SlideShare a Scribd company logo

Tech Days 2015: Model Based Development with QGen

Download as PPTX, PDF
AdaCore, profile picture
AdaCore

Model-Based Development with QGen discusses model-based development using QGen. QGen is a code generator that takes Simulink and Stateflow models as input and generates code in SPARK or MISRA C. It aims to reduce the "us vs them" relationship between system and software engineers by allowing system engineers to develop models that can be directly compiled into code. QGen provides benefits such as decreased verification costs through its qualification evidence and integration with verification, compilation and testing tools. It allows models to be verified by construction through its safe Simulink subset.

Software
1 of 67
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
Tech Days 2015: Model Based Development with QGen
Model-Based Development with QGen S. Tucker Taft November 2015
What is QGen? and Why?
System Engineers vs. Software Engineers “Who needs programmers? Why do we have to depend on them to implement our design?” “Uh boy, not another attempt at Programming with Pictures…”
Who is in charge, and do we really need programmers? System Architects and Engineers develop the original design In a traditional environment, there is a “hand off” to the software engineers - Detailed software design not directly linked to high level design - Design and even architecture may evolve as software development issues arise - Net effect => can become an us vs. them situation
• Hardware and software engineers develop components to satisfy the requirements. • Test engineers develop the test environment to verify the requirements. Model Based System Engineering System engineers analyze, simulate and validate the system design, and allocate requirements to components. Using standard-conforming modeling tools Using a standard- conforming model execution tools System engineers create the models Execution artifacts could include: System behavior, timing and statistics Models can include both hardware and software components. Using standard-based model interchange Courtesy of Ed Seidewitz
So How does Model-Based Approach Help reduce the us vs. them?Model-based approach, there need not be a “hand off” - High-level design (produced by system engineers) is represented in a modeling language that supports automated code generation. - Software engineers are still important: they now focus on providing new or enhanced parameterized building blocks, code-generation capabilities, and infrastructure. Parameterized, annotated, high-performance building blocks in a software development “stack” can become key to commonality and productivity.
Shift to a Model-Based Approach by a customer was a Wakeup call for us Major aerospace customer shifted engineers almost completely to model-based engineering - Simulink, SCADE, etc. with automated code generation Remaining number of users for “conventional” 3rd-generation compiler with IDE: - Five seats -- their tools group Some of our traditional users were disappearing … Needed to broaden our focus and develop a deeper software development “stack”
What exactly is a Software Development Stack? Modeling Tools Drawing, Analysis, Simulation, Autocoding (QGen) Coding Tools Compiling, Analysis, Scheduling, Debugging Architecture Tools Definition, Analysis, Documentation Verification Tools Testing, Analysis, Coverage, Proof Hardware
What is QGen? A qualifiable and customizable code generator from Simulink® and Stateflow® to SPARK and MISRA C A formal model verifier for runtime errors and functional properties An open and extensible framework to integrate heterogeneous models
QGen Main Features Support for a large subset of Simulink® - Around 120 blocks, optional checks for MISRA Guidelines for Simulink® - Stateflow® also supported, since early 2015
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) - Readable and traceable code, no performance penalty
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks - Integration with GNAT Pro compiler for qualified, end-to-end tool chain - Integration with GNATemulator and GNATcoverage for structural coverage analysis (up to MC/DC) without code instrumentation executing embedded object code
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable subset of Ada 2012) Integrated with compilation and testing frameworks Includes a static model verifier - Focus on safety-critical systems - Finds Run-time errors (divisions by zero, overflows, …) - Finds Logical errors (dead execution paths) - Verifies Functional/safety properties (Simulink® assertions blocks)
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Stateflow Safe subset built in: MISRA AC SLSF (guidelines)
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Plus relaxing some rules - For example: limits on hierarchical decomposition
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Plus additional constraints(to further clarify semantics) - Rationale fully clarified in the user guide
QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Tool qualification material - Including validation against Simulink® simulation - DO-178C, EN 50128, ISO-26262 TCL3
QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs
QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code
QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with custom libraries, or other modeling languages such as UML, SysML, …
QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with UML, SysML, … Integrated with verification, compilation and testing tools Decrease tool integration costs
QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with UML, SysML, … Integrated with verification, compilation and testing tools Decrease tool integration costs More practical to use Does not require Matlab after model is exported 10x faster code generation, with no performance penalties on the generated code
QGen Development History France- and EU-funded collaborative R&D project From October 2011 to October 2015 10M Euros total budget 19 Partners Leader: Continental Automotive France
QGen Development History Industrial Users Avionics Automotive Space Tech Providers Academia
Using QGen
From command line (does not require Matlab® IDE, ideal for regression testing) qgenc MyModel.mdl [code-generation-options] Using QGen Integrated in Matlab® IDE (ideal for everyday use)
Using QGen Code Generation
Standard code generation - One file for every atomic subsystem - Variables are global (in .adb/.c files) Full inlining, to increase performances - A single file for the entire system - All function calls are inlined - Less memory consumption, less memory copy, more optimization Wrapping to reuse code with different I/O context - Corresponds to Simulink “generate reusable code” - Pass persistent state and I/O data as formal parameters - Allows reusing the same code for multiple I/O contexts Using QGen Code Generation
QGen Demos
Video: QGen for Simulink
Tech Days 2015: Model Based Development with QGen
QGen: Support for Stateflow
Overall Stateflow code generation /* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2
Overall Stateflow code generation /* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2
/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2 Overall Stateflow code generation
1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
The Big Picture: code generation and testing AdaCore is in the unique position of providing a fully qualifiable end-to-end model compilation chain
The Big Picture: code generation and testing MISRA C or SPARK Embedded Object Code GNATemulator* for PowerPC, ARM, … (Virtual) Processor In the Loop Testing * Already qualified in a DO-178 level A context, both in the US (FAA) and EU (EASA) GNATcoverage* Structural Coverage Analysis (up to MC/DC) without source code instrumentation
Using QGen: Finding Bugs No defensive modeling against division by zero
Video: QGen Tool Integration: Finding Bugs
Tech Days 2015: Model Based Development with QGen
Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF ON OFF TRUE ERROR OK FALSE OK OK Cruise Control Brake OR Clutch
Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF
Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF Formalization of safety property
Using Qgen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF Formalization of safety property System implementation
Video: QGen Tool Integration: Verifying Functional Properties
Tech Days 2015: Model Based Development with QGen
QGen: Current Evaluation State
QGen: Current Evaluation State Continually Tested against industrial-grade models Avionics Automotive Space We currently have customer in: • The Automotive market (major Tier 1 in Japan) • The Aerospace and Defense market (major US player in this market)
QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation - Units with less than 100 blocks takes less than 1s - Model with 7k blocks: more than 20k SLOC generated in 35s - With additional optimization: 60s
QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy - Reusable code for Simulink libraries - Flexible parameter handling (struct, flat, globals, …) - No performance penalty (from both a timing and memory perspective
QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code
QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code Tight tool integration – A major advantage - Code generator - Compiler - Unit testing platform - Structural coverage without instrumentation - Formal verification
QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code Tight tool integration – A major advantage DO-178-like Tool Qualification – A major differentiating factor - Provides Full specification of tool behavior - Incldes Review and verification of tool source code (including structural coverage) - Brings a focus on safety to Simulink
QGen Debugger
Model-Level Debugging • Model-Level Breakpoints • Stop on event • Stop on signal transition • Model-Level Data Display • Trace of Signal over Time • Sequence of Events • Model-Level Stepping • Step one Time increment • Step one Block Computation/Update • Correlate Model Blocks with: • Generated Code • Assembly Code
QGen Debugger Demo
Tech Days 2015: Model Based Development with QGen
Support for Model-Level Debugging • Will support Simulink 2008b and later • Will support displaying and debugging all blocks supported by QGen code generator • Will initially support displaying and debugging Simulink blocks • On Road Map: Stateflow, Truthtables, Lookuptables • No Limitation on depth of subsystem nesting – can drill down as needed • Pricing: Not finalized • Availability: Simulink only: Q3 2016; Simulink + Stateflow: Q1 2017
History and Roadmap 2013-2014 Evaluation by Project P* partners Late 2014 Available for selected customers Feb 2015 QGen commercial availability Spring 2015 Stateflow® support 2016 QGen TQL1 Planning Documents QGen Debugger for Simulink 2017 QGen Debugger for Stateflow and Simulink 2018 QGen TQL1 qualification completed
QGen is the open, tunable and qualifiable model verifier and code generator for Simulink® and Stateflow®

More Related Content

PDF
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
jamieayre
 
PPT
Who Moved My Test Manager
atsc
 
PDF
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
TelecomValley
 
PDF
Soirée du Test Logiciel - SQA monitoring et gestion du risque en organisation...
TelecomValley
 
