Managing Compiler Errata

Abstract

Ensuring the reliability and safety of functional safety-related software necessitates effective management of compiler errata. Compiler issues can significantly compromise software integrity, making it essential to monitor and mitigate these risks throughout the product lifecycle. This article explores various strategies and tools for managing compiler errors, evaluating their effectiveness in terms of quality-of-results (QoR) and associated costs.

Problem definition

Although generally reliable, compilers are not without flaws. Issues typically emerge in corner cases and may not always affect the behavior of the compiled software. However, for software that must comply with functional safety standards, it is essential to demonstrate that the software is unaffected by these issues or to update the software accordingly. When software is developed by multiple parties and deployed across numerous devices, updates can be extremely costly. Therefore, constructing a compelling argument that the software remains unaffected by compiler issues can be a more economical solution.

Managing compiler errata

The first step in managing compiler errata is to mitigate the risk of being affected by compiler issues. This can be achieved by adhering to methods outlined in functional safety standards such as ISO 26262, DO-178C, and IEC 61508. Key strategies include: using a certified compiler and ensuring that your use case is compatible with a qualified use case, following coding guidelines such as MISRA or CERT C and utilizing static analysis tools, and considering potential compiler errors during safety and security analysis.

In addition to applying these risk reduction measures, it is important to track compiler errata also after a product has been released. Regularly review the compiler’s published errata or known issue list and apply vendor-recommended mitigations, which can include compiler-specific workarounds or updates. Once a product is in the field, close collaboration with the compiler vendor is necessary for support and insights on whether errata affect your software.

Compiler errata databases

All commercial and open-source compiler suppliers track issues using a database. For an example GCC Bugzilla is a resource where you can find bug reports. If you take a closer look you may conclude that tracking such a large number of issues can be challenging for organizations.

Compiler vendors targeting the FuSa domain analyze and classify known issues based on the relative risk they pose to the compiled software’s behavior. Only issues that could cause misbehavior in the compiled software need to be tracked.

A typical bug report includes a description of the conditions under which the bug manifested and a reference to the compiler version used. Once the compiler supplier has analyzed the bug additional information is added such as, the current status of the bug, the versions of the compiler that are affected by the bug, ways to mitigate or work around the issue, and the version in which the bug is solved.

To help in understanding the nature and impact of compiler bugs, they can be classified into several categories:

Miscompilation Bugs occur when the compiler generates incorrect code from valid input. This can be due to flawed optimizations, inadequate safety checks, or unsound static analyses.
Crash Bugs cause the compiler to crash during the compilation process.
Silent Bugs introduce errors in the compiled code that are difficult to detect because they don’t cause immediate failures. Examples include concurrency bugs and memory leaks.
Workaround Bugs are bugs that programmers can bypass using temporary fixes or workarounds until the bugs are officially resolved.

This article focuses on miscompilation and silent bugs caused by code generation, optimization, and linking errors, as these pose a high risk of causing the compiled software to malfunction. Examples include register allocation bugs, incorrect loop transformations, faulty intraprocedural optimizations, and erroneous dead code elimination.

The challenge with these bugs is that it’s often impossible to identify all software constructs that could trigger them from the issue description alone. While coding standards and static analysis tools aim to keep source code complexity low, complexity increases significantly at the intermediate language level used internally by compilers once optimizations are applied. Additionally, a bug in a specific optimization phase may have its root cause in an analysis phase, such as alias analysis, which is used by other optimization phases. Therefore, even for the compiler engineer fixing the bug, it can be impossible to describe all potential source code constructs triggering the bug. This underlying complexity negatively impacts the quality of results of most methods for verifying whether software is affected by a compiler bug.

Methods for verifying whether software is affected by compiler issues

In the automotive industry, various methods are employed to systematically detect whether software is affected by known compiler bugs. The initial step involves understanding the errata by examining their descriptions, which include the affected compiler versions and specific software constructs or patterns that trigger the bug. This assessment helps determine if the errata apply to your project.

