tech days 2015: model based development with qgen

Model-Based Development with QGen

S. Tucker TaftNovember 2015

What is QGen? and Why?

System Engineers vs. Software Engineers

“Who needs programmers?

Why do we have to depend on

them to implement our design?”

“Uh boy, not another attempt at Programming with

Pictures…”

Who is in charge, and do we really need programmers?System Architects and Engineers develop the original design

In a traditional environment, there is a “hand off”

to the software engineers- Detailed software design not directly linked to high level design- Design and even architecture may evolve as software development issues arise

- Net effect => can become an us vs. them situation

• Hardware and software engineers develop components to satisfy the requirements.

• Test engineers develop the test environment to verify the requirements.

Model Based System Engineering

System engineers analyze, simulate and validate the system design, and allocate

requirements to components.

Using standard-conforming modeling

tools

Using a standard-conforming model

execution tools

System engineers create the

models

Execution artifacts could include:System behavior, timing and statistics

Models can include both hardware and

software components.

Using standard-based model interchange

Courtesy of Ed Seidewitz

So How does Model-Based Approach Help reduce the us vs. them?Model-based approach, there need not be a “hand off”

- High-level design (produced by system engineers) is represented in a modeling language that supports automated code generation.

- Software engineers are still important: they now focus on providing new or enhanced parameterized building blocks, code-generation capabilities, and infrastructure.

Parameterized, annotated, high-performance building blocks in a software development “stack” can become key to commonality and productivity.

Shift to a Model-Based Approach by a customer was a Wakeup call for us

Major aerospace customer shifted engineers almost completely to model-based engineering

- Simulink, SCADE, etc. with automated code generation

Remaining number of users for “conventional” 3rd-generation compiler with IDE:- Five seats -- their tools group

Some of our traditional users were

disappearing …

Needed to broaden our focus

and develop a deeper software

development “stack”

What exactly is a Software Development Stack?

Modeling ToolsDrawing, Analysis, Simulation, Autocoding (QGen)

Coding ToolsCompiling, Analysis, Scheduling, Debugging

Architecture ToolsDefinition, Analysis, Documentation

Verification ToolsTesting, Analysis, Coverage, Proof

Hardw

are

What is QGen?A qualifiable and

customizable code generator

from Simulink® and Stateflow® to SPARK and

MISRA C

A formal model verifier

for runtime errors and functional properties

An open and extensible frameworkto integrate

heterogeneous models

QGen Main Features- Support for a large subset of Simulink®

- Around 120 blocks, optional checks for MISRA Guidelines for Simulink®- Stateflow® also supported, since early 2015


- Code generation producing MISRA C and SPARK (formally provable language)

- Readable and traceable code, no performance penalty



- Integrated with compilation and testing frameworks- Integration with GNAT Pro compiler for qualified, end-to-end tool chain- Integration with GNATemulator and GNATcoverage for structural coverage analysis (up to MC/DC) without code instrumentation executing embedded object code


- Code generation producing MISRA C and SPARK (formally provable subset of Ada 2012)

- Integrated with compilation and testing frameworks

- Includes a static model verifier- Focus on safety-critical systems- Finds Run-time errors (divisions by zero, overflows, …)- Finds Logical errors (dead execution paths)- Verifies Functional/safety properties (Simulink® assertions blocks)




- Includes a static model verifier

- With QGen, you do not need a separate Stateflow modeling standard

Stateflow Safe subset built in: MISRA AC SLSF (guidelines)






Plus relaxing some rules- For example: limits on hierarchical decomposition






Plus additional constraints(to further clarify semantics)- Rationale fully clarified in the user guide






- Tool qualification material- Including validation against Simulink® simulation- DO-178C, EN 50128, ISO-26262 TCL3

QGen Competitive Advantages

Safe Simulink subset: ensure that a model is verifiable by constructionDecrease tool deployment costs and system verification costs



Complete qualification evidenceDecrease verification costs on generated code




Easy to customizeDecrease tool adaptation costs

Can be used to integrate with custom libraries, or other modeling languages such as UML, SysML, …





Can be used to integrate with UML, SysML, …

Integrated with verification, compilation and testing toolsDecrease tool integration costs





Can be used to integrate with UML, SysML, …

Integrated with verification, compilation and testing toolsDecrease tool integration costs

More practical to useDoes not require Matlab after model is exported

10x faster code generation, with no performance penalties on the generated code

QGen Development History- France- and EU-funded collaborative R&D project

- From October 2011 to October 2015

- 10M Euros total budget

- 19 Partners

- Leader: Continental Automotive France

QGen Development HistoryIndustrial Users

Avionics Automotive Space

Tech Providers Academia

Using QGen

From command line (does not require Matlab® IDE, ideal for regression testing)

qgenc MyModel.mdl [code-generation-options]

Using QGen

Integrated in Matlab® IDE (ideal for everyday use)

Using QGen Code Generation

Standard code generation- One file for every atomic subsystem- Variables are global (in .adb/.c files)

