hierarchical states, distributed simulation and co-execution, non-regression testing of SDL design.
This work has been initiated two years ago within the DARPA-RASSP program (RASSP, 1995) , and is being completed within the current ESPRIT-COMITY project (COMITY, 1997). 2. The SOL technology 2.1. SOL, a graphical formalism for real-time system modeling SDL is a specification and design language (ITU- ZI00, 1996) which has been standardized by the ITU (International Telecommunications Union). SDL is based on communicating finite state machines. The latter, called processes in SDL, are extended by data and communicate together by exchanging asynchronous messages, called signals. These signals are stored in FIFO queues, there is one common queue for each process. A complete set of graphical and formal symbols allows the designer to describe all the dynamics of a process. Main constructs available are: sending and receiving of signals, value assignment, timer manipulation, creation and deletion of process instances, function calls.
All these features make SDL well-suited for the design of event-driven, multitasking and distributed systems. SDL is largely used for the development of softwareintensive applications, for example in Telecom systems. SDL-based tools allow the validation of a system design, and the automatic transformation of SDL descriptions into executable code.
SDL is often used jointly with MSC, Message Sequence Chart (ITU-Z120, 1996) , which is also an ITU recommendation. Basically MSC diagrams correspond to chronologies of horizontal arrows, representing exchanged events, drawn on vertical bars, representing system's components. Figure 1 below depicts SDL and the associated MSC formalism. These graphical notations allows for intuitive modeling of systems. Moreover their underlying semantics guarantee the "one diagram, one meaning" postulate, and allow to check the consistency between MSC and SDL diagrams. 
SOL-based tools
MSC SDL has been experimented in RASSP through the application of the ObjectGEODE toolset to a signal processing application. ObjectGEODE (VERILOG, 1997) is an environment that supports the SDL language ( Figure 2 ): it provides a graphical interface to specify in SDL, as well as with associated languages MSC and UML (OMG-UML, 1997), efficient simulation tools, and full C autocoding capability that targets usual real-time operating systems. De 'ignTrllcer Therefore, the designer with ObjectGEODE can model its system, perform a formal verification by simulation (three modes are available: interactive, random and exhaustive), and generate automatically the code for producing the executable software application.
Limitations and extensions to SOL for HW-SW co-design
However the SDL notation and tools have two major limitations when dealing with HW -SW co-design and co-simulation:
• Describing the behavior of HW -SW system by means of nested states which represent the system's working modes is natural. Unfortunately SDL does not support a hierarchy of states, and actions cannot be associated to the entry or the exit of a state. • The command program (SW part) and the signal processor (HW part) must be tested independently. Unfortunately ObjectGEODE simulation is monolithic: the complete model is simulated as a whole and parts cannot be tested separately.
In order to solve these issues, extensions have been specified and developed. The project has started in mid-1997, in the context of a sub-contracting to Lockheed Martin Advanced Technology Labs (LM-ATL, 1997), to realize a project in the framework of RASSP.
In addition, another extension has been developed to automate non-regression testing: SDL operators are used to model the call to functions driving the signal processor; thus the SDL simulation has been extended to include these functions calls in the generated MSCs, and a semantic comparator has been developed to detect discrepancies in the chronologies of functions calls (including input parameters).
3. RASSP and the engineering of signal processing applications RASSP, for Rapid Prototyping of Application Specific Signal Processors, is "a major DARP AfTri-Service initiative to reinvent the development process of embedded digital signal processors (DSPs)", as announced in the statement of purpose (RASSP, 1995) . They aim to achieve no less than a "4x reduction in the time from concept to fielded prototype on both new designs and design upgrades, with similar improvements in life cycle cost, quality and supportability".
1. RASSP design methodology
A general overview of RASSP methodology for the design of embedded DSPs is represented in Figure 3 below. The system is formally specified and the resulting model can be executed via simulation. New methods for partitioning that enable reuse of existing designs and evaluation of each HW/SW solution are applied. Finally, physical prototypes are automatically generated for both HW and SW parts. A typical large scale architecture consists of a signal processing system which communicates with a command/control system. The signal processing system performs the high-bandwidth encoding/decoding and executes on DSPs. The signal processing system is modeled using a dataflow graph (DFG), and the command program (CP) is represented by a finite state machine. The command program is strongly related to the signal processing system, but it is often designed as part of the commandlcontrol system.