To perform this activity effectively, a certain level of expertise in the C language, the target architecture, and Functional Safety (FuSa) aspects of the user software is required. The efficiency and effectiveness of this activity largely depend on the quality of the bug report provided by the compiler supplier.

Often, a static analysis tool is used to identify constructs in the source code that match patterns described in the errata. If the errata describe a particular source code construct, grep-like tools or more advanced equivalence checkers can be used to locate occurrences of problematic constructs in the codebase. However, the results of this activity are often disappointing because the issue description typically shows one specific code fragment causing the issue. What is needed is a generic description of the root cause of the issue and how this root cause propagates to the C source language level. Such detailed issue descriptions are rarely provided in bug reports and are often difficult to develop for the class of bugs addressed in this article.

If the compiler vendor provides a specific diagnostic or mitigation for an issue, it is relatively straightforward to apply these solutions during the software development phase. However, once the software has been released, it is generally not feasible to use the mitigation to determine if the software is affected by the issue. Only when the effects of a mitigation are fine-grained can a subsequent binary inspection of the assembly or binary file be successfully performed in practice.

Code instrumentation, which involves inserting logging or assertions around areas suspected of being affected by the errata, presents several challenges. Often, the issue description lacks sufficient detail to identify all the areas that require instrumentation. Additionally, this method is intrusive and can adversely affect the software’s timing behavior, leading to low-quality outcomes and high costs.

Formal verification of whether the semantics of the source code match the instructions in the binary file is feasible today, but with the current state of the technology, it can only be successfully applied to small code bases. For large code bases, one must limit oneself to verifying safety-critical code sections only.

Compiler vendors targeting the FuSa domain may offer bug-checking compilers. These tools function like standard compilers but generate a diagnostic message pinpointing the locations in the user’s source code that trigger the compiler bug. Typically, these bug-checking compilers are available only upon customer request and to those who have this service included in their support contract. However, some vendors like TASKING offer bug-checking compilers as supplemental products to their standard compilers. These compiler vendor-specific tools typically provide the highest quality results.

FuSa standards provide detailed, safety level-dependent requirements for verification and test processes. However, during the initial development of the software, the verification activities did not reveal any problems caused by compiler issues that were unknown at that time but emerged after the software’s release. This raises the question: were the applied verification activities insufficient, or is the software genuinely unaffected by the newly identified compiler issue? To answer this question, special attention must be given to tests that exercise the constructs mentioned in the errata. If there are doubts about the completeness of the test set, specific test cases mimicking the scenarios described in the errata could be developed, and the alternative methods outlined in this section should be applied.

In the remainder of this article, we explore using existing ASIL-compliant test sets in combination with a bug-checking compiler to verify whether software is affected by compiler issues.

Using a Bug-checking compiler (Inspector tool)

A bug-checking compiler is a specialized type of compiler designed to identify and diagnose bugs in software. These tools execute quickly, making them suitable for analyzing large code bases. Unlike standard compilers, which translate code from a high-level programming language to machine code, bug-checking compilers include detectors that identify code constructs in the user’s software that trigger known compiler bugs. This helps developers quickly understand and address issues. The largely automated analysis phase reduces the need for manual inspection, significantly increasing the efficiency of identifying bugs.

TASKING provides a bug-checking compiler called the “Inspector tool” alongside their standard compilers. This tool is capable of identifying most known issues. Below is an excerpt from the TASKING Issue Portal, which lists known bugs and indicates whether a detector is available in the Inspector tool to analyze if the user’s software is affected by the bug. There are limitations on whether an inspector is provided. Issues not in scope include SIL‑1 issues, as they do not pose a FuSa risk, issues not detectable statically at compile time, and library issues, as most are identifiable only at execution time. Generally speaking, for most miscompilation and silent bugs, a detector is available.

*Figure 1, Excerpt of TASKING Issues Portal*

Integrating a bug-checking compiler into the software development workflow is straightforward. For TASKING’s Inspector tool, this involves configuring the build system to use the Inspector instead of the standard compiler. Both tools support the same command line options, with additional options in the Inspector to enable or disable specific detectors for which fixes have already been provided. Ideally the bug-checking compiler is integrated into the continuous integration (CI) pipeline ensuring that every code change is automatically checked for known compiler bugs, maintaining software integrity throughout its lifecycle.

