Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Similar documents
Formal Verification of Models and Code Prashant Mathapati Application Engineer Polyspace & Model Verification

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Leveraging Formal Methods Based Software Verification to Prove Code Quality & Achieve MISRA compliance

Intro to Proving Absence of Errors in C/C++ Code

WHITE PAPER. 10 Reasons to Use Static Analysis for Embedded Software Development

Verification and Test with Model-Based Design

Model-Based Design for High Integrity Software Development Mike Anthony Senior Application Engineer The MathWorks, Inc.

Increasing Design Confidence Model and Code Verification

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

Increasing Embedded Software Confidence Model and Code Verification. Daniel Martins Application Engineer MathWorks

Automating Best Practices to Improve Design Quality

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Production Code Generation and Verification for Industry Standards Sang-Ho Yoon Senior Application Engineer

2015 The MathWorks, Inc. 1

Utilisation des Méthodes Formelles Sur le code et sur les modèles

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Verification and Validation of High-Integrity Systems

Static Analysis in C/C++ code with Polyspace

Jay Abraham 1 MathWorks, Natick, MA, 01760

Automatización de Métodos y Procesos para Mejorar la Calidad del Diseño

Reducing Design Errors in Complex State Machines using Model-Based Design

Using Model-Based Design in conformance with safety standards

Standardkonforme Absicherung mit Model-Based Design

Implementation and Verification Daniel MARTINS Application Engineer MathWorks

Automating Best Practices to Improve Design Quality

정형기법을활용한 AUTOSAR SWC 의구현확인및정적분석

From Design to Production

IDE for medical device software development. Hyun-Do Lee, Field Application Engineer

Model-Based Design for Safety Critical Automotive Applications

Testing, Validating, and Verifying with Model-Based Design Phil Rottier

Model-Based Design for Safety-Critical and Mission-Critical Applications Bill Potter Technical Marketing April 17, 2008

Simulink 를이용한 효율적인레거시코드 검증방안

A Model-Based Reference Workflow for the Development of Safety-Related Software

Automatic Qualification of Abstract Interpretation-based Static Analysis Tools. Christian Ferdinand, Daniel Kästner AbsInt GmbH 2013

Automated Requirements-Based Testing

Leveraging Formal Verification Throughout the Entire Design Cycle

Generating Industry Standards Production C Code Using Embedded Coder

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Safety Manual. for ait, Astrée, StackAnalyzer. AbsInt Angewandte Informatik GmbH

Simulink Verification and Validation

Testen zur Absicherung automatisierter Transformationsschritte im Model-Based Design

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

automatisiertensoftwaretests

18-642: Code Style for Compilers

Testing and Validation of Simulink Models with Reactis

By V-cubed Solutions, Inc. Page1. All rights reserved by V-cubed Solutions, Inc.

StackAnalyzer Proving the Absence of Stack Overflows

Verification, Validation and Test in Model Based Design Manohar Reddy

IBM Rational Rhapsody. IBM Rational Rhapsody Kit for ISO 26262, IEC 61508, IEC and EN Overview. Version 1.9

AstréeA From Research To Industry

Seven Roadblocks to 100% Structural Coverage (and how to avoid them)

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

GNAT Pro Innovations for High-Integrity Development

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

ISO compliant verification of functional requirements in the model-based software development process

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

Ein Modell - viele Zielsysteme

Static Analysis of Embedded Systems

Verification and Validation Introducing Simulink Design Verifier

Introduction & Formal Methods

Architecture-driven development of Climate Control Software LMS Imagine.Lab Embedded Software Designer Siemens DF PL

ISO Compliant Automatic Requirements-Based Testing for TargetLink

Verification and Validation

DRYING CONTROL LOGIC DEVELOPMENT USING MODEL BASED DESIGN

Verification and Validation

Verification and Validation

IBM Rational Rhapsody

Towards an industrial use of FLUCTUAT on safety-critical avionics software

AVS: A Test Suite for Automatically Generated Code

Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Best Practices Process & Technology. Sachin Dhiman, Senior Technical Consultant, LDRA

Certification Authorities Software Team (CAST) Position Paper CAST-25

CERTIFIED. Faster & Cheaper Testing. Develop standards compliant C & C++ faster and cheaper, with Cantata automated unit & integration testing.

Simulink for AUTOSAR: Best Practices

Vector Software. Using VectorCAST to Satisfy Software Verification and Validation for ISO W H I T E P A P E R

Simulation-based Test Management and Automation Sang-Ho Yoon Senior Application Engineer

Testing! Prof. Leon Osterweil! CS 520/620! Spring 2013!

Automatic Code Generation Technology Adoption Lessons Learned from Commercial Vehicle Case Studies

ΗΜΥ 317 Τεχνολογία Υπολογισμού

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Better than Hand Generating Highly Optimized Code using Simulink and Embedded Coder

Verification & Validation of Open Source

Part 5. Verification and Validation

Race Catcher. Automatically Pinpoints Concurrency Defects in Multi-threaded JVM Applications with 0% False Positives.

