Assumptions of Use

Communication Assumptions of Use
status: valid | security: NO | safety: ASIL_B

Monotonic Semi-Dynamic Memory Allocation
status: valid | security: NO | safety: ASIL_B
It shall be ensured that enough memory is configured for the shared memory instances, so that LoLa can perform all necessary allocations (e.g. a push-back on a vector).

Correctly Configured Maximum Number of Subscribers
status: valid | security: NO | safety: ASIL_B
It shall be ensured that the correct maximum number of subscribers is configured for each event of each service instance.

Correctly configured maximum number of elements per subscriber
status: valid | security: NO | safety: ASIL_B

Correctly configured ASIL Level
status: valid | security: NO | safety: ASIL_B

Only LoLa supported types
status: valid | security: NO | safety: ASIL_B
It shall be ensured that only types supported by LoLa are transmitted.

No APIs from Implementation Namespace
status: valid | security: NO | safety: ASIL_B
It shall be ensured that no API calls from the implementation namespace (e.g. impl) are invoked directly and that no types from within it are used directly.

No guarantees for notifications
status: valid | security: NO | safety: ASIL_B
It shall be ensured that misbehaving event notification will not harm a safety goal.

Checking for possible message overflow
status: valid | security: NO | safety: ASIL_B
It shall be ensured that a message overflow, which results in message loss, will not harm a safety goal. If this cannot be ensured, a check for message overflow must be performed and the necessary actions taken.

Different user for ASIL and QM processes
status: valid | security: NO | safety: ASIL_B
It shall be ensured that processes with different ASIL levels are executed under different user IDs.

Config on a safe filesystem
status: valid | security: NO | safety: ASIL_B
It shall be ensured that any configuration item read at runtime by LoLa is stored on a safety-certified filesystem (certified according to the highest supported safety level).

No static context support
status: valid | security: NO | safety: ASIL_B
It shall be ensured that LoLa is not used from a static context in C++.

No guarantee in availability of services
status: valid | security: NO | safety: ASIL_B
It shall be ensured that no safety goal is harmed if a service instance is not found.

No notification on termination of producer
status: valid | security: NO | safety: ASIL_B
It shall be ensured that termination of a producer (either gracefully or due to a malfunction) will not lead to a violation of a safety goal.

Check for nullptr on Allocate()
status: valid | security: NO | safety: ASIL_B
It shall be checked whether Allocate() on an event returns a nullptr. If a nullptr is returned, the system shall transition to a safe state.

One producer only one AllocateePtr
status: valid | security: NO | safety: ASIL_B
It shall be ensured that a producer instance holds at most one AllocateePtr per event at any time.

No Copy-Send() while holding AllocateePtr
status: valid | security: NO | safety: ASIL_B
It shall be ensured that Send(const& value) is not invoked while an AllocateePtr is held.

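The three preceding assumptions (nullptr check on Allocate(), one AllocateePtr per producer and event, no copy-Send() while an AllocateePtr is held) are obligations on the application, not behaviour the middleware enforces. The following C++ example is added here and is not LoLa/mw::com code: it sketches a hypothetical producer-side guard that enforces the three rules at runtime against a constructed stand-in for a skeleton event. MockSkeletonEvent, GuardedProducer and RunScenario are assumed names; the real mw::com types and signatures differ.

```cpp
#include <cstddef>
#include <vector>

struct Sample { int value; };

// Constructed stand-in for a LoLa skeleton event (hypothetical, not the mw::com API).
// Samples live in a fixed pool; a slot stays in use after Send() until the consumer
// side releases it, so the pool can run dry and Allocate() then returns nullptr.
class MockSkeletonEvent {
 public:
  explicit MockSkeletonEvent(std::size_t slots) : pool_(slots), in_use_(slots, false) {}

  Sample* Allocate() {
    for (std::size_t i = 0; i < pool_.size(); ++i) {
      if (!in_use_[i]) { in_use_[i] = true; return &pool_[i]; }
    }
    return nullptr;  // pool exhausted: the case the AoU requires the caller to check
  }
  void Send(Sample* slot) { sent_.push_back(slot->value); }        // zero-copy send of a held slot
  void Send(const Sample& value) { sent_.push_back(value.value); }  // copy-send
  void ReleaseByConsumer(std::size_t i) { in_use_[i] = false; }     // consumer drops its SamplePtr
  const std::vector<int>& Sent() const { return sent_; }

 private:
  std::vector<Sample> pool_;
  std::vector<bool> in_use_;
  std::vector<int> sent_;
};

// Hypothetical guard around one producer instance of one event. It enforces what
// the assumptions of use demand of the application:
//  - a nullptr from Allocate() moves the producer into a safe state,
//  - at most one AllocateePtr is outstanding at any time,
//  - copy-Send() is refused while an AllocateePtr is held.
class GuardedProducer {
 public:
  explicit GuardedProducer(MockSkeletonEvent& ev) : ev_(ev) {}

  // Returns true when a slot is held afterwards.
  bool Allocate() {
    if (safe_state_ || held_ != nullptr) return false;  // AoU: only one AllocateePtr per producer
    Sample* slot = ev_.Allocate();
    if (slot == nullptr) {                              // AoU: check Allocate() for nullptr
      EnterSafeState();
      return false;
    }
    held_ = slot;
    return true;
  }

  // Fills and sends the held slot; false when nothing is held or in safe state.
  bool SendAllocated(int value) {
    if (safe_state_ || held_ == nullptr) return false;
    held_->value = value;
    ev_.Send(held_);
    held_ = nullptr;  // the AllocateePtr is consumed by Send()
    return true;
  }

  // Copy-send; refused while an AllocateePtr is held.
  bool SendCopy(int value) {
    if (safe_state_ || held_ != nullptr) return false;  // AoU: no Send(const&) while holding
    ev_.Send(Sample{value});
    return true;
  }

  bool InSafeState() const { return safe_state_; }

 private:
  // A real system would stop publishing and signal its supervisor here.
  void EnterSafeState() { safe_state_ = true; held_ = nullptr; }

  MockSkeletonEvent& ev_;
  Sample* held_ = nullptr;
  bool safe_state_ = false;
};

struct ScenarioResult {
  bool copy_rejected_while_held;
  bool second_alloc_rejected;
  bool safe_state_before_exhaustion;
  bool safe_state_after_exhaustion;
  int sent_count;
};

// Constructed scenario: a two-slot pool whose consumers never release their
// samples, so the third allocation fails and the guard enters the safe state.
ScenarioResult RunScenario() {
  MockSkeletonEvent ev(2);
  GuardedProducer p(ev);
  ScenarioResult r{};
  p.Allocate();
  r.copy_rejected_while_held = !p.SendCopy(10);
  r.second_alloc_rejected = !p.Allocate();
  p.SendAllocated(1);
  p.SendCopy(2);      // allowed again: nothing is held
  p.Allocate();
  p.SendAllocated(3);
  r.safe_state_before_exhaustion = p.InSafeState();
  p.Allocate();       // both slots still in use -> nullptr -> safe state
  r.safe_state_after_exhaustion = p.InSafeState();
  r.sent_count = static_cast<int>(ev.Sent().size());
  return r;
}

int main() {
  const ScenarioResult r = RunScenario();
  return (r.safe_state_after_exhaustion && r.sent_count == 3) ? 0 : 1;
}
```

The point of the guard is that all three rules become checkable at one place in the producer code instead of being spread over every call site; in the constructed scenario the three values 1, 2 and 3 are delivered and the fourth allocation, rather than a silent nullptr dereference, ends in the safe state.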
Non-reentrant methods per event instance
status: valid | security: NO | safety: ASIL_B

Skeleton alive while its AllocateePtr being used
status: valid | security: NO | safety: ASIL_B
It shall be ensured that a Skeleton instance is still alive while any AllocateePtr returned by it is used.

Event Subscription active while holding SamplePtr
status: valid | security: NO | safety: ASIL_B
It shall be ensured that Unsubscribe() is not called on a proxy event instance as long as any SamplePtr provided by it is still held.

Non-Terminating callbacks
status: valid | security: NO | safety: ASIL_B
It shall be ensured that any callback passed to LoLa for invocation does not throw.

Valid callbacks while proxy alive
status: valid | security: NO | safety: ASIL_B
It shall be ensured that all callbacks passed to LoLa remain valid as long as the associated proxy is alive.

Quality of data is dependent on producer
status: valid | security: NO | safety: ASIL_B
It shall be ensured that the necessary quality of data is produced by the respective skeleton process.

Validity of pointer on LoLa pointer
status: valid | security: NO | safety: ASIL_B
It shall be ensured that no pointer pointing into the memory of a SamplePtr or AllocateePtr is used once that SamplePtr or AllocateePtr has become invalid.

LoLa Memory only accessed through LoLa
status: valid | security: NO | safety: ASIL_B
It shall be ensured that no other code accesses the mapped memory managed by LoLa.

No shared memory allocation in namespace lola
status: valid | security: NO | safety: ASIL_B
It shall be ensured that no other code creates shared memory segments whose names begin with "lola".

LoLa specific QNX Messaging End-Points only accessed through LoLa
status: valid | security: NO | safety: ASIL_B
It shall be ensured that the LoLa specific QNX Message Passing end-points are only accessed through LoLa APIs.

aragen not safe
status: valid | security: NO | safety: ASIL_B
If aragen is used to generate LoLa interfaces, any output produced by aragen shall be manually reviewed for correctness.

Unsupported data-types
status: valid | security: NO | safety: ASIL_B
It shall be ensured that neither variants nor maps are sent via LoLa.

No guarantee on execution time
status: valid | security: NO | safety: ASIL_B
There is no guarantee on the execution time of any function call provided by LoLa.

Usage of configuration "oversubscription"
status: valid | security: NO | safety: ASIL_B
If "oversubscription" is enabled for an event instance, LoLa gives no guarantee that proxies/consumers will not suffer data loss. It is the responsibility of the user to adapt scheduling and event-data access so that no data loss happens. LoLa does guarantee, however, that if only QM consumers misbehave, ASIL consumers are not affected by their actions.

Same compiler settings for provider and consumer side
status: valid | security: NO | safety: ASIL_B
All compiler settings that influence the binary representation of data exchanged via mw::com/LoLa (event, field and service-method payloads) have to be identical when compiling the code of mw::com proxies and skeletons that communicate with each other.

Event or Field reception via GenericProxy needs specific care
status: valid | security: NO | safety: ASIL_B
When receiving event or field data via the untyped GenericProxyEvent or GenericProxyField, care has to be taken when accessing the SamplePtr<void> delivered by calls to GetNewSamples(): when casting it to the expected type, it must be checked that no access beyond the size returned by GetSampleSize() happens.

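The following C++ example is added here and is not LoLa/mw::com code. It shows the size check the preceding assumption asks for, written as a reusable cast helper over a hypothetical stand-in for the untyped sample (UntypedSample bundles the buffer behind a SamplePtr<void> with the value GetSampleSize() would report; SpeedReading is a constructed payload type; CheckedSampleCast and CheckedSampleCopy are assumed names). It goes slightly beyond the text by also refusing a typed view of a misaligned buffer and offering a memcpy-based copy for that case.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <type_traits>

// Hypothetical stand-in for what a GenericProxyEvent hands out: the untyped
// buffer behind a SamplePtr<void> and the byte count GetSampleSize() reports.
// Not the mw::com type.
struct UntypedSample {
  const void* data;
  std::size_t size;
};

// Constructed payload type the consumer expects to receive.
struct SpeedReading {
  std::uint32_t timestamp_ms;
  float speed_mps;
  std::uint8_t quality;
};

// Typed view of an untyped sample, granted only when the reported size covers
// sizeof(T) and the buffer is aligned for T; otherwise nullptr. Reading through
// the result therefore never touches bytes beyond GetSampleSize().
template <class T>
const T* CheckedSampleCast(const UntypedSample& sample) {
  static_assert(std::is_trivially_copyable<T>::value, "payload must be trivially copyable");
  if (sample.data == nullptr || sample.size < sizeof(T)) return nullptr;
  if (reinterpret_cast<std::uintptr_t>(sample.data) % alignof(T) != 0) return nullptr;
  return static_cast<const T*>(sample.data);
}

// Copying alternative for buffers that may be unaligned; same size check.
template <class T>
bool CheckedSampleCopy(const UntypedSample& sample, T& out) {
  static_assert(std::is_trivially_copyable<T>::value, "payload must be trivially copyable");
  if (sample.data == nullptr || sample.size < sizeof(T)) return false;
  std::memcpy(&out, sample.data, sizeof(T));
  return true;
}

// Constructed case 1: the producer sent exactly a SpeedReading.
bool FullSampleAccepted() {
  alignas(SpeedReading) unsigned char buf[sizeof(SpeedReading)];
  const SpeedReading src{1000u, 12.5f, 3u};
  std::memcpy(buf, &src, sizeof src);
  const UntypedSample s{buf, sizeof buf};
  const SpeedReading* r = CheckedSampleCast<SpeedReading>(s);
  return r != nullptr && r->timestamp_ms == 1000u && r->quality == 3u;
}

// Constructed case 2: the producer's type is smaller (e.g. a configuration
// mismatch), so GetSampleSize() reports fewer bytes than sizeof(SpeedReading).
bool TruncatedSampleRejected() {
  alignas(SpeedReading) unsigned char buf[sizeof(SpeedReading)] = {};
  const UntypedSample s{buf, sizeof(SpeedReading) - 1};
  SpeedReading copy{};
  return CheckedSampleCast<SpeedReading>(s) == nullptr && !CheckedSampleCopy(s, copy);
}

// Constructed case 3: enough bytes but misaligned; the view is refused, the copy works.
bool MisalignedSampleCopiedNotViewed() {
  alignas(SpeedReading) unsigned char buf[sizeof(SpeedReading) + 1] = {};
  const SpeedReading src{7u, 0.0f, 1u};
  std::memcpy(buf + 1, &src, sizeof src);
  const UntypedSample s{buf + 1, sizeof(SpeedReading)};
  SpeedReading copy{};
  return CheckedSampleCast<SpeedReading>(s) == nullptr && CheckedSampleCopy(s, copy) &&
         copy.timestamp_ms == 7u;
}

int main() {
  return (FullSampleAccepted() && TruncatedSampleRejected() && MisalignedSampleCopiedNotViewed()) ? 0 : 1;
}
```

Routing every cast through a helper like this keeps the GetSampleSize() comparison in one reviewed place; a plain static_cast at each call site is exactly what lets an undersized sample turn into a read past the shared-memory slot.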
Correctly configured events/fields per service type
status: valid | security: NO | safety: ASIL_B
It shall be ensured that all safety-relevant events/fields of the service type are the same in all configurations.