MARCH 2012
The Official Publication of The Embedded Systems Conferences and Embedded.com
VOLUME 25,
NUMBER 2
Discriminated
unions
9
Debug real-time
SW with logic analyzer
19
Managing multiple
processes in multicore
27
Probing pointers
34
VERIFYING
REQUIREMENTS
AND OBJECT
CODE
12
SAFE
RELIABLE
SECURE
For nearly 30 years the worlds leading industrial companies have trusted Green Hills
Softwares secure and reliable high performance software for safety-critical applications.
From manufacturing automation, to telemetry and control systems, Green Hills Software
has been delivering proven and secure underpinning technology.
To nd out how the worlds most secure and reliable operating system and software
can take the risk out of your industrial project, visit www.ghs.com/s4i
Copyright 2012 Green Hills Software. Green Hills Software and the Green Hills logo are registered trademarks of
Green Hills Software. All other product names are trademarks of their respective holders.
TRUSTED SOFTWARE FOR INDUSTRIAL
AUTOMATION AND CONTROL
Mouser delivers the components you need, on-time. And with local Technical
Support and Customer Service Experts in 19 locations around the world, youll
nd the newest components to launch your new design seamlessly.
The Newest Products for Your Newest Designs
Mouser and Mouser Electronics are registered trademarks of Mouser Electronics, Inc. The Newest Products for Your Newest Designs is a registered trademark of Mouser Electronics, Inc.
mouser.com
Semiconductors and electronic
components for design engineers.
Scan Here
mouser.com
Authorized Distributor
We deliver
ASAP, PDQ
and JIT . So,
you
re never
SOL.
AS9120A
Certified Distributor
E MB E D D E D S Y S T E MS D E S I G N
THE OFFI CI AL PUBLI CATI ON OF THE EMBEDDED SYSTEMS CONFERENCES AND EMBEDDED. COM
VOLUME 25, NUMBER 2
MARCH 2012
COLUMNS
programming
pointers
9
Discriminated unions
BY DAN SAKS
Discriminated unions can be useful in
some applications, but they also pro-
vide insight into the advantages of
using virtual functions.
break points
34
Probing pointers
BY JACK G. GANSSLE
The wrong probe can either cause your
circuit to fail or even to physically
destroy components. Here are some of
the issues.
DEPARTMENTS
#include
5
Safety threats: from satellites to
pods in you pocket
BY COLIN HOLLAND
DARPA's High-Assurance Cyber
Military Systems program is look-
ing for a synthesizer capable of
producing a machine-checkable
proof that generated code satises
functional specications as well as
security and safety policies.
parity bit
7
Open to interpretation
new products
33
M2M and security
IN PERSON
DesignWest/ESC Silicon Valley
March 1629, 2012
http://esc.eetimes.com/siliconvalley/
ONLINE
www.embedded.com
12
EMBEDDED SYSTEMS DESIGN (ISSN 1558-2493) print; (ISSN 1558-2507 PDF-electronic) is published 10 times a year as follows: Jan/Feb, March, April, May, June,
July/August, Sept., Oct., Nov., Dec. by the EE Times Group, 600 Harrison Street, 5th oor, San Francisco, CA 94107, (415) 947-6000. Please direct advertising and editorial
inquiries to this address. SUBSCRIPTION RATE for the United States is $55 for 10 issues. Canadian/Mexican orders must be accompanied by payment in U.S. funds with addi-
tional postage of $6 per year. All other foreign subscriptions must be prepaid in U.S. funds with additional postage of $15 per year for surface mail and $40 per year for
airmail. POSTMASTER: Send all changes to EMBEDDED SYSTEMS DESIGN, EE Times/ESD, PO Box #3609, Northbrook, IL 60065-3257, embedsys@omeda.com. For cus-
tomer service, telephone toll-free (847) 559-7597. Please allow four to six weeks for change of address to take effect. Periodicals postage paid at San Francisco, CA and additional
mailing ofces. EMBEDDED SYSTEMS DESIGN is a registered trademark owned by the parent company, EE Times Group. All material published in EMBEDDED SYSTEMS
DESIGN is copyright 2010 by EE Times Group. All rights reserved. Reproduction of material appearing in EMBEDDED SYSTEMS DESIGN is forbidden without permission.
Cover Feature:
Tracing requirements
through to object code verication
BY MARK PITCHFORD
Verifying object code can mean the difference between success
and failure, quality and crap. But skipping the step because a
standard doesnt require it or because it theoretically eats into
prots is a surprisingly common practice. The author postu-
lates that this practice is not only shortsighted but no longer
valid.
19
Troubleshooting real-time software
issues using a logic analyzer
BY DAVID B. STEWART
This logic analyzer technique is a power-tool for the
embedded software engineers toolbox.
28
Manage multiple processes and processors
in a deterministic multicore design
BY CHRIS MAIN
How should processes running on different RTOSes communi-
cate in multi-OS systems? The author suggests you can manage
inter-process communications with global-object networking.
INDUSTRIAL
MEDICAL
AEROSPACE
AVIATION
SYSTEM ON A CHIP
CONSUMER
Express Logic has completed 14 years
of successful business operation,
and our agship product, ThreadX,
has been used in over 1 billion
electronic devices and systems,
ranging from printers to smartphones, from single-chip
SoCs to multiprocessors. Time and time again, when
leading manufacturers put their company on the line,
when their engineering team chooses an RTOS for their
next critical product, they choose ThreadX.
