IEC Certification Kit

Polyspace® Code ProverTM

Reference Workflow

R2015a
How to Contact MathWorks
Latest news: www.mathworks.com
Sales and services: www.mathworks.com/sales_and_services
User community: www.mathworks.com/matlabcentral
Technical support: www.mathworks.com/support/contact_us
Phone: 508-647-7000
The MathWorks, Inc.
3 Apple Hill Drive
Natick, MA 01760-2098
IEC Certification Kit: Polyspace® Code ProverTM Reference Workflow
© COPYRIGHT 2013–2015 by The MathWorks, Inc.
The software described in this document is furnished under a license agreement. The software may be used or copied only under
the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written
consent from The MathWorks, Inc.
FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the
federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees
that this software or documentation qualifies as commercial computer software or commercial computer software documentation
as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and
conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification,
reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or
other entity acquiring for or through the federal government)and shall supersede any conflicting contractual terms or conditions.
If this License fails to meet the government’s needs or is inconsistent in any respect with federal procurement law, the
government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.
Trademarks
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a
list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective
holders.
Patents
MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more
information.
Revision History
September 2013 New for Version 3.2 (Applies to Release 2013b)
March 2014 Revised for Version 3.3 (Applies to Release 2014a)
October 2014 Revised for Version 3.4 (Applies to Release 2014b)
March 2015 Revised for Version 3.5 (Applies to Release 2015a)
Contents
1 Introduction ...................................................................................................................................... 1-1
1.1 Overview ................................................................................................................................. 1-2
2 Integration of Polyspace Code Prover into the Software Life Cycle ................................................ 2-1
2.1 Workflow Overview ................................................................................................................ 2-2
2.2 Tool Use Cases ........................................................................................................................ 2-5
[PCP_UC1] Semantic code analysis with abstract interpretation of C/C++ code to detect
systematic and potential run-time errors ...................................................................................... 2-5
[PCP_UC2] Semantic code analysis with abstract interpretation of C/C++ code to detect
unreachable code .......................................................................................................................... 2-5
[PCP_UC3] Semantic analysis of the calling relationships in the C/C++ code ........................... 2-5
[PCP_UC4] Semantic analysis of global variable usage in the C/C++ code ............................... 2-6
[PCP_UC5] Reporting of software quality metrics ...................................................................... 2-6
[PCP_UC6] Semantic analysis of C/C++ code to assess interface between components ............ 2-6
Applicable ISO 26262, IEC 61508, and EN 50128 Requirements............................................... 2-7
Error Prevention and Detection Measures.................................................................................... 2-8
[M1] Preceding or Subsequent Dynamic Verification (Testing) of the Software ........................ 2-8
[M1_lim] Limited Preceding or Subsequent Dynamic Verification (Testing) of the Software ... 2-8
[M2] Specified Procedure for Corrective Action on Failure of Source Code Verification or
Analysis........................................................................................................................................ 2-8
[M3] Selective Review and Analysis of Source Code Portions not Reached by Testing ............. 2-9
[M4] Check of the underlying verification and analysis results for critical issues....................... 2-9
[M_MISC1] Revision Control and Configuration Management to Identify the Artifacts to be
Verified; Use of Checksums ........................................................................................................ 2-9
[M_MISC2] Competency of the Project Team ............................................................................ 2-9
[M_MISC3] Adherence to Installation Instructions; Integrity of Tool Installation ..................... 2-9
[M_MISC4] Analysis of Available Bug Report Information ....................................................... 2-9
3 Additional Considerations ................................................................................................................ 3-1
3.1 Options Impacting Analysis or Verification ............................................................................ 3-2
3.2 Configuration Management and Revision Control .................................................................. 3-3
3.3 Competency of the Project Team ............................................................................................ 3-4
3.4 Installation Integrity and Release Compatibility ..................................................................... 3-5
3.5 Bug Reporting ......................................................................................................................... 3-6
3.6 Deviation from the Reference Workflow ................................................................................ 3-7
3.7 Integration with the Software Safety Life Cycle ..................................................................... 3-8
4 Workflow Overview......................................................................................................................... 4-1
5 Conformance Demonstration Template ........................................................................................... 5-1
6 References ........................................................................................................................................ 6-1

v
vi
1 Introduction
1.1 Overview
Polyspace® Code Prover™ detects and proves the absence of overflow, divide-by-zero, out-of-
bounds array access, and certain other run-time errors in embedded software written in the C and
C++ programming languages.

