1
© 2016 The MathWorks, Inc.
Intro to Proving Absence of Errors in C/C++ Code
Develop high quality embedded software
Kristian Lindqvist
Senior Pilot Engineer
MathWorks
2
The Cost of Failure…
$7,500,000,000
Ariane 5:
Overflow Error
Rocket & payload lost
3
The Cost of Failure…
Recall
News reports:
Due to ECU software bug
4
The Cost of Failure…
Top speed: 0 knots
USS Yorktown:
Divide-by-zero Error
5
The Cost of Failure…
6 casualties due to radiation overdose
Therac-25:
Race Condition,
Overflow
6
What do all these systems have in common?
Complex software developed to rigorous standards
Extensively reviewed, analyzed and tested
Yet still failed
7
Examples of software bugs and errors
Run-time errors
Concurrency issues
Programming errors
Dead or unreachable code
Static and dynamic memory errors
8
Testing is not enough!
Good design and testing
– Help eliminate functional errors
Implementation correctness and robustness
– Undetected run-time errors will cause catastrophic failure
(Figure: tests needed to catch all the defects vs. tests needed for coverage)
9
Can you find a bug?
10
Can you find a bug?
Could there be a bug on this line?
11
Consider the operation: x / (x - y)
Potential run-time errors
– Variables x and y may not be initialized
– An overflow on subtraction
– If x == y, then a divide by zero will occur
How to prove that run-time errors do or do not exist?
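Before asking a tool to prove anything, it helps to see what a defensive implementation of the same expression has to check. The following C function is an added example, not code from the slides: it evaluates x / (x - y) only after ruling out each run-time error listed above, and it also guards INT32_MIN / -1, a fourth trap the slide does not mention. The uninitialized-variable case cannot be detected inside the callee at all, which is exactly why it is left as a precondition on the caller.

```c
#include <stdint.h>
#include <stdio.h>

/* Outcome of evaluating x / (x - y) with every run-time error checked first. */
typedef enum {
    DIV_OK = 0,
    DIV_SUB_OVERFLOW,   /* x - y is not representable as int32_t          */
    DIV_BY_ZERO,        /* x == y, so the divisor is 0                     */
    DIV_QUOT_OVERFLOW   /* INT32_MIN / -1 is not representable either      */
} div_status_t;

/* Evaluate x / (x - y) without invoking undefined behaviour.
 * Precondition (cannot be checked here): x and y are initialized.
 * On success the quotient is stored in *out and DIV_OK is returned. */
div_status_t checked_div_diff(int32_t x, int32_t y, int32_t *out)
{
    /* Signed subtraction overflows iff (y > 0 and x < INT32_MIN + y) or
     * (y < 0 and x > INT32_MAX + y); both right-hand sides stay in range,
     * so the test itself cannot overflow. */
    if ((y > 0 && x < INT32_MIN + y) || (y < 0 && x > INT32_MAX + y))
        return DIV_SUB_OVERFLOW;

    int32_t d = x - y;          /* now provably in range */
    if (d == 0)
        return DIV_BY_ZERO;     /* the x == y case from the slide */
    if (x == INT32_MIN && d == -1)
        return DIV_QUOT_OVERFLOW;

    *out = x / d;
    return DIV_OK;
}

int main(void)
{
    /* Constructed inputs covering each outcome. */
    int32_t pairs[][2] = { {10, 5}, {7, 7}, {INT32_MIN, 1}, {INT32_MIN, INT32_MIN + 1} };
    for (size_t k = 0; k < sizeof pairs / sizeof pairs[0]; k++) {
        int32_t q = 0;
        div_status_t s = checked_div_diff(pairs[k][0], pairs[k][1], &q);
        printf("x=%d y=%d -> status %d quotient %d\n", pairs[k][0], pairs[k][1], (int)s, q);
    }
    return 0;
}
```

The overflow test is written without compiler builtins so it compiles on any C99 toolchain; the same predicate is what a prover has to establish over ranges of x and y rather than for one pair at a time.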
12
Exhaustive testing
If both inputs are signed int32
– Full range inputs: -2^31 .. +2^31-1 (2^32 values each)
– All combinations of two inputs: 2^64, about 1.84 x 10^19 test-cases
Test time on a Windows host machine
– 2.2GHz T7500 Intel processor
– 4 million test-cases took 9.284 seconds
– Exhaustive testing time at that rate: about 1.36 million years
Exhaustive Testing is Impossible
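The alternative to enumerating 2^64 inputs is to reason about ranges of inputs at once. As an added example (not the slides' code and not Polyspace's algorithm, which uses a far richer abstract domain), the C below runs a toy interval analysis over x / (x - y) from the earlier slide: given an interval for x and for y it computes the interval of x - y, decides whether the subtraction can overflow int32, and then whether the divisor can be zero, returning a verdict in the colour scheme the later Polyspace slides use (green proven safe, red always fails, orange unproven, gray unreachable). Input ranges are constructed; initialization and the INT32_MIN / -1 quotient case are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict colours as the Polyspace slides use them. */
typedef enum { GREEN, ORANGE, RED, GRAY } verdict_t;

/* Closed integer interval [lo, hi]; int64_t so the analysis itself never
 * overflows while reasoning about int32 arithmetic. */
typedef struct { int64_t lo, hi; } ival_t;

/* One verdict per run-time check in x / (x - y), plus the divisor range. */
typedef struct {
    verdict_t sub_overflow;  /* check on the subtraction x - y             */
    verdict_t div_by_zero;   /* check on the division by (x - y)           */
    ival_t    divisor;       /* int32 values the divisor can actually take */
} report_t;

static ival_t ival(int64_t lo, int64_t hi)
{
    ival_t r = { lo, hi };
    return r;
}

/* Compare a computed range with an allowed range: green when wholly inside,
 * red when wholly outside, orange when it straddles a bound. */
static verdict_t classify(ival_t v, int64_t lo_ok, int64_t hi_ok)
{
    if (v.lo >= lo_ok && v.hi <= hi_ok) return GREEN;
    if (v.hi < lo_ok || v.lo > hi_ok)   return RED;
    return ORANGE;
}

report_t analyze_div_diff(ival_t x, ival_t y)
{
    report_t r;
    /* Interval subtraction: smallest difference is x.lo - y.hi, largest is x.hi - y.lo. */
    ival_t diff = ival(x.lo - y.hi, x.hi - y.lo);
    r.sub_overflow = classify(diff, INT32_MIN, INT32_MAX);
    if (r.sub_overflow == RED) {
        /* Every execution stops at the overflow, so the division is dead code. */
        r.div_by_zero = GRAY;
        r.divisor = diff;
        return r;
    }
    /* After an orange overflow check the analysis continues only with the
     * values that did not overflow, i.e. the part inside the int32 range. */
    r.divisor = ival(diff.lo < INT32_MIN ? INT32_MIN : diff.lo,
                     diff.hi > INT32_MAX ? INT32_MAX : diff.hi);
    if (r.divisor.lo == 0 && r.divisor.hi == 0)
        r.div_by_zero = RED;       /* divisor is 0 on every execution */
    else if (r.divisor.lo <= 0 && r.divisor.hi >= 0)
        r.div_by_zero = ORANGE;    /* divisor is 0 for some inputs only */
    else
        r.div_by_zero = GREEN;     /* divisor can never be 0 */
    return r;
}

static const char *verdict_name(verdict_t v)
{
    static const char *names[] = { "green", "orange", "red", "gray" };
    return names[v];
}

int main(void)
{
    /* Constructed input ranges, as a sensor's declared range might give them. */
    report_t r = analyze_div_diff(ival(0, 100), ival(1, 50));
    printf("x in [0,100], y in [1,50]: subtraction %s, division %s, divisor [%lld, %lld]\n",
           verdict_name(r.sub_overflow), verdict_name(r.div_by_zero),
           (long long)r.divisor.lo, (long long)r.divisor.hi);
    r = analyze_div_diff(ival(10, 20), ival(1, 5));
    printf("x in [10,20], y in [1,5]: subtraction %s, division %s\n",
           verdict_name(r.sub_overflow), verdict_name(r.div_by_zero));
    return 0;
}
```

Two facts the example makes concrete: the verdict depends on the input ranges, not on the code alone (x in [10,20] with y in [1,5] is green everywhere, the same expression with y in [1,50] is orange), and a red check turns the code after it gray because no execution survives it. Real tools also track relations between variables (x == y on one path), which a plain interval domain cannot express, so they produce fewer oranges than this toy.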
13
Polyspace demonstration
where_are_errors
22
```c
/* Polyspace demo code: deliberately contains out-of-bounds accesses.
 * The two sensor functions are defined elsewhere in the demo project. */
extern int get_bus_status(void);
extern int get_oil_pressure(void);

static void pointer_arithmetic (void) {
    int array[100];
    int *p = array;
    int i;
    for (i = 0; i < 100; i++) {
        *p = 0;            /* green: p stays within array[0..99] */
        p++;               /* range tooltip on i++: i is [0..99] here, [1..100] after */
    }
    /* after the loop p == array + 100, one past the end */
    if (get_bus_status() > 0) {
        if (get_oil_pressure() > 0) {
            *p = 5;        /* red: write past the end of array */
        } else {
            i++;           /* gray: Polyspace reports this branch unreachable */
        }
    }
    i = get_bus_status();
    if (i >= 0) {
        *(p - i) = 10;     /* orange: in bounds only for 1 <= i <= 100 */
    }
}
```
Results from Polyspace
Green (reliable): safe pointer access
Red (faulty): out of bounds error
Gray (dead): unreachable code
Orange (unproven): may be unsafe for some conditions
Purple (violation): MISRA-C/C++ or JSF++ code rules
Range data tool tip on i++ in the loop:
variable 'i' (int32): [0 .. 99]
assignment of 'i' (int32): [1 .. 100]
23
How is Polyspace code verification unique?
Statically verifies all possible executions of your code
(considering all possible inputs, paths, variable values)
Proves when code will not fail under any runtime conditions
Finds runtime errors, boundary conditions and unreachable code
without exhaustive testing
Gives insight into runtime behavior and data ranges
Mathematically sound – no false negatives for the run-time errors it checks: an operation it cannot prove safe is reported as orange (unproven) rather than passed silently, so oranges still need review
24
Detailed Polyspace demonstration
demo_c
25
Why verify code in Model-Based Design?
Models may contain S-Functions (handwritten code)
Generated code may interface with legacy or driver code
That interface may cause downstream run-time errors
Model-level verification alone cannot eliminate construction errors in the code
Certification may require verification at code level
26
Benefits of running Polyspace from Simulink
Find bugs in S-Functions in isolation
Check compliance for MISRA (or MISRA-AC-AGC)
Annotate models to justify code rule violations
Trace code verification results back to Simulink models
Qualify integrated code (generated code and handwritten code)
Independent verification of generated code
Easily produce reports and artifacts for certification
27
Traceability from code to models
Polyspace Bug Finder and Polyspace Code Prover verification results,
including MISRA analysis can be traced from code to model
29
Polyspace product family for C/C++
Polyspace Code Prover
– Proves code to be safe and dependable
– Deep verification of software components
– Perform QA signoff for production ready code
Polyspace Bug Finder
– Quickly find bugs in embedded software
– Check code compliance for MISRA and JSF
– Intended for every day use by software engineers
Ada language also supported for proving code
30
How does Polyspace help you?
Finds bugs and security vulnerabilities
Checks coding rule conformance (MISRA/JSF/Custom/CWE*)
Provides metrics (Cyclomatic complexity etc)
Proves the existence and absence of errors
Indicates when you’ve reached the desired quality level
Certification help for DO-178C, ISO 26262, EN 50128, IEC 62304, IEC 61508
31
Thank You!