Functional test generation for dynamic validation of current system level designs is a challenging task. Manual test writing or automated random test generation techniques are often used for such validation practices. However, directing tests to particular reachable states of a SystemC model is often difficult, especially when these models are large and complex. In this work, we present a model-driven methodology for generating directed tests that take the SystemC model under validation to specific reachable states. This allows the validation to uncover very specific scenarios which lead to different corner cases. Our formal modeling is done entirely within the Microsoft SpecExplorer tool to describe the specification of the system under validation in the notation of AsmL. We also exploit SpecExplorer's abilities for state space exploration for our test generations, and its APIs for connecting the model to implementation programs to drive the validation of SystemC models with the generated test cases.
INTRODUCTION
SystemC [16] is increasingly being used for system level modeling and simulation during the first phases in a product's design cycle. The modeling and simulation undergoes ample validation and debugging before resulting in a functionally correct SystemC implementation model. Validation by simulation requires designers to generate a set of input sequences that exercise all the relevant and important properties of the system. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. A property of the system describes a characteristic of that system. For example, a FIFO component may ignore inputs when it is full. Testing this property requires the input sequences that transition the system to that state. Thus, one needs to generate input sequences which cover trivial and nontrivial cases of a system. However, coming up with these input sequences is not always trivial. This is particularly true for large and complex designs where it is difficult to identify and describe the input sequences to reach a particular state [5, 13] . Furthermore, there may be multiple paths (different input sequences) that transition the system to the same state. Authors in [5] provide test case generation by performing static analysis on the SystemC source and then use supporting tools for generating tests. This approach is often limited by the strength of the static analysis tools, and the lack of flexibility in describing the reachable states of interest for directed test generation. Also, static analysis requires sophisticated syntactic analysis and the construction of a semantic model, which for a language like SystemC built on C++ is difficult due to the lack of formal semantics. In fact, [5, 13] does not precisely describe a semantics for SystemC. For this reason, it is important to provide designers with a methodology and set of tools that ease the burden of directed test case generation and diagnosis.
SpecExplorer is a tool developed by Microsoft for model-based specification with support for conformance testing. The essence of SpecExplorer is in describing the system under investigation as a model program either in AsmL [17] or Spec# [14] and performing conformance tests on an implementation model in the form of some software implementation. The model program in AsmL serves as a formal specification of the intended system because AsmL employs the Abstract State Machine (ASM) [4, 9] formalism. From here on, we use "specification" interchangeably with "model program". ASMs allow for specifying hardware or software systems at the desired level of abstraction by which the specification can focus on only the crucial aspects of the intended system. The added quality of ASM specifications being executable, aids in verifying whether the specification satisfies the requirements, whether the implementation satisfies the specification and transitively whether the implementation satisfies the requirements. This makes ASMs and SpecExplorer a suitable formalism and tool respectively for semantic modeling, simulation and as we show in this paper, for exploration and test case generation.
Previous works in [12, 11, 8] use SpecExplorer to put forward a development and verification methodology for SystemC. Except their focus is on the assertion based verification of SystemC designs using Property Specification Language (PSL). Their work mentions test case generation as a possibility but this important aspect of validation was largely ignored. We were not able to employ any of the work done by these authors because their tools are unavailable. Figure 1: Discrete-Event semantics using AsmL
Authors of [13] propose labeled Kripke structure based semantics for SystemC and predicate abstraction techniques from these structures for verification. They treat every thread as a labeled Kripke structure and then define a parallel composition operator to compose the threads. They also provide formal semantics to SystemC. This is similar to work by [5] with the formal semantics for SystemC. Our work is different in that we provide a model-driven approach opposed to extracting a formal model from the implementation. The authors of [13] create their abstract model from the implementation. Moreover, they do not present any algorithms for traversing the parallely composed Kripke structures for test generation.
