Absence of feedback between embedded ... - MATLAB EXPO (transcript)
Page 1
© 2015 The MathWorks, Inc.
Freedom from interference between embedded SW components – Polyspace helps!
By Christian Guß
Page 2
Freedom from interference: what is that?
• Timing and execution: deadlocks, race conditions, sequence errors
• Memory: corruption of content, access out of bounds, invalid read/write access
• Exchange of information: interface violation, non-initialized data, null pointers, data size mismatch
When processes and modules work together on shared resources, interference issues can occur which are very hard to find…
Page 3
Typical Automotive Software Architecture (layer diagram, bottom to top):
• Hardware
• Microcontroller Abstraction Layer, Drivers
• Services Layer, ECU Abstraction Layer
• Basic Software: Services, Communication and Operating System, each with an Internal Interface and an External AUTOSAR Interface
• Runtime Environment
• Application 1 … Application N
Modules are marked Non Critical or Critical. Failure? Affects? …
Page 4
ISO 26262-6: Freedom from interference (Annex D)
Goal: Prevent or detect faults that can cause interference between software elements (e.g. different software partitions)
D2.2 Timing and execution
• deadlocks
• race conditions
D2.3 Memory
• corruption of content
• out-of-bound pointers and arrays, etc.
• read or write access to memory allocated to another software element
• exhaustive identification of unprotected shared variables
• documentation of read/write access to global variables
D2.4 Exchange of information
• corruption of information
• loss of information
Page 5
What you could do is…
Problem: testing, hardware protection, restrictions and functional protection can be very expensive to implement, not completely protective, and reduce performance.
• Robustness testing: fault injection, boundary tests
• Hardware protection: Memory Protection Unit, Error Correcting Code
• Functional protection: cyclic redundancy check, redundant storage, defensive code
• Restrictions: only static memory allocation, restricted access to memory
• Static analysis: data flow analysis, control flow analysis, formal analysis
(see ISO 26262-6 Annex D)
Page 6
Let's make an example…
Task 1: Write bad_glob (Part 1, Part 2)
Task 2: Read bad_glob (Part 1, Part 2)
Fix: Critical section! Problem: When is it needed? Overusing can degrade system performance!
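The Task 1 / Task 2 scenario, as an added example (not the deck's own code): bad_glob is modelled as a 32-bit value that a 16-bit core writes and reads in two parts, and a deterministic "scheduler" preempts the writer between Part 1 and Part 2. Without a critical section the reader observes a torn value that is neither the old nor the new one; with the critical section the read is deferred until the write is complete. The variable name bad_glob is from the slide; the split into two 16-bit halves and the preemption point are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* bad_glob (name from the slide) is assumed to be a 32-bit value that the
 * target accesses as two 16-bit halves: Part 1 = low half, Part 2 = high half. */
static volatile uint16_t bad_glob_lo;
static volatile uint16_t bad_glob_hi;

/* Task 1: writer, split into the two parts a 16-bit core would execute. */
static void task1_write_part1(uint32_t v) { bad_glob_lo = (uint16_t)(v & 0xFFFFu); }
static void task1_write_part2(uint32_t v) { bad_glob_hi = (uint16_t)(v >> 16); }

/* Task 2: reader, also split into two parts and recombined. */
static uint16_t task2_read_part1(void) { return bad_glob_lo; }
static uint16_t task2_read_part2(void) { return bad_glob_hi; }

static uint32_t task2_read(void)
{
    uint16_t lo = task2_read_part1();
    uint16_t hi = task2_read_part2();
    return ((uint32_t)hi << 16) | lo;
}

/* Simulated scheduler: Task 2 preempts Task 1 between its two write parts.
 * If Task 1 holds a critical section, the preemption is deferred until the
 * write is complete (modelling an OS that blocks the reader meanwhile).
 * Returns the value Task 2 observed. */
uint32_t simulate_preempted_write(uint32_t old_value, uint32_t new_value,
                                  bool use_critical_section)
{
    uint32_t observed;
    bad_glob_lo = (uint16_t)(old_value & 0xFFFFu);
    bad_glob_hi = (uint16_t)(old_value >> 16);

    task1_write_part1(new_value);
    if (!use_critical_section) {
        observed = task2_read();        /* preemption point: torn read possible */
        task1_write_part2(new_value);
    } else {
        task1_write_part2(new_value);   /* still inside the critical section */
        observed = task2_read();        /* reader runs only after the section ends */
    }
    return observed;
}

/* A read is consistent if it equals either the old or the new value. */
bool read_is_consistent(uint32_t observed, uint32_t old_value, uint32_t new_value)
{
    return observed == old_value || observed == new_value;
}

int main(void)
{
    /* Constructed values: old = 0x00010000, new = 0x0002FFFF, chosen so that
     * both halves change and a torn read is visible. */
    const uint32_t old_v = 0x00010000u, new_v = 0x0002FFFFu;
    uint32_t r1 = simulate_preempted_write(old_v, new_v, false);
    uint32_t r2 = simulate_preempted_write(old_v, new_v, true);
    printf("unprotected: 0x%08lX consistent=%d\n",
           (unsigned long)r1, read_is_consistent(r1, old_v, new_v));
    printf("protected:   0x%08lX consistent=%d\n",
           (unsigned long)r2, read_is_consistent(r2, old_v, new_v));
    return 0;
}
```

The critical section is only needed around the multi-part access itself (both write parts, and both read parts); wrapping larger regions is what causes the performance degradation the slide warns about.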
Page 7
Page 8
Polyspace – Data race checks
Find Timing Issues with Multitasking
Page 9
Polyspace – Global Variable Usage Protection
• Shared protected global variable: global variables shared between multiple tasks and protected from concurrent access by the tasks
• Shared unprotected global variable: global variables shared between multiple tasks but not protected from concurrent access by the tasks
• Non-shared used global variable: global variables used in a single task
• Non-shared unused global variable: global variables declared but not used
Page 10
Let's make another example…
Is it safe to use the myarray_init function?
Diagram: integration_context calls (and thereby impacts) myarray_init, which in turn impacts VeryImportantData: hard to find!
Page 11
Problem with testing: tests aren't exhaustive [1]
[1] Dijkstra, "Notes On Structured Programming", 1972
Page 12
Page 13
Polyspace – Proving Memory Safety
Memory safety aims to avoid software errors that cause safety and security vulnerabilities in dealing with random-access memory (RAM), such as corruption of content and read/write access to memory allocated to another software element.
Programming languages such as C and C++ that support arbitrary pointer arithmetic, casting, and deallocation are typically not memory safe.
With Polyspace you can prove the existence and absence of memory access errors such as:
Page 14
Let's make one last example… (diagram label: External code)
Page 15
Page 16
Example: Optimize design and architecture
Diagram: external code calls a non-robust module; potential runtime error inside!!!
Page 17
Example: Optimize design and architecture
Diagram: external code now passes through additional range-limiting code before reaching the non-robust module; free from runtime errors.
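An added example (not the deck's code) that ties the myarray_init question from page 10 to the range-limiting architecture of pages 16 and 17: a non-robust module whose correctness depends on a count supplied by its integration context, and a thin range-limiting wrapper placed between the external code and the module. The names myarray_init and VeryImportantData (here very_important_data) are from the slide diagram; the array length, the fill parameter, the checked wrapper, and the sample counts are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MYARRAY_LEN 8u   /* assumed size of the module's array */

static int32_t myarray[MYARRAY_LEN];
/* Stands in for VeryImportantData from the slide: whatever the linker placed
 * near myarray would be clobbered by an out-of-bounds write. */
static int32_t very_important_data = 42;

/* The non-robust module (name from the slide, body assumed): correct only when
 * 0 <= count <= MYARRAY_LEN. Whether that holds is decided by the integration
 * context that calls it, which is why testing this function in isolation
 * cannot prove it safe. */
static void myarray_init(size_t count, int32_t fill)
{
    for (size_t i = 0; i < count; i++)
        myarray[i] = fill;              /* out-of-bounds write if count > MYARRAY_LEN */
}

/* The additional range-limiting code between external code and the module.
 * Returns 0 on success and -1 if the request is rejected, leaving the array
 * untouched; the module is now only reachable with a proven-valid count. */
int myarray_init_checked(size_t count, int32_t fill)
{
    if (count > MYARRAY_LEN)
        return -1;                      /* reject instead of trusting the caller */
    myarray_init(count, fill);
    return 0;
}

/* Observers used from outside the module. */
int32_t myarray_get(size_t i) { return i < MYARRAY_LEN ? myarray[i] : 0; }
int32_t very_important_data_get(void) { return very_important_data; }

int main(void)
{
    /* Constructed integration context: counts arriving from external code
     * (e.g. a length field in a message), one of which exceeds the array. */
    const size_t from_external_code[] = { 4u, MYARRAY_LEN, 200u };
    for (size_t k = 0; k < 3; k++) {
        int rc = myarray_init_checked(from_external_code[k], 7);
        printf("count=%zu -> rc=%d, myarray[0]=%ld, very_important_data=%ld\n",
               from_external_code[k], rc,
               (long)myarray_get(0), (long)very_important_data_get());
    }
    return 0;
}
```

The design point of pages 16 and 17 is that the module itself is left unchanged; the range check is added at the architectural boundary where untrusted values enter, so the set of calling contexts that reach myarray_init shrinks to those a static analysis can show are in range.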
Page 18
Summary
Do you have multicore applications?
Do you have HW/SW protections?
Would you like to reduce testing effort?
Ask for our static analysis solutions TODAY