Results comp FMEA#2879
Open
aschemmel-tech wants to merge 2 commits into
Open
Conversation
|
|
|
The created documentation from the pull request is available at: docu-html |
aschemmel-tech
force-pushed
the
aschemmel-tech-results-fmea
branch
from
b7763c2 to
51e76dc
Compare
Refers: #2490
aschemmel-tech
force-pushed
the
aschemmel-tech-results-fmea
branch
from
51e76dc to
653a0a4
Compare
FScholPer
previously approved these changes
May 8, 2026
4og
requested changes
May 8, 2026
Member
4og
left a comment
4og
left a comment
There was a problem hiding this comment.
Needs review for result lib experts
mihajlo-k
reviewed
May 11, 2026
Contributor
mihajlo-k
left a comment
mihajlo-k
left a comment
There was a problem hiding this comment.
Added some more context and some suggestions
Comment on lines
+103
to
+110
| .. comp_saf_fmea:: Result Enum Type Mismatch | ||
| :violates: comp_arc_dyn__baselibs__result | ||
| :id: comp_saf_fmea__result__enum_type_mismatch | ||
| :fault_id: CO_01_01 | ||
| :failure_effect: User would understand a wrong error type (based on different error domains) | ||
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | ||
| :sufficient: no | ||
| :status: valid |
Contributor
There was a problem hiding this comment.
Suggested change
| .. comp_saf_fmea:: Result Enum Type Mismatch | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__enum_type_mismatch | |
| :fault_id: CO_01_01 | |
| :failure_effect: User would understand a wrong error type (based on different error domains) | |
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | |
| :sufficient: no | |
| :status: valid | |
| .. comp_saf_fmea:: Result Error Code Cross-Domain Misinterpretation | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__enum_type_mismatch | |
| :fault_id: CO_01_01 | |
| :failure_effect: When retrieving error information, the error code is returned as a domain-agnostic integer. If the user interprets this code under a different error domain than the one that produced it, the error is misidentified, potentially leading to incorrect error reaction. | |
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | |
| :sufficient: no | |
| :status: valid |
Comment on lines
+112
to
+113
| Only if the user would use the error information not only for debug reasons but for selecting the | ||
| type of error reaction this error may have an error impact. We need to make the user aware of this. |
Contributor
There was a problem hiding this comment.
Suggested change
| Only if the user would use the error information not only for debug reasons but for selecting the | |
| type of error reaction this error may have an error impact. We need to make the user aware of this. | |
| If the user relies on the error code not only for diagnostic purposes but for selecting an error reaction path, misinterpreting the code under a wrong domain could lead to an incorrect safety-relevant decision. An Assumption of Use shall ensure the user verifies the error domain before interpreting the error code. |
| * - CO_01_01 | ||
| - minimum constraint boundary is violated | ||
| - yes | ||
| - Used enum types may not match - see :need:`comp_saf_fmea__result__enum_type_mismatch` |
Contributor
There was a problem hiding this comment.
Suggested change
| - Used enum types may not match - see :need:`comp_saf_fmea__result__enum_type_mismatch` | |
| - The error code returned is not bound to a specific error domain at the type level. A user may interpret the code against the wrong domain, violating the constraint that error codes are only meaningful within their originating domain (see :need:`comp_saf_fmea__result__enum_type_mismatch`). |
Comment on lines
+115
to
+123
| .. comp_saf_fmea:: Result Error Message Unavailability | ||
| :violates: comp_arc_dyn__baselibs__result | ||
| :id: comp_saf_fmea__result__error_message_unavail | ||
| :fault_id: MF_01_05 | ||
| :failure_effect: Accessing error message could result in undefined behaviour | ||
| :mitigated_by: aou_req__result__resource_lifetime | ||
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | ||
| :sufficient: no | ||
| :status: valid |
Contributor
There was a problem hiding this comment.
