Optimized Transformation and Verification of SystemC Methods

Concurrent designs can be automatically verified by transforming them into an automata-based representation and by model checking the resulting model. However, when transforming a concurrent design into an automata-based representation, each method has to be translated into a single automaton. This produces a significant overhead for model checking. In this paper, we present an optimization of our previously proposed transformation from SystemC into Uppaal timed automata. The main idea is that we analyze whether SystemC methods can be executed atomically and then we use the results for generating a reduced automata model. We have implemented the optimized transformation in ourSystemC to Timed Automata Transformation Engine (STATE) and demonstrate the effect of our optimization with experimental results from micro benchmarks, a simple producer-consumer example, and from an Anti-Slip Regulation and Anti-lock Braking System (ASR/ABS)

Model checking SystemC designs using timed automata

SystemC is widely used for modeling and simulation in hard-ware/software co-design. Due to the lack of a complete for-mal semantics, it is not possible to verify SystemC designs. In this paper, we present an approach to overcome this prob-lem by defining the semantics of SystemC by a mapping from SystemC designs into the well-defined semantics of Uppaal timed automata. The informally defined behavior and the structure of SystemC designs are completely preserved in the generated Uppaal models. The resulting Uppaal models allow us to use the Uppaal model checker and the Uppaal tool suite, including simulation and visualization tools. The model checker can be used to verify important properties such as liveness, deadlock freedom or compliance with tim-ing constraints. We have implemented the presented trans-formation, applied it to two examples and verified liveness, safety and timing properties by model checking, thus show-ing the applicability of our approach in practice

Test Input Partitioning for Automated Testing of Satellite On-board Image Processing Algorithms

On-board image processing technologies in the satellite domain are subject to extremely strict requirements with respect to reliability and accuracy in hard real-time. Due to their large input domain, it is infeasible to execute all possible test cases. To overcome this problem, we define a novel test approach that efficiently and systematically captures the input domain of satellite on-board image processing applications. To achieve this, we first present a dedicated partitioning into equivalence classes for each input parameter. Then, we define multidimensional coverage criteria to assess a given test suite for its coverage on the complete input domain. Finally, we present a test generation algorithm that automatically inserts missing test cases into a given test suite based on our multidimensional coverage criteria. This results in a reasonably small test suite that covers the whole input domain of satellite on-board image processing applications. We demonstrate the effectiveness of our approach with experimental results from the ESA medium-class mission PLATO

Ein Framework für die automatisierte HW/SW Co-Verifikation von SystemC-Modellen mit Hilfe von Timed Automata