Our ThreadX RTOS is rock-solid, thoroughly eld-proven,
and represents not only the safe choice, but the most
cost-effective choice when your companys product
ThreadX, FileX, and TraceX are registered trademarks, and NetX, USBX, PEGX, StackX, and Certication Pack are trademarks of Express Logic, Inc.
All other trademarks are the property of their respective owners.
Copyright 2010, Express Logic, Inc.
When Your Companys Success, And Your Job, Are On The Line -
You Can Count On Express Logics ThreadX
RTOS
REALLY COUNTS
THREADX: WHEN IT
simply must succeed. Its royalty-free
licensing model helps keep your BOM low,
and its proven dependability helps keep
your support costs down as well. ThreadX
repeatedly tops the time-to-market results
reported by embedded developers like you. All the while,
Express Logic is there to assist you with enhancements,
training, and responsive telephone support.
Join leading organizations like HP, Apple, Marvell, Philips, NASA,
and many more who have chosen ThreadX for use in over 800
million of their products because their products are too
important to rely on anything but the best. Rely on ThreadX,
when it really counts!
Contact Express Logic to nd out more about our ThreadX RTOS, FileX
le system, NetX
USB Host/Device/OTG stack, and our PEGX
graphics toolkit for embedded GUI development. Also ask about our TraceX
real-time event trace and analysis tool, and StackX
, our patent-pending stack size analysis tool that makes stack overows a
thing of the past. And if youre developing safety-critical products for aviation, industrial or medical applications, ask
about our new Certication Pack
for ThreadX.
For a free evaluation copy, visit www.rtos.com 1-888-THREADX
Edward L. Lamie
With ThreadX
Second Edition
Now with appendices for ARM, Cold re,
MIPS and PowerPC architectures
Newnes
INCLUDED CD-ROM
REAL-TIME
EMBEDDED
MULTITHREADING
T H R E A D
BY Colin Holland #include
E MB E D D E D S Y S T E MS D E S I G N E MB E D D E D S Y S T E MS D E S I G N
BY Colin Holland #include
E MB E D D E D S Y S T E MS D E S I G N
Director of Content
Colin Holland
colin.holland@ubm.com
Managing Editor
Susan Rambo
(415) 947-6675
susan.rambo@ubm.com
Acquisitions/Newsletter Editor,
ESD and Embedded.com
Bernard Cole
(928) 525-9087
bccole@acm.org
Contributing Editors
Michael Barr
Jack W. Crenshaw
Jack G. Ganssle
Dan Saks
Art Director
Debee Rommel
debee.rommel@ubm.com
Production Director
Donna Ambrosino
dambrosino@ubm-us.com
Article submissions
After reading our writers guidelines, send
article submissions to Bernard Cole at
bccole@acm.org
Subscriptions/RSS Feeds/Newsletters
www.eetimes.com/electronics-subscriptions
Subscriptions Customer Service (Print)
Embedded Systems Design
PO Box # 3609
Northbrook, IL 60065- 3257
embedsys@omeda.com
(847) 559-7597
Article Reprints, E-prints, and
Permissions
Mike Lander
Wrights Reprints
(877) 652-5295 (toll free)
(281) 419-5725 ext.105
Fax: (281) 419-5712
www.wrightsreprints.com/reprints/index.cfm
?magid=2210
Publisher
David Blaza
(415) 947-6929
david.blaza@ubm.com
Associate Publisher, ESD and EE Times
Bob Dumas
(516) 562-5742
bob.dumas@ubm.com
CorporateUBM Electronics
Paul Miller Chief Executive Ofcer
David Blaza Vice President
Karen Field Senior Vice President, Content
Felicia Hamerman Vice President, Marketing
Brent Pearson Chief Information Ofcer
Jean-Marie Enjuto Vice President, Finance
Amandeep Sandhu Director of Audience Engagement &
Analytics
Barbara Couchois Vice President, Partner Services &
Operations
CorporateUBM LLC
Marie Myers Senior Vice President,
Manufacturing
Pat Nohilly Senior Vice President, Strategic
Development and Business
Administration
E MB E D D E D S Y S T E MS D E S I G N
Safety threats: from satellites
to pods in your pocket
www.embedded.com | embedded systems design | MARCH 2012 5
T
he spotlight is shining again on
the security of embedded com-
puter systems as the Defense Ad-
vanced Research Projects Agency
(DARPA) sets up its High-Assurance
Cyber Military Systems (HACMS)
program.
Our vision for HACMS is to
adopt a clean-slate, formal method-
based approach to enable semi-auto-
mated code synthesis from executable,
formal specifications, said DARPA
program manager, Kathleen Fisher.
Embedded computer systems play
a part in every aspect of DoDs tech-
nology. The software in these systems
does everything from manage large
physical infrastructures and run pe-
ripherals such as printers and routers,
to control medical devices such as
pacemakers and insulin pumps. Net-
working these embedded computer
systems enables remote retrieval of di-
agnostic information, software up-
dates, and access to innovative features,
but it also introduces vulnerabilities to
the system via remote attack.