Diagnostics provided by a bug-checking compiler can be classified into two categories:

Definite Impact: The user software, at the point described in the diagnostic, is definitely affected by the compiler errata, with no false positives.
Potential Impact: The user software, at the point described in the diagnostic, is potentially affected by the compiler errata, with possible false positives.

Reviewing diagnostic messages is crucial.

Dealing with definite diagnostics is straightforward. The user is informed about the exact location in the software where the bug impacts the correctness of the generated compiler output. The mitigation field of the errata describes the actions to mitigate the effects of the bug. Based on this information, the user must assess whether the implications of the bug necessitate an update to the software.

Dealing with potential detections can be more challenging, depending on the number of false positives. If the number is low, each diagnostic message can be assessed individually. If the number is high, this may become troublesome. However, the bug-checking compiler is the most state-of-the-art tool for detecting whether software is affected by a compiler bug. Therefore, the best way forward is to first demonstrate that the number of false positives is high to gain a level of confidence that the software is unaffected by the compiler bug, and combine that evidence with the results of the FuSa standard ASIL-compliant verification and tests requirements that apply to the software.

After modifying the software, conduct FuSa standard-compliant verification and testing to ensure the fixes have resolved the identified issues.

State of the Art – Quality Assurance

TASKING’s Inspector tool is developed by the same engineering team that created the compiler, using the same processes. This ensures a deep understanding of the compiler’s design and adherence to process maturity standards such as ASPICE.

The implementation of a bug-checking compiler mirrors that of the associated compiler, with additional code – called detectors – to issue diagnostic messages when the root cause of a bug is detected. These detectors must be non-intrusive and shall not alter the internal state of the compiler as this would compromise the reliability of the tool.

To verify non-intrusiveness, the bug-checking compiler inherits the test suites of the compiler. Under test conditions, the bug-checking compiler can generate binary code. The binary code generated by the bug-checking compiler should be identical to the code generated by the associated compiler. This test ensures that the diagnostics implemented in the bug-checking compiler do not affect its internal state.

Per detector, additional tests are developed to verify that diagnostic messages are issued when required.

Additionally, the Inspector tool is used to verify whether the libraries that are shipped with the compiler are impacted by a compiler bug.

Tool Confidence Level Argument

The Inspector tool is used in projects that must comply with safety standards, such as ISO 26262. The associated tool qualification process is depicted in Figure 1.

*Figure 2, ISO 26262 Tool Qualification Process*

The Tool Impact level (TI) of a bug-checking compiler is TI2, as there is a possibility that a malfunction of the tool could fail to detect errors in a safety-related item or element.

When selecting the appropriate Tool Error Detection (TD) level, the user’s verification process must be considered. According to ISO 26262, TD1 should be selected if there is a high degree of confidence that a malfunction and its corresponding outputs will be prevented or detected. Since the tool is typically deployed in projects with high ASILs, the user’s development and verification processes comply with the stringent requirements of such projects, ensuring a high level of confidence that errors are detected by the default verification process. The Inspector tool is used to complement the user’s verification process, therefore TD1 applies.

As a consequence, the Tool Confidence Level is TCL1, meaning that no qualification methods are required.

Conclusion

Managing compiler errata is essential for ensuring the reliability and safety of functional safety-related software throughout its lifecycle. Advanced bug-checking tools, such as TASKING’s Inspector, offer state-of-the-art solutions for detecting whether compiler bugs compromise the integrity of the user’s software. Since bugs can be discovered at any time, it is crucial that these tools are continuously updated.

By utilizing tools like Inspector, the errata management process becomes largely automated, significantly reducing the need for manual intervention and leading to substantial cost savings.

Authors

Peter Himler, Gerard Vink, both part of TASKING’s Business Development and Innovation team.

German version available here.

Start your trial