SlideShare a Scribd company logo

Critical software developement

N
nedseb

Présentation sur le développement de logiciel critique faite par Quentin Ochem à l'IUT d'Aix-en-Provence

EngineeringTechnology
1 of 42
Download to read offline
Slide: 1Copyright © 2014 AdaCore Quentin Ochem Technical Account Manager Critical Software Development
Slide: 2Copyright © 2014 AdaCore What is Critical Software?
Slide: 3Copyright © 2014 AdaCore Case-Study Avionics and DO-178B
Slide: 4Copyright © 2014 AdaCore • Any software flying in the civil air space must have be certified against – DO-178B in USA – ED-12B in Europe • Military aircraft do not need to comply to it except if they fly in the civil air space – E.g. A400 M • Other industries have or think about similar standards (see IEC-50128) – Railroad, military, automotive, energy, medical… DO-178B/C applications
Slide: 5Copyright © 2014 AdaCore • Certifying most parts of a plane is centered on the result – When does the wing break? – Can I get this many people out in this many time? • It’s not possible to just “experiment” the software – Too complex • So certifying a software is based on the process The software certification problem
Slide: 6Copyright © 2014 AdaCore Certifying a system is showing best possible effort has been made in understanding and mastering the environment, specification, implementation and verification In one sentence
Slide: 7Copyright © 2014 AdaCore • The development is organized through processes • Each process describes – Objectives – Activities Processes Objective Activity Applicability Output Control Category A B C D A B C D Test coverage of Software Structure Is achieved 6.4.4.2.a 6.4.4.2.b 6.4.4.2.d Software Verification Results 2 2 2
Slide: 8Copyright © 2014 AdaCore • Each activity may be achieved with independence • When achieved with independence, and other person (outside of any hierarchical dependency) need to perform verifications Reviews and independence Objective Activity Applicability Output Control Category A B C D A B C D Test coverage of Software Structure Is achieved 6.4.4.2.a 6.4.4.2.b 6.4.4.2.d Software Verification Results 2 2 2
System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code referencestrace trace references references trace Executable Object Code Executable Object Code generates [5] Main Development Objectives
System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code compliance traceability compliance compatibilitycompliance traceability compliance traceability [6] Main Verification Objectives (1/4)
System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code complete and correct verifiable conformance accuracy and consistency accuracy & consistency HW compatibility verifiability conformance consistency HW compatibility verifiability conformance partition integrity accuracy & consistency HW compatibility verifiability conformance [6] Main Verification Objectives (2/4)
System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code compliance robustness compliance robustness compatible with target [6] Main Verification Objectives (3/4)
System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code structural and functional coverage [6] Main Verification Objectives (4/4)
Slide: 14Copyright © 2014 AdaCore Tools and Constraints around the Code
Slide: 15Copyright © 2014 AdaCore • Objectives can be achieved by manual activities or automated activities • Some activities are well suited to automation – E.g. Code standard checker, coverage analysis, stack analysis… • If a tool replaces a manual activity, it must be qualified • Qualification is a lighter certification process Tool Support
Slide: 16Copyright © 2014 AdaCore Verification - Static Analysis • Coding Standard Verification • Stack Usage • Worst Case Execution Time • Run-Time Error Analysis • Formal Proof
Slide: 17Copyright © 2014 AdaCore Verification - Dynamic Analysis Tools • Unit Testing • Structural Code Coverage • Stack Usage (!) • Worst Case Execution Time (!)
Slide: 18Copyright © 2014 AdaCore Structural Coverage Analysis • Statement coverage – Each line of code is tested • Decision coverage – Each decision (boolean expression) is tested True and False • Modified Condition / Decision coverage (MC/DC) – Each condition (operand of a boolean expression) can change the result of the decision
Slide: 19Copyright © 2014 AdaCore DO-178 – Structural Coverage Example (1/2)  Coverage  function Sep (X : Character) return Boolean is Result : Boolean := False; begin if X = ‘/’ or else X = ‘’ or else X = ‘:’ then Result := True; end if; return Result; end Sep;  Statement coverage -> call with any X  Decision coverage -> test X = ‘:’ and X = ‘z’