The command program (Figure 4) can be seen as an interface between the signal processing system and the rest of the command/control system. It translates systemderived or user inputs into commands accepted by the signal processing system and forwards the results produced. 
Hierarchical states
SDL users have often expressed the need to describe hierarchical state machines. This is for example the case in the autocoding project (Figure 4) , where hierarchical states are used to model the system operational modes monitored by the command program. In addition when handling hierarchical states, we need entering/leaving mechanisms; this can be achieved by entry/exit actions that are used in the autocoding project, to reprogram the signal processor when switching the modes. Thus based on Harel's Statechart notation (Harel, 1996) , we have introduced nested states and entry/exit actions in the SDL language.
Compared to the standardized SDL, the solution has consisted in introducing the concept of macro-state: a macro-state corresponds to an SDL Transition diagram, i.e. a diagram made of transitions starting from sub-states, the latter can themselves be macro-states.
Entry and exit actions have also been introduced in a similar way: two partial transitions, one starting from a label named "Entry", another one starting from a label named "Exit", can be added to a Transition diagram associated to a macro-state. The resulting behavior is that all the transitions starting from this macro-state are enriched at the beginning by the "Exit" transition, and all the transitions ending to this macrostate are enriched at the end by the "Entry" transition. When building the model, the designer can use macro-states and entry and exit actions in accordance with the rules given above. In order to simulate the model or to produce the executable code from this model, it is necessary to start a utility flattening the nested transitions and introducing the entry and exit actions, in such a way that the resulting model conforms to the SDL notation (ITU-ZlOO, 1996) .
Distributed simulation and co-execution
The designer may want to execute the HW and SW parts separately. For this purpose, ObjectGEODE toolset has been enhanced by introducing the concepts of MuT (Model under Test) and TM (Test Model): the MuT represents the signal processor, it is driven by the TM which represents the SW command program (Figure 5) .
At the modeling stage, the complete model is built in two parts: MuT and TM. This means that the SDL system has been modeled in the form of a partition of two SDL blocks.
At the simulation stage, the designer can simulate the MuT and the TM on two separate machines, allowing real independent execution. The authorized exchanges between the TM and the MuT consist in signals and data.
At the code generation stage, the designer can generate the C code for the MuT only and then drive the execution of the generated C code on the target, from the TM side which still runs in simulation mode, i.e. the simulated TM plays the role of a User Interface for the MuT.
~OL SOL §

Test Model
Simulation TCP/IP Communication User Interface (UI) Figure 5 . Co-simulation / Co-execution SOL-SOL
Non-regression testing
Model under Test
Simulation or Code generation
Command Program (CP) In order to automate non-regression testing, the ObjectGEODE simulator has been enhanced with a semantic comparator of MSCs. The main objective was to perform incremental testing while system design is evolving. During simulation, MSCs are produced reflecting the exchanges observed between the different components of the system (Figure 6) .
First of all, the production of MSCs has been enriched by taking into account the calls of functions (in SDL, this corresponds to the call of Abstract Data Types operators). Input parameter values are also taken into account. From the HW-SW comodeling point of view, the functions represent the lower level signal processor control commands such as create queue, write variable etc .. 
Discrepancies detected
Then during a simulation session, the designer can generate the MSC corresponding to the current scenario. Afterwards, the designer can compare the produced MSC with another reference MSC. Semantic discrepancies are detected and can be located graphically in the SDL design.
Current tool achievements & further work
The previous three extensions have been developed in the context of RASSP. They are now being completed in the COMITY project whose objective is to develop a set of techniques and tools for the design and prototyping of embedded systems, with application to telecommunication, automotive and aerospace domains.
The extension to support hierarchical states is already available in the latest commercial release of ObjectGEODE, as well as an MSC comparator but limited to a syntactical comparison only.
At last, we are currently implementing a new coupling between the ObjectGEODE toolset and a VHDL generator through a partitioning module for HW -SW co-design (EETimes, 1998) .
Conclusion
The extensions that have been developed in this project, bring highly valuable benefits to the SDL designer in the field of embedded systems. Thus HW -SW system design can be simulated and verified earlier; the designer realizes an abstract modeling and simulation takes place at system level. Behavioral design errors are detected faster, non-regression testing is performed semi-automatically, and the design process is always repeatable.