PDF
Nishant_Automation Engineer-CV
Nishant Shah
 
DOC
CV_AUTOMATION_TEST_ENGINEER
PERLA RAVI THEJA
 
PDF
Siddharth more resume_obj_c
Siddharth More
 
PDF
Neotys PAC 2018 - Bruno Da Silva
Neotys_Partner
 
AdaCore Paris Tech Day 2016: Jose Ruiz - QGen Tech Update
jamieayre
 
Who Moved My Test Manager
atsc
 
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
TelecomValley
 
Soirée du Test Logiciel - SQA monitoring et gestion du risque en organisation...
TelecomValley
 
Nishant_Automation Engineer-CV
Nishant Shah
 
CV_AUTOMATION_TEST_ENGINEER
PERLA RAVI THEJA
 
Siddharth more resume_obj_c
Siddharth More
 
Neotys PAC 2018 - Bruno Da Silva
Neotys_Partner
 

What's hot (20)

DOC
Naveen_Reddy_Resume
reddhun
 
PDF
Mechatronics engineer
Samuel Narcisse
 
DOCX
Nishar resume
MD NISHAR
 
PDF
DevOps at TestausOSY 20june2017
Jouni Jätyri
 
PDF
Declarative Performance Testing Automation - Automating Performance Testing f...
Vincenzo Ferme
 
PPT
Rhapsody Eclipse
Bill Duncan
 
PDF
How to Deliver Winning Mobile Apps
TechWell
 
PDF
Neotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys_Partner
 
PPT
Rhapsody Systems Software
Bill Duncan
 
PDF
RFT Tutorial 4 How Do We Record A Script Using Rational Functional Tester - RFT
Yogindernath Gupta
 
PPTX
Slicing Models of Real-time Embedded Systems (MDOELS2018)
Reza Ahmadi, PhD
 
PDF
Personalized Defect Prediction
Sung Kim
 
PDF
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
Sergio Marchese
 
DOCX
Nishar_Resume
MD NISHAR
 
PDF
RFT - Ashish Mathur
Roopa Nadkarni
 
PPTX
PSA Presentation on Rail Projects
John Hertrich
 
PPTX
GDG Cloud meetup november 2019 - kubeflow pipelines
Sven Degroote
 
PPTX
Automation Tools Overview
Murageppa-QA
 
PPTX
The Pursuit of Perfection - Methods, techniques, and tools to achieve robust ...
QA Systems
 
PPT
Alm qc 11_training
jayant25
 
Naveen_Reddy_Resume
reddhun
 
Mechatronics engineer
Samuel Narcisse
 
Nishar resume
MD NISHAR
 
DevOps at TestausOSY 20june2017
Jouni Jätyri
 
Declarative Performance Testing Automation - Automating Performance Testing f...
Vincenzo Ferme
 
Rhapsody Eclipse
Bill Duncan
 
How to Deliver Winning Mobile Apps
TechWell
 
Neotys PAC 2018 - Ramya Ramalinga Moorthy
Neotys_Partner
 
Rhapsody Systems Software
Bill Duncan
 
RFT Tutorial 4 How Do We Record A Script Using Rational Functional Tester - RFT
Yogindernath Gupta
 
Slicing Models of Real-time Embedded Systems (MDOELS2018)
Reza Ahmadi, PhD
 
Personalized Defect Prediction
Sung Kim
 
Automated Formal Verification of SystemC/C++ High-Level Synthesis Models
Sergio Marchese
 
Nishar_Resume
MD NISHAR
 
RFT - Ashish Mathur
Roopa Nadkarni
 
PSA Presentation on Rail Projects
John Hertrich
 
GDG Cloud meetup november 2019 - kubeflow pipelines
Sven Degroote
 
Automation Tools Overview
Murageppa-QA
 
The Pursuit of Perfection - Methods, techniques, and tools to achieve robust ...
QA Systems
 
Alm qc 11_training
jayant25
 
Ad

Viewers also liked (6)

PPTX
Models of inclusive education
Priyanka Chaurasia
 
PPTX
E governance
Goa App
 
PPT
Inclusive Practices
alicanc
 
PDF
Strategic Planning Models
Jo Balucanag - Bitonio
 
PPT
Ppt's of e governance
Shelly
 
PPTX
Presentation on inclusive education
DFC2011
 
Models of inclusive education
Priyanka Chaurasia
 
E governance
Goa App
 
Inclusive Practices
alicanc
 
Strategic Planning Models
Jo Balucanag - Bitonio
 
Ppt's of e governance
Shelly
 
Presentation on inclusive education
DFC2011
 
Ad

Similar to Tech Days 2015: Model Based Development with QGen (20)

PPTX
GNAT Pro User Day: QGen: Simulink® static verification and code generation
AdaCore
 
