Protocol-Inspired Hardware Testing by He, Ji & Turner, Kenneth J
Ji He and Kenneth J. Turner. Protocol-Inspired Hardware Testing. In Gyula
Csopaki, Sarolta Dibuz and Katalin Tarnay, editors, Proc. Testing
Communicating Systems XII, pages 131-147, Kluwer Academic Publishers,








is discussed.It is shown that the ioconf (input-outputconformance)approach
usedin protocoltestingcanbeappliedto generatetestsfor a synchronoushard-
waredesignusingits formalspecification.Thegeneratedtestsareautomatically









tial effort to ensuredesigncorrectnessprior to manufacture. Dill (Digital
Logic in Lotos [14, 15,16,25]) is anapproachanda languagefor specifying
digital circuits usingLotos (Languageof TemporalOrderingSpecification
[12]). Theformalbasisof Lotos supportsrigorousspecificationandanalysis,
bothcrucialfor correctcircuit design.
The inspirationfor the work presentedin this papercomesfrom confor-
mancetestingof communicationsprotocols. Thepaperthusconcernstesting
of communicatingsystems,but in this casehardwaredevicesratherthanpro-
tocol entities. In formally basedprotocol testing, testsare derived from a
formal specificationandthenusedto checka concreteimplementation.This
1
2
is regardedasa blackbox whoseoperationhasto becheckedagainstits spec-
ification. Essentiallythis is the way that the functionality of a digital circuit
is tested.Moreover, asin a communicationssystemeachpartof a circuit has
to communicatewith theotherparts. As a novel applicationof conformance
testing,it is thereforeworthwhileinvestigatinghow protocoltestingideascan
beappliedto validationof digital hardware.
In electronics,theequivalenttermis designverification, designvalidation
or functional testing. Thetermtestingin this areaappliesto checkingmanu-






Conformancetesting usesexperimentationto check an implementation





is givenby anLTS (LabelledTransitionSystem).Theimplementationof the
samecircuit is describedby VHDL (VHSIC HardwareDescriptionLanguage
[10]). The behaviour of a VHDL programis presumedto be modelledby
an IOLTS (Input-OutputLabelledTransitionSystem).This modelis merely
assumedto exist – it neednotbeknown explicitly. Makingtheassumptionthat
animplementationhasaformalmodelis referredtoasthetesthypothesis. This
makesit possibleto expressconformanceof animplementationwith respectits
specificationusinga formal relation. Onesuchrelation, ioconf (input-output
conformance[24]), is usedasthecriterionfor correcthardwaredesign.
The test suite for a circuit is generatedfrom a Lotos specificationfol-
lowing an algorithmbasedon that proposedby Tretmans[24]. The authors
haveextendedCADP(CæsarAldébaranDevelopmentPackage[6]) togenerate
hardwaretestsuitesautomatically. Eachtestcasein thegeneratedtestsuiteis
a sequenceof input andoutputsignals. Designingtestcasesasinput-output
sequencesis closeto engineeringpracticein hardware testing. Moreover, it
allows testexecutionandobtainingtestverdictsto be completelyautomated.
This is achieved by a VHDL testbenchthat executesand evaluatesthe test
cases. If thereis an inconsistency betweenthe formal specificationand its
VHDL implementation,theimplementationis regardedasincorrect.
Protocol-InspiredHardwareTesting 3
Section2. introducesthe theoryfor testingan IOLTS. This is followed by
its applicationto testingdigital circuits in Section3. Section4. examinesthe
techniquesin two casestudies.
1.3 RELATED WORK
Test theoriesfor LTSswerefirst studiedmore thana decadeago. These
theoriesaim to defineimplementationrelationsby explicitly using external
testsandobservations(e.g. [4, 19]). Apart from definingan implementation
relation,conformancetestinginvolvesfinding a setof testsfor a specification
to distinguishbetweencorrectandincorrectimplementations.[2] elaborates
a theoryfor testingsystemsspecifiedin Lotos. Severaltestgenerationalgo-
rithmsfor anLTS andfor BasicLotos have beenproposed,e.g.[17, 20]. In
[23, 24] the testingtheory for an LTS is refinedfor communicatingsystems
thatdistinguishinputsandoutputs.This is amorerealisticview of systems.
Forvalidatinghardwaredesigns,simulationhasbeenandisstill thepredom-
inantmethodin industry. In themain, testcasesfor simulationaremanually
definedor arerandomlygenerated.Recentdevelopmentsfor improving thisad
hocapproachlie in combiningformalmethodswith traditionalsimulationtech-
niques.In [26] designverificationtestsaregeneratedfrom behavioural VHDL
programsusingtraditionalsoftwaretestingmethods.In [8, 18] testgeneration
is basedon anFSM (Finite StateMachine)or ECFM (ExtractedControlFlow
Machine)thatrepresentsthecontrollogic of acircuit. Thegeneratedtestcases
arethenappliedto bothhigherlevel andlower level specificationsin Verilog
[11] or VHDL. Verdictsareobtainedby comparingoutputsfrom thetwo lev-
els. Theseapproachesextract a formal model from a circuit designanduse
techniquesbasedon FSM testingtheory. But in this paper, testsarederived
from higherlevel specificationsusingconformancetestingtheoryfor LTSs.
In [21] testgenerationis basedon a higher level FSM specificationusing
a commercialtool. Testsarethenappliedusinga VHDL simulator. Unfortu-
natelythis methodcannothandlenon-determinismin specifications.Its aim
is to fill the gap betweenabstracttestsand concretetest signals. Of direct
relevanceto thecurrentwork, theCADPtoolsethasatestgenerationtool TGV
[7] underdevelopment.Theimplementationrelationexploitedby TGV is very
similar to ioconfusedin thispaper. TGV wasstill to bereleasedat thetimeof
writing, andsowasnotavailableto theauthorsfor evaluation.
2. TESTING IO TRANSITION SYSTEMS
2.1 IOLTS AND IOCONF
Conformancetestinginvolvescheckingthecorrectnessof animplementation
againstits specificationby externaltestsandobservations.To formally define
4
an implementationrelation,a testhypothesisis neededthat implementations
canbeexpressedbyaformalmodel.In traditionalconformancetestingtheories
for LTSs,both thespecificationandthe IUT aremodelledasLTSs. An IUT
communicateswith its environmentthroughsymmetricinteractions,henceits
environmentasexpressedby testsis alsomodelledasanLTS.
An LTS is a quadruple〈S,L, T, s0〉 whereS is a setof states,L is a setof
observableactions,T ⊆ S×(L∪{τ})×S is thetransitionrelation,ands0 ∈ S
is theinitial state.Theclassof transitionsystemswith actionsin L is denoted
by LT S(L). A transitionin T is alsodenotedas s
µ
→ s′ if (s, µ, s′) ∈ T .
Thespecialactionτ 6∈ L representsanunobservable(or internal)action. The
following notationsarecommonlyusedfor LTSs.
Letp = 〈S,L, T, s0〉 beanLTSwith s, s′ ∈ S, andletµi ∈ L∪{τ}, ai ∈ L,
L? denotesthesetof all finite actionsequencesof L andσ ∈ L?. Thefollowing
definitionsthenapply:
s
µ1·...·µn−→ s′ =def ∃s0, . . . , sn : s = s0
µ1−→ s1
µ2−→ . . .