Polyspace Code Prover uses formal methods-based abstract interpretation to formally prove run-
time attributes of software. Polyspace Code Prover uses color-coding to indicate run-time status
of each line of code. Additionally, Polyspace Code Prover calculates and provides ranges for
variables and operator parameters at any point of the program, taking into account every
possible configuration (inputs, global variables).

Polyspace Code Prover provides additional capabilities to analyze C and C++ source code as
well as to define, determine, and report software quality metrics.

This document provides a reference workflow for Polyspace Code Prover. In particular, it
describes how to:

 Leverage the code verification, unreachable code analysis, call tree computation, global
variable usage analysis, and quality metrics reporting capabilities of Polyspace Code
Prover in the software life cycle
 Check that these capabilities are functioning as expected

This workflow addresses handwritten, automatically generated, and mixed code. It is applicable
for developing code as well as for auditing code received from others.

Note If you are verifying only generated C or C++ code, see the Embedded Coder® reference
workflow provided in IEC Certification Kit: Embedded Coder Reference Workflow before using
this document. Polyspace Code Prover products provide added assurance to the reference
workflow for models and generated code.

The reference workflow presented in this document describes activities intended to comply with
applicable requirements of the overall software safety lifecycles defined by IEC 61508-3[1], ISO
26262[2], and EN 50128[3] respectively, as they relate to verification and analysis of
handwritten, generated, or mixed source code. The workflow addresses risk levels ASIL A -
ASIL D according to ISO 26262, SIL 1 - SIL 3 according to IEC 61508, and SIL 0 - SIL 4
according to EN 50128.

1-2
The document is organized as follows:

 Chapter 2, “Integration of Polyspace Code Prover into the Software Life Cycle”
provides a reference workflow for the Polyspace Code Prover tool. It describes
reference use cases and measures to prevent or detect potential tool errors.
 Chapter 3, “Additional Considerations” describes tool options that impact verification
results, and other considerations such as tailoring and bug reporting.
 Chapter 4, “Workflow Overview” summarizes the workflow in a tabular way.
 Chapter 5, “Conformance Demonstration Template” references a template that can be
used to demonstrate conformance with this reference workflow.
 Chapter 6, “References” lists the standards and guidelines referenced in this document

Disclaimer While adhering to the recommendations in this document will reduce the risk
that an error is introduced in development and not be detected, it is not a guarantee that the
system being developed will be safe. Conversely, if some of the recommendations in this
document are not followed, it does not mean that the system being developed will be unsafe.

1-3
1-4
2 Integration of Polyspace Code
Prover into the Software Life
Cycle
2.1 Workflow Overview
This section describes use cases for the following capabilities of Polyspace Code Prover as part
of the software life cycle:

 Code verification
 Unreachable code analysis
 Call tree computation
 Global variable usage analysis
 Software quality metrics reporting
During the development of embedded application software, C or C++ code can be used to
implement the required functionality. The source code can be the result of manual
implementation (see upper part of Figure 1) or automatic code generation (see lower part of
Figure 1) or a combination of both. Handwritten source code and source code created using code
generation can be combined to create the application software for an embedded system.

2-2
 Figure 1: Software life cycle (development activities and artifacts)1,2
You can use the code verification, unreachable code analysis, call tree computation, global
variable usage analysis, and software quality metrics reporting capabilities of Polyspace Code
Prover to verify or analyze C or C++ source code regardless of its origin. Figure 2 identifies the
development artifacts that can be verified or analyzed by Polyspace Code.

1
Solid arrows in the figure indicate the succession of software development activities.
2
The model uses for production code generation can contain handwritten source code. For example: C code contained in user S-
functions. This mixed-code use case is indicated by the dashed arrow in the figure.

2-3
Figure 2: Integration of source code analysis and verification into the software
life cycle

Note For generated code, this workflow can also be used to provide added
assurance to the one described in

IEC Certification Kit: Embedded Coder Reference Workflow

2-4
2.2 Tool Use Cases
The Polyspace Bug Finder tool use cases, described in the Polyspace Bug Finder Reference
Workflow, R2015a, are applicable Polyspace Code Prover use cases.

Additionally, it is assumed that the Polyspace Code Prover tool is used as described by one or
more of the following use cases:

[PCP_UC1] Semantic code analysis with abstract

interpretation of C/C++ code to detect systematic and
potential run-time errors
The Polyspace Code Prover tool is used to identify systematic and potential run-time errors in C
or C++ source code.

