Survey of Modelling Formalisms for MISRA-C:1998 Software Architecture Modelling

Degree Project in Embedded Systems, 120 credits, Second Cycle
Stockholm, Sweden 2016

Survey of Modelling Formalisms for MISRA-C:1998 Software Architecture Modelling

JOAKIM GUSTAVSSON

KTH Royal Institute of Technology
School of Industrial Engineering and Management

Master's Thesis at ITM
Supervisor: Jonas Westman
Examiner: De-Jiu Chen
TRITA MMK 2016:08 MES 011

Abstract

The complexity of electrical and electronic automotive systems has increased steadily over the previous decades, with modern vehicles containing as many as 50-70 Electronic Control Units and several CAN communication networks. In order to address the increasing complexity of these safety-critical embedded systems, safety standards such as ISO 26262 are making their way to the market, posing strong restrictions on the development process of automotive systems in order to ensure safety. With current automotive actors possessing large existing source code bases for their ECUs, primarily written in the C programming language, the demands posed on software architectural models by ISO 26262 are proving to be a challenge to meet, given the difficulties of modelling low-level languages such as C.

This thesis aims to survey currently existing modelling formalisms with regard to their ability to model automotive embedded C source code in a way that facilitates ISO 26262 compliance. A delimitation is made to the use of the MISRA-C:1998 subset of the C programming language, a safer subset commonly used in the automotive industry. A short ontology is proposed, coupled with a metric for evaluating the completeness of a modelling formalism. Requirements are posed on suitable modelling formalisms, and AADL, Lustre, SysML and Promela are identified as promising candidates for modelling embedded C code. Semantic constructions present in the C language are identified, and a mapping between these constructions and semantic constructions present in the selected modelling formalisms is made and analyzed using the proposed completeness evaluation framework. Architectural Description Languages (ADLs), such as AADL, are identified as the most promising with regard to modelling embedded C code. Control Flow Graphs are identified as a promising augmentation to ADLs in order to deal with their lack of control flow semantics.

Referat (Swedish summary)

Survey of Modelling Formalisms for Modelling MISRA-C:1998 Architectures

The complexity of the electrical systems found in modern vehicles has increased steadily over recent decades, with modern vehicles containing as many as 50-70 electronic control units and several CAN networks for communication between them. In order to handle the increased complexity of these safety-critical embedded systems, safety standards such as ISO 26262 have begun to make themselves known on the market. This standard places strict requirements on the development process for embedded systems in order to substantiate their safety. Since most actors in the automotive industry already possess large amounts of source code for the control units they use, often written in the low-level programming language C, the increased requirements posed by ISO 26262 have proven difficult to meet. This report aims to survey modelling formalisms available on the market and to evaluate their potential for modelling embedded C source code in a way that facilitates meeting the requirements set by ISO 26262. A delimitation is made to the subset of C specified by the MISRA-C:1998 standard, a standard commonly used in the automotive industry to facilitate the development of safe source code. A short ontology is presented together with a framework for evaluating the completeness of a modelling formalism. A number of requirements are placed on the modelling formalisms to be evaluated, and AADL, Lustre, SysML and Promela are identified as promising formalisms for modelling C source code. Semantic elements in C are identified, and a mapping between these elements and elements in the identified modelling formalisms is carried out and evaluated according to the previously proposed framework. Architectural Description Languages (ADLs), such as AADL, are identified as promising for modelling C source code. Control flow graphs are identified as promising for handling the weakness ADLs have regarding the modelling of control flow.

Acknowledgements

First and foremost I would like to thank my thesis supervisor Jonas Westman, who throughout the course of the thesis project always showed a great interest in my research, and was always there to come with feedback, suggestions or interesting discussions, which served as inspiration for the direction of the work. Without him this thesis would never have been written.

I would also like to thank Maxim Olifer, who was always there to help out when I got stuck, and whose active engagement in lunch discussions regarding modelling helped shape the direction of the research. His work on automatic parsing of C code served as a strong inspiration for my own work.

I would like to thank the people at the RESA department at Scania, especially Mattias Nyberg and Anton Einarson, who were always there with insight into "the Scania way", and could provide valuable insights that could not be found in documentation. I would also like to give my thanks to the other Master Thesis workers at RESA who kept me motivated by bringing me along to lunch and coffee breaks, where I could clear my mind and engage in interesting discussions.

