2. QGen: Simulink® static verification
and code generation
Presented by
Matteo Bordin
bordin@adacore.com
3. What is QGen?
A qualifiable and customizable code generator from
Simulink® and Stateflow® to SPARK and MISRA C
A formal model verifier for runtime errors and functional properties
An extendable framework to integrate heterogeneous models
4. Main features 1/2
Support for a large subset of Simulink®
Around 120 blocks, optional checks for MISRA Simulink®
Stateflow® support expected in Spring 2015
Code generation for SPARK and MISRA C
Readable and traceable code, no performance penalty
Ships with static model verifier
Run-time errors (divisions by zero, overflows, …)
Logical errors (dead execution paths)
Functional properties (Simulink® assertions blocks)
5. Main features 2/2
Off-the-shelf qualification material
Including validation against Simulink® simulation
DO-178C, EN 50128, ISO-26262 TCL3
Highly tunable thanks to visible intermediate representation
“Plug-and-play” transformations using Eclipse tools or XML manipulation
Optimized code generation
Generation of additional artifacts: Makefiles, docs, metrics, …
Integrating with UML/SysML/AADL or in house DSLs
6. Product development history 1/2
France- and EU-funded collaborative R&D project
From October 2011 to October 2015
10M Euros total budget
19 Partners
Leader: Continental Automotive France
8. How does QGen work? 1/2
[Diagram] Simulink® model -> importer -> QGen intermediate representation (EMF metamodel) -> SPARK & MISRA C code generator / model verifier
9. How does QGen work? 2/2
Integrated in Matlab® (ideal for everyday use)
From command line (does not require Matlab®, ideal for regression testing)
qgenc MyModel.mdl [code-generation-options]
10. QGen and DO-178
DO-330 (Tool Qualification Document)
Precise identification of certification credit for code generator qualification
Identification of credit w.r.t. qualification strategy (TQL1 vs TQL5)
11. Using QGen - Verification
[Diagram] Simulink® model -> importer -> QGen intermediate representation -> model verifier -> Verification Formalism -> Advanced Verification Engine* -> Verification results (+ traceability data, round-trip back to the model)
*already qualified as part of a DO-178 Verification Tool / TQL5
12. Using QGen - finding bugs
No defensive modeling against division by zero
14. Using QGen - verifying functional properties
Brake OR Clutch \ Cruise Control | ON    | OFF
TRUE                             | ERROR | OK
FALSE                            | OK    | OK
The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal
15. Using QGen - verifying functional properties
Formalization of safety property
System implementation
The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal
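One way to formalize the safety property from this slide as a SPARK 2014 postcondition. This is an added example and not code from the QGen slides or from QGen's generator; the package name Cruise_Control, the record Pedals and the function Step are assumptions made here. The postcondition encodes the table on the slide: the ERROR cell (pedal pressed, output ON) is forbidden, the three OK cells are left unconstrained.

```ada
--  Added example, not part of the QGen slides: the cruise-control safety
--  property written as a SPARK postcondition. Names are assumptions.
package Cruise_Control with SPARK_Mode is

   type Pedals is record
      Brake  : Boolean;
      Clutch : Boolean;
   end record;

   --  One control step: returns the next ON (True) / OFF (False) state.
   --  Post: whenever Brake OR Clutch is TRUE the result must not be ON.
   --  This is exactly the ERROR cell of the slide's table.
   function Step
     (Currently_On : Boolean;
      Pedal        : Pedals;
      Set_Request  : Boolean) return Boolean
   with
     Post => (if Pedal.Brake or Pedal.Clutch then not Step'Result);

end Cruise_Control;

package body Cruise_Control with SPARK_Mode is

   function Step
     (Currently_On : Boolean;
      Pedal        : Pedals;
      Set_Request  : Boolean) return Boolean
   is
   begin
      --  A pedal press always wins. Removing this branch (the "no defensive
      --  modeling" mistake) is what a model verifier would report as a
      --  counterexample against the Post above.
      if Pedal.Brake or Pedal.Clutch then
         return False;
      elsif Set_Request then
         return True;
      else
         return Currently_On;
      end if;
   end Step;

end Cruise_Control;
```

Split the two units with gnatchop and run gnatprove on the project: the postcondition is discharged for the body as written, and a body that lets Set_Request override the pedal state gets a failed proof with a counterexample instead of a test that happens to miss the case.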
17. Using QGen - mixing proof & test
Integration of legacy code via S-Function blocks
How to prove the complete system (model + legacy code) is safe?
How to extract model-relevant properties from legacy code?
S-Functions written in C
Difficult to automatically extract information
Source code may not be available
Rely on design-by-contract
Wrap C code in automatically generated Ada stubs
Decorate Ada stubs using pre/post conditions
Rely on pre/post conditions for model verification
Test C code against pre/post conditions
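The four steps above, and the division-by-zero point from the "finding bugs" slide, in one added example that is not from the QGen slides: a legacy C S-Function reached through an Ada 2012 wrapper that carries the pre/post conditions, plus a test driver that exercises the C code against that contract. The C symbol legacy_scale, its assumed signature int legacy_scale(int, int), the wrapper names Scale_C and Scale, and the value ranges in the contract are all assumptions of this example.

```ada
--  Added example, not from the QGen slides: Ada 2012 stub around a legacy
--  C S-Function, decorated with Pre/Post. Assumed C side (not shown here):
--     int legacy_scale(int value, int divisor) { return value / divisor; }
with Interfaces.C;

package Legacy_Scale_Wrapper is

   subtype C_Int is Interfaces.C.int;

   --  Raw binding to the C function. The model verifier knows nothing
   --  about its body, and the source may not even be available.
   function Scale_C (Value, Divisor : C_Int) return C_Int
     with Import, Convention => C, External_Name => "legacy_scale";

   --  Generated-style stub with the contract. Model verification relies on
   --  Pre/Post only; the Pre also makes the division-by-zero case explicit
   --  instead of leaving it to "defensive modeling" upstream.
   function Scale (Value, Divisor : C_Int) return C_Int
     with Pre  => Divisor /= 0 and then Value in -1_000 .. 1_000,
          Post => Scale'Result in -1_000 .. 1_000;

end Legacy_Scale_Wrapper;

package body Legacy_Scale_Wrapper is

   function Scale (Value, Divisor : C_Int) return C_Int is
   begin
      return Scale_C (Value, Divisor);
   end Scale;

end Legacy_Scale_Wrapper;

--  Test driver: build with assertions enabled (gnatmake -gnata) so that a
--  C result outside the Post raises Ada.Assertions.Assertion_Error.
with Ada.Text_IO;
with Ada.Assertions;
with Legacy_Scale_Wrapper; use Legacy_Scale_Wrapper;

procedure Test_Legacy_Scale is
   --  Constructed sample inputs covering both range boundaries.
   Inputs : constant array (Positive range <>) of C_Int := (1_000, -1_000, 7);
begin
   for V of Inputs loop
      for D in C_Int range 1 .. 3 loop   -- divisor 0 is excluded by Pre
         Ada.Text_IO.Put_Line (C_Int'Image (Scale (V, D)));
      end loop;
   end loop;
exception
   when Ada.Assertions.Assertion_Error =>
      Ada.Text_IO.Put_Line ("legacy C code violated its contract");
end Test_Legacy_Scale;
```

The split of responsibilities is the point of the slide: the prover only ever sees the contract on Scale, so it can close the proof of the surrounding model, while the test driver is what actually checks that legacy_scale keeps its side of that contract on representative inputs.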
18. Using QGen - mixing proof & test
S-Function written in C
20. Using QGen - mixing proof & test
Availability of static analysis:
S-Function kind                                          | Static analysis available
C S-Function                                             | Incomplete model static analysis
C S-Function with Ada 2012 wrapper (design by contract)  | Static analysis for model; test for S-Function
Ada S-Function                                           | Static analysis on both model and source code
Static analysis holds for both C and Ada code generation!
22. Using QGen - Code Generation
Standard code generation
One file for every atomic subsystem
Variables are global (in .adb/.c files)
Full inlining, to increase performance
A single file for the entire system
All function calls are inlined
Less memory consumption, less memory copy, more optimization
Wrapping to reuse code with different I/O
Corresponds to Simulink “generate reusable code”
Pass persistent state and I/O as formal parameters
Allows reusing the same code for multiple I/O data
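The "standard" and "wrapping" shapes from this slide, sketched by hand for one small first-order filter (y := y + (u - y) / 4). This is an added example written for this page, not QGen output; the package names Filter_Standard and Filter_Reusable, the record State and the Step procedures are assumptions, and the filter itself is a constructed stand-in for an atomic subsystem.

```ada
--  Added example, not QGen output: the two generation shapes from the slide.

--  Standard generation: persistent state lives in a global variable in the
--  package body, so this code can serve exactly one instance of the subsystem.
package Filter_Standard is
   procedure Step (U : Integer);
   function Y return Integer;
end Filter_Standard;

package body Filter_Standard is
   State_Y : Integer := 0;   -- global state, as in "variables are global"

   procedure Step (U : Integer) is
   begin
      State_Y := State_Y + (U - State_Y) / 4;
   end Step;

   function Y return Integer is (State_Y);
end Filter_Standard;

--  Wrapping (Simulink "generate reusable code"): persistent state and I/O are
--  formal parameters, so one code body serves any number of data sets.
package Filter_Reusable is
   type State is record
      Y : Integer := 0;
   end record;
   procedure Step (S : in out State; U : in Integer; Y : out Integer);
end Filter_Reusable;

package body Filter_Reusable is
   procedure Step (S : in out State; U : in Integer; Y : out Integer) is
   begin
      S.Y := S.Y + (U - S.Y) / 4;
      Y := S.Y;
   end Step;
end Filter_Reusable;

with Ada.Text_IO; use Ada.Text_IO;
with Filter_Standard;
with Filter_Reusable;

procedure Demo_Generation_Styles is
   Left, Right : Filter_Reusable.State;   -- two instances, one body
   Yl, Yr      : Integer;
begin
   for I in 1 .. 3 loop
      Filter_Standard.Step (100);              -- the only instance possible
      Filter_Reusable.Step (Left, 100, Yl);    -- same code, two states
      Filter_Reusable.Step (Right, -100, Yr);
      Put_Line ("std=" & Integer'Image (Filter_Standard.Y)
                & " left=" & Integer'Image (Yl)
                & " right=" & Integer'Image (Yr));
   end loop;
end Demo_Generation_Styles;
```

Split the units with gnatchop before building. The "full inlining" mode from the slide is the same computation with the Step bodies substituted into a single unit; the reusable shape is the one to pick when the same subsystem appears several times in a model, because the state is no longer a global that every copy would have to share.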
24. QGen - an open and extensible framework
[Diagram] Traditional code generators: Simulink model -> black box -> source code
[Diagram] QGen: Simulink model -> access to intermediate representations -> source code; the intermediate representations also feed Makefile generation, processor customization, modeling standard checking, additional verification, integration with UML and extraction of traceability data
25. Customizing QGen: use case 1
A new processor is adopted, which provides intrinsic optimized functions
Ex.: saturated sum
How to reuse existing models?
While benefitting from new processor functionalities?
Relying on S-Functions requires changing them
And potentially re-execute some verification activities!
We rather change the code generator!
26. Customizing QGen: use case 1
Exploit processor-specific instructions
…
-- inlined code for saturated sum
-- (result replaces the slide's "out", which is a reserved word in Ada)
tmp := a + b;
if tmp > Int16'Last then
   result := Int16'Last;
elsif tmp < Int16'First then
   result := Int16'First;
else
   result := tmp;
end if;
…
…
-- use processor-specific lib
result := zaddwss (a, b);
…
28. Customizing QGen: use case 2
Communication between control engineers and software architects
Simulink models hide information relevant for software architecture
Execution rates, data flow constraints, …
How can this information be communicated to a software architect?
Extraction of architectural concerns from Simulink model
Extract AADL model out of Simulink
Can be used to produce allocation models
Can be used to execute real-time analysis
29. Customizing QGen: use case 2
[Diagram] Intermediate representation 1 (ECore-compliant XMI) -> Acceleo / ATL transformation -> AADL model
>> qgen myModel.mdl --steps pe
Extraction of real-time architectural constraints by generating an AADL model
30. QGen: roadmap
2013 - 2014: evaluation by project P partners
End of 2014: first selected customer pre-release
February 2015: QGen 1.0 available
Spring 2015: Stateflow® support
Q4 2015: full qualification material
In the pipeline: static stack analysis, AUTOSAR, …
31. QGEN is the open, tunable and qualifiable
model verifier and code generator
for Simulink® and Stateflow®
pre-release for selected customers: Q4 2014
version 1.0: February 2015