⇒ s′ =def s = s
′ or s τ ·...·τ−→ s′
s
a








a1·...·an=⇒ s′ =def ∃s0 . . . sn : s = s0
a1⇒ s1
a2⇒ . . .














init(p) =def {µ ∈ L ∪ {τ} | p
µ
→}








Many realworld systemscommunicatewith theirenvironmentin adifferent
way from anLTS.Thereis a cleardistinctionbetweenthe inputsandoutputs
of a system. The inputs of a systemare always enabledand cannotrefuse
the actionsofferedby the environment. After the systemconsumesan input
andproducesits outputs,theenvironmenthasto accepttheoutputs. In other
words,sucha systemwill never reject inputsandits environmentwill never
block outputs.Communicationis thusno longersymmetric.In [24] this kind
of behaviour is modelledasanIOLTS,which is aspecialkind of LTS.
An IOLTS (Input-OutputLabelledTransitionSystem)p is anLTSin which
thesetof actionsL is partitionedinto input actionsLI andoutputactionsLU
suchthatLI ∪ LU = L andLI ∩ LU = ∅. (The suffix U derives from the
Dutch/Germanword for out.)




Intuitively this meansthat input actionsarealwaysenabledin any state. The
classof input-outputtransitionsystemswith input actionsin LI and output
actionsin LU is denotedby IOLT S(LI , LU ) ⊆ LT S(LI ∪ LU ).
Severalimplementationrelationshavebeendefinedto expressconformance
of an implementationto its specification. In theserelations,specifications
aremodelledasLTSsandimplementationsaremodelledasIOLTSs. This is
becauseanLTS cangive a moreabstractview of a system,while anIOLTS is
closerto reality. ThespecificationLTScanberegardedasapartiallyspecified
IOLTSin thesensethattherearesomestatesin thespecificationthatcanrefuse
inputactions.Therearetwo reasonsto write suchkindsof specifications.One
is that it doesnot matterhow implementationsrespondto unspecifiedinputs.
Theotheris thattheenvironmentis assumednot to offer suchinputs,sothere
is no needto specifythem.
To definetheimplementationrelationioconf, severalotherdefinitionshave
to be introduced.Let p ∈ LT S(LI ∪ LU ), s bea statein theLTS andSbea
stateset.Then:
A statesof p is quiescent, denotedby δ(s), if ∀µ ∈ LU ∪{τ} : s 6
µ
−→
A quiescenttrace of p is a traceσ which mayleadto a quiescentstate:
∃p′ ∈ (p after σ) : δ(p′)
out(s) =def {x ∈ LU | s
x
→} ∪ {δ | δ(s)}
out(S) =def
⋃
{out(s) | s ∈ S}
From the definition, a quiescentstateis one that cannotperformany output
transitionsor an internal transition. out(s)definesall the outputactionsthat
a statecan perform. This includesthe quiescent‘action’ δ that meansthe
statecannotperform any output actions. Let i ∈ IOLT S(LI , LU ), s ∈
LT S(LI ∪ LU ). Then:
i ioconf s =def ∀σ ∈ traces(s) : out(i after σ) ⊆ out(s after σ)
This meansthatanimplementationis correctif, afterall tracesσ of thespeci-
fication,theimplementationoutputscanalsobeproducedby thespecification.
An implementationcannotproduceoutputswhicharenotexpectedby thespec-
ification. Sincethisalsoholdsfor δ, theimplementationmaynotoutputif the
specificationcannotdo so.
2.2 TEST GENERATION FOR IOCONF
To support the generationof test casesfor ioconf, an intermediateLTS
termedthe suspensionautomaton is built from the specificationLTS. The
suspensionautomatonΓp of anLTS p is obtainedby addingself-loopss
δ
→ s
for all quiescentstatesandthendeterminisingthe resultingautomaton.The
importantpropertiesof a suspensionautomatonarethatit is deterministicand
for σ ∈ L?, out(Γp afterσ) = out(p afterσ). As will beseenlater, checking
6
ioconf can be easily reducedto checkingtraceinclusion on the suspension
automaton.