In addition to generating code,
HACMS is looking for a synthesizer
capable of producing a machine-
checkable proof that the generated
code satisfies functional specifica-
tions as well as security and safety
policies. A key technical challenge is
the development of techniques to en-
sure that such proofs are composable,
allowing the construction of high-as-
surance systems out of high-assur-
ance components.
Technologies cited as key to
HACMS include semi-automated soft-
ware synthesis systems, verification
tools such as theorem provers and
model checkers, and specification lan-
guages. And opportunities will abound
for industry at large to take advantage
as HACMS aims to produce a set of
publicly available tools integrated into a
high-assurance software workbench,
widely distributed to both defense and
commercial sectors. In the defense sec-
tor, HACMS plans to enable high-as-
surance military systems ranging from
unmanned ground, air and underwater
vehicles, to weapons systems, satellites,
and command and control devices.
Of course, security for embedded
systems is not a new concern. Security
is a major focus throughout this years
Embedded Systems Conference, now
part of DESIGN West. ESC offers two
tracks directly on security and another
on embedded systems disasters, which
will probably touch on the aftermath
of security-related flaws. Also, for the
first time along side ESC, Black Hat is
presenting a one-day version of its
renowned Black Hat Briefings, a series
of technical security conferences that
bring together thought leaders from
the corporate and government sectors
to academic and even underground re-
searchers. On the same day (March
29th) Robert Vamosi, author of When
Gadgets Betray Us: The Dark Side of our
Infatuation with New Technologies, will
examine in his keynote address how, in
the rush to embrace the next new
thing, real concerns about informa-
tion security or personal privacy fall by
the wayside.
I hope to see as many of you as
possible at ESCDESIGN Westfind
out more at www.ubmdesign.com.
Colin Holland
Colin.holland@ubm.com
Colin Holland is the director
of content for Embedded
Systems Design magazine,
Embedded.com, and the
DesignWest and East (which
includes the Embedded
Systems Conferences).
You may reach him at
colin.holland@ubm.com.
INNOVATORS CREATE INTELLIGENT ROBOTS
THAT TRANSFORM MANUFACTURING.
Image supplied by KUKA
When the innovators at KUKA decided to create the foundation for the automation of tomorrow, they decided
to work with Wind River. Building upon the proven reliability and breakthrough performance of our VxWorks and
multi-core platforms, the KUKA team developed their revolutionary KR C4 controllera safer, more powerful,
more exible system that allows all integrated controllers to share a common database and infrastructure. And
by working with Wind River, they did it all with far less risk.
INNOVATORS START HERE.
Please visit http://www.windriver.com/customers to learn more
about how Wind River customers have transformed their devices.
KUKA KR C4
Control system that integrates robot, motion, sequence,
and process control
Built on VxWorks and multi-core operating environments
o
penFlow and Software Defined
Networking exhibit tremendous
promise. (Controlling network
flow with the OpenFlow protocol Daniel
Proch, www.eetimes.com/4235488)! I
hope the open source consortium make
it easier and transparent for small com-
panies and individual like us to get in-
volved, participate, and contribute to its
future success.
Netteligent
Many of the possibilities for network
control described for OpenFlow and
even for existing technologies open
up questions about the motives be-
hind that control. Cable providers
and other ISPs are increasingly get-
ting into providing content, and it is
very easy to see them tilting the table
towards their content and against
competitors (i.e. Netflix). It is also
questionable that centralized control
over all flows works better than a ro-
bust distributed control system. Even
if you argue that centralized control
is necessary to tame rogue data (i.e.
P2P), there is still dependence on
per-packet inspection. Most of these
marking schemes can be spoofed rel-
atively easily. Bottom line, there is
still a lot of work to be done in this
area.
Larry Mittag
I am not sure if vendors like Cisco, Ju-
niper, etc., are really interested in
OpenFlow implementation. Notice,
their routers and switches would per-
form very simple tasksno sophisti-
cated routing/switching any more.
Only simple match-action aproach.
The intelligence is moved to the ex-
ternal manager. New features would
be implemented externally to
router/switches. So their devices
would be easily replaced by any ven-
dor boxes supporting OpenFlow.
bgolab
Stay on target
Although enlightening as always, unfor-
tunately, this story line appears to be
branching away from this topic prema-
turely (Quiet down out there! Jack
Crenshaw, www.eetimes.com/4235490).
Models for Kalman filtering are not
an independent choice that can be
fathomed by examining input/output
data plots. There are two special re-
quirements:
First, the model must be one-step
predictive. Given past and current
data, it must provide a prediction (a
very good one cant hurt!) of what the
next output response will be, given
the next input, but before that new
output is observed.
Second, the model form does not
use x-y past history directly like the
least-squares fitting discussed so far,
but instead, it must reduce past histo-
ry to bare essentials in the form of a
set of state variables (sometimes
without any direct physical interpre-
tation), with model outputs subse-
quently derived from these state vari-
ables, and with new inputs serving to
influence future state variable values.
The key relationships are described
by a matrix of parameters that Ill
call a state matrix for brevity.
Without this matrix model, you cant
calculate the variance propagation
equations, nor Kalman gain correc-
tions to keep the model on-track, and
the ordinary Kalman Filter idea is in
trouble.