Suggested change
| .. comp_saf_fmea:: Result Error Message Unavailability | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__error_message_unavail | |
| :fault_id: MF_01_05 | |
| :failure_effect: Accessing error message could result in undefined behaviour | |
| :mitigated_by: aou_req__result__resource_lifetime | |
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | |
| :sufficient: no | |
| :status: valid | |
| .. comp_saf_fmea:: Result Error Message Lifetime Violation | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__error_message_unavail | |
| :fault_id: MF_01_05 | |
| :failure_effect: The error message provided during error construction is stored as a non-owning reference. If the referenced data is no longer valid when the user retrieves the error message, accessing it results in undefined behavior. | |
| :mitigated_by: aou_req__result__resource_lifetime | |
| :mitigation_issue: https://github.com/eclipse-score/score/issues/2880 | |
| :sufficient: no | |
| :status: valid |
| :sufficient: no | ||
| :status: valid | ||
|
|
||
| The linked AoU cares about unavailability of other return objects, but also the error message may be unavailable. |
Contributor
There was a problem hiding this comment.
Suggested change
| The linked AoU cares about unavailability of other return objects, but also the error message may be unavailable. | |
| The existing Assumption of Use for resource lifetime addresses the validity of error domain objects and referenced resources. However, it does not explicitly cover the user-provided error message, which is equally subject to lifetime constraints. The AoU should be extended to explicitly include the error message data, or a separate AoU should be established for it. |
| * - MF_01_05 | ||
| - message is corrupted | ||
| - yes | ||
| - Error message string is destroyed before accessing it by the user - see :need:`comp_saf_fmea__result__error_message_unavail` |
Contributor
There was a problem hiding this comment.
Suggested change
| - Error message string is destroyed before accessing it by the user - see :need:`comp_saf_fmea__result__error_message_unavail` | |
| - The error message carried within the error object does not own the underlying data. If the data source is destroyed before the error message is accessed by the user, the message reference becomes invalid (see :need:`comp_saf_fmea__result__error_message_unavail`). |
Comment on lines
+127
to
+134
| .. comp_saf_fmea:: Result No Return | ||
| :violates: comp_arc_dyn__baselibs__result | ||
| :id: comp_saf_fmea__result__no_return | ||
| :fault_id: MF_01_06 | ||
| :failure_effect: Accessing value object could result in undefined behaviour (e.g. usage of wrong value) | ||
| :mitigated_by: aou_req__result__value_handling, aou_req__result__error_reaction | ||
| :sufficient: yes | ||
| :status: valid |
Contributor
There was a problem hiding this comment.
correction: effect is not UB, but deterministic termination.
also I don't think aou_req__result__error_reaction applies here, since it's rather about reacting to an error.
Suggested change
| .. comp_saf_fmea:: Result No Return | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__no_return | |
| :fault_id: MF_01_06 | |
| :failure_effect: Accessing value object could result in undefined behaviour (e.g. usage of wrong value) | |
| :mitigated_by: aou_req__result__value_handling, aou_req__result__error_reaction | |
| :sufficient: yes | |
| :status: valid | |
| .. comp_saf_fmea:: Result Unchecked Value or Error Access | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__no_return | |
| :fault_id: MF_01_06 | |
| :failure_effect: If the user calls value without the result containing a value, or calls error without the result containing an error, the program will terminate. This may occur when the user does not check the state of the result before accessing it. | |
| :mitigated_by: aou_req__result__value_handling | |
| :sufficient: yes | |
| :status: valid |
Comment on lines
+136
to
+137
| If a value or a error is not returned this will be noticed by the user and reacted upon. This is ensured | ||
| additionally by the provided AoU. |
Contributor
There was a problem hiding this comment.
