Paula Herber
Technical University of Berlin
Publication
Featured research published by Paula Herber.
International Conference on Hardware/Software Codesign and System Synthesis | 2008
Paula Herber; Joachim Fellmuth; Sabine Glesner
SystemC is widely used for modeling and simulation in hardware/software co-design. Due to the lack of a complete formal semantics, it is not possible to verify SystemC designs. In this paper, we present an approach to overcome this problem by defining the semantics of SystemC by a mapping from SystemC designs into the well-defined semantics of Uppaal timed automata. The informally defined behavior and the structure of SystemC designs are completely preserved in the generated Uppaal models. The resulting Uppaal models allow us to use the Uppaal model checker and the Uppaal tool suite, including simulation and visualization tools. The model checker can be used to verify important properties such as liveness, deadlock freedom or compliance with timing constraints. We have implemented the presented transformation, applied it to two examples and verified liveness, safety and timing properties by model checking, thus showing the applicability of our approach in practice.
Embedded Software | 2013
Paula Herber; Robert Reicherdt; Patrick Bittner
Matlab/Simulink is widely used for model-based development of embedded systems. In particular, safety-critical applications are increasingly designed in Matlab/Simulink. At the same time, formal verification techniques for Matlab/Simulink are still rare and existing ones do not scale well. In this paper, we present an automatic transformation from discrete-time Matlab/Simulink to the input language of UCLID. UCLID is a toolkit for system verification based on SMT solving. Our approach enables us to use a combination of bounded model checking and inductive invariant checking for the automatic verification of Matlab/Simulink models. To demonstrate the practical applicability of our approach, we have successfully verified the absence of one of the most common errors, i.e. variable over- or underflow, for an industrial design from the automotive domain.
European Test Symposium | 2010
Paula Herber; Marcel Pockrandt; Sabine Glesner
SystemC is widely used for modeling and simulation in hardware/software co-design. However, the co-verification techniques used for SystemC designs are mostly ad-hoc and non-systematic. A particularly severe drawback is that simulation results have to be evaluated manually. In previous work, we proposed to overcome this problem by conformance testing. We presented an algorithm that uses an abstract SystemC design to compute expected output traces, which are then compared with those of a refined design to evaluate its correctness. The main disadvantage of the algorithm is that it is very expensive because it computes the output traces offline and has to cope with non-deterministic systems. Furthermore, the designer has to compare the results manually with the outputs of a design under test. In this paper, we present an approach for efficient and fully-automatic conformance evaluation of SystemC designs. To achieve this, we first present optimizations of our previously proposed algorithm for the generation of conformance tests that drastically reduce computation time and memory consumption. The main idea is to exploit the specifics of the SystemC semantics to reduce the number of semantic states that have to be kept in memory during state-space exploration. Second, we present an approach to generate SystemC test benches from a set of expected output traces. These test benches allow fully-automatic test execution and conformance evaluation. Together with our previously presented model checking framework for abstract SystemC designs, we obtain a fully-automatic HW/SW co-verification framework for SystemC that supports the whole design process. We demonstrate the performance and error detecting capability of our approach with experimental results.
Tests and Proofs | 2009
Paula Herber; Florian Friedemann; Sabine Glesner
SystemC is widely used for modeling and simulation in hardware/software co-design. However, the co-verification techniques used for SystemC designs are mostly ad-hoc and non-systematic. In this paper, we present an approach to overcome this problem by a systematic, formally founded quality assurance process. Based on a combination of model checking and conformance testing, we obtain a HW/SW co-verification flow that supports HW/SW co-development throughout the whole design process. In addition, we present a novel test algorithm that generates conformance tests for SystemC designs offline and that can cope with non-deterministic systems. To this end, we use a timed automata model of the SystemC design to compute expected simulation or test results. We have implemented the model checking and conformance testing framework and give experimental results to show the applicability of our approach.
Computer Software and Applications Conference | 2017
Timm Liebrenz; Paula Herber; Thomas Göthel; Sabine Glesner
Simulink is widely used in model-driven design. However, the complexity of hybrid systems that are modeled in Simulink limits the applicability of reuse techniques, which impedes cost-efficient design of complex systems. In particular, a systematic use and reuse of complex submodels, e.g. components with varying structure and functionality, is currently not supported. In this paper, we present an approach for service-oriented design in Simulink. The main idea is that we create a modular representation of complex Simulink structures as services with an expressive and formally defined dynamic interface. A dynamic interface captures not only the types of input and output signals but also their discrete and continuous behavior. Our main contribution is threefold: First, we introduce services in Simulink. Second, we transfer the concept of feature modeling to Simulink to express the variability of a service. Third, we introduce the novel concept of hybrid contracts to define the dynamic interface of a service. With our approach, we enable the designer 1) to define hybrid services that are reusable, and 2) to efficiently develop complex hybrid systems from a given set of services. We demonstrate this with a case study of a hybrid temperature control system.