PPTX
QGen GNAT Industrial User Day
matteobordinadacore
 
PPTX
Tech Days 2015: AdaCore Directions
AdaCore
 
PPTX
Project P Open Workshop
matteobordinadacore
 
PPT
Embedded system
mangal das
 
PPT
Embedded 100912065920-phpapp02
Atv Reddy
 
PDF
F1270089476650
Anil Kumar
 
PPT
Embedded
Aravindharamanan S
 
PPTX
Develop High-bandwidth/low latency electronic systems for AI/ML application
Deepak Shankar
 
PDF
Simulink Stateflow workshop
MATLABISRAEL
 
PPT
Modelling simulation (1)
Cathryn Kuteesa
 
PPTX
Bertrand Meyer - Challenges in computing research at SIT Insights in Technolo...
Schaffhausen Institute of Technology
 
PDF
Modelling Systems Practical Tools and Techniques in Software Development 2nd ...
trnfoep1208
 
PDF
Innovations In Softwaredefined Networking And Network Functions Virtualizatio...
becitbabri
 
PPTX
Bertrand Meyer - Challenges in computing research at SIT Insights in Technolo...
Schaffhausen Institute of Technology
 
PPTX
Closing the Design Cycle Loop with Executable Requirements and OSLC - IBM Int...
Modelon
 
PDF
Project P erts2012
AdaCore
 
PPT
Software.ppt
Dr. Rajyalakshmi G
 
PPT
Software engineering
Fahe Em
 
PPT
Software engineering
Fahe Em
 
GNAT Pro User Day: QGen: Simulink® static verification and code generation
AdaCore
 
QGen GNAT Industrial User Day
matteobordinadacore
 
Tech Days 2015: AdaCore Directions
AdaCore
 
Project P Open Workshop
matteobordinadacore
 
Embedded system
mangal das
 
Embedded 100912065920-phpapp02
Atv Reddy
 
F1270089476650
Anil Kumar
 
Embedded
Aravindharamanan S
 
Develop High-bandwidth/low latency electronic systems for AI/ML application
Deepak Shankar
 
Simulink Stateflow workshop
MATLABISRAEL
 
Modelling simulation (1)
Cathryn Kuteesa
 
Bertrand Meyer - Challenges in computing research at SIT Insights in Technolo...
Schaffhausen Institute of Technology
 
Modelling Systems Practical Tools and Techniques in Software Development 2nd ...
trnfoep1208
 
Innovations In Softwaredefined Networking And Network Functions Virtualizatio...
becitbabri
 
Bertrand Meyer - Challenges in computing research at SIT Insights in Technolo...
Schaffhausen Institute of Technology
 
Closing the Design Cycle Loop with Executable Requirements and OSLC - IBM Int...
Modelon
 
Project P erts2012
AdaCore
 
Software.ppt
Dr. Rajyalakshmi G
 
Software engineering
Fahe Em
 
Software engineering
Fahe Em
 

More from AdaCore (20)

PDF
RCA OCORA: Safe Computing Platform using open standards
AdaCore
 
PDF
Have we a Human Ecosystem?
AdaCore
 
PDF
Rust and the coming age of high integrity languages
AdaCore
 
PDF
SPARKNaCl: A verified, fast cryptographic library
AdaCore
 
PDF
Developing Future High Integrity Processing Solutions
AdaCore
 
PDF
Taming event-driven software via formal verification
AdaCore
 
PDF
Pushing the Boundary of Mostly Automatic Program Proof
AdaCore
 
PDF
RCA OCORA: Safe Computing Platform using open standards
AdaCore
 
PDF
Product Lines and Ecosystems: from customization to configuration
AdaCore
 
PDF
Securing the Future of Safety and Security of Embedded Software
AdaCore
 
PDF
Spark / Ada for Safe and Secure Firmware Development
AdaCore
 
PDF
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
AdaCore
 
PDF
The Future of Aerospace – More Software Please!
AdaCore
 
PDF
Adaptive AUTOSAR - The New AUTOSAR Architecture
AdaCore
 
PDF
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
AdaCore
 
PDF
Software Engineering for Robotics - The RoboStar Technology
AdaCore
 
PDF
MISRA C in an ISO 26262 context
AdaCore
 
PPTX
Application of theorem proving for safety-critical vehicle software
AdaCore
 
PDF
The Application of Formal Methods to Railway Signalling Software
AdaCore
 
PDF
Bounded Model Checking for C Programs in an Enterprise Environment
AdaCore
 
RCA OCORA: Safe Computing Platform using open standards
AdaCore
 
Have we a Human Ecosystem?
AdaCore
 
Rust and the coming age of high integrity languages
AdaCore
 
SPARKNaCl: A verified, fast cryptographic library
AdaCore
 
Developing Future High Integrity Processing Solutions
AdaCore
 
Taming event-driven software via formal verification
AdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
AdaCore
 