Control theory students know
that a state matrix is easily obtained
by looking at the last page of the
homework handout. In real world ap-
plications, however, the problem of
estimating parameter values for the
state matrix is a whole lot harder. I
suspect that most attempts to apply
Kalman filtering are already in trouble
at this point, well before reaching the
less familiar territory of the variance
model. It might be interesting to hear
about difficulties others have had
with this.
I hope that Jack gets back to de-
scribe clear and effective ways to deal
with the tricky model identification
fitting problem, or the rest wont mat-
ter much. Of course, this article was
still just the beginning of the story.
RidgeRat
Open to interpretation
parity bit
Many of the possibilities for
network control described
for OpenFlow and existing
technologies open up ques-
tions about the motives
behind that control.
!
!
!
www.embedded.com | embedded systems design | MARCH 2012 7
center of the engineering universe
designwest
Its incoming fast! For the first time, seven summits including ESC converge
at DESIGN West, creating a burst of expert training and education,
hands-on knowledge exchanges, and the latest products and techniques.
Be here, at the center of the engineering universe.
March 26-29, 2012
McEnery Convention Center
San Jose, CA
Sharpen the skills you need now.
(PEHGGHG+:DQG6:GHVLJQ7RWDOV\VWHPVLQWHJUDWLRQ
3RZHUPDQDJHPHQW2SHQVRXUFHVRIWZDUH$QGURLG
(PEHGGHGVHFXULW\/('VDQGVHQVRUV$QGPRUHNH\WRSLFV
designmed
android
/('V
esc
blackhat
multicore
sensors
center of the engineering universe
Everything you need to know
in one location at one time.
g g
re, at the center
Marc
McEnery C
Sa
p
ngineering univ
2012
on Center
CA
ubmdesign.com
Register
Now
C solution using a construct called a
discriminated union, and examine its
limitations.
AN ILLUSTRATIVE PROBLEM
Suppose you have an application that
employs two-dimensional geometric
shapes, such as circles, rectangles, and
triangles. At a minimum, each shape
object contains some linear or angular
distances sufficient to characterize the
physical extent of the shape. For ex-
ample, a circle has a radius, a rectangle
has a height and a width, and a trian-
gle has two sides and an angle. The
shapes may have common attributes
as well, such a position (planar coordi-
nates), or outline and fill colors.
A fairly traditional C implemen-
tation for a shape is a structure with a
nested union, such as:
typedef struct shape shape;
struct shape {
coordinates position;
color outline, fill;
shape_kind kind;
union {
circle_part circle;
rectangle_part rectangle;
triangle_part triangle;
} u;
};
The union member, u, is large enough to hold the largest
of its members, but it can only store the value of one
member at a time.
In this example, each union member has a different
structure type. For a circle, you need to store only the ra-
dius, as in:
typedef struct circle_part circle_part;
struct circle_part {
double radius;
};
For a rectangle, you need the height and width:
O
ff and on for almost two years,
Ive been writing about tech-
niques for representing and
manipulating memory-mapped de-
vices in C and C++. My more recent
columns have been more about C++
than C, focusing on language fea-
tures such as constructors and new-
expressions, which C++ doesnt
share with C.
1, 2
Some readers have suggested that
the C code I presented is preferable to
the C++ code because the C structure
implementations for devices are gen-
erally simpler than their correspon-
ding C++ class implementations. Last
month, I argued that the C++ imple-
mentations are actually better because
theyre easier to use correctly and
harder to use incorrectly.
Other readers have claimed that
my C++ implementations are flawed
because theyre too simplethey dont use inheritance
and preclude the use of virtual functions.
Classes with virtual functions can be very useful, but
they arent the solution to every problem. Classes that
represent memory-mapped devices, such as the ones Ive
presented, work with real hardware specifically because
they dont use virtual functions. The new C++ Standard
acknowledges the usefulness of such classes by defining
categories such as standard layout classes, which avoid fea-
tures such as virtual functions.
In the coming months, Ill explain what virtual func-
tions are. Ill show why they can be useful in some appli-
cations, but undesirable in classes that represent memory-
mapped device registers. Ill also show you how C++
typically implements virtual functions by showing how
you can emulate them in C.
Ill begin this month by looking at the sort of problem
that virtual functions are good at solving. Ill show a typical
By Dan Saks
Discriminated unions
Dan Saks is president of Saks & Associates, a C/C++
training and consulting company. For more informa-
tion about Dan Saks, visit his website at
www.dansaks.com. Dan also welcomes your feed-
back: e-mail him at dan@dansaks.com.
programming
pointers
www.embedded.com | embedded systems design | MARCH 2012 9
Discriminated unions
can be useful in some
applications, but they
also provide insight into
the advantages of using
virtual functions.
!
!
!
typedef struct rectangle_part rectangle_part;
struct rectangle_part {
double height, width;
};
For a triangle, you need two sides and an adjacent angle:
typedef struct triangle_part triangle_part;
struct triangle_part {
double side1, side2, angle;
};
When the union members have such simple types,
you might find it easier to dispense with the named
structure types and simply define unnamed structures
inside the union, as in:
union {
struct {
double radius;
} circle;
struct {
double height, width;
} rectangle;
struct {
double side1, side2, angle;
} triangle;
} u;
The value of the shapes kind member indicates which
union member is currently in use. The shape_kind type
enumerates the possible values:
enum shape_kind {
sk_circle, sk_rectangle, sk_triangle
};
typedef enum shape_kind shape_kind;
For example, setting a shapes kind member to sk_rec-
tangle indicates that its now OK to access (write to or
read from) the unions rectangle member and its
height and width members.
