status: evaluated
Symbol Report and Blanket Verification Report
Introduction
Scope and purpose
Symbol report and blanket are tools for post-processing the code coverage data generated by the Rust compiler. They calculate code coverage from the compiler's raw coverage data and produce a report containing the calculated coverage.
Inputs and outputs
Fig. 20 Symbol report and blanket overview
Available information
Version: >= 1.90.0 [1]
Official repository: ferrocene/ferrocene, ferrocene/ferrocene
Additional information for usage in other safety projects: https://public-docs.ferrocene.dev/main/certification/core/safety-plan/tools.html#code-coverage
Installation and integration
Installation
Integration
Integrated in Bazel.
Environment
Requires a Rust toolchain and a Bazel build environment.
Safety evaluation
This section outlines the safety evaluation of symbol report and blanket for their use within the S-CORE project. The evaluation assumes that the Rust compiler is qualified and that the coverage data it emits in .profraw format is correct; the analysis therefore focuses solely on the post-processing performed by symbol report and blanket.
| Malfunction identification | Use case description | Malfunctions | Impact on safety? | Impact safety measures available? | Impact safety detection sufficient? | Further additional safety measure required? | Confidence (automatic calculation) |
|---|---|---|---|---|---|---|---|
| 1 | False-positive: a function is reported as covered although it is not covered | Overreporting; could result in a testing gap. | yes | The likelihood of such an error is low due to the wide usage of the tool (many S-CORE modules and other projects such as ferrocene). Additionally, every new tool release is tested by running the prepared integration test suite to detect such errors. (PROPOSAL POINT) | yes | no | high |
| 2 | False-negative: a function is reported as not covered although it is covered | Underreporting; will not result in a testing gap. | yes | Since we want to achieve 90%+ branch coverage, this would stand out and be manually investigated. | yes | no | high |
| 3 | Overcounting: the total number of functions is too low | A function is not considered although it is part of the certified subset | yes | symbol-report is developed to use exactly the same information as the compiler. Additionally, every new tool release is tested by running the prepared integration test suite to detect such errors. (PROPOSAL POINT) | yes | no | high |
| 4 | Undercounting: the total number of functions is too high | A function is considered although it is not part of the certified subset | no | no | yes | no | high |
| 5 | A line that can be executed is not reported as executable | Underreporting; code that should be tested may not be tested | yes | `blanket` warns if a function has no executable line. Additionally, every new tool release is tested by running the prepared integration test suite to detect such errors. (PROPOSAL POINT) | yes | no | high |
| 6 | Coverage calculation errors: rounding, aggregation errors | Overreporting or underreporting of coverage that can lead to testing gaps | yes | Every new tool release is tested by running the prepared integration test suite to detect such errors. (PROPOSAL POINT) Since this would be a systematic error, it would be detected during manual review of coverage reports (always rounded values, coverage too high or too low even though no tests exist, etc.). | yes | no | high |
| 7 | Coverage reported for another function | Wrong reporting view | no | Manual review by the developer would reveal that coverage is reported for a function other than the one tested. | yes | no | high |
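An independent plausibility check over a function-level coverage report, flagging the malfunction classes listed in the table above (added example, not the symbol-report or blanket source; the record layout, the sample symbol names and the 0.05 percentage tolerance are assumptions made here):

```rust
// Added example, not symbol-report/blanket source: an independent plausibility check over
// function-level coverage records; the record layout is constructed, not the tools' format.
use std::collections::BTreeSet;
pub struct FnCoverage { pub symbol: &'static str, pub executable: u32, pub covered: u32 }

#[derive(Debug, PartialEq)]
pub enum Finding {
    NoExecutableLines(String),        // row 5: the condition blanket warns about
    CoveredExceedsExecutable(String), // row 1: an over-report that cannot be true
    MissingFromReport(String),        // row 3: certified function not counted
    NotInCertifiedSubset(String),     // row 4: extra function counted
    TotalMismatch { reported: f64, recomputed: f64 }, // row 6: aggregation/rounding error
}

/// Aggregate by summing line counts, not by averaging per-function percentages.
pub fn recompute_total(records: &[FnCoverage]) -> f64 {
    let (exec, cov) = records.iter().fold((0u32, 0u32), |(e, c), r| (e + r.executable, c + r.covered));
    if exec == 0 { 0.0 } else { 100.0 * cov as f64 / exec as f64 }
}

/// Cross-check a report against the certified symbol list and its own reported total.
pub fn check(records: &[FnCoverage], certified: &[&str], reported_total: f64) -> Vec<Finding> {
    let mut out = Vec::new();
    for r in records {
        if r.executable == 0 {
            out.push(Finding::NoExecutableLines(r.symbol.to_string()));
        } else if r.covered > r.executable {
            out.push(Finding::CoveredExceedsExecutable(r.symbol.to_string()));
        }
    }
    let seen: BTreeSet<&str> = records.iter().map(|r| r.symbol).collect();
    let want: BTreeSet<&str> = certified.iter().copied().collect();
    out.extend(want.difference(&seen).map(|s| Finding::MissingFromReport(s.to_string())));
    out.extend(seen.difference(&want).map(|s| Finding::NotInCertifiedSubset(s.to_string())));
    let recomputed = recompute_total(records);
    if (recomputed - reported_total).abs() > 0.05 {
        out.push(Finding::TotalMismatch { reported: reported_total, recomputed });
    }
    out
}

/// Constructed sample: an empty function, an over-report, a missing certified symbol,
/// an extra symbol, and a reported total that was (wrongly) averaged per function.
pub fn sample() -> (Vec<FnCoverage>, Vec<&'static str>, f64) {
    let records = vec![
        FnCoverage { symbol: "crate::parse", executable: 40, covered: 36 },
        FnCoverage { symbol: "crate::empty", executable: 0, covered: 0 },
        FnCoverage { symbol: "crate::hash", executable: 10, covered: 11 },
        FnCoverage { symbol: "crate::extra", executable: 10, covered: 0 },
    ];
    (records, vec!["crate::parse", "crate::empty", "crate::hash", "crate::verify"], 65.0)
}
```

Running `check` on the constructed sample yields one finding per malfunction class; a report whose counts, symbol set and total are consistent yields none.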
Result
Symbol report and blanket do not require qualification for use in safety-related software development according to ISO 26262.