of the compiler with respect to the applicable ISO standards. BUGSENG has built the ECLAIR static analysis platform, which allows almost complete automation of the checks for MISRA compliance, gathering of software metrics and much more. With ECLAIR and SuperTest you can indeed be confident that your software and the compiler that you use today (and the compiler used tomorrow) adhere to the prescriptions of functional safety standards.

Our CTO, Roberto Bagnara, co-wrote this blog with Marcel Beemster, a professional with more than 25 years in compiler technology and a PhD in Computer Science from the University of Amsterdam. Marcel is co-founder and CTO of Solid Sands B.V., a leading provider of compiler testing and qualification technology.

Sign up for our joint webinar on 17 September

Marcel and Roberto will delve into this topic in even more detail in our joint webinar on 17 September. Please register here, if you haven’t already. We look forward to welcoming you back for this new series of webinars!
