Delta-cycles are basic units of SystemC modeling and they are supposed to provide the guarantee of some critical properties about interactions between concurrent processes, like determinism and liveness, which is the basis for higher-level modeling and analysis. However, uncareful design may cause serious problems at the transaction level, which break the properties that we want to ensure at the level of delta-cycles. We propose a formal model based on SystemC waiting-state automata for verifying properties of SystemC models at the transaction level within a delta-cycle and show that this model conforms to the SystemC scheduler up to delta-cycles.
INTRODUCTION
SystemC becomes nowadays a popular language for modeling complex hardware systems. Compared with other hardware description languages, SystemC is more feasible for designing large-scaled complex systems and modeling high level behaviors -it comes with many pre-defined constructs in its syntax, like channels, modules, clocks, etc., which make the compositional system design much easier. SystemC is also equipped with a simulation engine which allows us to simulate a model once it is designed, but pure simulation is not sufficient if we want to ensure that the model satisfies certain properties, especially those safety-related properties. Simulation correctness does not imply logical correctness and verification is still a major issue.
SystemC simulation engine introduces the important notion of delta-cycle as the fundamental simulation unit. In fact, a simulation procedure can be seen as a sequence of delta cycles and all the interactions within a delta cycle are abstracted from the modeling perspective. Such an abstraction is supposed to provide a guarantee that all these interactions should work correctly so that higher-level analysis or verification can be done without considering what goes on inside delta-cycles. However, this is probably the most error-prone part of SystemC modeling, as the final process space within a delta-cycle can be very large and the interaction in between might be extremely complicated. A typical problem is the causality waiting cycles among processes, which causes the unexpected halt of the object system. Furthermore, accessing shared resources may cause competitions between processes, and consequently results in non-deterministic behavior at the delta-cycle level, which is certainly not desired in hardware design.
We propose in this paper a formal model for verifying SystemC up to delta-cycle. This is based on the observation that most important properties depends heavily on how processes get into and get out of a waiting state, which is actually controlled by the underlying event-based engine. We propose first a way of constructing small automata for single processes, by analyzing their waiting status. Then we define algorithms for composing the small process automata and reducing it so as to recognize the abstraction at the level of delta-cycle. These algorithms conform to the SystemC scheduler, which defines the executing semantics of SystemC. Verifications can be done at both the process automata and the final composed automata. We also discuss some extensions based on this model, like adding counters into the automata, so that additional properties can also be verified.
The rest of the paper is structured as follows: Section 2 is an introductory section on SystemC, through a simple example -a clocked FIFO model. We describe in particular how processes in a SystemC model communicate with each other and how the SystemC simulation engine schedules these processes. Then we introduce in Section 3 our formal model -the SystemC waiting-state automata and show how to derive them from single processes. In particular, we define the composition and the reduction at the symbolic level, so that the final automata can recognize the abstraction of the whole system at the level of delta-cycles. Section 4 introduces an extension of the waiting-state automata, by adding counters to include more information in the model and make it possible of verifying more properties. We also make some comparison, in Section 5, between our model and other formal models for SystemC and we conclude the paper in Section 6.
PRELIMINARY OF SYSTEMC

A simple FIFO model
Let us start by a simple SystemC model -an implementation of FIFO with clocks. The structure of the model is shown in Figure 1 . The model contains a First-In-First-Out buffer and two modules cooperating through the buffer -a producer module which continuously puts data into the buffer and a consumer module which continuously retrieves data from the buffer. The two processes are triggered by two individual clocks: Ô ÐÓ and ÐÓ . When a Ô ÐÓ signal arrives, the producer starts producing and tries to write the product into the buffer. Similarly, the ÐÓ signals control the consumer. The two clocks are independent, hence the producing and the consuming can be at different paces.
It is certainly possible that the producer fills all the slots of the buffer and continues writing, or the consumer retrieves all the elements and still tries to consume. In this case, the producer/consumer must wait for the other to release/fill the buffer and this is done by the SystemC events mechanism. The implementation of the modules in SystemC is given in Figure 2 and the assemblage is given in the SystemC main program in Figure 3 .