RCA OCORA: Safe Computing Platform using open standards
AdaCore
 
Product Lines and Ecosystems: from customization to configuration
AdaCore
 
Securing the Future of Safety and Security of Embedded Software
AdaCore
 
Spark / Ada for Safe and Secure Firmware Development
AdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
AdaCore
 
The Future of Aerospace – More Software Please!
AdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
AdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
AdaCore
 
MISRA C in an ISO 26262 context
AdaCore
 
Application of theorem proving for safety-critical vehicle software
AdaCore
 
The Application of Formal Methods to Railway Signalling Software
AdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
AdaCore
 

Recently uploaded (20)

PDF
lesson-2-rules-of-netiquette.pdf.bshhsjdj
jasmenrojas249
 
PDF
49784907924775488180_LRN2959_Data_Pump_23ai.pdf
Abilash868456
 
PPTX
Visualising Data with Scatterplots in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PDF
What to consider before purchasing Microsoft 365 Business Premium_PDF.pdf
Q-Advise
 
PDF
QAware_Mario-Leander_Reimer_Architecting and Building a K8s-based AI Platform...
QAware GmbH
 
PDF
Community & News Update Q2 Meet Up 2025
VictoriaMetrics
 
PPTX
PFAS Reporting Requirements 2026 Are You Submission Ready Certivo.pptx
Certivo Inc
 
PDF
Build Multi-agent using Agent Development Kit
FadyIbrahim23
 
PDF
Protecting the Digital World Cyber Securit
dnthakkar16
 
PPTX
Why Use Open Source Reporting Tools for Business Intelligence.pptx
Varsha Nayak
 
PPTX
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
PPTX
ConcordeApp: Engineering Global Impact & Unlocking Billions in Event ROI with AI
chastechaste14
 
PDF
On Software Engineers' Productivity - Beyond Misleading Metrics
Romén Rodríguez-Gil
 
PDF
Jenkins: An open-source automation server powering CI/CD Automation
SaikatBasu37
 
PDF
Exploring AI Agents in Process Industries
amoreira6
 
PPTX
TestNG for Java Testing and Automation testing
ssuser0213cb
 
PPTX
The-Dawn-of-AI-Reshaping-Our-World.pptxx
parthbhanushali307
 
PPTX
Presentation of Computer CLASS 2 .pptx
darshilchaudhary558
 
PPT
Activate_Methodology_Summary presentatio
annapureddyn
 
PPTX
Explanation about Structures in C language.pptx
Veeral Rathod
 
lesson-2-rules-of-netiquette.pdf.bshhsjdj
jasmenrojas249
 
49784907924775488180_LRN2959_Data_Pump_23ai.pdf
Abilash868456
 
Visualising Data with Scatterplots in IBM SPSS Statistics.pptx
Version 1 Analytics
 
What to consider before purchasing Microsoft 365 Business Premium_PDF.pdf
Q-Advise
 
QAware_Mario-Leander_Reimer_Architecting and Building a K8s-based AI Platform...
QAware GmbH
 
Community & News Update Q2 Meet Up 2025
VictoriaMetrics
 
PFAS Reporting Requirements 2026 Are You Submission Ready Certivo.pptx
Certivo Inc
 
Build Multi-agent using Agent Development Kit
FadyIbrahim23
 
Protecting the Digital World Cyber Securit
dnthakkar16
 
Why Use Open Source Reporting Tools for Business Intelligence.pptx
Varsha Nayak
 
Odoo Integration Services by Candidroot Solutions
CandidRoot Solutions Private Limited
 
ConcordeApp: Engineering Global Impact & Unlocking Billions in Event ROI with AI
chastechaste14
 
On Software Engineers' Productivity - Beyond Misleading Metrics
Romén Rodríguez-Gil
 
