Design for verification of SystemC transaction level models by Ali Habibi & Sofiène Tahar
Design for Veriﬁcation of SystemC Transaction Level Models
Ali Habibi and Soﬁ` ene Tahar
Department of Electrical and Computer Engineering
Concordia University
1455 de Maisonneuve, West
Montreal, Qu´ ebec, H3G 1M8, Canada
Email: {habibi,tahar}@ece.concordia.ca
Abstract
Transaction level modeling allows exploring several SoC de-
sign architectures leading to better performance and easier veriﬁ-
cation of the ﬁnal product. In this paper, we present an approach
to design and verify SystemC models at the transaction level. We
integrate the veriﬁcation as part of the design-ﬂow. In the pro-
posed approach, we ﬁrst model both the design and the properties
(written in PSL) in UML. Then, we translate them into an in-
termediate format modeled with Abstract State Machines (ASM).
The ASM model is used to generate an FSM of the design includ-
ing the properties. Checking the correctness of the properties is
performed on-the-ﬂy while generating the state machine. Finally,
we translate the veriﬁed design to SystemC and map the proper-
ties to a set of assertions (as monitors in C#) that can be re-used
to validate the design at lower levels through simulation. We il-
lustrate our approach on two case studies including the PCI bus
standard and a generic Master/Slave architecture from the Sys-
temC library.
1. Introduction
SystemC [10] is a relatively new system level language pro-
posed to overcome the problem of the growth in complexity and
sizeofsystemscombiningdiﬀerenttypesofcomponents.SystemC
meetstheneedforasystemlevellanguagethatcanﬁllthegapbe-
tween hardware description languages (HDLs) and traditional
software programming languages. For that reason, it is more im-
portant to focus on deﬁning methodologies and techniques for
SystemC transactional models a ﬁnite set of architecture com-
ponents (memories, CPUs, etc) communicate among each other
over shared resources (buses).
Untilrecently,modelingarchitecturesrequiredpin-levelhard-
ware descriptions, typically RTL level. Great eﬀort is required to
design and verify the models, and simulation at this level of de-
tail is tediously slow. Transaction level modeling is eventually
the best solution. In addition to the design’s approach issue, the
veriﬁcation of a SystemC model is a serious bottleneck in the
design cycle. Going further in complexity and considering hard-
ware/software systems will be out of the range of nowadays used
simulation based techniques.
InconventionalHDLdesigns,deﬁningthesystem’sproperties
andspeciﬁcationisitselfaproblem.Inordertoprovideaneﬃcient
languagetowriteassertionsandproperties,theAccelleraorgani-
zation proposed the Property Speciﬁcation Language (PSL) [1],
which addresses the lack of information about properties and de-
sign characteristics. Nevertheless, deﬁning the language itself is
not enough to improve both the design and veriﬁcation ﬂows.
In this paper, we ﬁrst provide a methodology to design Sys-
temC transactional models starting from the UML level where a
more precise speciﬁcation of the system and its properties are de-
ﬁned. We used a modiﬁed sequence diagram representation to
capture more precise properties description. The UML model is
then mapped to an Abstract State Machines (ASM), a formal
speciﬁcation method for software and hardware systems that has
become successful for specifying and verifying complex systems.
ASMsprovidefeaturestocapturethebehavioralsemanticsofpro-
grammingandmodelinglanguageswherelargesystemsaremod-
eled on a high level of abstraction allowing easier validation and
veriﬁcation operations. We considered AsmL language [8] which
was developed at Microsoft because: (1) it eﬀectively supports
speciﬁcation and rapid prototyping of diﬀerent kinds of models;
(2)itincludesatesterthatcanbeusedtogenerateﬁnitestatema-
chines (FSMs) and test cases.
Toenabletheintegrationofboththemodelandtheproperties
attheASMlevel,weembeddedthePSLsemanticsinASM.Atthis
level, it is possible to verify these properties using model check-
ing. For instance, we encode the property’s evaluation in every
statewhichenablesevaluatingitscorrectnesson-the-ﬂywhileex-
ecuting the FSM generation algorithm (part of the AsmL tool).