A test caset is anLTS< S,LI ∪ LU ∪ {δ}, T, s0 > suchthat:
t is deterministicandhasfinite behaviour
ScontainstheterminalstatesPassandFail, with init(Pass)= init(Fail)
= ∅
for any states ∈ S of thetestcase,s 6= PassorFail, eitherinit(s) = {a}
for somea ∈ LI , or init(s) = LU ∪ {δ}.
Theclassof testcasesoverLU andLI is denotedasT EST (LU , LI). A test
suite T is a setof testcases:T ⊆ T EST (LU , LI). LI andLU referto inputs
andoutputsfrom thepointof view of theIUT, soLI representstheoutputsand
LU theinputsof testcases.
Thefollowing testgenerationalgorithmis basedon thesuspensionautoma-
ton obtainedfrom an LTS. It is a slightly modifiedversionof theonein [24]
which generatestestsaccordingto variousimplementationrelations.Thefol-
lowing oneis tailoredfor the ioconfrelation.
Test Generation Algorithm: Let Γ be the suspensionautomatonof an LTS
s, and let F = traces(s). Then a test caset ∈ T EST (LU , LI) is obtained
by finite, recursive applicationof oneof thefollowing threenon-deterministic
choices:
Choice1: Terminatethetestcase:t := Pass.
Choice2: Give a further input to the implementation: t := a; t′. Here,
a ∈ LI suchthatF ′ = {σ ∈ L?I | a · σ ∈ F} 6= ∅. To obtaint
′ the




Choice3: Checkthenext outputsof theimplementation:
t :=
∑
{x; Fail | x ∈ LU ∪ {δ}, x 6∈ out(Γ)}∑
{x; tx | x ∈ LU , x ∈ out(Γ)}
δ; Passif δ ∈ out(Γ)
wheretx is obtainedby recursively applying the algorithmfor {σ ∈
L?δ | x · σ ∈ F}, andΓ
′ arisesfrom Γ x→ Γ′.
Thefirst choiceterminatesthetestgenerationprocedure.Sincespecifications
usuallyhave infinite behaviour, testgenerationhasto bestoppedatsomepoint.
Thesecondchoicegivesthenext input to theimplementation.Sinceinputsare
alwaysenabled,thisstepwill never resultin deadlockwhenaninput is applied
to theIUT. It is thereforenotpossibleto reacha terminalPassor Fail state.To
avoid unnecessarynon-determinismduring testing,only oneinput is applied
Protocol-InspiredHardwareTesting 7
eachtime. Thethird stepchecksthenext outputof theimplementation,i.e. for
eachx ∈ LU ∪ {δ} it is checked if out (Γi afterσ) ⊆ out(Γs afterσ). Here,
σ is thetracewhich hasbeenproducedsofar. Any implementationproducing
an output x that doesnot belong to out(Γs) will result in a Fail terminal
state,indicatinganon-conformingimplementation.For all otheroutputsx, the
generationproceduremaycontinue.However δ doesnotbelongto trace(s)so
a Passterminalstateresultsandno furthersequencesneedbechecked. This
testgenerationalgorithmguaranteesoundtestcaseswith respectto ioconf,
andthesetof all possibletestcasesthatcanbeobtainedis exhaustive.
3. TESTING SYNCHRONOUS CIRCUITS
3.1 SYNCHRONOUSCIRCUIT MODEL
Theideaof applyingtheabove theoryto validatinghardwarecircuitscomes
naturally. The Dill approachusesLotos to specifydigital circuits, so the
behaviour of circuitsis expressedby anLTS.Ontheotherhand,realhardware
communicateswith its environmentvia input andoutputports.An IOLTS is a
realisticmodelsinceinputsarealwaysacceptedby circuits.
In this paper, only synchronous circuits are considered. Synchronous
circuitsarealsoreferredto asclockedsincetheiroperationis controlledby one
or moreclocks.Theclassicalsynchronouscircuit modelis shown in Figure1.
In thismodel,thecombinationalogicprovidestheprimaryoutputsandinternal
outputsaccordingto the primary inputsandinternal inputs. Internaloutputs
arethenfedinto stateholdcomponentsto producetheinternalinputs.Changes
of theinternalinputsaresynchronisedwith theclock, in otherwordsthey are





