High Performance Computing and Communications | 2015
Paula Herber; Marcel Pockrandt; Sabine Glesner
SystemC is a system level design language that is widely used in hardware/software codesign. As the semantics of SystemC is only informally defined, verification of SystemC designs is mainly done using simulation and testing. With that, faults can be detected but it is impossible to verify the correctness of a given system for all possible executions. In this paper, we present our SystemC to Timed Automata Transformation Engine (STATE). STATE takes a SystemC design as input and transforms it into a UPPAAL timed automata model. This enables automated formal verification of SystemC designs using the UPPAAL model checker. To ease debugging, the transformation keeps the structure of the original SystemC design transparent to the designer in the resulting UPPAAL model. The current version of STATE supports many relevant SystemC language elements, including complex interactions between processes, dynamic sensitivity and timing behavior, structs, arrays, pointers, as well as the TLM 2.0 standard. We demonstrate the practical applicability of STATE with three case studies, including an industrial design of an AMBA bus.
Archive | 2018
Timm Liebrenz; Paula Herber; Sabine Glesner
Hybrid control systems are, due to their ever-increasing complexity, more and more developed in model-driven design languages like Simulink. At the same time, they are often used in safety-critical applications like automotive or medical systems. Ensuring the correctness of Simulink models is challenging, as their semantics is only informally defined. There exist some approaches to formalize the Simulink semantics; however, most of them are restricted to a discrete subset. To overcome this problem, we present an approach to map the informally defined execution semantics of hybrid Simulink models into the formally well-defined semantics of differential dynamic logic (dL). In doing so, we provide a formal foundation for Simulink, and we enable deductive formal verification of hybrid Simulink models with an interactive theorem prover for hybrid systems, namely KeYmaera X. Our approach supports a large subset of Simulink, including time-discrete and time-continuous blocks, and generates compact and comprehensible dL models fully-automatically. We show the applicability of our approach with a temperature control system and an industrial case study of a multi-object distance warner.
Electronic Communications of the European Association of Software Science and Technology | 2012
Marcel Pockrandt; Paula Herber; Holger Gross; Sabine Glesner
Concurrent designs can be automatically verified by transforming them into an automata-based representation and by model checking the resulting model. However, when transforming a concurrent design into an automata-based representation, each method has to be translated into a single automaton. This produces a significant overhead for model checking. In this paper, we present an optimization of our previously proposed transformation from SystemC into Uppaal timed automata. The main idea is that we analyze whether SystemC methods can be executed atomically and then we use the results for generating a reduced automata model. We have implemented the optimized transformation in our SystemC to Timed Automata Transformation Engine (STATE) and demonstrate the effect of our optimization with experimental results from micro benchmarks, a simple producer-consumer example, and from an Anti-Slip Regulation and Anti-lock Braking System (ASR/ABS).
ACM Sigada Ada Letters | 2017
Timm Liebrenz; Verena Klös; Paula Herber
Embedded systems usually consist of deeply integrated hardware and software components. As a consequence, modular verification is not easily possible. One important step towards modular verification of integrated HW/SW systems is to automatically compute abstractions of components that influence the overall system behavior but are not relevant for a given property. In this paper, we present an automatic abstraction technique for HW/SW co-designs modeled in SystemC. The key idea is to use a variant of classical abstract interpretation that is tailored for the specific semantics of SystemC. Our main contributions are the following: First, we present an analysis that determines data dependencies between variables and equivalent data values with respect to conditional branches while taking the timing behavior and scheduling policies of SystemC into consideration. Second, we use the results for slicing and variable abstraction to significantly reduce the semantic state space of a given SystemC design and again produce a valid abstract design. Our abstraction technique makes it possible to automatically verify properties for comparatively large designs with the UPPAAL model checker, which cannot be handled without our approach. We demonstrate this with two case studies from the SystemC reference implementation.
International Workshop on Design, Modeling, and Evaluation of Cyber Physical Systems | 2016
Sebastian Schlesinger; Paula Herber; Thomas Göthel; Sabine Glesner
Hybrid models are highly relevant for the development of embedded systems because they cover both their continuous and discrete aspects. To master the increasing complexity of embedded systems design, transformation techniques such as automated refactoring play an important role, as they allow for simplifying (sub)models. In safety-critical environments, it is crucial to formally verify the behavioural equivalence of source and transformed target model. For data-flow models that contain control flow entities, this is a major challenge because small deviations of trigger values at control flow elements can yield diverging behaviour of the systems. In this paper, we present our approach that enables the semi-automated verification of the behavioural equivalence of hybrid MATLAB/Simulink models. To this end, we define a static analysis that derives proof obligations to estimate the worst case deviation between model and refactored model. Our approach can be applied to many practical applications such as in the automotive or aerospace industry where MATLAB/Simulink is a de-facto standard.