A union paired with a discrete value that indicates
the active member of the union is called a discriminated
union or a tagged union. Some programming languages
have a similar construct called a variant record. The dis-
crete value is called a discriminator or tag. I prefer the
terms discriminated union and discriminator because tag
already has another meaning in C. The discriminator
typically has an enumeration type, but could have an in-
tegral type.
You can write a small assortment of initialization
functions to properly initialize each kind of shape. For
example:
programming pointers
Listing 1 A function that nds the largest shape in an
array of shapes, using an overt switch statement.
shape const *largest(shape const s[], size_t n) {
shape const *p = NULL;
double max = -1;
size_t i;
for (i = 0; i < n; ++i) {
double area = -1;
switch (s[i].kind) {
case sk_circle:
area = PI * s[i].u.circle.radius
* s[i].u.circle.radius;
break;
case sk_rectangle:
area = s[i].u.rectangle.height
* s[i].u.rectangle.width;
break;
case sk_triangle:
area = sin(s[i].u.triangle.angle)
* s[i].u.triangle.side1
* s[i].u.triangle.side2 / 2;
break;
}
if (area > max) {
max = area;
p = &s[i];
}
}
return p;
}
ANONYMOUS UNIONS
C++ and more recent dialects of C support anony-
mous unions. That is, you can leave the union itself
unnamed and access the union members as if they
were members of the enclosing structure. If you de-
fine the shape structure as:
struct shape {
~~~
union {
circle_part circle;
rectangle_part rectangle;
triangle_part triangle;
}; // union name omitted
};
then you can simplify expressions such as:
s->u.rectangle.height = h;
to just:
s->rectangle.height = h;
My examples dont use anonymous unions be-
cause I tested this code with older C compilers that
dont support them.
10 MARCH 2012 | embedded systems design | www.embedded.com
void rectangle_construct
(shape *s, double h, double w) {
s->kind = sk_rectangle;
s->u.rectangle.height = h;
s->u.rectangle.width = w;
}
initializes a shape as a rectangle with a particular height and
width. You can write similar initialization functions for circle
and triangles. Using these functions, you can create an array
of assorted shapes as follows:
shape sa[4];
~~~
circle_construct(&sa[0], 2);
triangle_construct(&sa[1], 5, 6, asin(0.8));
rectangle_construct(&sa[2], 3, 4);
circle_construct(&sa[3], 3);
Suppose your application needs to determine the shape
with the largest area in a collection of shapes. You can do the
job with the function named largest shown in Listing 1.
Most of the loop body in Listing 1 is a switch statement
that computes the area of a shape. This is arguably a funda-
mental shape operation that would be better packaged as an
operation all by itself:
double shape_area(shape const *s) {
switch (s->kind) {
case sk_circle:
return PI * s->u.circle.radius
* s->u.circle.radius;
case sk_rectangle:
return s->u.rectangle.height
* s->u.rectangle.width;
case sk_triangle:
return sin(s->u.triangle.angle)
* s->u.triangle.side1
* s->u.triangle.side2 / 2;
}
return -1;
}
Using the shape_area function dramatically simplifies the
largest function, as shown in Listing 2.
CORRECTNESS AND MAINTENANCE PROBLEMS
One of the problems with discriminated unions is that it re-
quires a lot of discipline to ensure that you dont access a
union member unless its the currently active member as
indicated by the discriminator. In most cases, this means
you should be scrupulous about wrapping the accesses to
union members inside if- or switch-statements that test the
discriminator.
Unfortunately, nothing in C prevents accidents such as:
case sk_rectangle:
area = s->u.triangle.side1
* s->u.triangle.side2;
~~~
This code will compile and then produce unpredictable, pos-
sibly erroneous, run-time results.
Some languages, such as Ada, have built-in support for
discriminated unions intended to prevent such mishaps. An-
drei Alexandescru showed how you can implement safe dis-
criminated unions in C++ using template metaprogramming
techniques.
3, 4
Another problem with discriminated unions is that they
can easily lead to code thats hard to maintain. For example,
in addition to the shape_area function, your application
might include other shape operations such as
shape_perimeter, shape_resize, or shape_put. Each
function has a similar, if not identical, switch-statement
structure as shape_area. If you add a new shape, or modify
the attributes of an existing shape, you probably have to
change every one of those functions.
Virtual functions provide an alternative to discriminated
unions that are safe, efficient, and often more maintainable.
Ill discuss virtual functions in my upcoming columns.
ENDNOTES:
1. Saks, Dan. Calling constructors with placement new, Embedded Sys-
tems Design, September 2011, p. 9. www.eetimes.com/4219506.
2. Saks, Dan. Using member new to map devices, Embedded.com,
November 2011. www.eetimes.com/4230743.
3. Alexandrescu, Andrei. Discriminated Unions (I), Dr. Dobbs Journal,
April 1, 2002. http://drdobbs.com/184403821.