Jenkins: An open-source automation server powering CI/CD Automation
SaikatBasu37
 
Exploring AI Agents in Process Industries
amoreira6
 
TestNG for Java Testing and Automation testing
ssuser0213cb
 
The-Dawn-of-AI-Reshaping-Our-World.pptxx
parthbhanushali307
 
Presentation of Computer CLASS 2 .pptx
darshilchaudhary558
 
Activate_Methodology_Summary presentatio
annapureddyn
 
Explanation about Structures in C language.pptx
Veeral Rathod
 

Tech Days 2015: Model Based Development with QGen

  • 2. Model-Based Development with QGen S. Tucker Taft November 2015
  • 3. What is QGen? and Why?
  • 4. System Engineers vs. Software Engineers “Who needs programmers? Why do we have to depend on them to implement our design?” “Uh boy, not another attempt at Programming with Pictures…”
  • 5. Who is in charge, and do we really need programmers? System Architects and Engineers develop the original design In a traditional environment, there is a “hand off” to the software engineers - Detailed software design not directly linked to high level design - Design and even architecture may evolve as software development issues arise - Net effect => can become an us vs. them situation
  • 6. • Hardware and software engineers develop components to satisfy the requirements. • Test engineers develop the test environment to verify the requirements. Model Based System Engineering System engineers analyze, simulate and validate the system design, and allocate requirements to components. Using standard-conforming modeling tools Using a standard- conforming model execution tools System engineers create the models Execution artifacts could include: System behavior, timing and statistics Models can include both hardware and software components. Using standard-based model interchange Courtesy of Ed Seidewitz
  • 7. So How does Model-Based Approach Help reduce the us vs. them?Model-based approach, there need not be a “hand off” - High-level design (produced by system engineers) is represented in a modeling language that supports automated code generation. - Software engineers are still important: they now focus on providing new or enhanced parameterized building blocks, code-generation capabilities, and infrastructure. Parameterized, annotated, high-performance building blocks in a software development “stack” can become key to commonality and productivity.
  • 8. Shift to a Model-Based Approach by a customer was a Wakeup call for us Major aerospace customer shifted engineers almost completely to model-based engineering - Simulink, SCADE, etc. with automated code generation Remaining number of users for “conventional” 3rd-generation compiler with IDE: - Five seats -- their tools group Some of our traditional users were disappearing … Needed to broaden our focus and develop a deeper software development “stack”
  • 9. What exactly is a Software Development Stack? Modeling Tools Drawing, Analysis, Simulation, Autocoding (QGen) Coding Tools Compiling, Analysis, Scheduling, Debugging Architecture Tools Definition, Analysis, Documentation Verification Tools Testing, Analysis, Coverage, Proof Hardware
  • 10. What is QGen? A qualifiable and customizable code generator from Simulink® and Stateflow® to SPARK and MISRA C A formal model verifier for runtime errors and functional properties An open and extensible framework to integrate heterogeneous models
  • 11. QGen Main Features Support for a large subset of Simulink® - Around 120 blocks, optional checks for MISRA Guidelines for Simulink® - Stateflow® also supported, since early 2015
  • 12. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) - Readable and traceable code, no performance penalty
  • 13. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks - Integration with GNAT Pro compiler for qualified, end-to-end tool chain - Integration with GNATemulator and GNATcoverage for structural coverage analysis (up to MC/DC) without code instrumentation executing embedded object code
  • 14. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable subset of Ada 2012) Integrated with compilation and testing frameworks Includes a static model verifier - Focus on safety-critical systems - Finds Run-time errors (divisions by zero, overflows, …) - Finds Logical errors (dead execution paths) - Verifies Functional/safety properties (Simulink® assertions blocks)
  • 15. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Stateflow Safe subset built in: MISRA AC SLSF (guidelines)
  • 16. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Plus relaxing some rules - For example: limits on hierarchical decomposition
  • 17. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Plus additional constraints(to further clarify semantics) - Rationale fully clarified in the user guide
  • 18. QGen Main Features Support for a large subset of Simulink® Code generation producing MISRA C and SPARK (formally provable language) Integrated with compilation and testing frameworks Includes a static model verifier With QGen, you do not need a separate Stateflow modeling standard Tool qualification material - Including validation against Simulink® simulation - DO-178C, EN 50128, ISO-26262 TCL3
  • 19. QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs
  • 20. QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code
  • 21. QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with custom libraries, or other modeling languages such as UML, SysML, …
  • 22. QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with UML, SysML, … Integrated with verification, compilation and testing tools Decrease tool integration costs
  • 23. QGen Competitive Advantages Safe Simulink subset: ensure that a model is verifiable by construction Decrease tool deployment costs and system verification costs Complete qualification evidence Decrease verification costs on generated code Easy to customize Decrease tool adaptation costs Can be used to integrate with UML, SysML, … Integrated with verification, compilation and testing tools Decrease tool integration costs More practical to use Does not require Matlab after model is exported 10x faster code generation, with no performance penalties on the generated code