Slide: 20Copyright © 2014 AdaCore DO-178 – Structural Coverage Example (2/2)  MC/DC  if X = ‘/’ or else X = ‘’ or else X = ‘:’ then  Cond1: X = ‘/’ => TFF => TRUE X = ‘z’ => FFF => FALSE  Cond2 X = ‘’ => FTF => TRUE X = ‘y’ => FFF => FALSE  Cond3 X = ‘y’ => FFF => FALSE X = ‘:’ => FFT => TRUE  There is a redundant test here (FFF). 4 tests would be enough.  In general n + 1 test are enough to test an expression of n conditions
Slide: 21Copyright © 2014 AdaCore • No dynamic allocation / pointers • No exceptions • No object orientation (except if…) • No non-deterministic behavior • Limited or no use of the run-time • Explicit coding standard • … Typical Code Constraints
Slide: 22Copyright © 2014 AdaCore • Local Type Substitutability is a new objective in DO-332, allowing the use of object orientation and dispatching calls • It relies on a demonstration of consistency between overriding methods which can be verified by testing or formal analysis • Given a dispatching call from a Root type to one of its methods … • … at run-time, it’s OK to call an overridden method of a child if – The child method precondition does not require additional properties – The child method postcondition provides at least as many properties Local Type Substitutability (part of DO-332, OOT supplement) Root.Method
Slide: 23Copyright © 2014 AdaCore • On top of correctness of pre and post conditions, we need to demonstrate that – Parent preconditions imply Child preconditions – Child postconditions imply Parent postconditions Local Type Substitutability Example type Abstract_Plane is tagged record Speed : Integer; Landed : Boolean; end record; procedure Land (V : Root) with Pre => V.Speed <= 10.0, Post => V.Landed; type My_Plane is new Abstract_Plane with record Gears_Deployed : Boolean; end record; overriding procedure Land (V : Child) with Pre => V.Speed <= 15.0, Post => V.Landed and V.Gears_Deplyed; V <= 10.0  V <= 15.0 {V.Landed, V.Gears_Deployed}  V.Landed
Slide: 24Copyright © 2014 AdaCore 1994 T AdaAda
Slide: 25Copyright © 2014 AdaCore Can You Find the Seven Bugs? float * compute (int * tab, int size) { float tab2 [size]; float * result; for (int j = 0; j <= size; ++j) { tab [j] = tab2 [j] / 10; } result = tab2; return result; }
Slide: 26Copyright © 2014 AdaCore And in Ada? type Int_Array is array (Integer range <>) of Integer; type Float_Array is array (Integer range <>) of Float; function Compute (Tab : Int_Array) return Float_Array is Tab2 : Float_Array (Tab'Range); begin for J in Tab'Range loop Tab (J) := Tab2 (J) / 10; end loop; declare Result : Float_Array := Tab2; begin return Result; end; end Compute;
Slide: 27Copyright © 2014 AdaCore The One-Line-Of-Code Hell • Is “tab” null? • Is “tab” an array? • Is i within the boundaries of “tab”? • Has “tab” been initialized? • Is “tab” expecting floats or integers? • If it’s float, is this a float or a integer division? tab [i] = tab [i] / 10; Can’t tell. Can’t tell. Can’t tell. Can’t tell. Can’t tell. Can’t tell.
Slide: 28Copyright © 2014 AdaCore The One-Line-Of-Code Hell • Is “tab” null? • Is “tab” an array? • Is i within the boundaries of “tab”? • Has “tab” been initialized? • Is “tab” expecting floats or integers? • If it’s float, is this a float or a integer division? tab (i) := tab (i) / 10; Can’t tell. No, tab is an array. Yes, otherwise can’t access to the indices. Checked at run-time. If float, compiler runtime. If needed, explicit conversion.
Slide: 29Copyright © 2014 AdaCore Driving Design Principles • Explicit as much as possible – Put as much (formal) information as possible in the code – Put as much (formal) information as possible in the specification – Avoid pointers as much as possible – Avoid shortcuts – Avoid ambiguous constructs as much as possible – Make dubious construct possible but visible type I_Acc is access all Integer; I : I_Acc := new Integer; function Acc_To_Int is new Ada.Unchecked_Conversion (I_Acc, Integer); function Int_To_Acc is new Ada.Unchecked_Conversion (Integer, I_Acc); I := Int_To_Acc (Acc_To_Int (I) + I_Acc’Size); int * i = malloc (sizeof (int)); i++;
Slide: 30Copyright © 2014 AdaCore Driving Rationale • Ease manual and automatic analysis – From developer review – From peer review – From compiler errors and warnings – From static analysis tools – From proof tools – From maintainance • Simplify code an readability when dealing with high level programming concepts A : Integer_Array (0 .. 10) := (0 => 1, 1 => 1, others => 0) int [] a = new int [10]; a [0] = 1; a [1] = 1; for (int i = 2; i < 10; i++) a [i] = 0;
