unifying model and code verification · 29 polyspace product family for c/c++ polyspace code prover...
TRANSCRIPT
![Page 1: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/1.jpg)
1© 2016 The MathWorks, Inc.
Unifying Model and Code Verification
![Page 2: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/2.jpg)
2
Motivation
Most controls applications are a combination of
model-based generated code and hand code
How do I efficiently verify this mix of hand code
and generated code?
MathWorks has tools for verifying models and
tools for verifying code
Is there a workflow for me to use these tools in
a complementary, optimum way?
![Page 3: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/3.jpg)
3
Case Study: Cruise Control Application
65 mph
Objective: set cruise control target speed and pedal position
based on driver & vehicle inputs
Cruise Control Application (C code)
• Hand code components
• Model-based Stateflow component
• Model-based S-function component
![Page 4: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/4.jpg)
4
Case Study: Cruise Control Architecture
Cruise Control Application
Read Inputs
Fault Logging
Pedal Command
Control Module
Write Outputs
Hand Code
MBD Gen Code
S-function Code
Target Speed
Control Module
System Inputs
Cruise Power
Brake
Vehicle Speed
Coast/Set
Accel/Resume
Function
Scheduler
System Outputs
Target Speed
Engaged
Pedal Position
![Page 5: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/5.jpg)
6
Workflow for integrated Model-based and Hand Code
Components
![Page 6: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/6.jpg)
7
Hand
Code
MBD Generated Code
S-function
Code
Cruise Control Application
Workflow for integrated Model-based and Hand Code
Components Read Inputs
Fault Logging
Write Outputs
Target Speed
Control Module
Pedal Command
Control Module
![Page 7: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/7.jpg)
8
• Check MISRA compliance (Mdl Advisor)
MISRA-C – Modeling Guidelines Checks
![Page 8: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/8.jpg)
9
Checking Model for MISRA compliance with Model Advisor Target Speed
Control Module
![Page 9: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/9.jpg)
10
Target Speed
Control Module Checking Model for MISRA compliance with Model Advisor
![Page 10: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/10.jpg)
11
Checks model design and code configuration settings
Increases likelihood of generating MISRA C:2012 compliant code
Checking Model for MISRA compliance with Model Advisor Target Speed
Control Module
![Page 11: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/11.jpg)
12
• Check MISRA compliance (Mdl Advisor)
• Check model early for design errors
Design Error Detection
![Page 12: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/12.jpg)
13
Floats to Integers: Checking
the Model for Design Errors
Target Speed
Control Module
Simulink Design Verifier identifies design errors on the model
These “dead logic” errors would prevent successful functional testing
![Page 13: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/13.jpg)
14
Root Cause Analysis/Fix of Dead Logic
Dead logic due to “uint8” operation on incdec/holdrate*10
Fix change the order of operation 10*incdec/holdrate
Design Error Detection reveals
this condition can never be false!
Target Speed
Control Module
![Page 14: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/14.jpg)
15
• Functional testing
(simulation)
Simulation and Test
![Page 15: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/15.jpg)
16
Tests
Functional Testing Workflow
Structural coverage
report
Did we completely
test our model?
Did we meet our
requirements?
Review functional
behavior
Requirements
Design
![Page 16: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/16.jpg)
17
Simulink Test™
Authoring Tests
Managing Tests
Execution of Tests
Key Features
– Test harness
– Test sequence block for
running tests and assessments
– Pass-fail criteria, including
tolerances, limits, and temporal conditions
– Baseline, equivalence, and back-to-back testing
– Automatic report generation to document test outcomes
![Page 17: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/17.jpg)
18
Functional Testing of Pedal Command (S-Function) Pedal Command
Control Module
Coverage analysis for the model and the s-function code.
![Page 18: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/18.jpg)
19
• Code coverage (SIL)
• SIL mode
support
Back-to-Back Cmparison Test (ISO 26262)
![Page 19: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/19.jpg)
20
Check the Generated Code for Equivalent Model Behavior
Integrated SIL mode support for model-to-code equivalence testing
Coverage report for generated code for a detailed equivalence analysis
![Page 20: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/20.jpg)
21
• Automatic Code Reviews
Optional: Automatic Code Reviews
![Page 21: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/21.jpg)
22
Independent code inspection
Code Inspection
Report
?
Model and code development
Normalized Model IR
Normalized Code IR
Model IR Code IR
IR transformations
Matching
EmbeddedCoder
C source code
Simulink Model
Static verification tool.
Checks the generated code against modelTraceability
report
Automatic Code Reviews
.
