Re: Need help with PowerPC/Ada and realtime tasking

[JP Thornley <jpt@diphi.demon.co.uk>]

In article: <EACHUS.96May28185945@spectre.mitre.org>  
eachus@spectre.mitre.org (Robert I. Eachus) writes:
> ... other validations may matter more.

And the one that matters most is our own.

The primary need is an acceptable level of assurance that the compiler 
has no code generation fault that could affect the executable code in 
the box.

So, the starting point is a (probably) validated compiler that is known 
to have had a wide usage in different aplications.  The bug list must be 
stable and all the code generation bugs should be definable in terms of 
the Ada source constructs that may raise the bug - this is so that  
avoidance strategies and checking actions can be laid down to give 
assurance that the construct is not used (if this is not possible then a 
method for inspecting the executable for the error must be available).

The likelihood of the discovery of new code generation faults must also 
be low, as the effort needed to deal with them after the start of coding 
could be unacceptably large.

That is the starting point for our own validation activities - which, in 
the past, have been based around a set of test cases that use every 
language construct (in the subset, not the full language) in every 
context in which they might appear.  These test cases are compiled and 
the object code checked for acceptability.  Any anomalies found here 
will place further restrictions on the code (for example, with a 
compiler currently in use, address representation clauses in package 
bodies are avoided).

If this still looks OK then the compiler is judged acceptable for 
safety-critical code.

Subsequently, as the application code is produced, samples are compiled 
and the object code reviewed against the source to maintain confidence 
that the application is not going into untested areas of the compiler.  
Any compilation units that do not use the predefined compiler switches 
also have the object code inspected.

If the level of effort required for the test cases is not feasible for a 
particular project/compiler then it is necessary to inspect 100% of the 
compiler output against the source.

-- 
------------------------------------------------------------------------
| JP Thornley    EMail jpt@diphi.demon.co.uk                           |
------------------------------------------------------------------------