Slide: 31Copyright © 2014 AdaCore Strong Typing • A type is a semantic entity, independent from its implementation • Strong typing forbids implicit conversions • Values are checked at run-time (can be deactivated) type Kilometers is new Float; type Miles is new Float; Length_1 : Miles := 5.0; Length_2 : Kilometers := 10.0; D : Kilometers := Length_1 + Length_2; type Ratio is new Float range 0.0 .. 100.0; Qty : Integer := 10; Total : Integer := 1000; R : Ratio := Ratio (Total / Qty) * 100.0;
Slide: 32Copyright © 2014 AdaCore Arrays • Arrays can be indexed by any discrete types (integers, enumeration) • First and Last index can be specified at declaration time • Buffer overflows are checked at run-time • There is an array literal (aggregate) type Some_Array is array (Integer range <>) of Integer; type Color_Array is array (Color range <>) of Integer; Arr1 : Some_Array (10 .. 11) := (666, 777); Arr2 : Color_Array (Red .. Green) := (Red => 0, others => 1); Arr1 (9) := 0; -- Exception raised, Index out of range
Slide: 33Copyright © 2014 AdaCore Parameter Modes • Three parameter modes : in (input), out (output) and in-out (input/output) • The correct parameter usage is done at compile-time • The compiler decides if it has to be passed by reference of copy • That’s case of explicit pointer avoidance procedure Do_Something (P1 : in Huge_Structure) –- Passed by reference if too big procedure Do_Something (P1 : in Integer; -- P1 can’t be changed P2 : out Integer; -- No initial value on P2 P3 : in out Integer) -- P3 can be changed
Slide: 34Copyright © 2014 AdaCore • Generalized contracts are available through pre and post- conditions • New type invariants will ensure properties of an object • Subtype predicates Pre, Post Conditions and Invariants type T is private with Invariant => Check (T); type Even is range 1 .. 10 with Predicate => Even mod 2 = 0; procedure P (V : in out Integer) with Pre => V >= 10, Post => V’Old /= V;
Slide: 35Copyright © 2014 AdaCore Package Architecture • All entities are subject to encapsulation – Not only OOP constructions • Specification and Implementation details are separated from the package, addresses any kind of semantic entity package Stack is procedure Push (V : Integer); ... end Stack; package body Stack is procedure Push (V : Integer) is begin ... end Stack;
Slide: 36Copyright © 2014 AdaCore Data Representation • Allows to optimize memory usage • Allows to precisely map data type Size_T is range 0 .. 1023; type Header is record Size : Size_T; Has_Next : Boolean; end record; for Header use record Size at 0 range 0 .. 10; Has_Next at 1 range 6 .. 6; end record;
Slide: 37Copyright © 2014 AdaCore If pointers are needed… • Pointers are typed, associated with accessibility checks • Objects that can be pointed are explicitly identifed • In the absence of deallocation, pointers are guaranteed to never be dangling • Pointers constraints can be specified – Is null value expected? – Is the pointer constant? – Is the object pointed by the pointer constant? type My_Pointer is access all Integer; Global_Int : aliased Integer; function Get_Pointer (Local : Boolean) return My_Pointer is Local_Int : aliased Integer; Tmp : My_Pointer; begin if Local then Tmp := Local_Int’Access; else Tmp := Global_Int’Access; end if; return Tmp; end Get_Pointer; Tmp := Local_Int’Unchecked_Access;
Slide: 38Copyright © 2014 AdaCore Concurrent Programing • Threads and semaphore are first class citizens task Some_Task is begin loop -- Do something select accept Some_Event do -- Do something end Some_Event; or accept Some_Other_Event do -- Do something end Some_Other_Event; end select; end loop; end; ... Some_Task.Some_Event;
Slide: 39Copyright © 2014 AdaCore Why is all of this of any use? • For readability – Specification contains formally expressed properties on the code • For testability – Constraints on subprograms & code can lead to dynamic checks enabled during testing • For static analysis – The compiler checks the consistency of the properties – Static analysis tools (CodePeer) uses these properties as part of its analysis • For formal proof – Formal proof technologies can prove formally certain properties of the code (High-Lite project)
Slide: 40Copyright © 2014 AdaCore Yes But… • It is possible to reach similar levels of safety with other technologies (MISRA-C, RT-Java) • … but safety features have to be re-invented – Requires additional guidelines – Requires additional tools – Limited by the original language features • Examples of features that like “a circle fit in a square” – Types management in MISRA-C – Stack emulation in RT-Java • When long term reliability is a goal, using the correct paradigm to start with will reach higher levels at lower cost
Slide: 41Copyright © 2014 AdaCore 1994 T http://u.adacore.comhttp://u.adacore.com
Slide: 42Copyright © 2013 AdaCore

