In this blog, we promote the joint webinar we are running with BUGSENG. The webinar topic is: “Language Subsetting and Compiler Qualification in the Development of Software for Safety-Critical Systems”. It will run on Thursday, 17 September at 11:00-12:00 CEST (UTC+2). In the meantime, here are a few more details and background information about the topic.

How to save time and money with Language Subsetting and Compiler Qualification in the Development of Software for Safety-Critical Systems

Developing critical system software in compliance with functional safety standards (such as DO-178C and ISO 26262) is challenging. The development of such software in C can save time and money, but two crucial aspects must be taken into account. The first is language subsetting and the second is compiler qualification.

Why proper language subsetting is essential

Proper language subsetting (for instance, by strict adherence to MISRA C:2012 plus further restrictions, such as on the use of floating-point numbers) is crucial. It avoids non-determinism, recursion, dynamic memory allocation and other unsafe language features. The major advantage of an application that is written in a proper subset of C or C++ is that it greatly improves the portability of the code.

By avoiding undefined and implementation-defined behavior, the application gains independence from the compiler, target architecture and other aspects of the implementation. This makes it robust to change and future-proof. Embedded applications, especially those that are safety-critical, often have a life span that goes far beyond the support period of the tools that are needed to implement them.

Should you assume the compiler will do the right job?

Speaking of implementation tools: how do we know that the compiler properly translates the application to machine code? Can you just assume that the compiler will do the right job? There are two answers to these questions.

  • On the technical side: compilers are among the most complex software applications in widespread use. It is common that a compiler’s development started decades before its current use and that many hundreds of developers have made substantial contributions to it. Its development is never finished because of the addition of new features, optimizations and other improvements, and bug fixes. So it is not evident that the compiler is free of errors.
  • Secondly, functional safety standards, such as ISO 26262, devote a specific section to software tools such as compilers. In ISO 26262 it is called “Confidence in the use of software tools” and this section explains that you need to take a good look at the compiler before you can trust it with your code. Fortunately, it also defines the process to do so.

Beware of the black holes of undefined behavior

The state-of-the-art method to create confidence in the compiler is by testing it. By definition, undefined behavior cannot be tested because, you know, there is no expected behavior to verify. This is an important reason why adhering to a language subset such as MISRA and enforcing it with a high-quality tool is so important.
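To make the testability point concrete, the following C sketch is an added example (not code from Solid Sands, BUGSENG, SuperTest or ECLAIR); the function names and test values are constructed for illustration. It contrasts an addition whose overflow case is undefined with a form that checks the range first, so every input has an expected result a test can verify.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outside the subset: if a + b leaves the int32_t range the behavior is
 * undefined, so no expected value exists for a test to check. */
int32_t add_unchecked(int32_t a, int32_t b) { return a + b; }

/* Inside the subset: the range check runs before the addition, so every
 * input pair has exactly one defined, testable outcome. */
bool add_checked(int32_t a, int32_t b, int32_t *sum)
{
    bool ok = true;
    if (((b > 0) && (a > (INT32_MAX - b))) ||
        ((b < 0) && (a < (INT32_MIN - b)))) {
        ok = false;               /* would overflow: report, do not compute */
    } else {
        *sum = a + b;
    }
    return ok;
}

/* Constructed boundary cases with their expected outcomes. */
struct add_case { int32_t a; int32_t b; bool ok; int32_t sum; };

int run_boundary_cases(void)
{
    static const struct add_case cases[] = {
        { INT32_MAX, 0, true, INT32_MAX },
        { INT32_MAX, 1, false, 0 },
        { INT32_MIN, -1, false, 0 },
        { INT32_MIN, INT32_MAX, true, -1 },
    };
    int failures = 0;
    for (size_t i = 0U; i < (sizeof cases / sizeof cases[0]); i++) {
        int32_t sum = 0;
        bool ok = add_checked(cases[i].a, cases[i].b, &sum);
        if ((ok != cases[i].ok) || (ok && (sum != cases[i].sum))) {
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    printf("failing boundary cases: %d\n", run_boundary_cases());
    return 0;
}
```

No boundary case can be written for `add_unchecked` at `INT32_MAX + 1`, because the language assigns that call no result; `add_checked` turns the same input into a defined `false`.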

One of the many advantages of the C and C++ programming languages is that they have a long and well-understood history. They are also well supported by tools. Most important to us is that they are defined by ISO standards going back to 1990. The C standard specifies the behavior of C programs.

Why language subsetting with MISRA standards and compiler qualification go hand-in-hand

Language subsetting with MISRA standards and compiler qualification go hand-in-hand because they are, today, the only alternative to writing software in assembly language. That means it is very important to understand the synergy between them. On the one hand, if the compiler is defective, the guarantees provided by MISRA do not carry over to the executable code.

On the other hand, compiler qualification suites typically cover the ISO C standard language features: language extensions, whether used intentionally or unintentionally, are not covered. Proper enforcement of guidelines such as MISRA ensures such extensions are not used, that the syntax and constraints of the applicable ISO language standard are complied with, and that the translation limits of the compiler are not exceeded.

In summary, language subsetting and a compiler qualification suite that fully covers the standardized language ensure that the compiler qualification exercise covers the compiled program.

Be confident your software and compiler meet functional safety standards

Solid Sands created the SuperTest suite, which ensures verification of the correct operation of the compiler with respect to the applicable ISO standards. BUGSENG has built the ECLAIR static analysis platform, which allows almost complete automation of the checks for MISRA compliance, gathering of software metrics and much more. With ECLAIR and SuperTest you can indeed be confident that your software and the compiler that you use today (and the compiler used tomorrow) adhere to the prescriptions of functional safety standards.

Sign up for our joint webinar on 17 September

Our CTO, Marcel Beemster, and BUGSENG’s CTO, Roberto Bagnara, will delve into this topic in even more detail in our joint webinar on 17 September.

By Dr. Roberto Bagnara, CTO & Dr. Marcel Beemster, CTO