Figure 1 SynchronousCircuit Model
8
Becauseonlycircuitbehaviour (notdesign)isspecifiedin Lotos for testing
purposes,this paperaddressesonly behavioural modelling of synchronous
circuits. Otherissuessuchasstructuralmodellingarediscussedelsewhere[16].
A clocksignalcanbespecifiedexplici tly orimplicitly accordingtoconvenience.
Lotos eventsrepresentsignallevelsduringaclockcycle. Circuit behaviour is
specifiedwith referenceto a clock signal. After anactive clock transition,the
primaryoutputsandinternaloutputsareupdatedaccordingtotheprimaryinputs
andinternalinputs.Therestof this sectiongivestwo illustrative examples.
A JK flip-flop is a single-bitmemoryelementwith control inputsJ andK.
If they arebothsetto 0, theflip-flop staysin thesamestate. If they areboth
set to 1, the flip-flop inverts its currentvalue. If J andK areset to different
values,thevalueof J is stored. Theoutputis conventionallycalledQ, while
its complementis NQ (not Q). The JK flip-flop specificationbelow fixesthe
order in which inputsandoutputsoccur. This might not be a restrictionof
real hardware. However the orderdoesnot influencethe functionality of the
flip-flop, sothereis noneedto distinguishwhich inputor outputhappensfirst.
By restrictingtheeventorder, thestatespacecanbesubstantiallyreducedwhen
acomponenthasmultiple inputsand/oroutputs.
behaviour JK [J, K, Q, NQ] (0) (* initial stateis 0 *)
where
processJK [J, K, Q, NQ] (dtQ : Bit) : noexit :
J ?newJ : Bit; K ?newK : Bit; (* getnew J andK *)
( [(newJ eq0) and(newK eq0)] > (* both0 - samestate*)
Q !dtQ; NQ !not(dtQ); (* outputcurrentvalues*)
JK [J, K, Q, NQ] (dtQ)
[(newJ eq1) and(newK eq1)] > (* both1 - flip state*)
Q !not (dtQ); NQ !dtQ; (* invert outputs*)
JK [J, K, Q, NQ] (not (dtQ))
[newJ nenewK] > (* bothdiffer - take J *)
Q !newJ; NQ !not (newJ); (* useJ asinput *)
JK [J, K, Q, NQ] (newJ) )
endproc (* JK *)
TheSinglePulser[22] is astandardhardwareverificationbenchmark.It is a
clockedsequentialdevice with a one-bitinput anda one-bitoutput. It outputs
a one-cycle pulsewhenthereis a pulseon its input. The SinglePulsercan
thusbeusedto debounceaswitch,for example.Twokindsof implementations
are allowed. The output pulsemay be assertedon the positive-going cd or
negative-goingeb inputtransition,sothespecificationis non-deterministic.Test
generationfor theSinglePulserwill becoveredin Section4.1. This example
is introducednow to illustratetheissuesin modellingsynchronouscircuits.
processSP[Ip, Op] : noexit : (* SinglePulser*)
i; SP P [Ip, Op] (0) (* +ve triggeredimplementation*)
Protocol-InspiredHardwareTesting 9
i; SP N [Ip, Op] (0) (*-ve triggeredimplementation*)
where
processSP P[Ip, Op] (dtI: Bit) : noexit :
Ip ?newI : Bit; (* getnew input *)
( Op !1 [(dtI eq0) and(newI eq1)]; (* output1 on0 >1 input *)
SP P [Ip, Op] (newI)
Op !0 [not ((dtI eq0) and(newI eq1))]; (* elseoutput0 *)
SP P [Ip, Op] (newI) )
endproc (* SP P*)
processSP N [Ip, Op] (dtI: Bit) : noexit :
Ip ?newI : Bit; (* getnew input *)
( Op !1 [(dtI eq1) and(newI eq0)]; (* output1 on1 >0 input *)
SP N [Ip, Op] (newI)
Op !0 [not ((dtI eq1) and(newI eq0))]; (* elseoutput0 *)
SP N [Ip, Op] (newI) )
endproc (* SP N *)
endproc (* SP*)
The LTSs that are observationally equivalent to the above Lotos spec-
ifications appearin figure 2. Observational equivalenceis usedheresince
conformancetestingrelatesonly to externalbehaviour of circuits. Theequiv-
alenceis preserves all external behaviour and hasmuch smallerstatespace
comparedto theoriginal specifications.Figure3 shows suspensionautomata
built from theLTSs.Self-loopsin thisfiguredenoteδ (quiescentstate)actions.

