Recommended

Timed Concurrent Language for Argumentation
Timed Concurrent Language for ArgumentationTimed Concurrent Language for Argumentation
Timed Concurrent Language for ArgumentationCarlo Taticchi
 
Handling Exceptions In C &amp; C++ [Part B] Ver 2
Handling Exceptions In C &amp; C++ [Part B] Ver 2Handling Exceptions In C &amp; C++ [Part B] Ver 2
Handling Exceptions In C &amp; C++ [Part B] Ver 2ppd1961
 
Concurrent Argumentation with Time: an Overview
Concurrent Argumentation with Time: an OverviewConcurrent Argumentation with Time: an Overview
Concurrent Argumentation with Time: an OverviewCarlo Taticchi
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)Olve Maudal
 
Syntutic
SyntuticSyntutic
SyntuticRohit Chintu
 
Présentation Domotique Maximin Coste
Présentation Domotique Maximin CostePrésentation Domotique Maximin Coste
Présentation Domotique Maximin Costenedseb
 
Présentation projet domotique
Présentation projet domotiquePrésentation projet domotique
Présentation projet domotiqueSinGuy
 
Rénovation du bac pro sen 13 & 14 06 2016
Rénovation du bac pro sen 13 & 14 06 2016Rénovation du bac pro sen 13 & 14 06 2016
Rénovation du bac pro sen 13 & 14 06 2016SinGuy
 

Recommended

Timed Concurrent Language for Argumentation
Timed Concurrent Language for ArgumentationTimed Concurrent Language for Argumentation
Timed Concurrent Language for ArgumentationCarlo Taticchi
 
Handling Exceptions In C &amp; C++ [Part B] Ver 2
Handling Exceptions In C &amp; C++ [Part B] Ver 2Handling Exceptions In C &amp; C++ [Part B] Ver 2
Handling Exceptions In C &amp; C++ [Part B] Ver 2ppd1961
 
Concurrent Argumentation with Time: an Overview
Concurrent Argumentation with Time: an OverviewConcurrent Argumentation with Time: an Overview
Concurrent Argumentation with Time: an OverviewCarlo Taticchi
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)Olve Maudal
 
Syntutic
SyntuticSyntutic
SyntuticRohit Chintu
 
Présentation Domotique Maximin Coste
Présentation Domotique Maximin CostePrésentation Domotique Maximin Coste
Présentation Domotique Maximin Costenedseb
 
Présentation projet domotique
Présentation projet domotiquePrésentation projet domotique
Présentation projet domotiqueSinGuy
 
Rénovation du bac pro sen 13 & 14 06 2016
Rénovation du bac pro sen 13 & 14 06 2016Rénovation du bac pro sen 13 & 14 06 2016
Rénovation du bac pro sen 13 & 14 06 2016SinGuy
 
Code coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveCode coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveEngineering Software Lab
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Engineering Software Lab
 
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...Thomas Wuerthinger
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance EffectsSergey Kuksenko
 
Final field semantics
Final field semanticsFinal field semantics
Final field semanticsVladimir Sitnikov
 
Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)Sethmi Kachchakaduge
 
CompletableFuture уже здесь
CompletableFuture уже здесьCompletableFuture уже здесь
CompletableFuture уже здесьDmitry Chuyko
 
Nishar resume
Nishar resumeNishar resume
Nishar resumeMD NISHAR
 
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...Yuji Kubota
 
Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification AdaCore
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-codingTrần Bình Hậu
 
Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015andreas kuncoro
 
Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Rapita Systems Ltd
 
Nishar_Resume
Nishar_ResumeNishar_Resume
Nishar_ResumeMD NISHAR
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessDr. Syed Hassan Amin
 
Type-safe DSLs
Type-safe DSLsType-safe DSLs
Type-safe DSLsWerner Keil
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Open-DO Update
Open-DO UpdateOpen-DO Update
Open-DO UpdateAdaCore
 
chapter4.ppt
chapter4.pptchapter4.ppt
chapter4.pptMalathyN6
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Priyanka Aash
 
LABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makersLABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makersnedseb
 
LABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentaireLABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentairenedseb
 

More Related Content

Similar to Critical software developement

Code coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveCode coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveEngineering Software Lab
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Engineering Software Lab
 
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...Thomas Wuerthinger
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance EffectsSergey Kuksenko
 
Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)Sethmi Kachchakaduge
 
CompletableFuture уже здесь
CompletableFuture уже здесьCompletableFuture уже здесь
CompletableFuture уже здесьDmitry Chuyko
 
Nishar resume
Nishar resumeNishar resume
Nishar resumeMD NISHAR
 
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...Yuji Kubota
 
Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification AdaCore
 
Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015andreas kuncoro
 
Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Rapita Systems Ltd
 
Nishar_Resume
Nishar_ResumeNishar_Resume
Nishar_ResumeMD NISHAR
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessDr. Syed Hassan Amin
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Alexandre (Shura) Iline
 
Open-DO Update
Open-DO UpdateOpen-DO Update
Open-DO UpdateAdaCore
 
chapter4.ppt
chapter4.pptchapter4.ppt
chapter4.pptMalathyN6
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Priyanka Aash
 

Similar to Critical software developement (20)

