Avionics Europe 2013
Zoë Stephenson
zoe.stephenson@rapitasystems.com
Timing Tool Test Effectiveness for WCET Analysis Tools
Confidence in software tools rests on the
effectiveness of tool verification –
essentially, asking the right questions.
To determine the right questions for WCET
tools, this presentation introduces our WCET
tool test effectiveness framework and
explains how it influences our tool testing.
Overview
Motivation – WCET analysis in context
Obtaining confidence in tools
How timing tools are used
How we evaluated our own testing efforts
What the evaluation means for RapiTime
The presentation is split into these five
sections.
Context: general SW development
[Diagram: a development cycle linking a Timing Requirement, the Software and Timing Evidence through develop, test, evaluate and improve steps]
The V model: requirement, software, test result
Context: timing requirements
[Diagram: the same development cycle, now with a Timing Analysis Tool + Method block added]
This is where we introduce a timing analysis tool and
method to check that the software meets those
requirements
Context: timing requirements
[Diagram: the Tool, its Tool Operational Requirements and the Tool Verification Results, connected by develop, test, evaluate and improve]
Now we run tests to ensure that the tool is operating correctly
according to its Tool Operational Requirements (TOR)
Context: tool test effectiveness
[Diagram: Criteria for Test Effectiveness and Test Effectiveness, connected by develop, review, evaluate and improve]
Now we review whether the test suite for the tool has
sufficiently exercised the tool
How RVS aids testing
RVS
RapiTime
collect data on-target during execution
transmit data to host computer
combine with program static analysis: beyond end-to-end tests
report test coverage and potential untested worst-case behaviours
direct tool user to define more comprehensive tests
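To make the data-collection step more concrete, here is a minimal sketch of the kind of on-target instrumentation a measurement-based timing tool relies on. It is not RapiTime's actual API: the counter address, the rvs_ipoint name and the buffer layout are assumptions for illustration only.

```c
/* Hypothetical on-target instrumentation sketch: record (ipoint id, timestamp)
 * pairs in a buffer that is later transmitted to the host and combined with
 * the static analysis. CYCLE_COUNTER is an assumed memory-mapped counter. */
#include <stdint.h>

#define CYCLE_COUNTER (*(volatile uint32_t *)0x40001000u)  /* assumed address */
#define TRACE_CAPACITY 4096u

typedef struct {
    uint16_t ipoint;   /* instrumentation-point ID inserted by the tool    */
    uint32_t cycles;   /* cycle counter value at the instrumentation point */
} trace_entry_t;

static trace_entry_t trace_buf[TRACE_CAPACITY];
static volatile uint32_t trace_len = 0u;

/* Called at each instrumentation point; kept short so its own overhead can
 * be measured and accounted for on the host. */
void rvs_ipoint(uint16_t id)
{
    if (trace_len < TRACE_CAPACITY) {
        trace_buf[trace_len].ipoint = id;
        trace_buf[trace_len].cycles = CYCLE_COUNTER;
        trace_len++;
    }
}

/* Instrumented application code: IDs mark block entry and exit so the host
 * can attribute execution time to individual code sections. */
void sensor_step(void)
{
    rvs_ipoint(101u);      /* entry */
    /* ... application work ... */
    rvs_ipoint(102u);      /* exit  */
}
```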
DO-178B says…
The objective of the tool qualification process is to ensure that
the tool provides confidence at least equivalent to that of the
process(es) eliminated, reduced or automated.
Qualification context
[Diagram: Tool Development and Tool Testing, together with the Tool Qualification Plan, Tool Accomplishment Summary, Tool Use Cases, Tool User and Tool Vendor]
The background, and the part we are concerned with for the
effectiveness of RapiTime testing (circled in green on the
slide)
Tool testing: effective
[Diagram: effective tool testing accepts a correct tool and rejects an incorrect tool]
A tool test is effective if it can distinguish a tool that meets
the requirements from a tool that does not
Tool testing: representative
[Diagram: a tool accepted by representative testing is also acceptable in real-world use]
If a test is representative, you can infer real-world
correctness from correctness during the test
Timing tool usage
[Diagram: the Timing Analysis Tool + Method and its Tool Verification Results, tested through a Tool Test / Analysis Suite of test procedures and test input programs, involving the tool, the target and the user]
Adding detail to the model of the tool and its usage
highlights the factors that are considered in the
assessment
Assessment approach
[Diagram: a Usage Model feeds a custom SHARD / HAZOP process; each Undesired Outcome is analysed for Causes and Mitigations, and requirements derivation produces Conditions of Use and changes (Δ) to test plans that adjust testing]
Guideword selection
Guideword: Application
No: Test not present / not done
More: Over-constrained analysis, cases missed
Less: Shallow test, cases missed
Part of: Incomplete test, not whole programs
As well as: N/A
Reverse: N/A
Error: Test claims tool works, but it does not
Applicability of general guidewords for test effectiveness
(and similarly for other artefacts and flows)
Top-level analysis
Provide both procedures and review criteria for test selection and
customisation
Test procedure review criteria:
Depth (from “less”)
Generalisability (from “more”)
Completeness (from “part of”)
General tool derived requirements: if the main tool calls further tools, propagate back the error return code
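As a concrete reading of that last derived requirement, the sketch below (hypothetical tool and file names, not Rapita's implementation) shows a main tool invoking a helper tool and passing any failure back to its own caller instead of masking it.

```c
/* Sketch of the derived requirement: if the main tool calls further tools,
 * propagate the error return code back to the caller. Names are invented. */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    /* Run a helper tool; system() returns its termination status. */
    int status = system("trace_decoder input.rtrace -o decoded.xml");

    if (status != 0) {
        /* Do not mask the failure: report it and return a non-zero code so
         * scripts and test procedures can detect the error. */
        fprintf(stderr, "trace_decoder failed with status %d\n", status);
        return EXIT_FAILURE;
    }

    /* ... continue with the main tool's own analysis ... */
    return EXIT_SUCCESS;
}
```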
Timing tool analysis
Structural diversity in test input programs, with expected execution times:
threads, tasks, schedules…
subprograms: direct, indirect…
blocks, entries, exits…
selection, loop, nesting…
compound statement, exits…
expressions, decisions…
A sketch of such a test input follows.
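A hedged example of what one of these test input programs might look like: a small C fragment (names and bounds invented for illustration) combining subprogram calls, selection, nested loops and early exits, each with known bounds so that an expected execution time can be stated in advance.

```c
/* Hypothetical test input program exercising structural diversity:
 * subprogram calls, selection, nested loops and early exits, each with
 * known bounds so an expected execution time can be computed. */
#include <stdint.h>

static uint32_t leaf(uint32_t x)              /* direct subprogram call      */
{
    return (x & 1u) ? 3u * x + 1u : x / 2u;   /* selection in an expression  */
}

uint32_t structural_case(const uint32_t *data, uint32_t n)
{
    uint32_t acc = 0u;

    for (uint32_t i = 0u; i < n; i++) {        /* outer loop: n iterations   */
        for (uint32_t j = 0u; j < 8u; j++) {   /* inner loop: fixed bound 8  */
            if (data[i] == 0u) {
                break;                         /* early loop exit            */
            }
            acc += leaf(data[i] + j);
        }
    }
    return acc;
}
```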
Timing tool analysis
Execution time diversity, representing the deployed system:
bus interaction with peripherals
branch prediction
denormalized numbers
Testing must be applicable across hardware features that
lead to variations in execution time at different scales
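As one concrete illustration of the denormalized-number case, the host-side sketch below times the same loop with normal and with subnormal operands; the slowdown is target-dependent and may be absent on FPUs that handle subnormals at full speed.

```c
/* Sketch: the same loop can take very different times depending only on
 * operand values, e.g. subnormal (denormalized) floats on FPUs that take a
 * slow assist path for them. Behaviour is target-dependent. */
#include <stdio.h>
#include <time.h>

static double time_loop(float seed)
{
    volatile float x = seed;
    clock_t start = clock();
    for (long i = 0; i < 10000000L; i++) {
        x = x * 0.5f + seed;   /* stays subnormal for a tiny seed value */
    }
    clock_t end = clock();
    (void)x;
    return (double)(end - start) / CLOCKS_PER_SEC;
}

int main(void)
{
    printf("normal operands:    %.3f s\n", time_loop(1.0f));
    printf("subnormal operands: %.3f s\n", time_loop(1e-40f));
    return 0;
}
```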
RapiTime analysis
Creating software with a known execution time:
Independent time source
Other calibrated delay
Ensuring that on-target measurement is representative:
Target measurement library testing
Target measurement for multicore
Target measurement for ARINC 653
Helping the user to manage the execution time analysis:
Traceability by configuration ID
Workflow to validate annotations
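One way to create software with a known execution time is a calibrated delay loop whose duration is cross-checked against an independent time source. The sketch below is illustrative only: the cycles-per-iteration constant would have to be established per target and per compiler setting, and the names are invented.

```c
/* Sketch: software with a calibrated, known execution time, used to check
 * that the tool's reported times agree with an independent time source.
 * CYCLES_PER_ITER is a target-specific assumption from calibration runs. */
#include <stdint.h>

#define CYCLES_PER_ITER 4u

/* Busy-wait for approximately `cycles` CPU cycles. */
void calibrated_delay(uint32_t cycles)
{
    volatile uint32_t i;
    uint32_t iterations = cycles / CYCLES_PER_ITER;
    for (i = 0u; i < iterations; i++) {
        /* empty body: the loop overhead itself provides the delay */
    }
}

/* Test case: the timing tool should report close to 10000 cycles for this
 * function, and the same interval is checked against an independent
 * hardware timer during calibration. */
void known_time_case(void)
{
    calibrated_delay(10000u);
}
```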
Strengthened confidence
RapiTime works on large programs, peculiar code structures, a variety of OS styles
RapiTime works with a large range of data collection and extraction mechanisms
RapiTime provides comprehensive traceability mechanisms for observed measurements and
computed execution times
Improving tool offering
New integration possibilities for multicore and time-partitioned systems
More comprehensive assessment advice for different target hardware and
measurement capabilities
More flexible verification kits for on-site tool qualification
New features in RVS 3.1
Graphical report comparisons help to show where a test that is effective in the lab falls
short on site
Wider range of path highlighting facilities show WCET path deviations at a glance
Command-line data export to CSV, XML and text formats helps to trace between the tool assessment and individual tests