Figure 2 LTSsfor theJK Flip-FlopandSinglePulser
Themodellingapproachdiscussedabovehassomeimplicationsfor testing.
Firstly, Lotos eventsrepresentstablesignalvaluesin a specificclock cycle.
Whentestinga circuit, applyinginputsandobservingoutputsshouldalsobe






























Figure 3 SuspensionAutomatafor theJK Flip-FlopandSinglePulser
Fail Fail Fail Fail



















δ Q!1 Q!0 NQ!1 NQ!0
Figure 4 SeveralTestsof theJK Flip-FlopandSinglePulser
sincethe clock cycle is alwayschosensuchthat the circuit hasenoughtime
to settledown. Secondly, asstablevaluesof inputsandoutputsshouldappear
oncein every clock cycle, thereis no needto worry abouttheδ actionwhich
indicatestheabsenceof outputs.It is thereforelessinterestingto generatetests
caseslike JK t2 that checkabsenceof outputs. They arethereforeexcluded
from the outputsof the testgenerator. Finally, asdiscussedearlierthe order
of inputsandoutputsis fixed to restrict the statespace. In test caseJK t1,
the testgivesa Fail verdictwhenthefirst NQ !0 is observed. This would not
havehappenedif thefull statespacehadbeengenerated.Thewayto solve this
problemis discussedin Section3.2.
Thesetwo examplesalsoindicatewhy the ioconf relationis a suitableim-
plementationrelationfor validatingsynchronouscircuits. If a specificationis
deterministicthenioconfrequiresthat,for all possibleinput sequences,all the
Protocol-InspiredHardwareTesting 11
outputsof an implementationshouldagreewith thosegiven by the specifi-
cation. This is strongenoughto distinguisherroneousimplementationsfrom
correctones.Ontheotherhand,it alsopermitsnon-deterministicspecifications
to be tested. For the exampleof the SinglePulser, a correctimplementation
mayproducetheoutputpulseafteracd or eb input. Thiscanbeproperlycaptured
by the ioconf relation. For exampleif input is initially presumedto be 0 and
thenit changesto 1, theoutputof a cd implementationshouldbe1 (or 0 for a eb
implementation).As seenin testcaseSpt1 of Figure4, bothdesigndecisions
canpassthetestsoimplementationfreedomis respected.
3.2 TEST GENERATION AND EXECUTION
Thetestcasesgeneratedfrom thealgorithmin Section2.2have theform of
a tree.Thismighthaveastraightforwardmappingto TTCN (TreeandTabular
CombinedNotation[13]). However, thework presentedherefocusesoninves-
tigatingtheideaof applyingprotocoltestingtheoryto hardwarevalidation. In
this context it is preferableto have testcasesof a simplerform thateasestest
executionandanalysis.
A naturalway to think abouttestcasesfor synchronouscircuits is: for the
giveninputs,whatshouldtheoutputsbe?Thisindicatesthattestcasescanbein
theform of tracewith alternationof inputsandoutputs.For example,testcase
JK t1 canbestoredin a file of theform: J!1; K!0; Q!1; NQ!0; Pass. In other
words,transitionsleadingto theFail verdictarenotexplicitly recorded.When
implementationshave outputsdifferentfrom theonedefinedin thetestcase,a
Fail verdictshouldbegeneratedautomatically. Moreover, theside-efectof not
recordingsequencesleadingto Fail easilysolvesthe problemresultingfrom
fixing theorderof outputsin specifications.
This methodworkswell with deterministicspecifications.However when
the specificationhas non-deterministicbehaviour, simply generatingtraces
from a tree raisesproblems. For example, the test tree of Spt1 cannotbe
rewritten as Ip!1; Op!1; Ip!1; Op!0; Pass and Ip!1; Op!0; Pass. If a cd
implementationweretestedby thefirst case,it would begivena Fail verdict.
Conversely, a eb implementationwould fail thesecondtest. Actually, bothof
themmightbecorrectimplementations.Theproblemis thatanimplementation
hasto passall thetestcasesin a testsuitebeforeit is regardedascorrect.But
for thisexample,passingonly oneof thetestcasesis necessary. This is solved
by markingoutputsatacontradictorybranchto indicatethatthecorresponding
testis inconclusive whenthemarkedoutputsarenotmatchedby theIUT.
At somenodeof a suspensionautomaton,supposethe testgenerationpro-
gramfinds that thereare two possibleoutput transitionswith the samegate
offering differentvalues.Both of theoutputsshouldbemarkedwhenthecor-
respondingsequencesaregenerated,meaningthey arenotnecessarilymatched
12
by the implementation. Coming back to the exampleabove, the teststhen
becomeIp!1; Op!1?; Ip!1; Op!0; Passand Ip!1; Op!0?, Pass. When out-
put Op!1 from the implementationis comparedto thesecondtestcase,the?
meansthisoutputdoesnothave to bematchedandothertestoutputsshouldbe
checked. If this outputis matchedby anothertestbranch,comparisoncontin-
uesto determineif thesubsequentbehaviour is satisfied.As digital signalsare
strictly binary in theDill model,if testgenerationproducesbothtracesthen
