Code Coverage: Free Software and Virtualization to the Rescue



Similar documents
FLOSS, COTS, and Safety: A Business Perspective

Towards a Framework for Generating Tests to Satisfy Complex Code Coverage in Java Pathfinder

Certification Authorities Software Team (CAST) Position Paper CAST-26

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

EMC Publishing. Ontario Curriculum Computer and Information Science Grade 11

Nexus Professional Whitepaper. Repository Management: Stages of Adoption

DO-178B compliance: turn an overhead expense into a competitive advantage

Improving Embedded Software Test Effectiveness in Automotive Applications

AdaCore Quality Procedures. Romain Berrendonner Software QA Manager, AdaCore

CS Matters in Maryland CS Principles Course

Real-time Debugging using GDB Tracepoints and other Eclipse features

Best Practices for Verification, Validation, and Test in Model- Based Design

AQA GCSE in Computer Science Computer Science Microsoft IT Academy Mapping

TESSY Automated dynamic module/unit and. CTE Classification Tree Editor. integration testing of embedded applications. for test case specifications

Parameters for Efficient Software Certification

Using Code Coverage Tools in the Linux Kernel

Instructional Design Framework CSE: Unit 1 Lesson 1

SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE. Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.

white paper A CASE FOR VIRTUAL RAID ADAPTERS Beyond Software RAID

Notes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.

Certification Authorities Software Team (CAST) Position Paper CAST-10

The Impact of RTCA DO-178C on Software Development

Model Based System Engineering (MBSE) For Accelerating Software Development Cycle

How To Develop A Powerpc/Powerpc/Ada 95/C++/Adma 83/C/C95/A95/C99/A83/A84/A85/A86/A75/A74

Eddy Integrated Development Environment, LemonIDE for Embedded Software System Development

Bootloader with AES Encryption

THE NAS KERNEL BENCHMARK PROGRAM

Interpreters and virtual machines. Interpreters. Interpreters. Why interpreters? Tree-based interpreters. Text-based interpreters

Why? A central concept in Computer Science. Algorithms are ubiquitous.

Android Development: a System Perspective. Javier Orensanz

Handling Hyper-V. In this series of articles, learn how to manage Hyper-V, from ensuring high availability to upgrading to Windows Server 2012 R2

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

Inside Track Research Note. In association with. Enterprise Storage Architectures. Is it only about scale up or scale out?

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter

Essentials of Computer Programming. Computer Science Curriculum Framework

INTEL PARALLEL STUDIO EVALUATION GUIDE. Intel Cilk Plus: A Simple Path to Parallelism

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Monitoring, Tracing, Debugging (Under Construction)

Migrating Application Code from ARM Cortex-M4 to Cortex-M7 Processors

WHITE PAPER. Addressing Monitoring, Access, and Control Challenges in a Virtualized Environment

Virtualization. Dr. Yingwu Zhu

Executive Summary - 1 -

Embedded Systems Conference April 3-7, San Jose [ESC-447] Safety-Critical Design Techniques for Secure and Reliable Systems

IOS110. Virtualization 5/27/2014 1

In-memory Tables Technology overview and solutions

Chapter 2 Addendum (More on Virtualization)

Best Practices for Managing Virtualized Environments

Memory Systems. Static Random Access Memory (SRAM) Cell

1 The Java Virtual Machine

Software Engineering for LabVIEW Applications. Elijah Kerry LabVIEW Product Manager

Chapter 3: Data Mining Driven Learning Apprentice System for Medical Billing Compliance

ARIZONA CTE CAREER PREPARATION STANDARDS & MEASUREMENT CRITERIA SOFTWARE DEVELOPMENT,

pc resource monitoring and performance advisor

Taking control of the virtual image lifecycle process

Module 10. Coding and Testing. Version 2 CSE IIT, Kharagpur

Measuring Software Complexity to Target Risky Modules in Autonomous Vehicle Systems

Techniques and Tools for Software Analysis

NetApp FAS Hybrid Array Flash Efficiency. Silverton Consulting, Inc. StorInt Briefing

Certification Authorities Software Team (CAST) Position Paper CAST-9

SCADE SUITE SOFTWARE VERIFICATION PLAN FOR DO-178B LEVEL A & B

StACC: St Andrews Cloud Computing Co laboratory. A Performance Comparison of Clouds. Amazon EC2 and Ubuntu Enterprise Cloud

From Control Loops to Software

Vector storage and access; algorithms in GIS. This is lecture 6

Mobile Database Improves Usability, Facilitates Offline Access for Hosted E- Payables Solution

