Interface-Implementation Contract Checking
![Page 1: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/1.jpg)
© 2013 Fraunhofer USA, Inc.
Center for Experimental Software Engineering
Interface-Implementation Contract Checking:
A Case Study on NASA’s OSAL
Dharmalingam Ganesan, Mikael Lindvall
Fraunhofer Center for Experimental Software Engineering
College Park
Maryland
![Page 2: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/2.jpg)
Agenda
• Context: NASA OSAL
• Static equivalence analysis
• Static contract checking
• Conclusion
![Page 3: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/3.jpg)
Context: NASA OSAL
• Operating System Abstraction Layer
• Isolates flight software from real-time operating systems and hardware.
• Implementations exist for the real-time systems RTEMS and VxWorks and for POSIX-compliant non-real-time systems.
• Provides “Write once, run everywhere (somewhere)” at compile level
• Used for mission-critical embedded systems
• Provides support for file systems, tasks, queues, semaphores, interrupts, hardware abstraction, I/O ports and exception handling
![Page 4: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/4.jpg)
NASA OSAL
• Why is it important that OSAL is bug free?
– Flight software is mission critical and needs to be of very high quality
– OSAL is the foundation of the CFE, which CFS runs on top of
– OSAL is used in many NASA missions, e.g. the Lunar Reconnaissance Orbiter
– If OSAL has issues, the result might be catastrophic failure
![Page 5: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/5.jpg)
NASA OSAL in CFS
![Page 6: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/6.jpg)
NASA OSAL – Architecture
![Page 7: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/7.jpg)
Agenda
• Context: NASA OSAL
• Static equivalence analysis
• Static contract checking
• Conclusion
![Page 8: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/8.jpg)
Static equivalence analysis
• Currently OSAL has implementations for the RTEMS, VxWorks and POSIX operating systems
• All implementations should behave the same:
– Perform the same operation regardless of OS
– Return the same error codes when errors occur
![Page 9: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/9.jpg)
Static equivalence analysis
• Used to find differences between implementations of OSAL
– POSIX, RTEMS, VxWorks
• Extracts return codes from function bodies
• The return codes of each implementation are compared to find differences
![Page 10: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/10.jpg)
Static equivalence analysis
• Enables us to easily find otherwise subtle and hard-to-find errors
(Screenshot: POSIX implementation beside RTEMS implementation)
![Page 11: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/11.jpg)
Static equivalence analysis - example
![Page 12: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/12.jpg)
Which defects can be found in OSAL when analyzing function pairs for functional equivalence?

| Runtime Issues | # Issues |
| --- | --- |
| Precondition Checking Diffs. | 13 |
| Return Code Diffs. | 24 |
| Global Variable Writing Diffs. | 15 |
| Parameter Writing Diffs. | 3 |
| Parameter Checking | 2 |
| Σ | 57 |

| Minor Issues | # Issues |
| --- | --- |
| Configuration Issues | 9* |
| Output Differences | 18* |
| Σ | 27 |

\* Acknowledged and/or fixed
![Page 13: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/13.jpg)
Agenda
• Context: NASA OSAL
• Static equivalence analysis
• Static contract checking
• Conclusion
![Page 14: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/14.jpg)
Static contract checking without a formal contract
• APIs are supposed to fulfill a “contract”
• A contract is:
– A specification of what each function does, and
– How it responds to errors and what the function should return
• Programmers program to an API using the contract as a guide.
• A function not written according to the contract can cause hard-to-find errors
![Page 15: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/15.jpg)
Static contract checking without a formal contract
Example of function fulfilling contract
(Screenshot: contract comment beside its implementation)
![Page 16: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/16.jpg)
Static contract checking without a formal contract
Example of function fulfilling contract
![Page 17: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/17.jpg)
Static contract checking without a formal contract
Example of function fulfilling contract
![Page 18: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/18.jpg)
Static contract checking without a formal contract
Example of function not fulfilling contract
![Page 19: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/19.jpg)
Static contract checking without a formal contract
• Regular expressions are used to build simple and fast Perl programs
• Compatible with C and C++
• Extracts return codes from function bodies and from contract comments
• Compares the return codes of the contract comments with those of the function bodies to find mismatches
![Page 20: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/20.jpg)
Static contract checking without a formal contract
![Page 21: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/21.jpg)
Static contract checking without a formal contract
...and the other way around.
• To find whether functions implement more than the contract implies
• To identify an incomplete contract that could result in implementation mismatches between wrappers
• Extract return codes from the function bodies instead of the contract comments
• Compare the extracted return codes to the contract comments to find undocumented behavior
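Both techniques in the deck, the return-code equivalence analysis of the earlier slides and the two-way contract check described here, reduce to one regex extraction over C function bodies and their contract comments. The Python below is an added example, not the authors' Perl tooling: the function OS_ExampleOpen, its two bodies, its contract comment and the OS_-prefixed return codes are constructed for the demonstration and are not taken from OSAL.

```python
import re
# Constructed sample sources (not OSAL's own code) for an invented wrapper function
# OS_ExampleOpen: one contract comment shared by a POSIX body and an RTEMS body.
CONTRACT = """/* Opens a table entry by name.
 * Returns: OS_SUCCESS, OS_INVALID_POINTER if name is NULL,
 *          OS_ERR_NAME_TOO_LONG if the name exceeds the limit. */
int32 OS_ExampleOpen(const char *name)
{
"""
POSIX_SRC = CONTRACT + """    if (name == NULL) { return OS_INVALID_POINTER; }
    if (strlen(name) >= OS_MAX_API_NAME) { return OS_ERR_NAME_TOO_LONG; }
    if (table_full()) { return OS_ERR_NO_FREE_IDS; }  /* not in the contract */
    return OS_SUCCESS;
}
"""
RTEMS_SRC = CONTRACT + """    if (name == NULL) { return OS_ERROR; }  /* contract says OS_INVALID_POINTER */
    if (strlen(name) >= OS_MAX_API_NAME) { return OS_ERR_NAME_TOO_LONG; }
    return OS_SUCCESS;
}
"""

# Regex extraction in the spirit of the deck's Perl scripts: an optional (non-nested)
# comment block directly before an int32 function definition, then its return statements.
FUNC_RE = re.compile(r"(/\*(?:[^*]|\*(?!/))*\*/)?\s*int32\s+(\w+)\s*\([^)]*\)\s*\{")
CODE_RE = re.compile(r"\bOS_[A-Z_]+\b")
RET_STMT_RE = re.compile(r"\breturn\s+(OS_[A-Z_]+)\s*;")

def extract(src):
    """Map function name -> (codes documented in its contract, codes its body returns)."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        comment, name, depth, i = m.group(1) or "", m.group(2), 1, m.end()
        while depth and i < len(src):  # walk the braces to the function's closing '}'
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        documented = set(CODE_RE.findall(comment.partition("Returns:")[2]))
        funcs[name] = (documented, set(RET_STMT_RE.findall(src[m.end():i])))
    return funcs

def contract_mismatches(src):
    """Contract checking in both directions: promised but never returned, and undocumented."""
    return {n: {"missing_in_code": sorted(doc - ret), "undocumented": sorted(ret - doc)}
            for n, (doc, ret) in extract(src).items()}

def equivalence_diffs(impls):
    """Equivalence analysis: functions whose wrappers (keyed by OS) return different code sets."""
    funcs = {os_: extract(src) for os_, src in impls.items()}
    per_fn = {n: {os_: sorted(f.get(n, (set(), set()))[1]) for os_, f in funcs.items()}
              for n in set().union(*(f.keys() for f in funcs.values()))}
    return {n: p for n, p in per_fn.items() if len({tuple(c) for c in p.values()}) > 1}
```

Like the deck's scripts this is neither sound nor complete: a return code built by a macro or stored in a variable before the return statement is missed, and a code mentioned in the comment for another reason is counted as documented.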
![Page 22: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/22.jpg)
Static contract checking without a formal contract
![Page 23: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/23.jpg)
Static contract checking without a formal contract
Part of the 61 issues found in the POSIX implementation.
All issues have been reported and taken care of.
![Page 24: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/24.jpg)
Summary
Static equivalence analysis:
• A lightweight technique
• Powerful for detecting inconsistencies between wrappers
• Found several inconsistencies (addressed in OSAL)
Static contract checking without a formal contract:
• A lightweight technique
• Found a lot of inconsistencies between documentation and code (addressed in OSAL)
• Does not need any modeling or rigor
– (but neither sound nor complete)
![Page 25: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/25.jpg)
Thank you!
![Page 26: Interface-Implementation Contract Checking](https://reader034.fdocuments.us/reader034/viewer/2022051616/5538fc454a79598e758b48fe/html5/thumbnails/26.jpg)
Acknowledgement
• Gunnar Cortes
• Henning Femmer
• Dave McComas
• Alan Cudmore
• Wesley Deadrick