.
EC
SLCI.
.
Simulink Code Inspector ®
![Page 22: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/22.jpg)
23
• Functional testing
(simulation)• Code coverage (SIL)
Simulink Design Verifier – Automatic Test Generation
![Page 23: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/23.jpg)
24
Generate Functional Test Cases Pedal Command
Control Module
SL Design Verifier created test cases to cover all possible
“Decision/Condition” objectives in the model and s-function code.
![Page 24: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/24.jpg)
25
Simulink Design Verifier – Test Generation for ModulesOverview
Input
– Model
– Coverage metric– Decision coverage
– Condition coverage
– MC/DC
– Custom Objectives
(requirements-based)
Optional Input
– Modifiable parameter sets
– Existing coverage data
Results
– Harness model
– Input test signals
– Unreachable objects
– Detailed reports
Test Generation
![Page 25: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/25.jpg)
26
Simulink Design Verifier – Property ProvingOverview
Inputs
Model
Requirements
Optional Inputs
Assumptions
Proof satisfied or
Proof falsified
Counterexample
Detailed reports
Property Proving
![Page 26: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/26.jpg)
27
Simulink Design Verifier – Use Cases
Model Slicing
Design Error Detection
Test Generation
Property Proving
![Page 27: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/27.jpg)
28
Issues Found on HIL Bench…
The Cruise Control powered off during fault testing
And, the Target Speed never exceeded 40 mph
![Page 28: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/28.jpg)
29
Polyspace product family for C/C++
Polyspace Code Prover
– Proves code to be safe and dependable
– Deep verification of software components
– Perform QA signoff for production ready code
Polyspace Bug Finder
– Quickly find bugs in embedded software
– Check code compliance for MISRA and JSF
– Intended for every day use by software engineers
Ada language also supported for proving code
![Page 29: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/29.jpg)
30
Customer Lookup Table: Checking the S-Function Code
for Runtime ErrorsPedal Command
Control Module
![Page 30: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/30.jpg)
31
Root Cause Analysis/Fix of S-Function Run-time Errors Pedal Command
Control Module
![Page 31: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/31.jpg)
32
Configuring Polyspace from the Model Target Speed
Control Module
![Page 32: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/32.jpg)
33
Launching Polyspace from the Model Target Speed
Control Module
![Page 33: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/33.jpg)
34
Review Bug Finder MISRA resultsTarget Speed
Control Module
![Page 34: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/34.jpg)
35
Reduce MISRA violations with “Code Placement” settingTarget Speed
Control Module
![Page 35: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/35.jpg)
36
Justify other violations by adding annotationTarget Speed
Control Module
![Page 36: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/36.jpg)
37
What support is
there for analyzing
the integrated code?
Cruise Control Application
S-function
Code
Hand
Code
MBD
Generated
Code
Read Inputs
Fault Logging
Write Outputs
Target Speed
Control Module
Pedal Command
Control Module
• Check integrated code for run-time errors
Check integrated code
for run-time errors
– Polyspace
![Page 37: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/37.jpg)
38
Why code verification? Code verification is exhaustive!
Proves when code will not fail under any runtime
conditions, reducing robustness testing efforts
Finds unreachable code, runtime errors, boundary
conditions and without testing
Gives insight into runtime behavior and data
ranges
Statically and semantically verifies all possible executions of your code
(considering all possible inputs, paths, variable values)
![Page 38: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/38.jpg)
39
Read Inputs
Write Outputs
Scheduler
Fault Logging
Target Speed
Control Module
Pedal Command
Control Module
Creating a Code Prover project to
check the Integrated Code
![Page 39: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/39.jpg)
40
Code Integration Check with Polyspace:
Non-terminating loop in Hand CodeFault Logging
![Page 40: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/40.jpg)
41
Cause of Cruise Control Powering off during fault testingFault Logging
![Page 41: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/41.jpg)
42
Code Integration Check with Polyspace:
Dead Code Found in Generated Code
Unreachable/Dead code
Maximum target speed = 90Vehicle speed signal propagated to
“CruiseControl_PS.c” [0 … 40]
Target Speed
Control Module
![Page 42: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/42.jpg)
43
Root Cause for Dead Code:
