Delivering error-free code


Traditionally, automotive software developers have had doubts about achieving 100% verification, validation, and compliance activity coverage.


This scepticism has been driven by the escalating intricacies of vehicle systems, marked by distributed architectures, connectivity demands, virtualisation, and other imperatives that strain testing capabilities and the ability to adhere to standards such as ISO 26262 and ISO 21434.

Yet recent advances in academic research and in available computing power have overturned these preconceptions by demonstrating that 100% code and input coverage is achievable, which is a significant advantage for teams working on safety- and security-critical designs.

Static and dynamic testing have helped automotive manufacturers tackle testing and certification. Formal methods, the branch of computer science that applies rigorous mathematical techniques to prove properties of a design or implementation, take this further: instead of sampling behaviour with individual test cases, they establish that a property holds for every input in the analysed scope, which is what a guarantee of safety, security, and reliability for automotive software actually requires.

For vehicle electronics, Exhaustive Static Analysis tools package the capabilities of formal methods so that they fit into the testing and compliance procedures automotive teams already run. They offer advantages that conventional testing and pattern-based static analysis cannot match.

For example, Exhaustive Static Analysis tools deliver:

• Application coverage of up to 100%: every function, statement, path, decision, and condition in the analysed code.

• Input coverage of up to 100%: every value each input can take within the defined testing scope, not only the values a test author thought of.

• Mathematical soundness, meaning zero false negatives: within the analysed scope and for the properties the tool checks, an absence of reported problems means the code is free of them. The number of false positives is kept low, which saves developers from chasing non-issues; any alarm the tool does raise still has to be dispatched as a real bug or a proven-safe case before the "no errors" claim holds.

• Robust support for ISO 26262 certification.

Exhaustive Static Analysis changes what test coverage means. A conventional "best-effort" test executes one concrete path through the code per run, so covering every branch means writing and maintaining one test case per path. Exhaustive Static Analysis explores all branches at once, reasoning about sets of input values rather than single values, which is how it reaches 100% code and input coverage and why it substantially reduces testing time and, therefore, costs.

Improving testing accuracy

Exhaustive Static Analysis tools that take existing vehicle computing hardware into account during testing improve the software test’s accuracy and efficiency. Differences in compiler implementations, hardware architectures, and memory alignment between platforms can lead to drastically different code behaviours. For example:

• On 64-bit targets that use the LP64 data model (Linux and most other Unix-like systems), long is 64 bits and int is 32 bits; on LLP64 targets (Windows x64), long remains 32 bits.

• On 32-bit targets, both long and int are typically 32 bits.

These implementation characteristics influence test design, as shown in this code sample:

long double_that(int i) {
   /* Signed overflow (undefined behaviour) when long is 32 bits and
      i > 0x3FFFFFFF; well defined when long is 64 bits. */
   return (long)i * 2;
}

int main(void) {
   (void)double_that(0x7FFFFFF0); /* 2 * 0x7FFFFFF0 does not fit in 32 bits */
   return 0;
}

Tests or static analysis methods that are unaware of the underlying implementation cannot tell whether the call triggers a signed integer overflow, which is undefined behaviour in C, because 2 * 0x7FFFFFF0 does not fit in a 32-bit long, or whether it is well-defined behaviour because long is 64 bits on the target.
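To make the platform dependence concrete, here is an added example, not code from the article or from TrustInSoft: the same doubling written so that the product is range-checked against the target's real LONG_MAX and LONG_MIN before it is computed, plus a helper that reports whether the doubling fits in long on the platform it is compiled for. The function names are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the article. Same arithmetic as double_that,
 * but the result is range-checked against the target's own LONG_MAX and
 * LONG_MIN before it is computed, so no signed overflow (undefined
 * behaviour) is ever executed. Returns true and stores the result in *out
 * when 2*i is representable as long, false (leaving *out untouched) when
 * it is not. */
bool double_that_checked(int i, long *out)
{
    long v = (long)i;               /* widening int to long is always safe */
    if (v > LONG_MAX / 2 || v < LONG_MIN / 2) {
        return false;               /* 2*v would overflow on this target */
    }
    *out = v * 2;
    return true;
}

/* Whether doubling i fits in long on the platform this is compiled for.
 * For 0x7FFFFFF0 the answer differs between a 32-bit long (overflow) and
 * a 64-bit long (fine): that is the target property a hardware-unaware
 * analyser cannot decide. */
bool doubling_fits_in_long(int i)
{
    long scratch;
    return double_that_checked(i, &scratch);
}

int main(void)
{
    long r;
    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    if (double_that_checked(0x7FFFFFF0, &r)) {
        printf("2 * 0x7FFFFFF0 = %ld: fits in long on this target\n", r);
    } else {
        printf("2 * 0x7FFFFFF0 overflows long on this target\n");
    }
    return 0;
}
```

Compiled with -m32 and -m64 on the same x86 host the program prints different answers for the same source, which is exactly why an analyser has to be told the target's data model rather than assume the host's.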

Hardware-aware Exhaustive Static Analysis balances 100% coverage against the minimum number of (generalised) test cases needed to achieve it, and brings practical benefits:

• tests can be run without a physical target connected to the host;

• target-specific tests can be run before the physical hardware is available;

• test capacity increases and costs decrease, because not every developer needs physical hardware.

It can be extremely difficult to achieve validation for Advanced Driver Assistance Systems (ADAS) and autonomous vehicles, covering every potential test case and operating scenario. That is because certain situations present unacceptable dangers when executed in real-world settings, and simulations alone do not comprehensively identify safety and security vulnerabilities.

Certain ADAS providers are now taking an unconventional approach by going beyond established testing procedures and methodologies, using Exhaustive Static Analysis to guarantee the safety, dependability, and security of their autonomous driving software platform.

One challenge lies in validating that an ADAS software platform's response to the vehicle's position and its surroundings, including all objects around it (referred to as "living beings"), never triggers undefined behaviour that could compromise user safety or security.

By applying formal methods, however, test inputs can be generalised so that every instance of undefined behaviour in the code, from buffer overflows to reads of uninitialised variables and division by zero, is identified without risk to life or property.
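As an added example of the difference between sampling inputs and covering them (constructed here; not code from the article or from any ADAS supplier), the lookup below indexes a small table of obstacle distances by a quantised bearing. The unchecked version is fine for the bearings a hand-written test suite would typically use and undefined for the ones it would not; the hardened version normalises every possible int; and the scan helper shows, by brute force over a small range, what "input coverage" means. The table contents and all names are invented for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed data: nearest obstacle distance (cm) per 45-degree sector.
 * Values are invented for the example. */
#define SECTORS 8
#define SECTOR_DEG (360 / SECTORS)
static const uint16_t distance_cm[SECTORS] = {
    900, 850, 120, 60, 75, 400, 650, 880
};

/* Vulnerable version. Tests that feed bearings 0..359 pass every time.
 * A sensor glitch producing 360, or any value <= -45, computes an index
 * outside distance_cm and reads out of bounds: undefined behaviour. */
uint16_t nearest_distance_unchecked(int bearing_deg)
{
    int sector = bearing_deg / SECTOR_DEG;   /* 0..7 only for 0..359 */
    return distance_cm[sector];
}

/* Hardened version. The bearing is reduced into [0, 360) first, so every
 * int, INT_MIN included, maps to a valid sector (x % 360 is defined for
 * all int x; only division by zero and INT_MIN / -1 are undefined). */
uint16_t nearest_distance_checked(int bearing_deg)
{
    int norm = bearing_deg % 360;
    if (norm < 0) {
        norm += 360;
    }
    return distance_cm[norm / SECTOR_DEG];
}

/* True when the unchecked version would index inside the table for this
 * bearing, computed without performing the access. */
bool unchecked_index_is_valid(int bearing_deg)
{
    int sector = bearing_deg / SECTOR_DEG;
    return sector >= 0 && sector < SECTORS;
}

/* Brute-force "input coverage" over [lo, hi]: stores the first bearing for
 * which the unchecked lookup is undefined in *out and returns true, or
 * returns false if every bearing in the range is safe. Over the full int
 * range this enumeration is what an exhaustive analyser replaces with
 * symbolic reasoning; over a small range it is enough to expose the edge. */
bool first_unsafe_bearing(int lo, int hi, int *out)
{
    for (long long b = lo; b <= hi; b++) {   /* long long: no wrap at INT_MAX */
        if (!unchecked_index_is_valid((int)b)) {
            *out = (int)b;
            return true;
        }
    }
    return false;
}

int main(void)
{
    int b;
    if (first_unsafe_bearing(0, 359, &b)) {
        printf("unexpected: unsafe bearing %d inside 0..359\n", b);
    }
    if (first_unsafe_bearing(-1000, 1000, &b)) {
        printf("first unsafe bearing in -1000..1000: %d\n", b);
    }
    printf("checked lookup at -1 deg: %u cm\n", nearest_distance_checked(-1));
    return 0;
}
```

A test suite that only exercises 0..359 never calls nearest_distance_unchecked with 360 or -45, so it never sees the out-of-bounds read; a tool that reasons over the whole int domain reports it from the index expression alone.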

Facilitating ISO 26262

It is vital that automotive software developers are not tethered to outdated testing methodologies. By using the rigorous, independent scrutiny, verification, and evaluation provided by TrustInSoft tools like TrustInSoft Analyzer, manufacturers can redirect their efforts from compliance tasks toward maximising value to their customers in other ways.

It is also important that these tools are usable in the state-of-the-art development processes of the automotive sector, which adopt the ISO 26262 standard. To this end, TrustInSoft Analyzer has been certified by TÜV SÜD as a suitable exhaustive static analyser for safety-related software development according to ISO 26262 at any Automotive Safety Integrity Level (ASIL A to ASIL D).

There are, however, several points that users of Exhaustive Static Analysis need to be aware of.

Firstly, development cycles that use Exhaustive Static Analysis benefit from a qualified tool, which provides a far more thorough and efficient route through what has traditionally been a strenuous certification process.

Secondly, the certification workload can be shortened significantly thanks to the reduction in testing iterations that advanced target emulation provides, and to the tool's zero false negatives and, within the analysed scope, few or no false positives.

Finally, being proactive with Exhaustive Static Analysis today will significantly reduce the likelihood of software bugs and vulnerabilities in the field later on, further improving the overall reliability and security of automotive software systems.

That means automotive standards can be met more efficiently, with fewer iterations, by moving virtual target emulation and bug detection earlier in the development cycle.

TrustInSoft continues to grow in parallel with the automotive sector, and the company’s goal is to integrate deeper into early validation and verification processes by working with other tool providers to jointly adapt to emerging automotive environments such as those in the AUTomotive Open System ARchitecture (AUTOSAR) development partnership.

The future of the company and its tool is firmly grounded in formal methods applied through exhaustive static analysis, which provides unmatched depth and mathematical precision while retaining the highest degree of usability.

Author details: Benoît Jubin, Product Owner at TrustInSoft