Kiefmann Bernhard wrote:
> My name is Bernhard Kiefmann and I'm writing my Master's thesis on the topic "the suitability of the GNU C compiler for use in safety-related areas". The first problem with this is that I have to check whether the compiler meets the requirements of the international standard IEC 61508:2010. Here I would like to ask you my questions, as follows:
I think GCC developers and users have different requirements and "Functional safety of electrical/electronic/programmable electronic safety-related systems" is for most of them not the top priority and presumably difficult to achieve for the whole project.
However, I know that the Ada community is wary about the issue and that GCC's gnat (GCC's Ada compiler) is used in safety-critical areas. Also, AdaCore (the main contributor to the gnat development) advertises "Aids in establishing certification requirements (DO-178B level A / DO-178C-ready, EN 50128, IEC 61508, ECCS-E40B)".
See also gcc.gnu.org/wiki/cauldron2012?action=AttachFile&do=get&target=petergarbett1958.pdf for someone using GCC's Ada compiler in a project that requires DO-178B/C certification.
Thus, I think the GCC Ada developers/AdaCore developers should be best suited to answer your questions.
I will try to give a first answer to your questions, but as I have not had anything to do with safety certification, I won't be able to give perfect answers.
> 1) What are the rules of the compiler development? Are there any UML diagrams? Because they are a requirement of the standard.
Let's start with bugs, as there the scheme is a bit easier: If a bug is found and analyzed and a patch has been found, the patch is submitted together with a test case, which becomes part of the regression test suite. Before submitting the patch, it is required to do a build (bootstrap) of the compiler and a run of the test suite without any (new) failures. The patch is then submitted to the gcc-patches mailing list, which allows others to comment, and non-obvious patches require approval prior to check-in.

The bootstrap and test-suite run is only done for one architecture; however, as others build and regression-test the compiler on various systems regularly, platform-specific issues are also detected. Additionally, some other applications/benchmarks/testsuites are also regularly run.
Regarding the addition of new features: It really depends on the developer; I think most do not use UML, but some may.
Actually, a compiler is a rather complex program, such that UML does not seem to be a practical approach for its development. Nor is it possible to test all possible code paths. I also believe that a compiler is not required to be developed using UML - contrary to programs requiring safety certification. In any case, I am pretty sure that GNAT is used in safety-critical applications which pass the certification.
If I recall some talk by GNAT/AdaCore developers correctly, for certification they need to prove that the input GNAT code leads to correct assembler at the end - how it reaches the code is not important. But proving that it does is a bit cumbersome.
> 2) Are there activities for functional verification?
For the compiler itself, there is only manually writing test cases for new features, which should try to give broad coverage of the new feature, including both valid and invalid (to be diagnosed) code and both compile and run-time tests, partly by inspecting the generated code. Plus code review, which does not really count as formal verification.
However, for applications using GCC, there exist tools. See for instance, http://www.open-do.org/projects/hi-lite/ which is in the context of functional verification and GCC's gnat/C compilers.
> If you have any information on this for me, it would really help me in assessing whether the compiler is suitable for use in safety-relevant areas.
Well, given that it is used to create programs for safety critical areas, certification agencies seem to regard it (in conjunction with suitable verifications) as suitable ;-)
I hope it helps a bit - and that you will get replies from others who know better how the safety-related certification works.
And good luck with your thesis!

Tobias
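The patch workflow that Tobias describes (a fix is submitted together with a test case that then lives in the regression test suite, covering valid code that must run correctly as well as invalid code that must be diagnosed) is easiest to see with a concrete test file. The following is an added example, not code from this thread or from the GCC project: a run-time "wrong code" test in the DejaGnu format that GCC's testsuite uses under gcc/testsuite/gcc.dg/. The `{ dg-do run }` and `{ dg-options }` directives are real testsuite syntax; the function name, the checked values and the file name are assumptions for illustration. The `noinline` attribute keeps the compiler from folding the calls in `main` at compile time, so the test exercises the code generated for the function rather than a constant.

```c
/* { dg-do run } */
/* { dg-options "-O2" } */

/* Hypothetical regression test (assumed name: widen-shift-1.c).
   It guards against a (hypothetical) miscompilation where a 32-bit
   value is shifted before it is widened to 64 bits.  In the testsuite
   a test like this is added with the patch that fixes the bug and
   fails, via abort, if the bug ever reappears.  */

__attribute__((noinline))
unsigned long long
widen_and_shift (unsigned int x, unsigned int s)
{
  /* Widen first, then shift: shifts of 32 or more are well defined
     on the 64-bit operand, and the high bits of x are preserved.  */
  return ((unsigned long long) x) << (s & 63);
}

/* Returns 1 when every check passes, 0 otherwise, so that the checks
   can be reused outside the DejaGnu harness.  */
int
widen_and_shift_checks (void)
{
  /* Bit 31 must survive the widening and land in bit 32.  */
  if (widen_and_shift (0x80000000u, 1) != 0x100000000ull)
    return 0;
  /* A shift of exactly 32 is only meaningful on the 64-bit operand.  */
  if (widen_and_shift (1u, 32) != 0x100000000ull)
    return 0;
  /* Shift beyond 32 bits.  */
  if (widen_and_shift (1u, 40) != (1ull << 40))
    return 0;
  /* Zero shift is the identity, all 32 input bits kept.  */
  if (widen_and_shift (0xFFFFFFFFu, 0) != 0xFFFFFFFFull)
    return 0;
  /* Shift counts are masked to 6 bits, so 64 behaves like 0.  */
  if (widen_and_shift (7u, 64) != 7ull)
    return 0;
  return 1;
}

int
main (void)
{
  /* DejaGnu counts the test as FAIL if the program aborts.  */
  if (!widen_and_shift_checks ())
    __builtin_abort ();
  return 0;
}
```

The "invalid code must be diagnosed" counterpart uses `/* { dg-do compile } */` and a `/* { dg-error "..." } */` (or `dg-warning`) comment on the line where the diagnostic is expected, so the test passes only if the compiler reports exactly that. After applying a patch, a single test can be run with `make check-gcc RUNTESTFLAGS="dg.exp=widen-shift-1.c"` from the build directory, and the full pre- and post-patch `make -k check` results (the `.sum` files) are compared with `contrib/compare_tests`, which is what the "no new failures" requirement in the reply refers to.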