From 48fbdb98cce4042092009588722ea2d5e450ae72 Mon Sep 17 00:00:00 2001
From: manuelfehlhammer
Date: Mon, 16 Mar 2026 10:09:29 +0100
Subject: [PATCH 1/3] Add method FMEA

Issue: No
---
 .../root_causes/proxy/call_method/BUILD | 22 +++++++++++
 .../proxy/call_method/call_blocks_fta.puml | 26 +++++++++++++
 .../call_method/wrong_in_args_used_fta.puml | 38 +++++++++++++++++++
 .../call_method/wrong_method_called_fta.puml | 28 ++++++++++++++
 .../call_method/wrong_results_used_fta.puml | 37 ++++++++++++++++++
 5 files changed, 151 insertions(+)
 create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
 create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
 create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml
 create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml
 create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml

diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
new file mode 100644
index 000000000..8e17f2e9f
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
@@ -0,0 +1,22 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+filegroup(
+ name = "wrong_method_called_fta",
+ srcs = [
+ "wrong_method_called_fta.puml",
+ ],
+ visibility = ["//visibility:public"],
+)
+
+
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
new file mode 100644
index 000000000..103edbe1a
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
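Review bot: The only target in this BUILD file, `filegroup(name = "wrong_method_called_fta", …)`, exports just `wrong_method_called_fta.puml`, so the other three FTA files created by this same patch (`call_blocks_fta.puml`, `wrong_in_args_used_fta.puml`, `wrong_results_used_fta.puml`) are not reachable from the Bazel graph and a consumer that depends on this package's filegroups will silently never see them. Either add them to the `srcs` list — `"call_blocks_fta.puml",` / `"wrong_in_args_used_fta.puml",` / `"wrong_results_used_fta.puml",` — or give each tree its own filegroup, matching how the existing target is named. Separately, this header says `Copyright (c) 2025` while the patch is dated March 2026 and the four `.puml` headers carry an unfilled `{year}` placeholder; pick one consistent, real year across the five new files.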
@@ -0,0 +1,26 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Method Call blocks", "Communication.CallBlocks")
+
+$OrGate("Gate1", "TopEvent")
+$BasicEvent("Method call blocks in message-passing at the caller side -> send blocked", "Event2", "Gate1")
+$BasicEvent("Method call blocks in user-handler at the callee side", "Event3", "Gate1")
+$BasicEvent("Method call blocks in reply at the callee side -> send blocked ", "Event4", "Gate1")
+
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml
new file mode 100644
index 000000000..92d106faf
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml
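Review bot: All three leaves under `Gate1` are anonymous basic events (`Event2`–`Event4`) with no link to a failure mode or measure, whereas `wrong_method_called_fta.puml` in the same patch ties its leaf to `Communication.UserMethodCallHandlerAssignmentWrong`; in particular "Method call blocks in user-handler at the callee side" is user code blocking the caller indefinitely, which presumably has to be closed by an AoU or a timeout on the caller side, and the tree currently gives no hint which. If that coverage exists, attach it here (a `$TransferIn` or the measure's ID in place of `"Event3"`) so the FTA is traceable rather than terminating in a bare event. Minor: the `Event4` label `"...at the callee side -> send blocked "` has a trailing space, and the header still contains the `{year}` template placeholder.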
@@ -0,0 +1,38 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Wrong input arguments used", "Communication.WrongInArgsUsed")
+
+$OrGate("Gate1", "TopEvent")
+$IntermediateEvent("Caller failed to provide correct InArgs", "Event2", "Gate1")
+$IntermediateEvent("Callee used wrong InArgs", "Event6", "Gate1")
+$OrGate("Gate2", "Event2")
+$IntermediateEvent("Caller did not provide InArgs", "Event3", "Gate2")
+$OrGate("Gate3", "Event3")
+$BasicEvent("Caller signalled call before providing InArgs", "Event5", "Gate3")
+$BasicEvent("Someone else signalled call wrongly", "Event7", "Gate3")
+
+$BasicEvent("Caller provided InArgs in wrong location", "Event8", "Gate2")
+$BasicEvent("Caller provided InArgs in wrong layout", "Event9", "Gate2")
+$OrGate("Gate4", "Event6")
+$BasicEvent("Callee used InArgs from wrong location", "Event10", "Gate4")
+$BasicEvent("Callee used InArgs in wrong layout", "Event11", "Gate4")
+$BasicEvent("Callee used InArgs while concurrently updated", "Event12", "Gate4")
+$BasicEvent("InArgs corrupted by 3d party", "Event13", "Gate4")
+
+
+@enduml
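Review bot: `Event13` ("InArgs corrupted by 3d party") is the one leaf here that is an interference event rather than a caller/callee fault, so it deserves a word on what "3rd party" means in this tree: whether it covers only other processes writing into the shared segment, or also a faulty middleware component on the same side, decides which measure (memory protection, CRC, bounds checking) is supposed to close it. I would fix the label to `"InArgs corrupted by 3rd party"` and put a short `'` comment above it stating the assumed writer set, e.g. that any process mapping the segment is assumed able to overwrite it. The `{year}` placeholder in the copyright header is unfilled.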
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml
new file mode 100644
index 000000000..c0f1be7b8
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml
@@ -0,0 +1,28 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Wrong method called", "Communication.WrongMethodCalled")
+
+$OrGate("Gate1", "TopEvent")
+$IntermediateEvent("MethodId mismatch provider/consumer", "Event2", "Gate1")
+$IntermediateEvent("Wrong user handler called", "Event4", "Gate1")
+$IntermediateEvent("Wrongly configured", "Event3", "Event2")
+$TransferIn("Transfer2", "Event3")
+$BasicEvent("User Handler assignment wrong", "Communication.UserMethodCallHandlerAssignmentWrong", "Event4")
+$BasicEvent("MethodId corrupted", "Event5", "Event2")
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml
new file mode 100644
index 000000000..43dd4fb3b
--- /dev/null
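Review bot: `Event2` ("MethodId mismatch provider/consumer") has two children, `Event3` and `Event5`, hung directly off it with no gate, while every other parent in this patch's trees — including `Gate1` in this very file — puts an `$OrGate` between an intermediate event and its children; without a gate the combination logic of the two causes is not expressed, and whether the metamodel even tolerates it is something I cannot tell from here. I would add `$OrGate("Gate2", "Event2")` and reparent the two lines to it: `$IntermediateEvent("Wrongly configured", "Event3", "Gate2")` and `$BasicEvent("MethodId corrupted", "Event5", "Gate2")`. Also `$TransferIn("Transfer2", "Event3")` carries only a generic name and does not say which tree it transfers in from; if the first argument is meant to reference the configuration FTA, naming that tree there (or in a `'` comment) keeps the cross-reference traceable.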
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml
@@ -0,0 +1,37 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Wrong call result used", "Communication.WrongResultsUsed")
+
+$OrGate("Gate1", "TopEvent")
+$IntermediateEvent("Callee failed to provide correct result", "Event2", "Gate1")
+$IntermediateEvent("Caller accesses wrong result", "Event6", "Gate1")
+$OrGate("Gate2", "Event2")
+$IntermediateEvent("Callee did not provide result", "Event3", "Gate2")
+$OrGate("Gate3", "Event3")
+$BasicEvent("Callee signalled call finished before providing result", "Event5", "Gate3")
+$BasicEvent("Someone else signalled call finished wrongly", "Event7", "Gate3")
+
+$BasicEvent("Callee provided result in wrong location", "Event8", "Gate2")
+$BasicEvent("Callee provided result in wrong layout", "Event9", "Gate2")
+$OrGate("Gate4", "Event6")
+$BasicEvent("Caller used result from wrong location", "Event10", "Gate4")
+$BasicEvent("Caller used result in wrong layout", "Event11", "Gate4")
+$BasicEvent("Caller used result while concurrently updated", "Event12", "Gate4")
+
+
+@enduml
From 8c81b87024dd6382f5ec0579e7d77b7dbca24d01 Mon Sep 17 00:00:00 2001
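Review bot: This tree is the mirror image of `wrong_in_args_used_fta.puml` from the same patch, yet under `Gate4` it stops at `Event12` and has no counterpart to that file's `Event13` ("InArgs corrupted by 3d party"); a result written by the callee into shared memory is exposed to the same other writers as the input arguments, so either the omission is deliberate and should be justified in a `'` comment, or the leaf is missing. I would add `$BasicEvent("Result corrupted by 3rd party", "Event13", "Gate4")` so both trees enumerate the same interference cause and the measure that closes it can be traced once for both. The `{year}` copyright placeholder is unfilled here as well.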
From: manuelfehlhammer
Date: Thu, 19 Mar 2026 19:11:47 +0100
Subject: [PATCH 2/3] Fix FMEA section assignment, etc.

Reordered FMEA items into correct sections. Added missing item. Removed outdated items.
---
 .../safety_analysis/failure_modes.trlc | 811 +++++++++--------
 1 file changed, 402 insertions(+), 409 deletions(-)

diff --git a/score/mw/com/requirements/safety_analysis/failure_modes.trlc b/score/mw/com/requirements/safety_analysis/failure_modes.trlc
index 7f424d412..bc6a54e6d 100644
--- a/score/mw/com/requirements/safety_analysis/failure_modes.trlc
+++ b/score/mw/com/requirements/safety_analysis/failure_modes.trlc
@@ -16,302 +16,6 @@ import ScoreReq section "LoLa" { - // ID: 6366726 - ScoreReq.FailureMode InMemoryConfigurationWrong { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "The in-memory (cpp representation) does not match the on file-system JSON configuration." - failureeffect = "Other functionality relies on a correct configuration. Without that, multiple functions can not operate normally which could lead to the violation of a safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "The wrong user-configuration which could cause an abnormal behavior of the mw-implementation is covered via four AoUs. The broken file is ensured via a safety-certified file system. The broken JSON is covered via a safety-certified JSON-Parser implementation. The read-in-logic to our in-memory is covered via a specific preventive measure." - interface = "mw.com.Runtime.Initialize" - } - - // ID: 6165662 - ScoreReq.FailureMode CreationOfSkeletonNotPossible { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "It is not possible to create a skeleton instance" - failureeffect = "No communication possible." - version = 1 - safety = ScoreReq.Asil.B - rationale = "We added an AoU that no Safety-goal shall be harmed, if a service is not offered. Thus, this failure cannot have any safety-related bad effect." - interface = "mw.com.Skeleton.Create" - } - - // ID: 31544607 - ScoreReq.FailureMode ServiceOfferedWithoutInitialFieldValue { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A service is offered, although at least one of its field has no initial value set by the provider." - failureeffect = "A user expects after seeing a service offered, in a call to GetNewSamples(), that he would at least get one new sample. This could hinder the expected semantics on user side, and thus affect any safety goal." 
- version = 1 - safety = ScoreReq.Asil.B - rationale = "By explicitly requesting this case in our requirements and testing the requirement we make sure that the error case is tackled. The not working update functionality is covered already by other FMEA elements in Section SendAnEventOrField" - interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6156955 - ScoreReq.FailureMode ServiceNotOffered { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A skeleton service is offering a service, but the service is silently not offered. Note: offered in this case means, that it is also connectable" - failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." - version = 1 - safety = ScoreReq.Asil.B - rationale = "We added an AoU that no Safety-goal shall be harmed, if a service is not offered. Thus, this failure cannot have any safety-related bad effect." - interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6164063 - ScoreReq.FailureMode ServiceOfferedOnWrongBinding { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A skeleton is offering a service on the wrong binding. Meaning, the service is not offered on the intended binding, but on an unintended one." - failureeffect = "No communication between processes will happen, thus, no information can be exchanged, thus, any overall system functionality can malfunction. The point that a service is offered on another binding should not have any effect, since no consumer will expect the service on this binding." - version = 1 - safety = ScoreReq.Asil.B - rationale = "If a service is offered on the wrong binding, then it will not be visible on the expected binding. Thus, we can handle this part as if the service would not be offered at all. For the wrong binding, where the service is offered, no consumer expects the service, thus, no bad influence can happen." 
- interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6164070 - ScoreReq.FailureMode ServiceOfferedUnderWrongIds { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A skeleton is offering a service with wrong identifiers. This can include a service id, a instance id or also the service version." - failureeffect = "The actual intended communication will not happen, thus potential causing a complete loss of system functionality. In the worst case, the wrong identifiers are used by another service. In that case a wrong consumer could think that he found the right service, leading to a case where garbage data is transmitted, causing any potential issues in the whole system functionality (e.g. violating the top level safety goal)." - version = 1 - safety = ScoreReq.Asil.B - rationale = "If a service is offered on a wrong binding, then the initial service is not offered. Covered by our AoU (\"No guarantee in availability of services\"). It looks different if we overwrite this way another service. This is prevented with explicit preventive measures for each root cause. The Service Discovery Marker files are already handled in the failure mode \"ServiceNotOffered\"" - interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6164082 - ScoreReq.FailureMode OffersAlreadyOfferedService { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A skeleton offers a service that was already offered. Either by another process or by itself." - failureeffect = "Already existing communication could break up. Or data could be overwritten while transmitted. In any case this could cause potential garbage data, which could cause a complete malfunction of the system." - version = 1 - safety = ScoreReq.Asil.B - rationale = "We avoid to overwrite shared memory segments of different processes by having ownership by a single UID which is assigned to a process. 
(This was in place before the FMEA) In addition we support partial restart, which is implemented and traced according to ASIL-B which enables to re-offer a previously offered service in a sane manner. To identify already offered services, control measures via marker files have been introduced." - interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6164086 - ScoreReq.FailureMode ServiceOnlyPartiallyOffered { - guideword = ScoreReq.GuideWord.PartialFunction - description = "A skeleton offers a service, which is not visible to all consumers, but only to parts of them." - failureeffect = "This is equal to the case service not offered, thus no information can be exchanged, thus any overall system functionality can stop." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Since both sub-trees (config is wrong, no ASIL level) are captured via different fault trees, we only need to ensure that all events are actually always registered. This is ensured via an preventive measure." - interface = "mw.com.Skeleton.OfferService" - } - - // ID: 6164171 - ScoreReq.FailureMode ServiceOnlyPartiallyStopOffered { - guideword = ScoreReq.GuideWord.PartialFunction - description = "A skeleton stop offers a service, but the service is still seen a partial set of consumers." - failureeffect = "A service is found by a consumer, even though it shall no longer be found. This shall have no bad influence, since then no data will be send." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Since we agreed on not harming a safety goal on the sudden death of an producer, a partial stop offer (which could be part of a sudden death) can not have any bad effect." - interface = "mw.com.Skeleton.StopOfferService" - } - - // ID: 6164217 - ScoreReq.FailureMode ServiceStopOfferingWrongIds { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A skeleton is stop offering a service under wrong IDs. This can include a service id, a instance id or also the service version." 
- failureeffect = "A wrong service is stop offered. This means that another service might no longer be found, even though it should be found. It could also cause garbage data, depending on the service discovery mechanism. This could cause a complete loss of functionality and influence customer functions" - version = 1 - safety = ScoreReq.Asil.B - rationale = "If a service is stopped on the wrong id, that means that another service is no longer found (AoU existing). The case is that our service is not stopped it all (already covered by second AoU)." - interface = "mw.com.Skeleton.StopOfferService" - } - - // ID: 6164265 - ScoreReq.FailureMode MemoryAllocatedInWrongSection { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "The memory for an event is allocated in the wrong memory section (e.g. in Heap, another Shared Memory segment or the stack)." - failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Any user faults are covered by the AoU, that no user provided types shall be used with the mw::com. The following faults * \"Middleware provided type is wrong\" * \"Shared memory resource not forwarded\" * \"Shared Memory Factory returns wrong memory resource\" * \"Shared Memory resource returns wrong proxy\" * \"Forwarded wrong shared memory segment from the beginning\" * \"Shared Memory Resource opens wrong shared memory segment\" * Stack allocations are prevented by ensure correct working functionality assigned by single requirements. ProxyID overwritten is the most critical part, which needs another safety mechanism. An accidentally overwrite will be covered by additional checks (e.g. CRC). An OffsetPTR corruption would be covered by our active bound checking, so this is no new issue that could occur." 
- } - - // ID: 6164791 - ScoreReq.FailureMode TooFewMemoryAllocated { - guideword = ScoreReq.GuideWord.PartialFunction - description = "The event allocation allocates too few memory (including no memory at all)." - failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." - version = 1 - safety = ScoreReq.Asil.B - rationale = "1. \"Literally wrong number of slots reserved\": Covered by preventive measure \"reserve configured number of slots\" 2. \"More than one SampleAllocateePtr in parallel\": Covered by AoUs (\"one producer, one allocatee ptr\", \"no-copy on send, while holding allocatee ptr\", since copy-send calls allocate implicitly) 3. \"Holds more sample ptr than announced\": Covered by \"a proxy instance shall not retrieve more sample ptr...\" 4. \"Holds more sample ptr than configured\": Covered by AoUs (\"configured maximum number of subscriber\", \" configured maximum number of elements\") 5. \"slot allocation logic broken\": Covered by \"Slot allocation synchronisation\" 6. \"Mapping of wrong EventId\": Covered by \"EventFqId shall be constructed from the associated configuration values\" 7. \"Shared memory truncation fails\": Is controlled by \" A process shall terminate, if the truncation of a shared memory segment fails.\" by transitioning into a safe state. 8. The necessary size calculation cannot fail, since it is just a sizeof() 9. \"Allocate claims to few memory\": Is covered by \"SharedMemoryResource shall allocate the requested memory on an allocate call\" Note: A Proxy can either be a \"regular\" proxy, or an \"ipc tracing\" proxy." - interface = "mw.com.Event.Allocate" - } - - // ID: 6164966 - ScoreReq.FailureMode SendingEventChangesUserData { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A call to send manipulates the data that was provided by the caller." 
- failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Most of the possible errors have been discussed with [ISSUE:Failuremode TooFewMemoryAllocated]. The issue with the generic trace API is covered by its custom preventive measure. Only the direct manipulation is a net yet covered possible fault cause. Which is addressed with our preventive measure." - interface = "mw.com.Event.Send" - } - - // ID: 6164996 - ScoreReq.FailureMode SendingEventOnlyPartiallyNotifiesConsumer { - guideword = ScoreReq.GuideWord.PartialFunction - description = "When data is sent, consumers that have a callback registered, are only partially notified." - failureeffect = "This could cause that data is not processed, causing a complete outage of the system. In the worst case the safety goal could be violated." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Our AoU states that the fault shall not cause safety goal violations. Thus, no additional measures are required." - interface = "mw.com.Event.Send" - } - - // ID: 6165326 - ScoreReq.FailureMode SendingEventSendsToWrongConsumer { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "An event or field is sent to the wrong consumer." - failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." 
- version = 1 - safety = ScoreReq.Asil.B - rationale = "All possible fault causes are already addressed with [ISSUE:Failuremode TooFewMemoryAllocated]" - interface = "mw.com.Event.Send" - } - - // ID: 6165624 - ScoreReq.FailureMode SendingEventDoesNotFreeResources { - guideword = ScoreReq.GuideWord.PartialFunction - description = "Resources in the middleware that have been allocated with a previous allocation, are not freed after returning from send/update." - failureeffect = "This could lead to a resource exhaustion of the system. Leading to a situation where no communication would be possible." - version = 1 - safety = ScoreReq.Asil.B - rationale = "All three steps that could fail during freeing the resources are prevented by their respective requirements." - interface = "mw.com.Event.Send" - } - - // ID: 6165759 - ScoreReq.FailureMode WrongResourcesFreed { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A destruction of one skeleton instances, frees the resources of another skeleton instance." - failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." - version = 1 - safety = ScoreReq.Asil.B - rationale = "A wrong freeing of resources would only be possible by a wrong holding of resources, which is avoided by our two preventive measures." - interface = "mw.com.Skeleton.Destroy" - } - - // ID: 6165782 - ScoreReq.FailureMode NoResourcesFreed { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "The resources allocated on construction and during operation are not freed on destruction." - failureeffect = "Can cause an overall resource exhaustion." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Another safety argument is added that shall avoid that no resources are freed." 
- interface = "mw.com.Skeleton.Destroy" - } - - // ID: 31546222 - ScoreReq.FailureMode StartFindServiceCallbackCalledUnexpectedly { - guideword = ScoreReq.GuideWord.ExceedingFunction - description = "The user-provided callback is invoked, even though it should not be invoked." - failureeffect = "In the worst case, the callback is invoked all the time, which could lead to: The user thinks that a new proxy is found and creates a proxy with an already used handle; A DDoS is performed, where one thread is constantly blocked. Both can lead to violations of safety goals." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Called even though StopFindService has been called, is tackled by the preventive measure: Proxy StopFindService. Called redundantly, is tackled by the preventive measure: \"Invoke FindServiceHandler...\" Wrong inotify events, are impossible, since these come from the OS, which is safety certified (no restriction found in the safety manual). Watches are set wrongly, is tackled by our preventive measure: Correct watches per Instance Identifier" - interface = "mw.com.Proxy.StartFindService" - } - - // ID: 6166029 - ScoreReq.FailureMode ServiceNotFound { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A proxy does not find a service instance, even though it was offered by a skeleton." - failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." - version = 1 - safety = ScoreReq.Asil.B - rationale = "" - interface = "mw.com.Proxy.FindService" - } - - // ID: 6166047 - ScoreReq.FailureMode WrongServiceFound { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A proxy instance finds a wrong service. This could be either a wrong service instance or a completely wrong service." - failureeffect = "The actual intended communication will not happen, thus potential causing a complete loss of system functionality. 
In the worst case, the wrong identifiers are used by another service. In that case a wrong consumer could think that he found the right service, leading to a case where garbage data is transmitted, causing any potential issues in the whole system functionality (e.g. violating the top level safety goal)." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Both faults of wrongly configured and offered under wrong service IDs are covered by other analysis (Failuremode ServiceOfferedUnderWrongIds). For the InstanceSpecifier to Identifier we have the preventive measure \"InstanceSpecifier resolution can not retrieve wrong InstanceIdentifier resolution can not retrieve wrong InstanceIdentifier The last fault is covered by the ensured correct mapping of InstanceIdentifier to path." - interface = "mw.com.Proxy.FindService" - } - - // ID: 6166060 - ScoreReq.FailureMode ServiceIsFoundButDoesNotExist { - guideword = ScoreReq.GuideWord.ExceedingFunction - description = "Finding a service, returns a service, even though no service instance was offered." - failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." - version = 1 - safety = ScoreReq.Asil.B - rationale = "The first root cause cannot happen, since otherwise the Operating System would make stupid stuff. mmap will not map any memory if a file does not exist. \"Service was offered, but not unlinked on stop offer\", is covered by our AoU that we do not notify on termination of the provider side. The other three faults are covered by the two preventive measures." - interface = "mw.com.Proxy.FindService" - } - - // ID: 31545522 - ScoreReq.FailureMode TheSizeReturnedIsBiggerThenTheActualValue { - guideword = ScoreReq.GuideWord.ExceedingFunction - description = "The user receives a size, that is bigger then the actual value." - failureeffect = "Undefined behavior due to wrong memory access." 
- version = 1 - safety = ScoreReq.Asil.B - rationale = "A manipulated size is tackled, by \"Size information in read-only memory\". The right location is ensured via \"Location of type-meta-information information for Generic Proxy\" The wrong set size, is covered by \"The type-meta-information shall be calculated based on the provided event/field type" - interface = "mw.com.GenericProxyEvent.GetSampleSize" - } - - // ID: 31545538 - ScoreReq.FailureMode TheSizeReturnedIsSmallerThenTheActualSize { - guideword = ScoreReq.GuideWord.PartialFunction - description = "The user receives a size, that is smaller then the actual value." - failureeffect = "Only seeing a subset of the data, thus a potential violation of any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Potential faults and measures are the same as [ISSUE:Failuremode TheSizeReturnedIsBiggerThenTheActualValue]" - potentialcause = "Same as [ISSUE:Failuremode TheSizeReturnedIsBiggerThenTheActualValue]" - interface = "mw.com.GenericProxyEvent.GetSampleSize" - } - - // ID: 31545581 - ScoreReq.FailureMode WrongIndicationIfFormatIsSerialized { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A user, using HasSerializedFormat(), receives the wrong value." - failureeffect = "Missinterpretation of data, can lead to any safety violation." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Hard-coded value, not faults possible." - potentialcause = "Hard-coded value, no faults possible." - interface = "mw.com.GenericProxyEvent.HasSerializedFormat" - } - - // ID: 31551259 - ScoreReq.FailureMode NotEnoughMemoryToAllocate { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "Memory for an event or field can not be allocated, because the underlying memory resource is exhausted." 
- failureeffect = "N/A"
- version = 1
- safety = ScoreReq.Asil.B
- }
-
- // ID: 6166260
- ScoreReq.FailureMode SubscribesViaWrongAsilChannel {
- guideword = ScoreReq.GuideWord.PartialFunction
- description = "A proxy uses wrong subscription channel (QM instead of ASIL-B)."
- failureeffect = "A subscription might no reach the producer causing the same effects as described in ."
- version = 1
- safety = ScoreReq.Asil.B
- rationale = "This issue can only happen due to a wrong selection of paths in message passing itself. This cases are already covered on the \"not subscribe\" part, mentioned."
- potentialcause = "Same error root causes as in [ISSUE:FailureMode DoesNotSubscribe]"
- }
-
 // ID: 6165713
 ScoreReq.FailureMode AnyFunctionBlocksLongerThanExpected {
 guideword = ScoreReq.GuideWord.DelayedFunction
@@ -323,6 +27,17 @@ section "LoLa" {
 potentialcause = "e.g. - Blocked mutex (e.g. dead-lock) - Wrong synchronization algorithm - endless loop - crashed services"
 }

+ // ID: 6366726
+ ScoreReq.FailureMode InMemoryConfigurationWrong {
+ guideword = ScoreReq.GuideWord.LossOfFunction
+ description = "The in-memory (cpp representation) does not match the on file-system JSON configuration."
+ failureeffect = "Other functionality relies on a correct configuration. Without that, multiple functions can not operate normally which could lead to the violation of a safety goal."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "The wrong user-configuration which could cause an abnormal behavior of the mw-implementation is covered via four AoUs. The broken file is ensured via a safety-certified file system. The broken JSON is covered via a safety-certified JSON-Parser implementation. The read-in-logic to our in-memory is covered via a specific preventive measure."
+ interface = "mw.com.Runtime.Initialize"
+ }
+
 // ID: 6370893
 ScoreReq.FailureMode FunctionCalledFromMultipleThreads {
 guideword = ScoreReq.GuideWord.UnintendedFunction
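Review bot: The re-inserted `InMemoryConfigurationWrong` item carries no `potentialcause`, while its new neighbours in `section "LoLa"` (`AnyFunctionBlocksLongerThanExpected` just above, `FunctionCalledFromMultipleThreads` just below, and `MisusedApis` in the next hunk) all do; since the `rationale` already enumerates the four causes it argues against, the field can be filled without inventing anything, e.g. `potentialcause = "- wrong user configuration - broken configuration file on the file system - malformed JSON - faulty read-in logic into the in-memory representation"`. The rationale also says the user-configuration case is "covered via four AoUs" without naming them, so a reader cannot check the coverage from this file; listing their IDs would make the argument traceable. Note the argument addresses the file being broken, not it being modified by an unauthorised writer before `mw.com.Runtime.Initialize` reads it — if file integrity or permissions is one of those AoUs, saying so here closes that gap. The enclosing `section "LoLa" {` opens before this hunk.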
@@ -345,25 +60,104 @@ section "LoLa" { potentialcause = "aragen was not implemented according to safety standards and no code-review or safety analysis was performed. Thus any potential issue could happen." } + // ID: 6370915 + ScoreReq.FailureMode MisusedApis { + guideword = ScoreReq.GuideWord.ExceedingFunction + description = "APIs are invoked in either an invalid context or non public APIs are invoked." + failureeffect = "Calling non-public APIs or calling them in the wrong context can lead to un-predictable side-effects. This could cause in the worst case transmitting garbage data, which could cause a violation of any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Each potential cause is covered with a custom AoU." + potentialcause = "Potential causes are: - calling APIs of implementation namespace (aka implementation details, thus avoiding public contracts) - Invoking APIs from static context (aka static lifetime) -> can cause issues with static initialization - Using a different operating system as design for (different underlying AoUs and safety measures) - Throwing callbacks could lead to untested code-paths." + } + section "Skeleton" { section "Creation" { - // ID: 6370915 - ScoreReq.FailureMode MisusedApis { - guideword = ScoreReq.GuideWord.ExceedingFunction - description = "APIs are invoked in either an invalid context or non public APIs are invoked." - failureeffect = "Calling non-public APIs or calling them in the wrong context can lead to un-predictable side-effects. This could cause in the worst case transmitting garbage data, which could cause a violation of any safety goal." + // ID: 6165662 + ScoreReq.FailureMode CreationOfSkeletonNotPossible { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "It is not possible to create a skeleton instance" + failureeffect = "No communication possible." version = 1 safety = ScoreReq.Asil.B - rationale = "Each potential cause is covered with a custom AoU." 
- potentialcause = "Potential causes are: - calling APIs of implementation namespace (aka implementation details, thus avoiding public contracts) - Invoking APIs from static context (aka static lifetime) -> can cause issues with static initialization - Using a different operating system as design for (different underlying AoUs and safety measures) - Throwing callbacks could lead to untested code-paths." + rationale = "We added an AoU that no Safety-goal shall be harmed, if a service is not offered. Thus, this failure cannot have any safety-related bad effect." + interface = "mw.com.Skeleton.Create" } - } section "OfferAService" { + // ID: 31544607 + ScoreReq.FailureMode ServiceOfferedWithoutInitialFieldValue { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A service is offered, although at least one of its field has no initial value set by the provider." + failureeffect = "A user expects after seeing a service offered, in a call to GetNewSamples(), that he would at least get one new sample. This could hinder the expected semantics on user side, and thus affect any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "By explicitly requesting this case in our requirements and testing the requirement we make sure that the error case is tackled. The not working update functionality is covered already by other FMEA elements in Section SendAnEventOrField" + interface = "mw.com.Skeleton.OfferService" + } + + // ID: 6156955 + ScoreReq.FailureMode ServiceNotOffered { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A skeleton service is offering a service, but the service is silently not offered. Note: offered in this case means, that it is also connectable" + failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." 
+ version = 1 + safety = ScoreReq.Asil.B + rationale = "We added an AoU that no Safety-goal shall be harmed, if a service is not offered. Thus, this failure cannot have any safety-related bad effect." + interface = "mw.com.Skeleton.OfferService" + } + + // ID: 6164063 + ScoreReq.FailureMode ServiceOfferedOnWrongBinding { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A skeleton is offering a service on the wrong binding. Meaning, the service is not offered on the intended binding, but on an unintended one." + failureeffect = "No communication between processes will happen, thus, no information can be exchanged, thus, any overall system functionality can malfunction. The point that a service is offered on another binding should not have any effect, since no consumer will expect the service on this binding." + version = 1 + safety = ScoreReq.Asil.B + rationale = "If a service is offered on the wrong binding, then it will not be visible on the expected binding. Thus, we can handle this part as if the service would not be offered at all. For the wrong binding, where the service is offered, no consumer expects the service, thus, no bad influence can happen." + interface = "mw.com.Skeleton.OfferService" + } + + // ID: 6164070 + ScoreReq.FailureMode ServiceOfferedUnderWrongIds { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A skeleton is offering a service with wrong identifiers. This can include a service id, a instance id or also the service version." + failureeffect = "The actual intended communication will not happen, thus potential causing a complete loss of system functionality. In the worst case, the wrong identifiers are used by another service. In that case a wrong consumer could think that he found the right service, leading to a case where garbage data is transmitted, causing any potential issues in the whole system functionality (e.g. violating the top level safety goal)." 
+ version = 1 + safety = ScoreReq.Asil.B + rationale = "If a service is offered on a wrong binding, then the initial service is not offered. Covered by our AoU (\"No guarantee in availability of services\"). It looks different if we overwrite this way another service. This is prevented with explicit preventive measures for each root cause. The Service Discovery Marker files are already handled in the failure mode \"ServiceNotOffered\"" + interface = "mw.com.Skeleton.OfferService" + } + + // ID: 6164082 + ScoreReq.FailureMode OffersAlreadyOfferedService { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A skeleton offers a service that was already offered. Either by another process or by itself." + failureeffect = "Already existing communication could break up. Or data could be overwritten while transmitted. In any case this could cause potential garbage data, which could cause a complete malfunction of the system." + version = 1 + safety = ScoreReq.Asil.B + rationale = "We avoid to overwrite shared memory segments of different processes by having ownership by a single UID which is assigned to a process. (This was in place before the FMEA) In addition we support partial restart, which is implemented and traced according to ASIL-B which enables to re-offer a previously offered service in a sane manner. To identify already offered services, control measures via marker files have been introduced." + interface = "mw.com.Skeleton.OfferService" + } + + // ID: 6164086 + ScoreReq.FailureMode ServiceOnlyPartiallyOffered { + guideword = ScoreReq.GuideWord.PartialFunction + description = "A skeleton offers a service, which is not visible to all consumers, but only to parts of them." + failureeffect = "This is equal to the case service not offered, thus no information can be exchanged, thus any overall system functionality can stop." 
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Since both sub-trees (config is wrong, no ASIL level) are captured via different fault trees, we only need to ensure that all events are actually always registered. This is ensured via an preventive measure."
+ interface = "mw.com.Skeleton.OfferService"
+ }
+ }
+
+ section "StopOfferAService" {
+
 // ID: 6164141
 ScoreReq.FailureMode ServiceOfferingNotStopped {
 guideword = ScoreReq.GuideWord.LossOfFunction
@@ -374,6 +168,17 @@ section "LoLa" {
 rationale = "A sudden death of a producer also does not follow the stop offer service protocol. Thus, the service is still available, but no events are sent. Stop Offer service is a strict subset of the sudden death of a producer, therefor this case is covered by the mentioned AoU."
 }
+ // ID: 6164171
+ ScoreReq.FailureMode ServiceOnlyPartiallyStopOffered {
+ guideword = ScoreReq.GuideWord.PartialFunction
+ description = "A skeleton stop offers a service, but the service is still seen a partial set of consumers."
+ failureeffect = "A service is found by a consumer, even though it shall no longer be found. This shall have no bad influence, since then no data will be send."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Since we agreed on not harming a safety goal on the sudden death of an producer, a partial stop offer (which could be part of a sudden death) can not have any bad effect."
+ interface = "mw.com.Skeleton.StopOfferService"
+ }
+
 // ID: 6164197
 ScoreReq.FailureMode ServiceStopOfferedOnWrongBinding {
 guideword = ScoreReq.GuideWord.UnintendedFunction
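Review bot: The rationale of CreationOfSkeletonNotPossible is the ServiceNotOffered text verbatim ("We added an AoU that no Safety-goal shall be harmed, if a service is not offered"), so the argument never mentions creation itself. If the intended reasoning is that a skeleton that cannot be created also cannot offer its service, the rationale should say that step explicitly, e.g. `rationale = "A skeleton that cannot be created cannot offer its service, so this case reduces to ServiceNotOffered and is covered by the AoU that no safety goal shall be harmed if a service is not offered."`. MisusedApis, moved up to the LoLa level, is the only failure mode in this hunk without an `interface` field; presumably intentional for a cross-cutting mode, but a one-line comment above it stating that would stop the next reader from treating it as an omission. The enclosing section "LoLa" starts outside the hunk.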
@@ -385,6 +190,41 @@ section "LoLa" { potentialcause = "Same as Failuremode ServiceOfferingNotStopped" } + // ID: 6164217 + ScoreReq.FailureMode ServiceStopOfferingWrongIds { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A skeleton is stop offering a service under wrong IDs. This can include a service id, a instance id or also the service version." + failureeffect = "A wrong service is stop offered. This means that another service might no longer be found, even though it should be found. It could also cause garbage data, depending on the service discovery mechanism. This could cause a complete loss of functionality and influence customer functions" + version = 1 + safety = ScoreReq.Asil.B + rationale = "If a service is stopped on the wrong id, that means that another service is no longer found (AoU existing). The case is that our service is not stopped it all (already covered by second AoU)." + interface = "mw.com.Skeleton.StopOfferService" + } + } + + section "AllocateAnEventOrField" { + + // ID: 6164265 + ScoreReq.FailureMode MemoryAllocatedInWrongSection { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "The memory for an event is allocated in the wrong memory section (e.g. in Heap, another Shared Memory segment or the stack)." + failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Any user faults are covered by the AoU, that no user provided types shall be used with the mw::com. 
The following faults * \"Middleware provided type is wrong\" * \"Shared memory resource not forwarded\" * \"Shared Memory Factory returns wrong memory resource\" * \"Shared Memory resource returns wrong proxy\" * \"Forwarded wrong shared memory segment from the beginning\" * \"Shared Memory Resource opens wrong shared memory segment\" * Stack allocations are prevented by ensure correct working functionality assigned by single requirements. ProxyID overwritten is the most critical part, which needs another safety mechanism. An accidentally overwrite will be covered by additional checks (e.g. CRC). An OffsetPTR corruption would be covered by our active bound checking, so this is no new issue that could occur." + } + + // ID: 6164791 + ScoreReq.FailureMode TooFewMemoryAllocated { + guideword = ScoreReq.GuideWord.PartialFunction + description = "The event allocation allocates too few memory (including no memory at all)." + failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated." + version = 1 + safety = ScoreReq.Asil.B + rationale = "1. \"Literally wrong number of slots reserved\": Covered by preventive measure \"reserve configured number of slots\" 2. \"More than one SampleAllocateePtr in parallel\": Covered by AoUs (\"one producer, one allocatee ptr\", \"no-copy on send, while holding allocatee ptr\", since copy-send calls allocate implicitly) 3. \"Holds more sample ptr than announced\": Covered by \"a proxy instance shall not retrieve more sample ptr...\" 4. \"Holds more sample ptr than configured\": Covered by AoUs (\"configured maximum number of subscriber\", \" configured maximum number of elements\") 5. \"slot allocation logic broken\": Covered by \"Slot allocation synchronisation\" 6. \"Mapping of wrong EventId\": Covered by \"EventFqId shall be constructed from the associated configuration values\" 7. 
\"Shared memory truncation fails\": Is controlled by \" A process shall terminate, if the truncation of a shared memory segment fails.\" by transitioning into a safe state. 8. The necessary size calculation cannot fail, since it is just a sizeof() 9. \"Allocate claims to few memory\": Is covered by \"SharedMemoryResource shall allocate the requested memory on an allocate call\" Note: A Proxy can either be a \"regular\" proxy, or an \"ipc tracing\" proxy."
+ interface = "mw.com.Event.Allocate"
+ }
+
 // ID: 6164809
 ScoreReq.FailureMode WronglyAlignedMemoryAllocated {
 guideword = ScoreReq.GuideWord.UnintendedFunction
@@ -396,10 +236,6 @@ section "LoLa" {
 potentialcause = "This issue can only happen if the alignment calculation within the SharedMemoryResource fails."
 }
- }
-
- section "StopOfferAService" {
-
 // ID: 6164821
 ScoreReq.FailureMode TooMuchMemoryAllocated {
 guideword = ScoreReq.GuideWord.ExceedingFunction
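Review bot: MemoryAllocatedInWrongSection has no `interface` field, while TooFewMemoryAllocated, added right below it in the same new AllocateAnEventOrField section, carries `interface = "mw.com.Event.Allocate"`; both analyse the same allocation call, so the first should get `interface = "mw.com.Event.Allocate"` as well. Its rationale also lists the considered faults as asterisk bullets inside one string whereas TooFewMemoryAllocated numbers them 1 to 9; using one scheme makes later "Same as …" cross-references unambiguous. The phrase "prevented by ensure correct working functionality assigned by single requirements" does not say which requirements, which is the one place in this hunk where a reviewer cannot trace the argument.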
@@ -421,6 +257,20 @@ section "LoLa" {
 rationale = "Our preventive measure ensure that the allocation within a Shared Memory Resource works as expected."
 potentialcause = "The only possibility is a mistake in the allocation strategy of a Shared Memory Resource."
 }
+ }
+
+ section "SendAnEventOrField" {
+
+ // ID: 6164966
+ ScoreReq.FailureMode SendingEventChangesUserData {
+ guideword = ScoreReq.GuideWord.UnintendedFunction
+ description = "A call to send manipulates the data that was provided by the caller."
+ failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Most of the possible errors have been discussed with [ISSUE:Failuremode TooFewMemoryAllocated]. The issue with the generic trace API is covered by its custom preventive measure. Only the direct manipulation is a net yet covered possible fault cause. Which is addressed with our preventive measure."
+ interface = "mw.com.Event.Send"
+ }
 // ID: 6164982
 ScoreReq.FailureMode SendingAnEventOrFieldSendsDataOnlyPartially {
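Review bot: The rationale of SendingEventChangesUserData reads `is a net yet covered possible fault cause`, which looks like a typo for "not yet covered" and, read literally, says the opposite of what the next sentence argues. Suggested wording: `Only the direct manipulation is a not yet covered possible fault cause, which is addressed with our preventive measure.` The measure itself is not named here, unlike the trace-API one in the previous sentence; naming it would let the reader trace the claim.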
@@ -433,9 +283,27 @@ section "LoLa" {
 potentialcause = "This issue cannot happen. If then it is a memory allocation topic and covered by [ISSUE:Failuremode TooFewMemoryAllocated]"
 }
- }
+ // ID: 6164996
+ ScoreReq.FailureMode SendingEventOnlyPartiallyNotifiesConsumer {
+ guideword = ScoreReq.GuideWord.PartialFunction
+ description = "When data is sent, consumers that have a callback registered, are only partially notified."
+ failureeffect = "This could cause that data is not processed, causing a complete outage of the system. In the worst case the safety goal could be violated."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Our AoU states that the fault shall not cause safety goal violations. Thus, no additional measures are required."
+ interface = "mw.com.Event.Send"
+ }
- section "AllocateAnEventOrField" {
+ // ID: 6165326
+ ScoreReq.FailureMode SendingEventSendsToWrongConsumer {
+ guideword = ScoreReq.GuideWord.UnintendedFunction
+ description = "An event or field is sent to the wrong consumer."
+ failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "All possible fault causes are already addressed with [ISSUE:Failuremode TooFewMemoryAllocated]"
+ interface = "mw.com.Event.Send"
+ }
 // ID: 6165344
 ScoreReq.FailureMode SendingAnEventOrFieldSendsSameSampleNtimes {
@@ -448,6 +316,42 @@ section "LoLa" {
 potentialcause = "The only possibility that this happens is on copy-on send. For that copy-on send would need to call allocate multiple times."
 }
+ // ID: 6165624
+ ScoreReq.FailureMode SendingEventDoesNotFreeResources {
+ guideword = ScoreReq.GuideWord.PartialFunction
+ description = "Resources in the middleware that have been allocated with a previous allocation, are not freed after returning from send/update."
+ failureeffect = "This could lead to a resource exhaustion of the system. Leading to a situation where no communication would be possible."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "All three steps that could fail during freeing the resources are prevented by their respective requirements."
+ interface = "mw.com.Event.Send"
+ }
+ }
+
+ section "Destruction" {
+
+ // ID: 6165759
+ ScoreReq.FailureMode WrongResourcesFreed {
+ guideword = ScoreReq.GuideWord.UnintendedFunction
+ description = "A destruction of one skeleton instances, frees the resources of another skeleton instance."
+ failureeffect = "This could cause transmitting garbage data between processes, causing a complete outage of the system. In the worst case the safety goal could be violated."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "A wrong freeing of resources would only be possible by a wrong holding of resources, which is avoided by our two preventive measures."
+ interface = "mw.com.Skeleton.Destroy"
+ }
+
+ // ID: 6165782
+ ScoreReq.FailureMode NoResourcesFreed {
+ guideword = ScoreReq.GuideWord.LossOfFunction
+ description = "The resources allocated on construction and during operation are not freed on destruction."
+ failureeffect = "Can cause an overall resource exhaustion."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Another safety argument is added that shall avoid that no resources are freed."
+ interface = "mw.com.Skeleton.Destroy"
+ }
+
 // ID: 6165797
 ScoreReq.FailureMode EarlyCleanUp {
 guideword = ScoreReq.GuideWord.ExceedingFunction
@@ -458,10 +362,65 @@ section "LoLa" { rationale = "By only freeing resources on destruction, we can avoid early resource clean ups." potentialcause = "nearly the same as [ISSUE:Failuremode NoResourcesFreed] The only difference is that unlink / unmap will happen early." } + } + + section "Proxy" { + + section "Start Find Service" { + // ID: 31546222 + ScoreReq.FailureMode StartFindServiceCallbackCalledUnexpectedly { + guideword = ScoreReq.GuideWord.ExceedingFunction + description = "The user-provided callback is invoked, even though it should not be invoked." + failureeffect = "In the worst case, the callback is invoked all the time, which could lead to: The user thinks that a new proxy is found and creates a proxy with an already used handle; A DDoS is performed, where one thread is constantly blocked. Both can lead to violations of safety goals." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Called even though StopFindService has been called, is tackled by the preventive measure: Proxy StopFindService. Called redundantly, is tackled by the preventive measure: \"Invoke FindServiceHandler...\" Wrong inotify events, are impossible, since these come from the OS, which is safety certified (no restriction found in the safety manual). Watches are set wrongly, is tackled by our preventive measure: Correct watches per Instance Identifier" + interface = "mw.com.Proxy.StartFindService" + } } - section "SendAnEventOrField" { + section "Find Service" { + + // ID: 6166029 + ScoreReq.FailureMode ServiceNotFound { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A proxy does not find a service instance, even though it was offered by a skeleton." + failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." 
+ version = 1 + safety = ScoreReq.Asil.B + rationale = "" + interface = "mw.com.Proxy.FindService" + } + + // ID: 6166047 + ScoreReq.FailureMode WrongServiceFound { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A proxy instance finds a wrong service. This could be either a wrong service instance or a completely wrong service." + failureeffect = "The actual intended communication will not happen, thus potential causing a complete loss of system functionality. In the worst case, the wrong identifiers are used by another service. In that case a wrong consumer could think that he found the right service, leading to a case where garbage data is transmitted, causing any potential issues in the whole system functionality (e.g. violating the top level safety goal)." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Both faults of wrongly configured and offered under wrong service IDs are covered by other analysis (Failuremode ServiceOfferedUnderWrongIds). For the InstanceSpecifier to Identifier we have the preventive measure \"InstanceSpecifier resolution can not retrieve wrong InstanceIdentifier resolution can not retrieve wrong InstanceIdentifier The last fault is covered by the ensured correct mapping of InstanceIdentifier to path." + interface = "mw.com.Proxy.FindService" + } + } + + section "Construction" { + + // ID: 6166060 + ScoreReq.FailureMode ServiceIsFoundButDoesNotExist { + guideword = ScoreReq.GuideWord.ExceedingFunction + description = "Finding a service, returns a service, even though no service instance was offered." + failureeffect = "No communication between process will happen, thus no information can be exchanged, thus any overall system functionality can stop." + version = 1 + safety = ScoreReq.Asil.B + rationale = "The first root cause cannot happen, since otherwise the Operating System would make stupid stuff. mmap will not map any memory if a file does not exist. 
\"Service was offered, but not unlinked on stop offer\", is covered by our AoU that we do not notify on termination of the provider side. The other three faults are covered by the two preventive measures."
+ interface = "mw.com.Proxy.FindService"
+ }
+
+ }
+
+ section "Stop Find Service" {
 // ID: 31546507
 ScoreReq.FailureMode StartedFindServiceIsNotStopped {
@@ -484,10 +443,9 @@ section "LoLa" {
 rationale = "Both potential effects are made clear to our customers via AoUs and is thus expected."
 potentialcause = "Messed up handling of handles (only possibility, no tree needed)"
 }
- }
- section "Destruction" {
+ section "Subscribe for an Event" {
 // ID: 6166213
 ScoreReq.FailureMode SubscribeToWrongEvent {
@@ -509,14 +467,6 @@ section "LoLa" {
 rationale = "Both possible root cause are checked with preventive measures."
 }
- }
-
- }
-
- section "Proxy" {
-
- section "FindService" {
-
 // ID: 6166225
 ScoreReq.FailureMode DoesNotSubscribe {
 guideword = ScoreReq.GuideWord.LossOfFunction
@@ -527,6 +477,9 @@ section "LoLa" {
 rationale = "-"
 potentialcause = "the only possible fault is, that the shared memory segment or event is wrongly choosen, but this was already checked before while creating, so this can not really happen."
 }
+ }
+
+ section "SetReceiveHandler for an Event" {
 // ID: 6166297
 ScoreReq.FailureMode ReceiveHandlerNotInvoked {
@@ -539,10 +492,6 @@ section "LoLa" {
 potentialcause = "N/A because root-cause covered by AoU."
 }
- }
-
- section "SubscribeForAnEvent" {
-
 // ID: 6166301
 ScoreReq.FailureMode ReceiveHandlerInvokedWithWrongEvent {
 guideword = ScoreReq.GuideWord.UnintendedFunction
@@ -574,10 +523,9 @@ section "LoLa" {
 rationale = "N/A because root-cause covered by AoU."
 potentialcause = "N/A because root-cause covered by AoU."
 }
- }
- section "SetReceiveHandler" {
+ section "GetNewSamples for an Event" {
 // ID: 6166331
 ScoreReq.FailureMode CallbackNotInvokedDespiteSamplesAvailable {
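Review bot: ServiceNotFound is added with `rationale = ""`, so an ASIL-B LossOfFunction failure mode carries no safety argument at all while every other mode added in this commit states one; either fill it in or, if no measure is needed, say why (the availability AoU that ServiceNotOffered relies on would be the obvious candidate, but that is my inference). In WrongServiceFound the quoted measure is opened with `\"` and never closed, and the fragment "resolution can not retrieve wrong InstanceIdentifier" appears twice; the intended text is presumably `... we have the preventive measure \"InstanceSpecifier resolution can not retrieve wrong InstanceIdentifier\". The last fault is covered by the ensured correct mapping of InstanceIdentifier to path.` ServiceIsFoundButDoesNotExist is placed under section "Construction" although its `interface` is `mw.com.Proxy.FindService`, the same as the two modes in "Find Service"; if that placement is deliberate, a comment on the section should say so. The sections closed at the top of this hunk (Destruction, Skeleton) open outside it.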
@@ -632,10 +580,9 @@ section "LoLa" {
 potentialcause = "Same as [ISSUE:FailureMode ReturnsWrongSampleCount]"
 interface = "mw.com.Event.GetNewSamples"
 }
- }
- section "GetNewSamples" {
+ section "GetFreeSampleCount for an Event" {
 // ID: 6166359
 ScoreReq.FailureMode ReturnsWrongFreeSampleCount {
@@ -648,6 +595,20 @@ section "LoLa" {
 potentialcause = "Internal counter of free and used samples broken."
 }
+ // ID: 6166362
+ ScoreReq.FailureMode SucceedsDespiteAnError {
+ guideword = ScoreReq.GuideWord.UnintendedFunction
+ description = "A GetFreeSampleCount() returns succeeds eventhough it should return an error."
+ failureeffect = "We never return there an error, we are just forced by the AUTOSAR API to follow this signature. But since we never return there an error, this case can never happen and thus there is no effect of failure. There is no need to provide an error, because our underlying implementation has no error path since all preconditions are always fulfilled."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Succeeding instead of an error, implies that the returned value is wrong. Thus the same as [ISSUE:FailureMode ReturnsWrongFreeSampleCount]
+ potentialcause = "Same as [ISSUE:FailureMode ReturnsWrongFreeSampleCount]"
+ }
+ }
+
+ section "Unsubscribe for an Event" {
+
 // ID: 6166363
 ScoreReq.FailureMode DoesNotUnsubscribe {
 guideword = ScoreReq.GuideWord.LossOfFunction
@@ -669,10 +630,6 @@ section "LoLa" {
 potentialcause = "Same as [ISSUE:Failuremode SubscribeToWrongEvent]"
 }
- }
-
- section "GetFreeSampleCount" {
-
 // ID: 6166365
 ScoreReq.FailureMode DoesNotImplicitRemoveReceiveHandler {
 guideword = ScoreReq.GuideWord.PartialFunction
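Review bot: The `rationale` line of SucceedsDespiteAnError is an unterminated string: it ends at `ReturnsWrongFreeSampleCount]` with no closing quote, so the following `potentialcause = "Same as ...` line is most likely swallowed into it and the file will either fail to parse or silently lose the potentialcause. The fix is `rationale = "Succeeding instead of an error, implies that the returned value is wrong. Thus the same as [ISSUE:FailureMode ReturnsWrongFreeSampleCount]"`. The mode also lacks the `interface` field that the other modes added in this commit carry; from the description it belongs to the GetFreeSampleCount API, but the exact interface string used for ReturnsWrongFreeSampleCount is not visible in this hunk, so copy it from there. The description's "returns succeeds eventhough" reads as a leftover; `A GetFreeSampleCount() call succeeds even though it should return an error.` says the same thing cleanly.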
@@ -683,91 +640,127 @@ section "LoLa" { rationale = "Only one possible failure that is covered with a preventive measure." potentialcause = "Only possible fault is that the receive handler is not removed on unsubscription." } - - // ID: 31545325 - ScoreReq.FailureMode MapContainingNonexistentEvents { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "The map that is visible to the user, contains events that are not actually existing (e.g. in the configuration)." - failureeffect = "A user could take wrong actions based on this information and thus affect any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Can only happen, if user misconfigures the system." - } - - // ID: 31545231 - ScoreReq.FailureMode IncompleteMapOfEvents { - guideword = ScoreReq.GuideWord.PartialFunction - description = "The user gets presented not all events the generic proxy supports." - failureeffect = "Due to the map not complete, this will lead to missed data, because the user is not aware that these events are actually there. This could affect any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Special case of [ISSUE:Failuremode MapContainingNonexistentEvents]" - potentialcause = "Same as [ISSUE:Failuremode MapContainingNonexistentEvents]" - } - } - section "Unsubscribe" { - - // ID: 6166375 - ScoreReq.FailureMode DoesNotFreeResourcesOnDestruction { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A SampleAllocateePtr or SamplePtr is destroyed, which should lead to a freeing of resources, but caused by a fault they are not freed." - failureeffect = "Resource exhaustion. Could block further communication which could lead to failures on provider and consumer side, which on the other hand could lead to a violation of a safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "This failure mode can be avoided by ensuring an always valid slot and ensuring a correct slot-change logic. 
Which both is presented as preventive measure." - } - - // ID: 6166378 - ScoreReq.FailureMode FreesWrongResources { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A SampleAllocateePtr or SamplePtr free the wrong resources associated with them." - failureeffect = "Communication of data-garbage or resource exhaustion, which both could harm an overall safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" - potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction] with the only difference that a slot could now be valid but the wrong one." + section "Generic Proxy" { + + section "Generic access to Generic Proxy Events { + + // ID: 31545325 + ScoreReq.FailureMode MapContainingNonexistentEvents { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "The map that is visible to the user, contains events that are not actually existing (e.g. in the configuration)." + failureeffect = "A user could take wrong actions based on this information and thus affect any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Can only happen, if user misconfigures the system." + } + + // ID: 31545231 + ScoreReq.FailureMode IncompleteMapOfEvents { + guideword = ScoreReq.GuideWord.PartialFunction + description = "The user gets presented not all events the generic proxy supports." + failureeffect = "Due to the map not complete, this will lead to missed data, because the user is not aware that these events are actually there. This could affect any safety goal." 
+ version = 1 + safety = ScoreReq.Asil.B + rationale = "Special case of [ISSUE:Failuremode MapContainingNonexistentEvents]" + potentialcause = "Same as [ISSUE:Failuremode MapContainingNonexistentEvents]" + } + } + + section "Generic Proxy Event" { + + // ID: 31545522 + ScoreReq.FailureMode TheSizeReturnedIsBiggerThenTheActualValue { + guideword = ScoreReq.GuideWord.ExceedingFunction + description = "The user receives a size, that is bigger then the actual value." + failureeffect = "Undefined behavior due to wrong memory access." + version = 1 + safety = ScoreReq.Asil.B + rationale = "A manipulated size is tackled, by \"Size information in read-only memory\". The right location is ensured via \"Location of type-meta-information information for Generic Proxy\" The wrong set size, is covered by \"The type-meta-information shall be calculated based on the provided event/field type" + interface = "mw.com.GenericProxyEvent.GetSampleSize" + } + + // ID: 31545538 + ScoreReq.FailureMode TheSizeReturnedIsSmallerThenTheActualSize { + guideword = ScoreReq.GuideWord.PartialFunction + description = "The user receives a size, that is smaller then the actual value." + failureeffect = "Only seeing a subset of the data, thus a potential violation of any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Potential faults and measures are the same as [ISSUE:Failuremode TheSizeReturnedIsBiggerThenTheActualValue]" + potentialcause = "Same as [ISSUE:Failuremode TheSizeReturnedIsBiggerThenTheActualValue]" + interface = "mw.com.GenericProxyEvent.GetSampleSize" + } + + // ID: 31545581 + ScoreReq.FailureMode WrongIndicationIfFormatIsSerialized { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A user, using HasSerializedFormat(), receives the wrong value." + failureeffect = "Missinterpretation of data, can lead to any safety violation." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Hard-coded value, not faults possible." 
+ potentialcause = "Hard-coded value, no faults possible." + interface = "mw.com.GenericProxyEvent.HasSerializedFormat" + } } + } + } - // ID: 6166381 - ScoreReq.FailureMode DoesNotReserveResources { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A SamplePtr or SampleAllocateePtr do not increase their respective ref-counts and thus avoid data changes." - failureeffect = "Data is manipulated from different processes because they think its not owned. Which could cause garbage data and thus harm any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Same as [ISSUE:FailureMode DoesNotFreeResourcesOnDestruction] since a decrease of the ref-count has the same issues as an increas." - potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" - } - - // ID: 6166382 - ScoreReq.FailureMode DoesNotUpdateFreeSampleCountCorrectly { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "When a SamplePtr gets created or destroyed for a given event instance, the Free Sample Count of this instance doesn't get updated accordingly" - failureeffect = "Users may not know, if they are allowed to retrieve new Samples at all and may therefore fail to get new data! This may violate any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "By ensuring a correct behavior of the SamplePtr, this fault can be omitted." - potentialcause = "The only possible cause is a wrong behavior of our reference counting mechanism." - } + section "SmartPointer" { + // ID: 6166375 + ScoreReq.FailureMode DoesNotFreeResourcesOnDestruction { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A SampleAllocateePtr or SamplePtr is destroyed, which should lead to a freeing of resources, but caused by a fault they are not freed." + failureeffect = "Resource exhaustion. 
Could block further communication which could lead to failures on provider and consumer side, which on the other hand could lead to a violation of a safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "This failure mode can be avoided by ensuring an always valid slot and ensuring a correct slot-change logic. Which both is presented as preventive measure." } - section "SmartPointer" { + // ID: 6166378 + ScoreReq.FailureMode FreesWrongResources { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A SampleAllocateePtr or SamplePtr free the wrong resources associated with them." + failureeffect = "Communication of data-garbage or resource exhaustion, which both could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" + potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction] with the only difference that a slot could now be valid but the wrong one." + } - // ID: 6166385 - ScoreReq.FailureMode ReturnsWrongData { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "On dereferenciation of a SamplePtr or SampleAllocateePtr wrong data is returned." - failureeffect = "If you cannot trust the data in the smart pointer, then the data can be garbage, which could break safe communication, which could harm any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "The validity of the slot is ensured by a preventive measure, while the validity of the memory data is ensure by AoUs." - } + // ID: 6166381 + ScoreReq.FailureMode DoesNotReserveResources { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A SamplePtr or SampleAllocateePtr do not increase their respective ref-counts and thus avoid data changes." + failureeffect = "Data is manipulated from different processes because they think its not owned. Which could cause garbage data and thus harm any safety goal." 
+ version = 1 + safety = ScoreReq.Asil.B + rationale = "Same as [ISSUE:FailureMode DoesNotFreeResourcesOnDestruction] since a decrease of the ref-count has the same issues as an increas." + potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" + } + // ID: 6166382 + ScoreReq.FailureMode DoesNotUpdateFreeSampleCountCorrectly { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "When a SamplePtr gets created or destroyed for a given event instance, the Free Sample Count of this instance doesn't get updated accordingly" + failureeffect = "Users may not know, if they are allowed to retrieve new Samples at all and may therefore fail to get new data! This may violate any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "By ensuring a correct behavior of the SamplePtr, this fault can be omitted." + potentialcause = "The only possible cause is a wrong behavior of our reference counting mechanism." } + // ID: 6166385 + ScoreReq.FailureMode ReturnsWrongData { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "On dereferenciation of a SamplePtr or SampleAllocateePtr wrong data is returned." + failureeffect = "If you cannot trust the data in the smart pointer, then the data can be garbage, which could break safe communication, which could harm any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "The validity of the slot is ensured by a preventive measure, while the validity of the memory data is ensure by AoUs." + } } - -} +} \ No newline at end of file From cb43662f0ce17fa8390464e3cf5253b0e81ab049 Mon Sep 17 00:00:00 2001 
From: manuelfehlhammer Date: Fri, 20 Mar 2026 13:12:17 +0100 Subject: [PATCH 3/3] restructured FMEA folders Separated method-call fmea into client and server side. Added explicit fmea for MethodSignatureElementPtr. --- .../mw/com/requirements/safety_analysis/BUILD | 2 +- .../com/requirements/safety_analysis/aou.trlc | 18 ++ .../safety_analysis/failure_modes.trlc | 238 ++++++++++++++---- .../safety_analysis/root_causes/proxy/BUILD | 1 + .../root_causes/proxy/call_method/BUILD | 8 +- .../proxy/call_method/call_blocks_fta.puml | 6 +- .../wrong_in_args_provided_fta.puml | 32 +++ .../call_method/wrong_results_used_fta.puml | 19 +- .../root_causes/skeleton/BUILD | 3 + .../handle_method_call}/BUILD | 13 +- .../wrong_in_args_used_fta.puml | 24 +- .../wrong_method_called_fta.puml | 0 .../wrong_results_provided_fta.puml | 32 +++ .../root_causes/smart_pointer/BUILD | 21 ++ .../method_signature_element_ptr/BUILD | 21 ++ ..._freeing_resources_on_destruction_fta.puml | 25 ++ .../points_to_wrong_data_fta.puml | 29 +++ .../sample_ptr_sample_allocate_ptr/BUILD | 21 ++ ...not_free_resources_on_destruction_fta.puml | 2 +- .../returns_wrong_data_fta.puml | 2 +- 20 files changed, 423 insertions(+), 94 deletions(-) create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_provided_fta.puml rename score/mw/com/requirements/safety_analysis/root_causes/{smart_pointer_sample_allocate_ptr => skeleton/handle_method_call}/BUILD (70%) rename score/mw/com/requirements/safety_analysis/root_causes/{proxy/call_method => skeleton/handle_method_call}/wrong_in_args_used_fta.puml (52%) rename score/mw/com/requirements/safety_analysis/root_causes/{proxy/call_method => skeleton/handle_method_call}/wrong_method_called_fta.puml (100%) create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_results_provided_fta.puml create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/BUILD 
create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/BUILD
create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/failure_freeing_resources_on_destruction_fta.puml
create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/points_to_wrong_data_fta.puml
create mode 100644 score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/BUILD
rename score/mw/com/requirements/safety_analysis/root_causes/{smart_pointer_sample_allocate_ptr => smart_pointer/sample_ptr_sample_allocate_ptr}/does_not_free_resources_on_destruction_fta.puml (91%)
rename score/mw/com/requirements/safety_analysis/root_causes/{smart_pointer_sample_allocate_ptr => smart_pointer/sample_ptr_sample_allocate_ptr}/returns_wrong_data_fta.puml (89%)
diff --git a/score/mw/com/requirements/safety_analysis/BUILD b/score/mw/com/requirements/safety_analysis/BUILD
index a6ae25fe4..f1723672f 100644
--- a/score/mw/com/requirements/safety_analysis/BUILD
+++ b/score/mw/com/requirements/safety_analysis/BUILD
@@ -50,7 +50,7 @@ filegroup(
"@//score/mw/com/requirements/safety_analysis/root_causes:general",
"@//score/mw/com/requirements/safety_analysis/root_causes/proxy:root_causes_proxy",
"@//score/mw/com/requirements/safety_analysis/root_causes/skeleton:root_causes_skeleton",
- "@//score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr:smart_pointer_sample_allocate_ptr",
+ "@//score/mw/com/requirements/safety_analysis/root_causes/smart_pointer:smart_pointer_fta",
],
visibility = ["//visibility:public"],
)
diff --git a/score/mw/com/requirements/safety_analysis/aou.trlc b/score/mw/com/requirements/safety_analysis/aou.trlc
index f0ba9c7ee..f77554024 100644
--- a/score/mw/com/requirements/safety_analysis/aou.trlc
+++ b/score/mw/com/requirements/safety_analysis/aou.trlc
@@ -351,3 +351,21 @@ ScoreReq.AoU EnsureTheIntegrityAndReliabilityOfCommunication {
version = 1
mitigates = ""
}
+
+/* added for method FMEA */
+
+ScoreReq.AoU NoGuaranteesForTimelyMethodCallExecution {
+ description = "It shall be ensured that a blocking method call will not harm a safety goal."
+ safety = ScoreReq.Asil.B
+ note = "It is not guaranteed that a method call initiated by the caller will arrive at the callee, neither in which latency this will happen. It is also not guaranteed, that the completion of the call is notified to the caller at all, neither in which latency this will happen. This is caused by underlying OS/HW safety claims - see also [NoGuaranteesForNotifications]. The runtime of a user-provided method-handler is not supervised at all."
+ version = 1
+ mitigates = "Communication.CallBlocksOnCaller, Communication.CallBlocksOnCallee, Communication.CallBlocksOnUserHandler"
+}
+
+ScoreReq.PreventiveMeasure MethodInArgPtrMatches {
+ description = "It shall be ensured that the memory locations of the method call in-arguments provided at the caller side are exactly the same as the memory locations as used at the callee side."
+ safety = ScoreReq.Asil.B
+ note = "It is not guaranteed that a method call initiated by the caller will arrive at the callee, neither in which latency this will happen. It is also not guaranteed, that the completion of the call is notified to the caller at all, neither in which latency this will happen. This is caused by underlying OS/HW safety claims - see also [NoGuaranteesForNotifications]."
+ version = 1
+ mitigates = "Communication.CallBlocksOnCaller, Communication.CallBlocksOnCallee, Communication.CallBlocksOnUserHandler"
+}
diff --git a/score/mw/com/requirements/safety_analysis/failure_modes.trlc b/score/mw/com/requirements/safety_analysis/failure_modes.trlc
index bc6a54e6d..9ceaec2f7 100644
--- a/score/mw/com/requirements/safety_analysis/failure_modes.trlc
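Review bot: `ScoreReq.PreventiveMeasure MethodInArgPtrMatches` carries the `note` and `mitigates` copied from `NoGuaranteesForTimelyMethodCallExecution` directly above it: the note talks about delivery latency and the mitigated events are the three CallBlocks* leaves, none of which concern the memory location of in-arguments, so traceability would tie this measure to the wrong fault tree. The note should describe the location check the description promises, e.g. `note = "A mismatch between the in-arg locations seen by caller and callee leads to garbage in-args being used; see Fault-Tree Communication.WrongInArgsProvided."`, and `mitigates` should name the location leaf of the wrong_in_args_provided tree, which currently only has the generic id `Event4` and therefore cannot be referenced yet. Separately, `mitigates` names `Communication.CallBlocksOnCaller` in both objects, while the call_blocks_fta.puml hunk later in this patch labels that basic event `Communication.BlocksOnCaller`; the puml id is the odd one out against its two siblings, so renaming it to `Communication.CallBlocksOnCaller` there would make the trace resolve.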
+++ b/score/mw/com/requirements/safety_analysis/failure_modes.trlc 
@@ -363,7 +363,61 @@ section "LoLa" { potentialcause = "nearly the same as [ISSUE:Failuremode NoResourcesFreed] The only difference is that unlink / unmap will happen early." } } + section "Handle Method Calls" { + + // Fault-Tree $TopEvent [Communication.WrongInArgsUsed] + // Reference as mitigation measures: + // - Callee used InArgs in wrong layout: Mitigated by AoU ScoreReq.AoU SameCompilerSettingsForProviderAndConsumerSide + // - Callee used InArgs while concurrently updated: Mitigated by AoU ScoreReq.AoU ValidityOfPointerOnLoLaPointer. ToDo: extend this AoU for MethodElementPtrs! + // Reference as prevention measures: + // - Callee used InArgs from wrong location: ToDo: Requirement, that we make sure, that the provided MethodInArgPtrs are actually pointing to the right location. + // - Callee used InArgs before being provided: ToDo: Requirement, that we make sure, that the user handler is only called, when the provided in-arg references are pointing to completely setup in-arg. + // - InArgs corrupted by 3d party: ToDo: Requirement: shm-objects created for method calls need to be accessible only to service provider instance and the proxy instance. + ScoreReq.FailureMode WrongMethodInArgsProvided { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "Unintended input arguments are provided to a service method call. Therefore, the method call gets executed with wrong input data." + failureeffect = "Communication of data-garbage, which could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "For all causes, we have either preventive measures or AoUs. Thus, no additional measures are required." + potentialcause = "A: Either the user interpreted the InArgs in the wrong layout or accesses the InArgs after return from the call. B: The mw::com implementation signals the call before all InArgs are provided or provides in-arg pointers to the wrong location." 
+ } + + // Fault-Tree $TopEvent [Communication.WrongMethodCalled] + // Reference as mitigation measures: + // - Wrongly configured: Is covered here: [ISSUE:Failuremode [InMemoryConfigurationWrong] + // Reference as prevention measures: + // - User Handler assignment wrong: ToDo: Requirement, that we make sure, that the user provided handlers are assigned to the right method and that the assignment is not corrupted and the lookup is safe. + // - MethodId corrupted: ToDo: Requirement, that we assure, that the methodid gets not corrupted on its way from the caller to the callee and then also within the callee. + ScoreReq.FailureMode WrongMethodCalled { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "Either the wrong user provided method handler is called or no user handler is called at all. Therefore, the method call results are invalid/garbage." + failureeffect = "Communication of data-garbage, which could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "For all causes, we have either preventive measures or AoUs. Thus, no additional measures are required." + potentialcause = "A: The configuration between provider and consumer mismatches regarding method identification. B: The methodid used in assignment of user provided handlers is corrupted or the assignment/storage/lookup of the user provided handler fails." + } + // Fault-Tree $TopEvent [Communication.WrongResultsProvided] + // Reference as mitigation measures: + // - Callee provided result in wrong layout: Mitigated by AoU ScoreReq.AoU SameCompilerSettingsForProviderAndConsumerSide + // - Callee signalled call finished before or without providing result completely: ToDo: Add an AoU, which states, that a user provided method handler always has to completely update the return-type reference before returning from its handler. 
+ // - Callee (user layer) concurrently updates result after returning from handler : ToDo: Eventually add an explicit/new AoU or extend the AoU ScoreReq.AoU ValidityOfPointerOnLoLaPointer for return value references, which states, that the user handler is not allowed to update any reference )by storing the address) after returning from a handler being called by mw::com. + // Reference as prevention measures: + // - Callee provided result in wrong location: ToDo: Requirement, that we make sure, that the result-reference provided to the user-handler is actually pointing to the right location, where the caller expects the result. + // - Callee (mw::com layer) concurrently updates result after signaling call finished : ToDo: Requirement, that we make sure, that there is no write access to the result location after the method-return has been signalled to the caller. + ScoreReq.FailureMode WrongResultsProvided { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "The result of a method call is either not provided in the expected location, leaving uninitialized data in the expected location or it is provided in an inconsistent state. Therefore, the method call results are invalid/garbage." + failureeffect = "Communication of data-garbage, which could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "For all causes, we have either preventive measures or AoUs. Thus, no additional measures are required." + potentialcause = "A: The user handler either returns without providing a valid result or it writes it in an incorrect format. B: The user handler gets invoked with an invalid return-value reference." + } + } + } section "Proxy" { section "Start Find Service" { 
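Review bot: `ScoreReq.FailureMode WrongMethodInArgsProvided` in the new "Handle Method Calls" section reuses the name that the "Call Method" section in the next hunk of this file also declares (twice there), and as far as I know TRLC requires object names to be unique within a package, so the file would fail to load as committed. This callee-side object traces to `Communication.WrongInArgsUsed`, so `ScoreReq.FailureMode WrongMethodInArgsUsed {` with a description saying the arguments are used with the wrong content rather than provided would match its fault tree and remove the clash. The reference `[ISSUE:Failuremode [InMemoryConfigurationWrong]` in the comment above WrongMethodCalled also has an unbalanced bracket, which will break whatever tooling resolves these links.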
@@ -706,61 +760,151 @@ section "LoLa" { } } } + + section "Call Method" { + // Fault-Tree $TopEvent [Communication.CallBlocks] + // Reference as mitigation for all three leaf-nodes/BasicEvents in the fault-tree: ScoreReq.AoU [NoGuaranteesForTimelyMethodCallExecution] + ScoreReq.FailureMode MethodCallBlocksLongerThanExpected { + guideword = ScoreReq.GuideWord.DelayedFunction + description = "A call to a service-method on the client/consumer side blocks longer than expected (or indefinite). This is a specific instance of FailureMode [AnyFunctionBlocksLongerThanExpected], but since with service-methods we have concrete root causes in the form of message-passing behaviour and behaviour of user-provided handler, we have this specific failure mode." + failureeffect = "This could cause a halt of parts of/or the whole system." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Our system anyhow imposes a watchdog to check for safety-related and time related paths. Thus, we do not try to safety qualify ever aspect and guarantee any execution timings." + potentialcause = "Underlying message-passing mechanism is blocked (e.g. the opposite side is not receiving messages) or the user provided handler is blocking." + } + + // Fault-Tree $TopEvent [Communication.WrongInArgsProvided] + // Reference as mitigation measures: + // - Caller provided InArgs in wrong layout: Mitigated by AoU ScoreReq.AoU SameCompilerSettingsForProviderAndConsumerSide + // - Caller updates InArgs concurrently after call signalling: Mitigated by AoU ScoreReq.AoU ValidityOfPointerOnLoLaPointer. ToDo: extend this AoU for MethodElementPtrs! + // Reference as prevention measures: + // - Call signalled before InArgs completely provided: ToDo: Requirement, that we make sure, that all MethodInArgPtrs are set/provided, before signalling the call. + // - Caller provided InArgs in wrong location: ToDo: Requirement, that we make sure, that the provided MethodInArgPtrs are actually pointing to the right location. 
+ ScoreReq.FailureMode WrongMethodInArgsProvided { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "Unintended input arguments are provided to a service method call. Therefore, the method call gets executed with wrong input data." + failureeffect = "Communication of data-garbage, which could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "For all causes, we have either preventive measures or AoUs. Thus, no additional measures are required." + potentialcause = "A: Either the user provides the InArgs in the wrong layout or updates the InArgs concurrently after call signalling. B: The mw::com implementation signals the call before all InArgs are provided or provides in-arg pointers to the wrong location." + } + + // Fault-Tree $TopEvent [Communication.WrongResultsUsed] + // Reference as mitigation measures: + // - Caller used result in wrong layout: Mitigated by AoU ScoreReq.AoU SameCompilerSettingsForProviderAndConsumerSide + // - Caller used result while concurrently updated: Mitigated by AoU ScoreReq.AoU ValidityOfPointerOnLoLaPointer. ToDo: extend this AoU for MethodElementPtrs! + // Reference as prevention measures: + // - Caller used result from wrong location: ToDo: Requirement, that we make sure, that MethodReturnPtr points to the correct location in shm. + // - Caller used result before fully provided: ToDo: Requirement, that we make sure, that the MethodReturnPtr is only set/provided, when method call being signalled as finished. + ScoreReq.FailureMode WrongMethodInArgsProvided { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "Unintended results are provided from a service method call. Therefore, the caller of the method works on wrong data." + failureeffect = "Communication of data-garbage, which could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "For all causes, we have either preventive measures or AoUs. 
Thus, no additional measures are required." + potentialcause = "A: Either the user interpreted the Result in the wrong layout or accesses it after signalling, that he is done with its usage. B: The mw::com implementation signals the call being done before the return value is fully provided or provides result pointers to the wrong location." + } + } } + + + section "SmartPointer" { - // ID: 6166375 - ScoreReq.FailureMode DoesNotFreeResourcesOnDestruction { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A SampleAllocateePtr or SamplePtr is destroyed, which should lead to a freeing of resources, but caused by a fault they are not freed." - failureeffect = "Resource exhaustion. Could block further communication which could lead to failures on provider and consumer side, which on the other hand could lead to a violation of a safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "This failure mode can be avoided by ensuring an always valid slot and ensuring a correct slot-change logic. Which both is presented as preventive measure." - } + section "SamplePtr and SampleAllocateePtr" { - // ID: 6166378 - ScoreReq.FailureMode FreesWrongResources { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "A SampleAllocateePtr or SamplePtr free the wrong resources associated with them." - failureeffect = "Communication of data-garbage or resource exhaustion, which both could harm an overall safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" - potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction] with the only difference that a slot could now be valid but the wrong one." 
- } + // ID: 6166375 + ScoreReq.FailureMode DoesNotFreeResourcesOnDestruction { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A SampleAllocateePtr or SamplePtr is destroyed, which should lead to a freeing of resources, but caused by a fault they are not freed." + failureeffect = "Resource exhaustion. Could block further communication which could lead to failures on provider and consumer side, which on the other hand could lead to a violation of a safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "This failure mode can be avoided by ensuring an always valid slot and ensuring a correct slot-change logic. Which both is presented as preventive measure." + } - // ID: 6166381 - ScoreReq.FailureMode DoesNotReserveResources { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "A SamplePtr or SampleAllocateePtr do not increase their respective ref-counts and thus avoid data changes." - failureeffect = "Data is manipulated from different processes because they think its not owned. Which could cause garbage data and thus harm any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "Same as [ISSUE:FailureMode DoesNotFreeResourcesOnDestruction] since a decrease of the ref-count has the same issues as an increas." - potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" - } + // ID: 6166378 + ScoreReq.FailureMode FreesWrongResources { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "A SampleAllocateePtr or SamplePtr free the wrong resources associated with them." + failureeffect = "Communication of data-garbage or resource exhaustion, which both could harm an overall safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" + potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction] with the only difference that a slot could now be valid but the wrong one." 
+ } + + // ID: 6166381 + ScoreReq.FailureMode DoesNotReserveResources { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "A SamplePtr or SampleAllocateePtr do not increase their respective ref-counts and thus avoid data changes." + failureeffect = "Data is manipulated from different processes because they think its not owned. Which could cause garbage data and thus harm any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "Same as [ISSUE:FailureMode DoesNotFreeResourcesOnDestruction] since a decrease of the ref-count has the same issues as an increas." + potentialcause = "Same as [ISSUE:Failuremode DoesNotFreeResourcesOnDestruction]" + } - // ID: 6166382 - ScoreReq.FailureMode DoesNotUpdateFreeSampleCountCorrectly { - guideword = ScoreReq.GuideWord.LossOfFunction - description = "When a SamplePtr gets created or destroyed for a given event instance, the Free Sample Count of this instance doesn't get updated accordingly" - failureeffect = "Users may not know, if they are allowed to retrieve new Samples at all and may therefore fail to get new data! This may violate any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "By ensuring a correct behavior of the SamplePtr, this fault can be omitted." - potentialcause = "The only possible cause is a wrong behavior of our reference counting mechanism." + // ID: 6166382 + ScoreReq.FailureMode DoesNotUpdateFreeSampleCountCorrectly { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "When a SamplePtr gets created or destroyed for a given event instance, the Free Sample Count of this instance doesn't get updated accordingly" + failureeffect = "Users may not know, if they are allowed to retrieve new Samples at all and may therefore fail to get new data! This may violate any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "By ensuring a correct behavior of the SamplePtr, this fault can be omitted." 
+ potentialcause = "The only possible cause is a wrong behavior of our reference counting mechanism." + } + + // ID: 6166385 + ScoreReq.FailureMode ReturnsWrongData { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "On dereferenciation of a SamplePtr or SampleAllocateePtr wrong data is returned." + failureeffect = "If you cannot trust the data in the smart pointer, then the data can be garbage, which could break safe communication, which could harm any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "The validity of the slot is ensured by a preventive measure, while the validity of the memory data is ensure by AoUs." + } } - // ID: 6166385 - ScoreReq.FailureMode ReturnsWrongData { - guideword = ScoreReq.GuideWord.UnintendedFunction - description = "On dereferenciation of a SamplePtr or SampleAllocateePtr wrong data is returned." - failureeffect = "If you cannot trust the data in the smart pointer, then the data can be garbage, which could break safe communication, which could harm any safety goal." - version = 1 - safety = ScoreReq.Asil.B - rationale = "The validity of the slot is ensured by a preventive measure, while the validity of the memory data is ensure by AoUs." + section "MethodSignatureElementPtr" { + + // Fault-Tree $TopEvent [Communication.MethodSignatureElementPtrWrongTarget] + // Reference as mitigation measures: + // - References outdated valid memory inside shared-memory: Mitigated by AoU ScoreReq.AoU ValidityOfPointerOnLoLaPointer. ToDo: extend this AoU for MethodElementPtrs! + // Reference as prevention measures: + // - References wrong valid memory outside shared-memory: ToDo: This is either a lifetime issue (the memory was previously a mapped shm-region, which is now unmapped) or it was always in wrong memory, thus the following prevention holds. 
+ // - References wrong valid memory inside shared-memory: ToDo: Requirement, that we make sure, that the provided MethodSignatureElementPtrs are actually pointing to the right locations in shared-memory method-call-queues. + // Reference as control measures: + // - References invalid memory: Access to invalid memory leads to a crash, which harms availability but no safety goal. + ScoreReq.FailureMode MethodSignatureElementPtrWrongTarget { + guideword = ScoreReq.GuideWord.UnintendedFunction + description = "On de-referencing of a MethodSignatureElementPtr wrong data is returned." + failureeffect = "Resolution of the smart pointer to the wrong memory location, leads to garbage data access. This could harm any safety goal." + version = 1 + safety = ScoreReq.Asil.B + rationale = "The validity of the method signature element (return value/in-argument) is ensured by a preventive measure, while the validity of the data at this location is ensured by AoUs." + potentialcause = "A: The user didn't obey the lifetime rules of the MethodSignatureElementPtr and thus accesses it after it has been invalidated. B: The pointers were either wrongly initialized or point to locations, which were invalidated before the access happens. + } + + // Fault-Tree $TopEvent [Communication.MethodSignatureElementPtrFailsToFree] + // Reference as mitigation measures: + // - Does not free method signature element: Mitigated by AoU ScoreReq.AoU [NoGuaranteesForTimelyMethodCallExecution] + // Reference as prevention measures: + // - Overwrite of element in use: ToDo: Requirement, that we make sure, that the provided MethodSignatureElementPtrs are actually pointing to the right locations in shared-memory method-call-queues and no double use takes place. + ScoreReq.FailureMode MethodSignatureElementPtrFailsToFree { + guideword = ScoreReq.GuideWord.LossOfFunction + description = "On destruction of a MethodSignatureElementPtr wrong memory is freed or not freed at all." 
+ failureeffect = "Failing to free resources can lead to a loss of function as no further method calls could be processed. This does not harm a safety goal. But freeing the wrong resources could lead to This could harm any safety goal."
+ version = 1
+ safety = ScoreReq.Asil.B
+ rationale = "Not freeing a method signature element within a call-queue would lead to a further call to be blocked, but since we anyhow do not guarantee any execution timing, this is not a safety issue. Freeing the wrong memory can be tackled by ensuring that the MethodSignatureElementPtrs always point to the right location in shared-memory method-call-queues."
+ potentialcause = "A: Pointer got corrupted and therefore points to the wrong location. B: The location, where the pointer points to, was falsely re-used."
+ }
}
}
-}
\ No newline at end of file
+}
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/proxy/BUILD
index 014cc2eb8..68e2aef4d 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/proxy/BUILD
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/BUILD
@@ -14,6 +14,7 @@
filegroup(
name = "root_causes_proxy",
srcs = [
+ "//score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method:call_method_fta",
"//score/mw/com/requirements/safety_analysis/root_causes/proxy/construction:construction_fta",
"//score/mw/com/requirements/safety_analysis/root_causes/proxy/find_service:service_not_found_fta",
"//score/mw/com/requirements/safety_analysis/root_causes/proxy/find_service:wrong_service_found_fta",
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
index 8e17f2e9f..e89a6af2f 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/BUILD
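Review bot: The `potentialcause` string of `MethodSignatureElementPtrWrongTarget` is never closed — the text ends at `... before the access happens.` and the next token is the object's `}`, so the parser will swallow the closing brace and everything after it as string content. Append the missing quote: `... which were invalidated before the access happens."`. In `MethodSignatureElementPtrFailsToFree` the `failureeffect` contains the fragment `could lead to This could harm any safety goal.`, which reads like a lost clause; `could lead to garbage data access. This could harm any safety goal.` would match what the rationale says. The "Call Method" section in this hunk also declares `WrongMethodInArgsProvided` twice, and the second object describes results and traces to `Communication.WrongResultsUsed`, so `ScoreReq.FailureMode WrongMethodResultsUsed {` would name it consistently and avoid the duplicate object name.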
@@ -12,11 +12,11 @@
# *******************************************************************************

filegroup(
- name = "wrong_method_called_fta",
+ name = "call_method_fta",
srcs = [
- "wrong_method_called_fta.puml",
+ "call_blocks_fta.puml",
+ "wrong_in_args_provided_fta.puml",
+ "wrong_results_used_fta.puml",
],
visibility = ["//visibility:public"],
)
-
-
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
index 103edbe1a..7cbbe6b84 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/call_blocks_fta.puml
@@ -18,9 +18,9 @@
$TopEvent("Method Call blocks", "Communication.CallBlocks")

$OrGate("Gate1", "TopEvent")

-$BasicEvent("Method call blocks in message-passing at the caller side -> send blocked", "Event2", "Gate1")
-$BasicEvent("Method call blocks in user-handler at the callee side", "Event3", "Gate1")
-$BasicEvent("Method call blocks in reply at the callee side -> send blocked ", "Event4", "Gate1")
+$BasicEvent("Method call blocks in message-passing at the caller side -> send blocked", "Communication.BlocksOnCaller", "Gate1")
+$BasicEvent("Method call blocks in user-handler at the callee side", "Communication.CallBlocksOnUserHandler", "Gate1")
+$BasicEvent("Method call blocks in reply at the callee side -> send blocked ", "Communication.CallBlocksOnCallee", "Gate1")

@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_provided_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_provided_fta.puml
new file mode 100644
index 000000000..071f0c63d
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_provided_fta.puml
@@ -0,0 +1,32 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Wrong input arguments provided", "Communication.WrongInArgsProvided")
+
+$OrGate("Gate1", "TopEvent")
+
+$IntermediateEvent("Caller did not/only partially provide InArgs", "Event1", "Gate1")
+$OrGate("Gate2", "Event1")
+$BasicEvent("Call signalled before InArgs completely provided", "Event2", "Gate2")
+$BasicEvent("Caller provided InArgs in wrong location", "Event4", "Gate2")
+
+$IntermediateEvent("Caller provided wrong InArgs", "Event5", "Gate1")
+$OrGate("Gate4", "Event5")
+$BasicEvent("Caller provided InArgs in wrong layout", "Communication.InArgsWrongLayout", "Gate4")
+$BasicEvent("Caller updates InArgs concurrently after call signalling", "Communication.InArgsUpdateAfterCall", "Gate4")
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml
index 43dd4fb3b..a5cdd07af 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml
+++ b/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_results_used_fta.puml
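Review bot: The copyright line of this new file still carries the template token `' Copyright (c) {year} Contributors to the Eclipse Foundation`, whereas the BUILD files added in the same patch say `2025`; the same placeholder is in the other new diagrams of this patch (wrong_results_provided_fta.puml, failure_freeing_resources_on_destruction_fta.puml, points_to_wrong_data_fta.puml). Unless a generator expands `{year}` before publication, it should be filled in before merge. Separately, the two leaves under Gate2 keep generic IDs (`"Event2"`, `"Event4"`, with `Event3` and `Gate3` skipped) while the two leaves under Gate4 get `Communication.*` IDs; if only `Communication.*`-named events are traced to FMEA entries, the two Gate2 causes end up unlinked, which is worth confirming against the metamodel rules.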
@@ -18,20 +18,9 @@
 $TopEvent("Wrong call result used", "Communication.WrongResultsUsed")
 
 $OrGate("Gate1", "TopEvent")
-$IntermediateEvent("Callee failed to provide correct result", "Event2", "Gate1")
-$IntermediateEvent("Caller accesses wrong result", "Event6", "Gate1")
-$OrGate("Gate2", "Event2")
-$IntermediateEvent("Callee did not provide result", "Event3", "Gate2")
-$OrGate("Gate3", "Event3")
-$BasicEvent("Callee signalled call finished before providing result", "Event5", "Gate3")
-$BasicEvent("Someone else signalled call finished wrongly", "Event7", "Gate3")
-
-$BasicEvent("Callee provided result in wrong location", "Event8", "Gate2")
-$BasicEvent("Callee provided result in wrong layout", "Event9", "Gate2")
-$OrGate("Gate4", "Event6")
-$BasicEvent("Caller used result from wrong location", "Event10", "Gate4")
-$BasicEvent("Caller used result in wrong layout", "Event11", "Gate4")
-$BasicEvent("Caller used result while concurrently updated", "Event12", "Gate4")
-
+$BasicEvent("Caller used result from wrong location", "Event10", "Gate1")
+$BasicEvent("Caller used result in wrong layout", "Event11", "Gate1")
+$BasicEvent("Caller used result before fully provided", "Event12", "Gate1")
+$BasicEvent("Caller used result while concurrently updated", "Event13", "Gate1")
 
 @enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/skeleton/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/BUILD
index 832a22e62..f1a484eb0 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/skeleton/BUILD
+++ b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/BUILD
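Review bot: The removed leaf `Someone else signalled call finished wrongly` (old Event7) has no counterpart on the new side of this hunk, and the callee-side tree added in wrong_results_provided_fta.puml only covers the callee itself signalling too early, so this cause is dropped from the analysis rather than moved. A party other than the callee falsely signalling completion is a distinct cause from the callee's own sequencing error, and the input-argument tree in this patch does keep the analogous `InArgs corrupted by 3d party` leaf; either re-add it under Gate1 here, e.g. `$BasicEvent("Call finished signalled by a party other than the callee", "Event14", "Gate1")` (constructed example), or note in the FMEA rationale where it is covered. The retained IDs `Event10`–`Event13` also keep the old numbering although the intermediate events they were numbered after are gone, which reads as an editing leftover.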
@@ -19,6 +19,9 @@ filegroup(
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/creation:creation_of_skeleton_not_possible_fta",
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/destruction:no_resources_freed_fta",
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/destruction:wrong_resources_freed_fta",
+ "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call:wrong_in_args_used_fta",
+ "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call:wrong_method_called_fta",
+ "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call:wrong_results_provided_fta",
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/offer_a_service:offers_already_offered_service_fta",
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/offer_a_service:only_partially_offered_fta",
 "//score/mw/com/requirements/safety_analysis/root_causes/skeleton/offer_a_service:service_offered_under_wrong_id_fta",
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/BUILD
similarity index 70%
rename from score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/BUILD
rename to score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/BUILD
index aa270dc93..2e1d7331d 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/BUILD
+++ b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/BUILD
@@ -12,26 +12,25 @@
 # *******************************************************************************
 
 filegroup(
- name = "does_not_free_resources_on_destruction_fta",
+ name = "wrong_in_args_used_fta",
 srcs = [
- "does_not_free_resources_on_destruction_fta.puml",
+ "wrong_in_args_used_fta.puml",
 ],
 visibility = ["//visibility:public"],
 )
 
 filegroup(
- name = "returns_wrong_data_fta",
+ name = "wrong_method_called_fta",
 srcs = [
- "returns_wrong_data_fta.puml",
+ "wrong_method_called_fta.puml",
 ],
 visibility = ["//visibility:public"],
 )
 
 filegroup(
- name = "smart_pointer_sample_allocate_ptr",
+ name = "wrong_results_provided_fta",
 srcs = [
- ":does_not_free_resources_on_destruction_fta",
- ":returns_wrong_data_fta",
+ "wrong_results_provided_fta.puml",
 ],
 visibility = ["//visibility:public"],
 )
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_in_args_used_fta.puml
similarity index 52%
rename from score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml
rename to score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_in_args_used_fta.puml
index 92d106faf..3b644f74d 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_in_args_used_fta.puml
+++ b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_in_args_used_fta.puml
@@ -18,21 +18,15 @@
 $TopEvent("Wrong input arguments used", "Communication.WrongInArgsUsed")
 
 $OrGate("Gate1", "TopEvent")
-$IntermediateEvent("Caller failed to provide correct InArgs", "Event2", "Gate1")
-$IntermediateEvent("Callee used wrong InArgs", "Event6", "Gate1")
-$OrGate("Gate2", "Event2")
-$IntermediateEvent("Caller did not provide InArgs", "Event3", "Gate2")
-$OrGate("Gate3", "Event3")
-$BasicEvent("Caller signalled call before providing InArgs", "Event5", "Gate3")
-$BasicEvent("Someone else signalled call wrongly", "Event7", "Gate3")
-
-$BasicEvent("Caller provided InArgs in wrong location", "Event8", "Gate2")
-$BasicEvent("Caller provided InArgs in wrong layout", "Event9", "Gate2")
-$OrGate("Gate4", "Event6")
-$BasicEvent("Callee used InArgs from wrong location", "Event10", "Gate4")
-$BasicEvent("Callee used InArgs in wrong layout", "Event11", "Gate4")
-$BasicEvent("Callee used InArgs while concurrently updated", "Event12", "Gate4")
-$BasicEvent("InArgs corrupted by 3d party", "Event13", "Gate4")
+$IntermediateEvent("Callee used wrong InArgs", "Event1", "Gate1")
+$IntermediateEvent("Callee used corrupted InArgs", "Event2", "Gate1")
+$OrGate("Gate2", "Event1")
+$OrGate("Gate3", "Event2")
+$BasicEvent("Callee used InArgs from wrong location", "Event3", "Gate2")
+$BasicEvent("Callee used InArgs before being provided", "Event4", "Gate2")
+$BasicEvent("Callee used InArgs in wrong layout", "Event5", "Gate3")
+$BasicEvent("Callee used InArgs while concurrently updated", "Event6", "Gate3")
+$BasicEvent("InArgs corrupted by 3d party", "Event7", "Gate3")
 
 
 @enduml
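Review bot: `$BasicEvent("InArgs corrupted by 3d party", "Event7", "Gate3")` carries the typo `3d` (for `3rd`) from the removed line into the rewritten tree; since the label is what the rendered diagram and any FMEA export show, fix it while the line is being rewritten anyway. The grouping is also worth a second look: `Callee used InArgs from wrong location` and `before being provided` sit under `Callee used wrong InArgs`, while `wrong layout` is filed under `Callee used corrupted InArgs`, although a layout mismatch is an interpretation error by the callee rather than corruption of the data — the intended distinction may be defined outside this file, so treat this as a question. The removed caller-side leaf `Someone else signalled call wrongly` has no counterpart in the caller tree added by this patch either, which would silently narrow the analysis; see the note on wrong_results_used_fta.puml for the same gap on the result path. The file header with the metamodel `!include` lies outside the hunk.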
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_method_called_fta.puml
similarity index 100%
rename from score/mw/com/requirements/safety_analysis/root_causes/proxy/call_method/wrong_method_called_fta.puml
rename to score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_method_called_fta.puml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_results_provided_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_results_provided_fta.puml
new file mode 100644
index 000000000..1c33e0e4f
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/skeleton/handle_method_call/wrong_results_provided_fta.puml
@@ -0,0 +1,32 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Wrong call result provided", "Communication.WrongResultsProvided")
+$OrGate("Gate1", "TopEvent")
+$IntermediateEvent("Callee did provide no result", "Event3", "Gate1")
+$IntermediateEvent("Callee did provide wrong result", "Event4", "Gate1")
+$OrGate("Gate3", "Event3")
+$OrGate("Gate4", "Event4")
+$BasicEvent("Callee signalled call finished before or without providing result completely", "Event5", "Gate3")
+$BasicEvent("Callee provided result in wrong location", "Event8", "Gate3")
+
+$BasicEvent("Callee provided result in wrong layout", "Event9", "Gate4")
+$BasicEvent("Callee concurrently updates result after signaling it", "Event11", "Gate4")
+
+
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/BUILD
new file mode 100644
index 000000000..5ac0ba547
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/BUILD
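Review bot: The IDs in this new tree are non-sequential leftovers (`Event3`, `Event4`, `Gate3`, `Gate4`, `Event5`, `Event8`, `Event9`, `Event11`) that look carried over from the old proxy-side tree rather than assigned for this file, and three blank lines precede `@enduml`. Renumbering from `Event1`/`Gate1`, or giving the leaves `Communication.*` names as the sibling trees in this patch do, makes the file self-explaining and keeps the ID scheme uniform across the call-path diagrams. Two labels also read awkwardly: `Callee did provide no result` (`Callee provided no result`) and `after signaling it` next to `signalled` in the line above it; pick one spelling.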
@@ -0,0 +1,21 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+filegroup(
+ name = "smart_pointer_fta",
+ srcs = [
+ "//score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr:method_signature_element_ptr_fta",
+ "//score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr",
+ ],
+ visibility = ["//visibility:public"],
+)
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/BUILD
new file mode 100644
index 000000000..f65579233
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/BUILD
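Review bot: This new aggregate `smart_pointer_fta` replaces the aggregate `smart_pointer_sample_allocate_ptr` that the BUILD file at the old path used to define, but no hunk in this patch updates whatever target previously depended on `//score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr`; if a parent filegroup under `root_causes` still lists that label, the build fails at analysis time. Please confirm the consumer is updated in a part of the series not shown here. The second `srcs` entry relies on the package shorthand (`//.../sample_ptr_sample_allocate_ptr` resolving to the same-named target in the BUILD file added further down), which is valid but less explicit than the `:target` form used for the first entry.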
@@ -0,0 +1,21 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+filegroup(
+ name = "method_signature_element_ptr_fta",
+ srcs = [
+ "failure_freeing_resources_on_destruction_fta.puml",
+ "points_to_wrong_data_fta.puml",
+ ],
+ visibility = ["//visibility:public"],
+)
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/failure_freeing_resources_on_destruction_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/failure_freeing_resources_on_destruction_fta.puml
new file mode 100644
index 000000000..c7937631d
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/failure_freeing_resources_on_destruction_fta.puml
@@ -0,0 +1,25 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Failure freeing resources on destruction", "Communication.MethodSignatureElementPtrFailsToFree")
+
+$OrGate("Gate1", "TopEvent")
+$BasicEvent("Does not free method signature element", "Event1", "Gate1")
+$IntermediateEvent("Frees wrong method signature element", "Event2", "Gate1")
+$BasicEvent("Overwrite of element in use", "Communication.ChangingStateFails", "Event2")
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/points_to_wrong_data_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/points_to_wrong_data_fta.puml
new file mode 100644
index 000000000..2875bfdeb
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/method_signature_element_ptr/points_to_wrong_data_fta.puml
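Review bot: `$BasicEvent("Overwrite of element in use", "Communication.ChangingStateFails", "Event2")` hangs a basic event directly off the intermediate event `Event2` with no OR/AND gate in between, unlike every other intermediate event in this patch (points_to_wrong_data_fta.puml does the same with `Communication.LifeCycleIssues` under its `Event2`); whether the FTA metamodel accepts an event as a parent is not visible here, so please confirm both diagrams render. The ID `Communication.ChangingStateFails` does not describe the label `Overwrite of element in use` — if it deliberately reuses a basic event defined in another tree, a comment such as `' shared basic event, defined in <other tree>` would save the next reader a search. The FMEA entry earlier in this patch names two causes for freeing the wrong element, a corrupted pointer (A) and a falsely re-used location (B), yet only B appears under `Frees wrong method signature element`; either add the corrupted-pointer cause here or state in the rationale that points_to_wrong_data_fta.puml covers it, since freeing a shared-memory element through a wrong pointer is the kind of cross-process use-after-free the analysis exists to catch.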
@@ -0,0 +1,29 @@
+' *******************************************************************************
+' Copyright (c) {year} Contributors to the Eclipse Foundation
+'
+' See the NOTICE file(s) distributed with this work for additional
+' information regarding copyright ownership.
+'
+' This program and the accompanying materials are made available under the
+' terms of the Apache License Version 2.0 which is available at
+' https://www.apache.org/licenses/LICENSE-2.0
+'
+' SPDX-License-Identifier: Apache-2.0
+' *******************************************************************************
+
+@startuml
+
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+
+$TopEvent("Points to wrong data", "Communication.MethodSignatureElementPtrWrongTarget")
+
+$OrGate("Gate1", "TopEvent")
+$IntermediateEvent("Shared Memory no longer valid", "Event2", "Gate1")
+$BasicEvent("Life-Cycle issues", "Communication.LifeCycleIssues", "Event2")
+$IntermediateEvent("Wrong memory location referenced", "Event3", "Gate1")
+$OrGate("Gate2", "Event3")
+$BasicEvent("References valid memory outside shared-memory", "Event4", "Gate2")
+$BasicEvent("References valid memory inside shared-memory", "Event5", "Gate2")
+$BasicEvent("References invalid memory", "Event6", "Gate2")
+
+@enduml
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/BUILD b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/BUILD
new file mode 100644
index 000000000..e0b1dd5de
--- /dev/null
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/BUILD
@@ -0,0 +1,21 @@
+# *******************************************************************************
+# Copyright (c) 2025 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# SPDX-License-Identifier: Apache-2.0
+# *******************************************************************************
+
+filegroup(
+ name = "sample_ptr_sample_allocate_ptr",
+ srcs = [
+ "does_not_free_resources_on_destruction_fta.puml",
+ "returns_wrong_data_fta.puml",
+ ],
+ visibility = ["//visibility:public"],
+)
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml
similarity index 91%
rename from score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml
rename to score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml
index 75447c03d..251ed896c 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/does_not_free_resources_on_destruction_fta.puml
@@ -13,7 +13,7 @@
 
 @startuml
 
-!include ../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
 
 $TopEvent("Does not free resources on destruction", "Communication.DoesNotFreeResourcesOnDestruction")
 
diff --git a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/returns_wrong_data_fta.puml b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/returns_wrong_data_fta.puml
similarity index 89%
rename from score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/returns_wrong_data_fta.puml
rename to score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/returns_wrong_data_fta.puml
index c7b66177b..1e7abcf0e 100644
--- a/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer_sample_allocate_ptr/returns_wrong_data_fta.puml
+++ b/score/mw/com/requirements/safety_analysis/root_causes/smart_pointer/sample_ptr_sample_allocate_ptr/returns_wrong_data_fta.puml
@@ -13,7 +13,7 @@
 
 @startuml
 
-!include ../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
+!include ../../../../../../../../third_party/traceability/doc/sample_library/safety_analysis/fta_metamodel.puml
 
 $TopEvent("Returns wrong data", "Communication.ReturnsWrongData")