Eingebettete Systeme sind in der heutigen Welt allgegenwärtig. Sie werden zunehmend auch in Bereichen eingesetzt, in denen ein Fehler zu hohen finanziellen Verlusten oder sogar zu Verletzungen und Todesfällen führen kann, zum Beispiel im Automobilbereich. Als Folge davon wird es immer wichtiger, die Korrektheit eingebetteter Systeme mit systematischen und umfassenden Verifikationstechniken sicher zu stellen. Eine besondere Herausforderung ist dabei, dass in eingebetteten Systemen Hardware- und Software-Anteile eng miteinander verflochten sind. Um solche heterogenen Systeme zu modellieren und zu simulieren wird häufig die Systembeschreibungssprache SystemC eingea setzt. Die Verifikationstechniken, die für SystemC eingesetzt werden, sind jedoch uberwiegend ad hoc und unsystematisch. Die Verifikation ist daher entweder sehr teuer oder die Ergebnisse sind nicht zuverlässig. In dieser Arbeit stellen wir einen Ansatz zur Lösung dieses Problems vor. Wir präsentieren einen systematischen, umfassenden und formal fundierten Qualitätssicherungsprozess, der die HW/SW Co-Verifikation durchgängig über den gesamten Entwurfsprozess ermöglicht. Die ubergeordnete Idee ist, eine Kombination von Model Checking und Konformitätstesten anzuwenden. Model Checking verwenden wir um zu zeigen, dass ein abstrakter Entwurf eine gegebene Anforderungsspezifikation erfüllt. Anschließend erzeugen wir Konformitätstests um zu prüfen, ob ein verfeinerter Entwurf konform zu diesem abstrakten Entwurf ist. Mit diesem Ansatz erhalten wir Garantien über bestimmte Eigenschaften des abstrakten Entwurfs und stellen gleichzeitig die Konsistenz verfeinerter Entwürfe über den Entwurfsablauf hinweg sicher. Das Ergebnis ist ein Qualitätssicherungsprozess, der den Entwicklungsprozess von der abstrakten Spezifikation bis zur finalen Implementierung unterstützt. Um eine formale Basis für unseren Ansatz zu etablieren, definieren wir eine formale Semantik für SystemC. Zu diesem Zweck bilden wir die informell definierte Semantik von SystemC auf die formal wohl-definierte Semantik von Uppaal Timed Automata ab. Basierend auf dieser Abbildung können wir einen gegebenen SystemC Entwurf automatisch in ein semantisch äquivalentes Uppaal Modell transformieren. Dies ermöglicht auch die Anwendung des Uppaal Model Checkers. Damit können wir wichtige Eigenschaften, zum Beispiel Lebendigkeit, Sicherheit oder die Einhaltung von Zeitschranken, vollautomatisch verifizieren. Neben dem Model Checking bildet die von uns definierte formale Semantik für SystemC auch eine Basis für Konformitätstests. Wir stellen einen Algorithmus vor, der aus einem abstrakten Modell alle möglichen (zeitbehafteten) Ausgaben berechnet und aus diesen automatisch SystemC Test Benches erzeugt. Diese können einen beliebigen verfeinerten Entwurf ausführen und automatisch prüfen, ob die Ausgaben dieses Entwurfs in der Spezifikation erlaubt sind oder nicht, also ob der verfeinerte Entwurf konform zum abstrakten Enwturf ist. Mit der Kombination aus Model Checking und Konformitätstesten erhalten wir ein Framework für die automatisierte HW/SW Co-Verifikation von SystemC Entwürfen mit Hilfe von Timed Automata (VeriSTA). Das Framework ist voll-automatisch anwendbar und unterstützt den gesamten HW/SW Co-Design Prozess. Wir haben das VeriSTA Framework vollständig umgesetzt und demonstrieren seine Leistungsfähigkeit mit experimentellen Ergebnissen.Embedded systems are usually composed of deeply integrated hardware and software components. They are often used in domains where a failure results in high financial losses or even in serious injury or death. As a consequence, it is indispensable to ensure the correctness of the digital components that control these systems with systematic and comprehensive verification techniques. To model and simulate complex HW/SW systems, the system level design language SystemC is widely used. However, the co-verification techniques used for SystemC are mostly ad-hoc and non-systematic. With that, it is either very expensive to verify a given design, or the results are not reliable. In this thesis, we present an approach to overcome this problem by a systematic, comprehensive, and formally founded quality assurance process, which allows automated co-verification of digital HW/SW systems that are modeled in SystemC. The main idea is to apply model checking to verify that an abstract design meets a requirements specification and to generate conformance tests to check whether refined designs conform to this abstract design. With that, we obtain guarantees about the abstract design, which serves as a specification, and we can ensure the consistency of each refined design to that. The result is a HW/SW co-verification flow that supports the HW/SW co-development process continuously from abstract design down to the final implementation. To establish a formal basis for our HW/SW co-verification approach, we define a formal semantics for SystemC. To this end, we present a mapping from SystemC to Uppaal timed automata, which have a formally well-defined semantics. Using this mapping, we can automatically transform a given SystemC design into a semantically equivalent Uppaal model. Furthermore, the resulting Uppaal model allows the application of the Uppaal model checker. With that, we can verify important properties of a SystemC design fully automatically, for example, liveness, safety, or the compliance with timing constraints. These properties are guaranteed for all possible input scenarios. In addition to the formal semantics that allows model checking, we present a novel test algorithm for SystemC. The algorithm uses the Uppaal model of a given high-level SystemC design to generate conformance tests for lower abstraction levels. Existing algorithms for the generation of conformance tests from timed automata models either support only deterministic subclasses of timed automata or compute expected results online during the test execution. The first is inacceptable because SystemC designs are inherently nondeterministic. The latter makes it impossible to reuse the conformance tests in multiple refinement steps. The algorithm presented in this thesis generates conformance tests offline and it can cope with non-deterministic systems. The result is a set of SystemC test benches that can be used to check automatically whether a refined design conforms to a given abstract design. Together with our model checking approach for abstract SystemC designs, we obtain a framework for the automated HW/SW co-Verification of SystemC designs using Timed Automata (VeriSTA). The framework is fully automatically applicable and continuously supports the whole HW/SW co-design process. We implemented the complete VeriSTA framework and demonstrate its performance and its error detecting capability with experimental results

Bit-Precise Formal Verification for SystemC Using Satisfiability Modulo Theories Solving