Anincorrectpropertydetectionstopsthereachabilityalgorithms
and outputs a sub-portion from the complete FSM which repre-
sents a complete scenario for a counter-example. Eventually, not
all the properties can be veriﬁed due to the state explosion prob-
lem. For this reason, we complement our veriﬁcation methodol-
ogybyintegratingthepropertiesasassertionmonitorsintheﬁnal
SystemCdesign.WecompilethePSLproperty(inASM)toaC#
while the SystemC model (in ASM) is translated SystemC. Both
codes are then combined to form a single model enabling the ver-
iﬁcation of the assertions by simulation.
The rest of this paper is organized as follows: Section II
presents the proposed design methodology. Section III discusses
theproposedveriﬁcationapproach.SectionIVillustratesourap-
proach on two bus structure case studies. Finally, Section V dis-
cusses the related work and concludes the paper.
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE 2. Design Methodology
Ourdesignmethodology,asdisplayedinFigure1,includestwo
parallelpathsconcerningthedesignanditsproperties.Wemodel
the design in the classical way a C++ design is modeled using
UML (i.e., using use cases, class diagrams, etc.) Then, we trans-
late the UML model to ASM in order to perform model checking
of certain properties. These latter are extracted from the UML
sequence diagram and encoded in the PSL syntax. The veriﬁca-
tion process ends to: (1) a completion either with a success or
failure of the property; or (2) a state explosion. The UML up-
dateandUMLtoASMtranslationtasksarerepeateduntilallthe
propertiespasseswithsuccesseithersucceedsordonotcomplete.
Then, we compile the PSL properties into a set of C# classes, us-
ingtheAsmLtooltobeusedasassertionmonitors.Thedesignin
ASMis,fromtheotherside,translatedtoC++(SystemCmodel)
and co-integrated with the assertions for veriﬁcation by simula-
tion.
UML Level
Use Case
Class Diagram
Sequence Diagram
AsmL Tool
P
r
o
p
e
r
t
i
e
s
 
f
a
i
l
s
SystemC Design
ASM Level
PSL Properties
Updates Sequence 
Diagram
SystemC Model in ASM PSL Properties modeled
in ASM
C++/C# Level
PSL Properties modeled
in C#
SystemC modeled
in C++
Compilation
Mapping
Translation
Figure 1. Design and Veriﬁcation Methodology.
2.1. Modeling PSL Properties
PSL is an implementation independent language to deﬁne
properties. PSL is a hierarchical language, where every layer is
built on top of the layer below. This approach allows the express-
ing of complex properties from simple primitives.
2.1.1. UML Model Using UML as a high level of abstrac-
tion for design showed a lot of success when applied to Software.
Main proposals consider either to use UML as new system level
design [2] or as top layer in combination with existent languages
(such as SystemC)[11]. Nevertheless, these proposals neglected
totallyconsideringthepropertiesofthesystem(PSLlikeproper-
ties in particular) while sequence diagrams for example includes
very useful information to set transaction properties for TLM in
particular.
Unfortunately, sequence diagrams do not allow a direct map-
ping to PSL due to two reasons: (1) the complexity of the PSL
propertywhichmayincludetemporaloperators;and(2)theneed
forinstantiationinthePSL.Infact,PSLwasdeﬁnedforarealin-
stances from the design formed from objects while the sequence
diagram considers only classes. For these facts, UML will not
present completely and precisely all PSL property. However, it
can be used to provide a general skeleton of the property that
could be reﬁned and instantiated at the ASM level.
In order to make the UML sequence diagram more adequate
for PSL representation, we introduced the following operators:
Clocks: weusetheoperator tospecifytheclockthatactivatesthe
current action (if there exist one).
Number of cycles: every action can be include the information
about after how many cycles the method is start executing (for
e.g., Mtd[5]() says that the method Mtd is executed for exactly 5
consecutive cycles).
