[go: up one dir, main page]

EP1763757A2 - Device for controlling the structural coverage of a software program and method of implementing said device - Google Patents

Device for controlling the structural coverage of a software program and method of implementing said device

Info

Publication number
EP1763757A2
EP1763757A2 EP05754129A EP05754129A EP1763757A2 EP 1763757 A2 EP1763757 A2 EP 1763757A2 EP 05754129 A EP05754129 A EP 05754129A EP 05754129 A EP05754129 A EP 05754129A EP 1763757 A2 EP1763757 A2 EP 1763757A2
Authority
EP
European Patent Office
Prior art keywords
memory
address
processor
software
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP05754129A
Other languages
German (de)
French (fr)
Inventor
Jérôme THALES Intellectual Property PAPINEAU
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales SA
Original Assignee
Thales SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thales SA filed Critical Thales SA
Publication of EP1763757A2 publication Critical patent/EP1763757A2/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Prevention of errors by analysis, debugging or testing of software
    • G06F11/362Debugging of software
    • G06F11/3636Debugging of software by tracing the execution of the program
    • G06F11/364Debugging of software by tracing the execution of the program tracing values on a bus

Definitions

  • the invention relates to a device for controlling the structural coverage of software and to a method implementing the device.
  • standards such as the DO 178 B standard established by the Department of Defense of the United States impose strict controls during the validation of software intended to be embedded.
  • Level B of this standard requires complete structural software coverage at the instruction and decision level.
  • all of the software's instructions must be executed and all decisions must have taken all possible choices.
  • the control of structural coverage has not been carried out directly.
  • a simulation of the software adapted to operate for example on a personal computer called a host is used. On this host it is easy to know the structural coverage of the software. We are also developing on this host a first complete functional test of the software.
  • the target which will receive the software during its normal operation. If the structural coverage is correct on the host and if the two functional tests give identical results, it is deduced that the structural coverage is correct on the target.
  • the software is generally developed in a so-called high level language, such as for example the C language, then translated into said machine language using only instructions directly understandable by the processor using the software.
  • the host processor is similar to that of the target, their machine languages are similar and the type of control described above is reliable.
  • the host and target processors have different architectures, their machine languages are also different. This difference leads to uncertainty about the deduction of structural coverage on the target.
  • Another solution consists in carrying out tests only on the target and in adding a flag in each branch of the software. If, at the end of the functional tests, all the flags were activated, this proves that all the branches of the software have been used and therefore the structural coverage is correct.
  • This solution has the disadvantage of increasing the rate of load of the processor and of including in the software of the instructions, the flags, useless with the function of the software. These additional instructions degrade the reliability of the software.
  • the invention aims to overcome the drawbacks described above by proposing a device and a method for controlling the structural coverage of software, the control being carried out directly on the target without the intervention of a host and without modifying The software.
  • the subject of the invention is a device for controlling the structural coverage of software implemented by a processor, the software being stored in a first memory, the software comprising instructions which can be located by addresses circulating on a bus. of addresses connecting the processor to the first memory, characterized in that it comprises a second memory connected to the address bus making it possible to store a first and a second value associated with each address, the first value indicating that the associated address was called by the processor and the second value indicating that the associated address was not called by the processor.
  • This device makes it possible to check the structural coverage at the instruction level.
  • the second memory also makes it possible to store a third and a fourth value associated with each address, the third value indicating that the instruction located at the address is immediately followed in the course of the software by an instruction located at the consecutive address of the associated address, the fourth value indicating that the instruction located at the address is not immediately followed, in the course of the software, by an instruction located at the consecutive address of the associated address.
  • the subject of the invention is also a method implementing a device described above, characterized in that it consists in - erasing the entire content of the second memory, - carrying out software validation tests, - comparing the contents of the second memory with a list of addresses where instructions exist. This process verifies the structural coverage at the instruction level.
  • FIG. 1 represents in the form of a block diagram , a device for controlling the structural coverage of software stored in a memory and implemented by a processor;
  • FIG. 2 represents the control device of FIG. 1 adapted for the control of data flow;
  • FIG. 3 represents an example of a pointer controlling the use of data used by the software.
  • FIG. 1 describes an item of equipment 1 comprising a processor 2 connected to a memory 3 by an address bus 4.
  • Software is stored in memory 3 also called program memory.
  • the software includes instructions that can be located in the memory 3 by addresses circulating on the address bus 4. the instructions allow the processor 2 to operate.
  • the processor 2 calls the instructions according to a flowchart or an algorithm defined during the design of the software.
  • the structural coverage of the software is checked during software validation. This check consists of a check that during normal use of the software, all the instructions of the software are implemented by the processor 2. It can also be checked that all the decisions have taken all the possible choices.
  • a device 5 for controlling structural coverage comprises a memory 6 connected to the address bus 4.
  • the memory 6 is for example of the random access type, a type well known in the Anglo-Saxon literature under the name of RAM (Random Access Memory) ).
  • the memory 6 makes it possible to store a first and a second value associated with each address.
  • the first value indicates that the associated address has been called by processor 2 and the second value indicates that the associated address has not been called by processor 2.
  • the second memory 6 makes it possible to store a third and a fourth value associated with each address.
  • the third value indicates that the instruction located at the address is immediately followed in the course of the software by an instruction located at the address immediately following the associated address.
  • the fourth value indicates that the instruction located at the address is not immediately followed, in the course of the software, by an instruction located at the consecutive address of the associated address.
  • the four values can be stored in two bits of the second memory 6.
  • Each address of the memory 3 is associated with two bits of the memory 6.
  • the memory 6 comprises at least twice as many bits as addresses used in the memory 3 by software instructions.
  • the memory 6 comprises twice as many bits as addresses available in the memory 3.
  • the device 5 includes means for giving the bits of the memory 6 a logic state representative of a call by processor 2 of the address associated with these bits and representative of. fact that the instruction located at the address is followed immediately or not immediately in the course of the software, by an instruction located at the consecutive address of the associated address in the memory 3. It is defined that two addresses are consecutive if they contain two instructions that follow in writing the software.
  • These means comprise for example a component 7 comprising programmable logic elements.
  • the device comprises means for giving the bits of the second memory 6 a logical state representative of a call by the processor 2 of the associated address and of the address immediately following the associated address in the course of the software.
  • These means advantageously include a component comprising programmable logic elements. It is of course possible to use the component 7.
  • the four values which the two bits associated with a so-called current address can take are for example the following. As long as the current address was not called, the two bits keep a value of 00. The two bits change value when the next address, in the course of the software is called. If the next address is the consecutive address in the order of the addresses of memory 3, the two bits are set to a value 10. If on the contrary, the next address is not the consecutive address, we set the two bits have a value 01.
  • the device comprises means 7 for comparing the content of the second memory 6 with a list of addresses where instructions exist. During the verification of the structural coverage, the content of the memory 6 will be analyzed. When all the pairs of bits corresponding to instructions in the memory 3 have values other than 00, the structural coverage at the instruction level is correct.
  • the structural coverage at the decision level is correct.
  • it comprises autonomous means for supplying the device with electrical power, means independent of means for supplying the processor 2 and the memory 3.
  • the device 5 is not subject to disturbances possible power supply to processor 2 and memory 3.
  • it again to improve the security of the device 5, it includes a non-volatile memory 8 allowing the backup of all the data present in the memory 6, even in the event of cut off the power supply to the device 5.
  • the memory 8 is for example of the type used in read only and with fast electrical programming, a type well known in Anglo-Saxon literature under the name of Flash PROM. In the event of a power cut to the device 5, the content of the backup memory 8 is enriched by the information contained in the memory 6 by a non-exclusive “OR” logic operation.
  • the device 5 comprises means for erasing the entire content of the memory 6, and when there is the memory 8, on an external command conveyed by a link 9. These means are for example made using the component 7.
  • the device 5 includes means for comparing the content of the memory 6 with a list of addresses where software instructions exist. These means are for example produced using the component 7 comprising programmable logic elements. But advantageously, in order not to overload the component 7, one can use a computer external to the device to carry out the comparison. In this case, the component 7 simply makes it possible to unload the content of the two memories 6 and 8 to the external computer by a link 10.
  • the device 5 comprises means to determine in the content of the second memory 6 whether for instructions comprising decision-making choices, the third and fourth values have been activated.
  • a method of implementing the device 5 consists in - erasing all of the content of the memory 6 and possibly of the memory 8 when it exists, - carrying out software validation tests, - comparing the content of the memory 6 and possibly memory 8 when it exists with a list of addresses where instructions exist. Erasing the contents of memories 6 and 8 consists of putting all of their bits back into the same logic state, for example 0.
  • the bits of the memory 6 corresponding to the address of the instruction are placed in a logical state, for example 10, representative of a call by the processor 2 of the address associated with these bits as well as the consecutive address. If the same succession of instructions is called several times by the processor 2, the corresponding bits of the memory 6 remain in the logical state 0.
  • the equipment 1 usually comprises a link 11 allowing the reset to zero of the processor 2.
  • the link 11 is connected to the device 5, for example to the component 7, which thus receives information on the fact that the processor 2 is in operation or is reset to zero.
  • the memorization of the values is interrupted when the processor 2 is reset to zero.
  • a link 12 can convey a signal indicating that the processor 2 performs software validation tests. This signal is subsequently called: "active control".
  • An example of an algorithm used during software validation tests to check the structural coverage of the software is given at the end of the description.
  • the device 5 advantageously comprises means for controlling a flow of data used by the processor 2.
  • the standard DO 178 B also relates to the data implemented by the software. More specifically, the standard DO 178 B imposes two requirements concerning the data. First, all of the defined data must be used by the software. Second, each piece of data must be produced before being used. The second requirement can be expressed by the fact that the value of a data item must be written before being read in the memory location reserved for it.
  • the means for controlling a data flow are for example produced using the component 7 comprising programmable logic elements.
  • Component 7 is then temporarily connected to the data bus during software validation tests.
  • the equipment 1 comprises a data bus 20 connecting the processor 2 to a data memory 21.
  • the data bus 20 is merged with the address bus 4 and the data memory 21 is merged with the memory 3 containing the software.
  • the instructions data are then differentiated by different address ranges.
  • the device 5 can therefore differentiate an instruction from a datum by means of the address passing over the address bus 4.
  • a link 22 connects the processor 2 to the memory 21, a link on which the processor 2 informs the memory 21 that the addressed data must be read or written.
  • the device 5 is connected both to the bus 20 and to the link 22.
  • each location is associated with a location of the memories 6 and 8, location in which a pointer can be stored which can take four current positions. For example, two bits are used to store these four current positions.
  • the first current position for example denoted 00 by means of the two bits, represents the fact that the software has not accessed the corresponding data.
  • the second current position for example denoted 01 by means of the two bits, represents the fact that the software has read the value of the data before having written it.
  • the third current position for example denoted 10 by means of the two bits, represents the fact that the software has written a value of the data before having read it.
  • the fourth current position represents the fact that the software has written a value of the data and read it.
  • the method of the invention consists, for each piece of data, in generating an indicator, called KO indicator, making it possible to know whether the data has been read without having been written beforehand.
  • the KO indicator is an indicator for passing through the second current position denoted 01.
  • the pointer takes the first current position, ie 00.
  • the current position of the pointer of each data is modified according to the use made by the software of the different data.
  • the pointer takes the second current position 01, the KO indicator is activated and remains activated until the end of the validation tests. Similarly, if for a data item, the pointer takes the third current position 10, the OK indicator is activated and remains activated until the end of the validation tests.
  • Each of the two indicators can be stored in memories 6 and 8 on a single bit, each taking the value 1 when it is activated and 0 when it is not. For the result of the data flow check to be positive, that is to say that the two requirements described above are fulfilled, it is necessary that all data is associated only with fourth values and that no indicator of KO has not been validated.
  • the method of the invention consists, for each data item, in generating an indicator, known as an OK indicator, making it possible to know whether the data item has been written without having been read beforehand, then read.
  • the OK indicator is an indicator for passing through the third current position.
  • the indicator is reset each time the processor 2 is reset to zero.
  • the reset signal of the processor 2 is memorized. This memorization can be carried out on one bit and in this case, the logic state 1 corresponds for example to the fact that the processor 2 is in operation and the state logic 0 corresponds for example to the fact that processor 2 is reset to zero. For each data item, the number of resets already carried out on processor 2 is also stored.
  • ⁇ y "10" If not EM ⁇ iAl n J EM6 (Al ⁇ - ⁇ )
  • Ai n represents the address of the instruction of rank n in the writing of the software
  • Al n . ⁇ represents the address of the instruction of rank n-1 in the writing of the software
  • EM6 represents the two bits of memory 6 associated with the address Al n - ⁇ .

