
GNAT Pro User Day: QGen: Simulink® static verification and code generation

Uploaded by: adacore

DESCRIPTION

A presentation given on GNAT Pro User Day about QGen: Simulink® static verification and code generation.


1. QGen: Simulink static verification and code generation
   Presented by Matteo [email protected]

2. What is QGen?
   • A qualifiable and customizable code generator from Simulink and Stateflow to SPARK and MISRA C
   • A formal model verifier for runtime errors and functional properties
   • An extendable framework to integrate heterogeneous models

3. Main features 1/2
   • Support for a large subset of Simulink
     • Around 120 blocks, optional checks for MISRA Simulink
     • Stateflow support expected in Spring 2015
   • Code generation for SPARK and MISRA C
     • Readable and traceable code, no performance penalty
   • Ships with a static model verifier
     • Run-time errors (divisions by zero, overflows, ...)
     • Logical errors (dead execution paths)
     • Functional properties (Simulink assertion blocks)

4. Main features 2/2
   • Off-the-shelf qualification material
     • Including validation against Simulink simulation
     • DO-178C, EN 50128, ISO-26262 TCL3
   • Highly tunable thanks to a visible intermediate representation
     • Plug-and-play transformations using Eclipse tools or XML manipulation
   • Optimized code generation
   • Generation of additional artifacts: Makefiles, docs, metrics, ...
   • Integration with UML/SysML/AADL or in-house DSLs

5. Product development history 1/2
   • France- and EU-funded collaborative R&D project
   • From October 2011 to October 2015
   • 10M Euros total budget
   • 19 partners
   • Leader: Continental Automotive France

6. Product development history 2/2
   (diagram only)

7. How does QGen work? 1/2
   • Simulink model → importer → QGen intermediate representation (EMF metamodel) → SPARK & MISRA C code generator / model verifier

8. How does QGen work? 2/2
   • Integrated in Matlab (ideal for everyday use)
   • From the command line (does not require Matlab, ideal for regression testing):
     qgenc MyModel.mdl [code-generation-options]

9. QGen and DO-178
   • DO-330 (Tool Qualification Document)
   • Precise identification of certification credit for code generator qualification
   • Identification of credit w.r.t. qualification strategy (TQL1 vs TQL5)
10. Using QGen - Verification
   • Simulink model → importer → QGen intermediate representation → model verifier → verification formalism → verification engine* → verification results
   • Results are round-tripped to the model ("Advanced" mode adds traceability data)
   • * already qualified as part of a DO-178 Verification Tool / TQL5

11. Using QGen - finding bugs
   • Example model: no defensive modeling against division by zero (figure only)

12. Using QGen - verifying functional properties
   • "The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal"
   • Property table (Brake OR Clutch vs. Cruise Control state):

                                 Cruise Control ON    Cruise Control OFF
     Brake OR Clutch = TRUE      ERROR                OK
     Brake OR Clutch = FALSE     OK                   OK

13. Using QGen - verifying functional properties
   • Formalization of the safety property
   • System implementation
   • "The Cruise Control shall never be ON after the driver pushed the Brake or clutch pedal"

14. Using QGen - mixing proof & test
   • Integration of legacy code via S-Function blocks
     • How to prove the complete system (model + legacy code) is safe?
     • How to extract model-relevant properties from legacy code?
   • S-Functions written in C
     • Difficult to automatically extract information
     • Source code may not be available
   • Rely on design-by-contract
     • Wrap C code in automatically generated Ada stubs
     • Decorate Ada stubs using pre/post conditions
     • Rely on pre/post conditions for model verification
     • Test C code against pre/post conditions

15. Using QGen - mixing proof & test
   • S-Function written in C (figure only)

16. Using QGen - mixing proof & test
   • Availability of static analysis:

     C S-Function                                Incomplete model static analysis
     C S-Function with Ada 2012 wrapper          Static analysis for the model,
     (design by contract)                        test for the S-Function
     Ada S-Function                              Static analysis on both model and source code

   • Static analysis holds for both C and Ada code generation!
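The cruise-control property of slides 12 and 13, as an added example that is not a QGen model or QGen's verifier: a minimal step function in two variants (one safe, one faulty), the slide's ON/OFF table as a check, and a monitor that replays a constructed pedal/button trace. All names (`cc_step_safe`, `cc_step_naive`, `cc_first_violation`, and the trace itself) are assumptions of this example.

```c
/* Added example, not QGen's verifier nor a QGen model: a minimal cruise
 * control step, the slide's property table as a check, and a monitor that
 * replays a constructed pedal/button trace through an implementation. */
#include <stdbool.h>
#include <stddef.h>

typedef struct { bool set_pressed, brake, clutch; } cc_input_t;
typedef bool (*cc_step_fn)(bool cc_on, cc_input_t in);

/* Correct implementation: a pushed brake or clutch pedal always wins over "set". */
bool cc_step_safe(bool cc_on, cc_input_t in)
{
    return (in.brake || in.clutch) ? false : (cc_on || in.set_pressed);
}

/* Faulty implementation: ignores the pedals, so ON persists after braking. */
bool cc_step_naive(bool cc_on, cc_input_t in)
{
    return cc_on || in.set_pressed;
}

/* The slide's table: the only ERROR cell is ON while Brake OR Clutch is TRUE. */
bool cc_property_ok(bool cc_on, bool brake_or_clutch)
{
    return !(cc_on && brake_or_clutch);
}

/* Replay a trace through one implementation; return the index of the first
 * step that violates the property, or -1 if it holds throughout. */
int cc_first_violation(cc_step_fn step, const cc_input_t *trace, size_t n)
{
    bool cc_on = false;
    for (size_t i = 0; i < n; i++) {
        cc_on = step(cc_on, trace[i]);
        if (!cc_property_ok(cc_on, trace[i].brake || trace[i].clutch)) return (int)i;
    }
    return -1;
}

/* Constructed trace: press set, cruise, push brake, release (2 for naive, -1 for safe). */
int cc_check_demo_trace(cc_step_fn step)
{
    const cc_input_t trace[] = {
        { true, false, false }, { false, false, false },
        { false, true, false }, { false, false, false },
    };
    return cc_first_violation(step, trace, sizeof trace / sizeof trace[0]);
}
```

The monitor only checks the one trace it is given; the model verifier on the slide proves the same property for every possible input sequence.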
17. Using QGen - Code Generation
   (figure only)

18. Using QGen - Code Generation
   • Standard code generation
     • One file for every atomic subsystem
     • Variables are global (in .adb/.c files)
   • Full inlining, to increase performance
     • A single file for the entire system
     • All function calls are inlined
     • Less memory consumption, less memory copying, more optimization
   • Wrapping to reuse code with different I/O
     • Corresponds to Simulink "generate reusable code"
     • Pass persistent state and I/O as formal parameters
     • Allows reusing the same code for multiple I/O data

19. QGen - an open and extensible framework
   • Traditional code generators: Simulink model → black box → source code
   • QGen: Simulink model → access to intermediate representations → source code
   • What the intermediate representations enable: Makefile generation, processor customization, modeling standard checking, additional verification, integration with UML, extraction of traceability data

20. Customizing QGen: use case 1
   • A new processor is adopted, which provides intrinsic optimized functions
     • Ex.: saturated sum
   • How to reuse existing models while benefitting from the new processor functionalities?
   • Relying on S-Functions requires changing them, and potentially re-executing some verification activities!
   • We rather change the code generator!

21. Customizing QGen: use case 1
   • Exploit processor-specific instructions:

```ada
-- inlined code for saturated sum
declare
   tmp : constant Int32 := Int32 (a) + Int32 (b);
begin
   if tmp > Int16Last then
      result := Int16Last;
   elsif tmp < Int16First then
      result := Int16First;
   else
      result := Int16 (tmp);
   end if;
end;
-- use processor-specific lib
result := zaddwss (a, b);
```

22. Customizing QGen: use case 1
   • Intermediate representation 1 → 2 → 3 → 4 → 5 → 6 → source code
   • The intermediate representations are ECore-compliant XMI; the customization is a Python script (150 SLOC)

```
>> qgenc myModel.mdl steps psgdxe
>> python custom_saturate.py myModel_x.xmi
>> qgenc myModel_x.xmi language ada
```
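The design-by-contract approach of slides 14 and 16 applied to the saturated sum of slide 21, as an added example that is neither QGen output nor one of its generated Ada stubs: the saturation pattern as a legacy C S-Function body, the post-condition an Ada 2012 wrapper would carry, and the test half that checks the C against it. Function names (`sat_add16`, `sat_add16_post`, `sat_add16_contract_holds`) and the probe values are assumptions of this example.

```c
/* Added example, not QGen output and not one of its Ada stubs: the slide's
 * saturated 16-bit sum as a legacy C S-Function body, the post-condition an
 * Ada 2012 wrapper would carry, and a test that checks the C against it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* The inlined pattern from the slide in MISRA-style C: widen to 32 bits so the
 * addition itself can never overflow, then clamp to the 16-bit bounds. */
int16_t sat_add16(int16_t a, int16_t b)
{
    int32_t tmp = (int32_t)a + (int32_t)b;
    if (tmp > INT16_MAX) {
        return INT16_MAX;
    } else if (tmp < INT16_MIN) {
        return INT16_MIN;
    }
    return (int16_t)tmp;
}

/* Post-condition the model verifier relies on instead of the C body: the
 * result is the exact sum when it fits and the nearest bound otherwise.
 * A processor intrinsic replacing the body must satisfy the same contract. */
bool sat_add16_post(int16_t a, int16_t b, int16_t result)
{
    int32_t exact = (int32_t)a + (int32_t)b;
    if (exact > INT16_MAX) return result == INT16_MAX;
    if (exact < INT16_MIN) return result == INT16_MIN;
    return result == exact;
}

/* Test side of "mixing proof and test": drive the C body through the corners
 * of its input domain and report whether the post-condition held every time. */
bool sat_add16_contract_holds(void)
{
    const int16_t probes[] = { INT16_MIN, -1, 0, 1, 12345, INT16_MAX };
    const size_t n = sizeof probes / sizeof probes[0];
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            int16_t r = sat_add16(probes[i], probes[j]);
            if (!sat_add16_post(probes[i], probes[j], r)) return false;
        }
    }
    return true;
}
```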
23. Customizing QGen: use case 2
   • Communication between control engineers and software architects
     • Simulink models hide information relevant for software architecture: execution rates, data flow constraints, ...
     • How can this information be communicated to a software architect?
   • Extraction of architectural concerns from the Simulink model
     • Extract an AADL model out of Simulink
     • Can be used to produce allocation models
     • Can be used to execute real-time analysis

24. Customizing QGen: use case 2
   • Intermediate representation 1 (ECore-compliant XMI) → Acceleo / ATL transformation → AADL model
   • Extraction of real-time architectural constraints by generating an AADL model

```
>> qgen myModel.mdl steps pe
```

25. QGen: roadmap
   • 2013 - 2014: evaluation by project P partners
   • End of 2014: first selected customer pre-release
   • February 2015: QGen 1.0 available
   • Spring 2015: Stateflow support
   • Q4 2015: full qualification material
   • In the pipeline: static stack analysis, AUTOSAR, ...

26. QGen is the open, tunable and qualifiable model verifier and code generator for Simulink and Stateflow
   • Pre-release for selected customers: Q4 2014
   • Version 1.0: February 2015

27. QGen: Simulink static verification and code generation
   Presented by Matteo [email protected]