1
© 2013 The MathWorks, Inc.
Use of Formal Methods on code and on models
Patrick Munier, Co-founder of PolySpace Technologies, Polyspace Development Manager, [email protected]
Forum Méthodes Formelles, June 28th 2013, Toulouse
2
Formal Methods at MathWorks
Provide tools for Model and Code verification
– For “pure” Model (does it really exist?)
– For “pure” hand-code
– For mixed generated and hand-code
Provide tools for early and late verification
– Used by Design Engineers (1)
– Used by Developers (2)
– Used by Quality Engineers (3)
Cover from Bug Finding to Proving absence of bugs
3
Complementarity between Model and Code Verification
Figure: the model layer (Control Algorithm, Fault Detection, Supervisory Logic), built in MATLAB, Simulink and Stateflow: need for Model Verification
4
Complementarity between Model and Code Verification
Figure: the ECU software stack: Integrated Code in C combining the generated code of the Model (Control Algorithm, Fault Detection, Supervisory Logic), Hand-code (S-Function), Utility code (I/O Driver, Lookup Table, etc.), the Interface, and the RTOS, Fault Logging and Service Tool components: need for Code Verification
5
MathWorks V&V Technologies
Figure: from the sources (MATLAB, Simulink and Stateflow models; C, C++, … hand-code), an internal representation or C/C++ code generation feeds the analysis engines: Model/Coding Rules Checking, Symbolic Execution, Compilation Technics, SAT Solver and Abstract Interpretation Engine, used for Bugs Finding, Proving absence of runtime errors and Proving properties
6
MathWorks V&V Technologies
Figure: the capabilities (Model/Coding Rules Checking, Bugs Finding, Proving absence of runtime errors, Proving properties) and the products providing them. Model V&V tools: Simulink Design Verifier, for MATLAB, Simulink and Stateflow. Code V&V tools: Polyspace, for C, C++, …
7
Model Verification: Simulink Design Verifier
Simulink and Stateflow models, atomic subsystems, and subcharts
Model harness with test cases
Models or subsystems augmented with design properties
Detailed report and violations
Property proving
Model with highlighted violations
8
Code Verification: Polyspace
“Verify as early as possible” (Target System)
Use of Formal Methods:
– Verify compliance to standards (e.g., MISRA, JSF++)
– Find bugs
– Prove absence of runtime errors
– Verify properties
9
Challenges of Formal Method based tools?
Easy to use (automatic, non-intrusive)
– Tools are easy to launch by Design Engineers, Developers and Quality Engineers
– Take into account all dialects, compilers, flavors of Visual Studio, VxWorks, …
– Results are easy to understand
– Results are relevant (False Positives / False Negatives)
– Review of results is easy and powerful
High quality
– Validation of Formal-Method-based tools is challenging
– There are needs for certification
10
Code Verification: Easy understanding of results
Figure: results screenshot (checks marked Proven)
11
Easy Launching and Review. Example: Eclipse plugin*
Launch Polyspace from Eclipse
Review results in Eclipse
* Also integrated in Simulink, and available as a separate GUI
12
Easy and powerful review of results
List of Files
List of checks
Check’s detail
Review/Justify means
Source code
Data Dictionary
Call Tree
13
Generated Code: Link results back to Simulink Models
14
Relevance of results – More about Precision
Intervals, Congruences, Polyhedra, Aliases, Trace partitioning, Multi-linear
15
Maths, even good maths, are not enough …
Provide information about environment
– Range of Data (e.g., Calibration data in asap2 format)
– Automatic stubs of unknown functions
– Multi-tasking information (i.e., Critical sections)
Fix/comment/justify the orange
– And generate customizable reports
Follow a predefined Software Quality Objective (“SQO”)
Figure: Powertrain Diesel example
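As an added illustration (not the speaker's or Polyspace's own code) of why "good maths are not enough" and how supplying data ranges turns unproven orange checks into proven green ones, here is a toy interval-domain analysis of a constructed C fragment. The check names OVFL, ZDV and OOB, the input names raw and gain, and the lookup-table size are assumptions made for the example.

```python
# Toy interval-domain abstract interpreter in the spirit of Polyspace's run-time checks.
# Added example for this page, not Polyspace's own code; the analysed C fragment is constructed.
from dataclasses import dataclass

def trunc_div(a: int, b: int) -> int:
    """C integer division: truncate toward zero (Python's // floors)."""
    q = abs(a) // abs(b)
    return -q if (a < 0) != (b < 0) else q

@dataclass(frozen=True)
class Interval:
    lo: int
    hi: int
    def __mul__(self, o: "Interval") -> "Interval":
        c = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        return Interval(min(c), max(c))
    def __truediv__(self, o: "Interval") -> "Interval":
        if o.lo <= 0 <= o.hi:      # divisor may be zero: stay sound, widen to Top
            return INT32
        c = [trunc_div(a, b) for a in (self.lo, self.hi) for b in (o.lo, o.hi)]
        return Interval(min(c), max(c))

INT32 = Interval(-2**31, 2**31 - 1)   # Top for a 32-bit int
INT16 = Interval(-2**15, 2**15 - 1)

def colour(value: Interval, allowed: Interval) -> str:
    """Polyspace-style verdict for 'value must lie within allowed': green = proven for
    every concrete value, red = fails for every value, orange = unproven (may fail)."""
    if allowed.lo <= value.lo and value.hi <= allowed.hi:
        return "green"
    if value.hi < allowed.lo or value.lo > allowed.hi:
        return "red"
    return "orange"

def analyze(raw: Interval, gain: Interval, lut_size: int = 4096) -> dict:
    """Abstractly execute this constructed C fragment and colour each check:
        int32_t out = raw * gain;   // OVFL: product must fit in int32
        int32_t q   = raw / gain;   // ZDV:  gain must not be zero
        y = lut[q];                 // OOB:  0 <= q < lut_size
    """
    zdv = "red" if gain == Interval(0, 0) else ("orange" if gain.lo <= 0 <= gain.hi else "green")
    return {"OVFL": colour(raw * gain, INT32),
            "ZDV": zdv,
            "OOB": colour(raw / gain, Interval(0, lut_size - 1))}

# No environment information: inputs may take any value of their type -> three oranges.
NO_RANGE = analyze(raw=INT32, gain=INT16)
# Calibration ranges supplied (slide 15, "Range of Data"): the same code is proven safe.
WITH_RANGE = analyze(raw=Interval(0, 4095), gain=Interval(1, 100))
```

The oranges left without ranges are exactly what the slide says must then be fixed, commented or justified by hand; a constant zero divisor would instead give a red ZDV.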
16
Polyspace Validation
+38 000 tests (all languages mixed)
– C language: +30 million LOC
Hundreds of customers’ code
– “Pathological” codes, unfavorable to Polyspace
Polyspace on Polyspace code (MathWorks)
Figure: measure of oranges and measure of analysis time
Certification kit for ISO 26262
Qualification kit for DO178B/C
17
Conclusion
Formal Methods are used successfully in MathWorks products
They are used for Model and Code verification
MathWorks picked up the challenge of making them easy to use and robust
18
Thank you