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a device for controlling the structural coverage of a software program and to a method of implementing said device. According to the invention, the software, which is stored in a first memory (3), comprises instructions which can be located with addresses provided on an address bus (4) connecting the processor (2) to the first memory (3). The inventive device comprises a second memory (6) which is connected to the address bus (4) and which can be used to save values that are associated with each address, said values indicating the conditions for calling up the address associated by the processor (2). The method consists in: deleting all of the contents of the second memory (6), performing validation tests in relation to the software, and comparing the contents of the second memory (6) with a list of addresses at which instructions are located.

Description

Dispositif de contrôle de la couverture structurelle d'un logiciel et procédé mettant en œuvre le dispositif Device for controlling the structural coverage of software and method implementing the device

L'invention concerne un dispositif de contrôle de la couverture structurelle d'un logiciel et un procédé mettant en œuvre le dispositif. Dans le domaine aéronautique, des normes telle que la norme DO 178 B établie par le département de la défense (Department Of Defence) des Etats Unis imposent des contrôles stricts lors de la validation de logiciels destinée à être embarquer. Le niveau B de cette norme impose une couverture structurelle complète du logiciel au niveau des instructions et des décisions. En d'autres termes, lors de la mise en œuvre du logiciel, toutes les instructions du logiciel doivent être exécutées et toutes les décisions doivent avoir pris tous les choix possibles. A ce jour le contrôle de la couverture structurelle n'est pas réalisé de façon directe. On utilise habituellement une simulation du logiciel adaptée pour fonctionner par exemple sur un ordinateur personnel appelé hôte. Sur cet hôte il est aisé de connaître la couverture structurelle du logiciel. On développe également sur cet hôte un premier test fonctionnel complet du logiciel. Par ailleurs, on développe un second test fonctionnel adapté au processeur, appelé cible, qui recevra le logiciel lors de son fonctionnement normal. Si la couverture structurelle est correcte sur l'hôte et si les deux tests fonctionnels donnent des résultats identiques, on déduit que la couverture structurelle est correcte sur la cible. Le logiciel est généralement développé dans un langage dit de haut niveau, comme par exemple le langage C, puis traduis en langage dit machine n'utilisant que des instructions directement compréhensibles par le processeur utilisant le logiciel. Lorsque le processeur de l'hôte est semblable à celui de la cible, leurs langages machine sont voisins et le type de contrôle décrit plus haut est fiable. Néanmoins lorsque les processeurs de l'hôte et de la cible ont des architectures différentes, leurs langages machines sont également différents. Cette différence entraîne une incertitude sur la déduction de la couverture structurelle sur la cible. Une autre solution consiste à ne réaliser des tests que sur la cible et à ajouter un drapeau dans chaque branche du logiciel. Si, à l'issu des tests fonctionnels tous les drapeaux ont été activés, cela prouve que toutes les branches du logiciel ont été utilisées et donc que la couverture structurelle est correcte. Cette solution présente l'inconvénient d'augmenter le taux de charge du processeur et d'inclure dans le logiciel des instructions, les drapeaux, inutiles à la fonction du logiciel. Ces instructions supplémentaires dégradent la fiabilité du logiciel. L'invention a pour but de pallier les inconvénients décrits plus haut en proposant un dispositif et un procédé de contrôle de la couverture structurelle d'un logiciel, le contrôle se faisant directement sur la cible sans l'intervention d'un hôte et sans modifier le logiciel. A cet effet l'invention a pour objet un dispositif de contrôle de la couverture structurelle d'un logiciel mis en œuvre par un processeur, le logiciel étant stocké dans une première mémoire, le logiciel comportant des instructions localisables par des adresses circulant sur un bus d'adresses reliant le processeur à la première mémoire, caractérisé en ce qu'il comprend une seconde mémoire reliée au bus d'adresses permettant de mémoriser une première et une seconde valeur associées à chaque adresse, la première valeur indiquant que l'adresse associée a été appelée par le processeur et la seconde valeur indiquant que l'adresse associée n'a pas été appelée par le processeur. Ce dispositif permet de vérifier la couverture structurelle au niveau des instructions. Avantageusement, pour vérifier la couverture structurelle au niveau des décisions, la seconde mémoire permet en outre de mémoriser une troisième et une quatrième valeur associées à chaque adresse, la troisième valeur indiquant que l'instruction localisée à l'adresse est suivie immédiatement dans le déroulement du logiciel par une instruction localisée à l'adresse consécutive de l'adresse associée, la quatrième valeur indiquant que l'instruction localisée à l'adresse n'est pas suivie immédiatement, dans le déroulement du logiciel, par une instruction localisée à l'adresse consécutive de l'adresse associée. L'invention a également pour objet un procédé mettant en œuvre un dispositif décrit ci dessus, caractérisé en ce qu'il consiste à - effacer l'ensemble du contenu de la seconde mémoire, - effectuer des tests de validation du logiciel, - comparer le contenu de la seconde mémoire avec une liste des adresses où des instructions existent. Ce procédé permet de vérifier la couverture structurelle au niveau des instructions. Avantageusement, pour de vérifier la couverture structurelle au niveau des décisions, le procédé est complété par l'analyse du contenu de la seconde mémoire. Pour chaque instruction comprenant un choix décisionnel, on vérifie que les troisième et quatrième valeurs ont été renseignées. L'invention sera mieux comprise et d'autres avantages apparaîtront à la lecture de la description détaillée d'un mode de réalisation donné à titre d'exemple, description illustrée par le dessin joint dans lequel : La figure 1 représente sous forme de schéma bloc, un dispositif de contrôle de la couverture structurelle d'un logiciel stocké dans une mémoire et mis en œuvre par un processeur ; la figure 2 représente le dispositif de contrôle de la figure 1 adapté pour le contrôle de flot de données ; la figure 3 représente un exemple de pointeur contrôlant l'emploi de données utilisées par le logiciel. La figure 1 décrit un équipement 1 comportant un processeur 2 relié à une mémoire 3 par un bus d'adresses 4. Un logiciel est stocké dans la mémoire 3 appelée également mémoire programme. Le logiciel comprend des instructions localisables dans la mémoire 3 par des adresses circulant sur le bus d'adresses 4. les instructions permettent au processeur 2 de fonctionner. Le processeur 2 appelle les instructions en fonction d'un organigramme ou d'un algorithme défini lors de la conception du logiciel. Le contrôle de la couverture structurelle du logiciel est réalisé lors de la validation du logiciel. Ce contrôle consiste en une vérification que lors de l'utilisation normale du logiciel, toutes les instructions du logiciel sont mises en œuvre par le processeur 2. On peut également vérifier que toutes les décisions ont pris tous les choix possibles. Un dispositif 5 de contrôle de couverture structurelle comporte une mémoire 6 reliée au bus d'adresses 4. La mémoire 6 est par exemple du type à accès aléatoire, type bien connu dans la littérature anglo-saxonne sous le nom de RAM (Random Accès Memory). La mémoire 6 permet de mémoriser une première et une seconde valeur associées à chaque adresse. La première valeur indique que l'adresse associée a été appelée par le processeur 2 et la seconde valeur indique que l'adresse associée n'a pas été appelée par le processeur 2. Avantageusement, la seconde mémoire 6 permet de mémoriser une troisième et une quatrième valeur associées à chaque adresse. La troisième valeur indique que l'instruction localisée à l'adresse est suivie immédiatement dans le déroulement du logiciel par une instruction localisée à l'adresse suivant immédiatement l'adresse associée. La quatrième valeur indique que l'instruction localisée à l'adresse n'est pas suivie immédiatement, dans le déroulement du logiciel, par une instruction localisée à l'adresse consécutive de l'adresse associée. Avantageusement, les quatre valeurs sont stockables dans deux bits de la seconde mémoire 6. Chaque adresse de la mémoire 3 est associée à deux bits de la mémoire 6. La mémoire 6 comporte au moins deux fois plus de bits que d'adresses utilisées dans la mémoire 3 par les instructions du logiciel. Avantageusement, pour pouvoir utiliser le dispositif 5 quel que soit le logiciel stocké dans la mémoire 3, la mémoire 6 comporte deux fois plus de bits que d'adresses disponibles dans la mémoire 3. Le dispositif 5 comporte des moyens pour donner aux bits de la mémoire 6 un état logique représentatif d'un appel par le processeur 2 de l'adresse associée à ces bits et représentatif du . fait que l'instruction localisée à l'adresse est suivie immédiatement ou non dans le déroulement du logiciel, par une instruction localisée à l'adresse consécutive de l'adresse associée dans la mémoire 3. On définit que deux adresses sont consécutives si elles contiennent deux instructions qui se suivent dans l'écriture du logiciel. Ces moyens comportent par exemple un composant 7 comprenant des éléments logiques programmables. Avantageusement, le dispositif comporte des moyens pour donner aux bits de la seconde mémoire 6 un état logique représentatif d'un appel par le processeur 2 de l'adresse associée et de l'adresse suivant immédiatement l'adresse associée dans le déroulement du logiciel. Ces moyens comportent avantageusement un composant comprenant des éléments logiques programmables. Il est bien entendu possible d'utiliser le composant 7. Les quatre valeurs que peuvent prendre les deux bits associés à une adresse dite courante sont par exemple les suivantes. Tant que l'adresse courante n'a pas été appelée, les deux bits conservent une valeur 00. Les deux bits changent de valeur lorsque l'adresse suivante, dans le déroulement du logiciel est appelée. Si l'adresse suivante est l'adresse consécutive dans l'ordre des adresses de la mémoire 3, on positionne les deux bits à une valeur 10. Si au contraire, l'adresse suivante n'est pas l'adresse consécutive, on positionne les deux bits à une valeur 01. Le positionnement des deux bits se fait de façon cumulative par exemple au moyen d'une fonction logique OU. Plus précisément, si les deux bits correspondant à l'adresse courante ont une valeur 10, que l'adresse courante est à nouveau appelée, et que l'adresse suivante n'est cette fois ci pas l'adresse consécutive, on positionne les deux bits à 01 par l'intermédiaire de la fonction OU et au final, les deux bits prendront une valeur 11. Avantageusement, le dispositif comporte des moyens 7 pour comparer le contenu de la seconde mémoire 6 avec une liste des adresses où des instructions existent. Lors de la vérification de la couverture structurelle on analysera le contenu de la mémoire 6. Lorsque que toutes les paires de bits correspondants à des instructions de la mémoire 3 ont des valeurs différentes de 00, la couverture structurelle au niveau des instructions est correcte. De plus, lorsque que toutes les paires de bits correspondants à des instructions comportant un choix décisionnel, ont des valeurs égales à 11 la couverture structurelle au niveau des décisions est correcte. Avantageusement, pour améliorer la sécurité du dispositif 5, il comporte des moyens autonomes d'alimentation électrique du dispositif, moyens indépendants de moyens d'alimentation du processeur 2 et de la mémoire 3. Ainsi, le dispositif 5 n'est pas soumis aux perturbations éventuelles de l'alimentation du processeur 2 et de la mémoire 3. Avantageusement, toujours pour améliorer la sécurité du dispositif 5, il comporte une mémoire rémanente 8 permettant la sauvegarde de l'ensemble des données présentes dans la mémoire 6, même en cas de coupure de l'alimentation électrique du dispositif 5. La mémoire 8 est par exemple du type utilisé en lecture seulement et à programmation électrique rapide, type bien connu dans la littérature anglo-saxonne sous le nom de Flash PROM. En cas de coupure de l'alimentation électrique du dispositif 5, le contenu de la mémoire de sauvegarde 8 est enrichi par les informations contenues dans la mémoire 6 par une opération logique « OU » non exclusif.The invention relates to a device for controlling the structural coverage of software and to a method implementing the device. In the aeronautical field, standards such as the DO 178 B standard established by the Department of Defense of the United States impose strict controls during the validation of software intended to be embedded. Level B of this standard requires complete structural software coverage at the instruction and decision level. In other words, when implementing the software, all of the software's instructions must be executed and all decisions must have taken all possible choices. To date, the control of structural coverage has not been carried out directly. Usually a simulation of the software adapted to operate for example on a personal computer called a host is used. On this host it is easy to know the structural coverage of the software. We are also developing on this host a first complete functional test of the software. In addition, we are developing a second functional test adapted to the processor, called the target, which will receive the software during its normal operation. If the structural coverage is correct on the host and if the two functional tests give identical results, it is deduced that the structural coverage is correct on the target. The software is generally developed in a so-called high level language, such as for example the C language, then translated into said machine language using only instructions directly understandable by the processor using the software. When the host processor is similar to that of the target, their machine languages are similar and the type of control described above is reliable. However, when the host and target processors have different architectures, their machine languages are also different. This difference leads to uncertainty about the deduction of structural coverage on the target. Another solution consists in carrying out tests only on the target and in adding a flag in each branch of the software. If, at the end of the functional tests, all the flags were activated, this proves that all the branches of the software have been used and therefore the structural coverage is correct. This solution has the disadvantage of increasing the rate of load of the processor and of including in the software of the instructions, the flags, useless with the function of the software. These additional instructions degrade the reliability of the software. The invention aims to overcome the drawbacks described above by proposing a device and a method for controlling the structural coverage of software, the control being carried out directly on the target without the intervention of a host and without modifying The software. To this end, the subject of the invention is a device for controlling the structural coverage of software implemented by a processor, the software being stored in a first memory, the software comprising instructions which can be located by addresses circulating on a bus. of addresses connecting the processor to the first memory, characterized in that it comprises a second memory connected to the address bus making it possible to store a first and a second value associated with each address, the first value indicating that the associated address was called by the processor and the second value indicating that the associated address was not called by the processor. This device makes it possible to check the structural coverage at the instruction level. Advantageously, to check the structural coverage at the decision level, the second memory also makes it possible to store a third and a fourth value associated with each address, the third value indicating that the instruction located at the address is immediately followed in the course of the software by an instruction located at the consecutive address of the associated address, the fourth value indicating that the instruction located at the address is not immediately followed, in the course of the software, by an instruction located at the consecutive address of the associated address. The subject of the invention is also a method implementing a device described above, characterized in that it consists in - erasing the entire content of the second memory, - carrying out software validation tests, - comparing the contents of the second memory with a list of addresses where instructions exist. This process verifies the structural coverage at the instruction level. Advantageously, to check the structural coverage at the decision level, the method is supplemented by the analysis of the content of the second memory. For each instruction including a decisional choice, it is checked that the third and fourth values have been entered. The invention will be better understood and other advantages will appear on reading the detailed description of an embodiment given by way of example, description illustrated by the attached drawing in which: FIG. 1 represents in the form of a block diagram , a device for controlling the structural coverage of software stored in a memory and implemented by a processor; FIG. 2 represents the control device of FIG. 1 adapted for the control of data flow; FIG. 3 represents an example of a pointer controlling the use of data used by the software. FIG. 1 describes an item of equipment 1 comprising a processor 2 connected to a memory 3 by an address bus 4. Software is stored in memory 3 also called program memory. The software includes instructions that can be located in the memory 3 by addresses circulating on the address bus 4. the instructions allow the processor 2 to operate. The processor 2 calls the instructions according to a flowchart or an algorithm defined during the design of the software. The structural coverage of the software is checked during software validation. This check consists of a check that during normal use of the software, all the instructions of the software are implemented by the processor 2. It can also be checked that all the decisions have taken all the possible choices. A device 5 for controlling structural coverage comprises a memory 6 connected to the address bus 4. The memory 6 is for example of the random access type, a type well known in the Anglo-Saxon literature under the name of RAM (Random Access Memory) ). The memory 6 makes it possible to store a first and a second value associated with each address. The first value indicates that the associated address has been called by processor 2 and the second value indicates that the associated address has not been called by processor 2. Advantageously, the second memory 6 makes it possible to store a third and a fourth value associated with each address. The third value indicates that the instruction located at the address is immediately followed in the course of the software by an instruction located at the address immediately following the associated address. The fourth value indicates that the instruction located at the address is not immediately followed, in the course of the software, by an instruction located at the consecutive address of the associated address. Advantageously, the four values can be stored in two bits of the second memory 6. Each address of the memory 3 is associated with two bits of the memory 6. The memory 6 comprises at least twice as many bits as addresses used in the memory 3 by software instructions. Advantageously, in order to be able to use the device 5 regardless of the software stored in the memory 3, the memory 6 comprises twice as many bits as addresses available in the memory 3. The device 5 includes means for giving the bits of the memory 6 a logic state representative of a call by processor 2 of the address associated with these bits and representative of. fact that the instruction located at the address is followed immediately or not immediately in the course of the software, by an instruction located at the consecutive address of the associated address in the memory 3. It is defined that two addresses are consecutive if they contain two instructions that follow in writing the software. These means comprise for example a component 7 comprising programmable logic elements. Advantageously, the device comprises means for giving the bits of the second memory 6 a logical state representative of a call by the processor 2 of the associated address and of the address immediately following the associated address in the course of the software. These means advantageously include a component comprising programmable logic elements. It is of course possible to use the component 7. The four values which the two bits associated with a so-called current address can take are for example the following. As long as the current address was not called, the two bits keep a value of 00. The two bits change value when the next address, in the course of the software is called. If the next address is the consecutive address in the order of the addresses of memory 3, the two bits are set to a value 10. If on the contrary, the next address is not the consecutive address, we set the two bits have a value 01. The positioning of the two bits is done cumulatively, for example by means of an OR logic function. More precisely, if the two bits corresponding to the current address have a value 10, that the current address is called again, and that the next address is not this time the consecutive address, the two are positioned bits at 01 via the OR function and ultimately, the two bits will take a value 11. Advantageously, the device comprises means 7 for comparing the content of the second memory 6 with a list of addresses where instructions exist. During the verification of the structural coverage, the content of the memory 6 will be analyzed. When all the pairs of bits corresponding to instructions in the memory 3 have values other than 00, the structural coverage at the instruction level is correct. Furthermore, when all the pairs of bits corresponding to instructions comprising a decisional choice have values equal to 11, the structural coverage at the decision level is correct. Advantageously, to improve the security of the device 5, it comprises autonomous means for supplying the device with electrical power, means independent of means for supplying the processor 2 and the memory 3. Thus, the device 5 is not subject to disturbances possible power supply to processor 2 and memory 3. Advantageously, again to improve the security of the device 5, it includes a non-volatile memory 8 allowing the backup of all the data present in the memory 6, even in the event of cut off the power supply to the device 5. The memory 8 is for example of the type used in read only and with fast electrical programming, a type well known in Anglo-Saxon literature under the name of Flash PROM. In the event of a power cut to the device 5, the content of the backup memory 8 is enriched by the information contained in the memory 6 by a non-exclusive “OR” logic operation.