4. Alexandrescu, Andrei.Discriminated Unions (II), Dr. Dobbs Journal,
June 1, 2002. http://drdobbs.com/184403828.
Listing 2 A function that nds the largest shape in an
array of shapes, using the shape_area function.
shape const *largest(shape const s[], size_t n) {
shape const *p = NULL;
double max = -1;
size_t i;
for (i = 0; i < n; ++i) {
double area = shape_area(&s[i]);
if (area > max) {
max = area;
p = &s[i];
}
}
return p;
}
www.embedded.com | embedded systems design | MARCH 2012 11
o longer is it enough to write robust software. The recent
trend in standards development is to prove that a projects
requirements are fulfilled, even if those requirements have
changed during the course of a projects lifecycle. Require-
ments traceability yields a more predictable outcome at
deployment and responds to an increased demand for
12 MARCH 2012 | embedded systems design | www.embedded.com
sound monitoring and management
techniques during development, par-
ticularly between project phases.
Most requirements traceability
stops short of object code, suggesting
an implied reliance on the faithful ad-
herence of compiled object code to the
intentions expressed by the author of
the source code. This can have critical
consequences, such as putting peoples
lives risk or having a significant impact
on business.
Where an industry standard is en-
forced, a development team will usual-
ly adhere only to the parts of standard
that are relevant to their application.
Object code verification, on the other
hand, ensures that critical parts of an
application are not compromised by
the object code, which in principle is a
desirable outcome for any software
whatever its purpose. However, can ob-
ject code verification be justified as part
of a test regime outside the confines of
its enforcement through the required
adherence to a standardparticularly
in those industries where software fail-
ure brings dire consequences, and yet
standards are less mature.
In this article, I explain why its im-
portant to verify object code and how
its possible to manage requirements so
Tracing requirements
through to object
code verification
cover feature
you can trace them right through to
object-code verification (OCV).
STANDARDS & CERTIFICATIONS
Irrespective of the industry and the
maturity of its safety standards, the
case for software that has been proven
and certified to be reliable through
standards compliance and a require-
ments-traceable process is becoming
ever more compelling.
According to research directed by
the U.S. National Institute of Security
Technology, 64% of software vulnera-
bilities stem from programming errors.
For example, an analysis of 3,140 med-
ical device recalls conducted between
1992 and 1998 by the U.S. Food and
Drug Administration (FDA) revealed
that 242 of the recalls (7.7%) were at-
tributable to software failures. In April
2010, the FDA warned users about
faulty components in defibrillators
manufactured by Cardiac Science
Corp. Unable to remedy the problems
with software patches, Cardiac Science
was forced to replace 24,000 defibrilla-
tors. As a result, Cardiac Sciences
shares were hit; the company reported
a net loss of $18.5 million.
The medical-equipment standard
IEC 62304 is designed specifically to
provide suitable processes to minimize
the likelihood of such problems in
medical devices. Other industries have
similar standards as shown in Table 1.
Although each is tuned to a specif-
ic industry sector, these standards have
much in common. In particular, the
IEC 61508 industrial standard is some-
times used as a basis for other stan-
dards, including all of the others
shown except DO-178B/C.
One example of how this com-
monality of purpose shows itself is in
the use of Safety Integrity Levels. In
each case, a risk assessment is complet-
ed for every software project to assign
the required assessment safety level of
each part of the system. The more de-
manding the safety level, the more rig-
orous and thorough the process and
testing need to be.
REQUIREMENTS MANAGEMENT
AND TRACEABILITY
Requirements traceability is widely ac-
cepted as a development best practice
to ensure that all requirements are im-
plemented and that all development ar-
tifacts can be traced back to one or
more requirements. The automotive in-
dustrys draft standard ISO 26262 re-
quires bidirectional traceability and has
a constant emphasis on the need for the
derivation of one development tier
from the one above it (see sidebar).
While this is a laudable principle,
last minute changes of requirements or
code made to correct problems identi-
fied during test tend to put such ideals
in disarray. Many projects fall into a
pattern of disjointed software develop-
ment in which requirements, design,
implementation, and testing artifacts
are produced from isolated develop-
ment phases. Such isolation results in
tenuous links between requirements,
the development stages, and/or the de-
velopment teams.
Leading safety critical standards and safety integrity levels.
Industry Standard Safety integrity level
Avionics DO-178B (First published 1992) / DO-178C (2012) Level E to Level A
Industrial IEC 61508 (First published 1998, updated 2010) SIL Level 1 to 4
Railway CENELEC EN 50128 (First published 2001) SIL Level 0 to 4
Nuclear IEC 61513 (First published 2001) SIL Level 1 to 4
Automotive ISO 26262 (First published and updated 2011) ASIL A to ASIL D
Medical IEC 62304 (First published 2006) Class A to Class C
Process IEC 61511 (First published 2003) SIL Level 1 to 4
Table 1
MAINTAIN BIDIRECTIONAL TRACEABILITY OF
REQUIREMENTS
The intent of this specific practice is to maintain the bidirectional traceability of re-
quirements for each level of product decomposition. When the requirements are
managed well, traceability can be established from the source requirement to its
lower level requirements and from the lower level requirements back to their
source. Such bidirectional traceability helps determine that all source requirements
have been completely addressed and that all lower level requirements can be
traced to a valid source. Requirements traceability can also cover the relationships
to other entities such as intermediate and final work products, changes in design
documentation, and test plans. Source: ISO 26262
RTM sits at the heart of the project, defining and describing the interaction between the design,
code, test and verification stages of development.