Events
SystemC provides many different types of constructs in its syntax for system design, like modules, channels, ports, signals, clocks, etc. Despite of the diversity in syntax, SystemC is essentially an event-driven model, and all communications in SystemC models are implemented using events and the associated wait/notify mechanism. For instance, the FIFO module in the previous example is actually defined as a channel × ÒÒ Ð, and the mutual access to the buffer is implemented through the two events Ö Ú ÒØ and Û Ú ÒØ. SystemC events can be roughly classified into the following three sorts:
First International Workshop on Verification and Evaluation of Computer and Communication Systems
• user-defined events. These are events defined by SystemC programmers in source code.
For instance, the Û Ú ÒØ and the Ö Ú ÒØ as in Figure 2 . Such events are usually triggered by the command ÒÓØ Ý;
• channel events. These are pre-defined SystemC events and they are triggered when something occurs on channels. For instance, an event denoting the arrival of a new value will be triggered whenever some value is written to a × Ù Ö channel. Channel events at different types of channels have different semantics [5, 6] ; • clock events 1 . Clock signals are also seen as events and they are usually defined as × ÐÓ 's in the SystemC main program. e.g., the Ô ÐÓ and ÐÓ in Figure 3 . SystemC core engine is in charge of generating × ÐÓ events at proper time. We never notify a clock event in the program.
We shall not distinguish the first two sorts of events as both of them can be dynamically notified, while the clock events are rather seen as the input events of SystemC models. In fact, we prefer not considering any pre-defined channels or signals in our modeling, but rather taking into account their event-driven implementation. For instance, the FIFO buffer in the previous example is defined as a channel with two actions (ÛÖ Ø ´µ and Ö ´µ) and two internal events (Û Ú ÒØ and Ö Ú ÒØ), and modules connected to FIFO are allowed to call the channel methods but they are not aware of the existence of the channel events. However, for our analysis within delta-cycles, we shall put the method definitions inline in the codes of processes (see the analysis in the beginning of Section 3).
SystemC simulation scheduler
The simulation of SystemC models is managed by the SystemC scheduler, which can be seen as a total event-driven model: communications through ports and channels, clocks, and actions of modules, are all triggered by (different types of) events. The basic unit of the simulation is the so-called delta-cycle and a complete simulation procedure is just a sequence of delta-cycles. The scheduler maintains several tables, among which we are particularly interested in the table of runnable processes (processes that are ready to execute at the current delta-cycle). 1 Clocks are actually seen as typical channels in SystemC -sc_clock is implemented using sc_signal, but from the analysis viewpoint, we would better differentiate them from channel events.
First International Workshop on Verification and Evaluation of Computer and Communication Systems
Here is a brief description of a delta-cycle: a delta-cycle starts with a non-empty runnable process table. The scheduler executes these processes one by one, in a pre-defined order; every runnable process executes until it ends or it is pended again (by a Û Ø command for instance); if any immediate event (e.g. the Û Ú ÒØ generated by the producer process in the FIFO example) is notified during the execution of a runnable processes, it will add processes that are currently sensitive to this event into the runnable process table; delta-events and timed events that are generated during the execution of a process are stored in other tables. The process table is emptied when all runnable processes are executed and the procedure of executing all the runnable processes is called a evaluation phase. The scheduler then checks those delta-events notified in the evaluation phase: if there are processes that are sensitive to these events, then add them into the process table. This procedure is called a delta notification phase. If the process table is non-empty, the scheduler enters the next delta-cycle and executes the evaluation phase again; otherwise, it checks the timed events notified in the evaluation phase and adds processes that sensitive to these timed events into the process table. This is called a timed notification phase. The scheduler then advances the simulation clock and enters the next delta-cycle.
