Embedded Systems and

Software Validation

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page i — #1

 The Morgan Kaufmann Series in Systems on Silicon
Series Editor: Wayne Wolf, Georgia Institute of Technology

The Designer’s Guide to VHDL, Second Edition

Peter J. Ashenden
The System Designer’s Guide to VHDL-AMS
Peter J. Ashenden, Gregory D. Peterson, and Darrell A. Teegarden
Modeling Embedded Systems and SoCs
Axel Jantsch
ASIC and FPGA Verification: A Guide to Component Modeling
Richard Munden
Multiprocessor Systems-on-Chips
Edited by Ahmed Amine Jerraya and Wayne Wolf
Functional Verification
Bruce Wile, John Goss, and Wolfgang Roesner
Customizable and Configurable Embedded Processors
Edited by Paolo Ienne and Rainer Leupers
Networks-on-Chips: Technology and Tools
Edited by Giovanni De Micheli and Luca Benini
VLSI Test Principles & Architectures
Edited by Laung-Terng Wang, Cheng-Wen Wu, and Xiaoqing Wen
Designing SoCs with Configured Processors
Steve Leibson
ESL Design and Verification
Grant Martin, Andrew Piziali, and Brian Bailey
Aspect-Oriented Programming with e
David Robinson
Reconfigurable Computing: The Theory and Practice of FPGA-Based Computation
Edited by Scott Hauck and André DeHon
System-on-Chip Test Architectures
Edited by Laung-Terng Wang, Charles Stroud, and Nur Touba
Verification Techniques for System-Level Design
Masahiro Fujita, Indradeep Ghosh, and Mukul Prasad
VHDL-2008: Just the New Stuff
Peter J. Ashenden and Jim Lewis
On-Chip Communication Architectures: System on Chip Interconnect
Sudeep Pasricha and Nikil Dutt
Embedded DSP Processor Design: Application Specific Instruction Set Processors
Dake Liu
Processor Description Languages: Applications and Methodologies
Edited by Prabhat Mishra and Nikil Dutt
Three-dimensional Integrated Circuit Design
Vasilis F. Pavlidis and Eby G. Friedman
Electronic Design Automation: Synthesis, Verification, and Test
Edited by Laung-Terng Wang, Kwang-Ting (Tim) Cheng, Yao-Wen Chang
Embedded Systems and Software Validation
Abhik Roychoudhury

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page ii — #2

 Embedded Systems and
Software Validation

Abhik Roychoudhury
Department of Computer Science
National University of Singapore

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Morgan Kaufmann Publishers is an imprint of Elsevier

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page iii — #3

 Morgan Kaufmann Publishers is an imprint of Elsevier
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

This book is printed on acid-free paper. 

⬁

Copyright © 2009 by Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any

means, electronic or mechanical, including photocopy, recording, or any information
storage and retrieval system, without permission in writing from the publisher.

Permissions may be sought directly from Elsevier’s Science & Technology Rights
Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333,
E-mail: permissions@elsevier.co.uk. You may also complete your request on-line
via the Elsevier homepage (http://elsevier.com), by selecting “Customer Support” and
then “Obtaining Permissions.”

Library of Congress Cataloging-in-Publication Data

Roychoudhury, Abhik.
Embedded systems and software validation / Abhik Roychoudhury.
p. cm. – (The Morgan Kaufmann series in systems on silicon)
Includes bibliographical references and index.
ISBN 978-0-12-374230-8 (hardcover : alk. paper)
1. Embedded computer systems–Design and construction. 2. Embedded computer
systems–Testing. 3. Computer software–Testing. I. Title.
TK7895.E42R72 2009
004.1–dc22
2009011196

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 13: 978-0-12-374230-8

For information on all Morgan Kaufmann publications,

visit our Web site at www.mkp.com or www.elsevierdirect.com

Printed and bound in United States of America

09 10 9 8 7 6 5 4 3 2 1

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page iv — #4

 To Jishnu

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page v — #5

“RoyChoudhury: FM-P374230” — 2009/4/17 — 16:28 — page vi — #6
Contents

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

CHAPTER 1 Introduction 1

CHAPTER 2 Model Validation 7

2.1 Platform versus System Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Criteria for Design Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 Informal Requirements: A Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.1 The Requirements Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.3.2 Simplification of the Informal Requirements . . . . . . . . . . . . 14
2.4 Common Modeling Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.1 Finite-State Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4.2 Communicating FSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.4.3 Message Sequence Chart–Based Models . . . . . . . . . . . . . . . . 27
2.5 Remarks about Modeling Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2.6 Model Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.6.1 FSM Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.6.2 Simulating MSC-Based System Models . . . . . . . . . . . . . . . . . 46
2.7 Model-Based Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.8 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.8.1 Property Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.8.2 Checking Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
2.9 The SPIN Validation Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.10 The SMV Validation Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
2.11 Case Study: Air-Traffic Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
2.12 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
2.13 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