Temporal operators: these includes operators specifying if the
method will be always executed (A), eventually executed (E),
executedUntilaconditionisfulﬁlled(U),etc.These,infact,rep-
resent a mapping to the PSL temporal operators (second layer of
PSL).
Sequence operations: includes information about the order of ex-
ecuting certain sequences (for e.g., next, prev etc.)
Text output: refers to a message that is displayed in case the
method fails. This is included in PSL to track the progress of
the assertion based veriﬁcation.
Method duration: certain methods are supposed to execute for a
certain number of cycles (for e.g., reading for memory may take
4 cycles). So, we added an operator $ to specify such an informa-
tion.
Figure 2 gives an example of a sequence diagram describing a
PSL property saying that if a bus sends a new request, then in
the next cycle the arbiter will be notiﬁed and will make the ar-
bitration. In the third cycle, the Master starts sending. The bus
is released in the 4 cycle and a notiﬁcation will be sent, eventu-
ally, by the slave to the bus who will forward it in the next cycle
to the Master.
Figure 2. Example of a Modiﬁed UML Sequence diagram.
When mapping to ASM the UML sequence diagram needs to
be instantiated according to the design objects. For instance we
need to specify, for example, that the notiﬁcation must be to the
original master and not to all the masters.
2.1.2. ASM Model Abstract State Machines (ASM) [7] is a
formal speciﬁcation method for software and hardware systems
that has become successful for specifying and verifying complex
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE systems. There are many languages that have been developed for
ASMs, the recent one is AsmL [8] which was developed at Mi-
crosoft. The AsmL tester can also be used to generate ﬁnite state
machines (FSMs) and test cases. We notice that AsmL is lan-
guage that supports object-oriented modeling at higher level of
abstractionincomparisontoC++andJava.So,itisnotagraph-
icalrepresentationbutaprogramminglanguagethatcanbeused
to describe system models either as abstract state machines or
programming models.
There are two ways to embed PSL properties into the design,
either into the design code itself or by adding them as external
monitors. We adopted the ﬁrst approach, where all the parame-
ters ofPSLproperties are deﬁnedas objects.Theobjective ofthe
embedding is to reuse PSL properties, as embedded in ASM, at
lower design levels since the AsmL tool can automatically com-
pilethemintoaC#or.NETcode,whichcanbecompiledandex-
ecuted with the concrete SystemC level or as a stand-alone mod-
ule.
PSL properties are deﬁned in a hierarchical way inspired from
the hardware design modular concept. For this reason we deﬁned
the embedding in a similar structure, where all the components
are deﬁned as objects and every PSL layer extends its lower layer
using the inheritance feature of AsmL.
Boolean Layer:
This layer is the basic layer of PSL. Even though it is called
Boolean layer, it includes types other than Boolean such as inte-
gers and bit vectors. We embedded this layer in ASM by deﬁn-
ing classes for all types and expressions including their methods.
Our embedding is based on the semi–formal semantics presented
in the reference manual [1], and the formal semantics deﬁnition
in HOL [4].
The embedding of the PSL Boolean layer mainly includes:
(1) Expression type class includes the basic 5 types: Boolean,
PSLBit, PSLBitVector, Numeric and String.B o t hBoolean and
String typesaredirectlyinheritedfromtheASM’sAsmL.Boolean
and AsmL.String, respectively.
(2) PSL Expressions includes constructing properties using the
implication and equivalence operators.
(3) PSL Built Functions include all the functions deﬁned by PSL
to operate at the Boolean layer. We distinguish here two meth-
ods:amethodthatprovidesthepreviousvaluesofavariable(e.g.,
prev())andamethodthatprovidesthefuturevaluesofavariable
(e.g., next()).
Temporal Layer:
The most important part of this layer is the SERE feature,
which embedding mainly includes:
(1) Sequential Expressions, where a SERE is deﬁned as an AsmL
sequenceofBoolean.Itoﬀersseveraloperationstoconstruct,ma-
nipulate and evaluate the SERE expression. (2) Properties in-
cluding the operations necessary to create properties from se-
quential expressions. It also controls when and how the sequence
is to be veriﬁed (i.e., the property “verify the sequence is true af-
ter n states” is deﬁned as PSL Property.EvaluateNext(n)).