Above is what is defined as delta-cycles in SystemC scheduler. A detailed explanation and implementation of delta-cycles can be found in SystemC documents [5, 6] . However, for the sake of clarification, we prefer regarding a delta-cycle as starting from a delta notification phase or a timed notification phase. In other words, a delta-cycle in this paper will start with a set of events which add all sensitive processes into the process table, then continue with an evaluation phase.
Take the simple FIFO as an example. Suppose that at the beginning of a delta-cycle we have both Ô ÐÓ signal and ÐÓ signal, which will be seen as events in SystemC. The Ô ÐÓ event then adds the producer process into the process table if the producer is waiting for the clock signal. Note that the producer may wait for a Ö Ú ÒØ instead of a clock signal, and in this case, it will not be added into the process table. Similarly, the ÐÓ event will add the consumer into the process table if it is waiting for the ÐÓ signal. The scheduler then runs the processes in a pre-defined order. For instance, if we run the producer first then the consumer, according to the status of the buffer, there are then two cases of what happens within a delta-cycle:
• if the buffer is not full, the producer will succeed in putting a new product into the buffer, get hung up and wait for the next clock signal. The scheduler moves on to run the consumer until it is pended. During this procedure, two extra events are generated -Û Ú ÒØ and Ö Ú ÒØ and they are added into the event table, but as no process is sensitive to them, nothing is added into the process table and the evaluation phase is over, as well as the present delta-cycle;
• if the buffer is full, the producer will be hung up and waits for a Ö Ú ÒØ. The scheduler continues to run the consumer. This generates a Ö Ú ÒØ, which will add immediately the producer process into the process table again, since it is now sensitive to Ö Ú ÒØ. The scheduler then resumes the execution of the producer, until it is pended for the next clock signal. The evaluation phase, as well as the current delta-cycle, stops here. Note that if there is no ÐÓ at the same cycle, the delta-cycle just stops when the producer is pended for the first time (when it waits for the Ö Ú ÒØ).
Cycles in SystemC scheduling engine
Cycles, like delta-cycle in the SystemC simulation engine, are important to the verification of SystemC models. But cycles are not explicitly defined in the SystemC syntax, and there are usually multiple levels of cycles in a SystemC model.
We give a rough classification here on what can be seen as a cycle in SystemC models:
• the minimal cycle, which is basically the interval between two continuous Û Ø within a single process. For instance, in the producer process ( Figure 4 ), a minimal cycle can be either execution of the three pieces of code C 1 , C 2 or C 3 . We call these cycles the minimal cycles, because we are not interested in the detailed execution of the program. There are of course smaller cycles, e.g., a cycle inside a loop which does not contain any Û Ø, but they The classification here is certainly not exhausted, but it should contain those cycles that appear frequently in most SystemC models. Clearly, these cycles provide different levels of abstractions and can be useful for verifications for particular purposes.
Liveness and determinism
Abstractions at the level of delta-cycles should guarantee some fundamental properties of interactions between concurrent processes. Among others, we cite two properties here: liveness and determinism.
The liveness property is probably the most common one in the field of formal verification. It simply states that the implementation must be deadlock-free, and in SystemC modeling, it means that there is no causality waiting cycles between processes. For instance, in the FIFO example, the producer and the consumer should not wait for each other.
Determinism is a very critical property for hardware design. In SystemC modeling, a deterministic SystemC model should ensure that the behavior is independent of the order of internal process executions. It stresses in particular the determinism at the level of delta-cycles, because nondeterministic behaviors are caused by competitions when multiple processes are accessing shared resources at the same time, and such competitions usually occur within a single deltacycle.
As an example, consider another implementation of FIFO: the producer/consumer does not wait for the other to release/fill the buffer when it is full/empty, and instead, they just return a write/read failure. It is clear that there might be a competition between the producer and the consumer: if at the beginning of a delta-cycle, both producer and consumer are allowed to operate on the buffer (both Ô ÐÓ and ÐÓ are present), we might have different results, as shown in Figure 5 ( Ô´¿µ¸ means that both Ô ÐÓ and ÐÓ signals occur at the same instant and the producer is ready to put the data ¿ into the buffer). If the buffer is full, producing first will cause the new product to be discarded, while consuming first will cause a successful writing to buffer. Non-determinism is hard to detect through simulation, because the SystemC scheduler will fix an execution order for process, though semantically, it should not be fixed. For instance, it may always execute consumer first, then the simulation will return the same result with the same input and we cannot see the non-deterministic behavior from the simulation.