Coding Standards in FACE Conformance. John Thomas, Chris Edwards, and Shan Bhattacharya

Three General Principles of QA. COMP 4004 Fall Notes Adapted from Dr. A. Williams

Green Hills Software, Inc.

Fault Injection & Formal Made for Each Other

Structural Coverage Analysis for Safety-Critical Code - Who Cares? 2015 LDRA Ltd 1

GAIO. Solution. Corporate Profile / Product Catalog. Contact Information

Reuse MATLAB Functions and Simulink Models in UVM Environments with Automatic SystemVerilog DPI Component Generation

SCADE. SCADE Suite Tailored for Critical Applications EMBEDDED SOFTWARE

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

State of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond

Transcription:

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group 2014 The MathWorks, Inc. 1

The Cost of Failure News reports: Recall Due to ECU software bug 2

The Cost of Failure USS Yorktown: Divide-by-zero Error 0 Knots Top speed 3

The Cost of Failure Therac-25: Race Condition, Overflow 6 Casualties due to radiation overdose 4

What do all these systems have in common? Complex software developed to rigorous standards Extensively reviewed, analyzed and tested Yet still succumbed to costly failure 5

When is it safe to ship? 40% - of all bugs are runtime errors IBM Study 33% of all medical devices sold in U.S. between 99 and 05 recalled for software failures - U. of Patras (Greece) Study 6

Reasons for Failure Cause of failure: Design or Code defects resulting in run-time errors What are run-time errors? Also known as latent faults Rarely manifest directly and frequently Effects include Software crashes Unexpected software behavior Exhaustive testing is out of reach, allowing errors to remain in the design and code. 30-40% of errors found in software are run-time errors. 7

Early errors found late are costly. Relative Cost to Fix Defects per Phase Found Requirements Design Code Test Requirements Design Code Phase Found Test 35 30 25 20 15 10 5 0 50 45 40 Test Code Design Requirements Engineers didn t understand the problem to solve! Engineers got the problem, but the solution doesn t work! Relative Cost to Fix The solution works, but the implementation has errors! Source: Return on Investment for Independent Verification & Validation, NASA, 2004 8

Problem Statement Let s look at the problem we are trying to solve What is unique about control logic as oppose to dataflow algorithm? 9

Difficulties with Complex Logic Multiple entry/exit transitions Simultaneous transitions Execution order 10

Difficulties with Complex Logic Complex conditional statements 11

How do you test your models today? Simulation Based Testing Develop test inputs Apply the test inputs to model Analyze the results with Expected output Requirements 12

How do you ensure a test case exercised all simulation pathways? Model Coverage Model coverage is a measure of how thoroughly a test case tests a model and the percentage of pathways that a test case exercises. Model coverage helps you validate your model tests. 13

Simulation Based Testing The quality of your verification activity is based on the input vectors you created. Error or design defect can only be detected if the proper stimulus exists. Requirements 14

% Complete Gaps in Simulation Based Testing The method itself is inefficient in being exhaustive or complete. A set of functional test case that meets MC/DC coverage objective is only a minimum set of test cases. Test cases can t cover every possible combination of different scenarios. Inputs are defined based on what we already knew. What about the unknown? Priority, synchronization, timeout etc 100 We are performing Acceptance test. 0 Effort / Time 15

Formal Verification Formal verification is mathematically rigorous procedures to search through the possible execution paths of your model for design errors, test cases and counterexamples. (Simulink Design Verifier homepage) act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics.: (Wikipedia)? 16

Formal Verification Example Example application of formal verification: Error detection in model and code Model: Simulink Design Verifier Code: Polyspace Code Verifier 17

Simulink Design Verifier use cases finding design errors Determine unreachable or dead transitions/states without manually generating any test vectors. Identify missing use cases or missing requirements. Prove correctness of your design Use of condition and objective Use of requirements modeling 18

Determine Unreachable or Dead Transitions/States Without Manually Generating Test Vectors Ensure algorithmic logic is structurally correct during design phase. Early detection Transition expression can never be True 19

Identify Missing Use Cases or Missing Requirements Search for hard to find and/or missing functional test cases. User can use test cases generated by Simulink Design Verifier and reverse engineer missing requirements. Understand missing functional test cases associated with missing requirements or functionalities. Requirements Simulation Why do we have missing coverage? Simulink Design Verifier Generate Test Vector for Missing Coverage Missing Coverage Component Models 20

Automatically Generate Test Cases for Equivalence Testing Quickly create a set of test cases that can be used for meeting the equivalence testing criteria in high-integrity application standards ISO26262 Software-in-the-Loop Processor-in-the-Loop Code Generation Model Simulink Design Verifier Automatic Test Generation Test Harness C Target Processor Component Source Code Production Code Generation 21