CHAPTER 3 Communication Validation 95

3.1 Common Incompatibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.1.1 Sending/Receiving Signals in Different Order. . . . . . . . . . . 99
3.1.2 Handling a Different Signal Alphabet . . . . . . . . . . . . . . . . . . . . 100
3.1.3 Mismatch in Data Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
3.1.4 Mismatch in Data Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
3.2 Converter Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
3.2.1 Representing Native Protocols and Converters . . . . . . . . . . 106
3.2.2 Basic Ideas for Converter Synthesis . . . . . . . . . . . . . . . . . . . . . . 108
3.2.3 Various Strategies for Protocol Conversion . . . . . . . . . . . . . . 115 vii

“RoyChoudhury: ToC-P374230” — 2009/4/17 — 17:42 — page vii — #1

viii Contents

3.2.4 Avoiding No-Progress Cycles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

3.2.5 Speculative Transmission to Avoid Deadlocks. . . . . . . . . . . 118
3.3 Changing a Working Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
3.4 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

CHAPTER 4 Performance Validation 125

4.1 The Conventional Abstraction of Time . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.2 Predicting Execution Time of a Program. . . . . . . . . . . . . . . . . . . . . . . . . 131
4.2.1 WCET Calculation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.2.2 Modeling of Microarchitecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.3 Interference within a Processing Element . . . . . . . . . . . . . . . . . . . . . . . . 154
4.3.1 Interrupts from Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
4.3.2 Contention and Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
4.3.3 Sharing a Processor Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
4.4 System-Level Communication Analysis . . . . . . . . . . . . . . . . . . . . . . . . . 165
4.5 Designing Systems with Predictable Timing . . . . . . . . . . . . . . . . . . . . . 169
4.5.1 Scratchpad Memories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
4.5.2 Time-Triggered Communication . . . . . . . . . . . . . . . . . . . . . . . . . 174
4.6 Emerging Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
4.7 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
4.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

CHAPTER 5 Functionality Validation 181

5.1 Dynamic or Trace-Based Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
5.1.1 Dynamic Slicing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
5.1.2 Fault Localization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
5.1.3 Directed Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
5.2 Formal Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
5.2.1 Predicate Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
5.2.2 Software Checking via Predicate Abstraction. . . . . . . . . . . . 218
5.2.3 Combining Formal Verification with Testing . . . . . . . . . . . . 225
5.3 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Bibliography 233

Index 241

“RoyChoudhury: ToC-P374230” — 2009/4/17 — 17:42 — page viii — #2

 Acknowledgments

This book owes a lot to all my students, colleagues, and co-workers. It is by working
with them over the past decade that I have discovered the issues and challenges
in the field of embedded systems validation. So, first and foremost, I must thank
them all.
I have written this book off and on, in the course of my teaching and research
work at the National University of Singapore (NUS). Funding from a University
Research Council project at NUS is gratefully acknowledged.
A leave from NUS in 2007 to the Indian Institute of Science (IISc) infused in me
the energy to start writing the book. The calm environs of the IISc campus helped
set the mood for writing this book.
The support of Elsevier staff was instrumental in ensuring that the book has
proceeded on schedule.
Finally, playing with my 5-year-old son Jishnu allowed me to absorb the pressures
of writing the book in the midst of various deadlines and commitments. Thanks,
Jishnu!
Singapore
19 January 2009

