3. Tool Analysis

3.1. Potential Errors

3.1.1. Installation

Error identifier | Use case | Description | Risk | Mitigation
ERR_INSTALL_01 | UC0_INST | Ferrocene was not correctly installed | Undefined behavior | AVD_CHECK_INSTALL_001

3.1.2. Rust Driver

Error identifier | Use case | Description | Risk | Mitigation
ERR_DRIVER_02 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An environment variable used by the toolchain is set to an incorrect value | Undefined behavior | AVD_CHECK_CLEAN_ENV_002
ERR_DRIVER_03 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An invalid option is passed | Undefined behavior | AVD_CHECK_BUILD_SCRIPT_003
ERR_DRIVER_04 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Error diagnostics are not correctly emitted | Undefined behavior | AVD_CHECK_BUILD_SCRIPT_003 AND AVD_TEST_007
ERR_DRIVER_05 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The output is generated with parts missing | Wrong code | AVD_CHECK_BUILD_SCRIPT_003
ERR_DRIVER_06 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The behavior is incorrect because of concurrent modification | Undefined behavior | AVD_PARALLEL_BUILD_006
ERR_DRIVER_07 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | A warning is generated instead of an error | Undefined behavior | AVD_WARNING_AS_ERROR_005
ERR_DRIVER_08 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The compilation behaves incorrectly | Wrong code | AVD_TEST_007
ERR_DRIVER_09 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An incomplete input is accepted, leading to undefined behavior | Undefined behavior | AVD_TEST_007
ERR_DRIVER_10 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Some object files are silently not generated | An artifact from a previous build is used | AVD_CLEAN_004

3.1.3. Rust Front-End

Error identifier | Use case | Description | Risk | Mitigation
ERR_RUST_FE_11 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Input has invalid contents | Invalid code generated | AVD_TEST_007
ERR_RUST_FE_12 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Error diagnostics are invalid | Invalid code generated | AVD_WARNING_AS_ERROR_005
ERR_RUST_FE_13 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Invalid output generated from valid input | Invalid code generated | AVD_TEST_007
ERR_RUST_FE_14 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The behavior is incorrect because of concurrent modifications | Invalid code generated | AVD_PARALLEL_BUILD_006
ERR_RUST_FE_15 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Invalid input is accepted | Undefined behavior | AVD_TEST_007
ERR_RUST_FE_16 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An incorrect number of inputs is accepted | Undefined behavior | AVD_CHECK_BUILD_SCRIPT_003

3.1.4. LLVM

Error identifier | Use case | Description | Risk | Mitigation
ERR_LLVM_17 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Input parameter has an invalid value | Most likely LLVM will crash; invalid code could also be generated | AVD_TEST_007
ERR_LLVM_18 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An object file is invalid | Invalid code generated | AVD_CHECK_BUILD_SCRIPT_003
ERR_LLVM_19 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An object file or static library is not correctly translated to machine code | Undefined behavior | AVD_TEST_007
ERR_LLVM_20 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The behavior is incorrect because of concurrent modifications | Invalid code generated | AVD_PARALLEL_BUILD_006
ERR_LLVM_21 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An object file or static library exposes additional symbols | Internal functionality might become callable from the outside | AVD_TEST_007
ERR_LLVM_22 | UC1_RLIB, UC2_STATICLIB, UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Output does not contain the expected variables or functions | Invalid code generated | AVD_CHECK_CLEAN_ENV_002 AND AVD_CLEAN_004 AND AVD_TEST_007

3.1.5. Linking

Error identifier | Use case | Description | Risk | Mitigation
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Invalid input is accepted | Undefined behavior | AVD_CHECK_BUILD_SCRIPT_003
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Invalid executable or library produced | Undefined behavior | AVD_TEST_007
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | The behavior is incorrect because of concurrent modifications | Undefined behavior | AVD_PARALLEL_BUILD_006
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An incorrect number of inputs is accepted | Undefined behavior | AVD_CHECK_BUILD_SCRIPT_003
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | An input is missing | Invalid code generated, but it won't run | AVD_CHECK_INSTALL_001
 | UC3_EXEC, UC4_EXEC_RLIB, UC5_EXEC_CLIB | Error diagnostics are not emitted | Invalid or missing code that the user does not detect may be linked against in a subsequent stage | AVD_TEST_007

(The linking rows carry no error identifiers in this version of the table.)

3.2. Detection Measures and Usage Restriction

Measure identifier | Description
AVD_CHECK_INSTALL_001 | The toolchain installation shall be checked in order to ensure the validity of the build results.
AVD_CHECK_CLEAN_ENV_002 | The user must verify that the environment variables used by the toolchain are correctly set.
AVD_CHECK_BUILD_SCRIPT_003 | The user must verify that the list of build actions is correct.
AVD_CLEAN_004 | Before building, the user must ensure that the build environment is clean of former compilation artifacts.
AVD_WARNING_AS_ERROR_005 | All warnings shall be treated as errors; the build must NOT display any warning.
AVD_PARALLEL_BUILD_006 | Concurrent file updates during the build operations are prohibited.
AVD_TEST_007 | Testing must be performed on the final application or libraries, or on any parts built, using an environment as close as possible to the final build.
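The measures above are stated as obligations on the user. The following shell script is an added illustration, not part of Ferrocene or of this report, of how a build script can turn AVD_CHECK_INSTALL_001, AVD_CHECK_CLEAN_ENV_002, AVD_CLEAN_004, AVD_WARNING_AS_ERROR_005 and AVD_PARALLEL_BUILD_006 into mechanical checks, and adds a post-link export check for the ERR_LLVM_21 and ERR_LLVM_22 risks of section 3.1.4. The compiler command `rustc`, the list of sensitive environment variables, the `-D warnings` flag, the use of GNU `nm`, the lock-directory convention and the allowlist file format are assumptions made for this example, not requirements taken from the report.

```shell
#!/bin/sh
# Added example (not Ferrocene's own tooling): a pre-build gate that scripts the
# AVD_* measures of section 3.2, plus an export check for ERR_LLVM_21/22.
# Assumptions: the qualified compiler is invoked as `rustc`, the user recorded
# the exact `rustc --version` line of the qualified installation, and GNU nm
# is available for the symbol check.

# AVD_CHECK_CLEAN_ENV_002: variables that silently change what rustc does.
# Illustrative list; extend it with whatever the user's build honours.
SENSITIVE_VARS="RUSTFLAGS RUSTC RUSTC_WRAPPER RUSTC_BOOTSTRAP CARGO_ENCODED_RUSTFLAGS"

# Returns 1 and names the offenders if any sensitive variable is set, even to "".
check_clean_env() {
    rc=0
    for v in $SENSITIVE_VARS; do
        eval "flag=\${$v+set}"
        if [ -n "$flag" ]; then
            echo "ERR_DRIVER_02: $v is set; unset it before building" >&2
            rc=1
        fi
    done
    return $rc
}

# AVD_CHECK_INSTALL_001: the compiler actually on PATH must be the qualified one.
# $1 = compiler command, $2 = expected `--version` line recorded at install time.
check_install() {
    actual=$("$1" --version 2>/dev/null) || actual="<not found>"
    if [ "$actual" != "$2" ]; then
        echo "ERR_INSTALL_01: expected '$2', got '$actual'" >&2
        return 1
    fi
    return 0
}

# AVD_CLEAN_004: start from an empty output directory so that no stale object
# file from an earlier build (ERR_DRIVER_10) can be picked up silently.
clean_build_dir() {
    rm -rf "$1" && mkdir -p "$1"
}

# AVD_PARALLEL_BUILD_006: one build per output directory. mkdir is atomic, so a
# second caller fails instead of racing the first one's file updates.
acquire_build_lock() { mkdir "$1.lock" 2>/dev/null; }
release_build_lock() { rmdir "$1.lock"; }

# AVD_WARNING_AS_ERROR_005: rustc gets `-D warnings`, but the linker and other
# stages do not honour it, so the captured log is scanned as well.
# $1 = log file; prints the number of warning lines found (0 when clean).
count_warnings() {
    grep -c -E '^([^:]+: )?warning: ' "$1" || true
}

# ERR_LLVM_21 / ERR_LLVM_22: compare the symbols a static library exports with
# an allowlist. $1 = output of `nm -g --defined-only` ("<addr> <type> <name>"
# lines, archive and member headers are skipped), $2 = one allowed name per line.
# Returns 1 if a symbol is exported that is not allowed, or an allowed one is missing.
check_exports() {
    rc=0
    exported=$(awk 'NF >= 3 { print $3 }' "$1" | sort -u)
    for sym in $exported; do
        grep -q -x -F "$sym" "$2" || { echo "ERR_LLVM_21: unexpected export $sym" >&2; rc=1; }
    done
    while IFS= read -r want; do
        [ -z "$want" ] && continue
        echo "$exported" | grep -q -x -F "$want" || { echo "ERR_LLVM_22: missing export $want" >&2; rc=1; }
    done < "$2"
    return $rc
}

# Whole gate for a UC2_STATICLIB-style build: $1 = output dir, $2 = expected
# `rustc --version` line, $3 = crate root, $4 = export allowlist file.
run_qualified_build() {
    out="$1"; expected="$2"; root="$3"; allow="$4"
    check_install rustc "$expected" || return 1
    check_clean_env || return 1
    acquire_build_lock "$out" || { echo "ERR: another build owns $out" >&2; return 1; }
    clean_build_dir "$out"
    if rustc -D warnings --crate-type staticlib --out-dir "$out" "$root" > "$out/build.log" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    release_build_lock "$out"
    [ "$rc" -eq 0 ] || { echo "build failed, see $out/build.log" >&2; return 1; }
    [ "$(count_warnings "$out/build.log")" -eq 0 ] || { echo "AVD_WARNING_AS_ERROR_005 violated, see $out/build.log" >&2; return 1; }
    nm -g --defined-only "$out"/*.a > "$out/exports.nm"
    check_exports "$out/exports.nm" "$allow"
}

# Usage: sh build_gate.sh run <outdir> "<recorded rustc --version line>" lib.rs exports.txt
if [ "${1:-}" = "run" ]; then
    shift
    run_qualified_build "$@"
fi
```

Each check maps to one row of the tables above, which is what an assessor will ask for: the script refuses to build when the compiler on PATH is not the recorded one, when a sensitive variable is set at all (an empty RUSTFLAGS is still a deviation), when a previous build still holds the lock, and after the build when any stage printed a warning or the library exports a symbol that the allowlist does not name. It does not replace AVD_TEST_007, which remains testing of the built artifact itself.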

3.3. Potential Errors by Classes Traceability Matrix

The potential errors listed above are the result of the HazOp analysis; they are to be documented in the HazOp Report documents.

3.4. Tool Evaluation Results

During this analysis, we highlighted some of the potential errors concerning Ferrocene that impact the safety-related software code. Hence, the tool impact is TI2.

Moreover, this analysis shows that the likelihood of detecting these potential errors is very low. Therefore, the tool error detection class is TD3.

Using clause 11.4.5.4 in part 8 of the [ISO-26262:2018] standard, we can conclude that in the worst case the Tool Classification Level is TCL3 and therefore we choose the following qualification methods:

  • 1b. Evaluation of the tool development process in accordance with 11.4.8

  • 1c. Validation of the software tool in accordance with 11.4.9

According to clause 11.4.2 in part 8 of the [ISO-26262:2018] standard, this choice depends on the user’s software development life-cycle and their validation strategy. The user has the responsibility to determine whether this level, or a better one, is applicable.

3.5. IEC 61508 Tool Classification

Ferrocene provides a development environment capable of compiling and linking programs for the target architecture in conformance with the automotive [ISO-26262:2018] TCL 3/ASIL D level and the industrial [IEC-61508:2010] tool class T3, the class for tools whose outputs directly or indirectly contribute to the executable code of the safety-related system.