Equivalence checking between embedded C code and corresponding Stateflow TM diagram specification by Baufreton, Philippe & Segelken, Marc
HAL Id: hal-02270312
https://hal.archives-ouvertes.fr/hal-02270312
Submitted on 24 Aug 2019
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Equivalence checking between embedded C code and
corresponding Stateflow TM diagram specification
Philippe Baufreton, Marc Segelken
To cite this version:
Philippe Baufreton, Marc Segelken. Equivalence checking between embedded C code and correspond-
ing Stateflow TM diagram specification. Embedded Real Time Software and Systems (ERTS2008),
Jan 2008, Toulouse, France. ￿hal-02270312￿
 Equivalence checking between embedded C code and 
corresponding StateflowTM diagram specification 
 
Philippe BAUFRETON1, Marc SEGELKEN2 
1: Hispano-Suiza, Centre de Réau 16/DEE-EL - BP 42 - F-77551 Moissy-Cramayel Cedex - France 
2: OFFIS, Escherweg 2  -  D-26121 Oldenburg  -  Germany 
 
 
 
 
 
 
Abstract
 This paper focuses on a cost-effective 
application of model-checking in Verification & 
Validation of safety critical airborne systems, for 
proving the correspondence between automatic C 
source code and its specification expressed with 
StateflowTM diagram specification. The process 
requires a minimum of user intervention in most 
cases, gives very high confidence and has the 
potential to shift the traditional technical checks 
when qualification is effective. 
 
Keywords: model-checking, verification, safety 
critical applications 
1. Introduction 
Formal techniques can be used for proof of 
correspondence between specification and 
requirements [1] to make sure that the system, as 
described by the specification, establishes and 
preserves the properties in the requirements policy. 
They may also be used for proof of correspondence 
between source code and its specifications [2] – 
Although many formal techniques were initially 
created to provide proof of correctness of code, this 
is rarely done because of the time and expense 
involved, but may be done for particularly critical 
portions of the system.  
 
This paper focuses on StateflowTM specification 
diagrams using the previously described use case 
[2]. In the development process, such diagrams  are 
firstly converted by hand in SSM diagrams before 
the SCADETM automatic C code generator is applied 
(the SCADETM gateway does not support the 
StateflowTM diagrams). Therefore, errors could be 
easily introduced during such manual 
transformations and early detection of errors 
between the embedded code and its original 
StateflowTM specification is a key issue. 
 
 
 
2. Formal process 
The overall principle to achieve such proof of 
correspondence (also called an equivalence check) 
is basically to be able to compare the specification 
and the C production code whatever the 
transformations between the two.  
 
 
Figure 1: Equivalence checking principle 
 
The development process is on one hand, based on 
the SCADETM qualified code generator. Since the 
actual release of the SCADETM gateway does not 
support the StateflowTM diagrams translation into 
SCADETM diagrams, the use of the SSM editor 
interfaced with SCADETM  is firstly used to design the 
StateflowTM diagrams into SSM diagrams to further 
generate lustre files compatible with the code 
generator as described  in Fig. 1.  
 
Since the model checker analyses C code and not 
the specification language itself, a preliminary 
translation of the specification into a code for 
verification (Specification C code) is first necessary. 
This translation requires an independent (in term of 
provider) code generator from the embedded chain 
to produce a code for verification reflecting the 
specification. In that process, the reader should note 
that there is no longer manual transcription of the 
StateflowTM diagram as illustrated in Fig. 2. 
 
Stateflow
specification (A)
Production code (B)
   
Figure 2: Development / Verification chains 
 
A new model in C code is then created comprising 
the C code for verification from the StateflowTM 
specification (A) and the Embedded C code from the 
SSM design (B) to be checked by the HybridTM 
(OFFIS) model-checker. by supplying the same 
inputs to both of them and comparing pair wise the 
outputs for equality. 
Fig. 3 Equivalence checking principle 
 
For this approach, we construct a model 
corresponding to the figure 3 and let B be the node 
corresponding to the embedded C code (generated 
with SCADETM qualified code generator) and A 
should be the node reflecting the specification with 
exactly the same interface as B and taking 
differently compiled C code (Scade-like code from 
Sildex or SimulinkTM coder).  
 
