This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: Help for my Master thesis
- From: Tobias Burnus <burnus at net-b dot de>
- To: Kiefmann Bernhard <bernhard dot kiefmann at stud dot fh-campuswien dot ac dot at>
- Cc: "gcc at gcc dot gnu dot org" <gcc at gcc dot gnu dot org>
- Date: Sat, 30 Mar 2013 00:35:06 +0100
- Subject: Re: Help for my Master thesis
- References: <DC7EC57C-2104-45C4-B96F-9333F59F7D5B at stud dot fh-campuswien dot ac dot at>
Kiefmann Bernhard wrote:
> My name is Bernhard Kiefmann and I'm writing my Master's thesis on the topic "the suitability of the GNU C compiler used in safety-related areas". The first problem with this is that I have to check whether the compiler meets the requirements of the international standard IEC 61508:2010. Here I would like to ask you my questions as follows:
I think GCC developers and users have different requirements and
"Functional safety of electrical/electronic/programmable electronic
safety-related systems" is for most of them not the top priority and
presumably difficult to achieve for the whole project.
However, I know that the Ada community is wary about the issue and that
GCC's gnat (GCC's Ada compiler) is used in safety-critical areas. Also,
AdaCore (the main contributor to gnat development) advertises "Aids in
establishing certification requirements (DO-178B level A /
DO-178C-ready, EN 50128, IEC 61508, ECCS-E40B)".
See also
gcc.gnu.org/wiki/cauldron2012?action=AttachFile&do=get&target=petergarbett1958.pdf
for someone using GCC's Ada compiler for a project requiring DO-178B/C
certification.
Thus, I think the GCC Ada developers/AdaCore developers should be best
suited to answer your questions.
I will try to give a first answer to your questions, but as I did not
have anything to do with safety certification, I won't be able to give
perfect answers.
> 1) What are the rules of the compiler development? Are there any UML diagrams? Because they are a requirement of the standard.
Let's start with bugs, as there the scheme is a bit easier: If a bug is
found and analyzed and a patch has been found, the patch is submitted
together with a test case, which becomes part of the regression test
suite. Before submitting the patch, it is required to do a build
(bootstrap) of the compiler and a run of the test suite without any
(new) failure. The patch is then submitted to the gcc-patches mailing
list, which allows others to comment, and nonobvious patches require
approval prior to check-in. - The bootstrap and test-suite run is only
done for one architecture; however, as others build and regression-test
the compiler on various systems regularly, platform-specific issues are
also detected. Additionally, some other applications/benchmarks/test
suites are also run regularly.
Regarding the addition of new features: It really depends on the
developer; I think most do not use UML, but some may.
Actually, a compiler is a rather complex program, so UML does not
seem to be a practical approach for its development. Nor is it possible
to test all possible code paths. I also believe that a compiler is not
required to be developed using UML - contrary to programs requiring
safety certification. In any case, I am pretty sure that GNAT is used in
safety-critical applications which pass the certification.
If I recall some talk by GNAT/AdaCore developers correctly, for
certification they need to prove that the input GNAT code leads to
correct assembler at the end - how it reaches the code is not important.
But proving that it does is a bit cumbersome.
> 2) Are there activities for the Functional Verification?
For the compiler itself, there is only manually writing test cases for
new features, which should try to give a broad coverage of the new
feature, including both valid and invalid (to be diagnosed) code and
both compile and run-time tests, partially with inspection of the generated
code. Plus code review, which does not really count as formal verification.
However, for applications using GCC, there exist tools. See for
instance, http://www.open-do.org/projects/hi-lite/ which is in the
context of functional verification and GCC's gnat/C compilers.
> If you have information here for me, it would help me in assessing whether the compiler is suitable for use in safety-relevant areas.
Well, given that it is used to create programs for safety critical
areas, certification agencies seem to regard it (in conjunction with
suitable verifications) as suitable ;-)
I hope it helps a bit - and I hope that you will get replies from others who
know better how safety-related certification works.
And good luck with your thesis!
Tobias
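The "no new failures" test-suite check described in the reply, as an added example that is not part of the original mail and not GCC's own contrib/compare_tests script: it reads two DejaGnu .sum files (the result files "make check" produces), one from the baseline and one from the patched compiler, and lists tests that newly fail; the .sum contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal version of the
# "no new failures" check done before submitting a GCC patch. It compares
# two DejaGnu .sum files (baseline vs. patched "make check") and reports
# tests that newly FAIL. The .sum contents below are constructed samples;
# real ones live under <objdir>/gcc/testsuite/ after a bootstrap and test run.
LC_ALL=C; export LC_ALL   # make sort and comm agree on collation
BASELINE=$(mktemp); PATCHED=$(mktemp)
cat > "$BASELINE" <<'EOF'
PASS: gcc.dg/pr12345.c (test for excess errors)
PASS: gcc.dg/pr12345.c execution test
FAIL: gcc.dg/old-known.c (test for excess errors)
XFAIL: gcc.dg/expected-bad.c (test for excess errors)
PASS: gcc.c-torture/execute/loop.c   -O2  execution test
EOF
cat > "$PATCHED" <<'EOF'
PASS: gcc.dg/pr12345.c (test for excess errors)
FAIL: gcc.dg/pr12345.c execution test
PASS: gcc.dg/old-known.c (test for excess errors)
XFAIL: gcc.dg/expected-bad.c (test for excess errors)
UNRESOLVED: gcc.c-torture/execute/loop.c   -O2  execution test
EOF
# failing_tests FILE: names of tests whose result is FAIL or UNRESOLVED.
# XFAIL is an expected failure and is deliberately not counted. Assumption:
# this simplified check ignores XPASS/ERROR lines, which the real
# contrib/compare_tests also looks at.
failing_tests() {
    grep -E '^(FAIL|UNRESOLVED): ' "$1" | sed 's/^[A-Z]*: //' | sort -u
}
# new_failures BASE NEW: tests failing in NEW that did not fail in BASE
# (comm -13 prints lines present only in the second sorted file).
new_failures() {
    a=$(mktemp); b=$(mktemp)
    failing_tests "$1" > "$a"; failing_tests "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}
# fixed_tests BASE NEW: tests that failed in BASE but no longer do.
fixed_tests() {
    a=$(mktemp); b=$(mktemp)
    failing_tests "$1" > "$a"; failing_tests "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}
# regression_count BASE NEW: number of new failures; 0 means the patch
# introduced no regression in this test-suite run.
regression_count() { new_failures "$1" "$2" | wc -l | tr -d ' '; }
echo "New failures:"; new_failures "$BASELINE" "$PATCHED"
echo "Fixed tests:";  fixed_tests "$BASELINE" "$PATCHED"
```

On the constructed sample the check reports two new failures (one FAIL, one UNRESOLVED) and one fixed test, while the XFAIL line is correctly ignored.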