Cette opération logique est effectuée bit à bit pour deux bits de la mémoire 6 et deux bits correspondants de la mémoire 8. Avantageusement, le dispositif 5 comporte des moyens pour effacer l'ensemble du contenu de la mémoire 6, et lorsqu'elle existe de la mémoire 8, sur un ordre extérieur véhiculé par une liaison 9. Ces moyens sont par exemple réalisés à l'aide du composant 7. Avantageusement, le dispositif 5 comporte des moyens pour comparer le contenu de la mémoire 6 avec une liste des adresses où des instructions du logiciel existent. Ces moyens sont par exemple réalisés à l'aide du composant 7 comprenant des éléments logiques programmables. Mais avantageusement, pour ne pas surcharger le composant 7, on peut utiliser un ordinateur extérieur au dispositif pour effectuer la comparaison. Dans ce cas, le composant 7 permet simplement de décharger le contenu des deux mémoires 6 et 8 vers l'ordinateur extérieur par une liaison 10. Le déchargement a lieu sur ordre extérieur véhiculé par la liaison 9. Avantageusement, le dispositif 5 comporte des moyens pour déterminer dans le contenu de la seconde mémoire 6 si pour des instructions comportant des choix décisionnels, les .troisième et quatrièmes valeurs ont été activées. Un procédé de mise en œuvre du dispositif 5 consiste à - effacer l'ensemble du contenu de la mémoire 6 et éventuellement de la mémoire 8 lorsqu'elle existe, - effectuer des tests de validation du logiciel, - comparer le contenu de la mémoire 6 et éventuellement de la mémoire 8 lorsqu'elle existe avec une liste des adresses où des instructions existent. L'effacement du contenu des mémoires 6 et 8 consiste à remettre l'ensemble de leurs bits à un même état logique, par exemple 0. Dans cet exemple, lors des tests de validation du logiciel, lorsqu'une instruction est appelée par le processeur 2, les bits de la mémoire 6 correspondant à l'adresse de l'instruction, sont placés à un état logique, par exemple 10, représentatif d'un appel par le processeur 2 de l'adresse associée à ces bits ainsi que de l'adresse consécutive. Si la même succession d'instructions est appelée plusieurs fois par le processeur 2, les bits correspondants de la mémoire 6 reste à l'état logique 0. L'équipement 1 comporte habituellement une liaison 11 permettant la remise à zéro du processeur 2. Avantageusement, la liaison 11 est raccordée au dispositif 5, par exemple au composant 7, qui reçoit ainsi une information sur le fait que le processeur 2 est en fonctionnement ou est remis à zéro. Avantageusement, lors des tests de validation, la mémorisation des valeurs est interrompue lorsque le processeur 2 est remis à zéro. Avantageusement, une liaison 12 peut véhiculer un signal indiquant que le processeur 2 effectue des tests de validation du logiciel. Ce signal est appelé par la suite : « contrôle actif ». Un exemple d'algorithme utilisé lors des tests de validation du logiciel pour contrôler la couverture structurelle du logiciel est donné en fin de description. Illustré par la figure 2, le dispositif 5 comporte avantageusement, des moyens de contrôle d'un flot de données utilisées par le processeur 2. En effet, la norme DO 178 B concerne également les données mise en œuvre par le logiciel. Plus précisément, la norme DO 178 B impose deux exigences concemant les données. Premièrement, toutes les données définies doivent être utilisées par le logiciel. Deuxièmement, chaque donnée doit être produite avant d'être utilisée. La deuxième exigence peut s'exprimer par le fait que la valeur d'une donnée doit être écrite avant d'être lue dans l'emplacement mémoire qui lui est réservé. Les moyens de contrôle d'un flot de données sont par exemple réalisés à l'aide du composant 7 comprenant des éléments logiques programmables. Le composant 7 est alors raccordé temporairement au bus de données pendant les tests de validation du logiciel. L'équipement 1 comporte un bus de données 20 raccordant le processeur 2 à une mémoire 21 de données. Dans de nombreux équipements le bus de données 20 est confondu avec le bus d'adresses 4 et la mémoire 21 de données est confondue avec la mémoire 3 contenant le logiciel. On différencie alors les données des instructions par des tranches d'adresses différentes. Le dispositif 5 pourra donc différencier une instruction d'une donnée au moyen de l'adresse transitant sur le bus d'adresse 4. Une liaison 22 relie le processeur 2 à la mémoire 21, liaison sur laquelle le processeur 2 informe la mémoire 21 du fait que la donnée adressée doit être lue ou écrite. Le dispositif 5 est raccordé à la fois sur le bus 20 et sur la liaison 22. les mémoires 6 et 8 du dispositif sont avantageusement utilisées pour contrôler l'utilisation des données définies dans la mémoire 21. A chaque donnée, on associe un emplacement des mémoires 6 et 8, emplacement dans lequel on peut stocker un pointeur pouvant prendre quatre positions courantes. On utilise par exemple deux bits pour mémoriser ces quatre positions courantes. La première position courante, par exemple notée 00 au moyen des deux bits, représente le fait que le logiciel n'a pas accédé à la donnée correspondante. La seconde position courante, par exemple notée 01 au moyen des deux bits, représente le fait que le logiciel a lu la valeur de la donnée avant de l'avoir écrite. La troisième position courante, par exemple notée 10 au moyen des deux bits, représente le fait que le logiciel a écrit une valeur de la donnée avant de l'avoir lue. La quatrième position courante par exemple notée 11 au moyen des deux bits, représente le fait que le logiciel a écrit une valeur de la donnée et l'a lue. Avantageusement, lors des tests de validation, le procédé de l'invention consiste, pour chaque donnée, à générer un indicateur, dit indicateur de KO, permettant de savoir si la donnée a été lue sans avoir été écrite au préalable.. Autrement dit, l'indicateur de KO est un indicateur de passage par la deuxième position courante notée 01. Lors de l'effacement du contenu des mémoires 6 et 8, pour chaque donnée, le pointeur prend la première position courante, c'est à dire 00. Lors des tests de validation du logiciel, la position courante du pointeur de chaque donnée est modifiée en fonction de l'utilisation faite par le logiciel des différentes données. Si pour une donnée, le pointeur prend la deuxième position courante 01, l'indicateur de KO est activé et reste activé jusqu'à la fin des tests de validation. De même, si pour une donnée, le pointeur prend la troisième position courante 10, l'indicateur de OK est activé et reste activé jusqu'à la fin des tests de validation. Chacun des deux indicateurs peut être mémorisé dans les mémoires 6 et 8 sur un seul bit chacun prenant la valeur 1 lorsqu'il est activé et 0 lorsqu'il ne l'est pas. Pour que le résultat du contrôle de flot de donnée soit positif, c'est à dire que les deux exigences décrites plus haut soit remplies, il est nécessaire qu'à toutes les données ne soit associées que des quatrièmes valeurs et qu'aucun indicateur de KO n'ait été validé. Avantageusement, lors des tests de validation, le procédé de l'invention consiste, pour chaque donnée, à générer un indicateur, dit indicateur de OK, permettant de savoir si la donnée a été écrite sans avoir été lue au préalable, puis lue. Autrement dit, l'indicateur de OK est un indicateur de passage par la troisième position courante. Avantageusement, l'indicateur est réinitialisé à chaque fois que le processeur 2 est remis à zéro. Pour ce faire, on mémorise le signal de remise à zéro du processeur 2. On peut réaliser cette mémorisation sur un bit et dans ce cas, l'état logique 1 correspond par exemple au fait que le processeur 2 est en fonctionnement et l'état logique 0 correspond par exemple au fait que le processeur 2 est remis à zéro. Pour chaque donnée, on mémorise également le nombre de remises à zéro déjà effectuées sur le processeur 2. Si lors du test de validation, pour une donnée le nombre de remise à zéro mémorisé ne correspond pas au nombre de remise à