A code for verification was derived from the 
StateflowTM diagram specification in several ways 
according to the projects. One used the Sildex tool 
(TNI-Software) to transfer the StateflowTM diagram 
into the Signal [3] code, then the compiler was 
activated to first produce the internal data flow graph 
representation and then generate the C code for 
verification. Other possibility was to produce the A 
code with the SimulinkTM coder which is more widely 
used in practice. The other case would be to use 
Sildex for verification since a project used another 
code generator for the embedded code.  
 
One of the three combinations could be selected 
through an interface according to the user’s 
preferences. 
 
 
 
Fig. 4 User interface for Harness Selection 
 
The variations are (SCADETM qualified coder for 
production, Sildex for verification), (SCADETM 
qualified coder for production, SimulinkTM coder 
RTW for verification), (RTW for production, Sildex 
for verification). Technically speaking, every Scade-
like code could be used for verification. In all three 
cases, scripts were created to automate as much as 
possible the creation of the dummy structure, the 
interfaces and calls of A and B while supplying them 
with both codes.  
 
There is no common mode in the verification 
process and the development process. The 
specifications given to the code generators 
(StateflowTM diagram, SSM diagram) are different 
(Signal and Lustre languages modules). Moreover, 
the code generators (Sildex, SCADETM, RTW) are 
developed by separate teams, so having exactly the 
same error in these conditions is very unlikely to 
occur. 
 
If so, such an error should not be detected by the 
proof of correspondence but could be detected by 
the functional tests in force (correspondence 
between the specification and the requirements ) on 
the embedded code since the error would be 
present in both process in such case. 
 
To prove the equivalence, we can either provide a 
huge AND-gate which ensures that all equal-
comparisons are true, or less complex for the 
model-checker, check only equality of one output-
pair with one proof each. This is the way, we used in 
practice.  
 
3. Formal verification tool 
 
HybridTM is a formal verification tool that uses a 
BDD-based symbolic CTL model-checking engine. 
The program models are presented in a restricted 
subset of C, called C4Ver especially defined to 
represent synchronous programs generated with 
Sildex or C code produced by the SCADETM 
qualified code. The properties specification language 
StateflowTM specification
Production C Code
Manual 
transcription 
in SSM editor
Code generation
ScadeTM
SSM
files
StateflowTM specification
Specification C Code
Code generation
C4VER
C code for verification
from StateflowTM
specification
Embedded C code
from SSM design
 is based on a mixture of state expressions including 
simple temporal operators and predefined patterns 
representing most commonly used LTL-formulas. 
Patterns are generic in the sense that their 
arguments could be instantiated by user state-
expressions.  
 
On the editor level the tool provides for pattern 
instances definition, editing, and copying; proofs 
definition as a list of patterns to be satisfied, and a 
list of patterns that should be considered as 
assumptions. On the verification level, the tool 
provides for running the model checking algorithm 
against the given model, representation of the 
verification results, and representation of a counter-
example in case of proof refutation.  
 
The underlying symbolic discrete state model-
checker [7] follows a mathematical algorithm to 
prove (un-) reachability of states violating the 
property. After mapping the C-model to a 
symbolically encoded  labeled transition system by a 
suitable C compiler inside Hybrid, the model-
checker engine algorithm performs a backward 
computation and  optionally in case of simple 
reachability properties a forward computation of 
state sets, that either lead to the violation of the 
property or which are reachable from the initial state, 
respectively  [8]. Due to the compact symbolic 
encoding of these state sets by using BDDs for the 
logical encoding, the algorithm is able to deal with 
discrete state spaces with up to thousands of state-
bits. Once the existence of a path is proven, a 
distance-gradient based search algorithm is used to 
determine a concrete representative path being the 
diagnosis information result. 
 