Code coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspectiveCode coverage in theory and in practice form the do178 b perspective
Code coverage in theory and in practice form the do178 b perspective
 
Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective Code Coverage in Theory and in practice form the DO178B perspective
Code Coverage in Theory and in practice form the DO178B perspective
 
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ...
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance Effects
 
Final field semantics
Final field semanticsFinal field semantics
Final field semantics
 
Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)Computer Engineering (Programming Language: Swift)
Computer Engineering (Programming Language: Swift)
 
CompletableFuture уже здесь
CompletableFuture уже здесьCompletableFuture уже здесь
CompletableFuture уже здесь
 
Nishar resume
Nishar resumeNishar resume
Nishar resume
 
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
HeapStats: Troubleshooting with Serviceability and the New Runtime Monitoring...
 
Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification Tech Days 2015: Certification and Qualification
Tech Days 2015: Certification and Qualification
 
Secure pl-sql-coding
Secure pl-sql-codingSecure pl-sql-coding
Secure pl-sql-coding
 
Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015Adop and maintenance task presentation 151015
Adop and maintenance task presentation 151015
 
Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage" Presentation slides: "How to get 100% code coverage"
Presentation slides: "How to get 100% code coverage"
 
Nishar_Resume
Nishar_ResumeNishar_Resume
Nishar_Resume
 
Improving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review ProcessImproving Code Quality Through Effective Review Process
Improving Code Quality Through Effective Review Process
 
Type-safe DSLs
Type-safe DSLsType-safe DSLs
Type-safe DSLs
 
Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.Java code coverage with JCov. Implementation details and use cases.
Java code coverage with JCov. Implementation details and use cases.
 
Open-DO Update
Open-DO UpdateOpen-DO Update
Open-DO Update
 
chapter4.ppt
chapter4.pptchapter4.ppt
chapter4.ppt
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 

More from nedseb

LABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makersLABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makersnedseb
 
LABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentaireLABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentairenedseb
 
Présentation projet robot télésurveillance
Présentation projet robot télésurveillancePrésentation projet robot télésurveillance
Présentation projet robot télésurveillancenedseb
 
Présentation des Hack de l'été de Nicolas Muller
Présentation des Hack de l'été de Nicolas MullerPrésentation des Hack de l'été de Nicolas Muller
Présentation des Hack de l'été de Nicolas Mullernedseb
 
Présentation Indy dans l'audela par Benjamin Mauclaire
Présentation Indy dans l'audela par Benjamin MauclairePrésentation Indy dans l'audela par Benjamin Mauclaire
Présentation Indy dans l'audela par Benjamin Mauclairenedseb
 
Présentation des Locaux de la rue des boeufs par Guy Sinnig
Présentation des Locaux de la rue des boeufs par Guy SinnigPrésentation des Locaux de la rue des boeufs par Guy Sinnig
Présentation des Locaux de la rue des boeufs par Guy Sinnignedseb
 
Présentation sur les Formations du LAB par Guy Sinnig
Présentation sur les Formations du LAB par Guy SinnigPrésentation sur les Formations du LAB par Guy Sinnig
Présentation sur les Formations du LAB par Guy Sinnignedseb
 

More from nedseb (7)

LABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makersLABanque, vision d'une nouvelle monnaie pour les makers
LABanque, vision d'une nouvelle monnaie pour les makers
 
LABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentaireLABanque vision d'une nouvelle monnaie complémentaire
LABanque vision d'une nouvelle monnaie complémentaire
 
Présentation projet robot télésurveillance
Présentation projet robot télésurveillancePrésentation projet robot télésurveillance
Présentation projet robot télésurveillance
 
Présentation des Hack de l'été de Nicolas Muller
Présentation des Hack de l'été de Nicolas MullerPrésentation des Hack de l'été de Nicolas Muller
Présentation des Hack de l'été de Nicolas Muller
 
Présentation Indy dans l'audela par Benjamin Mauclaire
Présentation Indy dans l'audela par Benjamin MauclairePrésentation Indy dans l'audela par Benjamin Mauclaire
Présentation Indy dans l'audela par Benjamin Mauclaire
 
Présentation des Locaux de la rue des boeufs par Guy Sinnig
Présentation des Locaux de la rue des boeufs par Guy SinnigPrésentation des Locaux de la rue des boeufs par Guy Sinnig
Présentation des Locaux de la rue des boeufs par Guy Sinnig
 
Présentation sur les Formations du LAB par Guy Sinnig
Présentation sur les Formations du LAB par Guy SinnigPrésentation sur les Formations du LAB par Guy Sinnig
Présentation sur les Formations du LAB par Guy Sinnig
 

Recently uploaded

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVRajaP95
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 

Recently uploaded (20)

OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 

Critical software developement

  • 1. Slide: 1Copyright © 2014 AdaCore Quentin Ochem Technical Account Manager Critical Software Development
  • 2. Slide: 2Copyright © 2014 AdaCore What is Critical Software?
  • 3. Slide: 3Copyright © 2014 AdaCore Case-Study Avionics and DO-178B
  • 4. Slide: 4Copyright © 2014 AdaCore • Any software flying in the civil air space must have be certified against – DO-178B in USA – ED-12B in Europe • Military aircraft do not need to comply to it except if they fly in the civil air space – E.g. A400 M • Other industries have or think about similar standards (see IEC-50128) – Railroad, military, automotive, energy, medical… DO-178B/C applications
  • 5. Slide: 5Copyright © 2014 AdaCore • Certifying most parts of a plane is centered on the result – When does the wing break? – Can I get this many people out in this many time? • It’s not possible to just “experiment” the software – Too complex • So certifying a software is based on the process The software certification problem
  • 6. Slide: 6Copyright © 2014 AdaCore Certifying a system is showing best possible effort has been made in understanding and mastering the environment, specification, implementation and verification In one sentence
  • 7. Slide: 7Copyright © 2014 AdaCore • The development is organized through processes • Each process describes – Objectives – Activities Processes Objective Activity Applicability Output Control Category A B C D A B C D Test coverage of Software Structure Is achieved 6.4.4.2.a 6.4.4.2.b 6.4.4.2.d Software Verification Results 2 2 2
  • 8. Slide: 8Copyright © 2014 AdaCore • Each activity may be achieved with independence • When achieved with independence, and other person (outside of any hierarchical dependency) need to perform verifications Reviews and independence Objective Activity Applicability Output Control Category A B C D A B C D Test coverage of Software Structure Is achieved 6.4.4.2.a 6.4.4.2.b 6.4.4.2.d Software Verification Results 2 2 2
  • 9. System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code referencestrace trace references references trace Executable Object Code Executable Object Code generates [5] Main Development Objectives
  • 10. System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code compliance traceability compliance compatibilitycompliance traceability compliance traceability [6] Main Verification Objectives (1/4)
  • 11. System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code complete and correct verifiable conformance accuracy and consistency accuracy & consistency HW compatibility verifiability conformance consistency HW compatibility verifiability conformance partition integrity accuracy & consistency HW compatibility verifiability conformance [6] Main Verification Objectives (2/4)
  • 12. System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code compliance robustness compliance robustness compatible with target [6] Main Verification Objectives (3/4)
  • 13. System RequirementsSystem Requirements High Level Requirements High Level Requirements Software ArchitectureSoftware Architecture Low Level Requirements Low Level Requirements Source CodeSource Code Executable Object Code Executable Object Code structural and functional coverage [6] Main Verification Objectives (4/4)
  • 14. Slide: 14Copyright © 2014 AdaCore Tools and Constraints around the Code
  • 15. Slide: 15Copyright © 2014 AdaCore • Objectives can be achieved by manual activities or automated activities • Some activities are well suited to automation – E.g. Code standard checker, coverage analysis, stack analysis… • If a tool replaces a manual activity, it must be qualified • Qualification is a lighter certification process Tool Support
  • 16. Slide: 16Copyright © 2014 AdaCore Verification - Static Analysis • Coding Standard Verification • Stack Usage • Worst Case Execution Time • Run-Time Error Analysis • Formal Proof
  • 17. Slide: 17Copyright © 2014 AdaCore Verification - Dynamic Analysis Tools • Unit Testing • Structural Code Coverage • Stack Usage (!) • Worst Case Execution Time (!)
  • 18. Slide: 18Copyright © 2014 AdaCore Structural Coverage Analysis • Statement coverage – Each line of code is tested • Decision coverage – Each decision (boolean expression) is tested True and False • Modified Condition / Decision coverage (MC/DC) – Each condition (operand of a boolean expression) can change the result of the decision
  • 19. Slide: 19Copyright © 2014 AdaCore DO-178 – Structural Coverage Example (1/2)  Coverage  function Sep (X : Character) return Boolean is Result : Boolean := False; begin if X = ‘/’ or else X = ‘’ or else X = ‘:’ then Result := True; end if; return Result; end Sep;  Statement coverage -> call with any X  Decision coverage -> test X = ‘:’ and X = ‘z’