VLIW Processors. VLIW Processors

Using WebLOAD to Monitor Your Production Environment

Managing Application Performance and Availability in a Virtual Environment

find model parameters, to validate models, and to develop inputs for models. c 1994 Raj Jain 7.1

Volume I, Section 4 Table of Contents

Zabin Visram Room CS115 CS126 Searching. Binary Search

How Safe does my Code Need to be? Shawn A. Prestridge, Senior Field Applications Engineer

Image Compression through DCT and Huffman Coding Technique

Course MS10975A Introduction to Programming. Length: 5 Days

A Guide Through the BPM Maze

A New Foundation For Customer Management

Programming LEGO NXT Robots using NXC

Base One's Rich Client Architecture

Using CMM with DO-178B/ED-12B for Airborne System Development

Virtualization Technologies (ENCS 691K Chapter 3)

Development of AUTOSAR Software Components within Model-Based Design

Intel Application Software Development Tool Suite 2.2 for Intel Atom processor. In-Depth

CHAPTER - 5 CONCLUSIONS / IMP. FINDINGS

THREE YEAR DEGREE (HONS.) COURSE BACHELOR OF COMPUTER APPLICATION (BCA) First Year Paper I Computer Fundamentals

Hypercosm. Studio.

Virtual Platforms Addressing challenges in telecom product development

F-22 Raptor. Agenda. 1. Motivation

UNCLASSIFIED Version 1.0 May 2012

Bringing Big Data Modelling into the Hands of Domain Experts

Evading Android Emulator

Security Auditing in a Virtual Environment

Progress Report Aspect Oriented Programming meets Design Patterns. Academic Programme MSc in Advanced Computer Science. Guillermo Antonio Toro Bayona

Lenovo Partner Pack for System Center Operations Manager

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Motorola 8- and 16-bit Embedded Application Binary Interface (M8/16EABI)

Mission-Critical Java. An Oracle White Paper Updated October 2008

Transcription:

Code Coverage: Free Software and Virtualization to the Rescue Franco Gasperoni, AdaCore gasperoni@adacore.com What is Code Coverage and Why Is It Useful? Your team is developing or updating an embedded application based on a set of requirements. If you do not intend to conduct a testing campaign to verify compliance of the code with the requirements don t read any further. Code coverage will not be of much use. If you are still reading you probably plan to create or upgrade your collection of tests and ensure that what has been developed adheres to the requirements. Whether your testing campaign relies on unit/functional/robustness/ tests or a mixture of these you will probably wonder about the quality of your test suite and more specifically how to ascertain that the test suite is reasonably complete. Code coverage allows you to answer this question. As you run the test suite on your application, a code coverage tool tells you which portions of the application are really being exerted by the testing campaign. Let s get down to earth and work trough an example. Let s assume that we have been asked to sort an array of floats (our requirement). To meet this requirement we implement the insertion sort routine given in Figure 1. 01: type Float_Array is array (Integer range <>) of Float; 02: 03: procedure Insertion_Sort (A : in out Float_Array) is 04: Value : Float; 05: I : Integer; 06: begin 07: for W in A'First.. A'Last loop 08: Value := A (W); 09: I := W; 10: while I > A'First and then A (I - 1) > Value loop 11: A (I) := A (I - 1); 12: I := I - 1; 13: end loop; 14: if I < W then 15: A (I) := Value; 16: end if; 17: end loop; 18: end Insertion_Sort; Figure 1: A simple insertion sort algorithm. Page 1 of 7