Part 2: System-Level DesignInternational audienceHardware/software codesigns are often modeled with the system level design language SystemC. Especially for safety critical applications, it is crucial to guarantee that such a design meets its requirement. In this paper, we present an approach to formally verify SystemC designs using the UCLID satisfiability modulo theories (SMT) solver. UCLID supports finite precision bitvector arithmetics. Thus, we can handle SystemC designs on a bit-precise level, which enables us to formally verify deeply integrated hardware/software systems that comprise detailed hardware models. At the same time, we exploit UCLID’s ability to handle symbolic variables and use k-inductive invariant checking for SystemC designs. With this inductive approach, we can counteract the state space explosion problem, which model checking approaches suffer from. We demonstrate the practical applicability of our approach with a SystemC design that comprises a bit- and cycle-accurate model of a UART and software that reads data from the UART

A Genetic Algorithm for Automated Test Generation for Satellite On-board Image Processing Applications

Satellite on-board image processing technologies are subject to extremely strict requirements with respect to reliability and accuracy in hard real-time. In this paper, we address the problem of automatically selecting test cases that are specifically tailored to provoke mission-critical behavior of satellite on-board image processing applications. Because such applications possess large input domains, it is infeasible to exhaustively execute all possible test cases. In particular, because of their complex computations, it is difficult to find specific test cases that provoke mission-critical behavior. To overcome this problem, we define a test approach that is based on a genetic algorithm. The goal is to automatically generate test cases that provoke worst case execution times and inaccurate results of the satellite on-board image processing application. For this purpose, we define a two-criteria fitness function that is novel in the satellite domain. We show the efficiency of our test approach on experimental results from the Fine Guidance System of the ESA medium-class mission PLATO

A Genetic Algorithm with Tournament Selection for Automated Testing of Satellite On-Board Image Processing

In the satellite domain, on-board image processing technologies are subject to extremely strict requirements with respect to reliability and accuracy in hard real-time. In this paper, we address the problem of automatically selecting test cases from a huge input domain that are specifically tailored to provoke mission-critical behavior of satellite on-board image processing applications. Due to the large input domain of such applications, it is infeasible to exhaustively execute all possible test cases. Moreover, the high number of input parameters and complex computations make it difficult to find specific test cases that cause mission-critical behavior. To overcome this problem, we define a test approach that is based on a genetic algorithm combined with input parameter partitioning. We partition the input parameters into equivalence classes to automatically generate a reduced search space with complete coverage of the input domain. Based on the reduced search space, we run a genetic algorithm to automatically select test cases that provoke worst case execution times and inaccurate results of the satellite on-board image processing application. For this purpose, we define a two-criteria fitness function and evaluate two different selection methods with a case study from the satellite domain. We show the efficiency of our test approach on experimental results from the Fine Guidance System of the ESA medium-class mission PLATO

Automated conformance evaluation of SystemC designs using timed automata

Abstract—SystemC is widely used for modeling and simulation in hardware/software co-design. However, the co-verification techniques used for SystemC designs are mostly ad-hoc and non-systematic. A particularly severe drawback is that simulation results have to be evaluated manually. In previous work, we proposed to overcome this problem by conformance testing. We presented an algorithm that uses an abstract SystemC design to compute expected output traces, which are then compared with those of a refined design to evaluate its correctness. The main disadvantage of the algorithm is that it is very expensive because it computes the output traces offline and has to cope with non-deterministic systems. Furthermore, the designer has to compare the results manually with the outputs of a design under test. In this paper, we present an approach for efficient and fully-automatic conformance evaluation of SystemC designs. To achieve this, we first present optimizations of our previously proposed algorithm for the generation of conformance tests that drastically reduce computation time and memory consumption. The main idea is to exploit the specifics of the SystemC semantics to reduce the number of semantic states that have to be kept in memory during state-space exploration. Second, we present an approach to generate SystemC test benches from a set of expected output traces. These test benches allow fully-automatic test execution and conformance evaluation. Together with our previously presented model checking framework for abstract Sys-temC designs, we yield a fully-automatic HW/SW co-verification framework for SystemC that supports the whole design process. We demonstrate the performance and error detecting capability of our approach with experimental results. I

Timed Path Conditions in MATLAB/Simulink

Part 2: System-Level DesignInternational audienceMATLAB/Simulink is a widely-used industrial tool for the development of complex embedded systems. However, due to the complexity and the dynamic character of the developed models, their analysis is a difficult challenge, in particular if timing aspects are involved. In this paper, we present an approach for the construction of timed path conditions for MATLAB/Simulink models. Timed path conditions allow for fine-grained conclusions about the existence of possibly critical paths through a model containing time-dependent elements. With the help of timed path conditions, it is possible to identify interference and non-interference between model parts. Furthermore, they have the potential to reduce the complexity of models to improve verifiability, reason about compliance with security policies as well as generate feasible, efficient test cases. We demonstrate the applicability of our approach with a shared buffer for public as well as confidential data