  • 20. Slide: 20Copyright © 2014 AdaCore DO-178 – Structural Coverage Example (2/2)  MC/DC  if X = ‘/’ or else X = ‘’ or else X = ‘:’ then  Cond1: X = ‘/’ => TFF => TRUE X = ‘z’ => FFF => FALSE  Cond2 X = ‘’ => FTF => TRUE X = ‘y’ => FFF => FALSE  Cond3 X = ‘y’ => FFF => FALSE X = ‘:’ => FFT => TRUE  There is a redundant test here (FFF). 4 tests would be enough.  In general n + 1 test are enough to test an expression of n conditions
  • 21. Slide: 21Copyright © 2014 AdaCore • No dynamic allocation / pointers • No exceptions • No object orientation (except if…) • No non-deterministic behavior • Limited or no use of the run-time • Explicit coding standard • … Typical Code Constraints
  • 22. Slide: 22Copyright © 2014 AdaCore • Local Type Substitutability is a new objective in DO-332, allowing the use of object orientation and dispatching calls • It relies on a demonstration of consistency between overriding methods which can be verified by testing or formal analysis • Given a dispatching call from a Root type to one of its methods … • … at run-time, it’s OK to call an overridden method of a child if – The child method precondition does not require additional properties – The child method postcondition provides at least as many properties Local Type Substitutability (part of DO-332, OOT supplement) Root.Method
  • 23. Slide: 23Copyright © 2014 AdaCore • On top of correctness of pre and post conditions, we need to demonstrate that – Parent preconditions imply Child preconditions – Child postconditions imply Parent postconditions Local Type Substitutability Example type Abstract_Plane is tagged record Speed : Integer; Landed : Boolean; end record; procedure Land (V : Root) with Pre => V.Speed <= 10.0, Post => V.Landed; type My_Plane is new Abstract_Plane with record Gears_Deployed : Boolean; end record; overriding procedure Land (V : Child) with Pre => V.Speed <= 15.0, Post => V.Landed and V.Gears_Deplyed; V <= 10.0  V <= 15.0 {V.Landed, V.Gears_Deployed}  V.Landed
  • 24. Slide: 24Copyright © 2014 AdaCore 1994 T AdaAda
  • 25. Slide: 25Copyright © 2014 AdaCore Can You Find the Seven Bugs? float * compute (int * tab, int size) { float tab2 [size]; float * result; for (int j = 0; j <= size; ++j) { tab [j] = tab2 [j] / 10; } result = tab2; return result; }
  • 26. Slide: 26Copyright © 2014 AdaCore And in Ada? type Int_Array is array (Integer range <>) of Integer; type Float_Array is array (Integer range <>) of Float; function Compute (Tab : Int_Array) return Float_Array is Tab2 : Float_Array (Tab'Range); begin for J in Tab'Range loop Tab (J) := Tab2 (J) / 10; end loop; declare Result : Float_Array := Tab2; begin return Result; end; end Compute;
  • 27. Slide: 27Copyright © 2014 AdaCore The One-Line-Of-Code Hell • Is “tab” null? • Is “tab” an array? • Is i within the boundaries of “tab”? • Has “tab” been initialized? • Is “tab” expecting floats or integers? • If it’s float, is this a float or a integer division? tab [i] = tab [i] / 10; Can’t tell. Can’t tell. Can’t tell. Can’t tell. Can’t tell. Can’t tell.
  • 28. Slide: 28Copyright © 2014 AdaCore The One-Line-Of-Code Hell • Is “tab” null? • Is “tab” an array? • Is i within the boundaries of “tab”? • Has “tab” been initialized? • Is “tab” expecting floats or integers? • If it’s float, is this a float or a integer division? tab (i) := tab (i) / 10; Can’t tell. No, tab is an array. Yes, otherwise can’t access to the indices. Checked at run-time. If float, compiler runtime. If needed, explicit conversion.
  • 29. Slide: 29Copyright © 2014 AdaCore Driving Design Principles • Explicit as much as possible – Put as much (formal) information as possible in the code – Put as much (formal) information as possible in the specification – Avoid pointers as much as possible – Avoid shortcuts – Avoid ambiguous constructs as much as possible – Make dubious construct possible but visible type I_Acc is access all Integer; I : I_Acc := new Integer; function Acc_To_Int is new Ada.Unchecked_Conversion (I_Acc, Integer); function Int_To_Acc is new Ada.Unchecked_Conversion (Integer, I_Acc); I := Int_To_Acc (Acc_To_Int (I) + I_Acc’Size); int * i = malloc (sizeof (int)); i++;
  • 30. Slide: 30Copyright © 2014 AdaCore Driving Rationale • Ease manual and automatic analysis – From developer review – From peer review – From compiler errors and warnings – From static analysis tools – From proof tools – From maintainance • Simplify code an readability when dealing with high level programming concepts A : Integer_Array (0 .. 10) := (0 => 1, 1 => 1, others => 0) int [] a = new int [10]; a [0] = 1; a [1] = 1; for (int i = 2; i < 10; i++) a [i] = 0;