SYSTEMC WAITING-STATE AUTOMATA
This section introduces a formal model of SystemC, based on the analysis of the "wait/notify" mechanism of SystemC, which plays an important role in the SystemC scheduler and serves as the basic engine of implementing interactions between processes. The basic idea of our model is to consider only those states where processes are hung up, i.e., waiting for some events. In fact, a delta-cycle always starts from a state where all the processes are hung up and the whole cycle can be seen as a sequence of transitions between these waiting-states.
Let us start by an informal analysis of the producer process, as shown in Figure 6 . The two Û Ø statements define the two waiting-states of the automaton, and they divide the program into three pieces (P 1 , P 2 , P 3 in Figure 6 ) according to the execution trace. Each piece of P 1 , P 2 and P 3 executes in an instant, and are seen actually as transitions between the waiting-states.
The objective is then to represent formally how a process controls the transitions between the waiting-states. As shown in Figure 6 , we calculate, for every waiting-state, the entry-condition and the exit-condition. One should not confuse these conditions with pre-conditions/post-conditions of programs: the pre/post-condition assertion says that if a pre-condition of a program P holds before the execution of P , then after the execution, the post-condition holds; the entry/exit-conditions are rather seen as the guard condition for starting/stopping the execution of the Û Ø statements.
The transition from one state to another is then determined by the condition of exiting the source state plus the condition of entering the destination state. For instance, the condition for entering the Ô Û Ø state is ÒÙÑ Ð Ñ == Ñ Ü and the condition for exiting the Ô Û Ø Ð state is a Ô ÐÓ signal, so the guard condition for the transition from Ô Û Ø Ð to Ô Û Ø is an event Ô ÐÓ plus a predicate (ÒÙÑ Ð Ñ == Ñ Ü), defined on the variable ÒÙÑ Ð Ñ (Ñ Ü is a First International Workshop on Verification and Evaluation of Computer and Communication Systems pre-defined constant here). As a transition is actually a piece of program, it can also generate new events and modify the values of variables. For instance, both P 2 and P 3 generate an event Û Ú ÒØ and make the variable ÒÙÑ Ð Ñ decreased by 1. These are the effects of transitions.
SystemC waiting-state automata
Notice that transitions between waiting-states depend not only on the events, but also on variables, especially those variables shared by several processes, e.g., the variable ÒÙÑ Ð Ñ in the FIFO example. Let V be a finite set of variables {x 1 , x 2 , . . . , x n }, where every variable x i has a domain D i which contains the values that can be assigned to x i . D 1 × · · · × D n is called the domain of V, abbreviated as D. We call a function f : D → D, defined over these variables, an effect function over V. Intuitively, e in and the predicate p act as a guard condition: the transition is triggered if and only if all the events in e in are present and the predicate p holds; e out and the function f represents an effect: the transition will generate all the events in e out and f will be applied to the current instantiation of V.
Naturally, we expect that a SystemC automaton represents faithfully the process from which it is derived. However, in a SystemC process, the transition from a waiting-state to another is only triggered by the events and the predicates determine which state the process will enter after being wake up, which means that transition from the same state must have the same set of incoming events (e in ). We say that a SystemC waiting-state automaton A(V) = (S, E, T ) is faithful if for every two transitions t, t ′ , proj 1 6 (t) = proj 1 6 (t ′ ) ⇒ proj 2 6 (t) = proj 2 6 (t ′ ), and for every state s ∈ S, t∈T (s) proj 3 6 (t) always holds.
The automata for the processes of the producer and the consumer are shown in Figure 7 . where we consider only one variable ÒÙÑ Ð Ñ and the definitions of the effect functions inc and dec are obvious:
The function id is the identity function and the empty predicate can be seen as the truth constant.