zéro courant du processeur 2, on remet le pointeur à la première position courante notée 00. Un exemple d'algorithme utilisé lors des tests de validation du logiciel pour contrôler le flot de données utilisées par le processeur 2. This logical operation is carried out bit by bit for two bits of the memory 6 and two corresponding bits of the memory 8. Advantageously, the device 5 comprises means for erasing the entire content of the memory 6, and when there is the memory 8, on an external command conveyed by a link 9. These means are for example made using the component 7. Advantageously, the device 5 includes means for comparing the content of the memory 6 with a list of addresses where software instructions exist. These means are for example produced using the component 7 comprising programmable logic elements. But advantageously, in order not to overload the component 7, one can use a computer external to the device to carry out the comparison. In this case, the component 7 simply makes it possible to unload the content of the two memories 6 and 8 to the external computer by a link 10. The unloading takes place on an external order conveyed by the link 9. Advantageously, the device 5 comprises means to determine in the content of the second memory 6 whether for instructions comprising decision-making choices, the third and fourth values have been activated. A method of implementing the device 5 consists in - erasing all of the content of the memory 6 and possibly of the memory 8 when it exists, - carrying out software validation tests, - comparing the content of the memory 6 and possibly memory 8 when it exists with a list of addresses where instructions exist. Erasing the contents of memories 6 and 8 consists of putting all of their bits back into the same logic state, for example 0. In this example, during software validation tests, when an instruction is called by the processor 2, the bits of the memory 6 corresponding to the address of the instruction, are placed in a logical state, for example 10, representative of a call by the processor 2 of the address associated with these bits as well as the consecutive address. If the same succession of instructions is called several times by the processor 2, the corresponding bits of the memory 6 remain in the logical state 0. The equipment 1 usually comprises a link 11 allowing the reset to zero of the processor 2. Advantageously , the link 11 is connected to the device 5, for example to the component 7, which thus receives information on the fact that the processor 2 is in operation or is reset to zero. Advantageously, during the validation tests, the memorization of the values is interrupted when the processor 2 is reset to zero. Advantageously, a link 12 can convey a signal indicating that the processor 2 performs software validation tests. This signal is subsequently called: "active control". An example of an algorithm used during software validation tests to check the structural coverage of the software is given at the end of the description. Illustrated in FIG. 2, the device 5 advantageously comprises means for controlling a flow of data used by the processor 2. In fact, the standard DO 178 B also relates to the data implemented by the software. More specifically, the standard DO 178 B imposes two requirements concerning the data. First, all of the defined data must be used by the software. Second, each piece of data must be produced before being used. The second requirement can be expressed by the fact that the value of a data item must be written before being read in the memory location reserved for it. The means for controlling a data flow are for example produced using the component 7 comprising programmable logic elements. Component 7 is then temporarily connected to the data bus during software validation tests. The equipment 1 comprises a data bus 20 connecting the processor 2 to a data memory 21. In many equipment the data bus 20 is merged with the address bus 4 and the data memory 21 is merged with the memory 3 containing the software. The instructions data are then differentiated by different address ranges. The device 5 can therefore differentiate an instruction from a datum by means of the address passing over the address bus 4. A link 22 connects the processor 2 to the memory 21, a link on which the processor 2 informs the memory 21 that the addressed data must be read or written. The device 5 is connected both to the bus 20 and to the link 22. the memories 6 and 8 of the device are advantageously used to control the use of the data defined in the memory 21. Each location is associated with a location of the memories 6 and 8, location in which a pointer can be stored which can take four current positions. For example, two bits are used to store these four current positions. The first current position, for example denoted 00 by means of the two bits, represents the fact that the software has not accessed the corresponding data. The second current position, for example denoted 01 by means of the two bits, represents the fact that the software has read the value of the data before having written it. The third current position, for example denoted 10 by means of the two bits, represents the fact that the software has written a value of the data before having read it. The fourth current position, for example denoted 11 by means of the two bits, represents the fact that the software has written a value of the data and read it. Advantageously, during validation tests, the method of the invention consists, for each piece of data, in generating an indicator, called KO indicator, making it possible to know whether the data has been read without having been written beforehand. In other words, the KO indicator is an indicator for passing through the second current position denoted 01. When erasing the content of memories 6 and 8, for each datum, the pointer takes the first current position, ie 00. During software validation tests, the current position of the pointer of each data is modified according to the use made by the software of the different data. If for a datum, the pointer takes the second current position 01, the KO indicator is activated and remains activated until the end of the validation tests. Similarly, if for a data item, the pointer takes the third current position 10, the OK indicator is activated and remains activated until the end of the validation tests. Each of the two indicators can be stored in memories 6 and 8 on a single bit, each taking the value 1 when it is activated and 0 when it is not. For the result of the data flow check to be positive, that is to say that the two requirements described above are fulfilled, it is necessary that all data is associated only with fourth values and that no indicator of KO has not been validated. Advantageously, during validation tests, the method of the invention consists, for each data item, in generating an indicator, known as an OK indicator, making it possible to know whether the data item has been written without having been read beforehand, then read. In other words, the OK indicator is an indicator for passing through the third current position. Advantageously, the indicator is reset each time the processor 2 is reset to zero. To do this, the reset signal of the processor 2 is memorized. This memorization can be carried out on one bit and in this case, the logic state 1 corresponds for example to the fact that the processor 2 is in operation and the state logic 0 corresponds for example to the fact that processor 2 is reset to zero. For each data item, the number of resets already carried out on processor 2 is also stored. If during a validation test, for a given item, the number of resets stored does not correspond to the number of current resets of processor 2 , the pointer is returned to the first current position denoted 00. An example of an algorithm used during software validation tests to control the flow of data used by processor 2.