Figure 1
Map requirements
to architecture;
generate defects
Manage requirements;
assign verification and
debug tasks; track defects
Implement requirements;
map to code and verify
design; generate defects
Verifies requirements
against test cases;
generate defects
Model or
design
specification
Software
requirements
and defect
reports
Code base
Requirements
Traceability
Matrix
(RTM)
Test cases
Project managers
Test engineers
Software engineers
Development and
build engineers
www.embedded.com | embedded systems design | MARCH 2012 13
cover feature
The traditional view of software de-
velopment shows each phase flowing
into the next, perhaps with feedback to
earlier phases, and a surrounding
framework of configuration manage-
ment and process (e.g., Agile, RUP).
Traceability is assumed to be part of the
relationships between phases. However,
the reality is that while each individual
phase may be conducted efficiently, the
links between development tiers be-
come increasingly poorly maintained
over the duration of projects.
The answer to this conundrum lies
in Requirements Traceability Matrix
(RTM) as shown in Figure 1, which sits
at the heart of any project even if its
not identified as such. Whether the links
are physically recorded and managed or
not, they still exist. For example, a devel-
oper creates a link simply by reading a
design specification and uses that to
drive the implementation.
This alternative view of the develop-
ment landscape illustrates the impor-
tance that should be attached to the
RTM. Due to this fundamental centrali-
ty, its vital that project managers place
sufficient priority on investing in tooling
for RTM construction. The RTM must
also be represented explicitly in any life-
cycle model to emphasise its importance,
as Figure 2 illustrates. With this elevated
focus, the RTM is constructed and main-
tained efficiently and accurately.
When the RTM becomes the center
of the development process, it has an
impact on all stages of design from high-
level requirements through to target-
based deployment and OCV.
The Tier 1 high-level requirements
might consist of a definitive statement of
the system to be developed. This tier
may be subdivided depending on the
scale and complexity of the system.
Tier 2 describes the design of the
system level defined by Tier 1. Above all,
this level must establish links or trace-
ability with Level 1 and begin the
process of constructing the RTM. It in-
volves the capture of low-level require-
ments specific to the design and imple-
mentation and that have no impact on
the functional criteria of the system.
Tier 3s implementation refers to the
source/assembly code developed in ac-
cordance with Tier 2. Verification activi-
ties include code rule checking and qual-
ity analysis. Maintenance of the RTM
presents many challenges at this level, as
tracing requirements to source code files
may not be specific enough and devel-
opers may need to link to individual
functions. In many cases, the system is
likely to involve several functions. Trace-
ability of those functions back to Tier 2
requirements includes many-to-few re-
lationships. Its very easy to overlook
one or more of these relationships in a
manually-managed matrix.
In Tier 4 host-based verification,
formal verification begins. Using a test
The requirements traceability matrix (RTM) plays a central role in a development lifecycle model.
Artifacts at all stages of development are linked directly to the requirements matrix. Changes within
each phase automatically update the RTM so that overall development progress is evident from
design, coding, and test through to object code verification at the 6th tier.
Figure 2
Graphics to high-level
requirements
Low-level to
high-level
requirements
Low-level requirements
to code
Code and quality
review defects
Test cases to
low-level
requirements
Test cases to
low-level
requirements
Tier 1
Tier 2
Tier 3
Tier 4
Tier 5
high-level
requirements
Implementation
(source/assembly code)
Host
Target
Requirements Traceability Matrix
Requirements Traceability Matrix
Requirements Traceability Matrix
Requirements Traceability Matrix
model/
design concepts
Legacy/
hand code
Software
specs
Static and
dynamic
analysis
Automated
test
Object code to
source code
Tier 6
Object code verification
Requirements Traceability Matrix
Automated
test
Listing 1
void f_while4( int f_while4_input1, int f_while4_input2 )
{
int f_while4_local1, f_while4_local2 ;
f_while4_local1 = f_while4_input1 ;
f_while4_local2 = f_while4_input2 ;
while( f_while4_local1 < 1 || f_while4_local2 > 1 )
{
f_while4_local1 ++ ;
f_while4_local2 ;
}
}
Listing 2
1 void
1 f_while4 (
1 int f_while4_input1 ,
1 int f_while4_input2 )
1 {
1 int
1 f_while4_local1 ,
1 f_while4_local2 ;
1 f_while4_local1 = f_while4_input1 ;
1 f_while4_local2 = f_while4_input2 ;
-
2 while
2 (
2 f_while4_local1 < 1
2 ||
-
3 f_while4_local2 > 1
-
4 )
-
5 {
5 f_while4_local1 ++ ;
5 f_while4_local2 ;
5 }
-
6 }
14 MARCH 2012 | embedded systems design | www.embedded.com
strategy that may be top-down, bottom
up, or a combination of both, software
simulation techniques help create auto-
mated test harnesses and test-case gen-
erators as necessary. Test cases should be
repeatable at Tier 5 if required.
