Abstract
Introduction
With the increasing complexity of electronic systems, the focus of design effort is moving towards higher abstraction levels in order to improve design productivity. In the last decades much research has been directed towards automating the different steps in the design trajectory. Currently most of the research in this area is focussed on architectural synthesis, hardware software co-design and system level synthesis. As a result, the initial design specification is moving more and more to the system level.
Complex systems usually contain subsystems of different nature, and therefore the design of such systems involves several design trajectories and synthesis systems. As a consequence, it is not desirable to specify such heterogeneous systems in a single generic language; every subsystem can be modelled best with the most natural and appropriate description language. A unified design environment in which different models can be combined and simulated in a homogeneous way, offers more flexibility than a unified language or model. A well-known example is the Ptolemy framework developed at Berkeley [4] .
The validation of the design specification is an important step in the design process, because undetected errors may cause expensive redesigns and delay the design project. Because of the increasing level of complexity, it is becoming more and more time-consuming for a designer to obtain an acceptable level of confidence in the correctness of the design specification. This problem can be alleviated by a tighter integration of evaluation and analysis methods into the design environment [ 1] [5] . These methods facilitate the task of interpreting the detailed simulation results.
This paper discusses how a discrete event simulator can be extended with a technique to analyse the event trace during a simulation run. Section 2 gives an overview of related work. In section 3 the concept of discrete event monitor is introduced as a method to check if the simulated behaviour is consistent with the specified requirements. The subject of section 4 is a specification language for these discrete event monitors. Some results are reported in section 5 .
Background
In practice simulation is the most important technique to validate a specification. Although this method cannot guarantee the correctness of a design in all circumstances, it is fully accepted in the design community. Formal verification methods can also be applied for validation, and promise a better coverage of errors [lo]. Although impressive progress has been made in this area of research, most formal verification tools very easily get stuck at their limits in real design situations. Therefore these methods are limited to the validation of very abstract specifications that only model some selected aspects of a design. It is our opinion that simulation will remain a very important technique during the prototyping, validation and debugging of adesign specification.
Most hardware description languages are primarily aimed at specifying a design by describing a model that implements the desired behaviour at some level of abstraction. Only limited support is provided to express the properties the model should comply with. For example VHDL only provides the 'assert' construct to check constraints on the state of a model at specific points in time. More complex conditions involving time can only be included by extending the description of the system with extra modules. It may even be necessary to extend the interface of existing modules in the design to make parts of the internal state observable from the outside. These modifications usually lead to less comprehensible models and may even introduce new errors into the design.
In [l] the VAL kanguage is proposed as an annotation language for VHDL. It extends the language with a small set of new constructs for abstract specification. For example it is possible to express complex timing constraints on signals.
A preprocessor is used to translate an annotated description to a regular VHDL description which automatically checks if the simulated behaviour complies with the abstract specifications. In [8] the I'anguage is extended with so-called pattem event mappings to reduce the complexity of the simulation results. It is based on recursively recognizing ' and naming pattems of events. This enables the designer to view the simulation results on a higher level of abstraction, and therefore effectively reduces the amount of information that has to be inspected. The presented implemenkltion "ilyses the event traces of the simulation in a post-processing step.
There exist numerous methods to specify requirements imposed on a design. For ex,ample timing diagrams are frequently used to specify both qualitative and quantitative timing constraints. In [3] a formal version of these diagrams is proposed, which also covers more complex aspects such as timing constraints on conditional and iterative event sequences. It would be very useful if such constraints could be combined with a design specification, independent of the kanguages used to describe this specification.
Discrete Event Monitors
A complex and time-consuming part of the validation process is the analysis of the simulation results and the detection of erroneous behaviour. Therefore the ability to check if the simulated behaviour is consistent with a given set of requirements, would improve the efficiency of the valid?-tion process, especially if this is done during a simulation run. This involves the two subproblems of specifying how the design is supposed to behave, and comparing the simulated behaviour with the specified requirements. In this section the latter problem is discussed for the class of event driven simulators. This class covers many simulators used todly at various abstractions levels, including simulators for popular hardware description languages like VHDL and Verilog.
In adiscrete event simulator, the behaviour of the simulation model is characterized by the event trace that is generated during a simulation run. This applies to different simulation algorithms, models of computation and abstraction levels. Therefore the event trace forms a good foundation for a general analysis mechanism which inspects the events executed for specific state v'ariables and nets in the model. The main requirements for such amechanism are that it does not influence the simulation results and has an acceptable effect on the performance of the simulator. Therefore the concept of discrete event monitor (DEM) is introduced. A DEM is an object which observes the events generated and processed for specific elements in the simulation model.
