Hardware-software covalidation involves the cosimulation of a system description with a functional test sequence. Functional test generation is heavily dependent on manual interaction, making it a time-consuming and expensive process. We present an automatic test generation technique to detect design errors in hardware-software systems. The design errors targeted are those caused by incorrect synchronization between concurrent tasks/processes, whose detection is dependent on event timing. We formulate the test generation problem as a non-linear program on integer variables and use a public-domain finite-domain solver to solve it. We present the formulation and show the results of test generation for a number of potential design errors.
Introduction
Hardware-software systems are pervasive in the electronics systems industry. The widespread use of these systems in cost-critical and life-critical applications motivates the need for a systematic approach to verify functionality. Several obstacles to the verification of hardware-software systems make this a challenging problem. To manage the complexity of the problem, covalidation techniques in which functionality is verified by simulating (or emulating) a system description with a given test input sequence are being considered.
Hardware-software systems are built from separate components which are not globally synchronized. 
Test Generation Process
The goal of test pattern generation is to identify a timed test sequence of input patterns which will cause the detection conditions of a given timing fault to be satisfied. Figure 1 depicts our test generation process for hardware-software systems. The input of test generation is a system under test described as a network of Codesign Finite State Machines (CFSMs). The Computation Constraints Generator (CCG) is the program which generates a set of computation constraints that describes the behavior of the system under test. To enforce the fault detection conditions, Fault Detection Constraints are added to the computation constraints to generate the Automatic Test Pattern Generation (ATPG) constraints. If a given timing fault can be detected, a test sequence will be identified after solving the ATPG constraints using the public-domain G-Prolog solver [6].
Synchronization/Timing Fault Model
A synchronization error occurs when a signal has the incorrect value at the time when the signal's value is being used by a process. Synchronization errors can be the result of timing problems at the communication interface between processes. If a signal's value is assigned either earlier or later than expected, it is possible that a process which uses the value will receive an unexpected value. In previous work Figure 2. The system contains 3 CFSMs, one representing the highway signal, one representing the road signal, and one representing a timer used to control the lights.
Each edge in the CFSMs is labeled cause → reaction, unless the edge does not involve a reaction, in which case only the cause is shown. The highway signal remains green by default. Occasionally, cars from the country road arrive at the traffic signal. The traffic signal for the country road turns green only long enough to let the cars on the country road pass. As soon as there are no cars on the country road, its traffic light turns yellow and then red, and the traffic signal on the highway turns green again. A sensor is used to detect cars waiting on the country road.
Synchronization Errors in CFSMs
In order to apply the proposed fault model to CFSMs, we must identify definition and use statements in a CFSM. Signal definitions exist at each reaction associated with an edge, because the reactions assign values to signals. Signal uses are the causes of each edge, because the value of a signal causing a transition must be detected. By this definition, a definition-use pair maps to a pair of edges in the CFSM network: one edge includes the definition as one of its reactions, and the other edge includes the use as one of its causes.
An MTE fault may occur on either a value signal or a trigger signal. An example of an MTE fault on a trigger signal can be seen in Figure 2. The *short signal is expected while the HIGHWAY CFSM is in the yellow (Y) state. If there is an MTE early fault on the *short signal causing it to be asserted while the HIGHWAY is in the green (G) state, then the system will deadlock when the HIGHWAY light enters the yellow state.
Detection of Synchronization/Timing Faults
The timing fault associated with a signal is detected only if there is a use of the signal inside the error span of the fault. The error span extends from the erroneous time step to the correct time step. Unfortunately, the precise position of the error span is not known, since simulation of the faulty circuit reveals only the erroneous time step. It is clear, however, that the error span must extend, either forward or backward in time, from the erroneous time step. In order to ensure that a use occurrence is within the error span of a fault, the use occurrence must be "close" to the corresponding definition occurrence in time. If the definition and use are close in time, then a small error in timing will cause the definition and use to be reordered and cause the fault to be detected. This detection criterion is different for a fault on a trigger signal, because the use will move in time with the definition which triggers it. In the system of Figure 2, the assertion of the *short signal can move in time as long as it occurs while the HIGHWAY CFSM is in the yellow state. For this reason, the detection of MTE faults on trigger signals requires that the definition occur when the using CFSM is in an incorrect state. For example, an MTE early fault on the *short signal in Figure 2 is detected if the definition occurs when HIGHWAY is in the green state rather than the yellow state.
Problem Formulation
The test generation problem is described as a set of constraints on the set of variables which represent the computation of the CFSM network. We first describe the set of variables which represent a computation, and we then describe the set of constraints on those variables which ensure fault detection.
Computation Variables
Each feasible computation of a CFSM network is represented by the values of a set of integer variables. The variables used to represent a computation are divided into three categories. Each time step is represented using a distinct set of variables, so each variable describes some aspect of a computation at one time step. 
Signal Variables - These variables collectively contain the values of all signals at a given time step. Each signal variable is referred to as TV_{p,t}, where p refers to a signal in the system and t refers to a time step. The domain of a signal variable is the same as the domain of the signal which it represents. Note that the domains of all trigger signals are binary.
Computation Constraints
In this section we define all of the constraints required to ensure that the solution generated correctly satisfies the execution semantics of CFSMs. Constraint equations are all implications of the following form: antecedent → consequent, where the antecedent is the assignment of a variable to a value and the consequent describes the set of variable assignments which must be asserted to satisfy the semantics of CFSMs. The constraints are divided into three categories based on the type of signal in the antecedent.
State Constraints - These equations describe the conditions which allow a CFSM to be in a state at a given time step. A CFSM can be in state s at time t if one of the following statements is true.
(a) The CFSM is in state s at time t-1 and the CFSM does not traverse an edge at time t-1.
(b) The CFSM is in a state sp at time t-1 and an edge from state sp to s is traversed at time t-1.
The equations which express these constraints are produced using the algorithm in Figure 3. In Figure 3 the resulting constraints are referred to as stateconstr_{c,s,t}, where c refers to a CFSM, s refers to a state in that CFSM, and t refers to a time step. In the algorithm, CFSM represents the set of all CFSMs, TMAX is the maximum time step, and InEdge_s is the set of all edges which enter state s.
Edge Constraints - These equations describe the conditions which allow an edge in a CFSM to be traversed at a given time step. A CFSM will traverse an edge e in that CFSM if all of the following statements are true.
The equations which express these constraints are produced using the algorithm in Figure 4. In Figure 4 the resulting constraints are referred to as edgeconstr_{c,e,t}, where c refers to a CFSM, e refers to an edge in that CFSM, and t refers to a time step. When considering the trigger conditions for an edge we refer to a trigger pair (p, v), where p is a signal and v is a value to which signal p must be assigned to trigger the edge. We use p_t to refer to the variable which describes the value of signal p at time t. Each edge e is associated with its predecessor state sp and a set of trigger pairs T_e, all of which must be satisfied to trigger the edge. The process of creating the edgeconstr related to edge e in CFSM c at time t is described on lines 3-11 in Figure 4. Lines 7-9 ensure that all the causes related to edge e are satisfied. Lines 12-17 describe the condition when no edge in the CFSM c is triggered at time t.
Signal Constraints - These equations describe the conditions which allow a signal to have a given value at a given time step. First we describe the trigger signal constraints. A trigger signal in CFSM c will have a value of 1 at time t (represented by tsigconstr_{g,t,1}) only if at least one edge e which emits the trigger signal is traversed at time t-δ, where δ is the delay of the edge. A trigger signal having a value of 0 at time t (represented by tsigconstr_{g,t,0}) implies that none of these edges is traversed at time t-δ, and is formulated as ∏(EV_{c,t-δ} ≠ e) over those edges. The equations which express these constraints are produced using the algorithm in Figure 5. In Figure 5 the resulting constraints are referred to as tsigconstr_{g,t}, where g refers to a trigger signal and t refers to a time step. TSIG refers to the set of all trigger signals, and g_t refers to the variable representing the value of a trigger signal g at time t. We refer to the set of edges which
A value signal will keep its previous value until an edge e which emits the value signal with a different value is traversed. The equations which express these constraints are produced using the algorithm in Figure 6. In the algorithm, VSIG represents the set of all value signals, V_l represents the set of values for value signal l, ED_l is the set of edges which emit value signal l, and EON_{l,v} is the set of edges which emit value signal l with any value other than v. Two conditions will set the value of the signal l to v at time t. First, at least one of the edges emitting the signal with value v is traversed at time t, which is described in lines 5-9 of Figure 6. The other condition is that the signal is already set to v at time t-1 AND none of the edges emitting it with other values is triggered at time t-δ. This is described in lines 10-14 of Figure 6.
Fault Detection Constraints
Additional constraints are required to ensure that the solution generated detects a particular fault. The fault criteria expressed earlier are directly expressed as constraints on the variables associated with the signal involved in a fault. For trigger signals, fault detection is accomplished by forcing a signal definition associated with a fault to occur while the using machine is in the incorrect state. For example, to detect the MTE early fault on the *short signal in Figure 2, the *short signal must be asserted while the HIGHWAY is in the green state. This is accomplished by adding the following constraints.
Figure 2 presents the network of CFSMs describing a controller for traffic at the intersection of a highway and a country road. Under normal conditions, signal *short should be triggered when the highway traffic light is yellow. If there is an MTE early fault in the system that triggers the *short signal when the highway traffic light is still green, then the highway traffic light will be stuck at yellow and the system will halt. Table 1 shows the results of test generation for this fault. Each signal is assigned a value at each time step. Each row describes a state or signal in the system, and each column shows the value of that state or signal at each time step. The ATPG tool required 190 ms to produce the result.
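The following is an added example, not code from the paper, that makes the two constraint sets above concrete for trigger signals: the state, edge and trigger-signal computation constraints (stateconstr, edgeconstr, tsigconstr) are written as predicates over per-time-step variables, and the fault detection constraint for an MTE early fault on *short is written over the same variables. The CFSM network is a toy constructed for this example (a HIGHWAY machine with states G, Y, R and a TIMER started by an environment input), not the paper's Figure 2; the input names car and tstart, the edge delays, and the choice of modelling "definition while the using machine is in the wrong state" as "the fault-free definition at time t is used in Y while HIGHWAY was in G at t-1" are all assumptions. Instead of a finite-domain solver, the search enumerates the environment inputs (the solver's free variables) and keeps the first computation that satisfies both constraint sets.

```python
"""Constructed bounded-time encoding of the CFSM computation constraints and of the
fault detection constraint for an MTE_early fault on a trigger signal.
The network below is a toy built for this example; it is not the paper's Figure 2."""
from itertools import product

TMAX = 5  # time steps 0 .. TMAX-1 (the paper's TMAX)

# Constructed CFSM network (assumption). An edge fires at time t when its CFSM is in
# `src` at t and every trigger pair (p, v) holds at t; the CFSM is then in `dst` at t+1.
# Each emitted (signal, delay) pair asserts that trigger `delay` steps later (delay >= 1).
# At most one edge per CFSM is enabled at any step, so EV_{c,t} is a single edge or None.
CFSMS = {
    "HIGHWAY": {"init": "G", "edges": {
        "h1": dict(src="G", dst="Y", triggers=[("car", 1)], emits=[]),
        "h2": dict(src="Y", dst="R", triggers=[("short", 1)], emits=[]),
    }},
    "TIMER": {"init": "idle", "edges": {
        "t1": dict(src="idle", dst="run", triggers=[("tstart", 1)], emits=[("short", 2)]),
    }},
}
INPUTS = ["car", "tstart"]      # environment trigger signals: the free variables of the search
TRIGGERS = INPUTS + ["short"]   # every trigger signal has a binary domain


def compute(inputs):
    """Build the computation variables (state_{c,t}, EV_{c,t}, TV_{p,t}) by executing the
    CFSM semantics on one assignment of the environment inputs."""
    state = {c: [m["init"]] for c, m in CFSMS.items()}   # state[c][t], t = 0..TMAX
    EV = {c: [] for c in CFSMS}                         # EV[c][t]: edge fired at t or None
    TV = {g: [0] * TMAX for g in TRIGGERS}              # TV[g][t]: trigger value at t
    for g in INPUTS:
        TV[g] = list(inputs[g])
    for t in range(TMAX):
        for c, m in CFSMS.items():
            fired = None
            for name, e in m["edges"].items():
                if state[c][t] == e["src"] and all(TV[p][t] == v for p, v in e["triggers"]):
                    fired = name
                    for g, delay in e["emits"]:
                        if t + delay < TMAX:
                            TV[g][t + delay] = 1
            EV[c].append(fired)
            state[c].append(m["edges"][fired]["dst"] if fired else state[c][t])
    return state, EV, TV


def state_constr(comp, c, s, t):
    """stateconstr_{c,s,t}: in state s at t iff (a) in s at t-1 with no edge fired at t-1,
    or (b) an edge entering s fired at t-1 from its predecessor state."""
    state, EV, _ = comp
    stayed = state[c][t - 1] == s and EV[c][t - 1] is None
    entered = any(EV[c][t - 1] == n and state[c][t - 1] == e["src"]
                  for n, e in CFSMS[c]["edges"].items() if e["dst"] == s)
    return (state[c][t] == s) == (stayed or entered)


def edge_constr(comp, c, e_name, t):
    """edgeconstr_{c,e,t}: edge e fires at t iff CFSM c is in its predecessor state at t
    and every trigger pair (p, v) in T_e holds at t."""
    state, EV, TV = comp
    e = CFSMS[c]["edges"][e_name]
    enabled = state[c][t] == e["src"] and all(TV[p][t] == v for p, v in e["triggers"])
    return (EV[c][t] == e_name) == enabled


def tsig_constr(comp, g, t):
    """tsigconstr_{g,t}: internal trigger g is 1 at t iff some edge emitting g with delay
    d fired at t-d, and 0 otherwise (the product of EV_{c,t-d} != e over those edges)."""
    _, EV, TV = comp
    emitted = any(EV[c][t - d] == n
                  for c, m in CFSMS.items() for n, e in m["edges"].items()
                  for gg, d in e["emits"] if gg == g and t - d >= 0)
    return (TV[g][t] == 1) == emitted


def computation_constraints(comp):
    """Conjunction of all state, edge and trigger-signal constraints over the bounded window."""
    return (all(state_constr(comp, c, s, t) for c, m in CFSMS.items()
                for s in {e[k] for e in m["edges"].values() for k in ("src", "dst")}
                for t in range(1, TMAX))
            and all(edge_constr(comp, c, n, t) for c, m in CFSMS.items()
                    for n in m["edges"] for t in range(TMAX))
            and all(tsig_constr(comp, g, t) for g in TRIGGERS if g not in INPUTS
                    for t in range(TMAX)))


def detects_mte_early(comp, signal="short", user="HIGHWAY", use_state="Y", bad_state="G"):
    """Fault detection constraint (assumed encoding): the fault-free definition of `signal`
    at t is used by `user` in `use_state`, while at t-1 `user` was still in `bad_state`, so
    an assertion one step early would land in the wrong state and the use would be missed."""
    state, _, TV = comp
    return [t for t in range(1, TMAX)
            if TV[signal][t] == 1 and state[user][t] == use_state and state[user][t - 1] == bad_state]


def generate_test():
    """Enumerate environment input sequences and return (inputs, detecting time step,
    computation) for the first one satisfying both the computation and detection constraints."""
    for bits in product([0, 1], repeat=len(INPUTS) * TMAX):
        inputs = {g: bits[i * TMAX:(i + 1) * TMAX] for i, g in enumerate(INPUTS)}
        comp = compute(inputs)
        if computation_constraints(comp):
            hits = detects_mte_early(comp)
            if hits:
                return inputs, hits[0], comp
    return None


if __name__ == "__main__":
    inputs, t, (state, EV, TV) = generate_test()
    print(f"MTE_early on *short detected at t={t}")
    for name, row in list(inputs.items()) + [("short", TV["short"])]:
        print(f"{name:>8}: {' '.join(map(str, row))}")
    for c in CFSMS:
        print(f"{c:>8}: {' '.join(state[c][:TMAX])}")
```

The search keeps the simulated computation only if every predicate holds, which is the role the computation constraints play inside the solver; the detection predicate then plays the role of the fault detection constraints. The output has the shape of the paper's result tables: one row per input signal, per internal signal and per CFSM, one column per time step.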
The gas station problem is a simulation of an automated self-serve gas station [12]. Our version of the gas station consists of three processes: the Customer, the Server, and the
This system contains 6 potential MTE faults associated with the value signal pump. Table 2 shows the test generation results for an MTE late fault on pump. In this case we assume that the initial value of pump is 5. If the definition of signal pump to value 15 takes more time than the definition of the trigger signal *pump, pump will keep its old value 5 when *pump is triggered, so edge P3 will be triggered instead of the correct edge P1 in CFSM Pump. Functionally this means that a customer paying for 15 gallons receives 5 gallons of
The Generalized Railroad Crossing (GRC) system contains one railroad track protected by a gate and a gate controller.
The track is divided into three regions: I (intersection), P (an interval preceding the intersection) and notHere (everywhere else). The gate can be in any of four states: down, up, goingDown, and goingUp. Initially the train is notHere and the gate is in state up. The track is equipped with two sensors: one located at the beginning of P, triggered when the front of the train enters, and one at the end of I, triggered when the train completely leaves the intersection. Table 3 shows the test generation result when there is an MTE early fault on signal *lower. In Table 3, 'Enter', 'Exit', 'goDown' and 'nHere' represent 'trainEnter', 'trainExit', 'goingDown' and 'notHere' respectively. The ATPG tool required 10 ms to find a test sequence to detect this fault.
Conclusions
We present an automatic test generation technique for the covalidation of hardware-software systems. We formulate the test generation problem as a set of non-linear constraints on integer variables which collectively describe the space of all system computations. The test generation approach targets the detection of errors in synchronization between concurrent processes which arise from timing faults at communication interfaces. Our future work will investigate a new formulation whose constraints include fewer disjunctive clauses, which are a significant source of computational complexity in constraint logic programming.
References
[6] D. Diaz, GNU Prolog: A Native Prolog Compiler with Constraint Solving over Finite Domains, The GNU Project, www.gnu.org, 1999.
[8] F. Corno, P. Prinetto, and M. Sonza Reorda, "Testability analysis and ATPG on behavioral RT-level VHDL," in International Test Conference, 1997, pp. 753-759.
[11] S. Palnitkar, Verilog HDL, Prentice Hall, 1996.
[13] N. Bjørner, Z. Manna, H. B. Sipma, and T. Uribe.