www.mathworks.com
www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

Revision History
September 2013
March 2014
October 2014
March 2015
September 2015
Contents

1 Introduction
  1.1 Overview
2 Integration of Polyspace Code Prover into the Software Life Cycle
  2.1 Workflow Overview
  2.2 Tool Use Cases
    [PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect systematic and potential run-time errors
    [PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect unreachable code
    [PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code
    [PCP_UC4] Semantic analysis of global variable usage in the C/C++ code
    [PCP_UC5] Reporting of software quality metrics
    [PCP_UC6] Semantic analysis of C/C++ code to assess interface between components
  Applicable ISO 26262, IEC 61508, and EN 50128 Requirements
  Error Prevention and Detection Measures
    [M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software
    [M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software
    [M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or Analysis
    [M3] Selective Review and Analysis of Source Code Portions not Reached by Testing
    [M4] Check of the underlying verification and analysis results for critical issues
    [M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Verified; Use of Checksums
    [M_MISC2] Competency of the Project Team
    [M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation
    [M_MISC4] Analysis of Available Bug Report Information
3 Additional Considerations
  3.1 Options Impacting Analysis or Verification
  3.2 Configuration Management and Revision Control
  3.3 Competency of the Project Team
  3.4 Installation Integrity and Release Compatibility
  3.5 Bug Reporting
  3.6 Deviation from the Reference Workflow
  3.7 Integration with the Software Safety Life Cycle
4 Workflow Overview
5 Conformance Demonstration Template
6 References
1 Introduction
1.1 Overview
Polyspace Code Prover detects and proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in embedded software written in the C and C++ programming languages.
Polyspace Code Prover uses formal methods-based abstract interpretation to formally prove run-time attributes of software. Polyspace Code Prover uses color-coding to indicate the run-time status of each line of code. Additionally, Polyspace Code Prover calculates and provides ranges for variables and operator parameters at any point of the program, taking into account every possible configuration (inputs, global variables).
Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as well as to define, determine, and report software quality metrics.
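Added example, not code from the IEC Certification Kit or from Polyspace: a constructed C routine exhibiting the three run-time error classes named above (out-of-bounds array access, overflow, divide-by-zero) beside a variant whose input checks make their absence provable for every possible input value. The gain table and function names are invented for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed gain table (not from the kit): the largest entry makes the product
   below exceed the int32_t range for large samples, so the overflow is real. */
static const int32_t gain_table[8] = { 1, 2, 4, 8, 1 << 12, 1 << 16, 1 << 18, 1 << 20 };

/* "Before": nothing constrains idx or divisor at the interface, so an analysis
   that considers every possible input value finds three potential run-time
   errors here. Calling it with such inputs is undefined behaviour in C. */
int32_t scale_unchecked(int16_t sample, uint8_t idx, int16_t divisor)
{
    int32_t gain = gain_table[idx];       /* idx >= 8: out-of-bounds array read  */
    int32_t v = (int32_t)sample * gain;   /* |sample| * 2^20 exceeds INT32_MAX   */
    return v / divisor;                   /* divisor == 0: divide-by-zero        */
}

/* "After": each input is checked before use and the product is formed in
   64 bits, so every operation is safe for all inputs; rejected inputs are
   reported through the return value instead of being silently used. */
bool scale_checked(int16_t sample, uint8_t idx, int16_t divisor, int32_t *out)
{
    if (idx >= 8u || divisor == 0) {
        return false;                     /* never index or divide with bad input */
    }
    int64_t v = (int64_t)sample * gain_table[idx];  /* |v| <= 2^15 * 2^20 = 2^35 */
    v /= divisor;                         /* INT64_MIN / -1 cannot occur here    */
    if (v > INT32_MAX || v < INT32_MIN) {
        return false;                     /* result would not fit the output type */
    }
    *out = (int32_t)v;
    return true;
}

/* Convenience wrapper: the scaled value, or fallback when the input is rejected. */
int32_t scale_or(int16_t sample, uint8_t idx, int16_t divisor, int32_t fallback)
{
    int32_t out = 0;
    return scale_checked(sample, idx, divisor, &out) ? out : fallback;
}

int main(void)
{
    printf("in range : %d\n", scale_or(100, 3, 5, -1));      /* 160: 100 * 8 / 5 */
    printf("bad index: %d\n", scale_or(100, 8, 5, -1));      /* -1: idx out of range */
    printf("overflow : %d\n", scale_or(32767, 7, 1, -1));    /* -1: 2^35 > INT32_MAX */
    return 0;
}
```

The unchecked variant is the shape that yields orange (potential) findings when every input value is considered; the checked variant is the shape that a sound analysis can mark green on every operation.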
This document provides a reference workflow for Polyspace Code Prover. In particular, it describes how to leverage the code verification, unreachable code analysis, call tree computation, global variable usage analysis, and quality metrics reporting capabilities of Polyspace Code Prover in the software life cycle.
This workflow addresses handwritten, automatically generated, and mixed code. It is applicable for developing code as well as for auditing code received from others.
Note: If you are verifying only generated C or C++ code, see the Embedded Coder reference workflow provided in IEC Certification Kit: Embedded Coder Reference Workflow before using this document. Polyspace Code Prover products provide added assurance to the reference workflow for models and generated code.
The reference workflow presented in this document describes activities intended to comply with applicable requirements of the overall software safety lifecycles defined by IEC 61508-3 [1], ISO 26262 [2], and EN 50128 [3] respectively, as they relate to verification and analysis of handwritten, generated, or mixed source code. The workflow addresses risk levels ASIL A - ASIL D according to ISO 26262, SIL 1 - SIL 3 according to IEC 61508, and SIL 0 - SIL 4 according to EN 50128.
Chapter 2, Integration of Polyspace Code Prover into the Software Life Cycle, provides a reference workflow for the Polyspace Code Prover tool. It describes reference use cases and measures to prevent or detect potential tool errors.
Chapter 6, References, lists the standards and guidelines referenced in this document.
Disclaimer
While adhering to the recommendations in this document will reduce the risk that an error is introduced in development and not detected, it is not a guarantee that the system being developed will be safe. Conversely, if some of the recommendations in this document are not followed, it does not mean that the system being developed will be unsafe.
2 Integration of Polyspace Code Prover into the Software Life Cycle
2.1 Workflow Overview
Polyspace Code Prover provides the following capabilities:
- Code verification
- Unreachable code analysis
- Call tree computation
- Global variable usage analysis
- Software quality metrics reporting
During the development of embedded application software, C or C++ code can be used to implement the required functionality. The source code can be the result of manual implementation (see upper part of Figure 1) or automatic code generation (see lower part of Figure 1) or a combination of both. Handwritten source code and source code created using code generation can be combined to create the application software for an embedded system.
Solid arrows in the figure indicate the succession of software development activities.
The model used for production code generation can contain handwritten source code, for example C code contained in user S-functions. This mixed-code use case is indicated by the dashed arrow in the figure.
Figure 2: Integration of source code analysis and verification into the software life cycle
Note: For generated code, this workflow can also be used to provide added assurance to the one described in IEC Certification Kit: Embedded Coder Reference Workflow.
[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code
- Number and location(s) of read and write access(es) to global variables, directly or through pointer access
- Type value ranges for individual access operations
- Shared variables and associated concurrent access protection
The variable access information can, for example, be reviewed to analyze the data flow.
This analysis can be applied to handwritten as well as generated source code.
Applicable ISO 26262, IEC 61508, and EN 50128 Requirements
- Polyspace Code Prover code verification: use cases [PCP_UC1], [PCP_UC6]
- Polyspace Code Prover unreachable code analysis: use cases [PCP_UC2], [PCP_UC6]
- Polyspace Code Prover call tree computation: use case [PCP_UC3]
- Polyspace Code Prover global variable usage analysis: use case [PCP_UC4]
- Polyspace Code Prover code metrics and Polyspace Bug Finder code metrics: use case [PCP_UC5]
Error Prevention and Detection Measures
[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software
Dynamically verify (test) the executable code corresponding to the C or C++ source code.
[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software
Dynamically verify (test) the executable code corresponding to the C or C++ source code without specifically aiming at detecting run-time errors.
Note: [M1_lim] is a variation of [M1] where the test process is not optimized to detect run-time errors. For example, a test process can specifically target run-time errors by injecting random samples of software inputs that stress the software, without checking the functional results. The likelihood of detecting systematic or potential run-time errors by testing might be low when using [M1_lim]. For details see section Tool Classification Summary in IEC Certification Kit: Polyspace Code Prover ISO 26262 Tool Qualification Package.
[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or Analysis
Analyze the identified issues using a defined procedure for corrective action. The procedure for corrective action includes manual analysis and review of the issues uncovered.
[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing
Review and analyze the portions of the C or C++ source code that were not reached by testing.
Note: [M3] is intended to be used in conjunction with [M1] or [M1_lim] respectively. For details, see section Tool Classification Summary in IEC Certification Kit: Polyspace Code Prover ISO 26262 Tool Qualification Package.
3 Additional Considerations
When implementing this reference workflow, consider the following topics:
3.3 Competency of the Project Team
- Those carrying out coding and verification activities shall be competent for the activities undertaken.
- Coding and verification activities should be conducted by independent roles. The applicable safety standard may provide additional guidance on the required degree of independence.
3.5 Bug Reporting
You can use the bug reports section of the MathWorks web site
Code Prover.
Note: You can use the IEC Certification Kit Model Advisor check Display bug reports for Polyspace Code Prover to display bug report information for this product.
4 Workflow Overview
The workflow table lists each activity with its objective, prerequisites, and work products.

Activity: Code verification
Work products:
- Raw code verification results with potential and systematic run-time errors (.pscp files and dependent files)
- Reviewed and commented code verification results (.pscp files and dependent files)
- Verified C or C++ source code

Activity: Call tree computation
Work products:
- Call tree: <projectname>_Call_Tree file (.html, .pdf, .rtf, .docx, or .xml)
- Reviewed call tree: <projectname>_Call_Tree file (.html, .pdf, .rtf, .docx, or .xml)
- Analyzed C or C++ source code

Activity: Global variable usage analysis
Work products:
- Dictionary containing information about global variables: <projectname>_Variable_View file (.html, .pdf, .rtf, .docx, or .xml)
- Reviewed dictionary: <projectname>_Variable_View file (.html, .pdf, .rtf, .docx, or .xml)
- Analyzed C or C++ source code

Activity: Software quality metrics reporting
Work products:
- Software quality level for the application
- Software quality objectives for each module
- Software quality metrics results displayed in Web Dashboard or exported via Polyspace GUI (.html, .pdf, .rtf, .docx, or .xml file)
5 Conformance Demonstration Template
To justify that the requirements outlined in this document have been satisfied, you must provide evidence for the activities that have been carried out.
The IEC Certification Kit product provides an editable Conformance Demonstration Template that can be used to demonstrate conformance with the parts of ISO 26262-6, IEC 61508-3, or EN 50128 covered in this document.
To access the conformance demonstration template, on the MATLAB command line, type certkitiec to open the Artifacts Explorer. The template is in Polyspace Code Prover.
For each technique or measure:
- In the third column, state to what degree you applied the technique or measure for the application under consideration by using one of the phrases Used, Used to a limited degree, or Not used.
- In the fourth column, state how you used the technique or measure in the application under consideration. If the reference workflow includes alternative means for compliance, indicate what variant you used. In addition, enter a reference to the document (for example, test report or review documentation) that satisfies the requirement.
6 References
[1] IEC 61508-3:2010. International Standard IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems - Part 3: Software requirements. Second edition, 2010.
[2] ISO 26262-6:2011. Road vehicles - Functional safety - Part 6: Product development: software level. International Standard, 2011.
[3] EN 50128:2011. Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems. European Standard, 2011.
[4] The MathWorks. Software Quality Objectives for Source Code. Version 3.0, 2012.