The authors in [15] presented the ASM-based SystemC semantics that was later augmented for the newer versions of SystemC by [12] . However, the original ASM semantics in [15] In this work, we present a model-driven methodology for not only specifying and developing but also validating system level designs for SystemC. Figure 2 shows a block level schematic of the model-driven methodology. We create an abstract model from a natural language specification and this abstract model is what we call the semantic model. It is specified using AsmL (an implementation language for ASMs). Since SystemC follows the DiscreteEvent (DE) simulation semantics, we provide an AsmL specification for the DE semantics such that designers can mimic the modeling style of SystemC while using AsmL for their intended design. The specification for the intended system can then be executed with the DE specification. For testing whether an implementation model satisfies the specification, SpecExplorer provides tools for exploration and test case generation. Exploration results in generating an automaton from the specification. This automaton is then used for creating test cases. However, SpecExplorer only allows links to C# and Visual Basic implementation models, but for our purpose we require bindings to the implementation model in SystemC. To do this, we provide two wrappers that export functions of the SystemC library and the implementation model to libraries that are used in SpecExplorer. These functions are used in a C# interface wrapper and then bound in SpecExplorer. Figure 2 represents the wrappers as the link between the simulator and implementation. We use SpecExplorer's exploration and test case generation to create tests that are directed to reach certain interesting states of the intended design and at the same time executed for checking whether the implementation model conforms to the specification.
Main Contributions
This work presents a methodology for specification, model-driven development and validation of SystemC models. This methodology is based on Microsoft SpecExplorer. In this paper:
• We provide a formal semantics for SystemC DE simulation using ASMs as the semantic foundation.
• Using Microsoft's AsmL, we provide an executable AsmL specification for SystemC DE simulation and show how abstract ASM models of intended designs can be simulated within Microsoft SpecExplorer according to our abstract DE semantics. Source code for this AsmL executable semantics for SystemC DE is available at our website [7] .
• We show how to do directed test generation and diagnosis for bug finding for an implementation by using SpecExplorer's test generation tool.
BACKGROUND

Abstract State Machines
Simply stated, Abstract State Machines (ASMs) [4, 9] are finite sets of transition rules. A transition rule consists of a guard and an action. A transition rule looks like if Guard then Updates where the "Guard" evaluates to a Boolean value and "Updates" is a finite set of assignments. The set of assignments update values of variables of the state. These assignments are depicted as
where t0 to tn are parameters and f denotes a function or a variable (a 0-ary function). At each given state (also referred to as a step), the parameters t0 to tn are evaluated first to obtain their values denoted by v k for k = {0, ..., n} respectively. Upon the evaluation of v k , the functions in the Updates set are evaluated. Hence, f (v1, ..., vn) is updated to v0. A run of an ASM simultaneously updates all transition rules whose guard evaluates to true in that state.
There are several ASM variants whose basis is the standard ASM as described above. Examples of the variants are Turbo-ASMs [4] , synchronous ASMs and distributed/ asynchronous ASMs [4, 15] . Each of these variants posses certain descriptive capabilities. For example, Turbo-ASMs are appropriate for expressing sequential composition, while loops and other specific constructs aiding in composability.
SpecExplorer & Exploration
SpecExplorer is a modeling, simulation and exploration environment developed by Microsoft [17, 1] that is used for modelbased specification and conformance testing of software systems. The language used for specification can be either AsmL [10, 3] , a derivative of ASMs or Spec# [14, 2] .
SpecExplorer provides methods for generating automata based on the designer's input for exploring the specification. The designer specifies the actions of interest in the exploration settings, for an FSM to be generated. These actions are functions in the specification. They can be classified into four types: controllable, observable, scenario and probe [17] . Controllable actions are the functions that are invoked by SpecExplorer and observable are the actions that SpecExplorer waits for a response from the implementation model. Probe actions simply query for state information and scenario actions provide a way of reaching a starting state for the exploration. Selectively exploring transitions of the specification is possible via a variety of methods such as parameter selection, method restriction, state filtering and state groupings. We direct the reader to [17, 6] for further information regarding exploration techniques in SpecExplorer.
Accepting states describe the states at which a test must finish. These accepting states are defined using a state-based expression. For example, a simple true suggests that all states are accepting states and FULL = true suggests that only the states where the state variable FULL is true are accepting states. The test case generator uses this state-based expression and computes all possible paths from the initial state to the accepting states given that all other constraints such as state filters are satisfied. Our methodology uses the accepting states and methods for selectively exploring transitions for directing the test case generation and diagnosis.
