Sabine Glesner

Model checking SystemC designs using timed automata

SystemC is widely used for modeling and simulation in hardware/software co-design. Due to the lack of a complete formal semantics, it is not possible to verify SystemC designs. In this paper, we present an approach to overcome this problem by defining the semantics of SystemC by a mapping from SystemC designs into the well-defined semantics of Uppaal timed automata. The informally defined behavior and the structure of SystemC designs are completely preserved in the generated Uppaal models. The resulting Uppaal models allow us to use the Uppaal model checker and the Uppaal tool suite, including simulation and visualization tools. The model checker can be used to verify important properties such as liveness, deadlock freedom or compliance with timing constraints. We have implemented the presented transformation, applied it to two examples and verified liveness, safety and timing properties by model checking, thus showing the applicability of our approach in practice.

Slicing MATLAB simulink models

MATLAB Simulink is the most widely used industrial tool for developing complex embedded systems in the automotive sector. The resulting Simulink models often consist of more than ten thousand blocks and a large number of hierarchy levels. To ensure the quality of such models, automated static analyses and slicing are necessary to cope with this complexity. In particular, static analyses are required that operate directly on the models. In this article, we present an approach for slicing Simulink Models using dependence graphs and demonstrate its efficiency using case studies from the automotive and avionics domain. With slicing, the complexity of a model can be reduced for a given point of interest by removing unrelated model elements, thus paving the way for subsequent static quality assurance methods.

Transforming SystemC Transaction Level Models into UPPAAL timed automata

The SystemC Transaction Level Modeling (TLM) standard is widely used for modeling and simulation in hardware/software co-design. However, the semantics of the TLM core interfaces is only informally defined. This makes it impossible to apply formal verification techniques to transaction level models that conform to the TLM standard. To solve this problem, we propose a formal semantics of the TLM transport mechanisms using timed automata. We achieve this by providing a set of timed automata templates that precisely capture the semantics of the TLM core interfaces. Then, we use this set to transform a given SystemC-TLM model into a semantically equivalent timed automata model. The transformation is an extension of our previously proposed transformation from SystemC into Uppaal timed automata and can be used to verify safety, liveness, and timing properties of TLM models using the Uppaal model checker. We demonstrate the applicability and performance of our approach with two case studies, namely a loosely-timed model that uses a blocking transport and an approximately-timed model that uses a 4-phase non-blocking transport.

Formal verification of dead code elimination in Isabelle/HOL

Correct compilers are a vital precondition to ensure software correctness. Optimizations are the most error-prone phases in compilers. In this paper, we formally verify dead code elimination (DCE) within the theorem prover Isabelle/HOL. DCE is a popular optimization in compilers which is typically performed on the intermediate representation. In our work, we reformulate the algorithm for DCE so that it is applicable to static single assignment (SSA) form which is a state of the art intermediate representation in modern compilers, thereby showing that DCE is significantly simpler on SSA form than on classical intermediate representations. Moreover, we formally prove our algorithm correct within the theorem prover Isabelle/HOL. Our program equivalence criterion used in this proof is based on bisimulation and, hence, captures also the case of non-termination adequately. Finally we report on our implementation of this verified DCE algorithm in the industrial-strength scale compiler system.

Verified Code Generation for Embedded Systems

Abstract Digital signal processors provide specialized SIMD (single instruction multiple data) operations designed to dramatically increase performance in embedded systems. While these operations are simple to understand, their unusual functions and their parallelism make it difficult for automatic code generation algorithms to use them effectively. In this paper, we present a new optimizing code generation method that can deploy these operations successfully while also verifying that the generated code is a correct translation of the input program.

Optimizing Code Generation from SSA Form: A Comparison Between Two Formal Correctness Proofs in Isabelle/HOL

Correctness of compilers is a vital precondition for the correctness of the software translated by them. In this paper, we present two approaches for the formalization of static single assignment (SSA) form together with two corresponding formal proofs in the Isabelle/HOL system, each showing the correctness of code generation. Our comparison between the two proofs shows that it is very important to find adequate formalizations in formal proofs since they can simplify the verification task considerably. Our formal correctness proofs do not only verify the correctness of a certain class of code generation algorithms but also give us sufficient, easily checkable correctness criteria characterizing correct compilation results obtained from implementations (compilers) of these algorithms. These correctness criteria can be used in a compiler result checker.

Calculating Prioritized Interaction Test Sets with Constraints Using Binary Decision Diagrams

Combinatorial interaction testing has become an established technique to systematically determine test sets for highly-configurable software systems. The generation of minimal test sets that fullfill the demanded coverage criteria is an NP-complete problem. Constraint handling and integrated test case prioritization, features necessary for practical use, further complicate the problem. We present a novel algorithm that exploits our observation that the combinatorial interaction testing problem with constraints can be modelled as a single propositional logic formula. Our test set calculation algorithm uses binary decision diagrams as efficient data structure for this formula. The algorithm supports constraints and prioritization. Our evaluation results prove its cost effectiveness. For many benchmark problems the algorithm calculates the best results compared to other greedy approaches.

Only the Best Can Make It: Optimal Component Selection

In Component-based Software Engineering (CBSE), the construction of cost-optimal component systems is a nontrivial task. It requires not only to optimally select components and their adaptors but also to take their interplay into account. In this paper, by employing methods from the area of compiler construction and especially optimizing code generation, we present a unified approach to the construction of component systems, which allows us to first select an optimal set of components and adaptors and afterwards to create a working system by providing the necessary glue code. With our two case studies, we demonstrate that our approach is efficient and generally applicable in practical scenarios.

A HW/SW co-verification framework for SystemC

SystemC is widely used for modeling and simulation in hardware/software co-design. However, existing verification techniques are mostly ad-hoc and non-systematic. In this article, we present a systematic, comprehensive, and formally founded co-verification framework for digital HW/SW systems that are modeled in SystemC. The framework is based on a formal semantics of SystemC and uses a combination of model checking and testing, whereby testing includes both the automated generation of timed inputs and automated conformance evaluation. We demonstrate its performance and its error detecting capability with two case studies, namely a packet switch and an anti-slip regulation and anti-lock braking system.

An approach for machine-assisted verification of Timed CSP specifications

The real-time process calculus Timed CSP is capable of expressing properties such as deadlock-freedom and real-time constraints. It is therefore well-suited to model and verify embedded software. However, proofs about Timed CSP specifications are not ensured to be correct since comprehensive machine-assistance for Timed CSP is not yet available. In this paper, we present our formalization of Timed CSP in the Isabelle/HOL theorem prover, which we have formulated as an operational coalgebraic semantics together with bisimulation equivalences and coalgebraic invariants. This allows for semi-automated and mechanically checked proofs about Timed CSP specifications. Mechanically checked proofs enhance confidence in verification because corner cases cannot be overlooked. We additionally apply our formalization to an abstract specification with real-time constraints. This is the basis for our current work, in which we verify a simple real-time operating system deployed on a satellite. As this operating system has to cope with arbitrarily many threads, we use verification techniques from the area of parameterized systems for which we outline their formalization.