At this stage, we confirm that the
software is functioning as intended
within its development environment,
even though there is no guarantee it will
work when in its target environment.
However, testing in the host environ-
ment first allows the time-consuming
target test to confirm that the tests re-
main sound in the target environment.
Tier 5s target-based verification
represents the on-target testing element
of formal verification. This frequently
consists of a simple confirmation that
the host-based verification performed
previously can be duplicated in the tar-
get environment, although some tests
may only be applicable in that environ-
ment itself.
Tier 6 takes the target-based work a
stage further, to tie in the comparison of
the object and source code as part of the
RTM and an extension to it.
OBJECT CODE VERIFICATION
The aerospace DO-178B standard
(6.4.4.2 Structural Coverage Analysis)
defines OCV as:
The structural coverage analysis may
be performed on the source code, unless
the software is Level A and the compiler
generates object code that is not directly
traceable to source code statements.
Then, additional verication should be
performed on the object code to estab-
lish the correctness of such generated
code sequences. A compiler-generated
array bound check in the object code is
an example of object code that is not di-
rectly traceable to the source code.
Object code verification hinges on
how much the control flow structure of
the compiler-generated object code dif-
fers from that of the application source
code from which it was derived.
cover feature
www.embedded.com | embedded systems design | MARCH 2012 15
Listing 3
39 _f_while4:
40 push fp
41 ldiu sp,fp
42 addi 2,sp
43 ldi *-fp(2),r0 ; |40|
44 ldiu *-fp(3),r1 ; |41|
45 sti r0,*+fp(1) ; |40|
46 sti r1,*+fp(2) ; |41|
47 ble L3 ; |43| New test 2
48 ;* Branch Occurs to L3 ; |43|
49 ldiu r1,r0
50 cmpi 1,r0 ; |43|
51 ble L5 ; |43|
52 ;* Branch Occurs to L5 ; |43| New test 3
53i
54 L3:
55 ldiu 1,r0 ; |45|
56 ldiu 1,r1 ; |46|
57 addi *+fp(1),r0 ; |45|
58 subri *+fp(2),r1 ; |46|
59 sti r0,*+fp(1) ; |45|
60 cmpi 0,r0 ; |43|
61 sti r1,*+fp(2) ; |46|
62 ble L3 ; |43| New test 1
63 ;* Branch Occurs to L3 ; |43|
64 ldiu r1,r0
65 cmpi 1,r0 ; |43|
66 bgt L3 ; |43|
67 ;* Branch Occurs to L3 ; |43|
68
69 L5:
70 ldiu *-fp(1),r1
71 bud r1
Free Evaluation Kits: www.smxrtos.com/eval
Free Demos: www.smxrtos.com/demo
Save time and money with embedded
software solutions built to run right out of
the box. Get development started quickly,
with no integration required and full support
for popular tools. With Micro Digital you have
low-cost, no-royalty licensing, full source
code, and direct programmer support. So
get your project off to a great start. Visit us
at www.smxrtos.com today.
Your solution
is here.
www.smxrtos.com
R T O S I N N O V A T O R S
ARM Cortex ColdFire PowerPC x86 IAR EWARM CrossWorks GCC CodeWarrior
Object code control flow versus source
code control flow: Consider the very
simple source code in Listing 1. This C
code can be demonstrated to achieve
100% source code coverage by means of
a single call:
f_while4(0,3);
and can be reformatted to a single oper-
ation per line (shown in Listing 2).
The prefix for each of these reformat-
ted lines of code identifies a basic
blockthat is, a sequence of straight line
code. The resulting flow chart for the
function shows both the structure of the
source code and the coverage attained by
such a test case with the basic blocks iden-
tified on the flow chart nodes (Figure 3).
The object code generated by a com-
piler will depend on the optimization
setting, the compiler vendor, the target,
and a host of other issues. Listing 3
shows just one example of resulting (re-
formatted) assembler code generated by
a widely-used, commercially available
compiler with optimization disabled.
The flow chart looks quite different
for the assembler codeand using the
identical test case generates a quite differ-
ent flow graph both in terms of appear-
ance and in terms of coverage (Figure 4).
Its clear from the flow chart and the
assembler code that more tests are neces-
sary to achieve 100% code coverage.
= + + + f t ft ft ft
0.5
= F
T
r
1.4
ln(
4
)
= C
l
h
d
5.08ln(
4
) = L
h
d
15.6 (ln(
8
) 2) = H x
x
d
Never connect a logic
analyzer to a circuit
unless youve thought
through the probe imped-
ance issues.
But it gets worse . . .
!
!
!
Get current,
without the hassle.
Design News is a registered trademark of UBM plc 2012
REGISTER AT
DesignNews.com/dkcec
With Digi-Keys Continuing Education Center, catch up to 180 days of free,
interactive courses engineered by Design News, starting January 2012.
Build your engineering know how. Take one or all. Its your choice.
Tracks include: Microcontrollers Basic, Microcontrollers Advanced, MEMS Sensor
Technology, Lighting, Embedded Internet and Cloud, Wirelesss, and Power.
@DigiKeyCEC
Digi-Key Continuing Education Center
FOLLOW US
A full featured development solution
for all ARM Powered
platforms.
1-800-348-8051
www.arm.com/ds5
Leading Embedded
Development Tools