Exemple d'algorithme utilisé lors des tests de validation du logiciel pour contrôler la couverture structurelle du logicielExample of algorithm used during software validation tests to control the structural coverage of the software

Si le microprocesseur 2 n'est pas remis à zéro Si le signal "contrôle actif est présent Si l'adresse d'une instruction correspond à une zone de mémoire 3 Si l'adresse de l'instruction précédente Aln-1 en mémoire 3 est telle que Ain = Alπ.ι + 1 EMβiAln.-,) = EM6(Aln- |θy « 10 » Si non EMβiAlnJ = EM6(Alπ-ι) |OL^ « 01 » Fin Si Fin Si Fin Si Fin SiIf microprocessor 2 is not reset If the "active control is present" signal If the address of an instruction corresponds to a memory area 3 If the address of the previous instruction Aln-1 in memory 3 is such that Ai n = Al π .ι + 1 EMβiAln.-,) = EM6 (Al n - | θy "10" If not EMβiAl n J = EM6 (Al π -ι) | OL ^ "01" End If End If End If End If

Dans cet algorithme, Ain représente l'adresse de l'instruction de rang n dans l'écriture du logiciel, Aln.ι représente l'adresse de l'instruction de rang n-1 dans l'écriture du logiciel, EM6 représente les deux bits de la mémoire 6 associés à l'adresse Aln-ι . In this algorithm, Ai n represents the address of the instruction of rank n in the writing of the software, Al n .ι represents the address of the instruction of rank n-1 in the writing of the software, EM6 represents the two bits of memory 6 associated with the address Al n -ι.