Full inlining, to increase performances- A single file for the entire system- All function calls are inlined- Less memory consumption, less memory copy, more optimization

Wrapping to reuse code with different I/O context- Corresponds to Simulink “generate reusable code”- Pass persistent state and I/O data as formal parameters- Allows reusing the same code for multiple I/O contexts

Using QGen Code Generation

QGen Demos

Video: QGen for Simulink

QGen: Support for Stateflow

Overall Stateflow code generation

/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */

1 2

/* entering the state machine */ if (!Active) { Active = TRUE; /* Open and enter chart */ s1 = TRUE; /* Enter state s1 */ s1_s11 = TRUE; /* Enter state s11 */ Out1 = 0.0; /* Perform transition for s11a */ s1_s11_s11a = TRUE; /* Enter state s11a */ s1_s12 = TRUE; /* Enter state s12 */ Out2 = 0.0; /* Perform transition for s12a */ s1_s12_s12a = TRUE; /* Enter state s12a */ } else { /* state machine entered previously */

1 2


1 2

if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}


1 2


if (s1_s11_s11a) { if (Out1 > In1) { Out1 += 100.0; /* Exit state s11a */ s1_s11_s11a = FALSE; /* Exit state s11a */ s1_s11_s11b = TRUE; /* Enter state s11b */ } else { Out1++; /* Execute state s11a */ }} if (s1_s12_s12a) { if (slInEvent1) { Out2 += 100.0; /* Exit state s12a */ s1_s12_s12a = FALSE; s1_s12_s12b = TRUE; /* Enter state s12b */ Out2 += -50.0; }} else { if (s1_s12_s12b) { Out2++; /* Execute state s12b */ }}

The Big Picture: code generation and testing

AdaCore is in the unique position of providing a fully qualifiable end-to-end

model compilation chain

The Big Picture: code generation and testing

MISRA C or SPARK

Embedded Object Code

GNATemulator*for PowerPC, ARM, …

(Virtual)Processor In the LoopTesting

* Already qualified in a DO-178 level A context, both in the US (FAA) and

EU (EASA)

GNATcoverage*

Structural Coverage Analysis (up to MC/DC) without source code instrumentation

Using QGen: Finding Bugs

No defensive modeling against division by zero

Video: QGen Tool Integration:

Finding Bugs

Using QGen: Verifying functional properties

If the driver hits the “Brake” or “Clutch” pedals, then the Cruise Control should be

OFF

ON OFF

TRUE ERROR OK

FALSE OK OK

Cruise Control

Brake OR Clutch



OFF



OFF

Formalization of safety property

Using Qgen: Verifying functional properties


OFF

Formalization of safety property

System implementation

Video: QGen Tool Integration:

Verifying Functional Properties

QGen: Current Evaluation State

QGen: Current Evaluation State- Continually Tested against industrial-grade models

Avionics Automotive SpaceWe currently have customer in:

• The Automotive market (major Tier 1 in Japan)

• The Aerospace and Defense market (major US player in this market)

QGen: Current Evaluation State- Continually Tested against Industrial-Grade models

- Fast Code generation- Units with less than 100 blocks takes less than 1s- Model with 7k blocks: more than 20k SLOC generated in 35s- With additional optimization: 60s


- Fast Code generation

- Practical code generation strategy- Reusable code for Simulink libraries- Flexible parameter handling (struct, flat, globals, …)- No performance penalty (from both a timing and memory perspective



- Practical code generation strategy

- Very readable and traceable code





- Tight tool integration – A major advantage- Code generator- Compiler- Unit testing platform- Structural coverage without instrumentation- Formal verification





- Tight tool integration – A major advantage

- DO-178-like Tool Qualification – A major differentiating factor- Provides Full specification of tool behavior- Incldes Review and verification of tool source code (including structural coverage)- Brings a focus on safety to Simulink

QGen Debugger

Model-Level Debugging

• Model-Level Breakpoints• Stop on event• Stop on signal transition

• Model-Level Data Display• Trace of Signal over Time• Sequence of Events

• Model-Level Stepping• Step one Time increment• Step one Block

Computation/Update• Correlate Model Blocks with:

• Generated Code• Assembly Code

QGen Debugger Demo

Support for Model-Level Debugging• Will support Simulink 2008b and later• Will support displaying and debugging all blocks supported by QGen

code generator• Will initially support displaying and debugging Simulink blocks

• On Road Map: Stateflow, Truthtables, Lookuptables• No Limitation on depth of subsystem nesting – can drill down as needed• Pricing: Not finalized• Availability: Simulink only: Q3 2016; Simulink + Stateflow: Q1 2017

History and Roadmap2013-2014

Evaluation by Project P* partners

Late 2014

Available for selected customers

Feb 2015

QGen commercial availability

Spring 2015

Stateflow® support

2016

QGen TQL1 Planning Documents

QGen Debugger for Simulink

2017

QGen Debugger for Stateflow and Simulink

2018

QGen TQL1 qualification completed

QGen is the open, tunable and qualifiable model verifier and code generator for

Simulink® and Stateflow®