If we test our insertion sort routine using Test_1 = (1.0, 2.5, 3.141) code coverage shows that lines 11, 12, and 15 are not executed since the condition A (I - 1) > Value on line 10 and condition I < W on line 14 will always be false. If Test_1 is our only test vector, code coverage shows that we have tested our insertion sort algorithm only roughly. If we also use test vector Test_2 = (7.5, 2.3, 1.0, 0.5) then all source code lines in Figure 1 will be executed. What Should Be Covered? With test vectors Test_1 and Test_2, code coverage shows that we have exerted all lines in our implementation of the insertion sort algorithm. Is this good enough? This depends on how critical is our application. In the context of safety-critical embedded avionics applications, for instance, the DO-178B [1] standard focuses on requirements-based testing and distinguishes 5 levels of software criticality (from Level E not critical at all to Level A very safety-critical). Levels C, B, and A, are those where the DO- 178B expects a certain degree of code coverage to ascertain that we have a reasonably complete test suite with respect to the requirements. If our insertion sort algorithm is used in a level of criticality C application then test vectors Test_1 and Test_2 are good enough. As we go up to Level B and Level A criticality and as the likelihood of injuries and loss of lives increases should the embedded software malfunction, more stringent coverage requirements apply. In Level B, for instance, covering each line of source code must be complemented with decision coverage, i.e. covering each decision branch. In our insertion sort example we must provide a test vector to try things out when the for-loop at line 7 is never executed. If our insertion sort algorithm is to fly as part of a Level B application we must add an empty array as test vector to our test suite. For the highest level of software criticality, Level A, instruction and decision coverage have to be complemented with modified condition/decision coverage (MC/DC). In MC/DC we have to test that each condition in a decision independently affects the decision s outcome. In our insertion sort example the only decision with more than one condition is in line 10 where there are two conditions: Condition 1: I > A'First Condition 2: A (I - 1) > Value Test vectors 1 and 2 have tested two of the three combinations of interest, namely: Condition 1 = True and Condition 2 = False (test vector 1); Condition 1 = True and Condition 2 = True (test vector 2). We are missing a test for Condition 1 = False. This is easily addressed by providing an additional test with a single element array. Page 2 of 7

Obtaining Code Coverage Information In the previous sections we have explained what code coverage is and its usefulness in assessing the quality of a test suite in regard to a set of requirements according to the level of criticality of the tested software. This section surveys the options to obtain code coverage information. In all of the following options coverage information is related back to the original source. Instrumenting the Source With this technique instrumentation is added, either by hand or with a tool, to the source code to log coverage information. This is the approach followed by several tool vendors. This approach has the advantage of providing a straightforward coverage mapping between the source code and the information logged. Furthermore, it does not require changing the compiler and is fairly simple to put in place for unit tests that run both on the host computer and the target hardware. This approach has several drawbacks. Firstly it is programming language specific. From a tools vendor perspective this means a tool per programming language supported. If the application being tested uses several programming languages this means using different tools for the application. In addition instrumentation needs to store the log somewhere, typically in a file, which is problematic on embedded systems without a file system. Finally this approach is very intrusive and modifies the object code generated by the compiler which may result in different behaviors between the instrumented code and the final embedded application. To circumvent some of these problems, when possible, developers execute the instrumented test suite on the host computer, while the un-instrumented test suite is run on the target hardware. The results of the two runs are then compared to ensure that the same behavior is obtained. For large test suites this is a further disadvantage of this approach. Instrumenting the Object In this technique the compiler is modified in such a way that instrumentation is inserted directly at the object level during compilation. Instrumentation is inserted only when requested by the developer with a special compiler switch. GCC, the GNU Compiler Collection, has the ability to extract code coverage information by instrumenting the object following this approach. When the executable is tested, instrumentation logs are accrued in a file (one file per object). A separate tool, called gcov in the case of GCC, reads the instrumentation logs, gathers the generated information and maps it back to the original source code [2]. The advantage of this approach with respect to the previous one is its programming language independence, in the case of GCC at least. Otherwise, all the other disadvantages of direct source-level instrumentation are present with object-level instrumentation. Page 3 of 7

Extracting an Execution Trace With this technique the object code trace is obtained by some means, typically via a JTAG or Nexus probe, or by single stepping the processor. This trace is then related back to the original source code to determine coverage. This last step isn t straightforward. It requires a mapping between the source and the object code. One possibility is exploiting the debug information included in the executable. This approach is programming language independent. In addition, and foremost, this approach is non intrusive and allows to extract coverage information directly from the final application that is to run on the target hardware. In terms of disadvantages this approach can be slow. In addition, when executing the application on the target hardware, a connection between the target hardware and the host where the trace is saved is still necessary. The alternative of logging the data on the board requires significant amounts of storage that is typically not available on embedded boards. If a probe is used to collect the execution trace, extra specialized hardware needs to be used. Finally, in the presence of compiler optimizations, relating trace information back to the source to obtain source code coverage is not always a simple task. Free Software Coverage Tools: The Current Generation The Free Software/Open Source coverage tool of reference is GCC/gcov. As previously mentioned the coverage approach taken by GCC/gcov is object-level instrumentation. This provides a convenient and easy-to-use source-coverage capability in the case of unit tests that can run on the host. If the testing campaign is based on unit tests, and GCC is used on the host, and there is no need for DO- 178B qualification material, we are almost set. One missing piece is a tool/ide to visualize in a friendly and synthetic way what lines in the source are and aren t covered. Free Software tools such as LCOV [3] or the GPS IDE [4] address this need. Depending on the project s criticality and its risk management policy, the last missing piece may be an internal or external provider to rely on for periodic releases of the Free Software coverage tools along with the support and maintenance guarantees needed by the project. In the case of Ada and C, AdaCore [5] is one such provider. In the case of C++, CodeSourcery [6] is another. Free Software Coverage Tools: The Next Generation Thanks to public funds, the next generation of Free Software code coverage tools is on its way [7]. Project Coverage will produce a Free Software coverage analysis toolset together with artifacts that allow the tools to be used for safety-critical software projects undergoing a DO-178B software audit process for all levels of criticality. While an important target use of the coverage toolset is safety-critical embedded applications, the design of the tools allows its use in non safety-critical circumstances. Page 4 of 7