no erroneousbehavioursof animplementationwill bemissed.
Test generationis mainly basedon traversing suspensionautomata. If
Choice1 is made,testcasegenerationis completeanda new testcasecanbe
begun. Appendinganinputactionto a tracecorrespondsto selectingChoice2
in thetestgenerationalgorithm.Appendinganoutputevent,possiblywith a?
mark,equatesto Choice3.
As specificationsusuallyhave infinite behaviour, especiallyif they involve
iterations,a testcasecanhardly be a completetraceunlessthe circuit hasa
deadlockstate. Thereforea testsuitecannever cover all the behaviour of a
specification.How to generatea testsuitewith goodcoverageis animportant
themefor testingtheorybasedon LTSs,andis expectedto be addressedat a
laterstageof thework presentedhere. In this paper, whento terminatea test
caseandtestsuiteselectionaremainlybasedon heuristics.
If covering all behaviour is not achievable, then covering all transitions
might be a second-bestchoice. A suspensionautomatonis a directedgraph.
Generatinga sequencethat visits every edgein the graphat leastonceis the
Chinesepostman problem [5] that generatesa transition tour . A single
transitiontour existsonly for a stronglyconnectedgraphin which every node
in thegraphhasa pathto every othernode. Otherwise,morethanonetour is
neededtocoverall thetransitions.Assuspensionautomatamaynotbestrongly
connected,it is not possibleto make direct useof transitiontour generation
algorithms(e.g.[9]) that guaranteetheshortesttour for a stronglyconnected
graphs.In thework presentedhere,theapproachof [8] is adoptedbecauseit is
suitablefor all kindsof directedgraph.In thismethod,depth-firstsearch(DFS)
isusedwheneverpossibleasit naturallyrecordsthetransitionstraversed.When
anunvisitededgecannotby reachedby by DFS,breadth-firstsearch(BFS) is
exploited to find a statethat hasanunvisited edge;DFS thencontinuesfrom
this state. The whole procedurerepeatsuntil this is no unvisited edgein the
graph.
The CADP toolsetsupportsan applicationprogramminginterfacethat al-
lows user-written programsto manipulatethe statespaceof a given Lotos
specification.Theprogramminginterfaceis usedto apply the testgeneration
algorithmto synchronouscircuits. For example,Figure5 showsatestcasethat
is generatedfor theJK Flip-Flop. Notethatthetestcasesareinfluencedby the
orderin whichsuspensionautomatonedgesarestored.Thisorderis adjustable
Protocol-InspiredHardwareTesting 13
by changingparameterspassedto CADP. If morecoverageis required,thetest
generatorcanbere-runby usingdifferentparametersfor moretestcases.
Cycle J K Q NQ Cycle J K Q NQ
1 1 1 1 0 2 1 1 0 1
3 0 1 0 1 4 1 0 1 0
5 0 0 1 0 6 1 1 0 1
7 0 0 0 1
Figure 5 Partof theTestSuiteGeneratedfor theJK Flip-Flop
Eachtour generatedin this way is a test caseand is saved in a test file.
The accumulatedtest casesare passedto a VHDL simulatorthat handlesa
lower-level implementationof the circuit. A VHDL testbenchis designedto
allows thetestcasesto beappliedandexecutedagainsttheVHDL description
of thecircuit. Thetestbenchmainlyconsistsof two processesthatareexecuted
concurrently. The first processgeneratesclock signalsfor the circuit under
test. Thesecondprocessreadsthe testsuitefile andgenerates ignalstimuli
accordingto theinputsof eachtestcase.It alsocomparestheoutputsgenerated
by theVHDL simulatorwith theoutputvaluesspecifiedby testcase,giving a
Fail verdictandabortingthesimulationif they arenot thesame.Thetestbench
alsohasto determinewhento apply the input stimuli andto checktheoutput
result. This needssomeknowledge of the circuit realisation,such as the
propagationdelaysof componentsin thecircuit. Specialcareshouldbegiven
to thoseoutputswhich aremarked ? asdiscussedearlier. Betweentwo test
cases,a resetsignal is generatedby the testbenchto re-initialise the circuit
undertest.Theassumptionis madethatacircuit canalwaysbecorrectlyreset.
TheLotos specificationsdiscussedpreviouslydonotspecifyresetbehaviour,
soa testneednotbegeneratedto ensurethatresetis correctlyachieved.
Thereis a peculiarsituationfor which thetestgenerationprogramis not so
suitable,namelywhena circuit implementationmay have non-deterministic
behaviour. For suchspecifications,most testcasesbecomeinconclusive for
many correctand incorrectimplementations.This makes the test suite less
meaningful. Fortunately, this is not so problematicsincedigital circuits are
rarelyallowedtobenon-deterministic. AlthoughtheSinglePulserspecification
is non-deterministic,bothof its implementationshavedeterministicbehaviour.
4. CASE STUDIES
In this section,testgenerationand executionareappliedto two standard