  • 24. QGen Development History France- and EU-funded collaborative R&D project From October 2011 to October 2015 10M Euros total budget 19 Partners Leader: Continental Automotive France
  • 25. QGen Development History Industrial Users Avionics Automotive Space Tech Providers Academia
  • 27. From command line (does not require Matlab® IDE, ideal for regression testing) qgenc MyModel.mdl [code-generation-options] Using QGen Integrated in Matlab® IDE (ideal for everyday use)
  • 28. Using QGen Code Generation
  • 29. Standard code generation - One file for every atomic subsystem - Variables are global (in .adb/.c files) Full inlining, to increase performances - A single file for the entire system - All function calls are inlined - Less memory consumption, less memory copy, more optimization Wrapping to reuse code with different I/O context - Corresponds to Simulink “generate reusable code” - Pass persistent state and I/O data as formal parameters - Allows reusing the same code for multiple I/O contexts Using QGen Code Generation
  • 34. Overall Stateflow code generation /* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2
  • 35. Overall Stateflow code generation /* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2
  • 36. /* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */ 1 2 Overall Stateflow code generation
  • 37. 1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
  • 38. 1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
  • 39. 1 2 if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } } Overall Stateflow code generation
  • 40. 1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
  • 41. 1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
  • 42. 1 2 Overall Stateflow code generation if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ } } if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; } } else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ } }
  • 43. The Big Picture: code generation and testing AdaCore is in the unique position of providing a fully qualifiable end-to-end model compilation chain
  • 44. The Big Picture: code generation and testing MISRA C or SPARK Embedded Object Code GNATemulator* for PowerPC, ARM, … (Virtual) Processor In the Loop Testing * Already qualified in a DO-178 level A context, both in the US (FAA) and EU (EASA) GNATcoverage* Structural Coverage Analysis (up to MC/DC) without source code instrumentation
  • 45. Using QGen: Finding Bugs No defensive modeling against division by zero
  • 48. Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF ON OFF TRUE ERROR OK FALSE OK OK Cruise Control Brake OR Clutch
  • 49. Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF
  • 50. Using QGen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF Formalization of safety property
  • 51. Using Qgen: Verifying functional properties If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be OFF Formalization of safety property System implementation
  • 55. QGen: Current Evaluation State Continually Tested against industrial-grade models Avionics Automotive Space We currently have customer in: • The Automotive market (major Tier 1 in Japan) • The Aerospace and Defense market (major US player in this market)
  • 56. QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation - Units with less than 100 blocks takes less than 1s - Model with 7k blocks: more than 20k SLOC generated in 35s - With additional optimization: 60s
  • 57. QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy - Reusable code for Simulink libraries - Flexible parameter handling (struct, flat, globals, …) - No performance penalty (from both a timing and memory perspective
  • 58. QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code
  • 59. QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code Tight tool integration – A major advantage - Code generator - Compiler - Unit testing platform - Structural coverage without instrumentation - Formal verification
  • 60. QGen: Current Evaluation State Continually Tested against Industrial-Grade models Fast Code generation Practical code generation strategy Very readable and traceable code Tight tool integration – A major advantage DO-178-like Tool Qualification – A major differentiating factor - Provides Full specification of tool behavior - Incldes Review and verification of tool source code (including structural coverage) - Brings a focus on safety to Simulink
  • 62. Model-Level Debugging • Model-Level Breakpoints • Stop on event • Stop on signal transition • Model-Level Data Display • Trace of Signal over Time • Sequence of Events • Model-Level Stepping • Step one Time increment • Step one Block Computation/Update • Correlate Model Blocks with: • Generated Code • Assembly Code
  • 65. Support for Model-Level Debugging • Will support Simulink 2008b and later • Will support displaying and debugging all blocks supported by QGen code generator • Will initially support displaying and debugging Simulink blocks • On Road Map: Stateflow, Truthtables, Lookuptables • No Limitation on depth of subsystem nesting – can drill down as needed • Pricing: Not finalized • Availability: Simulink only: Q3 2016; Simulink + Stateflow: Q1 2017
  • 66. History and Roadmap 2013-2014 Evaluation by Project P* partners Late 2014 Available for selected customers Feb 2015 QGen commercial availability Spring 2015 Stateflow® support 2016 QGen TQL1 Planning Documents QGen Debugger for Simulink 2017 QGen Debugger for Stateflow and Simulink 2018 QGen TQL1 qualification completed
  • 67. QGen is the open, tunable and qualifiable model verifier and code generator for Simulink® and Stateflow®