ix

“RoyChoudhury: Acknowledgments-P374230” — 2009/4/17 — 2:42 — page ix — #1

“RoyChoudhury: Acknowledgments-P374230” — 2009/4/17 — 2:42 — page x — #2
Preface

This book attempts to cover the issues in validation of embedded software and
systems. There are many books on this topic, as a Web search with the appropriate
search terms will reveal. So, why this book?
There are several ways to answer the question. The first, most direct answer is that
the current books mostly deal with the programming and/or co-design of embedded
systems. Validation is often discussed almost as an afterthought. In this book, we
treat validation as a first-class citizen in the design process, weaving it into the design
process itself.
The focus of our book is on validation, but from an embedded software and sys-
tems perspective. The methods we have covered (testing/model-checking) can also
be covered from a completely general perspective, focusing only on the techniques,
rather than on how they fit into the system design process. But we have not done so.
Even though the focus of the book is on validation methods, we clearly show how it
fits into system design. As an example, we present and discuss the model-checking
method twice in two different ways — once at the level of system model (Chapter 2)
and again at the level of system implementation (Chapter 5).
Finally, being rooted in embedded software and systems, the focus of our book
is not restricted to functionality validation. We have covered at least two other
aspects — debugging of performance and communication behavior. As a result, this
book contains analysis methods that are rarely found in a single book — testing
(informal validation), model checking (formal validation), worst-case execution time
analysis (static analysis for program performance), schedulability analysis (system
level performance analysis), and so on — all blended under one cover, with the goal
of reliable embedded system design.
As for the chapters of the book, Chapter 1 gives a general introduction to the issues
in embedded system validation. Differences between functionality and performance
validation are discussed at a general level.
Chapter 2 discusses model-level validation. It starts with generic discussions on
system structure and behavior, and zooms into behavioral modeling notations such
as finite-state machines (FSMs) and message sequence charts (MSCs). Simulation,
testing, and formal verification of these models are discussed. We discuss model-
based testing, where test cases generated from the model are tried out on the system
implementation. We also discuss property verification, and the well-known model-
checking method. The chapter ends with a nice hands-on discussion of practical
validation tools such as SPIN and SMV. Thus, this chapter corresponds to model-level
debugging.

xi

“RoyChoudhury: Preface-P374230” — 2009/4/17 — 2:42 — page xi — #1

xii Preface

Chapter 3 discusses the issues in resolving communication incompatibilities

between embedded system components. We discuss different strategies for resolving
such incompatibilities, such as endowing the components with appropriate inter-
faces, and/or constructing a centralized communication protocol converter. Thus,
this chapter corresponds to communication debugging.
Chapter 4 discusses system-level performance validation. We start with software
timing analysis, in particular worst-case execution time (WCET) analysis. This is
followed by the estimation of time spent as a result of different interferences in a pro-
gram execution — from the external environment, or from other executing programs
on the same or different processing elements. Suitable analysis methods to estimate
the time due to such interferences are discussed. We then discuss mechanisms to
combat execution-time unpredictability via system-level support. In particular, we
discuss compiler-controlled memories or scratchpad memories. The chapter con-
cludes with a discussion on time predictability issues in emerging applications.
Thus, this chapter corresponds to performance debugging.
Chapter 5 discusses functionality debugging of embedded software. We discuss
both formal and informal approaches, with almost equal emphasis on testing and
formal verification. The first half of the chapter involves validation methods built
on testing or dynamic analysis. The second half of the chapter concentrates on
formal verification, in particular software model checking. The chapter concludes
with a discussion on combining formal verification with testing. Thus, this chapter
corresponds to software debugging.
Apart from some debugging/validation methods being common to Chapters 2
and 5, the readers may try to read the chapters independently. A senior undergraduate
or graduate course on this topic may, however, read the chapters in sequence, that
is, Chapters 2, 3, 4, 5.

ABOUT THE AUTHOR

Abhik Roychoudhury received his M.S. and Ph.D. in Computer Science from the
State University of New York at Stony Brook in 1997 and 2000, respectively. His
research has focused on formal verification and analysis methods for system design,
with focus on embedded software and systems. In these areas, his research group has
been involved in building practical program analysis and software productivity tools
that enhance software quality as well as programmer productivity. Two meaningful
examples of such endeavors are the JSlice dynamic analysis tool for Java program
debugging, and the Chronos static analysis tool for ensuring time-predictable exe-
cution of embedded software. His awards include a 2008 IBM Faculty Award. Since
2001, Abhik has been at the School of Computing in the National University of
Singapore, where he is currently an Associate Professor.

“RoyChoudhury: Preface-P374230” — 2009/4/17 — 2:42 — page xii — #2