Clearly, these two automata are faithful if we consider the domain of the variable ÒÙÑ Ð Ñ as the interval [0, Ñ Ü].
In fact, since the two automata are derived by analyzing the waiting states of processes, as we have seen in the beginning of this section, a transition actually represents the execution The automata for the producer and the consumer within a minimal cycle, i.e., the execution of a process between two continuous Û Ø. We call such an automaton a minimal-step waiting-state automata. We assume that every mininmal-step automaton is total, i.e., every state has some successor. Otherwise, it means that the single process itself may cause a deadlock, which is not the case we study here.
Symbolic composition and reduction
The global strategy of verifying SystemC models using waiting-state automata is to define first a minimal-step automaton for every process, and compose them together so as to achieve a bigger automaton for the whole SystemC model which can be finally passed to the model-checking procedure.
The symbolic composition follows the parallel composition of labeled Kripke structures [1] derived from CSP. However, our symbolic composition is followed by a reduction procedure, which enables more aggressive abstractions on the result model. Abstraction is a common way to handle more and more complex system. Other typical abstractions include, for instance, replacing internal events of the composition with more abstract notions like counters and constraints on counters.
With respect to the hiding of variables [8] , such replacements keep functionality properties after the abstraction and to introduce progressively QoS properties.
Symbolic composition
Definition 2 Given two SystemC waiting-state automata A(V) = (S, E, T ) and A ′ (V) = (S ′ , E ′ , T ′ ), over the same set V of variables, the combination of the two SystemC waiting-state automata is still a SystemC waiting-state automaton
where T ′′ is the smallest set of transitions such that: 
The composed automaton of the two minimal-step automata in Figure 7 is given in Appendix A (Figure 10 ).
First International Workshop on Verification and Evaluation of Computer and Communication Systems
Note that in the last case of defining transitions of the composed automaton, we can replace the effect function f • f ′ of the new transition by f ′ • f , but the composed automata might not be equivalent since f • f ′ and f ′ • f are not always equal. This is the case where the composition will result in potential non-deterministic behaviors and we call a transition with an effect function
The symbolic composition of SystemC automata can be used to check the determinism of a SystemC model: we define the corresponding minimal-step automaton for every process and compose them together; if the composed automata does not contain any non-deterministic transition, we can then assert that the model is deterministic.
Detecting non-deterministic transitions can be done without doing the composition. Because the above definition includes all composes of effect functions of the two component automata, we can simply check whether
However, such a detection might be too strict in the sense that some non-deterministic transitions may never be triggered and does not change the deterministic behavior of the model. This is often because the guard condition of these "impossible transitions" will never be true, e.g., p and p ′ in the above definition are two contradicting predicates. Actually, such transitions can be removed after the composition as a refinement, and clearly, checking the non-existence of non-deterministic transitions based on the refined composition will increase the precision of the detection of the non-determinism of SystemC models.
SystemC processes running in parallel may cause causality waiting cycles and it is also represented in the composition of SystemC waiting-state automata. This is related the liveness property mentioned in Section 2 and the verification requires in the first place the detection of "unsafe states" containing mutually waiting processes, for further analysis based on the automata, e.g., the reachability analysis.
First, for every state s in a SystemC automaton, write e in (s) for the set t∈T (S) proj 2 6 (t) (the set of events that trigger transitions from this state), and e out (s) for the set t∈T (S) proj 4 6 (t). Consider two minimal-step automata A 1 (V) = (S 1 , E 1 , T 1 ) and A 2 (V) = (S 2 , E 2 , T 2 ). We say that a state (s 1 , s 2 ) (s 1 ∈ S 1 , s 2 ∈ S 2 ) in the composed automaton A 1 × A 2 is a potential unsafe state if e in (s 1 )∩e out (s 2 ) = ∅ and e in (s 2 )∩e out (s 1 ) = ∅. For instance, in the FIFO example, the composition of the producer automaton and the consumer automaton ( Figure 7) gives rise to a potential unsafe state (Ô Û Ø , Û Ø Ô). Indeed, it is an unsafe state where the two processes are waiting for each other.