with its automataformsin Figures2 and3. Thedeterministicdesigngiven in
thebenchmarkdocumentationissuesanoutputafterapositive transitionof the
input. Thetestgenerationprogramproducestestcasessuchas:
TestCase1: Ip!0; Op!0; Ip!0, Op!0; Ip!1; Op!0?; Ip!0; Op!1; Ip!0; Op!0;
Ip!1; Op!0; Ip!1; Op!0; Pass
TestCase2: Ip!1; Op!1?; Ip!0; Op!0; Ip!0; Op!0; Ip!1; Op!1; Ip!1; Op!0;
Pass
WhentheVHDL testbenchis usedto executethefirst testcase,simulation
is interruptedafterthethird clock cycle whenaninput of 1 hasbeensupplied.
Thecircuit outputs1 but theexpectedtestoutputis 0. As thisoutputis marked
with ?, thesimulatorconcludesthatthetestis inconclusive for thisdesign.The
secondtest, however, successfullypassesthe simulation, indicating that the
implementationcanberegardedascorrect.Notethatthesinglepulserdoesnot
havearesetinput,sosimulationhasto berestartedwhenthecircuit is checked
againstthesecondtestcase.
4.2 BLACK-JACK DEALER
TheBlack-JackdealerinputsareCard ReadyandCard Value (Ace..King,
Clubs..Spades).Its outputshave booleanvalues: Hit (card needed),Stand
(staywith currentcards)andBroke (total exceeds21). TheCard Readyand
Hit signalsareusedfor a handshake with a humanoperator. Aceshave value
1 or 11 at the choiceof the player. Numberedcardshave valuesfrom 2 to
10. Jack,QueenandKing countas10. The Black-Jackdealeris repeatedly
presentedwith cards.It mustassertStand(whenits scoreis 17to 21)or Broke
(whenits scoreexceeds21). In eithercasethenext cardstartsanew game.
In theLotos specificationof theBlack Jackdealer, a new datatypeValue
is definedto representhecardvalue.AlthoughtheLotos standarddatatype
NaturalNumbermightappearsuitable,CADPcannotgeneratethecorrespond-
ing LTS for an infinite datatype like this. The key point in the specification
is how to handlethe ambiguousvalueof an Ace. To solve the problem,the
specificationusesthemethodgivenby [27]. Specificationbehaviour occupies
about80linesincludingcomments.(Thecircuit diagramis alsoaboutapage.)
UsingCADP andthe testgeneratorprogramwritten by the authors,a test
suitefor theBlack-JackDealerwasderived. Thetestsuiteis ableto test181
Protocol-InspiredHardwareTesting 15
differenthandsof cardsthat a dealermay hold. The VHDL implementation
givenin [27] wasevaluatedagainstthis testsuite.
Although thecircuit wasexpectedto passthe testsuite,a Fail verdict was
recordedafterthedealerwasgiventhefollowing cards:5,5,3, 2,1, 10. In this
casethedealershouldbeBroke becausethesumof thecardsis 26. However
thecircuit outputsneitherStandnorBrokesinceit considersthetotal to bejust
16. OthercardcombinationsincludinganAceandcausingBrokeexhibitedthe
sameproblem.Thisshowedtheproblemwasrelatedto processinganAce.
The circuit shouldinitially take an Ace as 11. It shouldbe re-valuedas
1 (subtracting10 from the sum) the first time the resultwould be Broke. If
thefollowing cardswouldmake thesumexceed21,no re-valuationshouldbe
doneasno Ace is 11. But thegivenbenchmarkdesignstill re-valuestheAce
card,so the circuit is not Broke in this case. Carefully simulatingthe circuit
discovereda problemwith oneof theflag registers(Ace11Flag in [22]). This
indicatesif thereis anAce to be11. It is not resetto zeroproperlybecausethe
effective durationof thesignalusedto resetit (ClearAce11Flag) is too short.
By slightly modifyingthecircuit to removethecauseof thisshortduration,the
circuit wasableto successfullypassthetestsuite.
5. CONCLUSION AND FUTURE WORK
The framework of formal methodsin protocol testinghasbeenusedfor
testingdigital circuits. Theprotocoltestingimplementationrelationioconfhas
beenjustifiedassuitablefor testingsynchronoushardwarecircuits. A prototype
tool hasbeendevelopedto generateandexecutetestcasesautomatically. The
approachhasbeenvalidatedon standardhardwareverificationbenchmarks.It
is noteworthy that it could find an error in a publishedcircuit designfor the
Black-JackDealer.
Futurework will includeapplyingtestselectiontechniqueswhile generating
testcases.Testcasesareguaranteedto cover all the transitionsof the speci-
ficationstatespace,but no furthercoverageinformationcanbeprovided. To
progressfurtherwill involve defininga suitablecoveragefunctionor exploit-
ing someexisting selectionmethodologies(e.g.[1, 3]). Applying themethod
presentedin this paperto higher-level specificationof digital circuitswill also
beinteresting.In theexamplesof thispaper, specificationis relatively closeto
real implementation.For example,signalsarein one-to-onecorrespondence
betweenbothlevels. Thismakesthetaskof mappingthetestcasesto theactual
implementationvery easy. But when specificationis more abstract,greater
effort will beneededto make thiscorrespondence.
References
[1] J.Alilo vic-CurgusandS.T. Vuong.A metricbasedtheoryof testselection
16
andcoverage. In A. A. S. Danthine,G. Leduc,andP. Wolper, editors,
Proc. Protocol Specification,Testingand Verification XIII , pages289–
304.North-Holland,1993.
[2] E.Brinksma.A theoryfor thederivationof tests.In S.AggarwalandK. K.
Sabnani,editors,Proc. Protocol Specification,Testingand Verification
VIII . North-Holland,Amsterdam,Netherlands,June1988.
[3] O. Charlesand R. Groz. Basing test coverageon a formalization of
test hypotheses.In M. Kim, S. Kang, and K. Hong, editors,Interna-
tional Workshopon TestingCommunicatingSystemsX, pages109–124.
Chapman-Hall,London,UK, 1997.
[4] R.DeNicolaandM. C. B. Hennessy. Testingequivalencesfor processes.
Theoryof ComputerScience, pages83–133,1984.
[5] J. EdmondsandE. L. Johnson.Matching,Euler toursandthe Chinese
postman.MathematicalProgramming, 5:88–124,1972.
[6] J.-C.Ferńandez,H. Garavel, A. Kerbrat,R. Mateescu,L. Mounier, and
M. Sighireanu.CADP(Cæsar/Aldébaran DevelopmentPackage):A
protocolvalidationandverificationtoolbox. In R. Alur andT. A. Hen-
zinger, editors,Proc. 8th. Conferenceon Computer-Aided Verification,
number1102 in LectureNotes in ComputerScience,pages437–440.
Springer-Verlag,Berlin, Germany, Aug. 1996.
[7] J. C. Fernandez,C. Jard,T. Jéron,andC. Viho. Usingon-the-flyverifi-
cationtechniquesfor thegenerationof testsuites. In R. Alur andT. A.
Henzinger, editors,ComputerAidedVerification’96, volume1102of Lec-
tureNotesin ComputerScience, pages348–359.Springer-Verlag,Berlin,
Germany, 1996.
[8] R. C. Ho, C. H. Yang,M. A. Horowitz, and D. L. Dill. Architecture
validationfor processors.In Proc.22nd.AnnualInternationalSynposium
onComputerArchitecture, 1995.
[9] G.J.Holzmann.DesignandValidationof ComputerProtocols. Prentice-
Hall, EnglewoodCliffs, New Jersey, USA, 1991.
[10] IEEE. VHSICHardware DesignLanguage. IEEE 1076. Institution of
ElectricalandElectronicEngineersPress,New York, USA, 1993.
[11] IEEE. IEEE Standard Hardware DesignLanguage basedon theVerilog
Hardware DescriptionLanguage. IEEE 1364. Institution of Electrical
andElectronicEngineersPress,New York, USA, 1995.
[12] ISO/IEC. InformationProcessingSystems– OpenSystemsInterconnec-




