BCSF
BCSF
BCSF
of Simulink Models
with Reactis
RSITR 1.11
October 19, 2013
www.reactive-systems.com
Contents
1 Introduction 1
2 An Overview of Reactis 2
2.1 Reactis Tester . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Reactis Simulator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Reactis Validator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6 Conclusions 12
1. Introduction
Reactis helps engineers build better software faster by automating many
verification and validation tasks in a model-based design process.
Over the past decade, many engineering organizations have deployed model-based design to address
the exploding complexity of embedded control software. In model-based design, executable visual
models of embedded control software are developed in advance of system implementation. The models
may be used to drive the development of control software, and may also serve as a basis for software and
system testing. One benefit of model-based design is that it allows engineers to begin debugging and
validation activities at design time, when the cost of detecting and dealing with design defects is much
smaller than at the software and system implementation level. Another is that models may be used as a
baseline for assessing implementation behavior during system testing and validation. For these reasons,
judicious use of modeling can lead to quite dramatic over-all reductions in the cost of control-system
development, especially when robust tool support is available.
The Reactis tool suite of Reactive Systems, Inc., substantially enhances the gains organizations
realize from model-based design by automating many testing and validation activities. Reactis works
with models implemented in the Simulink/Stateflow notation offered by MathWorks. Using Reactis,
engineers may:
• generate tests from a model that thoroughly exercise the model (structural testing);
• find runtime errors (e.g. overflow errors, divide-by-zero errors) in a model;
• execute the model and track coverage (e.g. MC/DC);
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 1
• perform functional tests to check whether or not a model can violate its requirements;
• use a Reactis test suite as an oracle to check whether code conforms to a model.
Reactis also includes an array of sophisticated model debug features (e.g. breakpoints, scopes,
reverse execution). In this paper, we discuss how Reactis and model-based design may be used to
automate different verification and validation activities in your software quality assurance process. In
particular, we show how the tool may be used to develop more robust models, how it can streamline
software and system testing, and how it may be used to support the reverse-engineering of models from
legacy code.
2. An Overview of Reactis
A model-based design environment involving Reactis, Simulink and Stateflow is depicted in Figure 1.
Reactis contains three core components: Tester, which provides automated test generation from models;
Simulator, which enables you to visualize model execution to debug models and track coverage; and
Validator, which offers automated checks of Simulink models for violations of user-specified require-
ments. The remainder of this section describes these components in more detail.
Figure 1: Reactis is used in a model-based design process using Simulink/Stateflow models. Reactis is
a standalone application that reads the .mdl/.slx files produced by the MathWorks environment.
Model testing and debugging. The tests may be run on the models themselves to detect runtime errors
and to study and revise model behavior.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 2
Regression testing of models. The tests may be run on a new versions of models to flag differing
behaviors in new versions.
Reverse engineering of models from source. Tests may be generated from models derived from legacy
code in order to check conformance between model and legacy code.
Reactis Tester enables engineers to maximize the effectiveness of testing while reducing the time actu-
ally spent on testing.
Figure 2: Reactis Tester automatically generates comprehensive yet compact test suites.
Simulink-specific: Conditional subsystems. Branches of the following blocks: Dead Zone, Logical
Operator, MinMax, Multiport Switch, Relational Operator, Saturation, Switch. Lookup tables.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 3
Figure 3: Structure of a Reactis-generated test.
Stateflow-specific: States. Condition actions. Transition actions. Child State Exit via Parent Transition
(CSEPT).
Generic: Decisions from logic blocks in Simulink, transition segments in Stateflow, or in C code a
boolean-valued expression used to determine which execution path to follow. Conditions (the
atomic predicates that are the building blocks of decisions). Modified Condition/Decision Cover-
age (MC/DC) targets. Multiple Condition Coverage (MCC) targets. Boundary Values of top-level
inputs.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 4
enables the early detection of design errors and inconsistencies and reduces the effort required for design
reviews. Some checks that may be performed with Validator include the following.
• Will a plane’s thrust reversers ever engage when the aircraft is airborne?
A primary benefit of model-based design is that it allows the detection and correction of system-
design defects at design (i.e. modeling) time, when they are much less expensive and time consuming
to correct, rather than at system-implementation and testing time. Moreover, with proper tool support,
the probability of detecting defects at the model level can be significantly increased. In this section,
we elaborate on the advanced model-validation capabilities of Reactis that help engineers build better
models.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 5
Figure 4: Debugging Simulink models with Reactis Tester and Reactis Simulator
As depicted, input values come from Test 6 of a Tester-generated test suite. The other model-
debugging facilities illustrated in the figure are as follows.
• You may take forward or reverse execution steps when simulating model behavior.
• You may dynamically open scopes to view the values of Stateflow variables or Simulink blocks
and signals. An example scope, depicting how the value of Stateflow variable mode varies over
time, is shown. This scope was opened by right-clicking on the mode variable in the diagram
panel and selecting “Open Scope.”
• You may query the current value of any Simulink block or signal, Stateflow variable, or C variable
by hovering over it with the mouse.
• You may set execution breakpoints. In the example, a breakpoint has been set in state Active.