Discrete-Event Semantics using ASMs
Our Discrete-Event semantics specification uses Turbo-ASMs with object-orientation and polymorphism capabilities of AsmL. We specify the simulation semantics in the DiscreteEvent class shown in Figure 1 . The numbers associated with each function shows the order in which these are executed. For example, after the instantiations of the variables in (1), the entry point is the triggerDiscreteEvent function marked with (2) . Note that we use AsmL's parallel constructs such as the forall in triggerBehaviors to specify parallel execution of the behaviors. This corresponds well to the unspecified execution order of the processes in SystemC's simulation semantics. We have created additional classes that help the designer in describing a semantic model in AsmL so that it follows our Discrete-Event simulation semantics. Examples are the deNode class that represents the behavior of a specific process and the deGraph that represents the netlist of the entire design. Anyhow, we do not present these here because the focus here is test generation. The entire semantics is downloadable via the web at [7] .
The simulation begins with a function start that is not shown in Figure 1 . This function updates the state variables stopTime and designGraph that hold the duration of the simulation and a structural graph of the system being modeled respectively. After the values of these two variables are updated, the simulation begins by invoking triggerDiscreteEvent. This initializes the simulation by triggering every behavior in the system that in turn generate events. After this, the simulation iterates through the evaluate, update and proceedTime functions. In AsmL until fixpoint only terminates when there are no updates available or there is an inconsistency in which the simulation throws an exception. The processEvents function retrieves a set of events that match simClock and these events are triggered via triggerBehaviors. The update function invokes an update on all specified channels very much like SystemC and the proceedTime forwards the simulation time by calling nextEvent. The nextEvent returns an event from the event set. The semantics of this enforce the processing of all delta events first before the next timed event.
DESIGN FLOW
The necessary components in employing this design flow are shown in Figure 3 . We separate these components into four phases. These phase separations also describe the steps that a designer takes in using this methodology. Note that modular development of the system is possible and recommended, but in our description here, we assume the designer fully describes the system in each phase before proceeding to the next. This is done here to describe the methodology concisely and transparently. We also annotate Figure 3 with functions specific for a hardware FIFO component as our intended system (and from here on referred to it as that). We later describe this example in detail in Section 4.
Semantic modeling & simulation
A typical usage mode of this methodology starts in phase A. In this phase, the designer creates the semantic model using constructs introduced by our DE simulator in AsmL. For example, our semantic model of the FIFO component contains class declarations for the FIFO component, a test driver and a clock. The modeling is fashioned to be similar to SystemC's modeling style so that there can be a direct mapping from the specification to the implementation. We show two of the important functions invoked by the driver that provide stimulus for the system. They are WriteRequest and ReadRequest. These functions also specify the contract between the specification and the implementation model during test case generation. Once the semantic model is specified in AsmL, SpecExplorer's model simulator is used to validate the semantic model by simulation. One can also use some of the model checking links of SpecExplorer but we did not explore that for now.
SystemC modeling, simulation & wrappers
Modeling
The second phase B is where the designer implements the FIFO component in SystemC, which we call the Implementation model. It also contains some of the same functions that are listed in the Semantic model in phase A. This is a result of having a clear specification of the system before moving to an implementa- 
Simulation
The implementation model is simulated with the OSCI SystemC [16] simulator and if required, any other supporting tools may be used. This is standard practice when developing systems in SystemC.
Wrapper generation
Once the designer is satisfied with the simulation, two sets of wrappers must be created. The first wrapper exports functions from the SystemC library and the second exports functions from implementation model.
SystemC wrapper.
From the SystemC library, the only function that has to be exported is sc start(). This function is responsible for executing the SystemC simulation. Note that this is done only once and then can be reused, because this same exported function is used for executing the simulation for different implementation models. However, we require the SystemC library to be a static library. This enables invocations of exported functions from a C# program. This does not incur any changes to the original source code but instead, we declare the sc main() in an additional source code file to allow for static compilation.
Implementation model wrapper.