For complexity reduction the tool allows to adjust 
domains for integer variables, apply propositional 
abstraction and the use of an automatic iterative 
abstraction refinement extension [6] to cope with 
linear computations on continuous items (i.e. 
variables of type real), that has proven to be quite 
effective for models with loose interaction of 
continuous and discrete parts of the model. 
Symbolic Model-Checking on its own cannot be 
performed with values of type real. On a purely 
discrete system, Hybrid works exactly as a symbolic 
model-checker. If the system controls continuous 
items, it can find a concise representation of those 
by using an automaton that prevents classes of 
spurious counterexamples to ever occur again in 
subsequent iterations during the iterative abstraction 
refinement process. If this process terminates, the 
result is either the affirmation of the property or a 
valid counterexample, also called trace, being a 
complete sequence of variable valuations for all 
variables of the model, including floating point 
values for variables of type real. Although as a semi-
decision procedure not always terminating in theory, 
in practice the approach works for many controller 
designs. 
Fig. 5 Hybrid basic principles 
Figure 5 shows the three main sub-procedures 
which are to be applied in sequence.  
 
First, the C-code and the property is translated to an 
internal simple representation, an imperative 
language called SMI.   
 
Second, abstractions are applied if required before 
translating the model to a logical representation 
required by the model-checker engine being called 
thereafter. The model-checker engine applies the 
previously described algorithm and thus decides the 
validity of the specified property. In case an error 
has been found, in a third step an error trace is 
produced for animation in the original design. In the 
presence of continuous items in the model, the 
second and third step are possibly iterated many 
times until either the validity of the property has been 
proven, or a valid error trace has been found. In the 
latter case the error path of the abstracted model 
being a sequence of input stimuli and internal 
variable valuations is concretized such that 
valuations of continuous variables are included as 
well. 
 
The HybridTM  Man Machine Interface is depicted in 
Figure 6. Properties could be checked one by one 
according to the user selection or even all checked 
sequentially in some batch mode (by Execute All 
key). 
 
 Fig 6. HybridTM Man Machine Interface 
 
4. Description of the work 
 
Our aim is to certify the equality property for each 
signal pair so as to check that the outputs of the 
production code and the specification behave 
identically for all possible executions.  
 
The property is expressed in pattern mode: 
inv_P_immediate with the expression "A_CDEPC =  
B_CDEPC" since the property says: "Both signals 
always (i.e. invariant) have to have exactly the same 
(i.e. =) value". The expected result is "true" with no 
trace being generated in both cases, of course.  
 
The HybridTM performance largely depends on the 
size of the model, the number of inputs and their 
ranges and the complexity of the property to be 
verified. 
 
By default, the integer ranges are set to [-1000, 
+1000], so to cover the whole model, the user needs 
to supply the maximum ranges that might be 
relevant for the model behaviour. This information 
has to be extracted from the specification itself and 
might increase the verification time much depending 
on the model complexity. 
 
The verification is always covering the complete 
behavior provided there is no potential overflow in 
the model. Therefore domains had to be specified 
not being to small to avoid overflow behavior and not 
too big to keep complexity low. An optimal way to 
perform that was done and proposed to the users as 
depicted in Fig. 7. 
 
Fig. 7 Variables ranges definition 
 
In the case of ranges being too restricted compared 
to the specification, HybridTM does a partial but 
correct comparison check of both models (in 
contrast to normal verification where potential 
overflows lead to approximated  verification). 
 
If there is an important behaviour for higher 
numbers, for instance, there are specific reactions of 
the system that are only activated by higher 
numbers (like threshold checks) outside the 
specified range, the model-checker would not cover 
it since it would be be outside the reachable 
behavior. Thus the model might not be fully 
explored, but only partially. 
 
In case of real (float) variable, the specific Ilabs 
algorithm should be applied in its normal mode 
(conservative over-approximation of the behavior) 
so as to preserve confidence in the results. 
 