Formal Methods based Static Code Analysis Find run-time errors In legacy or hand code In the model caused by mixed code integration In the design - when missed by the workflow Prove the absence of run-time errors Prove code is free of run-time errors Check MISRA or MISRA AC AGC compliance Prepare for independent code verification (DO-178B, IEC 61508, ) Check workflow integrity, including mixed environments Browse code-model level to verify the implementation Catch defects missed by the workflow Find implementation errors 23

sophistication Augmenting Static Code Analysis with Formal Methods low Static code analysis scan source code to automate verification Range from unsound methods to sound techniques Compiler warnings Incompatible type detection, etc. Bug finding Pattern matching, heuristics, data/control flow high Formal methods Sound proof based techniques, applied to source code Can show SW is robust for wide operating conditions 24

Polyspace Formal Methods based Static Code Analysis Exhaustively verify code Detect and prove absence of runtime errors Precisely determines and propagates variable ranges Languages supported C, C++, and Ada Verify SW robustness Analyze for full range operating conditions OR Specified ranges of parameters and inputs 25

Polyspace in Model Based Design Polyspace results on generated code are traced back to the model Available for Embedded Coder, dspace TargetLink, and Telelogic Rhapsody 26

Proving Absence of Runtime Errors You Can Prove That: c = a + b; will never overflow j = arr[i]; i will always be within array bounds *ptr = 12; will never be an illegal dereference w = x / (y + z); y never equal to -z or visa versa (divide by zero) And many more 27

Example: Proving Absence of Run-time Errors There are none. Proven 28

Why prove the absence of run-time errors? Implications of verification, static analysis & unit testing T0 +3 months +6 months Improvement is possible and measurable Number of operations x input values Static analysis One-time improvement, but nothing measurably proven 0% proven reliable............... Required for functional testing. Not suitable to prove code correctness 29

Formal DO-178B Methods Verification Certification Supplement and Credit Existing to DO-178C Processes and DO-278A Table Allows A-5 the (ref use section: of Formal 6.3.4b, 6.3.4c, Methods 6.3.4d, Analysis 6.3.4f) for verification of: Dataflow, control flow Software requirements Dead code Can Software Compliance I get certification design with standards credit (MISRA, if I use JSF++) formal verification techniques Source code in my process? Arithmetic overflow, resource contention, uninitialized variables, Executable object code Adds an objective that the formal analysis method must Table be shown A-6 (ref to section: be sound 6.4.2.1, 6.4.2.2, 6.4.3) Uninitialized variables, parameter passing errors, data corruption, What does this mean Incorrect loop/logic decisions, arithmetic faults, violations of array limits, Polyspace is a formal methods tool for analysis of source code As a Criteria 2 tool, partial credit may be taken for analysis of executable object code and this is included in the DO Diagnostics of runtime failure, operation under full range conditions, Qualification non terminating Kit loops, DO Qualification Kit already includes a Theoretical Foundation document to justify the soundness of Abstract Interpretation 30

ISO 26262 Certification of MathWorks Products TÜV SÜD certified: Real-Time Workshop Embedded Coder Simulink Design Verifier Simulink Verification and Validation Polyspace products for C/C++ For use in development processes which need to comply with IEC 61508, ISO 26262, or EN 50128 Note: The products listed above were not developed using certified processes 31

TRW Automotive Develops and Tests Electric Parking Brake Using Simulink and Simulink Design Verifier Challenge Design tests for an electric parking brake control system Solution Use Simulink Design Verifier to automatically generate tests that maximize model coverage and enable systematic design verification Results Test development time reduced from days to hours 100% model coverage achieved Formal testing begun two months into the project Link to user story Electronic parking brake control system. Everyone knows that errors are much less expensive to fix when you find them early. With Simulink Design Verifier, we build on the advantages of Model-Based Design by performing formal testing in the first phases of development." Christoph Hellwig TRW 32

Nissan Increases Software Reliability with Polyspace Products for C/C++ Challenge Identify hard-to-find run-time errors to improve software quality The Nissan Fairlady Z. Solution Use MathWorks tools to exhaustively analyse Nissan and supplier code Results Suppliers' bugs detected and measured Software reliability improved Polyspace products for C/C++ adopted by Nissan suppliers "Polyspace products for C/C++ can ensure a level of software reliability that is unmatched by any tools in the industry. Mitsuhiko Kikuchi, Nissan 33

Key Takeaways Simulink Design Verifier: Design Error Detection Dead Logic, Divide by Zero etc Test Case Generation Decision, Condition and MC/DC Coverage. Property Proving To prove or disprove specified property Polyspace: Prove code correctness: Provide sustainable quality measures Identify which part of the code is reliable Detect run-time errors: Clean functional tests of run-time errors Detect software errors quickly and early 35

Thank You 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback