
Testing SW/HW Interfaces with Simulated Systems

Contents

Testing HW/SW Interfaces in the As-Built System

NASA IV&V Facility Independent Test Capability
ivv-itc@lists.nasa.gov
http://www.nasa.gov/centers/ivv/jstar/ITC.html
Presenter: Steven Seeger, sseeger@mpl.com
November 9, 2012

Agenda

- NASA's IV&V Program
- Independent Test Capability (ITC)
- ITC Simulation Architecture
- Hardware Overview
- Project Work: Issues Found
- Conclusion

Independent Verification and Validation (IV&V) Facility

- IV&V grew out of the Challenger accident in 1986
  - IV&V implemented on the Space Shuttle Program
- NASA wanted to further expand IV&V
  - Technical Independence: Achieved by IV&V personnel who use their expertise to assess development processes and products independent of the developer
  - Managerial Independence: Requires responsibility for the IV&V effort to be vested in an organization separate from the organization responsible for performing the system implementation
  - Financial Independence: Requires that control of the IV&V budget be vested in an organization independent of the development organization

Independent Test Capability

- ITC team is chartered to acquire, develop, and maintain test environments for NASA's IV&V Program to enable the dynamic analysis of software behaviors for multiple missions
- ITC team provides tools for IV&V analysts to perform independent testing
- Develop simulators
- Acquire and support hardware for IV&V
- Acquire and integrate existing simulations

Dynamic vs Static

- Static code analysis syntactically verifies code
  - Language rules verified
  - Issues identifiable at compile time are discovered
- Dynamic analysis semantically verifies code
  - Behaviors are verified
  - Issues at runtime are discovered
- Dynamic analysis yields far fewer false positives than static analysis
- Approaches complement each other

ITC Simulation Architecture

[Figure: System Emulator, cPCI Backplane]

Hardware/Software Interaction

- Flight software accesses hardware
- FSW typically uses memory mapped registers
  - Registers on external boards (cPCI, VME, etc.)
  - 1, 2, or 4 byte access
- Hardware accesses can also be discrete lines
  - General Purpose Input/Output (GPIO)
  - CompactPCI (cPCI) discretes

Hardware/Software Interface Control Document (ICD)

- Access to hardware defined in a HW/SW ICD
  - Define memory map
  - Describe registers
    - Bits
    - Fields
- ICD is a hardware user manual for software
  - Informs software engineer of the right way (and sometimes the wrong way) to do things

Hardware Modeling

- ITC team provides executable environment for software binaries
- Emulated hardware written as software
- NASA specific hardware models created by ITC
- Re-creation of hardware interfaces from ICD
  - Memory mapped IO, registers, etc.
- Behavior modeled from description in ICD
- HW/SW ICD rules checked in the model at very minimal cost
  - Regression testing
  - ICD verification

Method

- When modeling hardware, behaviors should be driven by the ICD
- Preconditions for some operation as defined in the ICD should be checked by the model
- Log any undefined behavioral states as defined by ICD
- If the ICD defines behavior outside the level of detail for the simulation, it can be ignored
- If behavior affects pre or post conditions, it must be minimally implemented to perform these checks
- Not all timing requirements need to be modeled, but if the ICD makes a statement like "this bit must not be set until 1 ms after that bit", then timing must be taken into account

Benefits of Approach

- Can detect correct or incorrect use of hardware as described in ICD
- Undefined behavioral states are detected
- Regression testing for free
- Examples
  - Use some bank of memory unless a problem detected
  - Do not access some register before hardware indicates completion of some operation
  - Only write certain bit patterns in a field
- Verifies FSW follows rules correctly

Case Study

- ITC is developing a project simulator
  - Rad750 CPU
  - cPCI backplane
  - Board A
  - Board B
  - Board C (x3)
- Core of work is modeling the three types of boards
- Boards created entirely from several ICDs
- During the course of development, three major issues were discovered in the FSW

Issue 1: Introduction

- ICD describes interface to Summit 1553 chip
  - MIL-STD-1553 (A or B) is structured communication bus commonly used in aerospace
  - Bus consists of a single bus controller and several remote terminals
- Summit 1553 chip
  - Commonly used part
  - Has several 16-bit registers
- Issue: clearing illegalization registers

Issue 1: Part 1

- Board A has two Summit 1553 chips with several 16-bit registers accessed as 32-bit accesses, providing two 16-bit accesses at once

Excerpt From ICD:

"The same 2-word concatenation occurs when the IFSW uses the cPCI bus to read from or write to the registers that are internal to the DXE5 chips. As shown in Table 6-1 and Table 6-5, a dword read from one of the cPCI addresses used for the DXE5 internal registers returns the contents of a consecutive pair of 16-bit DXE5 registers. And a dword written to one of the cPCI addresses used for the DXE5 internal registers actually affects the contents of a consecutive pair of 16-bit DXE5 registers."

Summit1553.c:

    /* clear all 16 16-bit illegalization regs with 8 32-bit writes */
    for (i = 0; i < 8; i++) {
        summitRtRegs->illegalization[i*2] ...

Issue 1: Part 2

Excerpt From ICD: Table 6-1, Packed 32-bit Read/Write Accesses for RT DXE5 Internal Registers (the cPCI Address column did not survive extraction)

    Bits 31:16                                  Bits 15:0
    Operational Status Register (1)             Control Register (0)
    Interrupt Mask Register (3)                 Current Command Register (2)
    Interrupt Log List Pointer Register (5)     Pending Interrupt Register (4)
    Time Tag Register (7)                       Built-In-Test (BIT) Word Register (6)
    1553 Status Word Bits Register (9)          RT Descriptor Pointer Register
    Register 11 is Not Used                     Register 10 is Not Used
    Register 13 is Not Used                     Register 12 is Not Used
    Register 15 is Not Used                     Register 14 is Not Used
    Receive SA Illegalization Registers 17 and 16
    Transmit SA Illegalization Registers 19 and 18
    Broadcast Receive SA Illegalization Registers 21 and 20
    Broadcast Transmit SA Illegalization Registers 23 and 22
    [remaining Mode Code illegalization rows are illegible in the source]

Issue 1: Part 3

summit1553Registers.h:

    typedef struct
    {
        SuControlStatusReg   controlStatus;
        SuCmdIntmaskReg      cmdIntmask;          /* offset 0x04 */
        SuIntLogIntPendReg   intLogPending;       /* offset 0x08 */
        SuBitTimetagReg      bitTimetag;          /* offset 0x0c */
        SuSrtDescStatusReg   srtDescStatus;       /* offset 0x10 */
        unsigned short       reserved_1[6];       /* offset 0x14-0x1e */
        unsigned short       illegalization[16];  /* offset 0x20-0x3e */
        unsigned short       reserved_2[16];      /* offset 0x40-0x5e */
        unsigned short       reserved_3[16];      /* offset 0x60-0x7e */
        unsigned short       reserved_4[16];      /* offset 0x80-0x9e */
        unsigned short       reserved_5[16];      /* offset 0xa0-0xbe */
        unsigned short       reserved_6[16];      /* offset 0xc0-0xde */
        unsigned short       reserved_7[16];      /* offset 0xe0-0xfe */
        unsigned long        cardControl;         /* offset 0x100 */
    } SuRegs;

Issue 1: Part 4

- Unsigned short: that's 2 byte, not 4 byte. That's a bug
- The programmer's own comment indicates 8 4-byte accesses, but there are really 8 2-byte accesses that skip every odd-numbered register
- The actual hardware will accept the 2-byte access on PowerPC (PPC)
- The hardware model will not
  - It threw an error and halted
  - In order to continue the simulation work, either the hardware model must be hacked or the software binary changed to use 4-byte opcodes here instead of 2-byte opcodes

Issue 1: Part 5

- Illegalization registers allow some 1553 traffic to be ignored
- On power-on these registers are set to 0
- Flight Software (FSW) does not currently change them
  - In fact, the ICD says they are not to be used
- In the case of a power glitch, SEU, or access to these registers via memory load, a soft reset will not correctly clear them

Issue 2: Introduction

- SpaceWire: ESA specification implemented in many NASA projects
  - SPW uses routers to send messages to where they need to go
  - Sender must know where to send messages
- Project has board with SpaceWire and a fault injection register
- An invalid value is written to the register

Issue 2: Part 1

Excerpt From ICD: Table 4-6, cPCI Address Assignments for ... (continued)

Columns: cPCI Address, Name, Description, Reference(s). Legible entries: Start of Address for Function 4212H; SpaceWire Link Configuration Register; references to Table 5-1, Table 5, Table 6-34, Table 6-80 and Table 6-62.

DaqxxxPwrCtrl.cpp:

    brdCPciWrite32(yyyyPwrCtrl.brdCChan[brdCId].builtInTestReg,   // Built In Test Register
                   BRDC_LIGHTS_OFF);

brdCctrldef.h:

    #define BRDC_LIGHTS_OFF 0x3F

Issue 2: Part 2

brdCCtrl.cpp:

    // XXXX Registers Offset
    xxxxRegBaseAddr = brdCBaseAddr + FCSI_REG_OFFSET;

    // YYYY Built In Test (BIT) Registers
    brdCChan[brdCId].builtInTestReg = brdCBaseAddr + YYYYBIT_REG_OFFSET;

    // Built In Test Register
    brdCChan[brdCId].builtInTestReg = xxxxRegBaseAddr + BUILTINTEST_REG_OFFSET;

- These are in the same scope
- First value is never used, so it is clobbered
- brdCBaseAddr depends on which brdC board is being worked on (brdC_1: 0xc0000000)

brdCctrldef.h:

    #define XXXX_REG_OFFSET        0x6000000
    #define YYYYBIT_REG_OFFSET     0x7000000
    #define BUILTINTEST_REG_OFFSET 0x0010

- First setting is 0xc7000000
  - This appears to have been an address for a test port. It is not defined in the ICD
- Second setting is 0xc0000000 + 0x6000000 + 0x10 (SpaceWire configuration link reg)

Issue 2: Part 3

Excerpt From ICD: Table 5-5, SpaceWire Link Configuration Register (0x000010)

Columns: Bits, Description, Default. Legible entries: "Cause a parity error"; "101 >" (remainder illegible); "Generate Parity Error on Link Rx Data"; "Generate Parity Error on Link Tx Data".

- Writes 0x3f
- That's writing reserved bits and undocumented pattern in parity error injection

Issue 2: Part 4

- Hardware model had two errors logged
  - Writing 1 to reserved field
  - Writing unknown pattern to defined field
- Impact is that they will incorrectly inject fault into system if the register is not updated later

Issue 3: Introduction

- Summit 1553 chip uses SRAM module
- Project uses module twice the required size, providing two banks
- The software is written to use the wrong bank

Issue 3: Part 1

Excerpt From ICD:

"The two Bank Select bits (one for each of the two separate BC and RT memories) are both initialized to 0 at C&DH subsystem power-on, and they should never be changed to 1 unless there has been some kind of SRAM problem. If changing a Bank Select bit is ever required, then the IFSW must make any change at the very beginning of its two 1553B SRAM initialization sequences, and before any descriptor table entries or data values or other information have been written to the selected bank of SRAM."

Issue 3: Part 2

brdACard.h:

    #define BRDA_1553_CFG_USE_UPPER_BANK 0x00000001

Summit1553.c:

    if (summitStop(summitRtRegs) == OK &&
        summitReset(summitRtRegs, BRDA_1553_CFG_USE_UPPER_BANK) == OK &&
        summitClearMem((unsigned long)summitRtMem,
                       (unsigned long)brdABaseAddr + BRDA_1553_RT_SRAM_ADDR_END) == OK)

    static STATUS summitReset(SuRegs *p, unsigned long bankSel)

- As you can see, bank 1 is selected for this Summit chip (happens to be RT)
- This is a violation of the ICD

Conclusion

- Analysis of implemented software should include its use of hardware
  - If functionality is correct, and unless hardware is implemented with certain tricks, the developers will never realize these violations are occurring
- Software-only simulators provide mechanisms to support vigorous IV&V activities
- Build software-only simulations with sufficient level of detail so that ICD errors like these can be found "for free"
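
The kind of ICD rule checking the Method slide describes, applied to the writes from Issues 1 and 2, as an added C example that is not code from the presentation or from the ITC simulator. The 3-bit injection field, its single documented pattern 0x5, the stored value 0 and all function names are assumptions made for illustration; the 0x10 and 0x20 offsets, the 0x3F value and the loop shape come from the slides.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout for illustration; field positions are assumptions, not ICD data. */
#define LINKCFG_OFF  0x10u  /* link configuration register offset (from the slides) */
#define INJECT_MASK  0x07u  /* assumed: bits 2..0 hold the parity-error injection field */
#define INJECT_ON    0x05u  /* assumed: the only documented non-zero pattern */
#define ILLEGAL_BASE 0x20u  /* illegalization[16], packed pairs: dword access only */
#define ILLEGAL_END  0x40u

enum { V_WIDTH = 1, V_RESERVED = 2, V_PATTERN = 4 };
typedef struct { unsigned logged; } Model;

/* Check one bus write against the rules; return the bitmask of rules it broke. */
unsigned model_write(Model *m, uint32_t off, unsigned size, uint32_t val)
{
    unsigned v = 0;
    uint32_t field = val & INJECT_MASK;
    if (off >= ILLEGAL_BASE && off < ILLEGAL_END && (size != 4 || (off & 3u)))
        v |= V_WIDTH;                      /* Issue 1: not a full dword access */
    if (off == LINKCFG_OFF && (val & ~INJECT_MASK))
        v |= V_RESERVED;                   /* Issue 2: 1 written to reserved bits */
    if (off == LINKCFG_OFF && field != 0 && field != INJECT_ON)
        v |= V_PATTERN;                    /* Issue 2: undocumented field pattern */
    if (v) {
        m->logged++;
        fprintf(stderr, "ICD violation %#x: off=%#x size=%u val=%#x\n",
                v, (unsigned)off, size, (unsigned)val);
    }
    return v;
}

/* Eight stores to illegalization[i*2] (byte offset i*4), the loop shape on the
   slide; width 2 is the as-built store, 4 what its comment intended. Value 0 assumed. */
unsigned clear_illegalization(Model *m, unsigned width)
{
    unsigned bad = 0;
    for (unsigned i = 0; i < 8; i++)
        bad += model_write(m, ILLEGAL_BASE + i * 4, width, 0) != 0;
    return bad;
}

int main(void)
{
    Model m = {0};
    printf("2-byte clear: %u violations\n", clear_illegalization(&m, 2));
    printf("4-byte clear: %u violations\n", clear_illegalization(&m, 4));
    printf("write 0x3F:   mask %#x\n", model_write(&m, LINKCFG_OFF, 4, 0x3F));
    return 0;
}
```

Both loops touch the same eight addresses; only the access width differs, which is why the defect is invisible on hardware that tolerates the narrower store and shows up only in a model that enforces the rule.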