Potential unsafe states can be effectively detected when the component automata are given, but this is still a very coarse detection in the sense that potential unsafe states are not necessarily unsafe. A precise detection of unsafe states require probably user interference. Definition 2 of automata composition can be extended in a regular way to the case of more than two processes, but the definition would be much more complicated, so we rest on the version of composing two automata and the composition of more that two automata can be done by applying repeatedly the composing in Definition 2.
Symbolic reduction
In a SystemC waiting-state automaton, it is possible that the effect of a certain transition will immediately trigger another transition, e.g., the following two transitions is called the contractum of (t 1 , t 2 ). In the FIFO example, we can find examples of such reducible transitions, e.g., in the composed automaton of the two minimal-step automata (see Figure 10 ), the transition
will immediately trigger the transition
so we can replace these two transitions by a new transition
Since the automaton is composed from two small automata representing two processes, such a reduction actually represents an interaction between the two processes within a single delta-cycle.
In general, a minimal-step waiting-state automaton does not contain any reducible transitions, and in our verification strategy, reductions are usually required when we compose all the minimal-step automata together. As we are intend to define a model that represents the behavior at the level of delta-cycles and hides all interactions within a delta-cycle, the reduction algorithm should be consistent with the SystemC scheduler. The reduced automaton is (S, E, T ′ ).
Algorithm 1 (Symbolic reduction) Given a SystemC minimal-step waiting-state automaton
The composed automaton for the FIFO model is reducible (in Figure 10 ), and applying this algorithm to that automaton, we shall get a reduced automaton, as shown in Figure 11 .
If we are given a SystemC model with a set of parallel processes {P 1 , . . . , P n }, let A formal verification of SystemC models can be done at the level of delta-cycles, using the SystemC waiting-state automata, together with the composition and the reduction algorithms. Note that at this stage, we might divide the events in E of the final automaton into two sets -the set of environment events and the other of internal events. The environment events are events generated by the SystemC engine, which are typically "time events" such as clock events. By distinguishing between these two sorts of events, we can again reduce the automaton by removing those transitions depending on non-environment events, i.e., transitions whose e in contains events that are not in the set of environment events. For instance, the automaton in Figure 11 can be again reduced to the one in Figure 12 . Interestingly, we can conclude easily from the new automaton that the state (Ô Û Ø , Û Ø Ô) is an unsafe state since there is no transition getting out of it. Indeed, this state is exactly the deadlock state where the producer and the consumer are waiting for each other.
Besides the automaton, the model-checking procedure requires in addition a sequence of event sets, every set of which contains the environment events that the SystemC engine generate at the beginning of the corresponding delta-cycle. Then we pass this sequence and the automaton of the SystemC model to a model-checking tool as in [10, 8] , and check whether those unsafe states can be reached.
EXTENDING SYSTEMC WAITING-STATE AUTOMATA WITH COUNTERS
By counting how many times a transition is triggered during the execution of an automaton, we obtain more information about the model and consequently, we are able to verify additional relevant properties for system design. This can be done by adding a counter for every transition in the automaton.
Again, let us take the FIFO example and consider the two small automata for the processes of the producer and the consumer. Figure 8 shows both automata annotated with counters. For instance, γ 3
Û counts the times of executing the transition from Ô Û Ø Ð to Ô Û Ø , and it is actually the number of times that the producer enters the waiting-state Ô Û Ø . These counters provide meaningful information about the behavior of the whole system. For instance, a "read" can only occur if a "write" occurs before it, and this property can be represented using counters, i.e., the total count of transitions representing a "read" is always less or equal to the total count of those representing a "write". Formally, it should always hold that:
We can furthermore formulate some properties that may require more precise information, using both counters and system variables, e.g., the following property:
Also, the entry-conditions and exit-conditions presented in section 3.1 can be extended by adding conditions on transition counters. For instance, the condition for exiting the Û Ø Ð state is a ÐÓ signal plus the condition γ 1
Such relations on counters can be inferred during the construction stage of the waiting-state automaton using for instance techniques based on abstract interpretation as in [12, 13, 11] . Abstract interpretation can also be done after the construction stage. In [9] , Lustre descriptions are generated from synchronous SystemC so that the tool NBAC verification and slicing tool can be applied [7] . • s and s ′ are two states in S, representing respectively the initial state and the end state of the transition; • e in and e out are two sets of events: e in ⊆ E, e out ⊆ E; • p is a predicate defined over variables in V and counters C, i.e., FV (p) ⊆ V ∪ C; • f is an effect function over V.