Speed Sensor Input Hand Code
Changing analog-to-digital converter from 14 to 12-bit results in dead code
MASK – accounts for scaling down
for new ADC from 14-bit to 12-bit
Overlooked changing
CONV_FACTOR for new ADC
Read Inputs
![Page 43: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/43.jpg)
45
• Functional testing
(simulation)
• Check model early for design errors
• Check MISRA compliance (Mdl Advisor)
• Check s-function code
for run-time errors
• Check MISRA
compliance (Polyspace)
• Code coverage (SIL)
• SIL mode
support
• Check integrated code
for run-time errors
Workflow Summary:
Complementary Model & Code Verification
MBD
Generated
Code
Hand
Code
![Page 44: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/44.jpg)
46
ISO 26262 Structure
• VocabularyISO 26262-1
• Management of functional safetyISO 26262-2
• Concept phaseISO 26262-3
• Product development: system levelISO 26262-4
• Product development: hardware levelISO 26262-5
• Product development: software levelISO 26262-6
• Production and operationISO 26262-7
• Supporting processesISO 26262-8
• ASIL-oriented and safety-oriented analysesISO 26262-9
• GuidelineISO 26262-10
Model-Based Design
Early verification and
validation
Code generation
Tool classification
and qualification
![Page 45: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/45.jpg)
47
ISO 26262 Tool Qualification Approach - Details
I. Tool Classification II. Tool Qualification
TI 2
TI 1
TD 3
TD 1
TD 2
TCL 3
TCL 2
TCL 1
Tool
error
detection
Tool
confidence
level
High
Medium
Incre
asin
g
qualific
atio
n
require
men
tsTool
impact ASIL
Qualification
methods for TCL2
Qualification
methods for TCL3
UC
1..n
Tool
use
cases
Qualification
not required
![Page 46: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/46.jpg)
48
Qualification of MathWorks Tools
Tool qualification may involve multiple parties
Tool user
Responsible for final tool qualification
in the context of the application
Tool vendor
Conducts generic pre-classification and
pre- qualification based on reference
use cases / reference workflow
3rd party assessor (optional)
Provides independent assessment of
reference workflow and pre-qualification
artifacts
ISO 26262 Tool Qualification Kit
Tool User
Project-specific adaptation
MathWorks
Pre-classification /
qualification based on
typical use cases (reference
workflows)
TÜV SÜD
Independent Assessment
![Page 47: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/47.jpg)
49
Independent Assessment by TÜV SÜD Example
Certificate Assessment Report
![Page 48: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/48.jpg)
50
A Complementary Model and Code Verification Process …
Model and code checks before functional testing to minimize rework
Perform functional, dynamic testing with model and code structural
analysis with automation, and reuse of test assets
Analyze the code to find issues resulting from the integration of
o hand code
o s-function code
o model-based generated code
Includes formal methods analysis to go beyond functional testing
Enables more, early testing of the model and code
Continual increase in design confidence
![Page 49: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/49.jpg)
51
Thank You!
![Page 50: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/50.jpg)
52
Process Compliance Demonstration
Annotated method tables with suggestions on how to use Model-Based Design
processes and tools to apply the methods listed in ISO 26262-6
![Page 51: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/51.jpg)
53
ISO 26262 – Walk-through and Inspection
„[..] unit specification
design and
implementation can be
verified at the model
level.“
ISO 26262 (2011)
![Page 52: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/52.jpg)
54
Qualification of Model-Based Design Tools
pre-qualified for all ASILs according to ISO 26262
Embedded Coder
Simulink Design VerifierSimulink Verification and Validation
Polyspace Bug Finder
Polyspace Code Prover
Simulink Test
![Page 53: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/53.jpg)
55
Defects detected by Polyspace Bug FinderNumerical
Integer division by zero
Float division by zero
Integer conversion overflow
Unsigned integer conversion overflow
Sign change integer conversion
overflow
Float conversion overflow
Integer overflow
Unsigned integer overflow
Float overflow
Invalid use of std. library integer routine
Invalid use of std. library float routine
Shift of a negative value
Shift operation overflow
Static memory
Array access out of bounds
Null pointer
Pointer access out of bounds
Unreliable cast of function pointer
Unreliable cast of pointer
Invalid use of std. library memory
routine
Invalid use of standard library string
routine
Arithmetic operation with NULL pointer
Wrong allocated object size for cast
Local address escape
Buffer overflow from incorrect string
format specifier
Dynamic memory
