GNAT Pro User Day: QGen: Simulink® static verification and code generation
Download as PPTX, PDF0 likes5,955 views
Qgen is a qualifiable and customizable code generator for Simulink and Stateflow that enables the generation of Spark and MISRA C code, providing formal verification of runtime errors and functional properties. It supports a wide subset of Simulink blocks, includes a static model verifier, and offers off-the-shelf qualification materials for various safety standards. Developed through a collaborative R&D project, Qgen integrates seamlessly with MATLAB and enables advanced code generation and verification capabilities.
![How does QGen work? 2/2
Integrated in Matlab® (ideal for everyday use)
From command line (does not require Matlab®, ideal for regression testing)
qgenc MyModel.mdl [code-generation-options]](https://image.slidesharecdn.com/qgen-140930130126-phpapp02/85/GNAT-Pro-User-Day-QGen-Simulink-static-verification-and-code-generation-9-320.jpg)
GNAT Pro User Day: QGen: Simulink® static verification and code generation
- 2. QGen: Simulink® static verification and code generation Presented by Matteo Bordin bordin@adacore.com
- 3. What is QGen? A qualifiable and customizable code generator from Simulink® and Stateflow® to SPARK and MISRA C A formal model verifier for runtime errors and functional properties An extendable framework to integrate heterogeneous models
- 4. Main features 1/2 Support for a large subset of Simulink® Around 120 blocks, optional checks for MISRA Simulink® Stateflow® support expected in Spring 2015 Code generation for SPARK and MISRA C Readable and traceable code, no performance penalty Ships with static model verifier Run-time errors (divisions by zero, overflows, …) Logical errors (dead execution paths) Functional properties (Simulink® assertions blocks)
- 5. Main features 2/2 Off-the-shelf qualification material Including validation against Simulink® simulation DO-178C, EN 50128, ISO-26262 TCL3 Highly tunable thanks to visible intermediate representation “Plug-and-play” transformations using Eclipse tools or XML manipulation Optimized code generation Generation of additional artifacts: Makefiles, docs, metrics, … Integrating with UML/SysML/AADL or in house DSLs
- 6. Product development history 1/2 France and EU -funded collaborative R&D project From October 2011 to October 2015 10M Euros total budget 19 Partners Leader: Continental Automotive France
- 7. Product development history 2/2
- 8. How does QGen work? 1/2 Simulink® model importer QGen intermediate representation (EMF metamodel) SPARK & MISRA C code generator model verifier
- 9. How does QGen work? 2/2 Integrated in Matlab® (ideal for everyday use) From command line (does not require Matlab®, ideal for regression testing) qgenc MyModel.mdl [code-generation-options]
- 10. QGen and DO-178 DO-330 (Tool Qualification Document) Precise identification of certification credit for code generator qualification Identification of credit w.r.t qualification strategy (TQL1 vs TQL5)
- 11. Using QGen - Verification Simulink® model QGen intermediate representation Verification Formalism importer model verifier Verification results round-trip Advanced + traceability data *already qualified as part of a DO-178 Verification Tool / TQL5 Verification Engine*
- 12. Using QGen - finding bugs No defensive modeling against division by zero
- 14. Using QGen - verifying functional properties ON OFF TRUE ERROR OK FALSE OK OK Brake OR Clutch Cruise Control The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal
- 15. Using QGen - verifying functional properties Formalization of safety property System implementation The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal
- 17. Using QGen - mixing proof & test Integration of legacy code via S-Function blocks How to prove the complete system (model + legacy code) is safe? How to extract model-relevant properties from legacy code? S-Functions written in C Difficult to automatically extract information Source code may not be available Rely on design-by-contact Wrap C code in automatically generated Ada stubs Decorate Ada stubs using pre/post conditions Rely on pre/post conditions for model verification Test C code against pre/post conditions
- 18. Using QGen - mixing proof & test S-Function written in C
- 20. Using QGen - mixing proof & test Availability of Static Analysis C S-Function Incomplete Model Static Analys C S-Function with Ada 2012 wrapper (design by contract) Static Analysis for Model Test for S-Function Ada S-Function Static Analysis on both Model and Source code Static Analysis holds for both C and Ada code generation!
- 21. Using QGen - Code Generation
- 22. Using QGen - Code Generation Standard code generation One file for every atomic subsystem Variables are global (in .adb/.c files) Full inlining, to increase performances A single file for the entire system All function calls are inlined Less memory consumption, less memory copy, more optimization Wrapping to reuse code with different I/O Corresponds to Simulink “generate reusable code” Pass persistent state and I/O as formal parameters Allows reusing the same code for multiple I/O data
- 24. QGen - an open and extensible framework Simulink Model Black Box Source Code Source Code Traditional Code Generators Simulink Model Access to intermediate representations Makefile generation Processor customization Modeling standard checking Additional verification Integration with UML Extract traceability data
- 25. Customizing QGen: use case 1 A new processor is adopted, which provides intrinsic optimized functions Ex.: saturated sum How to reuse existing models? While benefitting from new processor functionalities? Relying on S-Functions requires changing them And potentially re-execute some verification activities! We rather change the code generator!
- 26. Customizing QGen: use case 1 Exploit process-specific instructions … -- inlined code for saturated sum Int32 tmp := a + b; if tmp > Int16’Last then out := Int16’Last; elsif tmp < Int16’First then out := Int16’First; else out := tmp; end if; … … -- use processor-specific lib out := zaddwss (a, b); …
- 27. Customizing QGen: use case 1 Intermediate representation 1 Intermediate representation 2 Intermediate representation 3 Intermediate representation 4 Intermediate representation 5 Intermediate representation 6 Source Code >> qgenc myModel.mdl —steps psgdxe >> python custom_saturate.py myModel_x.xmi >> qgenc myModel_x.xmi —language ada ECore-compliant XMI Python Script (150 SLOC)
- 28. Customizing QGen: use case 2 Communication between control engineers and software architects Simulink models hide information relevant for software architecture Execution rates, data flow constraints, … How can this information be communicated to a software architect? Extraction of architectural concerns from Simulink model Extract AADL model out of Simulink Can be used to produce allocation models Can be used to execute real-time analysis
- 29. Customizing QGen: use case 2 Intermediate representation 1 ECore-compliant XMI Acceleo / ATL transformation >> qgen myModel.mdl —steps pe Extraction of real-time architectural constraints by generating an AADL model
- 30. QGen: roadmap 2013 - 2014 End of 2014 February 2015 Spring 2015 Q4 2015 evaluation by project P partners first selected customer pre-release QGen 1.0 available Stateflow® support full qualification material In the pipeline: static stack analysis, AUTOSAR, …
- 31. QGEN is the open, tunable and qualifiable model verifier and code generator for Simulink® and Stateflow® pre-release for selected customers: Q4 2014 version 1.0: February 2015
- 32. QGen: Simulink® static verification and code generation Presented by Matteo Bordin bordin@adacore.com