Interface-Implementation Contract Checking

  1. Interface-Implementation Contract Checking: A Case Study on NASA’s OSAL. Dharmalingam Ganesan, Mikael Lindvall, Fraunhofer Center for Experimental Software Engineering, College Park, Maryland. © 2013 Fraunhofer USA, Inc. Center for Experimental Software Engineering
  2. Agenda
     • Context: NASA OSAL
     • Static equivalence analysis
     • Static contract checking
     • Conclusion
  3. Context: NASA OSAL
     • Operating System Abstraction Layer
     • Isolates flight software from the real-time operating system and the hardware
     • Implementations exist for the real-time operating systems RTEMS and VxWorks and for POSIX-compliant non-real-time systems
     • Provides “write once, run everywhere (somewhere)” at the compile level
     • Used for mission-critical embedded systems
     • Provides support for file systems, tasks, queues, semaphores, interrupts, hardware abstraction, I/O ports and exception handling
  4. NASA OSAL
     • Why is it important that OSAL is bug free?
       – Flight software is mission critical and needs to be of very high quality
       – OSAL is the foundation of the core Flight Executive (cFE), on which the core Flight System (cFS) runs
       – OSAL is used in many NASA missions, e.g. the Lunar Reconnaissance Orbiter
       – If OSAL has issues, the result might be a catastrophic failure
  5. NASA OSAL in cFS (diagram slide; image not in transcript)
  6. NASA OSAL – Architecture (diagram slide; image not in transcript)
  8. Static equivalence analysis
     • Currently OSAL has implementations for the RTEMS, VxWorks and POSIX operating systems
     • All implementations should behave the same:
       – Perform the same operation regardless of OS
       – Return the same error codes when errors occur
  9. Static equivalence analysis
     • Used to find differences between the OSAL implementations (POSIX, RTEMS, VxWorks)
     • Extracts the return codes from the function bodies
     • The return codes of each implementation are compared to find differences
  10. Static equivalence analysis
     • Enables us to easily find otherwise subtle and hard-to-find errors
     (side-by-side code listing: POSIX implementation vs. RTEMS implementation; image not in transcript)
  11. Static equivalence analysis – example (code slide; image not in transcript)
  12. Which defects can be found in OSAL when analyzing function pairs for functional equivalence?

     Runtime issues                    # Issues
     Precondition checking diffs.      13
     Return code diffs.                24
     Global variable writing diffs.    15
     Parameter writing diffs.           3
     Parameter checking                 2
     Σ                                 57

     Minor issues                      # Issues
     Configuration issues               9*
     Output differences                18*
     Σ                                 27

     * Acknowledged and/or fixed
  14. Static contract checking without a formal contract
     • APIs are supposed to fulfill a “contract”
     • A contract is:
       – a specification of what each function does, and
       – of how it responds to errors and what the function should return
     • Programmers program to an API using the contract as a guide
     • A function not written according to the contract can cause hard-to-find errors
  15. Static contract checking without a formal contract: example of a function fulfilling its contract (side-by-side: contract vs. implementation; image not in transcript)
  16. Static contract checking without a formal contract: example of a function fulfilling its contract (continued; image not in transcript)
  17. Static contract checking without a formal contract: example of a function fulfilling its contract (continued; image not in transcript)
  18. Static contract checking without a formal contract: example of a function not fulfilling its contract (image not in transcript)
  19. Static contract checking without a formal contract
     • Regular expressions are used to create simple and fast Perl programs
     • Works on C and C++ source
     • Extracts return codes from the function bodies and from the contract comments
     • Compares the return codes in the contract comments with those in the function bodies to find mismatches
  20. Static contract checking without a formal contract (code slide; image not in transcript)
  21. Static contract checking without a formal contract ... and the other way around
     • To find out whether functions implement more than the contract implies
     • To identify an incomplete contract that could result in implementation mismatches between wrappers
     • Extract return codes from the function bodies instead of from the contract comments
     • Compare the extracted return codes against the contract comments to find undocumented behavior
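The following is an added illustration of the two comparisons described in slides 8 to 10 (equivalence analysis across wrappers) and slides 19 and 21 (contract checking in both directions). It is not code from the deck or from NASA's OSAL tooling; the deck's scripts are Perl, and this is a Python rewrite in the same regex-driven spirit. The two C wrappers for `OS_QueueCreate` are constructed samples, not real OSAL source: the return-code names follow OSAL's `OS_` prefix convention, but the bodies, the `Returns:` comment format and the divergences between them are invented for the example.

```python
import re

# Constructed C samples (not real OSAL source): two wrappers for the same API
# function, each with a header comment that serves as the informal contract.
POSIX_SRC = """
/*
** Name: OS_QueueCreate
** Returns: OS_SUCCESS, OS_INVALID_POINTER, OS_ERR_NAME_TOO_LONG,
**          OS_ERR_NAME_TAKEN, OS_ERR_NO_FREE_IDS, OS_ERROR
*/
int32 OS_QueueCreate(uint32 *queue_id, const char *queue_name)
{
    if (queue_id == NULL || queue_name == NULL)
        return OS_INVALID_POINTER;
    if (strlen(queue_name) >= OS_MAX_API_NAME)
        return OS_ERR_NAME_TOO_LONG;
    if (OS_QueueNameTaken(queue_name))
        return OS_ERR_NAME_TAKEN;
    if (mq_open(queue_name, O_CREAT | O_RDWR) == (mqd_t)-1)
        return OS_ERROR;                  /* OS_ERR_NO_FREE_IDS is never returned */
    return OS_SUCCESS;
}
"""

RTEMS_SRC = """
/*
** Name: OS_QueueCreate
** Returns: OS_SUCCESS, OS_INVALID_POINTER, OS_ERR_NAME_TOO_LONG,
**          OS_ERR_NAME_TAKEN, OS_ERR_NO_FREE_IDS, OS_ERROR
*/
int32 OS_QueueCreate(uint32 *queue_id, const char *queue_name)
{
    if (queue_id == NULL || queue_name == NULL)
        return OS_INVALID_POINTER;
    if (strlen(queue_name) >= OS_MAX_API_NAME)
        return OS_ERR_NAME_TOO_LONG;
    if (OS_QueueNameTaken(queue_name))
        return OS_ERR_NAME_TAKEN;
    if (free_slot < 0)
        return OS_ERR_NO_FREE_IDS;
    if (rtems_message_queue_create(queue_name, 10, 128, 0, &rtems_id) != RTEMS_SUCCESSFUL)
        return OS_QUEUE_CREATE_ERROR;     /* undocumented; the POSIX wrapper returns OS_ERROR here */
    return OS_SUCCESS;
}
"""

# One C function together with its preceding block comment.  Deliberately as
# simple as the deck's Perl scripts: no handling of nested braces, and only
# literal `return OS_...;` statements are seen (a `return rc;` through a
# variable is missed, which is why the approach is neither sound nor complete).
FUNC_RE = re.compile(
    r"/\*(?P<contract>.*?)\*/\s*"                  # header comment = informal contract
    r"int32\s+(?P<name>OS_\w+)\s*\([^)]*\)\s*"     # hypothetical OSAL-style signature
    r"\{(?P<body>.*?)\n\}",
    re.S,
)
RETURN_RE = re.compile(r"\breturn\s+(OS_[A-Z0-9_]+)\s*;")   # literal return codes in bodies
CODE_RE = re.compile(r"\bOS_[A-Z][A-Z0-9_]*\b")            # code names in the contract comment


def extract(src):
    """Map function name -> (documented return codes, implemented return codes)."""
    found = {}
    for m in FUNC_RE.finditer(src):
        _, _, returns_text = m.group("contract").partition("Returns:")
        documented = set(CODE_RE.findall(returns_text))
        implemented = set(RETURN_RE.findall(m.group("body")))
        found[m.group("name")] = (documented, implemented)
    return found


def contract_diffs(impl):
    """Contract checking in both directions: codes the comment promises but the
    body never returns, and codes the body returns that the comment omits."""
    return {
        name: {
            "documented_not_implemented": documented - implemented,
            "implemented_not_documented": implemented - documented,
        }
        for name, (documented, implemented) in impl.items()
    }


def equivalence_diffs(impl_a, impl_b):
    """Equivalence analysis: for each function, the return codes that only one
    of the two wrappers can produce (a function missing entirely on one side
    shows up as all of its codes being one-sided)."""
    diffs = {}
    for name in sorted(set(impl_a) | set(impl_b)):
        codes_a = impl_a.get(name, (set(), set()))[1]
        codes_b = impl_b.get(name, (set(), set()))[1]
        if codes_a != codes_b:
            diffs[name] = (codes_a - codes_b, codes_b - codes_a)
    return diffs


if __name__ == "__main__":
    posix, rtems = extract(POSIX_SRC), extract(RTEMS_SRC)
    for label, impl in (("POSIX", posix), ("RTEMS", rtems)):
        for fn, d in contract_diffs(impl).items():
            print(f"{label} {fn}: documented but never returned {sorted(d['documented_not_implemented'])}; "
                  f"returned but undocumented {sorted(d['implemented_not_documented'])}")
    for fn, (only_a, only_b) in equivalence_diffs(posix, rtems).items():
        print(f"{fn}: only POSIX returns {sorted(only_a)}; only RTEMS returns {sorted(only_b)}")
```

On the constructed input the POSIX wrapper documents `OS_ERR_NO_FREE_IDS` but never returns it, the RTEMS wrapper returns the undocumented `OS_QUEUE_CREATE_ERROR` and never returns the documented `OS_ERROR`, and the cross-wrapper comparison flags both differences as a return-code divergence of the kind counted on slide 12. Because only literal `return OS_...;` statements and `Returns:` comments are matched, every hit still needs a human look, and a code that travels through a variable or a macro is invisible to the script; that is the "neither sound nor complete" caveat from the summary slide.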
  22. Static contract checking without a formal contract (code slide; image not in transcript)
  23. Static contract checking without a formal contract: a part of the 61 issues found in the POSIX implementation (table not in transcript). All issues were reported and have since been addressed.
  24. Summary
     Static equivalence analysis:
     • A lightweight technique
     • Powerful for detecting inconsistencies between wrappers
     • Found several inconsistencies (addressed in OSAL)
     Static contract checking without a formal contract:
     • A lightweight technique
     • Found many inconsistencies between documentation and code (addressed in OSAL)
     • Needs no modeling or rigor (but is neither sound nor complete)
  25. Thank you! dganesan@fc-md.umd.edu, mlindvall@fc-md.umd.edu
  26. Acknowledgement
     • Gunnar Cortes
     • Henning Femmer
     • Dave McComas
     • Alan Cudmore
     • Wesley Deadrick