Code verification provided by Polyspace Code Prover proves the absence of overflow, divide-
by-zero, out-of-bounds array access, and certain other run-time errors in the source code, as
described in the Polyspace Code Prover User’s Guide, R2015a.

This verification uses formal-methods based on abstract interpretation techniques. It can be

applied to handwritten as well as generated source code.

[PCP_UC2] Semantic code analysis with abstract

interpretation of C/C++ code to detect unreachable code
Gray checks provided by the Polyspace Code Prover tool are used to identify unreachable code
branches in C or C++ source code. This verification uses formal-methods based on abstract
interpretation of the source code.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC3] Semantic analysis of the calling relationships

in the C/C++ code
The Polyspace Code Prover tool is used to extract control flow information from C or C++
source code. The extracted information is used by Polyspace Code Prover to generate an
application call tree.

Generated call graphs can e.g. be reviewed to analyze the control flow or to identify recursive
function calls.

2-5
This analysis can be applied to handwritten as well as generated source code.

[PCP_UC4] Semantic analysis of global variable usage in

the C/C++ code
The Polyspace Code Prover tool is used to extract data flow information from C or C++ source
code with regards to the usage of global variables. For each global variable in the source code,
Polyspace Code Prover provides the following information:

 Number and location(s) of read and write access(es) to global variables, directly or
through pointer access
 Type value ranges for individual access operations
 Shared variables and associated concurrent access protection

The variable access information can e.g. be reviewed to analyze the data flow.

This analysis can be applied to handwritten as well as generated source code.

[PCP_UC5] Reporting of software quality metrics

The Polyspace Code Prover tool is used to define, determine, and report quality metrics for C or
C++ source code. The reports are based on analysis and verification results provided by
Polyspace Code Prover and Polyspace Bug Finder.

Software quality metrics can be applied to handwritten as well as generated source code.

Note The analysis and verification results provided by Polyspace Code Prover can be used to
assess the quality of the C or C++ source code with respect to defined software quality goals, for
example Software Quality Objectives SQO-2 to SQO-6 according to [4].

[PCP_UC6] Semantic analysis of C/C++ code to assess

interface between components
The Polyspace Code Prover tool is used to detect interface error between components.

Polyspace Code Prover provides the following information:

 Function-call with an incorrect number of arguments.

 Function-call with an incorrect type of arguments.

This analysis can be applied to handwritten and generated source code.

2-6
Applicable ISO 26262, IEC 61508, and EN 50128
Requirements
Using Polyspace Code Prover to perform the verification and analysis activities described in the
above use cases supports a variety of objectives and measures listed in functional safety
standards.

ISO 26262, IEC 61508, and EN 50128 techniques and measures that can be supported by using
Polyspace Code Prover are described in:

• IEC Certification Kit: Model-Based Design for ISO 26262

• IEC Certification Kit: Model-Based Design for IEC 61508
• IEC Certification Kit: Model-Based Design for EN 50128

In these documents, for information on use cases, refer to items labeled with:
 ‘Polyspace Code Prover – Code verification’ for use case [PCP_UC1], [PCP_UC6]
 ‘Polyspace Code Prover – Unreachable code analysis’ for use case [PCP_UC2] ,
[PCP_UC6]
 ‘Polyspace Code Prover – Call tree computation’ for use case [PCP_UC3]
 ‘Polyspace Code Prover – Global variable usage analysis’ for use case [PCP_UC4]
 ‘Polyspace Code Prover – Code metrics’ and ‘Polyspace Bug Finder – Code metrics’
for use case [PCP_UC5]

2-7
Error Prevention and Detection Measures
It is assumed that the user carries out the following measures to check the seamless functioning
of the verification and analysis capabilities provided by Polyspace Code Prover and to verify
their results.

[M1] Preceding or Subsequent Dynamic Verification

(Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

 Dynamically verify (test) the executable code corresponding to the C or C++ source
code.

[M1_lim] Limited Preceding or Subsequent Dynamic

Verification (Testing) of the Software
Before or after verifying or analyzing the source code with Polyspace Code Prover:

 Dynamically verify (test) the executable code corresponding to the C or C++ source
code without specifically aiming at detecting run-time errors.
Note [M1_lim] is a variation of [M1] where the test process is not be optimized to detect run-
time errors. For example, you can specifically detect run-time errors by injecting random
samples of software inputs that stress the software, without checking the functional results. The
likelihood of detecting systematic or potential run-time errors by testing might be low when
using [M1_lim]. For details see section ‘Tool Classification Summary’ in IEC Certification
Kit: Polyspace Code Prover ISO 26262 Tool Qualification Package.