Use of previously freed pointer
Unprotected dynamic memory allocation
Release of previously deallocated pointer
Invalid free of pointer
Memory leak
Programming
Invalid use of = operator
Invalid use of == operator
Declaration mismatch
Invalid use of floating point operation
Wrap-around on unsigned integer
Assertion
Invalid use of other standard lib. routine
Missing null in string array
Qualifier removed in conversion
Wrong type used in sizeof
Format string specifiers and arguments
mismatch
Writing to const qualified object
Good practice
Large pass-by-value argument
More than one statement
Delete of void pointer
Hard-coded buffer size / loop boundary
Unused parameter
Dataflow
Write without further read
Non-initialized variable
Non-initialized pointer
Variable shadowing
Missing or invalid return statement
Dead code
Partially access array
Uncalled function
Pointer to non initialized value converted to
const pointer
Code deactivated by constant false
condition
Unreachable code
Useless if
Concurrency
Race condition (atomic / non atomic)
Missing lock/unlock
Deadlock
Double lock/unlock
Resources management
Use of previously closed resource
Resource leak
Writing to read-only resource
Security / tainted data (38 checkers)
chroot misuse
Use of dangerous standard function
Mismatch between data length and size
Use of non-secure temporary file
Sensitive heap not cleared
Tainted array index
Tainted external command
Tainted integer division
Object oriented (12 checkers)
Object slicing
Copy constructor not called
Member not initialized in constructor
…
![Page 54: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/54.jpg)
56
Defects detected by Polyspace Bug FinderNumerical
Integer division by zero
Float division by zero
Integer conversion overflow
Unsigned integer conversion overflow
Sign change integer conversion
overflow
Float conversion overflow
Integer overflow
Unsigned integer overflow
Float overflow
Invalid use of std. library integer routine
Invalid use of std. library float routine
Shift of a negative value
Shift operation overflow
Static memory
Array access out of bounds
Null pointer
Pointer access out of bounds
Unreliable cast of function pointer
Unreliable cast of pointer
Invalid use of std. library memory
routine
Invalid use of standard library string
routine
Arithmetic operation with NULL pointer
Wrong allocated object size for cast
Local address escape
Buffer overflow from incorrect string
format specifier
Dynamic memory
Use of previously freed pointer
Unprotected dynamic memory allocation
Release of previously deallocated pointer
Invalid free of pointer
Memory leak
Programming
Invalid use of = operator
Invalid use of == operator
Declaration mismatch
Invalid use of floating point operation
Wrap-around on unsigned integer
Assertion
Invalid use of other standard lib. routine
Missing null in string array
Qualifier removed in conversion
Wrong type used in sizeof
Format string specifiers and arguments
mismatch
Writing to const qualified object
Good practice
Large pass-by-value argument
More than one statement
Delete of void pointer
Hard-coded buffer size / loop boundary
Unused parameter
Dataflow
Write without further read
Non-initialized variable
Non-initialized pointer
Variable shadowing
Missing or invalid return statement
Dead code
Partially access array
Uncalled function
Pointer to non initialized value converted to
const pointer
Code deactivated by constant false
condition
Unreachable code
Useless if
Concurrency
Race condition (atomic / non atomic)
Missing lock/unlock
Deadlock
Double lock/unlock
Resources management
Use of previously closed resource
Resource leak
Writing to read-only resource
Checkers inherited from Code Prover
Security / tainted data (38 checkers)
chroot misuse
Use of dangerous standard function
Mismatch between data length and size
Use of non-secure temporary file
Sensitive heap not cleared
Tainted array index
Tainted external command
Tainted integer division
Object oriented (12 checkers)
Object slicing
Copy constructor not called
Member not initialized in constructor
…
![Page 55: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/55.jpg)
57
Full list of run-time error checks in Polyspace Code Prover
C run-time checks
Unreachable Code
Out of Bounds Array Index
Division by Zero
Non-Initialized Variable
Scalar and Float Overflow (left shift on signed variables, float underflow
versus values near zero)
Initialized Return Value
Shift Operations (shift amount in 0..31/0..63, left operand of left shift is
negative)
Illegal Dereferenced Pointer (illegal pointer access to variable of
structure field, pointer within bounds)
Correctness Condition (array conversion must not extend range,
function pointer does not point to a valid function)
Non-Initialized Pointer
User Assertion
Non-Termination of Call (non-termination of calls and loops, arithmetic
expressions)
Known Non-Termination of Call