Although it can be implemented as apost-processing step of a simulation run, it is intended to be embedded in the discrete event simulator itself. In an incremental simulation environment [6] [9] , this concept especially contributes to efficient validation of system behaviour, as it can be used to observe the events that model the differences with respect to the previous simulation run. A DEM specification consists of 3 pafls: an interface part, a declaration part and a part that defines the functions supported by the DEM (see figure 1) .
In the interface part the variables which relate to the simulation model and other DEMs are specified. During insklntiation of the DEM each variable in the interface part is attached to a real object in the simulation model or 'another instantiation of a DEM. This mapping is described sep'mtely to make the specifications reusable. Currently the following types of variables are allowed in the interface p' art:
A net variable is used to access the events which are scheduled for the net to which this variable is atklched. A module variable is used to access the intemal variables of the module it is attached to. A DEM variable is the port on which higher level events can be scheduled by a monitor. Such an event will immediately activate the monitors that are attxhed to this variable. Note that amonitor can only schedule events that activate other DEMs, but it is not allowed to schedule events that influence the simulation model itself. In the declaration part, sklte variables are declared: they are used to store additional data of the monitor and may have different (abstract) types. Each instantiation of a monitor allocates its own state variables, which can be accessed by the DEM's intemal functions. Currently the following internal functions can be specified:
The init function, which is called before the First event is processed. This function c' an be used to initialize DEM variables and to allocate additional resources required by the monitor. Note that state variables are allocated during instantiation of the DEM. The report function of a monitor is used to evaluate the current state of a monitor and to collect statistical information of a simulation run. In the algorithm depicted in figure 2 , the operation of DEMs within a discrete event algorithm is shown. The algorithm presented here uses a fixed-time increment strategy, but the same extension can also be used in a simulation algorithm which is based on a next-event time advance approach. First the simulation model is initialized by initializing all nets and modules (1-2). The behavioural descriptions of all modules are executed to activate the modules. This results in the generation of events, which will be processed by the simulation loop. The last step of the initialization phase is the activation of all monitors, just before the processing of events starts (3) . 
Fig. 2. Simulation algorithm including DEM interface
Preprocessing events ( 5 ) entails checking if an event can be discarded or not. In general an event is discarded if processing the event does not result in a new net value, although thisalso depends on the event's type. If an event is discarded, its type is changed to cancelled, which implies that the event will not cause any modules to be evaluated. Otherwise the net is set to its new value. After preprocessing, the values of the event's attributes are fixed. In the next phase of the simulation algorithm (U), the events are used to determine which modules have to be evaluated, which results in the generation of new events. Therefore, theevaluation of the DEMs is best performed between the preprocessing phase, which determines the changes in the state of the A DEM can pass information to another DEM by scheduling higher level events for that DEM, which raises the level of abstraction and therefore reduces the number of events that have to be examined. If an error is detected at the highest abstraction level, it can be traced back to its source in the simulation model itself. This is achieved by annotating the source of the event into the event itself. Interacting DEMs can be represented as a directed acyclic graph. Usually this graph is a tree. If a DEM schedules an event for another monitor, this monitor is immediately activated. No additional delay model is associated with these events, since this could be the source of more misunderstandings about the interpretation of the simulation results.
Discrete Event Automata
This section discusses a specification language for discrete event monitors. The reasons to introduce this language are twofold. It provides the means to compactly define discrete event monitors which hide the implementation details from the user. Furthermore it serves as an intermediate language to facilitate the integration of other specification methods like timing diagrams. The underlying model of the language is a deterministic state machine in which transitions are labelled with conditions and actions. The conditions define for which events a transition is executed; in addition, these conditions may depend on the values of state variables and the attributes of the event. The actions describe the effects of atransition, which may include the generation of events for other discrete event monitors. This model is chosen, because it is sufficiently expressive for describing a large class of constraints, and can be executed efficiently during a simulation run. The term discrete event automaton (DEA) is used to denote a description in this language.
In figure 3 an example is given of a DEA which validates the correctness of a dual rail encoded interface. This example is used to illustrate the main aspects of the language. The header specifies the name of the DEA and declares its parameters. In this particular case, the parameters are the three nets on which the communication takes place. The body of the description consists of two sections, which respectively declare the state variables and specify the behaviour. Optional-ly, a third section can be added to customize the way the information about the state of the DEA is reported to the user.