5. Results 
 
The proof of correspondence was successfully 
exercised  for all StateflowTM diagrams of a thrust 
reverse controller and partly applied to an engine 
control system of a military air fighter. The 
verification process has been automated to a large 
extent to minimise the user intervention and was 
able to check industrial size StateflowTM diagrams 
implementation. 
 
During about two months, about 60 proofs of 
equivalence were fully achieved for the two above 
projects which represent more than 100 properties. 
Sometimes errors were detected during formal 
verification process (wrong priority match between 
StateflowTM diagram and SSM) with less effort 
compared to the current process based on manual 
Technical Checks (TC).  
 
Such checking improves the confidence in the C 
code for production since it faithfully represents the 
StateflowTM diagram specification, in other words, 
the C code preserves the properties of the 
specification. In absence of errors, equivalence is 
fully proven.  
 
In case of inconsistency, the generated trace (fig 8.) 
is very useful to debug the model since it focuses on 
the source of the inconsistency with relevant details. 
To our experience, since there is an integer variable 
for the active state, checking the equivalence of 
these integers gave a first level of confidence. In 
case of error for that property, it is not necessary to 
check the other properties since the model should 
be first modified. Then the new formal process is 
applied again to make sure that the intended 
modification is done without side-effects (regression 
 
 matter) and that all the equivalences of outputs are 
correct. 
 
Implementation
Specification
 
Fig. 8 Generated trace showing inconsistency 
This process has been considered easy to use by 
the practitioners and much cheaper than the actual 
Technical Checks in force for a better level of 
quality, compared to the traditional technical checks 
relying on mental activity and subject to 
discrepancies. 
 
Below is a time consuming comparison between 
both verification processes: 
Fig. 9. Time comparison 
The statistical speedup is about 4 ~ 6 in terms of 
time spent by the engineer to achieve the verification 
(the elapsed machine time in couple of minutes for 
each property is not excluded here) by comparison 
with the technical checks. The formal verification 
process is cheaper for a better level of quality (due 
to a complete verification with model checking) and 
avoid to a large extent the human factor. 
 
6. Qualification 
 
The purpose of the verification tool qualification is to 
demonstrate that the tool works as expected in order 
to further be able to take credit on its usage as an 
alternative mean of verification. The further use of a 
qualified verification tool authorise to give up the 
Technical Checks in force. 
 
HybridTM qualification as a verification tool could be 
feasible since pre-qualification was initiated in the 
frame of the Safeair 2 project. Data should be 
collected based on the actual usage of the tool (up 
to now, more than 100 properties were checked with 
always the same type of property). Also, the options 
of the model-checker are always the same and the 
Ilabs algorithm is selected only for cases where real 
type variables occur in the models, which is normally 
not the case for StateflowTM diagrams. Inputs ranges 
are also to be considered to make sure that the 
verification is complete (not partial). 
 
Properties should be checked with independence for 
level A software according to DO-178B/ED-12B [4] 
(very simple since the property type is strictly always 
the same) thus the C code structure since generated 
with scripts should also be checked (or also 
qualified).  
 
To gain confidence in the model-checker itself, a 
qualification plan was initiated [5] within normal and 
abnormal conditions. Errors should be manually 
introduced in the embedded code reflecting an error 
in the stateflow2ssm manual convert. The results of 
the equivalence checking are then compared with 
the expected results obtained by the classical 
methodology. To complete the qualification of the 
new process, verification of the opposite property 
(signals should be at least different once) could be 
considered as well to give more confidence in the 
model-checker daily usage.  
 
A common mode in both code generations could 
exist but is highly improbable (a double source for 
verification could be subsumed). Therefore, such an 
error as present in the production code as well, 
should be detected by the functional tests in force. A 
proof of correspondence between the StateflowTM 
diagram specification and their requirements using 
the previously described use case [1] could be done 
with formal verification by HybridTM as well thus out 
of the scope of this paper.  
 