Figure 3 shows the example of the PSL SERE.Evaluate(),
which checks if a sequence is true in a certain path. This method
is activated according to an INIT signal that must be set by the
property.
Veriﬁcation Layer:
class PSL_SERE
// Memebers
var m_size as Integer = 0 var m_seq as Seq of Boolean
var m_cycle as Seq of Integer var m_actualState as Integer = 0
var m_evaluation as SERE_Evaluation = NOT_STARTED
// Methods
public Evaluate() as SERE_Evaluation
require m_evaluationState = INIT
if(me.m_seq(m_actualState) = false)
m_evaluation := FAILED return FAILED
else
if m_actualState = m_size
m_actualState := m_actualState + 1 return IN_PROGRESS
else
m_actualState := 0 return SUCCEEDED
Figure 3. Embedding PSL SERE in ASM.
This layer is intended to tell the veriﬁcation tool how to per-
form the veriﬁcation process. It allows to construct assertions
from properties and to specify relations between them. The em-
bedding mainly includes:
(1) Veriﬁcation Directives to specify how the property will be
interpreted (assertion, requirement, restriction or assumption).
This class extends the PSL Property class from the temporal
layer.
(2) Veriﬁcation Unit is a compact way to include several proper-
ties together. The embedded class includes several operations to
add/remove and update the unit’s list of properties.
Modeling Layer:
Thislayerisnotusedinourveriﬁcationapproachsinceitisin-
tended for VHDL and Verilog ﬂavors of PSL. So we did not con-
sider it in our embedding.
2.2. Modeling SystemC
SystemCisbuiltonstandardC++.Thecorelanguageconsists
ofanevent-drivensimulatorasthebase.Itworkswitheventsand
processes. The other core language elements consist of modules
andportsforrepresentingstructures.Interfacesandchannelsare
used to describe communications. SystemC provides data-types
for hardware modelling and certain types of software program-
ming as well.
2.2.1. ASM Model The design model at the ASM level is
purelyobject-orientedwhereeveryclassincludesasetofparame-
ters and methods. The particularity of this model resides in the
factthatitwillbeusedtogenerateanFSMusingthereachability
algorithm embedded AsmL tool. So, a speciﬁc style of program-
mingisrequiredinadditiontoapreciseconﬁgurationofthealgo-
rithm.BeforegoingfurtherintothedetailsoftheASMmodel,we
will discuss the FSM generation algorithm which will give a bet-
ter idea about the requirements of the ASM model.
The FSM generation algorithm requires as input: domains,
methods, actions and variables (optional inputs are ﬁlters, ac-
tion groups and properties). The transitions in the FSM are the
method calls (including argument values) in the test sequences.
The methods in the model program that appear in the transi-
tions are called actions. The states in the FSM are determined
by the values of selected variables in the model program, called
state variables. The algorithm generates the FSM by executing
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE the model program in a special execution environment, keeping
track of the actions it performs and recording the states it vis-
its. This process is called exploration. Usually a model program
implies so many states and transitions that it is not feasible to in-
clude them all in the FSM, so it is a must to limit the number of
states and transitions that the tool explores.
The ﬁnal FSM will, according to the algorithm’s conﬁguar-
ion options, represent only a portion – an under-approximation
– of the huge FSM that would result if the model program could
be explored completely. Critical information to ensure the cor-
rectness of certain properties concerning identifying the actions
and state variables in the FSM. Domains, ﬁnite collections of val-
ues from which method arguments are taken, are deﬁned in order
enable better coverage on particular issues. Filters express stop-
pingconditionsthatlimitexploration(usedtostoptheFSMgen-
eration if a property fails, for e.g.).