Therefore, model execution will be suspended when control reaches this state during simulation,
allowing the user to carefully examine the model before continuing simulation. Simulation may
be resumed in any input mode, i.e. reading inputs from the test, generating them randomly, or
querying the user for them.
• As shown in the execution snapshot, the current simulation state of the model is highlighted in
green and portions of the model that have not yet been exercised during simulation are highlighted
in red for easy recognition.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 6
Figure 5: Reactis Simulator offers an advanced debug environment for Simulink models.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 7
Figure 6: Reactis Validator automates functional testing.
be included in the model’s hierarchy tree, just as library links are in a model. Note that the diagram
objectives are stored in a separate library and the .mdl/.slx file containing the controller model remains
unchanged.
Because of its sophisticated model-debugging capabilities, the Reactis tool suite provides signif-
icant added value to the MathWorks Simulink/Stateflow modeling environment. The great virtue of
model-level debugging is that it enables engineers to debug a software design before any source code is
generated. The earlier logic errors are detected, the less costly they are to fix.
The benefits of model debugging and validation have been discussed above. A question that im-
mediately presents itself is: How can the effort expended on these activities be “reused” to support the
testing of system implementations? This is the question addressed in this section.
1. For each test in the suite, execute the software using the input values contained in the test.
2. Compare the output values produced by the software with those stored in the test.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 8
This methodology is referred to as model-based software testing or back-to-back testing. Its key
advantage is that the model serves as an “oracle” for testing purposes: the outputs produced by the
model can be used as a basis for assessing those generated by the software. If the software does not
agree with the model, then the developer can assume that the problem lies within the source code.
The net effect of model-based testing with Reactis is better-quality software at a lower cost. Because
good test data is generated and run automatically, less engineer time is required to create and run tests.
Because the tests are thorough, the probability of finding bugs is maximized. Because the test suites are
compact they may be run quickly. In sum, Reactis dramatically reduces the costs of testing embedded
control software.
Figure 7 illustrates how the Reactis tool suite can provide advanced model-based testing of source
code. As the figure indicates, the model-based testing protocol supported by Reactis is as follows:
1. The developer provides as input to Reactis a .mdl/.slx file representing the validated Simulink/Stateflow
model of the system under development.
2. Reactis Tester is used to automatically generate a test suite that thoroughly exercises the given
model according to the various coverage metrics supported by Reactis.
3. The developer may deploy Reactis Simulator to visualize test execution and to fine tune the tests
in the test suite to further improve model coverage.
4. The test suite and the software implementing the model are fed as inputs into a test harness to
automate the source-code testing process.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 9
5. By comparing the outputs produced by the software against the model-generated outputs (stored
in the test), deviations in the behavior of the source code from the model are readily detectable
and help the developer ensure that the source code conforms to the model.
6. Testing concludes when the source code passes all the tests in the test suite.
1. The Simulink / Stateflow modeling environment is used to draft a model of the legacy code.
2. The resulting .mdl/.slx file is fed into Reactis Tester which then automatically generates a test
suite from the model. The result is an .rst file (a Reactis test-suite file). The generated test suite
thoroughly exercises the draft model according to various coverage metrics. Example coverage
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 10
Figure 8: Reverse engineering models from legacy code using Reactis.
metrics include Stateflow state and transition coverage, Simulink branch coverage, and MC/DC
coverage. Tester also eliminates redundancy in the test suite it generates in order to eliminate
unnecessary test steps.
3. Reactis Simulator may then be used to visualize the execution of the tests produced by Reactis
Tester, and also to fine-tune the test suite to further improve model coverage.
4. The test suite is exported as a CSV file and given as input to a test harness to automate the process
of applying the tests to the legacy code.
5. By comparing the outputs produced by the software and the model on the tests in the test suite,
deviations in the behavior of the model from the legacy code are readily detectable and can be
used to guide the user in refining the model to ensure that it faithfully captures the behavior of
the legacy system.
6. Reverse engineering of the model concludes when the code passes all tests generated from the
model.
The beauty of having a model to go along with a legacy system is that the model serves as a formal
and executable specification of the code, thereby easing the tasks of code maintenance, documentation,
and evolution.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 11
6. Conclusions
In this paper we have described several ways that the Reactis tool suite provides significant added value
to the market-leading MathWorks Simulink/Stateflow modeling environment. Through its sophisticated
model-debugging capabilities, Reactis enables engineers to debug a software design before system im-
plementation is undertaken. The earlier design errors are detected, the less costly they are to fix, so
better model debugging can reduce overall software costs. We also discussed how the comprehensive
yet compact test suites produced by Reactis can dramatically reduce the costs of checking for confor-
mance between a model and system and of reverse-engineering a model from existing control software.
By automating tasks that currently require significant manual effort, Reactis cuts development costs.
By enabling more thorough testing and validation to be undertaken, it also enables errors to be detected
and fixed before systems are fielded and therefore cuts recall and liability costs.
Reactis is available now from Reactive Systems, Inc. Please see the Company’s web site at www.reactive-
systems.com for ordering information and for instructions on how to download a free 30-day evaluation
copy of the software.
Copyright
c 2002-2013 Reactive Systems, Inc. All rights reserved. 12