I would like to thank Associate Professor De-Jiu Chen for offering to be the examiner for this thesis. Without him stepping up when everyone else was busy, I would never have been able to start the work in the first place.

I would like to extend my thanks to Lars-Ivar Nero and Anita Sehlin, two of the most inspirational teachers I have had the honor of studying under, and without whom I would likely never have pursued Master's level studies in the first place.

Lastly I would like to thank my family, who have always been there with support when I was feeling down or stressed. They helped keep my spirits high so that I could eventually finish my research.

Contents

1 Introduction .......................................... 1
1.1 Subject and Purpose .................................. 1
1.2 Delimitations ........................................ 3
1.3 Disposition .......................................... 3
2 Background ............................................ 5
2.1 Modelling ............................................ 5
2.1.1 Model-Driven Engineering .......................... 6
2.1.2 Modelling Formalism Families ...................... 7
2.1.3 Reverse Engineering ............................... 9
2.2 Functional Safety Standards .......................... 10
2.2.1 IEC 61508 ........................................ 10
2.2.2 ISO 26262 ........................................ 11
2.3 The C Programming Language ........................... 14
2.3.1 ANSI-C ........................................... 14
2.3.2 Usage in Embedded Systems Development ............ 14
2.3.3 MISRA-C:1998 ..................................... 15
2.3.4 Modelling the C Language ......................... 15
2.4 Introduction to Scania ............................... 17
2.5 Related Work ......................................... 17
3 The Scania Software Architecture ...................... 21
3.1 The Layer Model ...................................... 21
3.2 Code Organization .................................... 21
3.3 Communication Channels ............................... 24
3.3.1 CAN .............................................. 24
3.3.2 RTDB ............................................. 25
3.3.3 Sensors .......................................... 25
4 Method and Evaluation Framework ....................... 27
4.1 Accurately Representing Software Architectures ...... 27
4.2 The Concept of Model Views ........................... 29
4.3 Extending Model Completeness ......................... 30
4.4 A Framework for Evaluating Expressiveness ............ 30
4.4.1 Constructions in C ............................... 31
4.5 Requirements on Modelling Formalisms ................. 31
4.6 Method of Evaluation ................................. 32
4.6.1 Modelling code or modelling behaviour? ........... 34
4.7 Weaknesses of Method ................................. 35
5 Coverage Analysis ..................................... 39
5.1 C Construction Categories ............................ 39
5.1.1 Data Storage ..................................... 40
5.1.2 Data Flow ........................................ 44
5.1.3 Control Flow ..................................... 45
5.1.4 Code Structure ................................... 47
5.1.5 Program Behaviour ................................ 48
5.2 Modelling Formalisms ................................. 51
5.2.1 Evaluated Formalisms ............................. 51
5.2.2 Rejected Formalisms .............................. 52
5.3 Coverage ............................................. 53
5.3.1 Fulfilment: Data Storage ......................... 53
5.3.2 Fulfilment: Data Flow ............................ 68
5.3.3 Fulfilment: Control Flow ......................... 74
5.3.4 Fulfilment: Code Structure ....................... 84
5.3.5 Fulfilment: Program Behaviour .................... 88
5.4 Coverage Summary ..................................... 93
6 Discussion ............................................ 99
6.1 Formalism Coverage ................................... 99
6.1.1 Data Storage ..................................... 99
6.1.2 Data Flow ........................................ 100
6.1.3 Control Flow ..................................... 101
6.1.4 Code Structure ................................... 101
6.1.5 Program Behaviour ................................ 102
6.2 Augmenting Formalisms ................................ 102
6.3 Automatic Model Generation ........................... 104
6.4 Validation ........................................... 104
6.5 Future Work .......................................... 106
Bibliography ............................................ 107
Appendices .............................................. 112
A Modelling Formalism Requirements ...................... 113
B Fulfilment: Data Storage .............................. 117
C Fulfilment: Data Flow ................................. 127
D Fulfilment: Control Flow .............................. 131
E Fulfilment: Code Structure ............................ 137
F Fulfilment: Program Behaviour ......................... 141
G AADL Examples ......................................... 147
H Promela Examples ...................................... 173
I Lustre Examples ....................................... 185
J SysML Examples