For a model M including a set of classes, C = {c1,...,c n},
where n is the total number of classes in M. For every class ci in
C, we denote its set of methods by c
mth
i and the set of members
by c
mem
i . We deﬁned a set of rules (called RFSM) to guarantee
the generation of an FSM representing a portion of the complete
system’s FSM; these include:
Rule R
1
FSM: For every class ci in C,w eh a v et od e ﬁ n eal i s to f
instantiations of the class. This ensures that the algorithm will
not through an exception.
Rule R
2
FSM:Theﬁrstlyexecutedmethodinthedesignmustver-
ify that all the objects from the class domains were correctly in-
stantiated. This ensures that the algorithm will not misbehave.
Rule R
3
FSM: For every class ci in C, every method in c
mem
i must
includealistofpre-conditions tospecifywhenthealgorithmcon-
siders this method in the exploration process. This ensues that in
every state we only explore the involved methods.
Rule R
4
FSM: For every class ci in C, domains for all members in
c
mem
i must be inherited from AsmL types and restricted to the
possible values the system can accept (in particular for inputs).
Thiswillallowexploringknowntypesandlimitstherisksofstate
explosion.
The optimal scenario is to explore all the methods and do-
mains in the model; nevertheless, this is not possible all the time
due to the state space explosion. For this reason, working care-
fully the domains and the set of actions is the very critical path
in the FSM generation process. For illustration purpose, Figure
4 shows a generic ASM model with a method including a precon-
dition (denoted by the require keyword) setting that the method
needs the system to be initialized (SystemInit = true) and that it
hasbothvariablesm gnt andm req settofalse beforeitcanbeex-
ecuted.Suchaconditionsdeﬁnestrictlyatwhichstatethesystem
can execute a particular set actions.
2.2.2. Translation to C++ Once the ASM model veriﬁed
using the properties describing its behaviour, we translate it to
SystemC according to a set of rules to ensure that the ﬁnal Sys-
temC model preserves the original ASM code properties. The
transformation is purely syntactical, it is performed to certain
rules (that we call RC++) that could be summarized in the fol-
lowing:
Rule R
1
C++: ”Basic types”: ASM basic types are all mapped to
their equivalent SystemC types (e.g. Integer to int, Byte to un-
class PCI_Arbiter
private var m_ActiveMaster as Integer = -1
private var m_req as Boolean = false
private var m_gnt as Boolean = false
public PCI_Arbiter()
public PCI_ArbiterUpdate_m_req()
require (SystemInit = true) and me.m_gnt = false and me.m_req = false
me.m_ActiveMaster := min id | id in Masters_Range where
(MASTERS(id).m_req = true)
me.m_req := true
Figure 4. An Example of an ASM Model.
signed char, etc.). AsmL includes the same types as C++ which
are used for SystemC also.
Rule R
2
C++: ”Class Translation”: this includes two separate
rules for variables and methods:
Rule R
2.1
C++: ”Class Members”: are translated into SystemC sig-
nals having the same basic type. For e.g., var m val as Integer is
translated to sc signal<int> m val.
Rule R
2.2
C++: ”Class Methods”: in ASM contain two parts ﬁrst
one deﬁning the post-/pre-conditions for its execution and the
method itself. The ﬁrst part is integrated in the SystemC mod-
ule’s constructor. For instance, a method Send deﬁned in ASM
withthefollowingpre-conditionrequireclk=true isinsertedinthe
SystemCmoduleconstructorareaas”SC THREAD(Send); sen-
sitive << clk;”. The method itself is integrated as it is in the Sys-
temC module (we just modify the basic types according to the
Rule 1).
Rule R
3
C++:”GlobalModules”:areintegratedintheSystemC’s
mainproceduresc main.Thenamingmappingisusedtolinkdif-
ferent modules together.
3. Veriﬁcation Methodology
The veriﬁcation process is decomposed into two parts: (1) by
model checking at the ASM level; and (2) by assertion based ver-
iﬁcation at the C++/C# level.