• γ ∈ C is the counter associated to the transition that increments each time it is executed.
The algorithm that performs symbolic reduction on extended waiting-state automata simply merges those counters whose associated transitions are reduced. The reduced automaton is (S, E, T ′ , C ′ ).
Algorithm 2 (Symbolic reduction) Given a SystemC minimal-step waiting-state automaton
RELATED WORK
Several attempts have been made to apply formal verification methods to SystemC. Early work in this direction, notably by Drechsler and Große, focused on verifications at the gate level [2, 3] and were somehow limited to it. In recent years, several formal models are proposed aiming at verifying properties at the transaction level [8, 9, 10] , but to the authors' knowledge, none of them stresses specifically the correctness at the level of delta-cycles, which is mainly the contribution of our model presented in this paper.
Among others, we have mentioned the work by Kroening et al. [8] , pointing out that our symbolic composition is similar to their parallel composition but we do more. In fact, the model in [8] is based on the state/event analysis and it makes use of the formalization of labeled Kripke structures [1] . Having separated labels on states and transitions in the model provides a syntactic way of partitioning a SystemC model into a hardware and a software part. But states in their model include all possible intermediate states within a process, not just those waiting-states as in our model, and they also make a classification of processes as runnable processes, waiting processes, etc., which is basically the implementation idea of SystemC scheduler and is avoided in our model. On the other side, their labels on states allow effective manipulation of program data, which can be a nice mechanism to be introduced into our model so that more properties can be verified.
As for the generation of automata from SystemC models, two algorithms of generating finite state machines are proposed in [4] . These are generation algorithms for traditional model-checking adapted for SystemC and their model generates the states for the whole system from the very beginning, then the algorithms focus on solving the state exploration problem using the grouping technique. Instead, our approach has rather the component assembly nature, where predefined abstractions are done during composition. State exploration is not a big problem in our model, at least at the symbolic level, but these algorithms might be adapted in generating some extended waiting-state automata where more information required to represented in states for further verifications.
CONCLUSION
We propose in this paper a formal model based on traditional model-checking techniques. We define a new form of automata -SystemC waiting-state automata, based on the analysis of the waiting status of SystemC processes. The main goal of this model is to provide the capacity of The procedure of the verification using SystemC waiting-state automata is clear: translate first SystemC processes into SystemC minimal-step waiting-state automata, eventually infer affine relations regarding transition counts of those small automata, combine these small automata together and reduce the resulted automaton to the final one which conforms to the SystemC scheduler, and pass the final automaton to the model-checking procedure. While the composition and the reduction are clearly defined in the paper, the compilation is remained unclarified. A possible approach of compiling SystemC code to waiting-state automata, is to integrate the waiting states into the control flow graphs of processes, with every arrow getting out of a state being labeled by a set of triggering events (e in in SystemC waiting-state automata), and every arrow getting into a state being labeled by a set of effect events (e out in SystemC waiting-state automata). For instance, for the producer process in Figure 6 , we might expect a control flow graph with waiting states as in Figure 9 . Such an intermediate format can be translated into pure SystemC waiting-state automata by abstracting the control information using predicates and symbolic functions.
Future work include case studies of large examples besides the long-term compilation work. Also, the model itself demands probably further refinement so as to fit well in real cases, and proper extensions might be necessary for verifying particular properties.
