Page 1

FAA-Qualifiable Ada Subset Compiler
V. Santhanam
Boeing

Page 2

Agenda

Problem statement
Qualifying a compiler
The subset
Compiler architecture
Verifying the compiler
Conclusion

Page 3

Problem Statement

FAA certification of software—levels of criticality
– Level A (catastrophic failure)
– Level B (severe failure)
– Level C (major failure)
– Level D (minor failure)

DO-178B is the de facto standard for FAA certification

Page 4

Problem Statement

Cost of software certification climbs rapidly with complexity and level of criticality
– Software written in a HOL is often verified only at the source level
– For the highest level of criticality, DO-178B calls for verification at the loaded object code level
– Qualifying the tools that transform the source code into a load image can significantly reduce the cost of certification

Page 5

Qualifying a Compiler

Qualifying a tool means obviating the need to verify its output
– Qualifying a compiler suite means being able to trust the load image if the source program can be trusted
– Software verification can be aimed entirely at the source program
– Results and coverage at the source program translate to results and coverage of the object program

Page 6

Qualifying a Compiler

To be able to take credit for source level verification at the object level, the compiler suite
– Must be deterministic
– Must map source code to object in a direct, context-independent manner
– Must not include extraneous or unreachable code

Page 7

Qualifying a Compiler

To achieve FAA qualification as a code development tool, the suite must be
– Developed using a DO-178B compliant software development process
– Documented to DO-178B standard
– Tested to the same DO-178B standard applicable to the level of software it is intended to compile

A typical COTS compiler meets none of the above criteria

Page 8

The Subset

Decision to build a compiler for a subset of Ada was based on several factors
– Ada is widely recognized as a “safe” language
– We had experience building compilers and analysis front-ends for Ada
– We had experience with large safety-critical systems developed in Ada
– We had helped define and filter software for subset restrictions suitable for safety critical applications

Page 9

The Subset

The subset was driven by four ground rules
– The compiler must be written in under 50,000 lines of Ada
– The subset must be suitable for up to medium-sized (< 100,000 SLOC) applications
– The subset must incorporate the most common restrictions placed on safety critical software
– The subset may not extend or alter the syntax or the semantics of Ada

Page 10

The Subset

Decision to keep or leave out a feature was made based on its “score” on four factors
– Complexity it added to the compiler
– Need for it in small-to-medium sized high-integrity embedded applications
– Availability of alternatives
– Desirability for high-integrity applications

Page 11

The Subset

The choice was a subset of Ada 95 roughly equivalent to Ada 83
– No tasking
– No generics
– No OO features
– No subunits or child units
– No run-time memory management
– No user overloading
– Limited nesting

Page 12

The Subset

Some of the Ada 95 additions are retained
– Modular (unsigned) integer types
– Access to subprograms, global data
– Use type clause (no package use clause)
– Aliasing of objects (address clause)

Page 13

Compiler Architecture

Compiler architecture is untypical
– Performs virtually no optimizations
– Enforces safe coding standards as if they were language semantics
– Designed for testability, not performance
– Written in a portable subset of Ada
– Compiled with no optimizations
– All run-time checks on
– Liberal use of assertions

Page 14

The Zbra Compiler Suite

Diagram (recovered from the figure labels): the Zbra Compiler Suite pipeline
  Zbra source code
    → Zbra Compiler (Zcmp)
    → Zbra assembly code
    → Zbra Assembler (Zasm)
    → Byte code (Z-code), linked together with other Z-code files
    → Zbra Linker (Zvml)
    → Z-code executable
    → Zbra Virtual Machine Interpreter (ZVM), native code on the target machine

Page 15

Compiler Architecture

Compiler targets a virtual machine
– Stack-based VM supports Ada operations directly
– VM facilitates direct source-to-object mapping
– VM allows execution profiling without source code changes or a different compilation mode
– VM facilitates application portability
– VM serves as the run-time support layer
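As an added illustration of the stack-based VM idea on this slide (not the Zbra suite's own code; the Z-code instruction set is not described on the page), the following Python sketch maps each constrained-integer assignment to a fixed instruction sequence, performs the range check inside the VM, and counts executed instructions per source line. Instruction names, the RPN input form and the Pct subtype are assumptions.

```python
# Added illustration, not the Zbra suite's code: a toy stack VM in the spirit of the
# slides' ZVM. Instruction names, RPN source form and the Pct subtype are hypothetical.
class ConstraintError(Exception):
    """Stands in for Ada's Constraint_Error, raised by the VM's own range check."""

def compile_assign(line, target, bounds, rpn):
    """Map one 'target := expr;' on a range-constrained integer to a fixed instruction
    list: the same construct always yields the same instructions (a direct,
    context-independent mapping with no optimisation), each tagged with its line."""
    code = [("ADD", None, line) if tok == "+" else
            ("SUB", None, line) if tok == "-" else
            ("LOAD", tok, line) for tok in rpn]
    code.append(("CHECK", bounds, line))   # never elided: all run-time checks on
    code.append(("STORE", target, line))
    return code

def execute(program, env, profile):
    """Interpret program; env (variables) and profile (executed instructions per
    source line) are updated in place, so profiling needs no separate build."""
    stack = []
    for opcode, arg, line in program:
        profile[line] = profile.get(line, 0) + 1
        if opcode == "LOAD":
            stack.append(env[arg] if isinstance(arg, str) else arg)  # variable or literal
        elif opcode in ("ADD", "SUB"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if opcode == "ADD" else a - b)
        elif opcode == "CHECK":
            low, high = arg
            if not low <= stack[-1] <= high:
                raise ConstraintError(f"line {line}: {stack[-1]} not in {low}..{high}")
        elif opcode == "STORE":
            env[arg] = stack.pop()

# Constructed sample program: subtype Pct is Integer range 0 .. 100;
#   line 10:  Total := A + B;
#   line 11:  Total := Total + 60;
PROGRAM = (compile_assign(10, "Total", (0, 100), ["A", "B", "+"])
           + compile_assign(11, "Total", (0, 100), ["Total", 60, "+"]))

def run_sample(a, b):
    """Return (Total or None, per-line profile, error text or None) for inputs A, B."""
    env, profile = {"A": a, "B": b}, {}
    try:
        execute(PROGRAM, env, profile)
        return env["Total"], profile, None
    except ConstraintError as exc:
        return None, profile, str(exc)
```

The per-line profile is the object-level coverage record that, because of the fixed mapping, can be read back directly as source-level statement coverage.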

Page 16

Verifying the Compiler

Qualification as a level A code development tool per DO-178B calls for
– Requirements-based testing
– Achieving maximum structural coverage through requirements-based testing
– Augmenting with module tests to achieve 100% structural coverage

Page 17

Verifying the Compiler

Requirements-based testing
– All applicable ACVC tests are included
  » 562 tests were determined to be applicable
– Supplemented with architecture specific tests
  » 116 tests
– A growing suite of “regression tests”
  » 106 tests to date

Page 18

Verifying the Compiler

Module tests are employed only
– Where requirements-based tests leave coverage deficiencies
– When code is unreachable otherwise

Page 19

Verifying the Compiler

Additional means of verification planned
– Compiler itself is to be compiled using two independent Ada compilers
– All requirements-based tests are to be run on both versions of the compiler
– At least one Level A system will be constructed and deployed using a conventional verification process
  » Will serve to provide service history

Page 20

Conclusion

We have
– Demonstrated that it is possible to build a qualifiable compiler for a useful subset of Ada
– Complemented the COTS technology with a unique product that fills a serious void
– Raised the bar on how safety critical systems ought to be built
– Provided a means by which software verification costs can be contained

Page 21

FAA-Qualifiable Compiler

Questions?