[M2] Specified Procedure for Corrective Action on Failure

of Source Code Verification or Analysis
After verifying or analyzing the source code with Polyspace Code Prover:

 Analyze the identified issues using a defined procedure for corrective action.
The procedure for corrective action includes manual analysis and review of the issues
uncovered.

2-8
[M3] Selective Review and Analysis of Source Code
Portions not Reached by Testing
After dynamically verifying (testing) the source code:

 Review and analyze the portions of the C or C++ source code that were not reached by
testing.
Note [M3] is intended to be used in conjunction with [M1] or [M1_lim] respectively. For
details, see section ‘Tool Classification Summary’ in IEC Certification Kit: Polyspace Code
Prover ISO 26262 Tool Qualification Package.

[M4] Check of the underlying verification and analysis

results for critical issues
Check the individual verification and analysis results that are the basis for the quality metrics
reported by Polyspace Code Prover for critical issues that require further attention.

[M_MISC1] Revision Control and Configuration

Management to Identify the Artifacts to be Verified; Use of
Checksums
Apply configuration management to the artifacts to be verified or analyzed using Polyspace
Code Prover.

[M_MISC2] Competency of the Project Team

Those carrying out verification or analysis activities using Polyspace Code Prover shall be
competent for the activities undertaken.

[M_MISC3] Adherence to Installation Instructions;

Integrity of Tool Installation
Adhere to the installation instructions for Polyspace Code Prover (including dependent tools)
and verify the version and integrity of the tool.

Validate modifications or additions made to the shipping product(s), if applicable.

[M_MISC4] Analysis of Available Bug Report Information

Assess and analyze bug report information for Polyspace Code Prover provided by MathWorks ®
and comply with the recommendations and workarounds, if applicable.

2-9
2-10
3 Additional Considerations

When implementing this reference workflow, consider the following topics:

3.1 Options Impacting Analysis or Verification
The options you select in your Polyspace project impact your analysis or verification results.
The options should be justified and selected to fit the needs of the project.

For more information on Polyspace options, see the Polyspace Code Prover Reference.

3-2
3.2 Configuration Management and Revision Control
Configuration management shall be applied to the artifacts to be verified or validated, as well as
to other work products specified in the respective standard or in this document.

3-3
3.3 Competency of the Project Team
As described in Software Quality Objectives for Source Code [4], Section 3.2.2:

 Those carrying out coding and verification activities shall be competent for the
activities undertaken.
 Coding and verification activities should be conducted by independent roles.
The applicable safety standard may provide additional guidance on the required degree of
independence.

3-4
3.4 Installation Integrity and Release Compatibility
The tool user shall adhere to the installation instructions for Polyspace Code Prover (including
dependent tools).

The tool user shall verify the version of Polyspace Code Prover and the integrity of the tool’s
installation (including dependent tools).

Note You can use the ver command in MATLAB® to display the current versions of
MATLAB, Polyspace® Bug Finder™, Polyspace Code Prover, and other MathWorks products.

The tool user shall validate modifications or additions to shipping product(s), if applicable.

3-5
3.5 Bug Reporting
The tool user shall assess bug report information provided by the tool vendors and comply with
the recommendations and workarounds, if applicable.

After deployment of the application under development, bug report information shall also be
assessed by the tool user on a regular basis.

The tool user shall carry out corrective actions if deployed applications are affected by bugs in
the tools identified after deployment.

Issues with Polyspace Code Prover shall be reported.

Note You can use the bug reports section of the MathWorks web site
www.mathworks.com/support/bugreports to view and report bugs related to Polyspace
Code Prover.

Note You can use the IEC Certification Kit Model Advisor check Display bug reports for
Polyspace Code Prover to display bug report information for this product.

3-6
3.6 Deviation from the Reference Workflow
In some instances, deviation from the reference workflow explained in this document might
occur. In these cases, a defined deviation procedure shall be used to document and justify
deviations from the workflow.

3-7
3.7 Integration with the Software Safety Life Cycle
The application-specific verification and validation activities shall be integrated with the overall
software safety life cycle for the application under consideration.