For the implementation model the designer must be aware of the functions that stimulate the system. This is because the test cases generated will invoke these functions to make transitions in the implementation model. For the FIFO component the designer may have implemented a driver component during the modeling and simulation to control the signals for write and read requests. These inputs stimulate the FIFO component and should be the signals that are toggled during the execution of the test cases. Therefore, we first add global functions WriteRequest and ReadRequest that change the value on the respective write and read signals and then export these functions. In addition, we export two functions necessary for setting up and cleaning up the simulation denoted by FifoSetup and FifoCleanUp. The setup function creates a global instance of the FIFO component and its respective input and output signals, and the clean up releases any dynamically allocated memory during the setup. Once these functions are exported, a C# program can simulate the FIFO component using the exported functions.
C# interface for SpecExplorer & SystemC
Phase C glues SpecExplorer with SystemC via C# such that the execution of the test cases generated by SpecExplorer symmetrically perform transitions in the implementation model. This conveniently allows the test cases to traverse the implementation model's state space as it does in the generated automaton in SpecExplorer.
The C# interface imports functions from the SystemC and the implementation model wrappers. These imported functions act as regular global functions in the C# program. We create an abstract C# class with members for the setup, clean up, requesting a write, and requesting a read. Each of these members invoke the imported functions. This allows SpecExplorer to invoke the members in the abstract C# class that in turn invoke the functions exported in the wrappers. It is necessary for the C# class members to have the exact function signatures as described in the specification. For example, WriteRequest takes an input argument of integer type and returns a void, so the C# class member must have this exact same type signature. If this does not conform, then the bindings from SpecExplorer are not possible. Furthermore, the C# program must be compiled as a class library to load it as a reference in SpecExplorer.
Validation, test case generation & execution
The final phase D is where the test case generation and execution are done. This validation phase again requires some setup but it is necessary to have the components described in phases A to C completed before proceeding with this phase. In this phase, the designer decides what properties of the system are to be tested. Based on that decision the designer selects actions in the exploration settings and the accepting states where the tests should terminate. Then an automaton is generated. Before executing these test cases, bindings to the actions selected for exploration must be made. These actions are bound to members in the C# class library. The execution of the test cases makes transitions in the automaton generated in SpecExplorer and simultaneously stimulates the inputs in the implementation model making the respective state transitions. Inconsistencies and errors can be detected in this validation phase. SpecExplorer also shows a trace of the path taken on each test and the point at which a failed test case throws an exception. This helps the diagnosis of problems in the implementation.
RESULTS: VALIDATION OF FIFO
We elaborate on the FIFO component example in this section by presenting a block diagram in Figure 4 . This is a simple FIFO component parameterized by n that represents the size of the FIFO. The inputs to the FIFO are WR, RD, DI and CLK and the outputs are If the FIFO is not full, then the data available at DI is stored in the FIFO. Otherwise, the data is not inserted. The RD input requests a read on the FIFO. This extracts the top data element and outputs it onto DO while raising the signal on DV signifying that a data is valid. FULL is raised high when the FIFO reaches its maximum size n and EMPTY when the number of elements in the FIFO are zero. This FIFO component is triggered on the rising edge of the clock CLK and every request takes two clock cycles. The RESET simply clears out the FIFO and again takes two clock cycles.
AsmL specification & SystemC implementation
We present the crux of the FIFO component's behavior as an FSM in Figure 5 for both the semantic and implementation model. The FSM has three states INIT, REQUESTS and WAIT. The initial state of the FSM is INIT after which it enters the REQUESTS state. Upon receiving a request of either read or write, the FULL and EMPTY states are updated via the Full and Empty functions. If a write is requested, then the respective states and flags are updated and the same is done if a read was requested. The write request is given priority whenever both requests are simultaneously made. After the requests are serviced, the state of the FSM is changed to WAIT, which is when some of the state variable values are reset and the state is returned back to accepting requests at the next step. Note that the WAIT state in the SystemC implementation model could use SystemC's wait if a SystemC SC THREAD process type is used. In our implementation model we use SC METHOD SystemC processes and hence the need for an internal WAIT state. The lines marked with a star are added only during exploration to better focus on the states of interest. Due to the lack of space we do not elaborate on the techniques used for pruning the state space. 
Test cases for specific properties
Notice that we have intentionally commented out code fragments in Figure 5 that can possibly cause an overflow and an underflow situation. This depicts possible modeling errors and bugs in the implementation. Now, we present test case generation for validating whether these two basic but essential properties of the FIFO hold. The overflow situation occurs when a write is requested and when the FIFO is full. An underflow occurs when a read is requested and the FIFO is empty.