The main construct to define the behaviour of a DEA is the select statement, which specifies a single state of the automaton and the transitions leaving that state. Every state can be given aname, although this is not shown in the example. The transitions are defined by a set of event labels and the corresponding actions. An event label specifies the object for which the event must be scheduled, the value of the event, and optionally the event type. By default, a transition brings the automaton to the next sequential state. The usual control structures are provided to support the description of conditional and repeating behaviour patterns. As a result, many requirements can be described very concisely by a DEA. The event statement can be used to generate events for other DEAs. In the example, every successful data transfer results in a new event. In this particular case, no destination is given, so the event is generated for the hierarchical parent of this automaton if it exists. This example illustrates how DEAs can be used to implement event pattern mappings [8] . These mappings are especially useful for comparing a detailed simulation model with aspecification at a higher level of abstraction.
In figure 4 it is shown how a simple timing diagram is converted to aDEA. A time out is specified to detect the absence of events. To convert an arbitrary timing diagram to a DEA, a similar construction as used in [ 111 can be applied. In that paper it is shown how timing diagrams can be converted to so-called simulation graphs. These simulation graphs can ... directly be interpreted as DEAs. Therefore a similar conversion can be used to translate timing diagrams to DEAs. With the available conditional and loop constructs, it is also possible to translate more complex timing diagrams as proposed in [3] , which specify repeating and conditional event sequences and the corresponding timing constraints.
Implementation and experiments
To evaluate the presented methods, we have integrated DEM support in the simulator of the ESCAPE design environment [7] . ESCAPE is a highly interactive and flexible tool, which can be used to prototype, validate and debug complex heterogeneous systems. It consists of a graphics editor and an integrated event driven simulator. Incremental updating of data structures, direct presentation of simulation results and the usage of animation allow fast exploration of the design space. Different models of computation c' an be used to specify a system. All models are fit within the semantics of an event driven simulator.
In ESCAPE, aDEM is specified in a special format based on the language C. An integrated preprocessor resolves the addresses of all variables and generates a regular C file, which is compiled and dynamically linked into the address space of the simulator. The implementation supports multiple instantiations of a monitor and even on the fly modifications of a DEM configuration during a simulation run. A separate compiler is provided to translate a DEA specification into a DEM description.
We have used DEMs to validate event traces of various examples. The primitive components of all examples are modelled using a Lisp-like hardware description language. The following examples are presented in table 1:
An implementation of an asynchronous two place ripple buffer [2] . For this example, the absence of unexpected request and acknowledgement events has been validated.
An abstract model of a railroad. The model is composed of two abstraction layers: one layer models the environment, in particular the transportation of the trains, <and the other one models the control aspects of the system. The handshake protocol used to move the trains has been validated. An architectural model for a Kulisch inner product chip [12] . The timing of the adder stations in the model has been validated. These examples differ considerably in size and complexity, both in structural and behavioural respect. The complexity of the DEMs is comparable to that of the DEA shown in figure 3 .
The results show that little overhead is introduced by extending the simulation algorithm to support DEMs. Of course this also depends on the complexity and internal structure of the simulation model and the connected DEMs. For these particular examples, the total decrease in performance is less than 7%. Comparable results have been found for other simulation models. This demonstrates the efficiency of the proposed methods and the applied implementation techniques. 
Conclusions
The validation of a design specification is a complex and time-consuming task. To facilitate this task, we have proposed a new method for consistency checking in discrete simulation models. During a simulation run, the event trace is analysed to detect any inconsistencies with the specified requirements. Discrete event monitors are used for this purpose. Every monitor observes the behaviour of a specific part of the simulation model. Hierarchy can be usedin monitor descriptions to reduce the level of detail. The method is not restricted to aspecific abstraction level or computational model.
Discrete event automata are proposed as a specification language for discrete event monitors. The underlying model of deterministic state machines is chosen, because it is sufficiently expressive, and results in descriptions that can be executed efficiently. Discrete event automata also serve as an intermediate language to transform other specification methods to discreteevent monitors. This has been illustrated for timing diagrams.
The proposed methods have been implemented in the ES-CAPE design environment. Experiments demonstrate that they provide a good trade-off between accurate analysis of simulation results and run-time simulation performance decrease.