The applicable safety standard provides additional guidance on additional objectives and
requirements for the overall software safety life cycle.

3-8
4 Workflow Overview
Table A. 1 Objectives, Prerequisites, and Work Products

Activity Objective Prerequisites Work Products

Code verification Prove the absence of • C source code (e.g. .c and • Raw code verification results with
certain classes of .h files) or C++ source (e.g. potential and systematic run-time
run-time errors in C .cpp and .hpp files) code to errors (.pscp files and dependent files)
or C++ source code be verified • Reviewed and commented code
• Data range specification verification results (.pscp files and
• Polyspace configuration dependent files)
and project information • Verified C or C++ source code
(.psprj and .ppm files)
• Procedures for corrective
action
Unreachable code Identify unreachable • C source code (e.g. .c and • Raw code analysis results with
analysis code branches in C .h files) or C++ source (e.g. unreachable code branches (.pscp
or C++ source code .cpp and .hpp files) code to files and dependent files)
be analyzed • Reviewed and commented code
• Data range specification analysis results (.pscp files and
• Polyspace configuration dependent files)
and project information • Analyzed C or C++ source code
(.psprj and .ppm files)
• Procedures for corrective
action
Call tree Analyze the calling • C source code (e.g. .c and • Call tree
computation relationships in C or .h files) or C++ source (e.g. <projectname>_Call_Tree
C++ source code .cpp and .hpp files) code to file (.html, .pdf, .rtf, .docx, or .xml)
be analyzed • Reviewed call tree
• Polyspace configuration <projectname>_Call_Tree
and project information file (.html, .pdf, .rtf, .docx, or .xml)
(.psprj and .ppm files) • Analyzed C or C++ source code
• Procedures for corrective
action
Global variable Analyze the usage of • C source code (e.g. .c and • Dictionary containing information
usage analysis global variables in C .h files) or C++ source (e.g. about global variables
or C++ source code .cpp and .hpp files) code to <projectname>_Variable_Vi
be analyzed ew file (.html, .pdf, .rtf, .docx, or
• Polyspace configuration .xml)
and project information • Reviewed dictionary
(.psprj and .ppm files) <projectname>_Variable_Vi
• Procedures for corrective ew file (.html, .pdf, .rtf, .docx, or
action .xml)
• Analyzed C or C++ source code

4-2
Activity Objective Prerequisites Work Products
Software quality Define, determine, • C source code (e.g. .c and • Software quality level for the
metrics reporting and report quality .h files) or C++ source (e.g. application
metrics for C or C++ .cpp and .hpp files) code to • Software quality objectives for each
source code based on be analyzed module
analysis / • Analysis / verification • Software quality metrics results
verification results results provided by displayed in Web Dashboard or
provided by Polyspace Bug Finder exported via Polyspace GUI (.html,
Polyspace Bug and / or Polyspace Code .pdf, .rtf, .docx, or .xml file)
Finder and/or Prover
Polyspace Code
Prover

4-3
4-4
5 Conformance Demonstration
Template

To justify that the requirements outlined in this document have been satisfied you must provide
evidence for the activities that have been carried out.

The IEC Certification Kit product provides an editable Conformance Demonstration Template that can
be used to demonstrate conformance with the parts of ISO 26262-6, IEC 61508-3, or EN 50128
covered in this document.

To access the conformance demonstration template, on the MATLAB® command line, type
certkitiec to open the Artifacts Explorer. The template is in Polyspace Code Prover > r2015a.

For each technique or measure:

 In the third column, state to what degree you applied the technique or measure for the
application under consideration by using one of the phrases Used, Used to a limited degree,
or Not used.
 In the fourth column, state how you used the technique or measure in the application under
consideration. If the reference workflow includes alternative means for compliance, indicate
what variant you used. In addition, enter a reference to the document (for example, test
report or review documentation) that satisfies the requirement.
5-2
6 References

[1] IEC 61508-3:2010. International Standard IEC 61508 Functional safety of electrical / electronic /
programmable electronic safety-related systems — Part 3: Software requirements. Second edition,
2010.

[2] ISO 26262-6:2011. Road vehicles — Functional safety — Part 6: Product development: software
level. International Standard, 2011.

[3] EN 50128:2011. Railway applications - Communication, signalling and processing systems -

Software for railway control and protection systems. International Standard 2011.

[4] The MathWorks. Software Quality Objectives for Source Code. Version 3.0, 2012.