Verification of Memory Interferences in Automotive Software: A Practical Approach
Freedom From Interference (FFI) is one of the main concerns in today's safety-related software. According to the ISO 26262 standard on functional safety of automotive systems, FFI means that a fault in a software component will not lead to a fault in a more safety-critical component. Many projects involve mixed-criticality architectures, i.e., they run applications with different Automotive Safety Integrity Levels (ASIL) on the same microcontroller. While architectural solutions that ensure FFI are known (software partitioning, hardware memory protection, or other safety mechanisms), their verification and debugging can be difficult. Indeed, the implementation of a Memory Protection Unit (MPU) often reveals the weaknesses of the design, and it is then difficult and time consuming to understand all the exceptions raised during testing. As FFI encompasses several kinds of interference (dynamic execution, shared resources, memory, etc.), we decided to focus on the problem of memory interference between different safety-related software components. One of the major risks of these interferences is cascading failures that may lead to the corruption of safety data: for example, a lower ASIL component writing into higher ASIL data, or a higher ASIL component reading and processing lower ASIL data without checking it. This paper will show how the design of a complex application can be verified with regard to memory interferences between different applications. This will be illustrated on a case study from Valeo, an ADAS system, on which the Safety Checker® from Tasking was used to check the memory interferences. An emphasis will be put on the process to verify FFI at different steps of the development cycle and on how it has been applied on the project.
The Safety Checker® from Tasking is a tool that automatically verifies access rights (write/read/execute) between different logical partitions of software components. C source files are allocated to partitions, and access rights are granted between the partitions. The tool then checks every access by traversing the call graph and comparing each access with the rights that were granted. It reports all memory access violations, i.e., possible interferences between the partitions. These results are a major help in the design and verification of safety properties on complex software. The results obtained on the project have demonstrated that memory interferences can be efficiently detected, and that redesign of the architecture, e.g., ASIL allocation, is eased. The paper will finally discuss the proposed approach, its strengths and limitations.
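As an added illustration, not part of the paper or of the Tasking tool, the following Python model reproduces the checking step described above: source files are allocated to partitions, access rights are granted between partitions, and every cross-partition data access or call found in the call graph is compared against those rights. Partition names, file names, symbols and the call graph are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model (assumption: the real tool's input formats are not shown).
PARTITIONS = {"QM": 0, "ASIL_B": 2}          # partition name -> criticality rank
FILE_TO_PARTITION = {"hmi.c": "QM", "brake_ctrl.c": "ASIL_B", "sensor_if.c": "ASIL_B"}
SYMBOL_TO_FILE = {"g_brake_cmd": "brake_ctrl.c", "g_hmi_state": "hmi.c",
                  "apply_brake": "brake_ctrl.c"}
# Rights granted between partitions: (src, dst) -> allowed access kinds.
# Same-partition access is always allowed; anything not listed is forbidden.
ALLOWED = {("ASIL_B", "QM"): {"read"}}

@dataclass
class Function:
    name: str
    file: str
    accesses: list = field(default_factory=list)  # (symbol, "read" | "write")
    calls: list = field(default_factory=list)     # names of called functions

def partition_of_file(f):
    return FILE_TO_PARTITION[f]

def check_ffi(functions):
    """Walk every function in the call graph; report each cross-partition
    access (data read/write, or call modelled as 'execute') not granted in ALLOWED."""
    by_name = {fn.name: fn for fn in functions}
    violations = []
    for fn in functions:
        src = partition_of_file(fn.file)
        edges = [(sym, kind, SYMBOL_TO_FILE[sym]) for sym, kind in fn.accesses]
        edges += [(c, "execute", by_name[c].file) for c in fn.calls]
        for target, kind, tfile in edges:
            dst = partition_of_file(tfile)
            if dst != src and kind not in ALLOWED.get((src, dst), set()):
                violations.append((fn.name, kind, target, src, dst))
    return violations

# Constructed call graph: QM HMI code writes a brake command owned by ASIL_B code
# and calls into it directly; the ASIL_B side reads (granted) QM state.
PROGRAM = [
    Function("hmi_task", "hmi.c",
             [("g_hmi_state", "write"), ("g_brake_cmd", "write")], ["apply_brake"]),
    Function("apply_brake", "brake_ctrl.c",
             [("g_brake_cmd", "read"), ("g_hmi_state", "read")]),
]

if __name__ == "__main__":
    for v in check_ffi(PROGRAM):
        print("VIOLATION: %s %ss %s (%s -> %s)" % v)
```

The lower ASIL write into higher ASIL data and the ungranted cross-partition call are both reported, while the granted ASIL_B read of QM data is not; whether such a read is acceptable without a plausibility check is a design decision expressed in the rights table.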
---
Date: 27.02.2018
Time: 10:00 AM - 10:30 AM
Location: Conference Counter NCC Ost