Suggested change
| If a value or a error is not returned this will be noticed by the user and reacted upon. This is ensured | |
| additionally by the provided AoU. | |
| If the user accesses the value or the error without first verifying the state of the result, the program will deterministically terminate. The provided Assumptions of Use require the user to check and handle both states before access. |
|
|
||
| .. attention:: | ||
| The above directive must be updated according to your component FMEA. | ||
| .. comp_saf_fmea:: Result Stop User |
Contributor
There was a problem hiding this comment.
Now when I think about this one it seems too generic. Any library accepting callbacks might suffer from this.
Contributor
Author
There was a problem hiding this comment.
I would keep - we have a generic (platform level) AoU to cover this.
| * - EX_01_05 | ||
| - processing changes to arbitrary process | ||
| - no | ||
| - Not a problem of result lib as this is a libray and not a process |
Contributor
There was a problem hiding this comment.
Suggested change
| - Not a problem of result lib as this is a libray and not a process | |
| - Not a problem of result lib as this is a library and not a process |
mihajlo-k
reviewed
May 12, 2026
Contributor
mihajlo-k
left a comment
mihajlo-k
left a comment
There was a problem hiding this comment.
Since we are keeping comp_saf_fmea__result__stop_user I would suggest some changes.
Comment on lines
+143
to
+152
| .. comp_saf_fmea:: Result Stop User | ||
| :violates: comp_arc_dyn__baselibs__result | ||
| :id: comp_saf_fmea__result__stop_user | ||
| :fault_id: EX_01_06 | ||
| :failure_effect: User could be stopped by a function provided as a result from another user | ||
| :mitigated_by: aou_req__platform__flow_monitoring | ||
| :sufficient: yes | ||
| :status: valid | ||
|
|
||
| - The above "code-block" directive must be updated | ||
| - Fill in all the needed information in the <brackets> | ||
| Stopping its own execution has to be managed by the user via program flow monitoring, see AoU. |
Contributor
There was a problem hiding this comment.
I would keep - we have a generic (platform level) AoU to cover this.
In that case I would propose some changes that provide a bit more clarity:
Suggested change
| .. comp_saf_fmea:: Result Stop User | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__stop_user | |
| :fault_id: EX_01_06 | |
| :failure_effect: User could be stopped by a function provided as a result from another user | |
| :mitigated_by: aou_req__platform__flow_monitoring | |
| :sufficient: yes | |
| :status: valid | |
| - The above "code-block" directive must be updated | |
| - Fill in all the needed information in the <brackets> | |
| Stopping its own execution has to be managed by the user via program flow monitoring, see AoU. | |
| .. comp_saf_fmea:: Result User-Provided Operation Blocks Execution | |
| :violates: comp_arc_dyn__baselibs__result | |
| :id: comp_saf_fmea__result__stop_user | |
| :fault_id: EX_01_06 | |
| :failure_effect: The user provides a transformation or error handling operation to the Result library. If this operation does not terminate (e.g., infinite loop), the calling execution is blocked indefinitely. | |
| :mitigated_by: aou_req__platform__flow_monitoring | |
| :sufficient: yes | |
| :status: valid | |
| The Result library invokes user-provided operations synchronously during transformation of values or errors. Ensuring these operations terminate is outside the scope of the library and is the responsibility of the user via program flow monitoring, as covered by the referenced platform-level Assumption of Use. |
| * - EX_01_06 | ||
| - processing is not complete (infinite loop) | ||
| - yes | ||
| - User gives back a function as return which induces stop of user execution - see :need:`comp_saf_fmea__result__stop_user` |
Contributor
There was a problem hiding this comment.
Suggested change
| - User gives back a function as return which induces stop of user execution - see :need:`comp_saf_fmea__result__stop_user` | |
| - The Result library accepts user-provided operations for value and error transformation. If such an operation does not complete, the calling execution is halted (see :need:`comp_saf_fmea__result__stop_user`). |
Refers: #2490
aschemmel-tech
force-pushed
the
aschemmel-tech-results-fmea
branch
from
5973b4a to
7a44ace
Compare
mihajlo-k
approved these changes
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Refers: #2490