3.1. Model Checking
PSL properties are embedded in ASM as assertions, the as-
sertion here means the validity of the property. It provides a
unique view of the property in every system’s state. It also simu-
lates the design with the property as a monitor. We build the as-
sertion starting from basic Boolean components, sequences, and
then veriﬁcation units. We encapsulate sequences in the veriﬁca-
tion unit as an assertion which is embedded in the design. Given
a set of Boolean items x1,x 2,...,x n, and y1,y 2,...,y m belong-
ing to the Boolean layer, and the sequences, S1 and S2 belonging
to the temporal layer, we can deﬁne: S1 = {x1,x 2,...,x n}, and
S2 = {y1,y 2,...,y m} and then use assertions to check any PSL
operation between S1 and S2 such as S1 OP S2, where OP is a
PSLoperator(e.g.,implication(⇒),orequivalence(⇔)).Theas-
sertion is built as follows:
1. Add all the Boolean items to the sequences:
∀ ii n1 to n : S1.AddElement(xi)
∀ ji n1 to m : S2.AddElement(yi)
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE 2. Create the property: P := S1 OP S2
3. Deﬁne the veriﬁcation unit as an assertion, say A, that in-
cludes the above property: A.Add(P)
This property is embedded in every state in the FSM generated
by the AsmL tool and is represented by two Boolean state vari-
ablesP eval andP value (saying,respectively,ifthepropertycan
be evaluated and the value of the property in the current state).
A violated propertyis detected once P eval = true and P value =
false. We set the previous condition as ﬁlter for the FSM gen-
eration algorithm. This way the generation stops when an er-
ror is detected. The generated portion of the state machine, at
this point, can be used to identify the problem through a sce-
nario of a counter-example. For multiple properties, the ﬁlter is
set as conjunction of all the conditions for the separate proper-
ties. This technique minimizes radically the number of the state
variables (the FSM size and its generation time). A correct veriﬁ-
cation process results on the generation of the system’s FSM (ac-
cording the conﬁguration ﬁle constraints).
3.2. Assertion Based Veriﬁcation
We target to add the assertion as an external monitor to the
SystemC design. We consider three steps:
(1) Updating the SystemC design to interface to the assertion.
(2) Generating the assertion (in C#) from its ASM description.
(3) Integrating the assertion in the design.
ThetranslationtoC#ofthePSLassertionsembeddedinASM
is a matter of compilation using the AsmL tool. Most of the ef-
fort is spent in updating the SystemC design to get it connected
theassertionmonitor.Forinstance,wevalidatetheassertionsyn-
tacticallybygeneratingthelistofitsinvolvedvariables.Then,we
perform a type check to make sure the variables are well instanti-
ated in the SystemC design. For instance, the signals (variables)
that are used in the assertion must be seen as external signals so
that they can be input to the assertion monitor. So, modify the
SystemCdesigntomaketherequiredvariablesvisibletothemon-
itor. This transformation does not aﬀect the behavior of the code
as it will only be accessed in a read–only mode.
Once the design is updated, we add the required instantia-
tion of the assertion to bind it to the existing SystemC design
modules. The assertion monitor, acting as part of the design, can
do the following: (1) stop the simulation when the assertion is
ﬁred;(2)writeareportabouttheassertionstatusandallitsvari-
ables;and(3)sendawarningsignaltoothermodules(ifrequired).
We note that the internal code of the assertion is C# so the de-
signer can update it or do any other functionalities that can be
coded in C#.
4. Experimental Results
In order to illustrate the proposed design and veriﬁcation
methodology, we considered two models: (1) PCI (Peripheral
Component Interconnect) [6] Local Bus standard; and (2) an ex-
tension of the Master/Slave Bus structure provided by the Sys-
temC distribution [10]. Both models include ceratin properties,
suchasliveness,thatcannotbeveriﬁedusingsimulationwhichre-
quires using formal veriﬁcation techniques such as model check-
ing. Moreover, we aim evaluating the performance of the over-
all approach according to the system’s size, which can be per-
Number Model Checking Simula-
of CPU Number of FSM -tion
Mas. Sla. Time (s) Nodes Trans. δ (ns)
1 1 2.31 20 25 24.31
1 2 2.93 39 53 29.32
3 1 26.01 236 341 29.76
2 2 26.84 293 449 30.89
2 3 101.37 658 1117 32.74
3 2 574.18 1881 3153 34.03
3 3 6836.01 6346 12097 36.82
Table 1. PCI Bus: Model Checking and Simulation Re-
sults.