Beyond the production of useful tools and certification material for industrial users, an important goal is to raise awareness and interest about safety-critical and certification issues in the Free Software/Open Source community. The key insight of Project Coverage is as follows: code coverage can greatly benefit from recent advances in hardware virtualization technology [8] as promoted, for instance, by VMware [9] or QEMU [10]. See Figure 2. By virtualizing the target hardware, Project Coverage tools can execute the binary code that is to run on the target hardware as-is on a host computer. While executing the target code on the host, Project Coverage tools collect binary branch information. The collected information is then analyzed off-line Conventional Approach Approach by Virtualization Sources Coverage Information Sources Coverage Information Compilation Link Compilation Link Instrumentation Compilation Link Binary Branch Information Executable Instrumented Executable Executable Instrumented HOST Virtual Machine Coverage Data TARGET Pure Instrumented Pure Figure 2: Obtaining code coverage information by hardware virtualization. and mapped back to the original sources by using the source to object code mapping information extracted from the debugging information contained in the executable. We are basing this part of our work on the DWARF standard for debugging information that the majority of compilation chains are capable of generating. Our virtualization technology is based on QEMU that we are extending, first to output binary branch coverage information, and second to make it usable in industrial contexts typically found in the avionics domain (MIL-STD-1553, ARINC 629, etc.). Page 5 of 7

Because QEMU works by compiling the target object code into the host object code and that the host computer is typically faster than the target one, virtualization is actually a plus over direct execution on the target. The approach put forth by Project Coverage features several strong points: (1) Project Coverage tools are easy to use and deploy since they run on the host computer; (2) Project Coverage tools work for all compiled programming languages and compilers that can output DWARF debugging information and can be easily adjoined to existing development environments; (3) Compared to a gcov -based approach, the Project Coverage solution is completely decoupled from the compiler. This means that one can change/freeze compilers and coverage tools independently of each other. This is unlike the gcov approach which is tightly coupled to the compiler so a change in the compiler implies a change of gcov and more to the point - a change in gcov will force a compiler change. This tight coupling between compiler and gcov coverage toolset is a factor of risk that is avoided with the Project Coverage approach. (4) Project Coverage tools are non-intrusive and capable of working directly with the final executable; (5) No specialized hardware is required to extract coverage information; (6) Thanks to the difference in speed, memory, and file system requirements between the target and host computer, the process of extracting coverage information on the host by virtualizing the target hardware compares favorably in terms of speed with current approaches to gather coverage information; In addition to the above: (7) Users of Project Coverage will obtain DO-178B qualification material when necessary; (8) Project Coverage tools will be freely available and its industrial users will have the option to purchase high-quality professional support. In summary Project Coverage is a clever combination of several unrelated trends in today s software technology landscape (Free Software, Virtualization, DWARF, DO-178B qualification ) to produce a unique code coverage solution that safety-critical and non safety-critical developers can use in their projects. References [1] EUROCAE, RTCA: ED-12B/DO-178B: Software Considerations in Airborne Systems and Equipment Certification. See http://www.eurocae.eu/ or http://www.rtca.org/. [2] gcov a Test Coverage Program. See http://gcc.gnu.org/onlinedocs/gcc/gcov.html. Page 6 of 7

[3] The LTP GCOV extension (LCOV). See http://ltp.sourceforge.net/coverage/lcov.php. [4] The GNAT Programming Studio. See http://libre.adacore.com/gps/. [5] http://www.adacore.com/. [6] http://www.codesourcery.com/. [7] http://libre.adacore.com/coverage/. [8] The Economist: Virtualization: The Rise of the Hypervisor. January 17, 2008. Available at http://www.economist.com/business/displaystory.cfm?story_id=10534566. [9] http://www.vmware.com/. [10] http://en.wikipedia.org/wiki/qemu. Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information