certkitiec codeprover workflow

Upload: janos-kovacs

Post on 07-Aug-2018


• 8/20/2019 Certkitiec Codeprover Workflow

1/35

IEC Certification Kit

Polyspace® Code Prover™ Reference Workflow

R2015b

How to Contact MathWorks

Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000

The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098

IEC Certification Kit: Polyspace® Code Prover™ Reference Workflow

© COPYRIGHT 2013 – 2015 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Patents

MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.

Revision History

September 2013: New for Version 3.2 (Applies to Release 2013b)
March 2014: Revised for Version 3.3 (Applies to Release 2014a)
October 2014: Revised for Version 3.4 (Applies to Release 2014b)
March 2015: Revised for Version 3.5 (Applies to Release 2015a)
September 2015: Revised for IEC Certification Kit Version 3.6 (Applies to Release 2015b)


Contents

1 Introduction ... 1-1
  1.1 Overview ... 1-2
2 Integration of Polyspace Code Prover into the Software Life Cycle ... 2-1
  2.1 Workflow Overview ... 2-2
  2.2 Tool Use Cases ... 2-5
    [PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect systematic and potential run-time errors ... 2-5
    [PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect unreachable code ... 2-5
    [PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code ... 2-5
    [PCP_UC4] Semantic analysis of global variable usage in the C/C++ code ... 2-6
    [PCP_UC5] Reporting of software quality metrics ... 2-6
    [PCP_UC6] Semantic analysis of C/C++ code to assess interface between components ... 2-6
  Applicable ISO 26262, IEC 61508, and EN 50128 Requirements ... 2-7
  Error Prevention and Detection Measures ... 2-8
    [M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software ... 2-8
    [M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software ... 2-8
    [M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or Analysis ... 2-8
    [M3] Selective Review and Analysis of Source Code Portions not Reached by Testing ... 2-9
    [M4] Check of the underlying verification and analysis results for critical issues ... 2-9
    [M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Verified; Use of Checksums ... 2-9
    [M_MISC2] Competency of the Project Team ... 2-9
    [M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation ... 2-9
    [M_MISC4] Analysis of Available Bug Report Information ... 2-9
3 Additional Considerations ... 3-1
  3.1 Options Impacting Analysis or Verification ... 3-2
  3.2 Configuration Management and Revision Control ... 3-3
  3.3 Competency of the Project Team ... 3-4
  3.4 Installation Integrity and Release Compatibility ... 3-5
  3.5 Bug Reporting ... 3-6
  3.6 Deviation from the Reference Workflow ... 3-7
  3.7 Integration with the Software Safety Life Cycle ... 3-8
4 Workflow Overview ... 4-1
5 Conformance Demonstration Template ... 5-1
6 References ... 6-1


1 Introduction

1.1 Overview

Polyspace® Code Prover™ detects and proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in embedded software written in the C and C++ programming languages.

Polyspace Code Prover uses formal methods-based abstract interpretation to formally prove run-time attributes of software. Polyspace Code Prover uses color-coding to indicate the run-time status of each line of code. Additionally, Polyspace Code Prover calculates and provides ranges for variables and operator parameters at any point of the program, taking into account every possible configuration (inputs, global variables).

Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as well as to define, determine, and report software quality metrics.

This document provides a reference workflow for Polyspace Code Prover. In particular, it describes how to:

• Leverage the code verification, unreachable code analysis, call tree computation, global variable usage analysis, and quality metrics reporting capabilities of Polyspace Code Prover in the software life cycle
• Check that these capabilities are functioning as expected

This workflow addresses handwritten, automatically generated, and mixed code. It is applicable for developing code as well as for auditing code received from others.

Note: If you are verifying only generated C or C++ code, see the Embedded Coder® reference workflow provided in IEC Certification Kit: Embedded Coder Reference Workflow before using this document. Polyspace Code Prover products provide added assurance to the reference workflow for models and generated code.

The reference workflow presented in this document describes activities intended to comply with applicable requirements of the overall software safety lifecycles defined by IEC 61508-3 [1], ISO 26262 [2], and EN 50128 [3] respectively, as they relate to verification and analysis of handwritten, generated, or mixed source code. The workflow addresses risk levels ASIL A - ASIL D according to ISO 26262, SIL 1 - SIL 3 according to IEC 61508, and SIL 0 - SIL 4 according to EN 50128.

The document is organized as follows:

• Chapter 2, “Integration of Polyspace Code Prover into the Software Life Cycle” provides a reference workflow for the Polyspace Code Prover tool. It describes reference use cases and measures to prevent or detect potential tool errors.
• Chapter 3, “Additional Considerations” describes tool options that impact verification results, and other considerations such as tailoring and bug reporting.
• Chapter 4, “Workflow Overview” summarizes the workflow in a tabular way.
• Chapter 5, “Conformance Demonstration Template” references a template that can be used to demonstrate conformance with this reference workflow.
• Chapter 6, “References” lists the standards and guidelines referenced in this document.

Disclaimer: While adhering to the recommendations in this document will reduce the risk that an error is introduced in development and not be detected, it is not a guarantee that the system being developed will be safe. Conversely, if some of the recommendations in this document are not followed, it does not mean that the system being developed will be unsafe.


2 Integration of Polyspace Code Prover into the Software Life Cycle

2.1 Workflow Overview

This section describes use cases for the following capabilities of Polyspace Code Prover as part of the software life cycle:

• Code verification
• Unreachable code analysis
• Call tree computation
• Global variable usage analysis
• Software quality metrics reporting

During the development of embedded application software, C or C++ code can be used to implement the required functionality. The source code can be the result of manual implementation (see upper part of Figure 1) or automatic code generation (see lower part of Figure 1) or a combination of both. Handwritten source code and source code created using code generation can be combined to create the application software for an embedded system.

Figure 1: Software life cycle (development activities and artifacts) (see footnotes 1 and 2)

You can use the code verification, unreachable code analysis, call tree computation, global variable usage analysis, and software quality metrics reporting capabilities of Polyspace Code Prover to verify or analyze C or C++ source code regardless of its origin. Figure 2 identifies the development artifacts that can be verified or analyzed by Polyspace Code Prover.

Footnote 1: Solid arrows in the figure indicate the succession of software development activities.

Footnote 2: The model used for production code generation can contain handwritten source code. For example: C code contained in user S-functions. This mixed-code use case is indicated by the dashed arrow in the figure.

Figure 2: Integration of source code analysis and verification into the software life cycle

Note: For generated code, this workflow can also be used to provide added assurance to the one described in IEC Certification Kit: Embedded Coder Reference Workflow.

2.2 Tool Use Cases

The Polyspace Bug Finder tool use cases, described in the Polyspace Bug Finder Reference Workflow, R2015b, are applicable Polyspace Code Prover use cases.

Additionally, it is assumed that the Polyspace Code Prover tool is used as described by one or more of the following use cases:

[PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect systematic and potential run-time errors

The Polyspace Code Prover tool is used to identify systematic and potential run-time errors in C or C++ source code.

Code verification provided by Polyspace Code Prover proves the absence of overflow, divide-by-zero, out-of-bounds array access, and certain other run-time errors in the source code, as described in the Polyspace Code Prover User’s Guide, R2015b.

This verification uses formal methods based on abstract interpretation techniques. It can be applied to handwritten as well as generated source code.

[PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect unreachable code

Gray checks provided by the Polyspace Code Prover tool are used to identify unreachable code branches in C or C++ source code. This verification uses formal methods based on abstract interpretation of the source code.

This analysis can be applied to handwritten as well as generated source code.
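As an added illustration of use cases [PCP_UC1] and [PCP_UC2] (example code written for this page, not code from the MathWorks document or from the Polyspace product), the C program below places the unchecked form of a small scaling routine beside a range-checked form. Each statement of the unchecked form carries one of the run-time error classes named in [PCP_UC1] (signed overflow, division by zero, out-of-bounds array read) for unconstrained inputs, and the last function contains a branch of the kind a gray check in [PCP_UC2] reports as unreachable. The function names, the lookup table and the status enumeration are the example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample lookup table (not from the document). */
#define TABLE_LEN 8u
static const int32_t offset_table[TABLE_LEN] = { 0, 5, 10, 15, 20, 25, 30, 35 };

/* Unchecked form: each statement carries one run-time error class from
 * [PCP_UC1] whenever the inputs are not constrained. Code verification reports
 * a potential or systematic check on each such line, depending on the ranges
 * it can establish for gain, sample, divisor and idx. */
int32_t scale_unchecked(int32_t gain, int32_t sample, int32_t divisor, size_t idx)
{
    int32_t product = gain * sample;     /* signed overflow if |gain * sample| > INT32_MAX */
    int32_t scaled  = product / divisor; /* division by zero if divisor == 0 */
    return scaled + offset_table[idx];   /* out-of-bounds read if idx >= TABLE_LEN */
}

typedef enum {
    SCALE_OK = 0,
    SCALE_ERR_OVERFLOW,
    SCALE_ERR_DIV_ZERO,
    SCALE_ERR_INDEX
} scale_status_t;

/* Checked form: every operand is constrained before the operation that depends
 * on it, and failure is reported as a status rather than as a value, so each
 * operation can be shown safe for all inputs that reach it. */
scale_status_t scale_checked(int32_t gain, int32_t sample, int32_t divisor,
                             size_t idx, int32_t *out)
{
    if (idx >= TABLE_LEN) {
        return SCALE_ERR_INDEX;
    }
    if (divisor == 0) {
        return SCALE_ERR_DIV_ZERO;
    }
    /* Multiply in 64 bits, then check that the product fits the 32-bit type. */
    int64_t wide = (int64_t)gain * (int64_t)sample;
    if (wide > INT32_MAX || wide < INT32_MIN) {
        return SCALE_ERR_OVERFLOW;
    }
    /* INT32_MIN / -1 does not fit int32 either; reject it explicitly rather
     * than relying on the final range check below. */
    if (wide == INT32_MIN && divisor == -1) {
        return SCALE_ERR_OVERFLOW;
    }
    int64_t sum = (wide / divisor) + offset_table[idx];
    if (sum > INT32_MAX || sum < INT32_MIN) {
        return SCALE_ERR_OVERFLOW;
    }
    *out = (int32_t)sum;
    return SCALE_OK;
}

/* Unreachable branch of the kind a gray check ([PCP_UC2]) reports: after the
 * saturation step, level is always <= 100, so the final return can never run. */
const char *classify_level(uint32_t level)
{
    if (level > 100u) {
        level = 100u;              /* saturate */
    }
    if (level <= 100u) {
        return "in range";
    }
    return "out of range";         /* dead code: reported as unreachable */
}

int main(void)
{
    int32_t value = 0;
    scale_status_t st = scale_checked(100, 200, 4, 2, &value);
    printf("status=%d value=%d\n", (int)st, (int)value);   /* status=0 value=5010 */
    st = scale_checked(100, 200, 0, 2, &value);
    printf("status=%d (division by zero rejected)\n", (int)st);
    printf("%s\n", classify_level(250u));
    return 0;
}
```

The checked form is the shape the corrective-action procedure in [M2] tends to drive code toward: constrain each operand before the operation, and return a status so a caller cannot mistake a rejected input for a computed value. The explicit INT32_MIN / -1 case is worth noting because a divisor-is-not-zero check alone does not make a signed division safe.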

[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code

The Polyspace Code Prover tool is used to extract control flow information from C or C++ source code. The extracted information is used by Polyspace Code Prover to generate an application call tree.

Generated call graphs can, for example, be reviewed to analyze the control flow or to identify recursive function calls.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code

The Polyspace Code Prover tool is used to extract data flow information from C or C++ source code with regard to the usage of global variables. For each global variable in the source code, Polyspace Code Prover provides the following information:

• Number and location(s) of read and write access(es) to global variables, directly or through pointer access
• Type value ranges for individual access operations
• Shared variables and associated concurrent access protection

The variable access information can, for example, be reviewed to analyze the data flow.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC5] Reporting of software quality metrics

The Polyspace Code Prover tool is used to define, determine, and report quality metrics for C or C++ source code. The reports are based on analysis and verification results provided by Polyspace Code Prover and Polyspace Bug Finder.

Software quality metrics can be applied to handwritten as well as generated source code.

Note: The analysis and verification results provided by Polyspace Code Prover can be used to assess the quality of the C or C++ source code with respect to defined software quality goals, for example Software Quality Objectives SQO-2 to SQO-6 according to [4].

[PCP_UC6] Semantic analysis of C/C++ code to assess interface between components

The Polyspace Code Prover tool is used to detect interface errors between components. Polyspace Code Prover provides the following information:

• Function calls with an incorrect number of arguments.
• Function calls with an incorrect type of arguments.

This analysis can be applied to handwritten and generated source code.

Applicable ISO 26262, IEC 61508, and EN 50128 Requirements

Using Polyspace Code Prover to perform the verification and analysis activities described in the above use cases supports a variety of objectives and measures listed in functional safety standards.

ISO 26262, IEC 61508, and EN 50128 techniques and measures that can be supported by using Polyspace Code Prover are described in:

• IEC Certification Kit: Model-Based Design for ISO 26262
• IEC Certification Kit: Model-Based Design for IEC 61508
• IEC Certification Kit: Model-Based Design for EN 50128

In these documents, for information on use cases, refer to items labeled with:

• ‘Polyspace Code Prover – Code verification’ for use cases [PCP_UC1], [PCP_UC6]
• ‘Polyspace Code Prover – Unreachable code analysis’ for use cases [PCP_UC2], [PCP_UC6]
• ‘Polyspace Code Prover – Call tree computation’ for use case [PCP_UC3]
• ‘Polyspace Code Prover – Global variable usage analysis’ for use case [PCP_UC4]
• ‘Polyspace Code Prover – Code metrics’ and ‘Polyspace Bug Finder – Code metrics’ for use case [PCP_UC5]

Error Prevention and Detection Measures

It is assumed that the user carries out the following measures to check the seamless functioning of the verification and analysis capabilities provided by Polyspace Code Prover and to verify their results.

[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software

Before or after verifying or analyzing the source code with Polyspace Code Prover:

• Dynamically verify (test) the executable code corresponding to the C or C++ source code.

[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software

Before or after verifying or analyzing the source code with Polyspace Code Prover:

• Dynamically verify (test) the executable code corresponding to the C or C++ source code without specifically aiming at detecting run-time errors.

Note: [M1_lim] is a variation of [M1] where the test process is not optimized to detect run-time errors. For example, you can specifically detect run-time errors by injecting random samples of software inputs that stress the software, without checking the functional results. The likelihood of detecting systematic or potential run-time errors by testing might be low when using [M1_lim]. For details see section ‘Tool Classification Summary’ in IEC Certification Kit: Polyspace Code Prover ISO 26262 Tool Qualification Package.

[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or Analysis

After verifying or analyzing the source code with Polyspace Code Prover:

• Analyze the identified issues using a defined procedure for corrective action.

The procedure for corrective action includes manual analysis and review of the issues uncovered.

[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing

After dynamically verifying (testing) the source code:

• Review and analyze the portions of the C or C++ source code that were not reached by testing.

Note: [M3] is intended to be used in conjunction with [M1] or [M1_lim] respectively. For details, see section ‘Tool Classification Summary’ in IEC Certification Kit: Polyspace Code Prover ISO 26262 Tool Qualification Package.

[M4] Check of the underlying verification and analysis results for critical issues

Check the individual verification and analysis results that are the basis for the quality metrics reported by Polyspace Code Prover for critical issues that require further attention.

[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be Verified; Use of Checksums

Apply configuration management to the artifacts to be verified or analyzed using Polyspace Code Prover.

[M_MISC2] Competency of the Project Team

Those carrying out verification or analysis activities using Polyspace Code Prover shall be competent for the activities undertaken.

[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation

Adhere to the installation instructions for Polyspace Code Prover (including dependent tools) and verify the version and integrity of the tool.

Validate modifications or additions made to the shipping product(s), if applicable.

[M_MISC4] Analysis of Available Bug Report Information

Assess and analyze bug report information for Polyspace Code Prover provided by MathWorks® and comply with the recommendations and workarounds, if applicable.


3 Additional Considerations

When implementing this reference workflow, consider the following topics:

3.1 Options Impacting Analysis or Verification

The options you select in your Polyspace project impact your analysis or verification results. The options should be justified and selected to fit the needs of the project.

For more information on Polyspace options, see the Polyspace Code Prover Reference.

3.2 Configuration Management and Revision Control

Configuration management shall be applied to the artifacts to be verified or validated, as well as to other work products specified in the respective standard or in this document.

3.3 Competency of the Project Team

As described in Software Quality Objectives for Source Code [4], Section 3.2.2:

• Those carrying out coding and verification activities shall be competent for the activities undertaken.
• Coding and verification activities should be conducted by independent roles.

The applicable safety standard may provide additional guidance on the required degree of independence.

3.4 Installation Integrity and Release Compatibility

The tool user shall adhere to the installation instructions for Polyspace Code Prover (including dependent tools).

The tool user shall verify the version of Polyspace Code Prover and the integrity of the tool’s installation (including dependent tools).

Note: You can use the ver command in MATLAB® to display the current versions of MATLAB, Polyspace® Bug Finder™, Polyspace Code Prover, and other MathWorks products.

The tool user shall validate modifications or additions to shipping product(s), if applicable.

3.5 Bug Reporting

The tool user shall assess bug report information provided by the tool vendors and comply with the recommendations and workarounds, if applicable.

After deployment of the application under development, bug report information shall also be assessed by the tool user on a regular basis.

The tool user shall carry out corrective actions if deployed applications are affected by bugs in the tools identified after deployment.

Issues with Polyspace Code Prover shall be reported.

Note: You can use the bug reports section of the MathWorks web site, www.mathworks.com/support/bugreports, to view and report bugs related to Polyspace Code Prover.

Note: You can use the IEC Certification Kit Model Advisor check Display bug reports for Polyspace Code Prover to display bug report information for this product.

3.6 Deviation from the Reference Workflow

In some instances, deviation from the reference workflow explained in this document might occur. In these cases, a defined deviation procedure shall be used to document and justify deviations from the workflow.

3.7 Integration with the Software Safety Life Cycle

The application-specific verification and validation activities shall be integrated with the overall software safety life cycle for the application under consideration.

The applicable safety standard provides additional guidance on additional objectives and requirements for the overall software safety life cycle.

4 Workflow Overview

Table A.1 Objectives, Prerequisites, and Work Products

Activity: Code verification
Objective: Prove the absence of certain classes of run-time errors in C or C++ source code
Prerequisites:
• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be verified
• Data range specification
• Polyspace configuration and project information (.psprj and .ppm files)
• Procedures for corrective action
Work Products:
• Raw code verification results with potential and systematic run-time errors (.pscp files and dependent files)
• Reviewed and commented code verification results (.pscp files and dependent files)
• Verified C or C++ source code

Activity: Unreachable code analysis
Objective: Identify unreachable code branches in C or C++ source code
Prerequisites:
• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be analyzed
• Data range specification
• Polyspace configuration and project information (.psprj and .ppm files)
• Procedures for corrective action
Work Products:
• Raw code analysis results with unreachable code branches (.pscp files and dependent files)
• Reviewed and commented code analysis results (.pscp files and dependent files)
• Analyzed C or C++ source code

Activity: Call tree computation
Objective: Analyze the calling relationships in C or C++ source code
Prerequisites:
• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be analyzed
• Polyspace configuration and project information (.psprj and .ppm files)
• Procedures for corrective action
Work Products:
• Call tree: _Call_Tree file (.html, .pdf, .rtf, .docx, or .xml)
• Reviewed call tree: _Call_Tree file (.html, .pdf, .rtf, .docx, or .xml)
• Analyzed C or C++ source code

Activity: Global variable usage analysis
Objective: Analyze the usage of global variables in C or C++ source code
Prerequisites:
• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be analyzed
• Polyspace configuration and project information (.psprj and .ppm files)
• Procedures for corrective action
Work Products:
• Dictionary containing information about global variables: _Variable_View file (.html, .pdf, .rtf, .docx, or .xml)
• Reviewed dictionary: _Variable_View file (.html, .pdf, .rtf, .docx, or .xml)
• Analyzed C or C++ source code

Activity: Software quality metrics reporting
Objective: Define, determine, and report quality metrics for C or C++ source code based on analysis / verification results provided by Polyspace Bug Finder and/or Polyspace Code Prover
Prerequisites:
• C source code (e.g. .c and .h files) or C++ source code (e.g. .cpp and .hpp files) to be analyzed
• Analysis / verification results provided by Polyspace Bug Finder and / or Polyspace Code Prover
Work Products:
• Software quality level for the application
• Software quality objectives for each module
• Software quality metrics results displayed in Web Dashboard or exported via Polyspace GUI (.html, .pdf, .rtf, .docx, or .xml file)


5 Conformance Demonstration Template

To justify that the requirements outlined in this document have been satisfied, you must provide evidence for the activities that have been carried out.

The IEC Certification Kit product provides an editable Conformance Demonstration Template that can be used to demonstrate conformance with the parts of ISO 26262-6, IEC 61508-3, or EN 50128 covered in this document.

To access the conformance demonstration template, on the MATLAB® command line, type certkitiec to open the Artifacts Explorer. The template is in Polyspace Code Prover.

For each technique or measure:

• In the third column, state to what degree you applied the technique or measure for the application under consideration by using one of the phrases Used, Used to a limited degree, or Not used.
• In the fourth column, state how you used the technique or measure in the application under consideration. If the reference workflow includes alternative means for compliance, indicate what variant you used. In addition, enter a reference to the document (for example, test report or review documentation) that satisfies the requirement.


6 References

[1] IEC 61508-3:2010. International Standard IEC 61508 Functional safety of electrical / electronic / programmable electronic safety-related systems — Part 3: Software requirements. Second edition, 2010.
[2] ISO 26262-6:2011. Road vehicles — Functional safety — Part 6: Product development: software level. International Standard, 2011.
[3] EN 50128:2011. Railway applications - Communication, signalling and processing systems - Software for railway control and protection systems. International Standard, 2011.
[4] The MathWorks. Software Quality Objectives for Source Code. Version 3.0, 2012.