
Design Article

Verify automatically generated flight code for DO-178

Tom Erkkinen, MathWorks

3/16/2012 10:01 AM EDT

Automatically generating code from simulation models is a key development activity in Model-Based Design that inherently reduces the time and effort teams spend on hand coding. Successful deployment to a high-performance embedded system requires production of extremely efficient code. Code efficiency objectives include minimizing memory usage and maximizing execution speed. Successful deployment for military and defense systems also requires the ability to rigorously verify the code. Code verification objectives include compliance with requirements and conformance to standards.

This article describes how to measure code efficiency and perform code verification activities using the MATLAB and Simulink product family Release 2011b, featuring Embedded Coder for flight code generation. The development and verification activities discussed are intended to satisfy DO-178B and upcoming DO-178C objectives, including the Model-Based Development and Verification supplement planned for release with the DO-178C update. Not every tool or DO-178 objective is examined; rather, the focus of this article is on new technologies. Qualification kits are available for the described verification tools.

Source code assessment
Code efficiency
Code efficiency metrics are divided into two broad categories. The first measures memory usage in terms of RAM, ROM, and stack size; the second measures execution cycle counts or speed. Embedded Coder helps software engineers analyze and optimize the memory footprint of generated code by producing a code metrics report after code generation. This report shows lines of code, global RAM, and stack size based on a static analysis of the source code and knowledge of the target hardware characteristics, such as integer word sizes. The analysis is static because it does not take into account the cross-compilation and execution of the code. This allows engineers to perform a quick pass at optimizing memory usage based on the source code alone, for example by trying different data types or modifying logic in the model. The next analysis and optimization phase, however, requires the full embedded tool chain for on-board memory utilization and execution time assessment, as described in Executable Object Code Assessment below.


Figure 1: Static code metrics report

Code verification
Source code verification relies heavily on code reviews and requirements traceability analysis. A new product from MathWorks, Simulink Code Inspector, automatically performs a structural analysis of the generated source code and assesses its compliance with the low-level requirements model. The inspection checks whether every line of code has a corresponding element or block in the model. Likewise, it checks elements in the model to determine whether they are structurally equivalent to operations, operators, and data in the generated code. It then produces a detailed model-to-code and code-to-model traceability analysis report.


Figure 2: Simulink code inspector report

Additional source code verification activities include ensuring compliance with industry code standards such as MISRA AC AGC: Guidelines for the application of MISRA-C:2004 in the context of automatic code generation. With the R2011a release, Embedded Coder introduced a code generation objective that lets developers influence the code generator output based on the MISRA-C standard. MISRA-C analysis tools can then be applied to check the code. For example, Polyspace code verifier products analyze code for MISRA AC AGC and MISRA-C:2004 compliance. Polyspace can also determine whether the code has runtime errors such as divide-by-zero and array-out-of-bounds conditions. Simulink Code Inspector together with Polyspace can be used to address all code verification objectives in DO-178 Table A-5 that involve source code analysis. Objectives such as worst-case execution time need to use the executable object code and additional techniques and tools such as those described below.
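To make the two runtime-error classes named above (divide-by-zero and array-out-of-bounds) and the static global-RAM accounting from the code efficiency section concrete, here is an added example written for this article; it is not code generated by Embedded Coder or shipped with Polyspace. It mimics the shape of a generated step function with input, output and work structures (the names `rtU`, `rtY`, `rtDW`, `model_step`, the signal names and the table contents are all assumptions) and shows the guarded forms of a division and a 1-D table lookup that a static analyzer would otherwise flag, plus a `sizeof`-based estimate of the global RAM the structures occupy, which is the kind of number the static code metrics report derives from the target word sizes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical generated-code data structures (constructed for this example). */
typedef struct {
    int16_t fuel_delta;   /* Inport: fuel consumed since last sample, counts */
    int16_t dt_ms;        /* Inport: elapsed time, may be 0 on the first sample */
    uint8_t mode;         /* Inport: raw index into a 1-D gain table */
} ExtU;

typedef struct {
    int16_t fuel_rate;    /* Outport: fuel_delta / dt_ms */
    int16_t gain;         /* Outport: gain table value for the current mode */
} ExtY;

typedef struct {
    uint32_t tick;        /* discrete-time state: number of steps executed */
} DW;

#define GAIN_TABLE_LEN 8U
/* constructed constant parameter table, 8 entries */
static const int16_t rtCP_GainTable[GAIN_TABLE_LEN] = {0, 10, 20, 30, 40, 50, 60, 70};

ExtU rtU;   /* external inputs  */
ExtY rtY;   /* external outputs */
DW   rtDW;  /* block states     */

/* Division with a guarded denominator and saturation.
 * The unguarded form  rtU.fuel_delta / rtU.dt_ms  would be reported as a
 * possible division by zero because dt_ms comes straight from an input. */
static int16_t safe_div_i16(int16_t num, int16_t den)
{
    int32_t q;
    if (den == 0) {
        /* defined result instead of a trap: saturate on the sign of the numerator */
        return (num < 0) ? INT16_MIN : INT16_MAX;
    }
    q = (int32_t)num / (int32_t)den;   /* int32 so INT16_MIN / -1 cannot overflow here */
    if (q > INT16_MAX) { q = INT16_MAX; }
    if (q < INT16_MIN) { q = INT16_MIN; }
    return (int16_t)q;
}

/* Table lookup with the index clamped to the last element.
 * The unguarded form  rtCP_GainTable[rtU.mode]  would be reported as a
 * possible out-of-bounds array index because mode can reach 255. */
static int16_t gain_lookup(uint8_t idx)
{
    if (idx >= GAIN_TABLE_LEN) { idx = (uint8_t)(GAIN_TABLE_LEN - 1U); }
    return rtCP_GainTable[idx];
}

/* One step of the hypothetical model: reads rtU, writes rtY, updates rtDW. */
void model_step(void)
{
    rtY.fuel_rate = safe_div_i16(rtU.fuel_delta, rtU.dt_ms);
    rtY.gain      = gain_lookup(rtU.mode);
    rtDW.tick++;
}

/* Static estimate of global RAM: the bytes held by the three global structures.
 * Like the report described in the article, it depends only on the data types
 * and the compiler's word sizes and padding, not on running the code. */
size_t global_ram_bytes(void)
{
    return sizeof(rtU) + sizeof(rtY) + sizeof(rtDW);
}

int main(void)
{
    rtU.fuel_delta = 100; rtU.dt_ms = 0; rtU.mode = 200;  /* worst-case inputs */
    model_step();
    printf("fuel_rate=%d gain=%d tick=%u global RAM=%zu bytes\n",
           (int)rtY.fuel_rate, (int)rtY.gain, (unsigned)rtDW.tick, global_ram_bytes());
    return 0;
}
```

The guarded helpers are deliberately written in the style MISRA-C favours (single exit where practical, explicit casts, braces on every branch) so that a MISRA checker and a runtime-error analyzer both stay quiet on the step function; the saturating choice on a zero denominator is a design decision that would normally be captured in the low-level requirements, not something the analyzer picks for you.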


Figure 3: MISRA-C:2004 code generation objective specification