Editor's Notes

  • #32: Let’s take a look at QGen’s ability to generate Ada code. We’ll try three different code generation strategies: the first is the most straightforward and generates one file for every atomic subsystem; the second inlines all code, allowing for more optimization by both QGen and the conventional cross-compiler; and the third strategy corresponds to Simulink’s “generate reusable code” mode, which requires wrapping the persistent state in a record type to reuse the same algorithm with different input data.
  • #33: The model we present here is a hierarchical model composed by both atomic and virtual subsystems. [00:17] We’ll now generate code using the most straightforward code generation strategy. To show the model, we use GPS, AdaCore’s IDE for Ada and C development. [00:34] As you can see, QGen generated one file for every atomic subsystem. If we look within the generated code, we see that it is not only very readable but contains precise traceability information in the form of comments. [01:02] Now let’s generate code in inlining mode. After reloading the project inside GPS, we see that QGen has generated just two files. If we look inside these files, we see that the code has been inlined preserving precise traceability information and locality of statements with respect to the subsystem hierarchy. [01:45] Finally, we’ll generate reusable code. So let’s reload the project inside GPS. We see that QGen has produced an additional file that contains the record types for the persistent state and Input/Output of the model. If we look at the generated code, we notice that it has the same structure, is equally traceable, but now uses these new types to access the model persistent state and its I/O.
  • #47: In this demo, we’re going to use QGen to look for bugs, and in particular division by zero. As you can see, the red-circled block is a division block whose input is not protected against potential divisions by zero. The model we see here represent the speedometer of a car.
  • #48: [00:10] The subsystem contains the speedometer algorithm, which relies on Simulink libraries. [00:15] So let’s look for bugs in the model. In order to do this, we’re going to firstly produce a verification model, then analyse it and then ‘round-trip’ the analysis results back to the model. We discover that there is a potential divsion by zero in this block (00:38). [00:43] To solve this issue, we’re going to add some defensive modeling in the Simulink model by checking whether the output of the yellow block is equal to zero. If this is the case, then we produce a constant value equal to 1 as output, so as to avoid the division by zero. [01:08] We then save the model, and re-run the verification. This time, no potential errors have been found.
  • #53: This time, we’ll be using QGen to formally prove properties that have been formalised as Simulink Assertion blocks. The Simulink model describes the behaviour of a cruise control system in a car and the safety property we want to prove, is the following: “If the driver hits the brake or clutch pedal, then the cruise control is deactivated”
  • #54: [00:10] This model represents the cruise control logic. The safety property has been formalised as a Simulink Assertion block whose input represents the truth table we just saw on the slide. [00:20] The subsystem, however contains the logic of the cruise control, that is the algorithm that regulates its activation and deactivation depending on the driver’s input. [00:32] So now, let’s formally verify the model. First of all we need to produce a verification model, then we’ll analyze it and finally roundtrip the verification results back to the model. [00:40] The result of this verification turns out to be an error in the Assertion block. In the next line, we have some more detailed information on why the Assertion block might fail, and in particular, we see that the block causing the error is the Switch block (00:52). Frankly there are no surprises here as the input of the switch block is an ‘AND’ operator between the Brake and the Clutch state. This means that our implementation requires the brake and clutch to be hit at the same time to deactivate the cruise control. (01:00) This contradicts with our safety property which required only one of them to be hit. [01:04] What we can do now is change the operator from AND to OR, save the model and re-execute the verification. In this case, no potential errors are found.
  • #65: 1. We show the generated_src directory containing nothing 2. We edit the project file to show that we say that we use the Simulink language, and where the generated code needs to be placed 3. Click on the .mdl file to open the graphical display of the Simulink model 4. We can click on subsystems to navigate through the model 5. There is a contextual menu to generate the code from the Simulink model 6. Once the code has been generated we can show that the generated_src directory contains the generated code 7. We can open the pid.adb file to show how the generated code looks like, and the traceability comments that QGen places there 8. We can build the application 9. We can open the debugging session 10. We can put the model and the source code side by side (and they will be kept synchronized automatically) 11. We can display the variable computed by the model (V) 12. We can use the contextual menu to set a breakpoint in a block (we see that corresponding breakpoints appear in the sources) 13. We can display variables from the generated code (Unit_Delay_Out1) 14. We can “continue" several times and see we reach the block where we set the breakpoint 15. Clicking on “next” we go to the next block that is executed 15. Clicking on “step” we enter the into the nested subsystems 16. Clicking on “finish” we leave the scope of the current subsystem and go into the one that contains the current 17. And at the end we can show the tooltips with the values of the different variables at execution time