Dead code would not be any problem for the 
equivalence checking approach, but would indeed 
not be detected this way. However, the model-
checker could be used to detect dead code e.g. by 
assigning after each C-statement under examination 
a certain value to a dedicated analysis variable so 
that the task for the model-checker later is simply to 
find out whether the dedicated variable can get its 
certain value. However, SCADETM qualified coder 
generates such code only for a robustness matter. 
 
  
TC Project 1 Average
TC ssm / stateflow : 30 to 60 min
TC ssm / C (except kcg 4.2) : 60 min
Sum 90 à 120 min
Project 2
TC stateflow / C > 60 min
Proof
Code generation for verification, harness, 
proof-reading, compilation and properties 
definition
15 min
Formal checking by property (batch mode)                                
> 15 min for large / complex stateflow 
1 ~ 2 min in 95 % 
of the cases         
In case of overflow,  range of local variables 
to be changed
2 min
Proof reading of properties with 
independence 
1 ~ 5 min per 
Stateflow
Sum 20 ~ 25 min
 7. Conclusion 
 
In the absence of errors, this new verification 
process based on light-weight formal methods gives 
improved confidence of the StateflowTM diagrams 
implementation (mathematical equivalence of the 
possible behaviors of both C-codes within the 
specified ranges). It has been automated to a large 
extent to minimize the user intervention and was 
able to check industrial size StateflowTM 
implementation. It has been found quite easy to use 
and cheaper for a better level of quality while 
avoiding to a large extent the human factor. When 
qualification is achieved, such proof of equivalence 
could be used as an alternate mean of verification. 
 
 
 
8. References 
 
[1] SafeAir II Project: “Advanced Systems Development 
Environment: A methodology and a tool-set designed to 
develop aeronautics, automotive and space safety-critical 
systems”. CONVERGENCE’03 
 
[2] D. Richard Kuhn Ramaswamy Chandramouli: “Cost 
Effective Use of Formal Methods in Verification and 
Validation”, National Institute of Standards and 
Technology - Ricky W. Butler NASA Langley Research 
Center 
 
[3] P. LeGuernic, A. Benveniste, P. Bournai, and T. 
Gautier: “Signal , a data flow oriented language for signal 
processing”. IEEE-ASSP, 34(2):362–374, 1986. 2 
 
[4] DO-178B/ED-12B Software Considerations in Airborne 
Systems and Equipment Certification  - Radio Technical 
Commission for Aeronautics, (Ed.) 1992 
 
[5] Philippe Baufreton (Hispano-Suiza), Cyrille Rosay 
(CEAT): “Software aspects of qualification in the SafeAir 
II Project”, Cybernetics and Information Technologies, 
Systems and Applications, CITSA'04, Orlando, USA July, 
2004 
 
[6] M. Segelken. “Abstraction and Counterexample-
guided Construction of Omega-Automata for Model 
Checking of Step-discrete linear Hybrid Models”, . In 
W. Damm and H. Hermanns, editors, Computer Aided 
Verification, 19th International Conference, CAV 2007, 
volume 4590 of LNCS, pages 433–448. Springer-Verlag, 
July 2007. 
 
[7] R. K. Brayton, G. D. Hachtel, A. Sangiovanni-
Vincentelli, F.  Somenzi, A. Aziz, S. -T. Cheng, S. 
Edwards, S. Khatri, Y. Kukimoto, A.  Pardo, S. Qadeer, R. 
K. Ranjan, S. Sarwary, T. R. Shiple, G. Swamy, and  T. 
Villa: “VIS: a system for verification and synthesis”. In 
CAV, volume  1102, pages 428–432. Springer Verlag, 
1996. 
 
[8] E. M. Clarke, O. Grumberg, and D. A. Peled: “Model 
Checking”, volume  ISBN 0-262-03270-8. MIT Press, 
Cambridge, Massachusets, London, England, 1999. 