Non-Termination of Loop
Standard Library Function Call
Absolute Address
Inspection Points
C++ run-time checks
Unreachable Code
Out of Bounds Array Index
Division by Zero
Non-Initialized Variable
Scalar and Float Overflow
Shift Operations
Pointer of function Not Null
Function Returns a Value
Illegal Dereferenced Pointer
Correctness Condition
Non-Initialized Pointer
Exception Handling (calls to throws, destructor or delete
throws, main/tasks/C_lib_func throws, exception raised is
not specified in the throw list, throw during catch
parameter construction, continue execution in__except)
User Assertion
Object Oriented Programming (invalid pointer to member,
call of pure virtual function, incorrect type for this-pointer)
Non-Termination of Call
Non Termination of Loop
Absolute Address
Potential Call
C++ Specific Checks (positive array size, incorrect typeid
argument, incorrect dynamic_cast on reference)
static void pointer_arithmetic (void) {
int array[100];
int *p = array;
int i;
for (i = 0; i < 100; i++) {
*p = 0;
p++;
}
if (get_bus_status() > 0) {
if (get_oil_pressure() > 0) {
*p = 5;
} else {
i++;
}
}
i = get_bus_status();
if (i >= 0) {
*(p - i) = 10;
}
}
Green: reliablesafe pointer access
Red: faultyout of bounds error
Gray: deadunreachable code
Orange: unprovenmay be unsafe for some
conditions
![Page 56: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/56.jpg)
58
Examples of software safety requirements
Initiation Architecture Design/Implementation Unit Testing Integration Testing
Polyspace Metrics
Detect and correct areas with high complexity
Table 1 – Topics to be covered by modelling and coding guidelines
![Page 57: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/57.jpg)
59
Enforcement of coding guidelines
Examples of software safety requirements
Initiation Architecture Design/Implementation Unit Testing Integration Testing
Polyspace
Metrics
Table 1 – Topics to be covered by modelling and coding guidelines
Polyspace Metrics
![Page 58: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/58.jpg)
65
Reference Workflow Model-Based Design for ISO 26262
Traceability matrix analysis
(IEC Certification Kit) or
model vs. code coverage (Simulink V&V)
Simulation / model testing
(Simulink, Simulink Test)
Model coverage
Req. Mgmt. Int.
(Simulink V&V)
Modeling standards checking (Simulink V&V)PIL test (Embedded Coder)
Simulink/Stateflow Embedded Coder Third-party tool
![Page 59: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/59.jpg)
66
Advanced Reference WorkflowAdditional Best Practices
Traceability matrix analysis
(IEC Certification Kit) or
model vs. code coverage (Simulink V&V)
MISRA-C checking (Polyspace products)
Simulation / model testing
(Simulink, Simulink Test)
Model coverage
Req. Mgmt. Int.
(Simulink V&V)
Modeling standards checking (Simulink V&V)
Property Proving, Design Error Detection
(Simulink Design Verifier)
PIL test (Embedded Coder)
Test generation
(Simulink Design Verifier)
Run-time error detection
(Polyspace products)
Simulink/Stateflow Embedded Coder Third-party tool
![Page 60: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/60.jpg)
67
• Check s-function code
for run-time errors
• Check MISRA
compliance (Polyspace)
• Check integrated code
for run-time errors
Workflow Summary:
Complementary Model & Code Verification
![Page 61: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/61.jpg)
68
System-Level
Specification
Subsystem
Design
Subsystem
Implementation
Subsystem
Integration & Test
System-Level
Integration & Test
Complete
Integration
& Test
DESIGN
Environment Models
Physical Components
Algorithms
REQUIREMENTS
IMPLEMENTATION
MCU DSP FPGA ASIC
Structured
Text
VHDL,
VerilogC, C++
PLC
Code Verification
and Validation
Integration Testing
User Acceptance
Testing
Component Design
Model-Based DesignVerification and Validation
Research
Data Modeling
Algorithm
Development
Data analysis
Requirements Traceability
• Navigation and Reports
Modeling Standards Checking
• Automatic Review
Testing and Test Automation
• Test Authoring
• Coverage Analysis
• Automatic Test Case Generation
Property Proving
• Quickly find incorrect behavior
• Prove correctness of behavior
Static Analysis on Model and Code
• Identify defects
• Prove absence of runtime errors
• Compliance to coding standards
Compliance to ISO 26262
• Workflow and tool qualification
![Page 62: Unifying Model and Code Verification · 29 Polyspace product family for C/C++ Polyspace Code Prover –Proves code to be safe and dependable –Deep verification of software components](https://reader033.vdocuments.site/reader033/viewer/2022060214/5f0579977e708231d413252c/html5/thumbnails/62.jpg)
69
Verification on Code Level – Polyspace
Finds bugs
Checks coding rule conformance (MISRA/JSF/Custom)
Provides metrics (Cyclomatic complexity etc.)
Proves the existence and absence of errors
Indicates when you’ve reached the desired quality level