Technical breakfast GNU/Linux for Safety Related Systems

Jan 19, 2015

Transcript
Page 1: Gnu linux for safety related systems

Technical breakfast

GNU/Linux for Safety Related Systems

Page 2

Introduction

• Embedded World – March 2011 – Nicholas McGuire (OSADL)

• GNU/Linux for Safety Related Systems

• Find out if GNU/Linux is a suitable platform for safety-critical applications

Safety related systems

Systems needed to guarantee the safety of their users and the environment

Page 3

Introduction: Contents

1. Linux and GNU/Linux
• Software development
• Kernel management: the git way
• Modularity of Linux and GNU/Linux distributions

2. Tools for kernel development and its management
• git
• cscope
• sparse
• make C=1
• coccinelle (spatch)
• gcov && gprof

3. Safety
• Safety and IEC 61508

Page 4

1.- Linux and GNU/Linux

• Linux is the kernel of the GNU/Linux operating system.
• The kernel manages access to the hardware and forms a layer between the hardware and the so-called user space programs.
• An operating system is more than a kernel, e.g. it offers compilers, editors, ftp/web servers, ...
• It must guarantee a high quality of service (QoS).
• Many important attributes are (RAMS):
  • Reliability
  • Availability
  • Maintainability
  • Safety

(Diagram: Applications on top of the Operating System (e.g., GNU/Linux), which contains the Kernel (e.g., Linux), on top of the HW)

Page 5

1.- Software development: The Traditional Way

• Software Life-Cycle Model
  • The Waterfall Model
  • The V-Model
  • The Spiral Model
  • The Incremental Model
  • Extreme Programming
• Build and Fix Cycle

Page 6

1.- Kernel development: The Open Source way

• Open Source Development Model

(Diagram: Community / Review / Develop / Commit cycle; communication via email on mailing-lists)

Page 7

1.- Kernel development: The Open Source way

• Open Source Development Model: Some tools...

sum.orig.c (the original version; it subtracts where it should add):

    int sum (int a, int b)
    {
        return (a - b);
    }

Page 8

1.- Kernel development: The Open Source way

• Open Source Development Model: Some tools...

sum.c (the corrected version):

    int sum (int a, int b)
    {
        return (a + b);
    }

Page 9

1.- Kernel development: The Open Source way

• Open Source Development Model: Some tools...

diff

--- sum.orig.c 2008-02-06 16:30:16.000000000 +01.00+++ sum.c 2008-02-06 16:30:36.000000000 +01.00@@ -1,4 +1,4 @@int sum(int a, int b){- return (a-b);+ return (a+b);}
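Review bot: the only change is the operator in sum(), `- return (a-b);` to `+ return (a+b);`, and nothing in the patch exercises it; add a check such as `assert(sum(2, 3) == 5);` (or an equivalent test case) alongside the fix so the original mistake cannot come back unnoticed.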

Outputs changes to source code in a readable way

sum_diff_file

Page 10

1.- Kernel development: The Open Source way

• Open Source Development Model: Some tools...

patch

--- sum.orig.c 2008-02-06 16:30:16.000000000 +01.00+++ sum.c 2008-02-06 16:30:36.000000000 +01.00@@ -1,4 +1,4 @@int sum(int a, int b){- return (a-b);+ return (a+b);}
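Review bot: the timestamps in the `---`/`+++` headers end in `+01.00`, which is not the `+0100` offset that `diff -u` writes; patch does not need the timestamp to apply this hunk, but a hand-edited header is a sign the file was not produced by the tool, so regenerate it with `diff -u sum.orig.c sum.c > sum_diff_file` rather than editing it by hand.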

It is used to apply a diff to the original file

sum_diff_file
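The diff/patch round trip of the two preceding slides, as an added example that is not taken from the presentation: it regenerates the sum_diff_file with diff -u, checks it with patch --dry-run before touching anything, then applies it to a fresh copy of the original and verifies the result byte-for-byte. The scratch-directory handling and the function names (make_workdir, make_patch, apply_patch, demo_diff_patch) are this example's own; the two C files are constructed copies of the slide contents.

```shell
#!/bin/sh
# Added example (not from the slides): reproduce the sum.orig.c -> sum.c change
# with diff(1) and patch(1), check the patch with --dry-run before applying it,
# and confirm the patched file matches the intended version.
set -eu

# Constructed copies of the two slide files, written into a scratch directory.
make_workdir() {
    dir=$(mktemp -d)
    printf 'int sum(int a, int b)\n{\n  return (a-b);\n}\n' > "$dir/sum.orig.c"
    printf 'int sum(int a, int b)\n{\n  return (a+b);\n}\n' > "$dir/sum.c"
    echo "$dir"
}

# Produce a unified diff of the two files.  Exit status 1 from diff only means
# "the files differ", so it is not treated as an error here (2 would be).
make_patch() {
    dir=$1
    diff -u "$dir/sum.orig.c" "$dir/sum.c" > "$dir/sum_diff_file" || [ $? -eq 1 ]
}

# Apply the diff to a fresh copy of the original.  --dry-run runs first, so a
# malformed or mis-targeted patch is rejected before any file is modified.
apply_patch() {
    dir=$1
    cp "$dir/sum.orig.c" "$dir/work.c"
    patch -s --dry-run "$dir/work.c" "$dir/sum_diff_file" > /dev/null
    patch -s "$dir/work.c" "$dir/sum_diff_file" > /dev/null
}

# Full round trip; prints "ok" when the patched original is byte-identical
# to sum.c, "mismatch" otherwise.
demo_diff_patch() {
    dir=$(make_workdir)
    make_patch "$dir"
    apply_patch "$dir"
    if cmp -s "$dir/work.c" "$dir/sum.c"; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$dir"
}

# demo_diff_patch   # prints: ok
```

Passing the target file and the patch file explicitly (`patch work.c sum_diff_file`) sidesteps the question of which of the two header names patch would otherwise pick; the dry run is cheap and is the step that catches a patch made against a different revision of the file.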

Page 11

1.- Kernel development: The Open Source way

• “The code will become ruined if everyone can submit code” FALSE
• Different layers of authority:
  • Linus Torvalds && Andrew Morton (Kernel v2.6)
  • Subarchitecture maintainer (USB, networking, …)
  • File maintainer (group)
  • Userbase
• Tag “signed-off by”

(Diagram: pyramid of authority, from 2 people at the top through roughly 300 and 1000 at the lower layers, resting on the Userbase)

Page 12

1.- Kernel management: The git way

git is a source configuration management (SCM) tool, like SVN, CVS, …

• Typical git cycle:
  • Programmer clones Linus’ repository
  • Programmer makes a local branch
  • Programmer edits files
  • Programmer sends diff files to the mailing list
  • Programmer commits files to his or her repository
  • Linus incorporates the changes into the official tree
• It guarantees source code integrity: a SHA1 checksum is generated for each commit based on:
  • The content of an object
  • The “parent” commits of an object
  • The commit message for the object
• Use a long-term stable version of the kernel
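The integrity property on this slide, as an added example that is not from the presentation or from git itself: a small POSIX shell re-implementation of git's object naming (SHA1 over "<type> <size>\0<body>", following git's documented object format), showing that a blob's id matches what git assigns to the same bytes and that a commit's id changes whenever its tree, its parent or its message changes. The author/committer lines, the all-zero placeholder parent id, the "sum:" messages and the function names are constructed for the example; the empty-tree id and the "hello" blob id are git's well-known values.

```shell
#!/bin/sh
# Added example (not from the slides): how git's SHA1 object names tie a commit
# to its content, its parent and its message.  The object layouts below follow
# git's documented "<type> <size>\0<body>" format; this is a stand-alone
# re-implementation for illustration, not git's own code.
set -eu

NL='
'

# sha1 of stdin, as a hex string, using whichever tool the host provides
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum | cut -d' ' -f1
    else
        shasum -a 1 | cut -d' ' -f1
    fi
}

# Name of a git object: SHA1 over "<type> <length>\0<body>"
git_object_id() {
    type=$1
    body=$2
    len=$(printf '%s' "$body" | wc -c | tr -d ' ')
    { printf '%s %s\0' "$type" "$len"; printf '%s' "$body"; } | sha1_hex
}

# Blob id of a file's content; equals `git hash-object` on the same bytes
blob_id() {
    git_object_id blob "$1"
}

# Commit id from its tree, parent and message.  The author/committer lines are
# fixed constructed values so the result is reproducible.  Any change to the
# content (tree), the parent or the message changes the resulting id.
commit_id() {
    tree=$1
    parent=$2
    message=$3
    body="tree $tree
parent $parent
author A Developer <dev@example.invalid> 1296518400 +0100
committer A Developer <dev@example.invalid> 1296518400 +0100

$message
"
    git_object_id commit "$body"
}

# Constructed sample inputs: git's well-known empty tree, and an all-zero
# placeholder standing in for a parent commit id.
SAMPLE_TREE=4b825dc642cb6eb9a060e54bf8d69288fbee4904
SAMPLE_PARENT=0000000000000000000000000000000000000000

# Prints "ids differ" when altering the message or the parent yields a new id.
demo_integrity() {
    c1=$(commit_id "$SAMPLE_TREE" "$SAMPLE_PARENT" "sum: add instead of subtract")
    c2=$(commit_id "$SAMPLE_TREE" "$SAMPLE_PARENT" "sum: add instead of subtract (typo)")
    c3=$(commit_id "$SAMPLE_TREE" "$c1" "sum: add instead of subtract")
    [ "$c1" != "$c2" ] && [ "$c1" != "$c3" ] && echo "ids differ"
}

# blob_id "hello$NL"   # prints: ce013625030ba8dba906f756967f9e9ca394464a
```

Because the parent id is part of the hashed body, every commit id commits to the whole history behind it: rewriting an old commit changes its id, which changes every descendant's id, which is what makes a tampered tree visible when compared against the official one.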

Page 13

1.- The Modularity of Linux and GNU/Linux distributions

• Modularity (GNU/Linux) vs. no modularity (Windows, Mac, ...)
• 1st level: kernel. Disable unused features before compiling: they are not merely disabled at runtime, they do not exist in the binary image. File systems, networking features, ...
• 2nd level: application. Compile the applications with exactly the necessary features. Apache example.
• 3rd level: choice of applications. Some other operating systems do not have this capability. Command line shell and GUI examples.

Page 14

1.- Testing

• Safety standards require some degree of formal verification and testing, which is necessary to guarantee safety.
• Industry has reacted to this important problem, and several organizations and projects have been created:
  • Linux Test Project (LTP)
  • Linux Foundation
  • Linux Kernel Performance
  • AutoTest
  • OSADL

Page 15

1.- Kernel Stable tree

• Kernel Stable-tree (2.6.x.y)
• It is for updates on the safety and security of the system.
• New features always have the potential of introducing new bugs.
• Concentrating on fixing bugs without introducing new features is the best way to keep the system current and stable.
• Some distributions provide backports to their stable line of distribution: v1.2.3_1, ...

Page 16

2.- Tools for kernel development (I) DEMO

• git: source configuration management tool
• cscope: developer’s tool for browsing source code
• sparse: reports semantic errors; it is used when we compile with “make C=1”
  – address space mismatch
  – type mismatches
  – bad casting
  – lock context: semaphores, flags, locks, ...
  – portability warning
  – man sparse for (a lot) more

Page 17

2.- Tools for kernel development (II) DEMO

• make C=1
• make V=1
• coccinelle: semantic patching, matching code regardless of:
  – Differences in spacing, indentation and comments
  – Choice of names given to variables (use of metavariables)
  – Irrelevant code (use of the ‘...’ operator)
  – Other variations in coding style (use of isomorphisms)
• E.g. if(!y), if (y==NULL) and if(NULL==y) are treated as the same test

Page 18

2.- Tools for kernel development (III) DEMO

• gcov: test coverage program
  – To help create more efficient and faster running code
  – To discover untested parts of a program
• gprof: profiling tool to analyze the code’s performance. Find out some basic performance statistics, such as:
  – How often each line of code executes
  – What lines of code are actually executed
  – How much computing time each section of code uses
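The gcov workflow from this slide carried through on a constructed program, as an added example that is not from the presentation: the sample.c program with a branch the run never takes, the single test input and the function names (write_sample, run_coverage, untested_lines, demo_gcov) are this example's assumptions; the gcc --coverage, gcov and grep invocations are the standard ones.

```shell
#!/bin/sh
# Added example (not from the slides): use gcc's --coverage instrumentation and
# gcov to find the lines of a small program that the test run never executed.
# The C program and its single test input are constructed for this example.
set -eu

# Write a constructed program with branches the run below never takes.
write_sample() {
    cat > "$1/sample.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>

int classify(int v)
{
    if (v < 0)
        return -1;       /* never reached by the run below */
    if (v == 0)
        return 0;        /* never reached by the run below */
    return 1;
}

int main(int argc, char **argv)
{
    int v = argc > 1 ? atoi(argv[1]) : 7;
    printf("%d\n", classify(v));
    return 0;
}
EOF
}

# Compile with instrumentation, run once, then ask gcov for line counts.
# Compiling to an object first keeps the .gcno/.gcda file names predictable
# (sample.gcno at compile time, sample.gcda after the run).
run_coverage() {
    dir=$1
    (
        cd "$dir"
        gcc --coverage -O0 -c sample.c -o sample.o
        gcc --coverage sample.o -o sample
        ./sample 7 > /dev/null
        gcov sample.c > /dev/null
    )
}

# Lines gcov marks with "#####" were compiled as code but executed zero times;
# "-" marks lines that produced no code (includes, blank lines, braces).
untested_lines() {
    grep -n '^ *#####:' "$1/sample.c.gcov" | wc -l | tr -d ' '
}

# Prints the number of untested lines for the single run with input 7.
demo_gcov() {
    dir=$(mktemp -d)
    write_sample "$dir"
    run_coverage "$dir"
    n=$(untested_lines "$dir")
    rm -rf "$dir"
    echo "$n"
}

# demo_gcov   # prints: 2
```

For gprof the equivalent steps are compiling and linking with -pg, running the program (which writes gmon.out in the working directory) and calling `gprof sample gmon.out`; the output then gives the time per function rather than the execution count per line.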

Page 19

3.- Safety

Safety definitions:
• “Safety is reliability regarding critical failure modes”
• “Absence of catastrophic consequences on the user(s) and the environment”
• A system or application can only be termed safety-critical if it controls a process that can potentially harm its environment or users
• Certification and safety-standards are used.
• Standards describe how software should be tested: whether it is enough to black-box test the software, or if additional white-box tests are required.

Page 20

3.- Safety: IEC 61508

• European standards (IEC 61508, e.g.) allow individual components of the safety-critical system to be certified.
• There are four safety integrity levels (SIL).
• SIL provides information about the criticality of a system.
• Each level requires different development and verification methods.

Severity of Failure   IEC 61508
Catastrophic          SIL 4
Severe                SIL 3
Major                 SIL 2
Minor                 SIL 1

Page 21

3.- Safety: EN 50128 Mandatory Requirements for SIL4 Applications

• Modular approach: Decomposition of a software system into small parts in order to limit the complexity of the system.

• Design and Coding Standards: A document can be found in the kernel tree that describes the preferred coding style.

• Functional testing: Tools for black-box testing and for code coverage analysis.

• Performance testing: autotest project and kernel-perf project.

• Data recording and analysis: all kernel data are recorded on the kernel homepage.

Page 22

3.- Safety: EN 50128 Mandatory Requirements for SIL4 Applications

• Compliant with EN ISO 9000-3 and Company Quality System: it depends on the specific safety-critical system and the specific company and its quality system.
• SW Configuration Management:
  – The whole life-cycle of a component is recorded in its git history
  – It is easy to compare two different versions of a source code file
  – The commit log files provide information on which changes occurred during the component’s life-cycle
• Impact Analysis: to identify the effect that a change or an enhancement to a software system will have on other modules in that software system.

Page 23

That’s all folks! Thank you!!!

Questions, comments, … ??

References
- Class: GNU/Linux for safety related systems (Embedded World 2011)
- Book: Linux in Safety-Critical Applications (OSADL Academic Works), Roland Kammerer (ISBN: 978-3-00-033885-4)


Page 24

Technical breakfast

GNU/Linux for Safety Related Systems