  • 31. Slide: 31Copyright © 2014 AdaCore Strong Typing • A type is a semantic entity, independent from its implementation • Strong typing forbids implicit conversions • Values are checked at run-time (can be deactivated) type Kilometers is new Float; type Miles is new Float; Length_1 : Miles := 5.0; Length_2 : Kilometers := 10.0; D : Kilometers := Length_1 + Length_2; type Ratio is new Float range 0.0 .. 100.0; Qty : Integer := 10; Total : Integer := 1000; R : Ratio := Ratio (Total / Qty) * 100.0;
  • 32. Slide: 32Copyright © 2014 AdaCore Arrays • Arrays can be indexed by any discrete types (integers, enumeration) • First and Last index can be specified at declaration time • Buffer overflows are checked at run-time • There is an array literal (aggregate) type Some_Array is array (Integer range <>) of Integer; type Color_Array is array (Color range <>) of Integer; Arr1 : Some_Array (10 .. 11) := (666, 777); Arr2 : Color_Array (Red .. Green) := (Red => 0, others => 1); Arr1 (9) := 0; -- Exception raised, Index out of range
  • 33. Slide: 33Copyright © 2014 AdaCore Parameter Modes • Three parameter modes : in (input), out (output) and in-out (input/output) • The correct parameter usage is done at compile-time • The compiler decides if it has to be passed by reference of copy • That’s case of explicit pointer avoidance procedure Do_Something (P1 : in Huge_Structure) –- Passed by reference if too big procedure Do_Something (P1 : in Integer; -- P1 can’t be changed P2 : out Integer; -- No initial value on P2 P3 : in out Integer) -- P3 can be changed
  • 34. Slide: 34Copyright © 2014 AdaCore • Generalized contracts are available through pre and post- conditions • New type invariants will ensure properties of an object • Subtype predicates Pre, Post Conditions and Invariants type T is private with Invariant => Check (T); type Even is range 1 .. 10 with Predicate => Even mod 2 = 0; procedure P (V : in out Integer) with Pre => V >= 10, Post => V’Old /= V;
  • 35. Slide: 35Copyright © 2014 AdaCore Package Architecture • All entities are subject to encapsulation – Not only OOP constructions • Specification and Implementation details are separated from the package, addresses any kind of semantic entity package Stack is procedure Push (V : Integer); ... end Stack; package body Stack is procedure Push (V : Integer) is begin ... end Stack;
  • 36. Slide: 36Copyright © 2014 AdaCore Data Representation • Allows to optimize memory usage • Allows to precisely map data type Size_T is range 0 .. 1023; type Header is record Size : Size_T; Has_Next : Boolean; end record; for Header use record Size at 0 range 0 .. 10; Has_Next at 1 range 6 .. 6; end record;
  • 37. Slide: 37Copyright © 2014 AdaCore If pointers are needed… • Pointers are typed, associated with accessibility checks • Objects that can be pointed are explicitly identifed • In the absence of deallocation, pointers are guaranteed to never be dangling • Pointers constraints can be specified – Is null value expected? – Is the pointer constant? – Is the object pointed by the pointer constant? type My_Pointer is access all Integer; Global_Int : aliased Integer; function Get_Pointer (Local : Boolean) return My_Pointer is Local_Int : aliased Integer; Tmp : My_Pointer; begin if Local then Tmp := Local_Int’Access; else Tmp := Global_Int’Access; end if; return Tmp; end Get_Pointer; Tmp := Local_Int’Unchecked_Access;
  • 38. Slide: 38Copyright © 2014 AdaCore Concurrent Programing • Threads and semaphore are first class citizens task Some_Task is begin loop -- Do something select accept Some_Event do -- Do something end Some_Event; or accept Some_Other_Event do -- Do something end Some_Other_Event; end select; end loop; end; ... Some_Task.Some_Event;
  • 39. Slide: 39Copyright © 2014 AdaCore Why is all of this of any use? • For readability – Specification contains formally expressed properties on the code • For testability – Constraints on subprograms & code can lead to dynamic checks enabled during testing • For static analysis – The compiler checks the consistency of the properties – Static analysis tools (CodePeer) uses these properties as part of its analysis • For formal proof – Formal proof technologies can prove formally certain properties of the code (High-Lite project)
  • 40. Slide: 40Copyright © 2014 AdaCore Yes But… • It is possible to reach similar levels of safety with other technologies (MISRA-C, RT-Java) • … but safety features have to be re-invented – Requires additional guidelines – Requires additional tools – Limited by the original language features • Examples of features that like “a circle fit in a square” – Types management in MISRA-C – Stack emulation in RT-Java • When long term reliability is a goal, using the correct paradigm to start with will reach higher levels at lower cost
  • 41. Slide: 41Copyright © 2014 AdaCore 1994 T http://u.adacore.comhttp://u.adacore.com
  • 42. Slide: 42Copyright © 2013 AdaCore