formed by varying the number of masters and slaves. The experi-
ments were conducted on a Pentium IV processor (2.4 GHz) with
512 MB of memory.
4.1. Models Description
PCIboastsa32-bitdatapath,33MHzclockspeedandamaxi-
mumdatatransferrateof132MB/sec.EachPCImasterhasapair
ofarbitrationlinesthatconnectitdirectlytothePCIbusarbiter.
In the PCI environment, bus arbitration can take place while an-
other master is still in control of the bus. Data is transferred be-
tween an initiator which is the bus master, and a target, which
is the bus slave. PCI supports several masters and slaves and al-
lows stopping transactions.
TheSystemC Master/Slave busrepresentsa more generic bus
structure including a set of Masters, a set of slaves an arbiter
and a shared bus. The arbiter is responsible for choosing the ap-
propriate master when there is more than one connected to the
bus.Therearetwopossiblemodesforthebus:(1)Blocking Mode,
where data is moved through the bus in a burst–mode; and (2)
Non-Blocking Mode, where the master reads or writes a single
data word.
4.2. Model Checking
Formodelcheckingweconsiders,forbothmodels,asetofprop-
ertiesdescribingallthepossiblescenariosoftransactionsoverthe
bus (reading, writing, arbitration, etc.). The machine time (user
time) needed for verifying the properties depends on the com-
plexity of the original model as well as the property parameters.
The time CPU required for the model checking of the proper-
ties of the PCI bus for diﬀerent numbers of masters and slaves is
given in Table 1. We note that the numbers of states and transi-
tions increase exponentially as a function of the number of mas-
ters and slaves connected to the bus which explains the need for
a sharp deﬁnition of the exploration domains and active actions.
Similar results for the generic Master/Slave case study are given
in Table 2, where, for Masters, ”B” refers to Blocking and ”NB”
to Non-Blocking.
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE Number of Model Checking Simula-
Sla. Mast. CPU Num. of FSM -tion
B NB Time(s) Nod. Tran. δ(ns)
2 1 1 3.54 14 22 27.04
2 3 3 142.32 146 531 31.44
2 3 4 402.32 276 1174 33.02
2 4 4 1192.57 530 2584 35.41
3 1 1 4.32 15 27 28.01
3 3 3 186.64 147 723 36.85
3 3 4 518.73 278 1622 38.82
3 4 4 1541.32 535 3606 40.08
4 1 1 5.21 17 31 29.92
4 3 3 214.46 148 915 39.41
4 3 4 630.48 280 2070 41.11
4 4 4 2002.54 538 4630 43.25
Table 2. Master/Slave Bus: Model Checking and Simula-
tion Results.
4.3. Assertion Based Veriﬁcation
The last column in Table 1 shows a simulation evaluation of
the PCI bus when implemented in SystemC including the asser-
tions monitors. We display the average execution time per clock
cycle(calledδ andgiveninns)asafunctionofthenumberofmas-
tersandslavesconnectedtothebus.Thisshowsaveryshorttime
(few seconds) to simulate million of cycles which oﬀers good cov-
erage for the assertions. In this case also, we obtained similar re-
sults for the generic Master/Slave model as shown in the last col-
umn of the Table 2.
