Model based testing of VHDL programs by Ayav, Tolga et al.
Model Based Testing of VHDL Programs
Tolga Ayav, Tugkan Tuglular, Fevzi Belli
Izmir Institute of Technology
Department of Computer Engineering
35430 Urla Izmir, Turkey
{tolgaayav,tugkantuglular,fevzibelli}@iyte.edu.tr
Abstract
VHDL programs are often validated by means of test
benches constructed from a formal system specification.
To include real-time properties of VHDL programs, the
proposed approach first transforms them into a concurrently
running network of timed automata and then performs
model checking on properties taken from the specification.
Counterexamples generated by the model checker are used
to form a test bench. The approach is validated by a case
study composed of a nontrivial application running on a
microprocessor. As presented, the approach enables testing
both hardware and software at once.
I. Introduction
Circuit functionality is usually defined in VHDL due
to its unambiguous and clear definition [1]. A subset of
VHDL, called synthesizable VHDL, is used for register
transfer level (RTL) design, i.e., the first stage of digital
integrated circuit design. RTL design is the most difficult
part since it is extremely hard to check whether the
RTL meets the specifications. Many techniques, such as
extensive logic simulation and formal proof models, are
quite useful; yet none of them offers a satisfying
solution to the problem. Another approach is model
checking, which provides guarantees over the reachable
states. However, model checking comes with the state-space
explosion problem. Another approach is to generate test
cases following a coverage criterion [2] and apply them to
the system under test (SUT).
When the SUT is a VHDL program, it is not feasible to
test after synthesizing. Therefore, before synthesis, either
simulation tools or test benches are used to test VHDL
programs [3]. A test bench is, as understood in this paper,
a possibly non-synthesizable VHDL code that provides
stimulus to the SUT. For this purpose, the VHDL program
should be transformed to a network of timed automata. To
test a concurrently running network of timed automata, a
software test bench with a clock signal is necessary.
Automatic transformation of VHDL to Timed Automata
(TA) was first explored by Nehme [4]. In his thesis, automatic
transformation of VHDL to TA is achieved by parsing the
VHDL code, generating a truth table from it, and then
building a finite state machine from the truth table. He
designed and implemented the so-called VAT tool, which not
only transforms VHDL to TA but is also used for verification
and validation of embedded systems written in VHDL. In
one of the case studies, he used UPPAAL to verify that
the model represents the code exactly. However, his study
did not comment on test case generation using a model
checker for validation purposes.
Model checkers are used to verify properties of a SUT
through its state-based model specifying its behavior [5]. A
model checker expects properties to be specified as temporal
logic formulae, such as “if state A is reached, then state
B must be reached within t time units”. Such properties
are checked over all reachable states of the model. If a
property cannot be satisfied, the model checker tries to
produce a counterexample as a sequence of states [6].
Several studies [7], [8] utilized counterexamples as test
sequences. Another approach used mutant-based model
checking to ensure safety properties [9]. None of these
studies considered time in the specification. Therefore, time
did not appear in the test cases.
Eles et al. [10] worked on the specification of timing
constraints in VHDL for high-level synthesis to verify
consistency and operation scheduling under timing
constraints. To achieve this goal, they developed a notation
capturing timing constraints for high-level synthesis with
VHDL and an iterative approach to improve VHDL code
with back annotation using synthesized times. However,
the modeling approach was not TA and testing was not
considered. Hessel et al. [11] demonstrated how to
automatically generate efficient real-time conformance test
cases from timed automata specifications. The test cases
are generated using UPPAAL with optimal execution time.
However, test goal generation, test oracle generation and
test result checking were not considered in their work.
2015 IEEE 39th Annual International Computers, Software & Applications Conference
0730-3157/15 $31.00 © 2015 IEEE
DOI 10.1109/COMPSAC.2015.198
The problem described in this paper could also have been
solved using timed Petri nets for modeling. We
decided, however, to model with timed automata as they
have already been used in project work. Thus, they were
available at no further cost. In future work, timed Petri
nets will be considered, especially for comparison of
different modeling techniques for VHDL testing [12].
Note that, in the previous work, we introduced the
transformation from VHDL to timed automata and demonstrated
it with a trivial example [3]. In this paper, we enhance
the approach and, to validate it, present a nontrivial case
study in Section IV. The approach presented in this paper
uses test case generation using model checking for a circuit
and an application running on that circuit, transformed to
software. Major improvements presented in this paper are:
1) The approach has considerably been revised to test
both hardware and software at once.
2) To reflect the new approach, the transformation rules
have been modified. The previous paper defined 15
rules, the present paper introduces six new rules.
Thus, we have now 21 rules in a new, uniform
representation format.
3) Therefore, the existing rules have been reformed to
get them adapted to the new representation.
4) Section D, “Test Bench Generation from a Test
Trace”, is an entirely new section that deserves to be
extended. We kept it brief due to the page limitation.
5) The case study is new; we validate the approach by
a new, non-trivial application.
6) The VHDL code given in Fig. 5 is a microprocessor
that also includes a software application, which is
totally different than the one in our introductory
work.
The paper is organized as follows: Section II presents
the VHDL syntax used in this study. Section III explains
the proposed approach in detail. Section IV validates the
approach by a nontrivial case study. Finally, Section V
discusses limitations of the proposed approach while
Section VI presents conclusion and planned future work.
II. Background
VHDL is a hardware description language; for a
complete grammar definition of it, please see [13] and
[14]. Without loss of generality, we restrict our work to
the following VHDL syntax for the sake of clarity:

  P ::= entity N1 is port(R) end N1;
        architecture N2 of N1 is
        [D] begin C end N2;              (Circuit declaration)
  C ::= s <= e                           (Signal assignment)
      | s <= e when b                    (Conditional signal assignment)
      | process(W) is [D] begin S end    (Process)
      | for v in i1 to i2 generate C     (Generate)
      | entity N port map(W)             (Component instantiation)
      | C1;C2                            (Parallel composition)
  S ::= v := e                           (Variable assignment)
      | s <= e                           (Signal assignment)
      | a(e1) := e2                      (Array assignment)
      | if b then S1 else S2 endif       (Conditional)
      | case e when i1 => S1 . . .
        when in => Sn end case           (Conditional)
      | for v in 0 to i
        loop S end loop                  (Iteration)
      | S1;S2                            (Sequencing)
  b ::= b1 ⊗ b2 | true | false
      | v | s | i | ¬b
      | rising_edge(s)
      | falling_edge(s)
  e ::= i | v | s | a(e) | e1 ⊗ e2
      | e1 + e2 | e1 ∗ e2
  D ::= variable v : integer [:= i];
      | signal s : std_logic [:= '1' | '0'];
      | signal s : std_logic_vector
        (i1 to i2) [:= i3];
      | D1;D2
  R ::= signal s : std_logic;            (Port declaration)
      | signal s : std_logic_vector
        (i1 to i2);
      | R1;R2

where N is either an entity or architecture identifier, v is
a variable, s is a signal, a is an array identifier; W
is a possibly empty set of signals; i is an integer; and
⊗ ∈ {≤, <, =, >, ≥, and, or, xor}. [D] denotes an
optional block of signal and variable declarations. This
subset of synthesizable VHDL is sufficient to describe
many circuits used in practice. Note that timing statements
like after 1 µs are not synthesizable. This is due to the
fact that this statement cannot be technically realized on a
programmable device since the correct timing can only be
satisfied depending on the frequency of an external clock,
which is unknown to the chip. On the other hand, timing
statements are quite useful for simulation and we need
to use them to create test benches in VHDL. Therefore,
we introduce the following statement in addition to our
restricted synthesizable VHDL syntax, to be used
for testing purposes only:

  s <= e after t                         (Signal assignment)

where t is a strictly positive integer or ∞. Timed automata,
on the other hand, are a valuable tool for designing
real-time systems in particular. In this context, we transform
VHDL programs to serve as equivalent timed automata.
Time specifications are expressed in the real-time temporal
logic TCTL, which extends the computation tree logic CTL
with clock variables. For a comprehensive definition of the
semantics of TCTL and the derivation of operators, one may
refer to [15], [16] and [17].
Fig. 1. The approach of circuit testing using model checker
III. Proposed Approach: Test Bench Construction for VHDL Programs
VHDL programs are written according to the functional
specification and can be executed using a simulator to
check whether the specified properties hold. To
check specified properties in our approach, first the model
of the system, i.e., the VHDL program, is generated using
the transformation rules introduced in this paper. The obtained
model is a timed automaton and can be verified using a
model checker. As explained in Section I, verifying large
programs is not feasible due to the state-space explosion
problem. In our approach, the negation of each specified
property is fed to the model checker and its output, in
the form of a counterexample, is used to generate a test case.
A test bench is constructed by following the generated test
cases, and the test bench is then used to test the VHDL
program. This approach can be seen in Fig. 1.
A. Transforming VHDL Programs to Timed Automata
In the previous work, we defined the transformation
function F[P] that converts a given program P to timed
automata [3]. In this study, we slightly modified the
transformation rules depending on the VHDL syntax given
in Section II. Due to the page limitation, the transformation
rules are given in a technical report [18]. Note that the time
constants, denoted with δ in each rule, can be extracted
precisely from the time reports generated by hardware
synthesizers.
B. Test Case Generation
Our objective-guided test case generation algorithm
employs a model checker. In the first step, the property
declared by the test objective is supplied to the model
checker. If the model checker finds a counterexample,
the trace found by the model checker is used to define
a test case. Then the end location of the counterexample
is removed from the model and the model checker is asked
to find another counterexample. This process is repeated
until the model checker finds no counterexample. This
way, the set of property-directed test cases is generated. In
the second step, the original model is loaded into the model
checker and then the property declared by the test objective
is negated. The negated property is supplied to the model
checker. If the model checker finds a counterexample, the
trace found by the model checker is used to define another
test case. Then the end location of the counterexample is
removed from the model and the model checker is asked
to find another counterexample. This process is repeated
until the model checker finds no counterexample. This
way, the set of negated-property-directed test cases is
generated. The union of the property-directed test cases and
the negated-property-directed test cases constitutes the set of
test cases for a test objective. Our objective-guided test
case generation algorithm should be repeated for each test
objective.
Once all the test objectives are consumed and the
objective-guided test cases are generated, the visited locations
and/or edges are marked as visited. Then the third step of our
high-level test case generation algorithm is executed on
the unvisited points. The graph obtained from the unvisited
points (i.e., locations and/or edges) should be traversed to
obtain coverage-guided test cases. It is suggested to find
a spanning set of entities for some coverage to obtain
test cases from a graph [19]. In addition to that, Belli
and Budnik [20] suggested minimizing the spanning set
to obtain minimum length test cases.
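The objective-guided loop of this section, as an added example in Python that is not part of the paper: a breadth-first search stands in for the model checker, and the model is a constructed untimed abstraction whose locations are named after the labels of the seat belt assembly program. The edge labels, function names and the test objective are assumptions.

```python
from collections import deque

# Constructed, untimed abstraction of the seat belt controller; locations are
# named after the assembly labels, edge labels are hypothetical.
EDGES = {
    "IDLE":   [("seat=1", "SEATED")],
    "SEATED": [("belt=1", "BELTED"), ("seat=0", "IDLE"), ("timeout", "BUZZER")],
    "BUZZER": [("belt=1", "BELTED"), ("seat=0", "IDLE")],
    "BELTED": [("belt=0", "SEATED")],
}


def find_counterexample(edges, init, prop, removed):
    """Stand-in for the model checker: check that prop holds in every reachable
    location; return (trace, end_location) of the shortest violation or None."""
    if init in removed:
        return None
    queue, seen = deque([(init, [])]), {init}
    while queue:
        loc, trace = queue.popleft()
        if not prop(loc):
            return trace, loc
        for action, nxt in edges.get(loc, []):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append((nxt, trace + [(action, nxt)]))
    return None


def directed_tests(edges, init, prop):
    """Repeat: ask for a counterexample, keep its trace as a test case, remove
    its end location from the model; stop when no counterexample is left."""
    removed, tests = set(), []
    while True:
        found = find_counterexample(edges, init, prop, removed)
        if found is None:
            return tests
        trace, end = found
        tests.append(trace)
        removed.add(end)


def objective_guided_tests(edges, init, prop):
    """Steps 1 and 2: run the loop on the property and, starting again from the
    original model, on its negation; also report locations no test visited."""
    positive = directed_tests(edges, init, prop)
    # A property violated in the initial location yields the empty trace.
    negative = directed_tests(edges, init, lambda loc: not prop(loc))
    visited = {init} | {loc for t in positive + negative for _, loc in t}
    unvisited = sorted(set(edges) - visited)  # input to the coverage-guided step
    return positive, negative, unvisited


def buzzer_off(loc):
    # Constructed test objective: the controller never reaches BUZZER.
    return loc != "BUZZER"


if __name__ == "__main__":
    pos, neg, rest = objective_guided_tests(EDGES, "IDLE", buzzer_off)
    print("property-directed:", pos)
    print("negated-property-directed:", neg)
    print("left for coverage-guided step:", rest)
```

With this objective, BELTED is never visited by an objective-guided test, so it is what the third, coverage-guided step has to reach.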
C. Test Bench Generation from a Test Trace
From test sequences, a test bench in VHDL can be
generated straightforwardly. These test benches are used
to simulate the target circuits, i.e., to test them. A test
trace or sequence can be given in the following form:
$\langle [(t, t_1), (i, a_1); (o, b_1)], \ldots, [(t, t_k), (i, a_k); (o, b_k)] \rangle$
where $t$ is the global clock, and $i = [i_1, i_2, \cdots, i_n]$ and
$o = [o_1, o_2, \cdots, o_m]$ are the vectors of input and output signals,
respectively. $a_j$ and $b_j$ are the associated vectors containing
the values ($j \in \{1, 2, \ldots, k\}$). From a given test trace,
the test bench in VHDL can be constructed as given in
Fig. 2.

library ieee;
use ieee.std_logic_1164.all;
use ieee.std_logic_arith.all;
entity testenv is
  port(
    i: out type);
end testenv;
architecture imp of testenv is
  type state_type is (s0,s1,...,sk);
  signal state : state_type := s0;
begin
  -- Schedules the state changes at the times of the test trace
  Timing : process
  begin
    state <= s1 after t1, ..., sk after tk;
    wait;
  end process;
  -- Drives the input vector that belongs to the current state
  Output : process(state)
  begin
    case state is
      when s1 => i <= a1;
      when s2 => i <= a2;
      .
      .
      .
      when sk => i <= ak;
      when others => null;
    end case;
  end process;
end imp;
Fig. 2. Test bench in VHDL, which is generated from a test trace

As seen in Fig. 2, a VHDL test bench consists of
two processes, labeled with “Timing” and “Output”. The test
sequence has k states and the current state information
is stored in the register state. The former process provides
the state changes at the appropriate times and the latter one
produces the necessary signals in each state.
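One way to automate the construction of Fig. 2 from a test trace, as an added Python example that is not the authors' tool: the function name, the ns time unit, the signal names and the sample trace are assumptions, and the expected output values b_j are emitted only as comments.

```python
def vhdl_testbench(trace, inputs, unit="ns"):
    """Emit a Fig. 2 style test bench for trace = [(t_j, a_j, b_j), ...].

    a_j maps every input signal to '0'/'1'; b_j maps output signals to the
    values expected in state s_j (emitted as comments for manual checking).
    """
    if not trace:
        raise ValueError("empty test trace")
    previous = 0
    for t, a, _ in trace:
        # 'after' waveform elements need strictly increasing, positive delays.
        if not isinstance(t, int) or t <= previous:
            raise ValueError(f"time stamp {t!r} is not strictly increasing and positive")
        if set(a) != set(inputs) or any(v not in ("0", "1") for v in a.values()):
            raise ValueError(f"input vector at t={t} must assign '0' or '1' to {inputs}")
        previous = t

    k = len(trace)
    ports = ";\n".join(f"    {name} : out std_logic" for name in inputs)
    states = ", ".join(f"s{j}" for j in range(k + 1))
    waveform = ", ".join(f"s{j} after {t} {unit}" for j, (t, _, _) in enumerate(trace, 1))
    cases = []
    for j, (_, a, b) in enumerate(trace, 1):
        drive = " ".join(f"{name} <= '{a[name]}';" for name in inputs)
        expect = ", ".join(f"{name}='{b[name]}'" for name in sorted(b))
        note = f"  -- expect {expect}" if b else ""
        cases.append(f"      when s{j} => {drive}{note}")
    return "\n".join([
        "library ieee;",
        "use ieee.std_logic_1164.all;",
        "",
        "entity testenv is",
        "  port(",
        ports + ");",
        "end testenv;",
        "",
        "architecture imp of testenv is",
        f"  type state_type is ({states});",
        "  signal state : state_type := s0;",
        "begin",
        "  Timing : process",
        "  begin",
        f"    state <= {waveform};",
        "    wait;",
        "  end process;",
        "",
        "  Output : process(state)",
        "  begin",
        "    case state is",
        *cases,
        "      when others => null;  -- s0: nothing driven yet",
        "    end case;",
        "  end process;",
        "end imp;",
    ]) + "\n"


# Constructed trace: times in ns, inputs seat/belt, expected output buzzer.
SAMPLE_TRACE = [
    (10,  {"seat": "1", "belt": "0"}, {"buzzer": "0"}),
    (120, {"seat": "1", "belt": "0"}, {"buzzer": "1"}),
    (130, {"seat": "1", "belt": "1"}, {"buzzer": "0"}),
]

if __name__ == "__main__":
    print(vhdl_testbench(SAMPLE_TRACE, ["seat", "belt"]))
```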
IV. Case Study
We demonstrate our approach through a well-known
seat belt controller application. Our design uses the
soft microprocessor called µPabs3. The seat belt
controller application is coded in µPabs3's assembly. Thus,
our SUT is both the seat belt controller program and the
microprocessor itself.
A. Microprocessor µPabs3
µPabs3 is a fully behavioral VHDL model of a small
8-bit microprocessor designed for educational purposes
[21]. It includes almost all essential parts of a general
purpose processor. µPabs3 has 3 special purpose (IP, IR,
FLGS), 25 general purpose (R0-R8 and R16-R31) and
6 general/special purpose registers (R9-R15: TRIS, P0,
TMRH, TMRL, DPTRH, DPTRL, SP). For procedure calls
and the interrupt mechanism, a stack can also be defined on
R31 to R16.
Fig. 3. µPabs3 connection diagram for the case study
Execution of the 32-bit commands movbi, movwi, jb and
jnb takes 4 clock cycles (fetch, decode, fetch2 and execute
cycles), and the remaining 16-bit commands take 3 clock
cycles (fetch, decode and execute cycles).
Due to the space limitation, the VHDL code of µPabs3
cannot be given here. The microprocessor’s connection
diagram for the seat belt application is given in Fig. 3.
For further details on µPabs3 and its complete VHDL
program, refer to [21].
TABLE I. µPabs3 commands

Command               Meaning                             Cycles
mov dst, src          dst ← src                           3
movbi dst, imm8       dst ← imm8                          4
movwi dst, imm16      dst,dst+1 ← imm16                   4
movx @DPTR, src       (DPTR) ← src                        3
movx dst, @DPTR       dst ← (DPTR)                        3
add dst, src          dst ← dst + src                     3
sub dst, src          dst ← dst - src                     3
mul dst, src          dst,src ← dst * src                 3
inc reg               reg ← reg + 1                       3
dec reg               reg ← reg - 1                       3
and dst, src          dst ← dst & src                     3
jnz add10             if Z=0 then (SP,SP+1)←IP,           3
                      SP←SP-2, IP ← add10
jtne add10            if TZ=0 then (SP,SP+1)←IP,          3
                      SP←SP-2, IP ← add10
jb reg, imm3, add10   if reg(imm3)=1 then IP ← add10,     4
jnb reg, imm3, add10  if reg(imm3)=0 then IP ← add10,     4
jmp add10             IP ← add10                          3
call add10            (SP,SP-1)←IP, SP←SP-2               3
                      IP ← add10
ret                   IP ← (SP+1,SP+2), SP←SP+2           3
banksel b             BNK ← b                             3
setb reg, imm3        reg(imm3) ← 1                       3
clrb reg, imm3        reg(imm3) ← 0                       3
tmr b                 TON ← b                             3
nop                   -                                   3
halt                  -                                   3
In Table I, dst and src indicate register addresses from
R0 to R31. Register addresses can also be used with an
indirect addressing prefix @, e.g., mov @R1, R2.
B. Seat Belt Controller
Seat belt controllers are widely used in vehicles. In our
case study, we implement this controller using µPabs3.
The FSM diagram shown in Fig. 4 explains how it works.
The assembly program implementing the controller can be
written as seen in Fig. 5.
Fig. 4. FSM of the seat-belt controller
          MOV   TRIS, 00011000B   ; PORT DIRECTIONS
IDLE:     TMR   0                 ; TIMER OFF
          CLRB  P0,4              ; LOCK FREE
          JNB   P0,0, IDLE
SEATED:   MOVWI TMR,100
          TMR   1                 ; TIMER ON
S2:       JB    P0,1,BELTED
          JNB   P0,0,IDLE
          JTNE  S2
BUZZER:   SETB  P0,3              ; BUZZER ON
          JB    P0,1,BELTED
          JNB   P0,0,IDLE
          JMP   BUZZER
BELTED:   TMR   0
          CLRB  P0,3              ; BUZZER OFF
          JNB   P0,1,SEATED
          JMP   BELTED
EXT_ISR:  SETB  P0,4              ; LOCK SEAT BELT
          JB    P0,2,EXT_ISR
          RET
Fig. 5. Assembly program for the seat belt
controller
C. Test Case Generation Using Model Checker
As a model checker, we use UPPAAL¹. UPPAAL extends
the timed automata with additional features such as
bounded integer variables, constants, urgent and committed
locations, synchronization channels, etc. [22].
¹ UPPAAL is a toolbox for verification of real-time systems
jointly developed by Uppsala University and Aalborg University
(http://www.uppaal.com).
Fig. 6. Test automaton representing the car driver and a crash
(locations: IDLE, SEATED, BELTED, CRASH; labels: seat=1, seat=0,
belt=1, belt=0, crash=0, crash=1, t=0, t<=20, t>2)
Assume that the specification of the seat belt controller
running on µPabs3 contains the following two properties:
$P_1 : \forall\Box\, \neg(seat \wedge \neg belt \wedge \neg buzzer \wedge t > 100\,T_{clk})$
$P_2 : crash \leadsto_{\le 4T_{clk}} lock$
The first property imposes that the seat belt controller never
reaches a state where the driver is seated, has not
fastened the seat belt, and the buzzer is not activated even
though the timer has expired. The second property states that
if a crash happens, the lock signal is activated within $4\,T_{clk}$
time units.
The VHDL code of the microprocessor is transformed
to its equivalent TA in UPPAAL. Since the processor
contains the program memory, the assembly program for
the seat belt control application is also included in the
resulting TA. In order to run the verifier, we can use the
test automaton representing the driver’s behavior as given
in Fig. 6. According to the test automaton, the driver may
sit down, fasten the seat belt, then conversely unfasten the seat
belt and leave the car without any invariants and time
conditions, i.e., the driver performs each action in the
time range of [0,∞). The model is validated against this
behavior.
When these properties are fed to the model checker, it
immediately finds counterexamples. From these returned
test traces, the test bench is constructed as explained in
Section III-C, which may reveal possible error(s) in the SUT.
In this case study, the test bench helps us to reveal the
following coding error in the microprocessor’s VHDL
program: Fig. 7 shows an excerpt from the VHDL program.
Here, the condition expression in line 294 is erroneous.
The “>=” operator is corrected to “>” and then Property
P1 is shown to be satisfied.
V. Limitations and Threats to Validity
The completeness of the transformation rules for the given BNF
is questionable unless it is proved. It has the highest
priority in our future work. Moreover, the scalability of
our approach with respect to state explosion and run-time
behavior should be discussed and also presented with a
larger case study using the operational values obtained
from our approach. This requires full automation of the
testing process. Currently, transformations and checking of
test results are performed manually. Moreover, the
complexity of test computation, which would be a key issue
for industrial use of our approach, should be presented for
each step of our approach.
Fig. 7. Excerpt from the microprocessor’s VHDL code
VI. Conclusion and Future Work
In this paper, we proposed an approach towards test
bench generation for VHDL programs. First, VHDL
programs are transformed to timed automata, which constitute
the model under consideration, through the introduced
transformation rules, and then the negations of the specified
properties written in temporal logic are fed to the model
checker. Once all the properties are covered, the obtained
test suite is used to construct the test bench for the SUT.
The novelty of this approach lies in the transformation of
VHDL to timed automata and the automatic generation of a
VHDL test bench exploiting software engineering methods.
The approach is validated by means of a nontrivial
case study. Larger scale applications and their comparisons,
which are in progress, are supposed to rectify the
shortcomings of this example, e.g., a single case study
cannot fully cover the practical problems known
to the software testing community. Moreover, we would like
to explore the differences of our approach from other
approaches, such as the ones based on Petri nets. Finally,
test case generation for timed automata will be further
investigated.
References
[1] V. A. Pedroni, Circuit Design with VHDL. MIT Press, 2004.
[2] H. Zhu, P. A. V. Hall, and J. H. R. May, “Software unit test coverage
and adequacy,” ACM Comput. Surv., vol. 29, no. 4, pp. 366–427,
1997.
[3] T. Ayav, T. Tuglular, and F. Belli, “Towards test case generation
for synthesizable VHDL programs using model checker,” in 2nd
Workshop on Model-Based Verification & Validation, June 9-11
2010.
[4] C. Nehme, “The vat tool, automatic transformation of vhdl to
timed automata,” Master’s thesis, Aeronautics and Astronautics at
Massachusetts Institute of Technology, June 2004.
[5] F. Belli and B. Güldali, “A holistic approach to test-driven model
checking,” in IEA/AIE’2005: Proceedings of the 18th international
conference on Innovations in Applied Artificial Intelligence.
London, UK: Springer-Verlag, 2005, pp. 321–331.
[6] G. Fraser, F. Wotawa, and P. Ammann, “Testing with model
checkers: a survey,” Softw. Test., Verif. Reliab., vol. 19, no. 3, pp.
215–261, 2009.
[7] P. Ammann, P. E. Black, and W. Majurski, “Using model checking
to generate tests from specifications,” in ICFEM, 1998, pp. 46–.
[8] G. Devaraj, M. P. E. Heimdahl, and D. Liang, “Coverage-directed
test generation with model checkers: Challenges and opportunities,”
in COMPSAC (1), 2005, pp. 455–462.
[9] F. Belli, A. Hollmann, and Z. Chen, “Mutant-based model-checking
to ensure accessibility and safety aspects of human computer
interfaces,” in ICTA, 2009, pp. 65–74.
[10] P. Eles, K. Kuchcinski, Z. Peng, and A. Doboli, “Specification of
timing constraints in vhdl for high-level synthesis,” 1994.
[11] A. H. Kim, K. G. Larsen, B. Nielsen, P. Pettersson, and A. Skou,
“Time-optimal real-time test case generation using uppaal,” in
FATES03. Springer-Verlag, 2003, pp. 114–130.
[12] G. J. Holzmann, Design and validation of computer protocols.
Upper Saddle River, NJ, USA: Prentice-Hall, Inc., 1991.
[13] IEEE, Std 1076-2000: IEEE Standard VHDL Language Reference
Manual, IEEE, 2000.
[14] J. Gillenwater, G. Malecha, C. Salama, A. Y. Zhu, W. Taha,
J. Grundy, and J. O’Leary, “Synthesizable high level hardware
descriptions: using statically typed two-level languages to guarantee
verilog synthesizability,” in PEPM ’08: Proceedings of the 2008
ACM SIGPLAN symposium on Partial evaluation and
semantics-based program manipulation. New York, NY, USA: ACM, 2008,
pp. 41–50.
[15] M. Bourahla and M. Benmohamed, “Verification of real-time
systems by abstraction of time constraints,” in IPDPS ’03: Proceedings
of the 17th International Symposium on Parallel and Distributed
Processing. Washington, DC, USA: IEEE Computer Society, 2003,
p. 238.1.
[16] Y. Tachi and S. Yamane, “Real-time symbolic model checking for
hard real-time systems,” in RTCSA ’99: Proceedings of the Sixth
International Conference on Real-Time Computing Systems and
Applications. Washington, DC, USA: IEEE Computer Society,
1999, p. 496.
[17] D. M. Gabbay, I. Hodkinson, and M. Reynolds, Temporal logic (vol.
1): mathematical foundations and computational aspects. New
York, NY, USA: Oxford University Press, Inc., 1994.
[18] T. Ayav, T. Tuglular, and F. Belli, “Transforming VHDL
to timed automata,” Izmir Institute of Technology, on web:
“http://www.iyte.edu.tr/~tolgaayav/DCSoC/IYTE-COMPENG-2015-001.pdf”,
Tech. Rep., 2015.
[19] M. Marre and A. Bertolino, “Using spanning sets for coverage
testing,” IEEE Transactions on Software Engineering, vol. 29, pp.
974–984, 2003.
[20] F. Belli and C. J. Budnik, “Minimal spanning set for coverage
testing of interactive systems,” in ICTAC, 2004, pp. 220–234.
[21] T. Ayav, “Lecture notes of ceng311 computer architecture: Design
notes of microprocessor µPabs ,” Izmir Institute of Technology,
on web: “http://www.iyte.edu.tr/∼tolgaayav/courses/ceng311/ De-
sign Notes of Microprocessor uPabs Ver-08a.pdf”, Tech. Rep.,
2008.
[22] G. Behrmann, R. David, and K. G. Larsen, “A tutorial on uppaal.”
Springer, 2004, pp. 200–236.