Exemple d'algorithme utilisé lors des tests de validation du logiciel pour contrôler le flot de données utilisées par le processeurExample of algorithm used during software validation tests to control the flow of data used by the processor

Si le microprocesseur 2 n'est pas remis à zéro Si la position mémorisée du signal de remise à zéro du processeur 2 est à "0" • on incrémente le compteur courant de nombre de remise à zéro et on indique une position mémorisée de remise à zéro à "1" Fin Si Si le signal "contrôl actif est positionné Si l'adresse sur le bus d'adresse correspond à une zone de mémoire de données Si le nombre de remise à zéro du dernier passage à cette adresse ne correspond pas au compteur de reset courant • on indique que le dernier passage à cette adresse correspond au compteur de nombre de remise à zéro courant • on met la "position courante" à "00" Fin Si Si le signal "écriture lecture " est positionné à "lecture " • nouvelle "position courante" = OUfancienne "position courante";"01") Sinon • nouvelle "position courante" = OUfancienne "position courante";! 0") Fin Si Si "position courante" = "01" • on positionne l'indicateur de KO à "1" Fin Si Si "position courante" = "11 " • on positionne l'indicateur de OK à "1" Fin Si Fin Si Fin Si Sinon • on indique une position mémorisée du signal de remise à zéro du processeur 2 à "0" Fin Si If the microprocessor 2 is not reset If the memorized position of the reset signal of processor 2 is at "0" • the current counter of the reset number is incremented and a memorized reset position is indicated zero to "1" End If If the "active control" signal is set If the address on the address bus corresponds to a data memory area If the number of resets to zero of the last pass to this address does not correspond to the current reset counter • it indicates that the last passage at this address corresponds to the current reset number counter • the "current position" is set to "00" End If If the "write read" signal is set to "read "• new" current position "= OUfancienne" current position ";" 01 ") Otherwise • new" current position "= OUfancienne" current position ";! 0") End If If "current position" = "01" • set KO indicator at "1" End If If "current position te "=" 11 "• set the OK indicator to" 1 "End If End If End If Otherwise • indicate a memorized position of the reset signal from processor 2 to" 0 "End If

Claims

REVENDICATIONS 1. Dispositif de contrôle de la couverture structurelle d'un logiciel mis en œuvre par un processeur (2), le logiciel étant stocké dans une première mémoire (3), le logiciel comportant des instructions localisables par des adresses circulant sur un bus d'adresses (4) reliant le processeur (2) à la première mémoire (3), caractérisé en ce qu'il comprend une seconde mémoire (6) reliée au bus d'adresses (4) permettant de mémoriser une première et une seconde valeur associées à chaque adresse, la première valeur indiquant que l'adresse associée a été appelée par le processeur (2) et la seconde valeur indiquant que l'adresse associée n'a pas été appelée par le processeur (2) et en ce que la seconde mémoire (6) permet de mémoriser une troisième et une quatrième valeur associées à chaque adresse, la troisième valeur indiquant que l'instruction localisée à l'adresse est suivie immédiatement dans le déroulement du logiciel par une instruction localisée à l'adresse suivant immédiatement l'adresse associée, la quatrième valeur indiquant que l'instruction localisée à l'adresse n'est pas suivie immédiatement, dans le déroulement du logiciel, par une instruction localisée à l'adresse suivant immédiatement l'adresse associée.1. Device for controlling the structural coverage of software implemented by a processor (2), the software being stored in a first memory (3), the software comprising instructions locatable by addresses circulating on a bus addresses (4) connecting the processor (2) to the first memory (3), characterized in that it comprises a second memory (6) connected to the address bus (4) making it possible to store a first and a second associated value at each address, the first value indicating that the associated address has been called by the processor (2) and the second value indicating that the associated address has not been called by the processor (2) and in that the second memory (6) makes it possible to store a third and a fourth value associated with each address, the third value indicating that the instruction located at the address is immediately followed in the course of the software by an instruction located at the address immediately following the associated address, the fourth value indicating that the instruction located at the address is not immediately followed, in the course of the software, by an instruction located at the address immediately following the associated address. 2. Dispositif selon la revendication 1, caractérisé en ce qu'il comporte des moyens (7) pour comparer le contenu de la seconde mémoire2. Device according to claim 1, characterized in that it comprises means (7) for comparing the content of the second memory (6) avec une liste des adresses où des instructions existent.(6) with a list of addresses where instructions exist. 3. Dispositif selon l'une des revendications précédentes, caractérisé en ce que les quatre valeurs sont stockables dans deux bits de la seconde mémoire (6) et en ce qu'il comporte des moyens pour donner aux bits de la seconde mémoire (6) un état logique représentatif d'un appel par le processeur (2) de l'adresse associée et de l'adresse suivant immédiatement l'adresse associée dans le déroulement du logiciel. 3. Device according to one of the preceding claims, characterized in that the four values can be stored in two bits of the second memory (6) and in that it comprises means for giving the bits of the second memory (6) a logic state representative of a call by the processor (2) of the associated address and of the address immediately following the associated address in the course of the software. 4. Dispositif selon l'une quelconques des revendications précédentes, caractérisé en ce qu'il comporte des moyens (7) pour déterminer dans le contenu de la seconde mémoire (6) si pour des instructions comportant des choix décisionnels, les troisième et quatrièmes valeurs ont été activées. 4. Device according to any one of the preceding claims, characterized in that it comprises means (7) for determining in the content of the second memory (6) whether for instructions comprising decision-making choices, the third and fourth values have been activated. 5. Dispositif selon l'une quelconques des revendications précédentes, caractérisé en ce que les moyens pour donner aux bits de la seconde mémoire (6) un état logique représentatif d'un appel par le processeur (2) de l'adresse associée et de l'adresse suivant immédiatement l'adresse associée dans le déroulement du logiciel comportent un composant (7) comprenant des éléments logiques programmables.5. Device according to any one of the preceding claims, characterized in that the means for giving the bits of the second memory (6) a logical state representative of a call by the processor (2) of the associated address and of the address immediately following the associated address in the course of the software comprises a component (7) comprising programmable logic elements. 6. Dispositif selon l'une des revendications précédentes, caractérisé en ce qu'il comporte des moyens autonomes d'alimentation du dispositif, moyens indépendants de moyens d'alimentation du processeur (2) et de la première mémoire (3).6. Device according to one of the preceding claims, characterized in that it comprises autonomous means for supplying the device, means independent of means for supplying the processor (2) and the first memory (3). 7. Dispositif selon l'une des revendications précédentes, caractérisé en ce que la seconde mémoire (6) est du type à accès aléatoire, en ce que le dispositif (5) comporte de plus une troisième mémoire (8) de sauvegarde destinée à recevoir l'ensemble des données présentes dans le seconde mémoire (6). 7. Device according to one of the preceding claims, characterized in that the second memory (6) is of the random access type, in that the device (5) further comprises a third backup memory (8) intended to receive all the data present in the second memory (6). 8. Dispositif selon l'une des revendications précédentes, caractérisé en ce qu'il comporte des moyens (7) pour effacer l'ensemble du contenu de la seconde mémoire (6) sur un ordre extérieur.8. Device according to one of the preceding claims, characterized in that it comprises means (7) for erasing the entire content of the second memory (6) on an external order. 9. Dispositif selon l'une des revendications précédentes, caractérisé en ce que le dispositif (5) comporte des moyens de contrôle d'un flot de données utilisées par le processeur (2).9. Device according to one of the preceding claims, characterized in that the device (5) comprises means for controlling a flow of data used by the processor (2). 10. Procédé mettant en œuvre un dispositif selon l'une des revendications précédentes, caractérisé en ce qu'il consiste à - effacer l'ensemble du contenu de la seconde mémoire (6), - effectuer des tests de validation du logiciel, - comparer le contenu de la seconde mémoire (6) avec une liste des adresses où des instructions existent. 10. Method implementing a device according to one of the preceding claims, characterized in that it consists in - erasing the entire content of the second memory (6), - carrying out software validation tests, - comparing the content of the second memory (6) with a list of addresses where instructions exist. 11. Procédé selon la revendication 10, mettant en œuvre un dispositif selon la revendication 3, caractérisé en ce qu'il consiste à - analyser le contenu de la seconde mémoire (6) - pour chaque instruction comprenant un choix décisionnel, on vérifie que les troisième et quatrième valeurs ont été renseignées.11. Method according to claim 10, implementing a device according to claim 3, characterized in that it consists in - analyzing the content of the second memory (6) - for each instruction comprising a decisional choice, it is checked that the third and fourth values have been entered. 12. Procédé selon l'une quelconques des revendications 10 ou 11, caractérisé en ce que lors des tests de validation la mémorisation des valeurs est interrompue lorsque le processeur (2) est remis à zéro.12. Method according to any one of claims 10 or 11, characterized in that during validation tests the storage of the values is interrupted when the processor (2) is reset. 13. Procédé selon l'une quelconques des revendications 10 à 12, procédé mettant en œuvre un dispositif comportant des moyens de contrôle d'un flot de données utilisées par le processeur (2), le procédé étant caractérisé en ce que lors des tests de validation, il consiste, pour chaque donnée, à générer un indicateur (OK) permettant de savoir si la donnée a été écrite sans avoir été lue au préalable.13. Method according to any one of claims 10 to 12, method implementing a device comprising means for controlling a data flow used by the processor (2), the method being characterized in that during the tests of validation, it consists, for each data, to generate an indicator (OK) allowing to know if the data was written without having been read beforehand. 14. Procédé selon l'une quelconques des revendications 10 à 13, procédé mettant en œuvre un dispositif comportant des moyens de contrôle d'un flux de données utilisées par le processeur (2), le procédé étant caractérisé en ce que lors des tests de validation, il consiste, pour chaque donnée, à générer un indicateur (KO) permettant de savoir si la donnée a été lue sans avoir été écrite au préalable.14. Method according to any one of claims 10 to 13, method implementing a device comprising means for controlling a data flow used by the processor (2), the method being characterized in that during the tests of validation, it consists, for each piece of data, in generating an indicator (KO) allowing to know if the data has been read without having been written beforehand. 15. Procédé selon l'une quelconques des revendications 13 ou 14, caractérisé en ce que l'indicateur est réinitialisé à chaque fois que le processeur (2) est remis à zéro. 15. Method according to any one of claims 13 or 14, characterized in that the indicator is reset each time the processor (2) is reset to zero.
EP05754129A 2004-06-22 2005-06-21 Device for controlling the structural coverage of a software program and method of implementing said device Withdrawn EP1763757A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR0406783A FR2871907B1 (en) 2004-06-22 2004-06-22 DEVICE FOR CONTROLLING THE STRUCTURAL COVERAGE OF A SOFTWARE AND METHOD IMPLEMENTING THE DEVICE
PCT/EP2005/052892 WO2005124555A2 (en) 2004-06-22 2005-06-21 Device for controlling the structural coverage of a software program and method of implementing said device