[13] ISO/IEC. InformationProcessingSystems– OpenSystemsInterconnec-
tion – ConformanceTestingMethodology andFramework – Part 3: The
TreeandTabular CombinedNotation(TTCN). ISO/IEC9646-3.Interna-
tionalOrganizationfor Standardization,Geneva,Switzerland,1991.
[14] Ji He andK. J.Turner. ExtendedDill: Digital logic with Lotos. Tech-
nical ReportCSM-142,Departmentof ComputingScienceandMathe-
matics,Universityof Stirling, UK, Nov. 1997.
[15] Ji HeandK. J.Turner. TimedDill: Digital logic with Lotos. Technical
ReportCSM-145,Departmentof ComputingScienceandMathematics,
Universityof Stirling, UK, Apr. 1998.
[16] Ji He andK. J.Turner. Modelling andverifying synchronouscircuits in
Dill. TechnicalReportCSM-152,Departmentof ComputingScience
andMathematics,Universityof Stirling, UK, Feb. 1999.
[17] G. Leduc. A framework basedon implementationrelationsfor imple-
mentingLotos specifications.ComputerNetworksand ISDNSystems,
25(1):23–41,Aug. 1992.
[18] D. Moundanos,A. Abraham,andY. V. Hoskote. Abstractiontechniques
for validationcoverageanalysisandtestgeneration.IEEE Transactions
onComputers, 47:2–14,1998.
[19] R. D. Nicola. Extensionalequivalencesfor transition systems. Acta
Informatica, 24:211–237,1987.
[20] D. H. Pitt andD. Freestone.The derivation of conformancetestsfrom
Lotos specifications. IEEE Transactionson Software Engineering,
16(12):1337–1343,Dec.1990.
[21] J.M. T. Romijn,O.Sies,andJ.R.Moonen.A two-level approachtoauto-
matedconformancetestingof VHDL designs.Testingof Communicating
Systems, 10:432–447,1997.
[22] J. Staunstrupand T. Kropf. IFIP WG10.5benchmarkcircuits. http://
goethe.ira.uka.de/hvg/benchmarks.html, July 1996.
[23] J. Tretmans.Conformancetestingwith labelledtransitionsystems:Im-
plementationrelationsandtestgeneration.ComputerNetworksandISDN
Systems, 29:25–59,1996.
[24] J. Tretmans. Testgenerationwith inputs,outputsand repetitive quies-
cence.Software ConceptsandTools, 17:103–120,1996.
[25] K. J.TurnerandR. O. Sinnott.Dill: Specifyingdigital logic in Lotos.
In R. L. Tenney, P. D. Amer, and M. Ü. Uyar, editors,Proc. Formal
Description TechniquesVI, pages71–86.North-Holland,Amsterdam,
Netherlands,1994.
[26] F. VemuriandR. Kalyanaraman.Generationof designverificationtests
from behavioral VHDL programsusingpathenumerationandconstraint
18
programming.IEEE Transactionson Very Large ScaleIntegration Sys-
tems, 3:201–214,1995.
[27] D. Winkel and F. Prosser. The Art of Digital Design. Prentice-Hall,
EnglewoodCliffs, New Jersey, USA, 1980.