To generate test cases for the overflow property, we must perform n+1 number of successful writes without any read requests. Knowing that the FULL status is evaluated only when a request is issued, it is possible to direct the test case generator to generate all possible paths for n+1 write requests. The necessary steps in doing this are: 1) adding WriteRequest and FSM as controllable actions in the exploration settings, 2) changing the default input values written onto DI as just 1 and 3) setting the accepting state as all states when the FULL state variable evaluates to true. This results in all possible input sequences to the state where FULL is enabled. The expected automaton from these constraints should be simple, where every transition attempts at enabling WriteRequest with the value 1. The corresponding automaton generated by SpecExplorer is shown in Figure 6 (a). The accepting states are shaded and every transition performs a write request with a value 1. It is possible to vary the values as well but the concept is easily understood by simplifying the automaton with only one input value.
Executing test cases generated from this automaton raises an exception when the fourth successful write request is made. This suggests that there is a discrepancy between the specification and the implementation at the particular state when the FIFO is full. SpecExplorer provides an interface for viewing and following the transitions taken in the test cases before the exception was thrown. This is important because it makes it easier for a designer to locate the transition at which a possible error exists. Furthermore, a backtrace to the initial state shows the diagnosis or the input sequence that leads to this erroneous state. This is advantageous for the designer because the error can also be duplicated. Evidently, the code fragment marked as a possible overflow situation in Figure 5 causes this erroneous behavior. Removing this yields in successful execution of the test cases.
Generating test cases for validating the underflow property is done using a similar approach. The required steps in checking for underflow require the following: 1) adding ReadRequest and FSM as controllable actions in the exploration settings and 2) making the accepting state to be when the EMPTY state variable evaluates to true. The resulting automaton is shown in Figure 6(b) .
Executing the test cases for this automaton again shows that there is a violation in the implementation. This occurs at the first successful ReadRequest. This is correct because at the first read request, the FIFO has no elements stored in it, which causes EMPTY to be enabled. Since our implementation model shown in Figure 5 has the error marked as a possible underflow, the implementation throws an exception at this first read request. Once again, by uncommenting the erroneous fragments, the test cases all succeed.
CONCLUSIONS
We present a model-driven methodology for validating systems modeled in SystemC. Our approach uses the formal semantic foundation of ASMs via AsmL for semantic modeling and simulation. This formal specification captures the requirements of the intended system at a high abstraction level and defines a contract with the implementation model. The formal specification in AsmL helps in serving any necessary proof obligations required for the designs as well. The designer can then follow this specification when creating the implementation model and since ASMs describe state ma- chines, the mapping to SystemC implementation is intuitive and natural. After the wrapper generations, SpecExplorer's test case generation can be directed to generate test cases for reaching interesting states in the system. A diagnosis is also provided on these test case executions. SpecExplorer has previously been used for proposing verification methodologies for SystemC designs, but not for test case generation and execution. This is an important addition to the validation of SystemC designs. The FIFO example described in detail discusses the exploration techniques necessary in employing this methodology. Our methodology is distinct from most other methodologies that extract a formal model from SystemC designs, which is error prone in absence of precise formal semantics of SystemC. In our case, we first capture precise semantics of simulation in AsmL, and then model the intended design in AsmL to use it as a model for "model-driven" validation, which is different from extracting semantic models directly from the implementation. Even though we present our methodology as a model-driven validation approach from the semantic model to the implementation model, it is possible to write semantic models from existing designs and then the semantic model can be used for test case generation purposes.
Our overall experience in using this methodology has been positive in evaluating whether the semantic and implementation models conform to each other. The main difficulty as discussed was in knowing how to use SpecExplorer and its methods for state space pruning and exploration. This is especially true for large and complex designs. However, this methodology scales effectively due to the ease in raising the abstraction level using ASMs. This makes it much easier to focus on only the essential aspects of the system. Furthermore, after familiarizing with the techniques of state space pruning and exploration, the task of directing the test case generation is routine. Our semantic and implementation models and wrappers will be available on our website.