Publications (1)

Publication Number Publication Date
EP1763757A2 true EP1763757A2 (en) 2007-03-21

Family

ID=34947373

Family Applications (1)

Application Number Title Priority Date Filing Date
EP05754129A Withdrawn EP1763757A2 (en) 2004-06-22 2005-06-21 Device for controlling the structural coverage of a software program and method of implementing said device

Country Status (4)

Country Link
US (1) US7895577B2 (en)
EP (1) EP1763757A2 (en)
FR (1) FR2871907B1 (en)
WO (1) WO2005124555A2 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070745A1 (en) * 2007-09-04 2009-03-12 Mark Everly System and corresponding method for testing software embedded in an electronic device
US9582410B2 (en) 2010-10-27 2017-02-28 International Business Machines Corporation Testing software on a computer system
GB2593356A (en) * 2018-10-15 2021-09-22 Zact Inc Transaction management system

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3577760D1 (en) * 1985-12-30 1990-06-21 Ibm Deutschland METHOD AND DEVICE FOR ANALYZING CONTROL PROGRAMS.
US5050168A (en) * 1989-12-29 1991-09-17 Paterson Timothy L Test coverage analyzer
JPH04239338A (en) * 1991-01-11 1992-08-27 Nec Corp Measuring system for microprogram comprehension rate
US5390323A (en) * 1991-08-05 1995-02-14 Amdahl Corporation Microstore reference logging
US6071316A (en) * 1997-09-29 2000-06-06 Honeywell Inc. Automated validation and verification of computer software
US5968188A (en) * 1998-03-10 1999-10-19 Grammar Engine System for providing real-time code coverage
US6536036B1 (en) * 1998-08-20 2003-03-18 International Business Machines Corporation Method and apparatus for managing code test coverage data
US7111290B1 (en) * 1999-01-28 2006-09-19 Ati International Srl Profiling program execution to identify frequently-executed portions and to assist binary translation
US6959431B1 (en) * 1999-05-13 2005-10-25 Compuware Corporation System and method to measure and report on effectiveness of software program testing
US7143394B1 (en) * 2001-12-21 2006-11-28 Emc Corporation Analyzing software behavior
US6978401B2 (en) * 2002-08-01 2005-12-20 Sun Microsystems, Inc. Software application test coverage analyzer
US20050043913A1 (en) * 2003-08-19 2005-02-24 Rex Hyde Method of determining the level of structural coverage testing of test cases which are written for a program that does not provide for structural coverage testing
US7480899B2 (en) * 2004-03-22 2009-01-20 International Business Machines Corporation Method and apparatus for autonomic test case feedback using hardware assistance for code coverage

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2005124555A3 *

Also Published As

Publication number Publication date
WO2005124555A2 (en) 2005-12-29
US20070239959A1 (en) 2007-10-11
WO2005124555A3 (en) 2006-10-05
US7895577B2 (en) 2011-02-22
FR2871907A1 (en) 2005-12-23
FR2871907B1 (en) 2006-09-08

Similar Documents

Publication Publication Date Title
FR2977694A1 (en) MICROPROCESSOR PROTECTS AGAINST A BATTERY OVERFLOW
FR2845175A1 (en) METHOD AND SYSTEM FOR SWITCHING BETWEEN TWO OR MORE IMAGES OF SOFTWARE ON A HOST DEVICE
FR2612316A1 (en) INTEGRATED CIRCUIT BOARD HAVING INTERNAL ERROR INTELLIGENCE CAPABILITY
FR3055992A1 (en) INDEX MANAGEMENT IN A FLASH MEMORY
FR2642544A1 (en) Data processing system with a security program
EP2049967A2 (en) Controlled frequency core processor and method for starting-up said core processor in a programmed manner
FR2473766A1 (en) DISPLAY DEVICE FOR BLOCKS OF SEQUENCES
EP1763757A2 (en) Device for controlling the structural coverage of a software program and method of implementing said device
FR2594984A1 (en) INTEGRATED CIRCUIT BOARD ELEMENT FOR DATA PROCESSING DEVICE
EP0838053B1 (en) Method and device enabling a fixed programme to be developed
EP0543698A1 (en) Device for employment of fault information in a single/multi-computer aircraft system
CN113760631B (en) Page loading time length determining method, device, equipment and storage medium
EP0006485B1 (en) Page addressing mechanism in a data processing system
EP0018238A1 (en) Calculation method and assembly for the presentation of randomly upward or downward biased calculation results, and with determination of the number of correct significant digits
FR2926147A1 (en) On-board computer configuring method for motor vehicle, involves writing collection of switch indexes in zone of memory to select one of pointers in data structure towards one of calibrations of file contained in another zone of memory
FR2475763A1 (en) DIGITAL PROCESSOR WITH PIPELINE STRUCTURE
CA2264896A1 (en) Security module comprising means generating links between main files and auxiliary files
EP3131005A1 (en) Train embedded electronic device comprising a boot program with one or more startpartitions, and the associated train vehicle and system
FR2821449A1 (en) METHOD FOR MANAGING INSTRUCTIONS WITHIN A PROCESSOR WITH DECOUPLED ARCHITECTURE, IN PARTICULAR A PROCESSOR FOR DIGITAL SIGNAL PROCESSING, AND CORRESPONDING PROCESSOR
CN109254862A (en) It is automatically repaired method, mobile terminal and the storage medium of DDR overturning
FR2458844A1 (en) Signal interruption system for micro-programme - inserts alternative address into micro-programme to change micro-instruction priority sequence
EP0020931B1 (en) Programme interrupt processor for computer with instruction pre-fetch
FR2695739A1 (en) Data treatment process for e.g. robot, automatic machine - uses memory area to store boolean data on robot inputs and outputs for treatment by co-processor
WO1999040513A1 (en) Management of interruptions on a computer platform
EP0694886B1 (en) Electronic franking system with a rechargeable operating programm in a flash memory

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20061205

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LI LT LU MC NL PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA HR LV MK YU

DAX Request for extension of the european patent (deleted)
RBV Designated contracting states (corrected)

Designated state(s): DE FR GB

17Q First examination report despatched

Effective date: 20090824

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20160105