5. Conclusion and Related Work
In this paper, we presented a methodology to design and ver-
ify SystemC transactional models starting from a UML system
speciﬁcationandintegratinganintermediateASMlayer.Wepro-
posed to upgrade the UML sequence diagram in order to cap-
ture transaction related system properties. Then both of the de-
sign at its properties are modeled in ASM to enable performing
model checking. On the other hand, to cover for the state explo-
sion problem that may result due to the system’s complexity, we
completed our approach by oﬀering a methodology to apply as-
sertion based veriﬁcation re-using the already deﬁned PSL prop-
erties. To do so, we deﬁned a set of translation rules to transform
thedesign’smodelinASMtoitsimplementationinSystemC.Ex-
perimental results showed good model checking results even for
complex systems such as the PCI bus standard. The ﬁnal Sys-
temC models also were running a quite fast simulation enabling
to oﬀer better coverage for the whole system state space.
In [4], Gordon used the semi–formal semantics in the
PSL/Sugar documentation to create a deep embedding of the
whole language in the HOL theorem prover [5]. The author de-
scribed how to ‘execute’ the formal semantics of PSL using HOL
to see if it is feasible to implement useful tools that work di-
rectly from the formal semantics by mechanized proof. How-
ever, he did not provide any framework for the veriﬁcation of
PSL for any implementation language. Besides, they do not of-
feranyapproachtore-usethePSLpropertiesasassertion(avery
important feature in PSL).
Gawanmehet.al.[3]completedtheworkofM¨ ulleret. al.[9]to
deﬁnethesemanticsofSystemC2.0usingASM.However,thatse-
mantics could not be used directly to generate the ﬁnite state of
the system because it does not satisfy to the rules we deﬁned in
Section2.2.1.Besides,embeddingthecompleteSystemCsimula-
tor semantics is ASM represent a huge overhead to the FSM gen-
eration.
Severalproposalsforsystemleveldesign,inparticular[11]and
[12], used a combination of UML and SystemC for SoC design in
general (TLM in particular). We are not aware of any other work
that considered ASM as an intermediate layer between UML and
SystemC to enable model checking. Besides, we focused into ex-
tracting and deﬁning the system properties at the early design
stages (from the UML sequence diagram) which makes our work
complementary to existent approaches by oﬀering and in-design
veriﬁcation solution.
References
[1] Accellera Organization. Accellera Property Speciﬁcation
Language reference manual, Version 1.01., 2004.
[2] R. Damasevicius and V. Stuikys. Application of uml for
hardware design based on design process model. In Proceed-
ings of the 2004 conference on Asia South Paciﬁc design au-
tomation, pages 244–249, 2004.
[3] A. Gawanmeh, A. Habibi, and S. Tahar. Enabling SystemC
Veriﬁcation using Abstract State Machines. In Forum on
Speciﬁcation and Design Languages, pages 306–421, Lille,
France, 2004.
[4] M. Gordon. Validating the psl/sugar semantics using auto-
mated reasoning. In Formal Aspects of Computing,p a g e s
306–421, 2003.
[5] M. Gordon and T. Melham. Introduction to HOL: A The-
orem Proving Environment for Higher-Order Logic. Cam-
bridge Univ. Press, 1993.
[6] PCISpecialInterestGroup. http://www.pcisig.com/,2004.
[7] Y.Gurevich. EvolvingAlgebras1993:LipariGuide. InSpec-
iﬁcation and Validation Methods, pages 9–36. 1995.
[8] Microsoft Corporation. AsmL for Microsoft .NET Frame-
work, Microsoft., 2004.
[9] W. M¨ uller, J. Ruf, and W. Rosenstiel. SystemC Methodolo-
gies and Applications. Kluwer Academic Pub., 2003.
[10] Open SystemC Initiative. www.systemc.org, 2004.
[11] C. Schulz-Key, M. Winterholer, T. Schweizer, T. Kuhn, and
W. Rosenstiel. Object-oriented modeling and synthesis of
SystemC speciﬁcations. In Proc. Asia South Paciﬁc Design
Automation, pages 238–243, 2004.
[12] V. Sinha, F. Doucet, C. Siska, R. Gupta, S. Liao, and
A.Ghosh. Yaml:atoolforhardwaredesignvisualizationand
capture. In Proc. Symposium on System Synthesis,p a g e s9 –
14, 2000.
Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’05) 
1530-1591/05 $ 20.00 IEEE 