# Simulink<sup>®</sup> Design Verifier™ 1 User's Guide




### How to Contact The MathWorks



- www.mathworks.com (Web)
- comp.soft-sys.matlab (Newsgroup)
- www.mathworks.com/contact\_TS.html (Technical Support)
- suggest@mathworks.com (Product enhancement suggestions)
- bugs@mathworks.com (Bug reports)
- doc@mathworks.com (Documentation error reports)
- service@mathworks.com (Order status, license renewals, passcodes)
- info@mathworks.com (Sales, pricing, and general information)



508-647-7001 (Fax)

508-647-7000 (Phone)

The MathWorks, Inc. 3 Apple Hill Drive Natick, MA 01760-2098

For contact information about worldwide offices, see the MathWorks Web site.

Simulink<sup>®</sup> Design Verifier<sup>™</sup> User's Guide

© COPYRIGHT 2007–2008 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

#### Trademarks

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

#### Patents

The MathWorks products are protected by one or more U.S. patents. Please see www.mathworks.com/patents for more information.

#### **Revision History**

| May 2007       | Online only | New for Version 1.0 (Release 2007a+)    |
|----------------|-------------|-----------------------------------------|
| September 2007 | Online only | Revised for Version 1.1 (Release 2007b) |
| March 2008     | Online only | Revised for Version 1.2 (Release 2008a) |
| October 2008   | Online only | Revised for Version 1.3 (Release 2008b) |

# Acknowledgment

The Simulink<sup>®</sup> Design Verifier<sup>™</sup> software uses Prover Plug-In<sup>®</sup> products from Prover<sup>®</sup> Technology to generate test cases and prove model properties.




# Contents

# Acknowledgment

# **Getting Started**

| Product Overview                                                                                                                                                                                            | 1-2                              |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| Before You Begin<br>What You Need to Know<br>Required Products                                                                                                                                              | 1-3<br>1-3<br>1-3                |
| Starting the Simulink® Design Verifier Software                                                                                                                                                             | 1-4                              |
| Analyzing a Model<br>About This Demo<br>Opening the Model<br>Generating Test Cases<br>Exploring the Test Harness<br>Interpreting the Simulink® Design Verifier HTML Report | 1-6<br>1-6<br>1-6<br>1-8<br>1-9<br>1-12 |
| Analyzing a Subsystem                                                                                                                                                                                       | 1-23                             |
| Basic Workflow for Using the Simulink® Design Verifier<br>Software                                                                                                                                          | 1-27                             |
| Learning More<br>Next Step<br>Product Help<br>The MathWorks Online                                                                                                                                          | 1-28<br>1-28<br>1-28<br>1-29     |

# How the Simulink<sup>®</sup> Design Verifier Software Works


| Model Analysis with Simulink<sup>®</sup> Design Verifier Software  | 2-2 |
|--------------------------------------------------------------------|-----|
| Analyzing a Simple Model                                           | 2-3 |
| Analyzing Large Models                                             | 2-5 |
| Approximations                                                     | 2-6 |
| Approximations During Model Analysis                               | 2-6 |
| Types of Approximations                                            | 2-6 |
| Converting Floating-Point Arithmetic to Rational-Number Arithmetic | 2-6 |
| Linearizing 2-D Lookup Tables                                      | 2-7 |
| Unrolling While Loops                                              | 2-7 |
| Ensuring the Validity of the Analysis                              | 2-7 |

### Ensuring Compatibility with the Simulink<sup>®</sup> Design Verifier Software

| Checking Model Compatibility                            | 3-2  |
|---------------------------------------------------------|------|
| Unsupported Simulink Software Features                  | 3-6  |
| List of Unsupported Simulink Software Features          | 3-6  |
| Limitations of Simulink Block Support                   | 3-6  |
| Unsupported Stateflow Software Features                 | 3-8  |
| Limitations of Support for the Embedded MATLAB Subset   | 3-10 |
| List of Unsupported Embedded MATLAB Subset Features     | 3-10 |
| Limitations of Embedded MATLAB Library Function Support | 3-11 |
| Limitations of Fixed-Point Support                      | 3-12 |

### Working with Block Replacements

| About Block Replacements                                                                                                                    | 4-2                       |
|---------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|
| Built-In Block Replacements                                                                                                                 | 4-3                       |
| Template for Block Replacement Rules                                                                                                        | 4-6                       |
| Creating Custom Block Replacements<br>About Custom Block Replacements<br>Constructing Replacement Blocks<br>Writing Block Replacement Rules | 4-7<br>4-7<br>4-7<br>4-10 |
| Executing Block Replacements<br>Configuring Block Replacements<br>Replacing Blocks in a Model                                               | 4-15<br>4-15<br>4-16      |


### **Specifying Parameter Configurations**

| About Parameter Configurations        | 5-2  |
|---------------------------------------|------|
| Template for Parameter Configurations | 5-3  |
| Defining Parameter Configurations     | 5-4  |
| Parameter Configuration Example       | 5-7  |
| About This Example                    | 5-7  |
| Constructing the Example Model        | 5-8  |
| Parameterizing the Constant Block     | 5-10 |
| Specifying a Parameter Configuration  | 5-11 |
| Analyzing the Example Model           | 5-13 |
| Simulating the Test Cases             | 5-15 |

# Configuring Simulink® Design Verifier Options


| Viewing Simulink<sup>®</sup> Design Verifier Options     | 6-2  |
|----------------------------------------------------------|------|
| Configuring Simulink<sup>®</sup> Design Verifier Options | 6-5  |
| Design Verifier Pane                                     | 6-5  |
| Block Replacements Pane                                  | 6-7  |
| Parameters Pane                                          | 6-8  |
| Test Generation Pane                                     | 6-9  |
| Property Proving Pane                                    | 6-11 |
| Results Pane                                             | 6-13 |
| Report Pane                                              | 6-16 |
| Saving Simulink<sup>®</sup> Design Verifier Options      | 6-18 |

# **Generating Test Cases**

| About Test Case Generation                  | 7-2  |
|---------------------------------------------|------|
| Basic Workflow for Generating Test Cases    | 7-3  |
| Generating Test Cases for a Model           | 7-4  |
| About This Example                          | 7-4  |
| Constructing the Example Model              | 7-5  |
| Checking Compatibility of the Example Model | 7-6  |
| Configuring Test Generation Options         | 7-10 |
| Analyzing the Example Model                 |      |
| Customizing Test Generation                 |      |
| Reanalyzing the Example Model               |      |
| Generating Test Cases for a Subsystem       | 7-28 |

# **Proving Properties of a Model**

| About Property Proofs                       | 8-2                                                       |
|---------------------------------------------|-----------------------------------------------------------|
| Basic Workflow for Proving Model Properties | 8-3                                                       |
| Proving Properties in a Model               | 8-4<br>8-5<br>8-6<br>8-10<br>8-13<br>8-15<br>8-21<br>8-23 |
| Proving Properties in a Subsystem           | 8-26                                                      |

# **Reviewing the Results**

| Examining Simulink<sup>®</sup> Design Verifier Data Files   | 9-2  |
|-------------------------------------------------------------|------|
| About Simulink<sup>®</sup> Design Verifier Data Files       | 9-2  |
| Overview of the sldvData Structure                          | 9-2  |
| Model Information Fields in sldvData                        | 9-3  |
| Simulating Models with Simulink® Design Verifier Data Files | 9-7  |
| Exploring Test Harness Models                               | 9-8  |
| About Test Harness Models                                   | 9-8  |
| Anatomy of a Test Harness                                   | 9-8  |
| Simulating the Test Harness                                 | 9-12 |
| Creating a SystemTest TEST-File                             | 9-14 |
| Understanding Simulink<sup>®</sup> Design Verifier Reports  | 9-17 |
| About Simulink<sup>®</sup> Design Verifier Reports          | 9-17 |
| Front Matter                                                | 9-17 |
| Summary Chapter                                             | 9-18 |
| Analysis Information Chapter                                | 9-19 |
| Test / Proof Objectives Status Chapter                      | 9-23 |
| Model Items Chapter                                         | 9-27 |

### Analyzing Large Models and Improving Performance

| Sources of Model Complexity | 10-2 |
|-----------------------------|------|
| Analyzing a Large Model<br>Types of Large Model Problems<br>Using the Default Parameter Values<br>Modifying the Analysis Parameters<br>Using the Large Model Optimization<br>Stopping the Analysis Before Completion | 10-3<br>10-3<br>10-4<br>10-5<br>10-5<br>10-6 |
| Managing Model Data to Simplify the Analysis<br>Simplifying Data Types<br>Constraining Data | 10-8<br>10-8<br>10-8 |
| Partitioning Model Inputs and Generating Tests Incrementally | 10-12 |
| Analyzing the Model Using a Bottom-Up Approach | 10-14 |
| Analyzing Logical Operations | 10-15 |
| Handling Models with Large State Spaces | 10-16 |
| Handling Problems with Counters and Timers | 10-17 |
| Techniques for Proving Properties of Large Models | 10-19 |

# **Function Reference**

# **Block Reference**

# **Configuration Parameters**


| Design Verifier Pane                                                       | 13-2  |
|----------------------------------------------------------------------------|-------|
| Design Verifier Pane Overview                                              | 13-3  |
| Mode                                                                       | 13-4  |
| Maximum analysis time                                                      | 13-5  |
| Display unsatisfiable test objectives                                      | 13-6  |
| Output directory                                                           | 13-7  |
| Make output file names unique by adding a suffix                           | 13-8  |
| Design Verifier Pane: Block Replacements                                   | 13-9  |
| Block Replacements Pane Overview                                           | 13-10 |
| Apply block replacements                                                   | 13-11 |
| List of block replacement rules                                            | 13-12 |
| File path of the output model                                              | 13-13 |
| Apply parameters                                                           | 13-16 |
| Parameter configuration file                                               | 13-17 |
| Design Verifier Pane: Test Generation                                      | 13-18 |
| Test Generation Pane Overview                                              | 13-19 |
| Model coverage objectives                                                  | 13-20 |
| Test conditions                                                            | 13-21 |
| Test objectives                                                            | 13-22 |
| Maximum test case steps                                                    | 13-23 |
| Test suite optimization                                                    | 13-24 |
| Design Verifier Pane: Property Proving                                     | 13-26 |
| Property Proving Pane Overview                                             | 13-27 |
| Assertion blocks                                                           | 13-28 |
| Proof assumptions                                                          | 13-29 |
| Strategy                                                                   | 13-30 |
| Maximum violation steps                                                    | 13-31 |
| Design Verifier Pane: Results                                              | 13-32 |
| Results Pane Overview                                                      | 13-34 |
| Save test data to file                                                     | 13-35 |
| Data file name                                                             | 13-36 |
| Include expected output values                                             | 13-37 |
| Randomize data that does not affect outcome                                | 13-39 |
| Save test harness as model                                                 | 13-41 |
| Harness model file name                                                    | 13-42 |
| Reference input model in generated harness                                 | 13-43 |
| Save test harness as SystemTest TEST-file (will reference saved data file) | 13-44 |
| SystemTest file name                                                       | 13-45 |
| Design Verifier Pane: Report                                               | 13-46 |
| Report Pane Overview                                                       | 13-47 |
| Generate report of the results                                             | 13-48 |
| Report file name                                                           | 13-49 |
| Include screen shots and plots                                             | 13-50 |
| Display report                                                             | 13-51 |

| Additional Math and Discrete Library | 14-2  |
|--------------------------------------|-------|
| Commonly Used Blocks Library         | 14-3  |
| Continuous Library                   | 14-4  |
| Discontinuities Library              | 14-5  |
| Discrete Library                     | 14-6  |
| Logic and Bit Operations             | 14-7  |
| Lookup Tables Library                | 14-8  |
| Math Operations                      | 14-9  |
| Model Verification Library           | 14-12 |
| Model-Wide Utilities Library         | 14-13 |
| Ports & Subsystems Library           | 14-14 |
| Signal Attributes Library            | 14-15 |
| Signal Routing Library               | 14-16 |
| Sinks Library                        | 14-17 |
| Sources Library                      | 14-18 |
| User-Defined Functions Library       | 14-19 |


# Glossary

## Examples

| Working with Block Replacements     | A-2 |
|-------------------------------------|-----|
| Specifying Parameter Configurations | A-2 |
| Generating Test Cases               | A-2 |
| Proving Properties of a Model       | A-2 |

# Index

# Getting Started

- "Product Overview" on page 1-2
- "Before You Begin" on page 1-3
- "Starting the Simulink® Design Verifier Software" on page 1-4
- "Analyzing a Model" on page 1-6
- "Analyzing a Subsystem" on page 1-23
- "Basic Workflow for Using the Simulink® Design Verifier Software" on page 1-27
- "Learning More" on page 1-28


# **Product Overview**

The Simulink Design Verifier software extends the Simulink<sup>®</sup> product by performing exhaustive formal analyses of your models to confirm that they behave correctly.

The Simulink Design Verifier software allows you to perform the following tasks:

- Generate test cases that achieve model coverage and custom objectives you specify in a model.
- Prove properties that you specify in a model, and identify examples of any property violations.
- Detect unreachable design elements in a model, such as inaccessible subsystems, illegal switch conditions, and unachievable states.
- Produce detailed reports regarding test case generation and property proofs.

# **Before You Begin**

### In this section ...

"What You Need to Know" on page 1-3

"Required Products" on page 1-3

# What You Need to Know

Getting started with the Simulink Design Verifier software requires that you have some experience using model coverage, as well as building and running Simulink models.

To learn more about these topics, see the following:

- "Using Model Coverage" in the Simulink<sup>®</sup> Verification and Validation™ User's Guide
- Simulink Getting Started Guide and Simulink User's Guide

# **Required Products**

You must have the following products installed to use the Simulink Design Verifier software:

- MATLAB®
- Simulink
- Simulink Verification and Validation

If you want to use the Simulink Design Verifier software with Stateflow<sup>®</sup> charts, you must have the following software product:

- Stateflow


# Starting the Simulink Design Verifier Software

The Simulink Design Verifier software is part of your MATLAB installation.

To open the Simulink Design Verifier block library:

- Type simulink at the MATLAB prompt to display the Simulink Library Browser, and then select the **Simulink Design Verifier** entry in the contents tree.

[Figure: Simulink Library Browser with the Simulink Design Verifier library selected in the Libraries tree. The library contains the Assumption, Proof Objective, Test Condition, and Test Objective blocks.]

- Alternatively, type sldvlib at the MATLAB prompt to display the Simulink Design Verifier library.



# Analyzing a Model

### In this section ...

"About This Demo" on page 1-6

"Opening the Model" on page 1-6

"Generating Test Cases" on page 1-8

"Exploring the Test Harness" on page 1-9

"Interpreting the Simulink® Design Verifier HTML Report" on page 1-12

# **About This Demo**

The following sections describe a demo model, Cruise Control Test Generation. This demo illustrates how to use the Simulink Design Verifier software to generate test cases that achieve complete model coverage. Through this demo, you learn how to analyze models with the Simulink Design Verifier software and interpret the results.

# **Opening the Model**

To open the Cruise Control Test Generation model, enter sldvdemo\_cruise\_control at the MATLAB prompt.

The Cruise Control Test Generation model opens.



### **Generating Test Cases**

You can generate test cases for the Cruise Control Test Generation model. To do so, open the model window and double-click the block labeled **Run**.

The Simulink Design Verifier software begins analyzing the model to generate test cases. During its analysis, the software displays the following log window.

[Figure: Simulink Design Verifier log window for sldvdemo\_cruise\_control, showing the following progress summary and log text.]

| Progress             |       |
|----------------------|-------|
| Objectives processed | 34/34 |
| Satisfied            | 34    |
| Falsified            | 0     |
| Elapsed time         | 0:04  |

| Log |
|-----|
| 07-Jul-2008 10:18:07<br>Starting test generation for model "sldvdemo\_cruise\_control"<br>Compiling model...done<br>Translating model...done<br>Generating tests |
| SATISFIED<br>Controller/Switch1<br>logical trigger input true (output is from 1st input port) |
| SATISFIED<br>Controller/Logical Operator1<br>Logic: input port 1 T |

The log window updates you on the progress of the Simulink Design Verifier software as it analyzes the model. If you need to terminate an analysis while it is running, click **Stop**.

When the Simulink Design Verifier software completes its analysis, it opens:

- Test harness model: sldvdemo\_cruise\_control\_harness.mdl
- Signal Builder dialog box containing the test-case signals
- HTML report containing the analysis results: sldvdemo\_cruise\_control\_report.html

The sections that follow describe the test harness, the Signal Builder data, and the HTML report in detail.

# **Exploring the Test Harness**

The Simulink Design Verifier software creates a test harness model when it completes its analysis. The test harness for the Cruise Control Test Generation model appears as shown in the following figure.



**1** The block labeled Test Case Explanation is a DocBlock block that documents the generated test cases. Double-click the Test Case Explanation block to view a description of each test case in terms of the objectives that the test case satisfies.

[Figure: Editor window displaying the Test Case Explanation text. Lines that end abruptly are cut off at the right edge of the window.]

Test Case 1 (8 Objectives)

Parameter values:

1. Controller/PI Controller - enable logical value F @ T=0.00
2. Controller/Switch1 - logical trigger input true (output is fr
3. Controller/Logical Operator1 - Logic: input port 1 T @ T=0.00
4. Controller/Logical Operator2 - Logic: input port 1 T @ T=0.00
5. Controller/Logical Operator2 - Logic: MCDC expression for out
6. Controller/Logical Operator - Logic: input port 1 T @ T=0.00
7. Controller/Logical Operator - Logic: input port 2 F @ T=0.00
8. Controller/Logical Operator - Logic: MCDC expression for outp

Test Case 2 (3 Objectives)

Parameter values:

1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00
2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00
3. Controller/Logical Operator - Logic: MCDC expression for outp

Test Case 3 (6 Objectives)

Parameter values:

**2** The block labeled Test Unit is a Subsystem block that contains a copy of the original model the software analyzed. Double-click the Test Unit block to view its contents and confirm that it is a copy of the Cruise Control Test Generation model.

**3** The block labeled Inputs is a Signal Builder block that contains the generated test case signals. Double-click the Inputs block to open the Signal Builder dialog box and view the nine test case signals.



**4** In the Signal Builder dialog box, select the **Test Case 7** tab to display the signal values for Test Case 7.

In Test Case 7 at 0.1 seconds:

- The enable signal remains 1.
- The brake signal transitions from 0 to 1.
- The inc and set signals transition from 1 to 0.
- The dec and speed signals remain 0.

This group of signals achieves the test objectives described in the Test Case Explanation block.

**5** To confirm that the Simulink Design Verifier software achieved complete model coverage, simulate the test harness using all the test cases. In the Signal Builder dialog box, click the **Run all** button.

The Simulink software simulates the test harness using all the test cases, while the Simulink Verification and Validation software collects model coverage information and displays a coverage report with the following summary.



The coverage report indicates that the Simulink Design Verifier software generated test cases that achieve complete coverage for the Cruise Control Test Generation model.

### Interpreting the Simulink Design Verifier HTML Report

The Simulink Design Verifier software creates an HTML report that summarizes its analysis results.

If the report is not open in a Web Browser window, open it now. The path name is:

matlabroot\sldv\_output\sldvdemo\_cruise\_control\sldvdemo\_cruise\_control\_report.html

**Note** The log window contains the exact report path name (see "Generating Test Cases" on page 1-8).

The HTML report includes the following chapters.

| Table of Contents                                                                                     |
|-------------------------------------------------------------------------------------------------------|
| 1. Summary<br>2. Analysis Information<br>3. Test Objectives Status<br>4. Model Items<br>5. Test Cases |

See the following sections for a description of each report chapter:

- "Summary" on page 1-13
- "Analysis Information" on page 1-14
- "Test Objectives Status" on page 1-16
- "Model Items" on page 1-19
- "Test Cases" on page 1-20

### Summary

In the **Table of Contents**, click **Summary** to display the Summary chapter, which includes the following information:

- Name of the model
- Mode of the analysis (test generation or property proving)
- Status of the analysis
- Number of objectives satisfied

| Chapter 1. Summary       |                         |
|--------------------------|-------------------------|
| **Analysis Information** |                         |
| Model:                   | sldvdemo_cruise_control |
| Mode:                    | TestGeneration          |
| Status:                  | Completed normally      |
| **Objectives Status**    |                         |
| Number of Objectives:    | 34                      |
| Objectives Satisfied:    | -                       |

### **Analysis Information**

In the **Table of Contents**, click **Analysis Information** to display information about the analyzed model and the analysis options.

### **Chapter 2. Analysis Information**

**Table of Contents** 

- Model Information
- Analysis Options
- Constraints
- Approximations

### **Model Information**

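| File:       | \\mathworks\ah\devel\jobarchive\AsIrtw\latest\_pass\matlab\toolbox\sld\\ |
|-------------|--------------------------------------------------------------------------|
| Version:    | 1.49                                                                     |
| Time Stamp: | Thu Jun 12 18:31:06 2008                                                 |
| Author:     |                                                                          |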

### **Analysis Options**

| Mode:                             | TestGeneration         |
|-----------------------------------|------------------------|
| Test Suite Optimization:          | CombinedObjectives     |
| Maximum Testcase Steps:           | 500 time steps         |
| Test Conditions:                  | UseLocalSettings       |
| Test Objectives:                  | UseLocalSettings       |
| Model Coverage Objectives:        | MCDC                   |
| Maximum Processing Time:          | 60s                    |
| Block Replacement:                | off                    |
| Parameters Analysis:              | on                     |
| Parameters Configuration<br>File: | sldv_params_template.m |
| Save Data:                        | on                     |
| Save Harness:                     | on                     |
| Save Report:                      | on                     |

### Constraints

| Name       | Constraint |
|------------|------------|
| constraint | [0, 100]   |

### Approximations

Simulink Design Verifier performed the following approximations during analysis. These can impact the precision of the results generated by Simulink Design Verifier. Please see the product documentation for further details.

|   | Type                   | Description                                                                                                                                  |
|---|------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Rational approximation | The model includes floating-point arithmetic. Simulink Design Verifier approximates floating-point arithmetic with rational number arithmetic. |

### **Test Objectives Status**

In the **Table of Contents**, click **Test Objectives Status** to display a table of satisfied objectives. The following figure shows a partial list of the objectives satisfied in the Cruise Control Test Generation model.

### **Chapter 3. Test Objectives Status**

Table of Contents

**Objectives Satisfied** 

### **Objectives Satisfied**

Simulink Design Verifier found test cases that exercise these test objectives.

| #: | Type     | Model Item                                        | Description                                                 | Test Case |
|----|----------|---------------------------------------------------|-------------------------------------------------------------|-----------|
| 1  | Decision | Controller/PI Controller                          | enable logical value F                                      | 1         |
| 2  | Decision | Controller/PI Controller                          | enable logical value T                                      | 9         |
| 3  | Decision | Controller/Switch1                                | logical trigger input false (output is from 3rd input port) | 3         |
| 4  | Decision | Controller/Switch1                                | logical trigger input true (output is from 1st input port)  | 1         |
| 5  | Decision | Controller/PI Controller/Discrete-Time Integrator | integration result <= lower limit F                         | 9         |
| 6  | Decision | Controller/PI Controller/Discrete-Time Integrator | integration result <= lower limit T                         | 9         |
| 7  | Decision | Controller/PI Controller/Discrete-Time Integrator | integration result >= upper limit F                         | 9         |

The Objectives Satisfied table lists the following information for the model:

- **#** Objective number.
- **Type** Objective type.
- **Model Item** Element in the model for which the objective was tested. Click this link to display the model with this element highlighted.
- **Description** Description of the objective.

- **Test case** — Test case that achieves the objective. Click this link to get more information about that test case.

In the row for objective 17, click the test case number (7) to display more information about test case 7 in the report's Test Cases chapter.

### Test Case 7

#### Summary

Length: 0.01 Seconds (2 sample periods)

Objective Count: 10

#### Objectives

| Step | Time | Model Item                                                                                                                                                                                                                                                                               | Objectives                                                                                                                                                                                                                                                                                                                                                |
|------|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1    | 0    | Controller/Logical Operator<br>Controller/Logical Operator<br>Controller/PI<br>Controller/Discrete-Time Integrator<br>Controller/PI<br>Controller/PI Controller<br>Controller/PI Controller<br>Controller/Logical Operator<br>Controller/Logical Operator<br>Controller/Logical Operator | Logic: input port 2 T<br>Logic: input port 3 T<br>integration result >= upper limit F<br>integration result <= lower limit F<br>enable logical value T<br>Logic: MCDC expression for output with input port 1 T<br>Logic: MCDC expression for output with input port 2 T<br>Logic: MCDC expression for output with input port 3 T |
| 2    | 0.01 | Controller/Logical Operator2<br>Controller/Logical Operator2 | Logic: input port 2 T<br>Logic: MCDC expression for output with input port 2 T |

#### **Generated Input Data**

| Time   | 0 | 0.01 |
|--------|---|------|
| Step   | 0 | 1    |
| enable | 1 | 1    |
| brake  | 0 | 1    |
| set    | 1 | 0    |
| inc    | 1 | -    |
| dec    | 0 | -    |
| speed  | 0 | 0    |

In this example, Test Case 7 satisfies 10 model coverage objectives. The following signal values achieve the objectives listed in the **Objectives** column of the table:

- The enable signal remains 1.
- The brake signal transitions from 0 to 1 at 0.1 seconds.
- The inc and set signals transition from 1 to 0 at 0.1 seconds.
- The dec and speed signals remain 0.

This information matches what you see in the test harness model. Specifically, the Inputs block in the test harness depicts identical signal values for Test Case 7, and the Test Case Explanation block lists 10 objectives that Test Case 7 achieves (see "Exploring the Test Harness" on page 1-9).

### **Model Items**

In the **Table of Contents**, click **Model Items** to see detailed information about each item in the model that defines coverage objectives. This table includes the status of the objective at the end of the analysis. You can click the links in the table to get detailed information about the satisfied objectives.

### **Chapter 4. Model Items**

#### **Table of Contents**

- Controller/PI Controller
- Controller/Switch1
- Controller/PI Controller/Discrete-Time Integrator
- Controller/Switch2
- Controller/Switch3
- Controller/Logical Operator1
- Controller/Logical Operator2
- Controller/Logical Operator

This section presents, for each object in the model defining coverage objectives, the list of objectives and their individual status at the end of the analysis. It should match the coverage report obtained from running the generated test suite on the model, either from the harness model or by using the sldvruntests command.

### Controller/PI Controller

#### View

| #: | Type     | Description            | Status    | Test Case |
|----|----------|------------------------|-----------|-----------|
| 1  | Decision | enable logical value F | Satisfied | 1         |
| 2  | Decision | enable logical value T | Satisfied | 9         |

### Controller/Switch1

| #: | Type     | Description                                                 | Status    | Test Case |
|----|----------|-------------------------------------------------------------|-----------|-----------|
| 3  | Decision | logical trigger input false (output is from 3rd input port) | Satisfied | 3         |
| 4  | Decision | logical trigger input true (output is from 1st input port)  | Satisfied | 1         |

### **Test Cases**

In the **Table of Contents**, click **Test Cases** to display detailed information about each generated test case, including:

- Length of time to execute the test case
- Number of objectives satisfied
- Detailed information about the satisfied objectives
- Input data

The Test Cases chapter table of contents contains links to the sections specific to each test case.

### Chapter 5. Test Cases

#### **Table of Contents**

- Test Case 1
- Test Case 2
- Test Case 3
- Test Case 4
- Test Case 5
- Test Case 6
- Test Case 7
- Test Case 8
- Test Case 9

This section contains detailed information about each generated test case.

### Test Case 1

#### Summary

Length: 0 Seconds (1 sample periods)

Objective Count: 8

#### Objectives

| Step | Time | Model Item                                                                                                                                                                                                                                   | Objectives                                                                                                                                                                                                                                                                                                          |
|------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1    | 0    | Controller/Logical Operator<br>Controller/Logical Operator2<br>Controller/PI Controller<br>Controller/Logical Operator<br>Controller/Logical Operator2<br>Controller/Logical Operator1<br>Controller/Logical Operator1<br>Controller/Switch1 | Logic: MCDC expression for output with input port 2 F<br>Logic: MCDC expression for output with input port 1 T<br>enable logical value F<br>Logic: input port 2 F<br>Logic: input port 1 T<br>Logic: input port 1 T<br>Logic: input port 1 T<br>logical trigger input true (output is from 1st input port) |

#### **Generated Input Data**

| Time   | 0 |
|--------|---|
| Step   | 0 |
| enable | 1 |
| brake  | 1 |
| set    | 1 |
| inc    | 1 |
| dec    | 0 |
| speed  | 0 |

## Analyzing a Subsystem

In addition to analyzing a model, you can analyze a subsystem within a model. This technique is good for large models, where you want to review the analysis in smaller, manageable reports.

This example analyzes the Controller subsystem in the sldvdemo\_cruise\_control model from "Analyzing a Model" on page 1-6.

- **1** Enter sldvdemo\_cruise\_control at the MATLAB command line to open the Cruise Control Test Generation model.
- **2** Right-click the Controller subsystem, and select **Subsystem Parameters**.




- **3** In the Function Block Parameters dialog box, select **Treat as atomic unit**.

An *atomic subsystem* executes as a unit relative to the parent model; subsystem block execution does not interleave with parent block execution. This makes it possible to extract subsystems for use as standalone models.

You must set the **Treat as atomic unit** parameter to analyze a subsystem with the Simulink Design Verifier software.

[Figure: the Function Block Parameters: Controller dialog box, with the **Treat as atomic unit** check box in the Parameters pane.]

After you set the parameter, other options become available, but you can ignore them.

- **4** Click **Apply** and **OK** to close the dialog box.
- **5** Select **File > Save As** and save the model under a new name.
- **6** To start the subsystem analysis and generate test cases, right-click the Controller subsystem, and select **Design Verifier > Generate Tests for Subsystem**.




- **7** The Simulink Design Verifier software creates and opens the following output. Except for the new model, all of these correspond to the model analysis output:
  - A new model containing just the Controller subsystem: Controller.mdl
  - Test harness model: Controller harness.mdl
  - Signal Builder dialog box containing the test-case signals
  - HTML report containing the analysis results: Controller report.htm
- **8** Review the results of the subsystem analysis (harness model and HTML report) and compare them to the results of the full-model analysis described in "Analyzing a Model" on page 1-6.
  - The subsystem analysis analyzes the Controller as a standalone model.
  - The Controller subsystem contains all the test objectives in the Cruise Control Test Generation model, so both analyses generate the same test cases.

# Basic Workflow for Using the Simulink Design Verifier Software

The *Simulink Design Verifier User's Guide* is organized around the workflow that you follow when generating tests for your model or proving its properties. The following steps describe this workflow and cite the locations in the documentation that you can refer to for more information:

| Step | Action                                                      | See                                                                                         |
|------|-------------------------------------------------------------|---------------------------------------------------------------------------------------------|
| 1    | Check the compatibility of your model.                      | Chapter 3, "Ensuring Compatibility with the Simulink <sup>®</sup> Design Verifier Software" |
| 2    | Optionally, prepare your model for analysis.                | Chapter 4, "Working with Block<br>Replacements"                                             |
|      |                                                             | Chapter 5, "Specifying Parameter<br>Configurations"                                         |
| 3    | Set Simulink Design Verifier options.                       | Chapter 6, "Configuring Simulink® Design<br>Verifier Options"                               |
| 4    | Generate test cases for your model or prove its properties. | Chapter 7, "Generating Test Cases"<br>Chapter 8, "Proving Properties of a Model"            |
| 5    | Interpret the results.                                      | Chapter 9, "Reviewing the Results"                                                          |


### **Learning More**

#### In this section...

"Next Step" on page 1-28

"Product Help" on page 1-28

"The MathWorks Online" on page 1-29

#### **Next Step**

To begin learning how to use the Simulink Design Verifier software, see Chapter 3, "Ensuring Compatibility with the Simulink<sup>®</sup> Design Verifier Software". Also see the following topics to continue your exploration of the software:

| For                                                                              | See                                                |
|----------------------------------------------------------------------------------|----------------------------------------------------|
| Exercise that walks you through the process of generating test cases for a model | "Generating Test Cases for a Model"<br>on page 7-4 |
| Exercise that walks you through the process of proving a model property          | "Proving Properties in a Model" on page 8-4        |

#### **Product Help**

More information is available with your product installation. In the MATLAB desktop, click for help, and then click the product name in the **Contents** pane.

| For                         | See                            |
|-----------------------------|--------------------------------|
| List of blocks              | Blocks — Alphabetical List     |
| Tutorials                   | Examples in Documentation      |
| More product demonstrations | Simulink Design Verifier Demos |
| What's new in this product  | Release Notes                  |

### The MathWorks Online

Point your Internet browser to the MathWorks Web site for additional information and support at

http://www.mathworks.com/products/sldesignverifier/

# How the Simulink Design Verifier Software Works

- "Model Analysis with Simulink® Design Verifier Software" on page 2-2
- "Analyzing a Simple Model" on page 2-3
- "Analyzing Large Models" on page 2-5
- "Approximations" on page 2-6

## Model Analysis with Simulink Design Verifier Software

Simulink Design Verifier software is an efficient analysis tool that explores the simulation behavior of a model. It searches the possible values of model inputs and block parameters to find a simulation that satisfies test objectives. The software also proves model properties and generates examples of violations.

Such analysis always begins with the initial configuration of the model and can span an arbitrary number of time steps. Generally, there is an infinite number of paths through the model because the values of inputs are independent from one time step to the next, and there is no fixed limit to the number of time steps.

If the software found no way to reduce the search space, the analysis would continue indefinitely. Thus, the software limits the analysis by tracking the persistent information in the model, such as discrete states, data-store memories, and persistent variables.

After an analysis explores all possible inputs and parameters from all possible configurations, the results equal those of a complete search of every possible infinite sequence of inputs and parameters.

## Analyzing a Simple Model

This simple Simulink model includes two Logical Operator blocks and a Memory block.



The persistent information in this model is limited to the Boolean value of the Memory block. The input to the model is a single Boolean value. The following table describes the complete behavior of the model, including the behavior that would result from an arbitrarily long sequence of inputs.

| # | Input | Memory<br>Value | Output of XOR<br>Block = Next<br>Memory Value | Output of AND<br>Block |
|---|-------|-----------------|-----------------------------------------------|------------------------|
| 1 | false | false           | false                                         | false                  |
| 2 | true  | false           | true                                          | false                  |
| 3 | false | true            | true                                          | false                  |
| 4 | true  | true            | false                                         | true                   |

Suppose you want to generate test cases that result in a true output; this goal is your *test objective*. If you run the Simulink Design Verifier software to generate test cases that result in a true output, the software searches this table to see if such a scenario is possible.

After the Simulink Design Verifier software discovers a configuration that satisfies the test objective (in this case, when both the input and the Memory block output are true), it needs to find a path to reach this configuration from the initial conditions. If the initial memory value is true, the test case only needs to be a single time step (row 4) where the input is true.

If the initial memory value is false (the default), the test case must force the memory value to be true. In this example, the path requires two steps:

- **1** The input value is true and the memory value is false (row 2). Thus, the output of the XOR block is true, making the memory value true.
- **2** Now that the input value and memory value are both true (row 4), the output is true, so the analysis achieves the specified test objective.

An infinite number of test cases can cause the output to be true, and regardless of the state value, the output can be held false for an arbitrary time before making it true. When the Simulink Design Verifier software searches, it returns the first test case it encounters that satisfies the objective. This case is invariably the simulation with the fewest time steps. Sometimes you may find this result undesirable because it is unrealistic or does not satisfy some other test requirement.

The same basic principles from this example apply to property proving and test case generation. During test case generation, option parameters explicitly specify the search criteria. For example, you can specify that Simulink Design Verifier software find paths for all outputs or find only those paths where the output is true.

During property proving, you specify a functional requirement, or property, that you want the Simulink Design Verifier software to prove, for example, that the output is always true. If the search completes without finding a path that violates the property, the proof of that property completes successfully. If the software finds a path where the output is false, it creates a counterexample that causes the output to be false.
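The search described in this section can be written out for the two-block model in the table. The following Python sketch is an added example, not code from the guide or from the product: it runs a breadth-first search over the only persistent state (the Memory value) to return the shortest test case, and reuses the same search to look for a counterexample to a property. The function names and the second property are assumptions chosen for illustration.

```python
from collections import deque


def step(memory, u):
    """One time step of the model in the table above.

    Returns (next_memory, output): the XOR block output becomes the next
    Memory value, and the AND block output is the model output.
    """
    next_memory = (u != memory)   # XOR of input and Memory value
    output = (u and memory)       # AND of input and Memory value
    return next_memory, output


def search(goal, initial_memory=False):
    """Shortest input sequence whose last step satisfies goal(u, memory, output).

    Only the Memory value is tracked between steps, so the search stops once
    every reachable Memory value has been expanded. Returns None when no
    reachable step satisfies the goal.
    """
    queue = deque([(initial_memory, [])])
    seen = {initial_memory}
    while queue:
        memory, inputs = queue.popleft()
        for u in (False, True):
            next_memory, output = step(memory, u)
            if goal(u, memory, output):
                return inputs + [u]
            if next_memory not in seen:
                seen.add(next_memory)
                queue.append((next_memory, inputs + [u]))
    return None


def generate_test(initial_memory=False):
    """Test objective from the text: make the model output true."""
    return search(lambda u, memory, output: output, initial_memory)


def prove(prop, initial_memory=False):
    """Property proving: search for a step that violates prop.

    Returns (True, None) if no violation is reachable, otherwise
    (False, counterexample_inputs).
    """
    counterexample = search(
        lambda u, memory, output: not prop(u, memory, output), initial_memory
    )
    return counterexample is None, counterexample


if __name__ == "__main__":
    print("test case, Memory initially false:", generate_test())
    print("test case, Memory initially true: ", generate_test(True))
    # Property from the text: the output is always true.
    print("output always true:", prove(lambda u, m, y: y))
    # Assumed property for illustration: a true output implies a true input.
    print("output implies input:", prove(lambda u, m, y: (not y) or u))
```

Because breadth-first search expands shorter input sequences first, the returned test case is the one with the fewest time steps, which is the behavior the text describes.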

## **Analyzing Large Models**

In larger, more complicated models, the Simulink Design Verifier software uses mathematical techniques to simplify the analysis:

- It identifies portions of the model that do not affect the desired objectives.
- It discovers relationships within the model that reduce the complexity of the search.
- It reuses intermediate results from one objective to another.

In this way, the problem is reduced to a search through the logical values that describe your model.

For detailed information about analyzing large models, see Chapter 10, "Analyzing Large Models and Improving Performance".

## **Approximations**

#### In this section...

"Approximations During Model Analysis" on page 2-6

"Types of Approximations" on page 2-6

"Converting Floating-Point Arithmetic to Rational-Number Arithmetic" on page 2-6

"Linearizing 2-D Lookup Tables" on page 2-7

"Unrolling While Loops" on page 2-7

"Ensuring the Validity of the Analysis" on page 2-7

### **Approximations During Model Analysis**

The Simulink Design Verifier software attempts to generate inputs and parameters to achieve test and proof objectives. However, there could be an infinite number of values for the software to search. To create reasonable limits on the analysis, the software performs approximations to simplify the analysis. The software records any approximations it performed in the Analysis Information chapter of the Simulink Design Verifier HTML report.

### **Types of Approximations**

Simulink Design Verifier software performs three types of approximations when it analyzes a model:

- "Converting Floating-Point Arithmetic to Rational-Number Arithmetic" on page 2-6
- "Linearizing 2-D Lookup Tables" on page 2-7
- "Unrolling While Loops" on page 2-7

### Converting Floating-Point Arithmetic to Rational-Number Arithmetic

The Simulink Design Verifier software simplifies the linear arithmetic of floating-point numbers by approximating them with rational numbers. The software discovers how the logical relationships between these variables affect the proof and test objectives. This analysis enables the software to support supervisory logic that is commonly found in embedded controls designs.

If your model contains floating-point values in the signals, input values, or block parameters, the Simulink Design Verifier software converts those values to rational numbers before performing its analysis.

### Linearizing 2-D Lookup Tables

The Simulink Design Verifier software does not support nonlinear arithmetic. If your model contains any Lookup Table (2-D) blocks, the software approximates nonlinear 2-D interpolation with linear interpolation by fitting planes to each interpolation interval, if necessary.

### **Unrolling While Loops**

If your model or any Stateflow chart in your model contains a while loop, the Simulink Design Verifier software tries to find a bound that allows the while loop to exit. To find a bound, it unrolls the while loop and executes it three times. If the software does not find a bound for a test case generation analysis, it sets the number of loop iterations to three for the purpose of the analysis. If you are performing a property-proving analysis, the analysis terminates.

### **Ensuring the Validity of the Analysis**

The Simulink Design Verifier software records all approximations it performed in the Analysis Information chapter of the HTML report. (For a description of the contents of this chapter, see "Analysis Information Chapter" on page 9-19.)

Review the analysis results carefully when the software uses approximations. Evaluate your model to identify which blocks or subsystems caused the software to perform the approximations.

In rare cases, an approximation can result in test cases that fail to achieve test objectives, or counterexamples that fail to falsify proof objectives. For example, suppose the software generates a test case signal that should achieve an objective by exceeding a threshold; a floating-point round-off error might prevent that signal from attaining the threshold value.
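The round-off failure mode described above can be reproduced with a small replay check. The following Python sketch is an added example, not code from the guide or the product: it replays a constructed accumulator test case once in exact rational arithmetic and once in IEEE double arithmetic and compares when the threshold objective is reached. The accumulator, gain, limit, and function names are assumptions for illustration; the guide does not specify how the software maps values to rational numbers.

```python
from fractions import Fraction


def first_step_reaching(gain, limit, inputs, number):
    """Replay x[k+1] = x[k] + gain * u[k] over the given inputs.

    Returns the 1-based step at which x >= limit first holds, or None if
    the inputs never reach the limit. `number` selects the arithmetic:
    Fraction for exact rationals, float for IEEE doubles. gain and limit
    are decimal strings so both replays start from the same written value.
    """
    g, lim, state = number(gain), number(limit), number(0)
    for k, u in enumerate(inputs, start=1):
        state = state + g * number(u)
        if state >= lim:
            return k
    return None


def check_test_case(gain, limit, inputs):
    """Compare the rational replay (assumed analysis view) with the
    floating-point replay (simulation view) of one test case."""
    rational_step = first_step_reaching(gain, limit, inputs, Fraction)
    float_step = first_step_reaching(gain, limit, inputs, float)
    return {
        "rational_step": rational_step,
        "float_step": float_step,
        # The objective holds in simulation only if the float replay
        # reaches the limit within the generated test case.
        "achieved_in_float": float_step is not None,
    }


# Constructed test case: ten steps with input 1, gain 0.1, limit 1.0.
# In rational arithmetic 10 * (1/10) equals 1 exactly; in doubles the
# running sum after ten steps is 0.9999999999999999.
TEN_STEPS = [1] * 10

if __name__ == "__main__":
    print(check_test_case("0.1", "1.0", TEN_STEPS))
    # One extra step lets the floating-point replay cross the limit.
    print(check_test_case("0.1", "1.0", TEN_STEPS + [1]))
    # A gain that is exactly representable in binary shows no difference.
    print(check_test_case("0.25", "1.0", [1] * 4))
```

Replaying generated test cases in the simulation arithmetic, as the coverage run from the test harness does, is what exposes this kind of mismatch.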



# Ensuring Compatibility with the Simulink Design Verifier Software

The Simulink Design Verifier software supports a broad range of Simulink and Stateflow software features. However, there are features that the product does not support. Therefore, you must avoid using particular features in models that you plan to analyze with the Simulink Design Verifier software. The following sections identify the unsupported features and describe how to check whether your model is compatible for use with the Simulink Design Verifier software.

- "Checking Model Compatibility" on page 3-2
- "Unsupported Simulink Software Features" on page 3-6
- "Unsupported Stateflow Software Features" on page 3-8
- "Limitations of Support for the Embedded MATLAB Subset" on page 3-10
- "Limitations of Fixed-Point Support" on page 3-12

## **Checking Model Compatibility**

The Simulink Design Verifier software automatically checks the compatibility of your model before it begins the analysis. If it finds an incompatibility, the analysis stops and you need to fix your model before you can continue.

In addition, the software allows you to check whether your model is compatible before analyzing the model. To run this check, select **Tools > Design Verifier > Check Model Compatibility** in the model window.



A log window appears if your model is compatible for analysis.

| Simulink Design Verifier log: sldvdemo_cruise_control |
|-------------------------------------------------------|
| 24Jan-2007 17:09:13<br>Checking compatibility of model "sldvdemo_cruise_control"<br>Compiling modeldone<br>Checking compatibilitydone<br>Model "sldvdemo_cruise_control" is compatible with Simulink Design Verifier. |

Otherwise, the Simulink Design Verifier software identifies any incompatibilities in your model. For example, suppose your model specifies the use of an incompatible feature, such as a variable-step solver. When checking the compatibility of your model in this case, the software displays incompatibility errors in the Simulation Diagnostics Viewer (see "Simulation Diagnostics Viewer" in *Simulink User's Guide*).

[Figure: Simulation Diagnostics Viewer listing one message for sldvdemo_cruise_control, reported by Simulink, with the summary "Simulink Design Verifier can not be used with a variable-step solver. You must configure the solver option" (text cut off in the window).]

Using the information from the Simulation Diagnostics Viewer, you can determine the cause of an incompatibility and correct it.

**Note** The Simulink Design Verifier software checks the compatibility of a model incrementally. When it detects an incompatibility, it displays an error message and stops the check without completing all the steps. If you receive an error, correct the problem and then recheck whether your model is compatible.

Alternatively, you can use the sldvcompat function to run the compatibility checker programmatically at the command line or in an M-file program. See sldvcompat in Chapter 11, "Function Reference" for more information.

## **Unsupported Simulink Software Features**

#### In this section ...

"List of Unsupported Simulink Software Features"

"Limitations of Simulink Block Support"

#### List of Unsupported Simulink Software Features

The Simulink Design Verifier software does not support the following Simulink software features. Avoid using these unsupported features in models that you analyze with the Simulink Design Verifier software.

| Feature Not Supported | Remarks                                                                                                                                                                                                                                                                                                                                                                                               |
|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Variable-step solvers | The Simulink Design Verifier software supports<br>only fixed-step solvers (see "Choosing a<br>Fixed-Step Solver" in <i>Simulink User's Guide</i> ).                                                                                                                                                                                                                                                   |
| Complex signals       | The Simulink Design Verifier software supports<br>only real signals (for contrast, see "Complex<br>Signals" in <i>Simulink User's Guide</i> ).                                                                                                                                                                                                                                                        |
| Nonzero start times   | Although Simulink allows you to specify a<br>nonzero simulation start time (see "Specifying<br>a Simulation Start and Stop Time" in <i>Simulink</i><br><i>User's Guide</i> ), the Simulink Design Verifier<br>software generates signal data that begins only<br>at zero. If your model specifies a nonzero start<br>time, the Simulink Design Verifier software<br>ignores it and uses zero instead. |
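
Because the compatibility check stops at the first incompatibility, it helps to inspect the model-wide settings from the table above before calling sldvcompat. The following MATLAB function is an added example, not code from this guide: preflight_sldv is a hypothetical name, and it assumes that sldvcompat(model) returns a logical status.

```matlab
function ok = preflight_sldv(model)
%PREFLIGHT_SLDV Report configuration-level incompatibilities, then run sldvcompat.
%   Added example (hypothetical helper, not shipped with the product).
%   Checks the two model-wide settings listed as unsupported in this
%   section before invoking the incremental compatibility checker.

load_system(model);                 % load the model without opening a window
issues = {};

% Variable-step solvers are not supported; only fixed-step solvers are.
if strcmpi(get_param(model, 'SolverType'), 'Variable-step')
    issues{end+1} = 'SolverType is Variable-step; select a fixed-step solver.';
end

% A nonzero start time is silently ignored: generated signal data
% always begins at zero, so flag the mismatch explicitly.
startTime = str2double(get_param(model, 'StartTime'));
if isnan(startTime)
    issues{end+1} = 'StartTime is not a numeric literal; verify that it evaluates to 0.';
elseif startTime ~= 0
    issues{end+1} = sprintf('StartTime is %g; the analysis uses 0 instead.', startTime);
end

for k = 1:numel(issues)
    fprintf('[%s] %s\n', model, issues{k});
end

% sldvcompat stops at the first incompatibility it detects, so call it
% only once the settings above are clean, and rerun it after every fix.
% Assumption: sldvcompat(model) returns true when the model is compatible.
ok = isempty(issues) && sldvcompat(model);
```

Complex signals and unsupported blocks are not covered by this pre-check; sldvcompat reports those.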

### **Limitations of Simulink Block Support**

The Simulink Design Verifier software provides various levels of support for Simulink blocks. The software either fully or partially supports particular blocks, while it does not support others. Refrain from using unsupported Simulink blocks in models that you analyze with the Simulink Design Verifier software. Similarly, specify only the block parameters that the Simulink Design Verifier software recognizes for blocks that it partially supports. See Chapter 14, "Simulink Block Support" for a list of Simulink blocks and details regarding whether the Simulink Design Verifier software provides support.

## **Unsupported Stateflow Software Features**

The Simulink Design Verifier software does not support the following Stateflow software features. Avoid using these unsupported features in models that you analyze with the Simulink Design Verifier software.

| Feature Not Supported                                    | Remarks                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|----------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ml namespace operator,<br>ml function, ml<br>expressions | The Simulink Design Verifier software does not<br>support calls to MATLAB functions or access<br>to MATLAB workspace variables, which the<br>Stateflow software allows (see "Using MATLAB<br>Functions and Data in Actions" in the <i>Stateflow<br>and Stateflow<sup>®</sup> Coder<sup>™</sup> User's Guide</i>). |
| C math functions                                         | The Simulink Design Verifier software supports<br>calls to the following C math functions: abs,<br>ceil, fabs, floor, fmod, labs, ldexp, and pow<br>(only for an integer exponent). However, the<br>Simulink Design Verifier software does not<br>support calls to other C math functions that<br>the Stateflow software allows (see "Calling<br>C Functions in Actions" in the Stateflow and<br>Stateflow Coder User's Guide).                                                            |
| Recursion                                                | The Simulink Design Verifier software does<br>not support recursive functions, which the<br>Stateflow software allows you to implement<br>using graphical functions (see "Using Graphical<br>Functions to Extend Actions" in the <i>Stateflow</i><br>and Stateflow Coder User's Guide). Also, the<br>Simulink Design Verifier software does not<br>support recursion that the Stateflow software<br>allows you to implement using a combination of<br>event broadcasts and function calls. |
| Custom C or C++ code | The Simulink Design Verifier software does<br>not support custom C or C++ code, which<br>the Stateflow software allows (see "Building<br>Targets" in the <i>Stateflow and Stateflow Coder</i><br><i>User's Guide</i> ). |
| Machine-parented data<br>and events | The Simulink Design Verifier software does<br>not support machine-parented data and events<br>(i.e., defined at the level of the Stateflow<br>machine in the Stateflow hierarchy), which the<br>Stateflow software allows (see "Defining Data"<br>and "Defining Events" in the <i>Stateflow and</i><br><i>Stateflow Coder User's Guide</i> ). |
| Absolute-time temporal<br>logic     | The Simulink Design Verifier software does not<br>support absolute-time temporal logic, which the<br>Stateflow software allows (see "Operators for<br>Absolute-Time Temporal Logic" in the <i>Stateflow</i><br><i>and Stateflow Coder User's Guide</i> ).                                                                                     |

## Limitations of Support for the Embedded MATLAB Subset

#### In this section ...

"List of Unsupported Embedded MATLAB Subset Features"

"Limitations of Embedded MATLAB Library Function Support"

#### List of Unsupported Embedded MATLAB Subset Features

The Simulink Design Verifier software does not support the following features of the Embedded MATLAB<sup>™</sup> Function block in the Simulink software and Embedded MATLAB functions in the Stateflow software. Avoid using these unsupported features in models that you analyze with the Simulink Design Verifier software.

| Feature Not Supported | Remarks                                                                                                                                                                                                                                                  |
|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Complex numbers       | The Simulink Design Verifier software<br>supports only real numbers. However, the<br>Embedded MATLAB subset also supports<br>complex numbers (see "Working with Complex<br>Numbers" in the <i>Embedded MATLAB<sup>TM</sup> User's</i><br><i>Guide</i> ). |
| Characters | The Simulink Design Verifier software does<br>not support characters, which the Embedded<br>MATLAB subset allows (see "Working with<br>Characters" in the <i>Embedded MATLAB</i> <sup>™</sup><br><i>User's Guide</i> ). |
| C functions           | The Simulink Design Verifier software does not<br>support calls to external C functions, which the<br>Embedded MATLAB subset allows (see "Calling<br>C Functions from the Embedded MATLAB<br>Subset" in the <i>Embedded MATLAB™ User's</i><br><i>Guide</i> ). |
| Extrinsic functions   | The Simulink Design Verifier software supports<br>extrinsic functions only when they do not<br>affect the output of an Embedded MATLAB<br>function. See "Calling MATLAB Functions" in<br>the <i>Embedded MATLAB™ User's Guide</i> for<br>more information.    |

#### Limitations of Embedded MATLAB Library Function Support

The Simulink Design Verifier software provides various levels of support for Embedded MATLAB library functions. That is, the software either fully or partially supports particular functions, while it does not support others. Refrain from using unsupported Embedded MATLAB library functions in models that you analyze with the Simulink Design Verifier software. See Chapter 15, "Embedded MATLAB Subset Support" for a list of the Embedded MATLAB library functions for which the Simulink Design Verifier software provides no support or limited support.

## **Limitations of Fixed-Point Support**

The Simulink Design Verifier software supports fixed-point data types in models that it analyzes, with one exception.

Parameter configurations do not support fixed-point data types. For more information about configuring Simulink Design Verifier parameters, see Chapter 5, "Specifying Parameter Configurations".

For detailed information about these limitations, see "Tunable Expression Limitations" in the *Real-Time Workshop*<sup>®</sup> User's Guide.

# Working with Block Replacements

The Simulink Design Verifier software allows you to define rules that replace blocks automatically in your model. For example, you can work around an incompatibility by creating a rule that replaces an unsupported Simulink block in your model with a supported block that is functionally equivalent. Or you can customize blocks for analysis by creating a rule that adds constraints or objectives to particular blocks in your model. The following sections introduce block replacements and illustrate a process for writing block replacement rules.

- "About Block Replacements"
- "Built-In Block Replacements"
- "Template for Block Replacement Rules"
- "Creating Custom Block Replacements"
- "Executing Block Replacements"

## **About Block Replacements**

The Simulink Design Verifier software can perform block replacements automatically in a model. That is, it can replace instances of a particular block in your model with an entirely different block. When performing block replacements, the software copies your model and replaces blocks in the copy, leaving your original model unaltered. In this way, you can easily customize a model for analysis with the Simulink Design Verifier software.

The Simulink Design Verifier software replaces blocks automatically in a model using

- Libraries of replacement blocks
- Rules that define which blocks to replace and under what conditions

Block replacements are extensible, allowing you to define your own libraries of replacement blocks and custom block replacement rules. This capability is beneficial if you need to

- Work around an incompatibility, such as the presence of unsupported blocks in your model.
- Customize a block for analysis, such as adding constraints to its input signals or objectives to its output signals.

## **Built-In Block Replacements**

The Simulink Design Verifier software provides a set of block replacement rules and a corresponding library of replacement blocks. These built-in block replacements are useful when analyzing models with the Simulink Design Verifier software. Moreover, they serve as examples that you can examine to learn how to create your own block replacements.

The following table lists the factory default block replacement rules, available in the *matlabroot*\toolbox\sldv\private directory.

| File Name                                                          | Description                                                                                                                                                                                                                                                                                                                                      |
|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| blkrep_rule_lookup_normal.m<br>blkrep_rule_lookup_configss.m       | A rule that replaces Lookup Table blocks with<br>an implementation that includes test objectives<br>for each breakpoint and interval specified by the<br><b>Vector of input values</b> parameter.                                                                                                                                                |
| blkrep_rule_lookup2D_normal.m<br>blkrep_rule_lookup2D_configss.m   | A rule that adds Test Condition/Proof Assumption<br>blocks to the input ports of Lookup Table (2-D)<br>blocks. Each Test Condition/Proof Assumption<br>block constrains signal values to the interval<br>specified by the corresponding breakpoint vector.                                                                                       |
| blkrep_rule_mpswitch2_normal.m<br>blkrep_rule_mpswitch2_configss.m | A rule that adds a Test Condition/Proof<br>Assumption block to the control input port<br>of Multiport Switch blocks whose <b>Number</b><br><b>of inputs</b> parameter specifies 2. The Test<br>Condition/Proof Assumption block constrains<br>signal values to the interval [1, 2] (or [0, 1] if the<br>block uses zero-based indexing).         |
| blkrep_rule_mpswitch3_normal.m<br>blkrep_rule_mpswitch3_configss.m | A rule that adds a Test Condition/Proof<br>Assumption block to the control input port<br>of Multiport Switch blocks whose <b>Number</b><br><b>of inputs</b> parameter specifies <b>3</b> . The Test<br>Condition/Proof Assumption block constrains<br>signal values to the interval [1, 3] (or [0, 2] if the<br>block uses zero-based indexing). |
| blkrep_rule_mpswitch4_normal.m<br>blkrep_rule_mpswitch4_configss.m                                     | A rule that adds a Test Condition/Proof<br>Assumption block to the control input port<br>of Multiport Switch blocks whose <b>Number</b><br><b>of inputs</b> parameter specifies 4. The Test<br>Condition/Proof Assumption block constrains<br>signal values to the interval [1, 4] (or [0, 3] if the<br>block uses zero-based indexing).                                                                                                 |
| blkrep_rule_mpswitch5_normal.m<br>blkrep_rule_mpswitch5_configss.m                                     | A rule that adds a Test Condition/Proof<br>Assumption block to the control input port<br>of Multiport Switch blocks whose <b>Number</b><br><b>of inputs</b> parameter specifies 5. The Test<br>Condition/Proof Assumption block constrains<br>signal values to the interval [1, 5] (or [0, 4] if the<br>block uses zero-based indexing).                                                                                                 |
| blkrep_rule_switch_normal.m<br>blkrep_rule_switch_configss.m                                           | A rule that replaces Switch blocks with an<br>implementation that includes test objectives,<br>requiring each switch position to be exercised<br>when the values of the first and third input ports<br>differ.                                                                                                                                                                                                                           |
| blkrep_rule_selectorIndexVecPort_normal.m<br>blkrep_rule_selectorIndexVecPort_configss.m | A rule that adds a Test Condition/Proof<br>Assumption block to the index port of Selector<br>blocks whose <b>Index Option</b> parameter specifies<br><b>Index vector (port)</b>. The Test Condition/Proof<br>Assumption block constrains signal values to an<br>interval whose endpoints are derived from the<br>values of the Selector block's <b>Input port size</b> and<br><b>Index mode</b> parameters. |
| blkrep_rule_selectorStartingIdxPort_normal.m<br>blkrep_rule_selectorStartingIdxPort_configss.m | A rule that adds a Test Condition/Proof<br>Assumption block to the index port of Selector<br>blocks whose <b>Index Option</b> parameter<br>specifies <b>Starting index (port)</b> . The Test<br>Condition/Proof Assumption block constrains<br>signal values to an interval whose endpoints are<br>derived from the values of the Selector block's<br><b>Input port size</b> , <b>Output size</b> , and <b>Index mode</b><br>parameters. |

The library of replacement blocks that corresponds to the factory default rules resides at

```
matlabroot/toolbox/sldv/sldv/sldvblockreplacementlib.mdl
```

**Note** The Simulink Design Verifier software provides two implementations of each factory default block replacement rule. Rules whose file names end with \_normal.m replace blocks with Subsystem blocks. Rules whose file names end with \_configss.m replace blocks with Configurable Subsystem blocks. See "Writing Block Replacement Rules" on page 4-10 for more information.

## **Template for Block Replacement Rules**

To help you create block replacement rules, the Simulink Design Verifier software provides an annotated M-file template that contains a skeleton implementation of the requisite callbacks. The template resides at

```
matlabroot/toolbox/sldv/sldv/sldvblockreplacetemplate.m
```

To create a block replacement rule, make a copy of the template and edit the copy as necessary to reflect the desired behavior of the rule you are creating. The comments in the template help to explain how to implement your rule. See "Writing Block Replacement Rules" on page 4-10 for information about using the template to write custom block replacement rules.

## **Creating Custom Block Replacements**

#### In this section ...

"About Custom Block Replacements"

"Constructing Replacement Blocks"

"Writing Block Replacement Rules"

#### **About Custom Block Replacements**

The process of creating custom block replacements in the Simulink Design Verifier software consists of the following tasks:

- "Constructing Replacement Blocks"
- "Writing Block Replacement Rules"

The Simulink Design Verifier software imposes several restrictions on replacement blocks. Replacement blocks must

- Use a masked Subsystem block that contains other Simulink blocks.
- Reside in a block library that is available on your MATLAB search path.
- Contain Inport and Outport blocks that have default names (e.g., In1 and Out1).

**Note** Be sure that you have read "Creating Block Masks" in *Simulink User's Guide* before constructing a replacement block.

#### **Constructing Replacement Blocks**

To create a replacement block:

**1** Create a block library for your replacement block (see "Creating a Library" in *Simulink User's Guide*). For example, from the **File** menu of the Simulink library window, select **New > Library**.

**2** In your library, create a subsystem that represents your replacement block (see "Creating Subsystems" in *Simulink User's Guide*).

This example uses a subsystem named myReplacementBlock, which contains a

- Multiport Switch block whose Number of inputs parameter specifies 2
- Test Condition block whose Values parameter specifies {[1, 2]}



**3** Create a mask for your subsystem (see "Masking a Subsystem" in *Simulink User's Guide*).

In this example, the mask dialog box of the subsystem displays a mask parameter that controls the **Require all data port inputs to have the same data type** parameter of the underlying Multiport Switch block. The masked subsystem includes the following specifications in its Mask Editor:

• The **Parameters** pane defines a mask parameter named InputSameDT, which replicates the behavior of the **Require all data port inputs to have the same data type** parameter of the underlying Multiport Switch block.

[Figure: Mask Editor for myReplacementBlock, Parameters pane. The dialog parameters list contains one entry with the prompt "Require all data port inputs t" (cut off in the window), variable InputSameDT, and type checkbox.]

**Note** When creating mask parameters that control the behavior of parameters associated with their underlying blocks, specify actual parameter names as dialog variables in the Mask Editor. For instance, InputSameDT is the actual parameter name that controls the **Require all data port inputs to have the same data type** parameter of the Multiport Switch block; hence, it specifies the name of the dialog variable in this example.

• The **Initialization** pane defines the following commands in the **Initialization commands** field:

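```
% Read the mask parameter value from the masked subsystem (gcb)
maskInputSameDT = get_param(gcb,'InputSameDT');
% The underlying block's name contains a line break: Multiport<newline>Switch
blkName = sprintf('/Multiport\nSwitch');
targetBlock = [gcb, blkName];
% Propagate the mask setting to the underlying Multiport Switch block
set_param(targetBlock,'InputSameDT',maskInputSameDT);
```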

**4** Save your block library, e.g., as custom\_rule.mdl, in a directory that is available on your MATLAB search path (see "Search Path" in the MATLAB documentation).

After constructing your replacement block, you are ready to write a custom block replacement rule, which the next section describes.

### Writing Block Replacement Rules

The Simulink Design Verifier software imposes the following restrictions on block replacement rules:

- The M-file that represents a block replacement rule must include particular callbacks. The MathWorks recommends that you use the block replacement rule template as a starting point for writing a custom rule (see "Template for Block Replacement Rules" on page 4-6).
- The M-file that represents a block replacement rule must be available on the MATLAB search path.
- You cannot create a rule that replaces Inport, Outport, or Subsystem blocks in your model.

To write a rule for the replacement block you created in the previous section (see "Constructing Replacement Blocks" on page 4-7):

**1** Make a copy of the block replacement rule template

```
matlabroot/toolbox/sldv/sldv/sldvblockreplacetemplate.m
```

saving it with an appropriate file name, e.g., custom\_rule\_switch.m.

**Note** In the remaining steps, you edit the copy of the template that you saved.

**2** Rename the function, as defined on the first line of the M-file. The function name should be the same as its file name, without the .m extension. Optionally, you can edit the comments that follow the function declaration to create your own M-file help for this rule.

In this example, the first few lines of custom\_rule\_switch.m declare the function and its M-file help, which appear as follows:

```
function rule = custom_rule_switch
%CUSTOM_RULE_SWITCH Custom block replacement rule for
%the Simulink Design Verifier software
%
%   This block replacement rule identifies Multiport
%   Switch blocks whose "Number of inputs" parameter
%   specifies '2' and "Use zero-based indexing" parameter
%   specifies 'off'. It replaces such blocks with an
%   implementation that includes a Test Condition block
%   on the control input signal.
```

**3** Identify the type of block that you wish to replace in your model by specifying its BlockType parameter as the rule.blockType object. Consider using the get\_param function to obtain the value of the BlockType parameter for the block you intend to replace. Alternatively, you can determine this value by referring to "Block-Specific Parameters" in the *Simulink Reference*.

This example replaces Multiport Switch blocks, so the rule.blockType object specifies the appropriate BlockType parameter:

```
%% Target Block Type
%
rule.blockType = 'MultiPortSwitch';
```

**4** Identify the replacement block by specifying its full block path name as the rule.replacementPath object. Consider using the gcb function to get the full block path name.

This example replaces Multiport Switch blocks with the replacement block developed in "Constructing Replacement Blocks" on page 4-7, so the rule.replacementPath object specifies the full block path name:

```
%% Replacement Library
%
rule.replacementPath = sprintf('custom_rule/myReplacementBlock');
```

**5** Identify the type of subsystem that the Simulink Design Verifier software uses when replacing blocks by specifying a value for the rule.replacementMode object. Valid values include:

- Normal: When using this rule, the Simulink Design Verifier software replaces blocks with a copy of the subsystem specified by the rule.replacementPath object.
- ConfigurableSubSystem: When using this rule, the Simulink Design Verifier software replaces blocks with a Configurable Subsystem block (see Configurable Subsystem in the *Simulink Reference*). The Configurable Subsystem block allows you to choose whether it represents the subsystem specified by the rule.replacementPath object, or the original block before its replacement.

This example replaces Multiport Switch blocks with an ordinary Subsystem block:

```
%% Replacement Mode
%
rule.replacementMode = 'Normal';
```

**6** Identify parameter values that the replacement blocks inherit from the blocks being replaced. You achieve inheritance by mapping the parameter names in a structure. Each field of the structure represents a parameter that the replacement block inherits. Specify the value of each field using the token *\$original.parameter\$*, where *parameter* is the name of the parameter that belongs to the original block. You can determine block parameter names by referring to "Model and Block Parameters" in the *Simulink Reference*.

The following example defines a structure named parameter that maps the InputSameDT parameter from the original Multiport Switch blocks to their replacement blocks:

```
%% Parameter Handling
%
parameter.InputSameDT = '$original.InputSameDT$';
% Register the parameter mapping for the rule
rule.parameterMap = parameter;
```

**7** Customize the subfunction named replacementTestFunction by specifying conditions under which the Simulink Design Verifier software replaces blocks in your model.

The following example instructs the Simulink Design Verifier software to replace only the Multiport Switch blocks whose NumInputPorts and zeroidx parameters specify 2 and off, respectively:

```
function out = replacementTestFunction(blockH)
% Specify the logic that determines when the Simulink Design
% Verifier software replaces a block in your model. For example,
% restrict replacements to only the blocks whose parameters
% specify particular values.
out = false;
% get_param returns these parameter values as strings. Convert the
% number with str2double and compare the on/off flag with strcmp
% rather than passing model-supplied strings to eval.
numInputPorts = str2double(get_param(blockH,'NumInputPorts'));
zeroIdx = get_param(blockH,'zeroidx');
if numInputPorts == 2 && strcmp(zeroIdx,'off')
    out = true;
end
```

After constructing a replacement block and writing its corresponding block replacement rule, you are ready to execute your custom block replacement (see "Executing Block Replacements" on page 4-15).
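The restrictions listed at the start of this section, and the field values set in steps 3 through 6, can be checked before an analysis run. The following MATLAB function is an added example, not part of the MathWorks template or this guide; `lint_blockrep_rule` and its messages are hypothetical, and it assumes the rule's fields can be read as plain strings and a structure, as the steps above show them.

```matlab
function problems = lint_blockrep_rule(ruleName, rule)
%LINT_BLOCKREP_RULE List violations of the block replacement rule restrictions.
%   Added example (hypothetical helper, not MathWorks code).
%   RULENAME  rule M-file name without the .m extension
%   RULE      value returned by the rule function, or any struct with the
%             fields blockType, replacementPath, replacementMode, and
%             parameterMap
%   PROBLEMS  cell array of message strings; empty when nothing is found
problems = {};

% Restriction: the rule M-file must be on the MATLAB search path. More
% than one hit means a file of the same name elsewhere on the path can
% shadow the rule you reviewed.
hits = which(ruleName, '-all');
if isempty(hits)
    problems{end+1} = sprintf('%s.m is not on the MATLAB search path.', ruleName);
elseif numel(hits) > 1
    problems{end+1} = sprintf('%s resolves to %d files; MATLAB runs %s.', ...
        ruleName, numel(hits), hits{1});
end

% Restriction: Inport, Outport, and Subsystem blocks cannot be replaced.
% 'SubSystem' is the BlockType string of a Subsystem block.
if any(strcmp(rule.blockType, {'Inport', 'Outport', 'SubSystem'}))
    problems{end+1} = sprintf('blockType ''%s'' cannot be replaced.', ...
        rule.blockType);
end

% Step 4: the replacement block is named by its full block path
% (library/block), so the string must contain a path separator.
if ~ischar(rule.replacementPath) || isempty(strfind(rule.replacementPath, '/'))
    problems{end+1} = 'replacementPath is not a full block path name.';
end

% Step 5: only the two documented replacement modes are valid.
if ~any(strcmp(rule.replacementMode, {'Normal', 'ConfigurableSubSystem'}))
    problems{end+1} = 'replacementMode is not Normal or ConfigurableSubSystem.';
end

% Step 6: each mapped field should hold a $original.parameter$ token.
map = rule.parameterMap;
if isstruct(map)
    names = fieldnames(map);
    for i = 1:numel(names)
        token = map.(names{i});
        if ~ischar(token) || ...
                isempty(regexp(token, '^\$original\.\w+\$$', 'once'))
            problems{end+1} = sprintf( ...
                'parameterMap.%s does not use the $original.parameter$ token form.', ...
                names{i});
        end
    end
end
```

Because a rule is an executable M-file resolved through the search path, the `which` check is the one to act on first: review the file that MATLAB will actually run, not a same-named copy elsewhere.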

# **Executing Block Replacements**

#### In this section...

"Configuring Block Replacements" on page 4-15

"Replacing Blocks in a Model" on page 4-16

### **Configuring Block Replacements**

You must configure block replacement options before executing block replacements in your model. To specify block replacement options using the Simulink GUI:

1 From the Tools menu of your Simulink model, select Design Verifier > Options.

The Configuration Parameters dialog box displays the Simulink Design Verifier options.

2 In the Select tree of the Configuration Parameters dialog box, click the Block Replacements category.

The Configuration Parameters dialog box displays the **Block replacements** pane.

**3** Enable block replacements by selecting the **Apply block replacements** option.

Enabling this option provides access to the List of block replacement rules and File path of the output model options.

**4** In the **List of block replacement rules** box, enter file names of the block replacement rules that you wish to execute. The default value, **\<FactoryDefaultRules\>**, executes all the factory default rules (see "Built-In Block Replacements" on page 4-3).

You can specify multiple rules as a list delimited by spaces, commas, or carriage returns. The Simulink Design Verifier software executes the rules in the order that you list them. For example, to execute only a subset of the factory default rules followed by the custom block replacement example from "Creating Custom Block Replacements" on page 4-7, enter the following file names:

```
blkrep_rule_mpswitch4_normal
blkrep_rule_lookup_normal
custom_rule_switch
```

**Note** The Simulink Design Verifier software replaces a block in your model only once. If multiple rules apply to the same block, the software replaces the block using the rule with the highest priority.

- **5** In the **File path of the output model** box, specify a directory to which the Simulink Design Verifier software saves the model that results after applying the block replacement rules.
- **6** Click the **OK** button to apply the changes and close the Configuration Parameters dialog box.

Alternatively, you can use the sldvoptions function at the command line to specify the block replacement options associated with a Simulink Design Verifier options object. See sldvoptions in Chapter 11, "Function Reference" for more information.

#### **Replacing Blocks in a Model**

After enabling the **Apply block replacements** option (see "Configuring Block Replacements" on page 4-15), you can execute block replacements in your model by starting a Simulink Design Verifier analysis. For example, to trigger block replacements from the Configuration Parameters dialog box, on the **Design Verifier** pane, click the **Analyze Model** button.

**Note** The Simulink Design Verifier software can execute block replacements only on models that have no unsaved changes.

When performing block replacements, the Simulink Design Verifier software copies your model and replaces blocks in the copy, leaving your original model unaltered. Upon completing its analysis, the software generates a report that displays information about the block replacements it executed (see "Understanding Simulink<sup>®</sup> Design Verifier Reports" on page 9-17).

Alternatively, you can use the sldvblockreplacement function to execute block replacements from the command line or an M-file program. The syntax of the function is

```
status = sldvblockreplacement('system')
```

where *system* is the name of the model whose blocks you aim to replace. See sldvblockreplacement for more information.

If you execute block replacements programmatically, the Simulink Design Verifier software displays in the MATLAB Command Window a table that lists available block replacement rules:

Configuration of available block replacement rules:

| Type:    | Registration M-File name:                      | Block types:    | Priority: | Active: |
|----------|------------------------------------------------|-----------------|-----------|---------|
| Built-in | blkrep_rule_mpswitch2_normal.m                 | MultiPortSwitch | 5         | 0       |
| Built-in | blkrep_rule_mpswitch2_configss.m               | MultiPortSwitch | 4         | 0       |
| Built-in | blkrep_rule_mpswitch3_normal.m                 | MultiPortSwitch | 3         | 0       |
| Built-in | blkrep_rule_mpswitch3_configss.m               | MultiPortSwitch | 6         | 0       |
| Built-in | blkrep_rule_mpswitch4_normal.m                 | MultiPortSwitch | 1         | 1       |
| Built-in | blkrep_rule_mpswitch4_configss.m               | MultiPortSwitch | 7         | 0       |
| Built-in | blkrep_rule_mpswitch5_normal.m                 | MultiPortSwitch | 2         | 0       |
| Built-in | blkrep_rule_mpswitch5_configss.m               | MultiPortSwitch | 8         | 0       |
| Built-in | blkrep_rule_lookup_normal.m                    | Lookup          | 1         | 1       |
| Built-in | blkrep_rule_lookup_configss.m                  | Lookup          | 2         | 0       |
| Built-in | blkrep_rule_switch_normal.m                    | Switch          | 1         | 0       |
| Built-in | blkrep_rule_switch_configss.m                  | Switch          | 2         | 0       |
| Built-in | blkrep_rule_lookup2D_normal.m                  | Lookup2D        | 1         | 0       |
| Built-in | blkrep_rule_lookup2D_configss.m                | Lookup2D        | 2         | 0       |
| Built-in | blkrep_rule_selectorIndexVecPort_normal.m      | Selector        | 1         | 0       |
| Built-in | blkrep_rule_selectorIndexVecPort_configss.m    | Selector        | 2         | 0       |
| Built-in | blkrep_rule_selectorStartingIdxPort_normal.m   | Selector        | 3         | 0       |
| Built-in | blkrep_rule_selectorStartingIdxPort_configss.m | Selector        | 4         | 0       |
| Custom   | custom_rule_switch.m                           | MultiPortSwitch | 2         | 1       |

The list of available block replacement rules includes all built-in rules and any custom rules that you specified using the **List of block replacement rules** option (see "Configuring Block Replacements" on page 4-15). The columns of the preceding table identify the following information:

- Type: the type of rule, either built-in or custom
- Registration M-File name: the name of the M-file that expresses the rule
- Block types: the BlockType parameter value of the block that the rule replaces
- Priority: the priority of execution when multiple rules target the same type of block for replacement
- Active: a flag that indicates whether the rule is active (1) or ignored (0)

Also, the Simulink Design Verifier software displays information about the block replacements that it performed. For example, the following message indicates that the software used the custom\_rule\_switch.m rule to replace a Multiport Switch block (of the same name) at the top level of the model:

Performed block replacements:

| Replacement rule M-file name: | Replaced block:    |
|-------------------------------|--------------------|
| custom_rule_switch.m          | ./Multiport Switch |

# Specifying Parameter Configurations

The Simulink Design Verifier software allows you to treat block parameters in your model as variables in its analysis. The following sections introduce parameter configurations and illustrate a process for specifying constraints on block parameters.

- "About Parameter Configurations" on page 5-2
- "Template for Parameter Configurations" on page 5-3
- "Defining Parameter Configurations" on page 5-4
- "Parameter Configuration Example" on page 5-7

# **About Parameter Configurations**

The Simulink Design Verifier software can treat block parameters in your model as variables during its analysis. For example, suppose you specify a variable that is defined in the MATLAB workspace as the value of a block parameter in your model. You can instruct the Simulink Design Verifier software to treat that parameter as another input variable in its analysis. This allows you to

- Extend the results of a proof to consider the impact of additional parameter values.
- Generate comprehensive test cases for situations in which parameter values must vary to achieve more complete coverage results (for an example, see "Parameter Configuration Example" on page 5-7).

# **Template for Parameter Configurations**

To help you create a parameter configuration file, the Simulink Design Verifier software provides an annotated M-file template:

```
matlabroot/toolbox/sldv/sldv_params_template.m
```

Alternatively, you can access the template from the **Parameters** pane in the Simulink Design Verifier options (see "Parameters Pane" on page 6-8).

To create a parameter configuration file, make a copy of the template and edit the copy. The comments in the template explain the syntax for defining parameter configurations. For more information about defining parameter configurations, see "Defining Parameter Configurations" on page 5-4.

# **Defining Parameter Configurations**

This section describes how to define parameter configurations and outlines the required syntax for their definition.

**1** Define parameter configurations in an M-file function.

The Simulink Design Verifier software provides an annotated template for an M-file function that you can use as a starting point (see "Template for Parameter Configurations" on page 5-3).

**2** Specify parameter configurations using a structure whose fields share the same names as the parameters that you treat as input variables.

For example, suppose you wish to constrain the **Gain** and **Constant value** parameters, m and b, which appear in the following model:



In your parameter configuration file, use the following names for the fields of the structure:

```
params.m
params.b
```

3 Constrain parameters by assigning values to the fields of the structure.

Specify points using the Sldv.Point constructor, which accepts a single value as its argument. Specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following strings as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()': Defines an open interval.
- '[]': Defines a closed interval.
- '(]': Defines a left-open interval.
- '[)': Defines a right-open interval.

**Note** By default, the Simulink Design Verifier software considers an interval to be closed if you omit its two-character string.

The following example constrains m to 3 and b to any value in the closed interval [0, 10]:

```
params.m = Sldv.Point(3);
params.b = Sldv.Interval(0, 10);
```

If the parameters are scalar, you can omit the constructors and instead specify single values or two-element vectors. For instance, you can alternatively specify the previous example as:

```
params.m = 3;
params.b = [0 10];
```

4 Use cell arrays to specify multiple constraints for a single parameter.

You can specify multiple constraints for a single parameter by using a cell array. In this case, the Simulink Design Verifier software combines the constraints using a logical OR operation during its analysis.

The following example constrains **m** to either 3 or 5, and it constrains **b** to any value in the closed interval [0, 10]:

```
params.m = {3, 5};
params.b = [0 10];
```

**5** Use a 1-by-*n* structure to specify *n* sets of parameters.

You can specify several sets of parameters by expanding the size of your structure.

For instance, the following example uses a 1-by-2 structure to define two sets of parameters:

```
params(1).m = {3, 5};
params(1).b = [0 10];
params(2).m = {12, 15, Sldv.Interval(50, 60, '()')};
params(2).b = 5;
```

The first parameter set constrains m to either 3 or 5, and it constrains b to any value in the closed interval [0, 10]. The second parameter set constrains m to either 12, 15, or any value in the open interval (50, 60), and it constrains b to 5.
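To confirm that a concrete set of parameter values (for example, the values reported for a generated test case) is permitted by a configuration, the constraint semantics above can be evaluated directly. The following MATLAB function is an added example, not MathWorks code; `check_param_values` is a hypothetical name, it handles only the scalar shorthand (single values, two-element vectors, and cell arrays of those), not Sldv.Point or Sldv.Interval objects, and it assumes that the n parameter sets of a 1-by-n structure are alternatives.

```matlab
function ok = check_param_values(params, values)
%CHECK_PARAM_VALUES True if VALUES is allowed by at least one parameter set.
%   Added example (hypothetical helper, not MathWorks code).
%   PARAMS  1-by-n structure in the scalar shorthand: each field is a
%           single value (point), a two-element vector [lo hi] (closed
%           interval), or a cell array of those (logical OR)
%   VALUES  scalar structure with one numeric scalar field per parameter
%
%   Example call, using the two parameter sets defined above:
%     params(1).m = {3, 5};   params(1).b = [0 10];
%     params(2).m = {12, 15}; params(2).b = 5;
%     ok = check_param_values(params, struct('m', 5, 'b', 10));
ok = false;
for k = 1:numel(params)
    % Assumption of this example: the sets are alternatives.
    if set_matches(params(k), values)
        ok = true;
        return
    end
end

function tf = set_matches(paramSet, values)
% Every constrained parameter of this set must be present and allowed.
tf = true;
names = fieldnames(paramSet);
for i = 1:numel(names)
    name = names{i};
    constraint = paramSet.(name);
    if isempty(constraint)
        continue   % field not assigned in this element of the structure
    end
    if ~isfield(values, name) || ~isscalar(values.(name)) || ...
            ~allowed(constraint, values.(name))
        tf = false;
        return
    end
end

function tf = allowed(constraint, v)
% Cell array: OR over the alternatives. Otherwise a point or an interval.
if iscell(constraint)
    tf = false;
    for j = 1:numel(constraint)
        if allowed(constraint{j}, v)
            tf = true;
            return
        end
    end
elseif isnumeric(constraint) && isscalar(constraint)
    tf = (v == constraint);
elseif isnumeric(constraint) && numel(constraint) == 2
    if constraint(1) > constraint(2)
        error('check_param_values:badInterval', ...
            'Lower bound %g exceeds upper bound %g.', ...
            constraint(1), constraint(2));
    end
    % The two-element shorthand denotes a closed interval.
    tf = (v >= constraint(1)) && (v <= constraint(2));
else
    error('check_param_values:badConstraint', ...
        'Unsupported constraint of class %s.', class(constraint));
end
```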

# **Parameter Configuration Example**

#### In this section ...

"About This Example" on page 5-7

"Constructing the Example Model" on page 5-8

"Parameterizing the Constant Block" on page 5-10

"Specifying a Parameter Configuration" on page 5-11

"Analyzing the Example Model" on page 5-13

"Simulating the Test Cases" on page 5-15

## **About This Example**

The next five tasks describe how to create and analyze a simple Simulink model, for which you generate test cases that achieve decision coverage. However, in this example, achieving complete decision coverage is possible only when the Simulink Design Verifier software treats a particular block parameter as a variable during its analysis. Toward that end, this example explains how to specify parameter configurations for use with the Simulink Design Verifier software.

The following workflow guides you through the process of completing this example:

| Task | Description                                                            | See                                              |
|------|------------------------------------------------------------------------|--------------------------------------------------|
| 1    | Construct the example model.                                           | "Constructing the Example Model" on page 5-8     |
| 2    | Specify a variable as the value of a Constant block parameter.         | "Parameterizing the Constant Block" on page 5-10 |
| 3    | Constrain the value of the variable that the Constant block specifies. | "Specifying a Parameter Configuration" on page 5-11 |
| 4    | Generate test cases for your model and interpret the results.          | "Analyzing the Example Model" on page 5-13       |
| 5    | Simulate the test cases and measure the resulting decision coverage.   | "Simulating the Test Cases" on page 5-15         |

## **Constructing the Example Model**

In this task, you construct a simple Simulink model that you use throughout the remaining tasks.

- **1** Create an empty Simulink model (see "Creating an Empty Model" in *Simulink User's Guide* for help with this step).
- **2** Copy the following blocks into your empty model window (see "Adding Blocks to Your Model" in the Simulink documentation for help with this step):
  - Two Inport blocks to initiate the input signals, from the Sources library
  - A Multiport Switch block to provide simple logic, from the Signal Routing library
  - A Constant block to control the switch, from the Sources library
  - An Outport block to receive the output signal, from the Sinks library
- **3** In your model window, double-click the Multiport Switch block to access its dialog box and specify its **Number of inputs** option as 2.
- **4** In your model window, connect the blocks so that your model looks like this (see "Connecting Blocks" in *Simulink User's Guide* for help with this step):



**5** In your model window, select **Simulation > Configuration Parameters**.

The Configuration Parameters dialog box appears.

6 In the Select tree on the left side of the Configuration Parameters dialog box, click the Solver category (if not already selected). Under Solver options on the right side, set the Type option to Fixed-step, and then set the Solver option to Discrete (no continuous states).

The Configuration Parameters dialog box appears as follows:

[Screenshot: Configuration Parameters dialog box, Solver pane. Simulation time: Start time 0.0, Stop time 10.0. Solver options: Type set to Fixed-step, Solver set to Discrete (no continuous states).]

- **7** Click the **OK** button to apply your changes and close the Configuration Parameters dialog box.
- **8** Save your model as param\_example.mdl for use in the next step.

### **Parameterizing the Constant Block**

In this task, you parameterize the Constant block in your model. In particular, you specify a variable as the value of the Constant block's **Constant value** parameter.

1 In your model window, double-click the Constant block.

The Constant block parameter dialog box appears.

**2** In the **Constant value** box, enter A.

The Constant block parameter dialog box should look as follows.

[Screenshot: Source Block Parameters: Constant dialog box, Main pane, with **Constant value** set to A and **Sample time** set to inf.]

- **3** Click **OK** to apply your change and close the Constant block parameter dialog box.
- **4** In the MATLAB Command Window, enter

```
A = 1;
```

This command defines in the MATLAB workspace a variable named A whose value is 1. The Simulink software resolves the **Constant value** parameter to this variable, initializing its value for simulation.

**5** Save your model for use in the next step.

### **Specifying a Parameter Configuration**

In this task, you customize the parameter configuration file template so that it constrains the variable A.

**1** In your Simulink model window, select **Tools > Design Verifier > Options**.

The Simulink Design Verifier software displays its options in the Configuration Parameters dialog box.

2 In the Select tree on the left side of the Configuration Parameters dialog box, click the Design Verifier > Parameters category. In the **Parameters** pane on the right side, ensure that the Apply parameters option is enabled.

Enabling the **Apply parameters** option provides access to the **Parameter configuration file** option.

3 Click Edit next to the Parameter configuration file option.

The Simulink Design Verifier software opens sldv\_params\_template.m in an editor.

**4** Edit the template's text so that it appears as follows:

```
function params = params_example_function
% This function defines a parameter configuration for the
% example model that the documentation discusses.
params.A = [1 2];
```

The preceding code renames the function as params\_example\_function and constrains parameter A to the closed interval [1 2].

- **5** Save your changes to the template as params\_example\_function.m in the same directory as the example model.
- **6** In the Configuration Parameters dialog box, click **Browse** next to the **Parameter configuration file** option, and then select your parameter configuration file, params\_example\_function.m.
- **7** Click **OK** to apply your change and close the Configuration Parameters dialog box.
- **8** Save your model for use in the next step.

## **Analyzing the Example Model**

In this task, you execute the Simulink Design Verifier analysis using the parameter configuration file you just created. The software generates test cases and produces results for you to interpret.

**1** In your Simulink model window, select **Tools > Design Verifier > Generate Tests**.

The Simulink Design Verifier software begins analyzing your model to generate test cases. When the software completes its analysis, it generates the following items:

- Simulink Design Verifier report: The Simulink Design Verifier software displays an HTML report named param\_example\_report.html.
- Test harness: The Simulink Design Verifier software displays a harness model named param\_example\_harness.mdl.

**2** In the Simulink Design Verifier report **Table of Contents**, click **Test Case 1**.

The report displays the Test Case 1 section.

**Test Case 1**

Summary

- Length: 0 Seconds (1 sample periods)
- Objective Count: 1

Objectives

| Step | Time | Model Item       | Objectives                                              |
|------|------|------------------|---------------------------------------------------------|
| 1    | 0    | Multiport Switch | truncated input value = 1 (output is from input port 2) |

Generated Parameter Values

| Parameter | Value |
|-----------|-------|
| A         | 1     |

Generated Input Data

|      |  |
|------|--|
| Time |  |
| Step |  |
| In1  |  |
| In2  |  |

This section provides details about Test Case 1 that the Simulink Design Verifier software generated to satisfy a coverage objective in the model. In this test case, a value of 1 for parameter A satisfies the objective.

**3** Scroll down to the Test Case 2 section in the **Test Cases** chapter.

**Test Case 2**

Summary

- Length: 0 Seconds (1 sample periods)
- Objective Count: 1

Objectives

| Step | Time | Model Item       | Objectives                                              |
|------|------|------------------|---------------------------------------------------------|
| 1    | 0    | Multiport Switch | truncated input value = 2 (output is from input port 3) |

Generated Parameter Values

| Parameter | Value |
|-----------|-------|
| A         | 2     |

Generated Input Data

|      |   |
|------|---|
| Time | 0 |
| Step | 0 |
| In1  | - |

This section provides details about Test Case 2, which satisfies another coverage objective in the model. In this test case, a value of 2 for parameter A satisfies the objective.

## Simulating the Test Cases

In this final task, you simulate the test cases that the Simulink Design Verifier software generated in "Simulating the Test Cases" on page 5-15. In addition, you review the coverage report that results from the simulation.

**1** Open the test harness model named param\_example\_harness.mdl (if it is not already open).



**2** The block labeled Inputs in the test harness model is a Signal Builder block that contains the test case signals. Double-click the Inputs block to view the test case signals.



**3** In the Signal Builder dialog box, click the **Run all** button.

The Simulink software simulates each of the test cases in succession, collects coverage data for each simulation, and displays an HTML report of the combined coverage results at the end of the last simulation.

**4** In the model coverage report, review the Summary section:



This section summarizes the coverage results for the harness model and its Test Unit subsystem. Observe that the subsystem achieves 100% decision coverage.

**5** In the Summary section, click the Test Unit subsystem.

The report displays detailed coverage results for the Test Unit subsystem.

**2. Subsystem "Test Unit (copied from param\_example)"**

Parent: /param\_example\_harness1

| Metric                | Coverage (this object) | Coverage (inc. descendants)  |
|-----------------------|------------------------|------------------------------|
| Cyclomatic Complexity | 0                      | 1                            |
| Decision (D1)         | NA                     | 100% (2/2) decision outcomes |

**MultiPortSwitch block "Multiport Switch"**

Parent: param\_example\_harness1/Test Unit (copied from param\_example)

| Metric                | Coverage                     |
|-----------------------|------------------------------|
| Cyclomatic Complexity | 1                            |
| Decision (D1)         | 100% (2/2) decision outcomes |

| Decisions analyzed                | Coverage |
|-----------------------------------|----------|
| truncated input value             | 100%     |
| = 1 (output is from input port 2) |          |
| = 2 (output is from input port 3) | 2/4      |

This section reveals that the Multiport Switch block achieves complete decision coverage because the test cases exercise each of its switch pathways.

# Configuring Simulink Design Verifier Options

This chapter provides an overview of the Simulink Design Verifier options that you typically specify with the Configuration Parameters dialog box. The following sections step you through the Simulink Design Verifier dialog panes and describe their options.

- "Viewing Simulink<sup>®</sup> Design Verifier Options" on page 6-2
- "Configuring Simulink<sup>®</sup> Design Verifier Options" on page 6-5
- "Saving Simulink<sup>®</sup> Design Verifier Options" on page 6-18

# **Viewing Simulink Design Verifier Options**

The Simulink Design Verifier software provides numerous options that control its behavior when analyzing models. To view its options, from the **Tools** menu of your Simulink model, select **Design Verifier > Options**.



The Simulink Design Verifier software displays its options in the Configuration Parameters dialog box.

*Figure: the Configuration Parameters dialog box for sldvdemo\_flipflop/Configuration (Active), with the Design Verifier pane selected. The pane shows Mode set to Test generation, Maximum analysis time (s) set to 60, the Display unsatisfiable test objectives check box, Output directory set to sldv\_output/\$ModelName\$, the Make output file names unique by adding a suffix check box, and the Check Model Compatibility and Analyze Model buttons.*

Typically, you specify values for these options using the Configuration Parameters dialog box. See "Configuration Parameters Dialog Box" in *Simulink Graphical User Interface* for more information about working with this interface.

**Note** By default, Simulink Design Verifier options do not appear in a model's Configuration Parameters dialog box. If you select **Design Verifier > Options** from a model's **Tools** menu, the Simulink Design Verifier software associates its options with that model. Afterward, you can access those options directly from the Configuration Parameters dialog box or Model Explorer (see "The Model Explorer" in *Simulink User's Guide*).

Alternatively, you can use the sldvoptions function to view Simulink Design Verifier options at the command line. Use the following syntax to programmatically access and view the options associated with the Simulink model *system*:

```
opts = sldvoptions('system');
get(opts)
```

See sldvoptions in Chapter 11, "Function Reference" for more information.

# **Configuring Simulink Design Verifier Options**

- "Design Verifier Pane" on page 6-5
- "Block Replacements Pane" on page 6-7
- "Parameters Pane" on page 6-8
- "Test Generation Pane" on page 6-9
- "Property Proving Pane" on page 6-11
- "Results Pane" on page 6-13
- "Report Pane" on page 6-16

## **Design Verifier Pane**

The **Design Verifier** pane allows you to specify analysis options and configure Simulink Design Verifier output.

| Design Verifier pane                             | Value shown                              |
|--------------------------------------------------|------------------------------------------|
| **Analysis options**                             |                                          |
| Mode                                             | Test generation                          |
| Maximum analysis time                            | 600                                      |
| Display unsatisfiable test objectives            | (check box)                              |
| **Output**                                       |                                          |
| Output directory                                 | sldv\_output/\$ModelName\$               |
| Make output file names unique by adding a suffix | (check box)                              |
| Buttons                                          | Check Model Compatibility, Analyze Model |

The **Design Verifier** pane contains the following groups of options:

- "Analysis options" on page 6-6
- "Output" on page 6-6

#### **Analysis options**

This group contains controls that enable you to specify how the Simulink Design Verifier software analyzes Simulink models. It contains the following controls.

**Mode.** Specifies the mode in which the Simulink Design Verifier software operates, either Test generation (the default) or Property proving.

**Maximum analysis time.** Specifies the maximum time (in seconds) that the Simulink Design Verifier software spends analyzing the model. The default value is 600 seconds.

**Display unsatisfiable test objectives.** If selected, this option causes the Simulink Design Verifier software to display a warning message in the Simulation Diagnostics Viewer when it cannot satisfy a test objective.

**Tip** If you select **Display unsatisfiable test objectives**, first set the **Test suite optimization** option to the Combined objectives strategy and analyze the model. If that analysis returns objectives without outcomes, select the Individual objectives strategy and reanalyze the model. The Individual objectives strategy analyzes each objective independently and is better at identifying unsatisfiable objectives.

#### Output

This group contains controls that enable you to configure Simulink Design Verifier output. It contains the following controls.

**Output directory.** Specifies a directory to which the Simulink Design Verifier software writes its output. Enter a path that is either absolute or relative to the current directory.

The default value is sldv\_output/\$ModelName\$, where \$ModelName\$ is a token that represents the model name.

**Make output file names unique by adding a suffix.** If selected, this option causes the Simulink Design Verifier software to append an incremental numeric suffix to output file names. Selecting this option prevents the software from overwriting existing files that have the same name.

# **Block Replacements Pane**

The **Block Replacements** pane allows you to specify options that control how the Simulink Design Verifier software preprocesses the models it analyzes.

| Block Replacements pane                                | Value shown |
|--------------------------------------------------------|-------------|
| **Block replacements**                                 |             |
| Apply block replacements                               | (check box) |
| List of block replacement rules (in order of priority) | (empty)     |
| **Output model**                                       |             |
| File path of the output model                          | (empty)     |

### **Block replacements**

This group contains controls that enable you to specify block replacement options. It contains the following controls.

**Apply block replacements.** If selected, this option causes the Simulink Design Verifier software to replace blocks in the model before its analysis (see Chapter 4, "Working with Block Replacements"). By default, this option is disabled. Enabling this option provides access to the **List of block replacement rules** and **File path of the output model** options.

**List of block replacement rules.** Specifies a list of block replacement rules that the Simulink Design Verifier software processes before analyzing the model. This option is accessible only if **Apply block replacements** is selected. The software processes the block replacement rules in the order that you list them.

Specify block replacement rules as a list delimited by spaces, commas, or carriage returns (see "Configuring Block Replacements" on page 4-15).

The default value is <FactoryDefaultRules>. If you specify the default value, the Simulink Design Verifier software uses its factory default block replacement rules (see "Built-In Block Replacements" on page 4-3).

**File path of the output model.** Specifies a directory for the model that results after applying the block replacement rules. Enter a path name that is either absolute or relative to the path name specified as the **Output directory**. This option is accessible only if **Apply block replacements** is selected.

The default value is \$ModelName\$\_replacement, where \$ModelName\$ is a token that represents the model name.

# **Parameters Pane**

The **Parameters** pane allows you to specify options that control how the Simulink Design Verifier software uses parameter configurations when analyzing models.

| Parameters pane              | Value shown                                                |
|------------------------------|------------------------------------------------------------|
| Apply parameters             | (check box)                                                |
| Parameter configuration file | sldv\_params\_template.m (**Browse** and **Edit** buttons) |

### **Parameters**

This group contains controls that enable you to specify parameter configurations. It contains the following controls.

**Apply parameters.** If selected (the default), this option causes the Simulink Design Verifier software to use parameter configurations when analyzing a model (see Chapter 5, "Specifying Parameter Configurations"). Enabling this option provides access to the **Parameter configuration file** option.

**Parameter configuration file.** Specifies an M-file function that defines parameter configurations for a model. Click the **Browse** button to select an existing M-file function using a file chooser dialog box. Click the **Edit** button to open the specified M-file function in an editor.

The default value is sldv\_params\_template.m, a template that you can edit and save. The comments in the template explain the syntax you use to specify parameter configurations.

**Tip** See the Parameter Identification Example demo for an illustration of how to use parameter configurations when generating test cases for a Simulink model.

# **Test Generation Pane**

The **Test Generation** pane allows you to specify options that control how the Simulink Design Verifier software generates tests for the models it analyzes.

| Test generation           | Value shown         |
|---------------------------|---------------------|
| Model coverage objectives | MCDC                |
| Test conditions           | Enable all          |
| Test objectives           | Enable all          |
| Maximum test case steps   | 500                 |
| Test suite optimization   | Combined objectives |

### **Test generation**

This group contains controls that enable you to specify test generation options. It contains the following controls.

**Model coverage objectives.** Specifies the type of model coverage that the Simulink Design Verifier software attempts to achieve. Select either Decision, Condition Decision, MCDC, or None.

**Test conditions.** This option allows you to enable or disable Test Condition blocks in the current model either globally or locally. Select one of the following options:

- Use local settings: Enables or disables Test Condition blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.
- Enable all: Enables all Test Condition blocks in the model regardless of the settings of their **Enable** parameters.
- Disable all: Disables all Test Condition blocks in the model regardless of the settings of their **Enable** parameters.

**Test objectives.** This option allows you to enable or disable Test Objective blocks in the current model either globally or locally. Select one of the following options:

- Use local settings: Enables or disables Test Objective blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.
- Enable all: Enables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.
- Disable all: Disables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.

**Maximum test case steps.** Specifies the maximum number of simulation steps the Simulink Design Verifier software takes when attempting to satisfy a test objective.

**Test suite optimization.** This option allows you to specify the optimization strategy that the Simulink Design Verifier software uses when generating test cases. Select one of the following options:

• Combined objectives — Minimizes the number of test cases in a suite by generating test cases that address more than one test objective. Each test case tends to be long, i.e., it includes many time steps.

This option does not necessarily find unsatisfiable objectives, and often leaves them undecided. To identify unsatisfiable objectives, first, run the Combined objectives strategy to generate test cases. If the analysis returns objectives without outcomes, set the optimization strategy to Individual objectives and rerun the analysis to identify any unsatisfiable objectives.

• Individual objectives — Maximizes the number of test cases in a suite by generating test cases that each address only one test objective. Each test case tends to be short, i.e., it includes only a few time steps.

Since each test case is analyzed independently, use this strategy to find unsatisfiable objectives.

• Large model — Minimizes the number of test cases in a suite by generating cases that address more than one test objective. This strategy is tailored for large models that contain nonlinearities and numerous test objectives; consequently, it tends to use all the time that the **Maximum analysis time** option allots.

# **Property Proving Pane**

The **Property Proving** pane allows you to specify options that control how the Simulink Design Verifier software proves properties for the models it analyzes.

| Property proving        | Value shown    |
|-------------------------|----------------|
| Assertion blocks        | Enable all     |
| Proof assumptions       | Enable all     |
| Strategy                | Find violation |
| Maximum violation steps | 20             |

### **Property proving**

This group contains controls that enable you to specify property-proving options. It contains the following controls.

**Assertion blocks.** This option allows you to enable or disable Assertion blocks in the current model either globally or locally. Select one of the following options:

- Use local settings: Enables or disables Assertion blocks based on the value of the **Enable assertion** parameter of each block. If a block's **Enable assertion** parameter is selected, the block is enabled; otherwise, the block is disabled.
- Enable all: Enables all Assertion blocks in the model regardless of the settings of their **Enable assertion** parameters.
- Disable all: Disables all Assertion blocks in the model regardless of the settings of their **Enable assertion** parameters.

**Proof assumptions.** This option allows you to enable or disable Proof Assumption blocks in the current model either globally or locally. Select one of the following options:

- Use local settings: Enables or disables Proof Assumption blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.
- Enable all: Enables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.
- Disable all: Disables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.

**Strategy.** Specifies the strategy the Simulink Design Verifier software uses when proving properties. Select one of the following options:

- Find violation: If this strategy is selected, the Simulink Design Verifier software searches for property violations within the number of simulation steps specified by the **Maximum violation steps** option. Enabling this option provides access to the **Maximum violation steps** option.
- Prove: If this strategy is selected, the Simulink Design Verifier software performs property proofs.
- Prove with violation detection: This strategy combines the Find violation and Prove strategies. If selected, the Simulink Design Verifier software searches for property violations within the number of simulation steps specified by the **Maximum violation steps** option; then it attempts to prove properties for which it failed to detect a violation. Enabling this option provides access to the **Maximum violation steps** option.

See "Techniques for Proving Properties of Large Models" on page 10-19.

**Maximum violation steps.** Specifies the maximum number of simulation steps over which the Simulink Design Verifier software searches for property violations. The software does not search beyond the maximum number of simulation steps that you specify; it does not identify violations that occur later in a simulation. This option is accessible only if **Strategy** specifies either Find violation or Prove with violation detection.
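The consequence of the **Maximum violation steps** bound for the three strategies, as an added illustration that is not part of this guide and does not show how the Simulink Design Verifier software is implemented. It assumes a constructed toy counter model, hypothetical helper names (`step`, `find_violation`, `prove`, `analyze`), constructed status strings, and an explicit-state search standing in for the tool's analysis.

```python
from collections import deque

# Constructed toy model (an assumption, not from the guide): a counter with two
# Boolean inputs. `reset` clears it; `enable` increments it, saturating at 31.
INPUTS = [(enable, reset) for enable in (False, True) for reset in (False, True)]


def step(count, inputs):
    """Advance the toy model by one simulation step."""
    enable, reset = inputs
    if reset:
        return 0
    return min(count + 1, 31) if enable else count


def below_limit(count):
    """Property that is violated, but only after 25 steps."""
    return count < 25


def in_range(count):
    """Property that holds in every reachable state."""
    return 0 <= count <= 31


def find_violation(prop, max_steps, init=0):
    """Bounded search: shortest input sequence of at most max_steps steps that
    reaches a state violating prop, or None if there is none within the bound."""
    if not prop(init):
        return []
    frontier = deque([(init, [])])
    seen = {init}
    while frontier:
        state, trace = frontier.popleft()
        if len(trace) == max_steps:
            continue  # the bound is reached; later violations are not examined
        for inputs in INPUTS:
            nxt = step(state, inputs)
            if nxt in seen:
                continue
            seen.add(nxt)
            if not prop(nxt):
                return trace + [inputs]
            frontier.append((nxt, trace + [inputs]))
    return None


def prove(prop, init=0):
    """Unbounded check: visit every reachable state (the toy model is finite)."""
    seen, stack = {init}, [init]
    while stack:
        state = stack.pop()
        if not prop(state):
            return False
        for inputs in INPUTS:
            nxt = step(state, inputs)
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return True


def analyze(prop, strategy, max_steps=20):
    """Return (status, counterexample) for one of the three strategy names."""
    if strategy in ("Find violation", "Prove with violation detection"):
        trace = find_violation(prop, max_steps)
        if trace is not None:
            return ("falsified", trace)
        if strategy == "Find violation":
            # Not a proof: the property is only unrefuted within the bound.
            return ("no violation within %d steps" % max_steps, None)
    return ("valid", None) if prove(prop) else ("falsified", None)


if __name__ == "__main__":
    for strategy in ("Find violation", "Prove", "Prove with violation detection"):
        print(strategy, "->", analyze(below_limit, strategy, max_steps=20)[0])
    print("Find violation, 25 steps ->", analyze(below_limit, "Find violation", 25)[0])
    print("Prove, in_range ->", analyze(in_range, "Prove")[0])
```

With a bound of 20 steps, the bounded search reports nothing for a violation that first occurs at step 25, so an empty Find violation result is not evidence that the property holds.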

# **Results Pane**

The **Results** pane allows you to specify options that control how the Simulink Design Verifier software handles the results that it generates.

| Results pane                                                               | Value shown             |
|----------------------------------------------------------------------------|-------------------------|
| **Data file options**                                                      |                         |
| Save test data to file                                                     | (check box)             |
| Data file name                                                             | \$ModelName\$\_sldvdata |
| Include expected output values                                             | (check box)             |
| Randomize data that do not affect the outcome                              | (check box)             |
| **Harness model options**                                                  |                         |
| Save test harness as model                                                 | (check box)             |
| Harness model file name                                                    | \$ModelName\$\_harness  |
| Reference input model in generated harness                                 | (check box)             |
| **SystemTest options**                                                     |                         |
| Save test harness as SystemTest TEST-file (will reference saved data file) | (check box)             |
| SystemTest file name                                                       | (empty)                 |

The **Results** pane contains the following groups of options:

- "Data file options" on page 6-14
- "Harness model options" on page 6-15
- "SystemTest options" on page 6-16

### **Data file options**

This group contains controls that enable you to specify how the Simulink Design Verifier software handles the MAT-file it produces. It contains the following controls.

**Save test data to file.** If selected, this option causes the Simulink Design Verifier software to save the test data it generates to a MAT-file. Enabling this option provides access to the **Data file name** option.

**Data file name.** Specifies a file name for the MAT-file containing the generated test data. Enter a path name that is either absolute or relative to the directory specified by **Output directory**. This option is accessible only if **Save test data to file** is selected.

The default value is \$ModelName\$\_sldvdata, where \$ModelName\$ is a token that represents the model name.

**Include expected output values.** If selected, this option causes the Simulink Design Verifier software to simulate the model using the test case signals that it produces. For each test case, the software collects the simulation output values associated with Outport blocks in the top-level system and includes those values in the MAT-file that it generates (see "TestCases Field / CounterExamples Field" on page 9-5).

**Randomize data that does not affect outcome.** If selected, this option causes the Simulink Design Verifier software to assign random values instead of zeros to test case or counterexample signals that have no impact on test or proof objectives in a model. In the Simulink Design Verifier report, the Generated Input Data table always displays a dash (–) for such signals (see "Test Cases / Properties Chapter" on page 9-27).

### Harness model options

This group contains controls that enable you to specify how the Simulink Design Verifier software handles the test harness it produces. It contains the following controls.

**Save test harness as model.** If selected, this option causes the Simulink Design Verifier software to save the test harness it generates as a model file. Enabling this option provides access to the **Harness model file name** option.

**Harness model file name.** Specifies a file name for the test harness model. Enter a path name that is either absolute or relative to the path name specified by **Output directory**. This option is accessible only if **Save test harness as model** is selected.

The default value is **\$ModelName\$\_harness**, where **\$ModelName\$** is a token that represents the model name.

**Reference input model in generated harness.** If selected, this option causes the Simulink Design Verifier software to use model reference to run the input model in the generated test harness instead of inserting a copy of the input model.

### SystemTest options

**Save test harness as SystemTest TEST-file (will reference saved data file).** If selected, this option causes the Simulink Design Verifier software to produce the .test configuration file for running generated test cases inside the SystemTest<sup>™</sup> environment. Enter a path name that is either absolute or relative to the path name specified by **Output directory**. Enabling this option provides access to the **SystemTest file name** option.

**SystemTest file name.** Specifies a file name for the SystemTest TEST-file. Enter a path name that is either absolute or relative to the path name specified by **Output directory**. This option is accessible only if the **Save test harness as SystemTest TEST-file (will reference saved data file)** is selected.

The default value is **\$ModelName\$\_harness**, where **\$ModelName\$** is a token that represents the model name.

# **Report Pane**

The **Report** pane allows you to specify options that control how the Simulink Design Verifier software reports its results.



### Report

This group contains controls that enable you to specify report options. It contains the following controls.

**Generate report of the results.** If selected, this option causes the Simulink Design Verifier software to save the HTML report it generates. If you select this option, you must also enable the **Save test harness as model** option (see "Harness model options" on page 6-15).

Enabling this option provides access to the **Report file name**, **Include screen shots and plots**, and **Display report** options.

**Report file name.** Specifies a file name for the HTML report. Enter a path name that is either absolute or relative to the directory specified by **Output directory**. This option is accessible only if **Generate report of the results** is selected.

The default value is **\$ModelName\$\_report**, where **\$ModelName\$** is a token that represents the model name.

**Include screen shots and plots.** If selected, this option causes the Simulink Design Verifier software to capture and include images in the HTML report it generates after completing its analysis. This option is disabled by default. It is accessible only if **Generate report of the results** is selected.

**Display report.** If selected, this option causes the Simulink Design Verifier software to display the HTML report it generates after completing its analysis. This option is enabled by default. It is accessible only if **Generate report of the results** is selected.

# **Saving Simulink Design Verifier Options**

The Simulink Design Verifier software stores its options as a configuration set component attached to your model file (see "Configuration Sets" in *Simulink User's Guide*). To save the values of Simulink Design Verifier options that you specified for your model, simply save your model (see "Saving a Model" in *Simulink User's Guide*).

# Generating Test Cases

This chapter describes how to use the Simulink Design Verifier software to generate test cases for a model. The following sections introduce the notion of test case generation and present an example in which you generate test cases for a simple Simulink model:

- "About Test Case Generation" on page 7-2
- "Basic Workflow for Generating Test Cases" on page 7-3
- "Generating Test Cases for a Model" on page 7-4
- "Generating Test Cases for a Subsystem" on page 7-28

# **About Test Case Generation**

The Simulink Design Verifier software can generate test cases that satisfy your model's coverage objectives, including:

- Decision coverage
- Condition coverage
- Modified condition/decision coverage (MC/DC)

Test cases assist you in confirming that a model behaves correctly by demonstrating how its blocks execute in different modes. When generating test cases, the software performs a formal analysis of your model. After completing its analysis, the software produces a report that details its results and a test harness model that contains test cases. Simply review the report and simulate the test harness model to confirm that the test cases achieve your model's coverage objectives.

The software provides two blocks that allow you to customize test cases for your Simulink models:

- The Test Objective block defines the values of a signal that a test case must satisfy.
- The Test Condition block constrains the values of a signal during an analysis.

The Simulink Design Verifier software also provides two functions that extend the Stateflow action language, allowing you to customize test cases for your Stateflow charts. These functions behave identically to the Test Objective and Test Condition blocks. Use the following syntax to invoke these functions in a Stateflow chart:

```
dv.test(expr, "{values}")
dv.condition(expr, "{values}")
```

where expr represents the objective or condition, e.g., x > 0, and the optional argument values specifies the intervals that comprise the test objective or condition. For more information about the values argument, see "Specifying Test Objectives" on page 12-19 and "Specifying Test Conditions" on page 12-13.

# **Basic Workflow for Generating Test Cases**

Here is the recommended workflow for generating test cases for your model:

- **1** Ensure that your model is compatible for use with the Simulink Design Verifier software (for an example, see "Checking Compatibility of the Example Model" on page 7-6).
- **2** Optionally, instrument your model with blocks that specify test objectives and test conditions (for an example, see "Customizing Test Generation" on page 7-20).
- **3** Specify Simulink Design Verifier options that control how it generates test cases for your model (for an example, see "Configuring Test Generation Options" on page 7-10).
- **4** Execute the Simulink Design Verifier analysis and review its results (for examples, see "Analyzing the Example Model" on page 7-12 and "Reanalyzing the Example Model" on page 7-22).

# **Generating Test Cases for a Model**

### In this section ...

- "About This Example" on page 7-4
- "Constructing the Example Model" on page 7-5
- "Checking Compatibility of the Example Model" on page 7-6
- "Configuring Test Generation Options" on page 7-10
- "Analyzing the Example Model" on page 7-12
- "Customizing Test Generation" on page 7-20
- "Reanalyzing the Example Model" on page 7-22

# **About This Example**

The sections that follow describe a simple Simulink model, for which you generate test cases that achieve decision coverage. This example will help you understand the test-generation capabilities of the Simulink Design Verifier software.

The following workflow guides you through the process of completing this example.

| Task | Description | See |
|------|-------------|-----|
| 1 | Construct the example model. | "Constructing the Example Model" on page 7-5 |
| 2 | Ensure your model's compatibility with the Simulink Design Verifier software. | "Checking Compatibility of the Example Model" on page 7-6 |
| 3 | Configure the Simulink Design Verifier software to generate tests. | "Configuring Test Generation Options" on page 7-10 |
| 4 | Generate test cases for your model and interpret the results. | "Analyzing the Example Model" on page 7-12 |
| 5 | Add a Test Condition block to customize test generation. | "Customizing Test Generation" on page 7-20 |
| 6 | Generate test cases for your modified model and interpret the results. | "Reanalyzing the Example Model" on page 7-22 |

# **Constructing the Example Model**

In this task, you construct a simple Simulink model that you use throughout the remaining tasks:

- **1** Create a new Simulink model.
- **2** Copy the following blocks into your empty model window:
  - An Inport block, from the Sources library, to initiate the input signal whose value the Simulink Design Verifier software controls
  - A Switch block to provide simple logic, from the Signal Routing library
  - Two Constant blocks to serve as Switch block data inputs, from the Sources library
  - An Outport block to receive the output signal, from the Sinks library
- **3** Double-click one of the Constant blocks in your model and specify its **Constant value** parameter as **2**.
- **4** Connect the blocks so that your model appears similar to the following diagram.




- **5** Save your model as example.mdl for use in the remaining tasks.

# **Checking Compatibility of the Example Model**

In this task, you ensure that your model is compatible for use with the Simulink Design Verifier software. Specifically, you check the compatibility of the example model:

- **1** In your Simulink model window, select **Tools > Design Verifier > Check Model Compatibility**.

The Simulink Design Verifier software displays the following log window, which indicates that your model is incompatible.



It also displays the following incompatibility error in the Simulation Diagnostics Viewer.

[Figure: Simulation Diagnostics Viewer window titled "Simulink Design Verifier Errors: example". It lists one Design Verifier message with source example, reported by simulink, whose text reads: "Simulink Design Verifier cannot be used ... a variable-step solver. You must configure the solver options for a fixed-step solver".]

The error message informs you that the Simulink Design Verifier software does not support variable-step solvers. To work around this incompatibility, you must use a fixed-step solver.

- **2** In your Simulink model window, select **Simulation > Configuration Parameters** to display the Configuration Parameters dialog box.
- **3** In the **Select** tree on the left side of the Configuration Parameters dialog box, click the **Solver** category (if not already selected). Under **Solver options** on the right side, set the **Type** option to Fixed-step and set the **Solver** option to Discrete (no continuous states).

The Configuration Parameters dialog box should look like this.

[Figure: Configuration Parameters dialog box, Solver pane. Simulation time: Start time 0.0, Stop time 10.0. Solver options: Type: Fixed-step; Solver: Discrete (no continuous states); Fixed-step size (fundamental sample time): auto. Tasking and sample time options: Periodic sample time constraint: Unconstrained; Tasking mode for periodic sample times: Auto.]

- **4** Click **OK** to apply your changes and close the Configuration Parameters dialog box.
- **5** Recheck the compatibility of your model. In your Simulink model window, select **Tools > Design Verifier > Check Model Compatibility**.

The Simulink Design Verifier software displays the following log window, which confirms that your model is compatible for analysis.


```
Simulink Design Verifier log: example

17-Apr-2007 18:15:41
Checking compatibility of model "example"
Compiling model...done
Checking compatibility...done
Model "example" is compatible with Simulink Design Verifier.
```

- **6** Save your model for use in the next task.

# **Configuring Test Generation Options**

In this task, you configure the Simulink Design Verifier software to generate test cases that achieve complete decision coverage for your simple model:

- **1** In your Simulink model window, select **Tools > Design Verifier > Options**.

The Simulink Design Verifier options appear in the Configuration Parameters dialog box.

- **2** In the **Select** tree on the left side of the Configuration Parameters dialog box, click the **Design Verifier** category (if not already selected). Under **Analysis options** on the right side, ensure that the **Mode** option specifies Test generation.

- **3** In the **Select** tree on the left side of the Configuration Parameters dialog box, click the **Test Generation** category.
- **4** On the **Test Generation** pane, set the value of the **Model coverage objectives** parameter to **Decision**.

The Configuration Parameters dialog box appears as follows.

[Figure: Configuration Parameters dialog box for example, Test Generation pane, showing the Model coverage objectives setting and: Test conditions: Use local settings; Test objectives: Use local settings; Maximum test case steps: 500; Test suite optimization: Combined objectives.]

- **5** Click **OK** to apply your change and close the Configuration Parameters dialog box.
- **6** Save your model for use in the next task.



**Note** On the **Test Generation** pane, you can optionally specify values for other parameters that control how the Simulink Design Verifier software generates test cases for your model. See "Test Generation Pane" on page 6-9 for more information.

# **Analyzing the Example Model**

In this task, you execute the Simulink Design Verifier analysis you configured in the previous task. The software generates test cases for your example model and produces results for you to interpret:

- **1** In your model window, select **Tools > Design Verifier > Generate Tests**.

The Simulink Design Verifier software begins analyzing your model to generate test cases. During its analysis, the software displays a log window.

```
Simulink Design Verifier log: DefaultBlockDiagram

Progress
Objectives processed 0/0
Satisfied 0
Falsified 0
Elapsed time 0.0

30-Jan-2007 18:10:00
Starting property proving for model "example"
Compiling model
```

The log window updates you on the progress of the analysis, providing information such as the number of test objectives processed and how many of those objectives were satisfied. The log window includes a **Stop** button that you can click to terminate the proof at any time.

When the software completes its analysis, it displays the following items:

- An HTML report named example\_report.html
- A test harness model named example\_harness.mdl
- A Signal Builder window containing the test-case signals

The remaining steps in this section help you interpret the results that you obtained.

- **2** Review the Simulink Design Verifier report, starting with the **Table of Contents**, whose items you can click to navigate the report.



**3** In the **Table of Contents**, click Summary to display the report's Summary chapter.

**Chapter 1. Summary**

### **Analysis Information**

| Model:  | example            |
|---------|--------------------|
| Mode:   | TestGeneration     |
| Status: | Completed normally |

### **Objectives Status**

The Summary chapter lists information about the model and the status of the objectives—satisfied or not.

**4** In the **Table of Contents**, click Analysis Information to display the report's Analysis Information chapter.

**Chapter 2. Analysis Information**

Table of Contents: Model Information, Analysis Options, Approximations

### **Model Information**

| File:       | C:\test\_sldv\example.mdl |
|-------------|---------------------------|
| Version:    | 1.4                       |
| Time Stamp: | Thu Jun 19 10:02:51 2008  |
| Author:     | slemaire                  |

### **Analysis Options**

| Mode:                      | TestGeneration     |
|----------------------------|--------------------|
| Test Suite Optimization:   | CombinedObjectives |
| Maximum Testcase Steps:    | 500 time steps     |
| Test Conditions:           | UseLocalSettings   |
| Test Objectives:           | UseLocalSettings   |
| Model Coverage Objectives: | Decision           |
| Maximum Processing Time:   | 600s               |
| Block Replacement:         | off                |
| Parameters Analysis:       | off                |
| Save Data:                 | on                 |
| Save Harness:              | on                 |
| Save Report:               | on                 |
|                            |                    |

### **Approximations**

Simulink Design Verifier performed the following approximations during analysis. These can impact the precision of the results generated by Simulink Design Verifier. Please see the product documentation for further details.

|   | Type | Description |
|---|------|-------------|
| 1 |      | The model includes floating-point arithmetic. Simulink Design Verifier approximates floating-point arithmetic with rational number arithmetic. |

The Analysis Information chapter provides information about:


- The model you analyzed
- The options you specified for the analysis
- Approximations the software performed during the analysis

- **5** In the **Table of Contents**, click **Test Objectives Status** to display the report's Test Objectives Status chapter.

**Chapter 3. Test Objectives Status**

### **Objectives Satisfied**

Simulink Design Verifier found test cases that exercise these test objectives.

| #: | Type     | Model Item | Description                                                | Test Case |
|----|----------|------------|------------------------------------------------------------|-----------|
| 1  | Decision | Switch     | trigger >= threshold false (output is from 3rd input port) | 2         |
| 2  | Decision | Switch     | trigger >= threshold true (output is from 1st input port)  | 1         |

This table indicates that the software satisfied both test objectives associated with the Switch block in your model, for which it generated two test cases.

**6** Under the **Test Case** column of the table, click **2** to display the report's Test Case 2 section.

**Test Case 2**

### **Summary**

0 Seconds (1 sample periods)

Objective Count: 1

### **Objectives**

| Step | Time | Model Item | Objectives                                                 |
|------|------|------------|------------------------------------------------------------|
| 1    | 0    | Switch     | trigger >= threshold false (output is from 3rd input port) |

### **Generated Input Data**

Rows: Time, Step, In1

This section provides details about a test case that the Simulink Design Verifier software generated to achieve an objective in your model. This test case achieves test objective 1, which involves the Switch block passing its third input. Specifically, the software determined that a value of -1 for the Switch block control signal enables the block to pass its third input.

- **7** Review the harness model named example\_harness.mdl.



The harness model contains the following items:

- Signal Builder block named Inputs: groups of signals that achieve test objectives in your model
- Subsystem block named Test Unit: a copy of your model
- DocBlock named Test Case Explanation: a text description of the test cases that the Simulink Design Verifier software generates

**Note** See the *Simulink Reference* for more information about interacting with blocks such as the Signal Builder, Subsystem, and DocBlock.

**8** To simulate the test harness and confirm that the test cases achieve complete decision coverage, double-click the Inputs block to display the Signal Builder dialog box.



- **9** In the Signal Builder dialog box, click the **Run all** button.



The Simulink Design Verifier software simulates the test harness using all the test cases, collects model coverage information, and displays a coverage report that includes the following Summary.

**Summary**

| Model Hierarchy/Complexity         |   | Test 1: D1 |
|------------------------------------|---|------------|
| 1. example\_harness                | 2 | 100%       |
| 2. Test Unit (copied from example) | 1 | 100%       |

The coverage report indicates that the software generated test cases that achieve complete decision coverage for your example model (see "Understanding Model Coverage Reports" in the *Simulink Verification and Validation User's Guide*).
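The menu-driven tasks above (construct the model, check compatibility, configure decision coverage, generate tests) can also be driven from the MATLAB command line. The following script is an added example, not part of the original guide; it assumes that the command-line functions `sldvcompat`, `sldvoptions`, and `sldvrun` and the option names shown are available in your release, and the block names are arbitrary choices.

```matlab
% Added example: tasks 1-4 of this section scripted.
% Assumptions: sldvcompat, sldvoptions and sldvrun are available in your
% release; block names (In1, Constant, Constant1, Out1) are arbitrary.
% Run in a working directory that does not already contain a model
% named "example".
mdl = 'example';

% Task 1: the Inport drives the Switch control port; two Constant blocks
% feed the Switch data ports, one of them set to 2.
new_system(mdl);
open_system(mdl);
add_block('built-in/Inport',   [mdl '/In1']);
add_block('built-in/Switch',   [mdl '/Switch']);
add_block('built-in/Constant', [mdl '/Constant'], 'Value', '2');
add_block('built-in/Constant', [mdl '/Constant1']);
add_block('built-in/Outport',  [mdl '/Out1']);
add_line(mdl, 'Constant/1',  'Switch/1');   % first data input
add_line(mdl, 'In1/1',       'Switch/2');   % control input
add_line(mdl, 'Constant1/1', 'Switch/3');   % third data input
add_line(mdl, 'Switch/1',    'Out1/1');
save_system(mdl);

% Task 2: a new model uses a variable-step solver, which the compatibility
% check rejects. Switch to the fixed-step discrete solver and recheck.
if ~sldvcompat(mdl)
    set_param(mdl, 'SolverType', 'Fixed-step', 'Solver', 'FixedStepDiscrete');
end
if ~sldvcompat(mdl)
    error('Model "%s" is still incompatible; review the diagnostics.', mdl);
end
save_system(mdl);

% Task 3: test generation for decision coverage, keeping the harness
% model and the HTML report.
opts = sldvoptions;
opts.Mode                    = 'TestGeneration';
opts.ModelCoverageObjectives = 'Decision';
opts.SaveHarnessModel        = 'on';
opts.SaveReport              = 'on';

% Task 4: run the analysis and act on its status.
[status, files] = sldvrun(mdl, opts);
switch status
    case 1
        disp('Analysis completed normally. Generated files:');
        disp(files);
    case -1
        warning('Analysis stopped: maximum processing time exceeded.');
    otherwise
        error('Analysis failed; review the log and diagnostics.');
end
```

Checking the returned status before using the generated files keeps a batch run from treating a timed-out or failed analysis as a complete test suite.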

# **Customizing Test Generation**

In this task, you modify the example model for which you attained complete decision coverage. Specifically, you customize test generation by adding and configuring a Test Condition block:

- **1** In the MATLAB Command Window, enter sldvlib to display the Simulink Design Verifier library.



- **2** Copy the Test Condition block to your model by dragging it from the Simulink Design Verifier library to your model window.
- **3** In the model window, insert the Test Condition block between the Switch and Outport blocks.



- **4** Double-click the Test Condition block in your model to access its attributes.

The Test Condition block parameter dialog box appears.

**5** In the **Values** box, enter [-0.1, 0.1]. When generating test cases for this model, the Simulink Design Verifier software constrains the signal values entering the Switch block control port to the specified interval.

| Function Block Parameters: Test Condition |
|-------------------------------------------|
| Design Verifier Test Condition (mask) (link) |
| Constrains signal values in Simulink Design Verifier test cases. The 'Values' parameter constrains the block input signal. Two element vectors specify intervals. Cell arrays specify lists. The signal must satisfy at least one of the values or intervals at every time step.<br>Example Values:<br>true<br>{[0 1], 2, [4 5], 6}<br>{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1} |
| Parameters |
| Enable |
| Type: Test Condition |
| Values: [-0.1, 0.1] |
| Display values |
| ✓ Pass through style (show Outport) |

- **6** Click **OK** to apply your changes and close the Test Condition block parameter dialog box.
- 7 Save your model for use in the next task.

# **Reanalyzing the Example Model**

In this task, you analyze the example model with the Test Condition block. To observe how the Test Condition block affects test generation, compare the result of this analysis to the result that you obtained in "Analyzing the Example Model" on page 7-12.

1 In the model window, select Tools > Design Verifier > Generate Tests.

The Simulink Design Verifier software displays a log window and begins analyzing your model to generate test cases.

When the software completes the analysis, it displays a new Simulink Design Verifier report named example\_report1.html.

2 To begin reviewing the report, in the Table of Contents, click Summary.

| Chapter 1. Summary       |                    |
|--------------------------|--------------------|
| **Analysis Information** |                    |
| Model:                   | example            |
| Mode:                    | TestGeneration     |
| Status:                  | Completed normally |
| **Objectives Status**    |                    |

The Summary chapter indicates that the Simulink Design Verifier software satisfied two test objectives in your model.

**3** In the **Table of Contents**, click Analysis Information. Scroll to the bottom of this chapter, to the Constraints section.

| Name           | Constraint  |
|----------------|-------------|
| Test Condition | [-0.1, 0.1] |

This section lists the Test Condition block that you added to constrain the value of the Switch block control signal to the interval [-0.1, 0.1].

4 In the Table of Contents, click Test Objectives Status.

**Chapter 3. Test Objectives Status**

**Objectives Satisfied**

Simulink Design Verifier found test cases that exercise these test objectives.

| #  | Type     | Model Item | Description                                                | Test Case |
|----|----------|------------|------------------------------------------------------------|-----------|
| 1  | Decision | Switch     | trigger >= threshold false (output is from 3rd input port) | 2         |
| 2  | Decision | Switch     | trigger >= threshold true (output is from 1st input port)  | 1         |

This table indicates that the Simulink Design Verifier software satisfied both test objectives associated with the Switch block in your model, for which it generated two test cases.

5 Under the Test Cases column of the table, click 2.

Objective Count: 1

| Step | Time | Model Item | Objectives                                                 |
|------|------|------------|------------------------------------------------------------|
| 1    | 0    | Switch     | trigger >= threshold false (output is from 3rd input port) |

This section provides details about a test case that the software generated to achieve an objective in your model. This test case achieves test objective 1, which involves the Switch block passing its third input. Although the Test Condition block restricted the domain of input signals to the interval [-0.1, 0.1], the software determined that a value of -0.05 for the Switch block control signal satisfies the objective.

- **6** To confirm that the test case achieves complete decision coverage, go to the harness model named example\_harness1.mdl.
- **7** Double-click the Inputs block to display the Signal Builder dialog box.



**8** In the Signal Builder dialog box, click the **Run all** button.



The Simulink software simulates the test harness using both test cases, collects model coverage information, and displays a coverage report whose Summary section appears as follows.



The coverage report indicates the Simulink Design Verifier software generated test cases that achieve complete decision coverage for your example model.

## **Generating Test Cases for a Subsystem**

If you have a large model, you can generate test cases for subsystems in the model and review the analysis in smaller, manageable reports. The workflow for generating test cases for a subsystem is as follows:

- **1** Open the model that contains the subsystem.
- 2 Make the subsystem atomic.
- **3** Run the Simulink Design Verifier software using the **Generate Tests for Subsystem** option.
- 4 Review the results.

The tutorial in "Analyzing a Subsystem" on page 1-23 explains how to analyze the Controller subsystem in the Cruise Control Test Generation model.

# Proving Properties of a Model

This chapter describes how to use the Simulink Design Verifier software to prove properties of your model. The following sections introduce the notion of property proofs and present an example in which you prove a property of a simple Simulink model:

- "About Property Proofs" on page 8-2
- "Basic Workflow for Proving Model Properties" on page 8-3
- "Proving Properties in a Model" on page 8-4
- "Proving Properties in a Subsystem" on page 8-26

## **About Property Proofs**

The Simulink Design Verifier software can prove properties of your model. Here, the term *property* refers to a logical expression of signal values in a model. For example, you can specify that a signal in your model should attain a particular value or range of values during simulation. You can then use the Simulink Design Verifier software to prove whether such properties are valid. The software performs a formal analysis of your model to prove or disprove the specified properties. If the software disproves a property, it provides a counterexample that demonstrates a property violation.

The Simulink Design Verifier software provides two blocks that allow you to specify properties in your Simulink models. Use the Proof Objective block to define the values of a signal that the Simulink Design Verifier software will prove. Use the Proof Assumption block to constrain the values of a signal during a proof. For more information about these blocks, refer to Chapter 12, "Block Reference".

**Note** Blocks from the Model Verification library in the Simulink software behave like a Proof Objective block during Simulink Design Verifier proofs. Hence, you can use Assertion blocks and other Model Verification blocks to specify properties of your model. See "Model Verification" in the *Simulink Reference* for more information about these blocks.

The Simulink Design Verifier software also provides two functions that extend the Stateflow action language, allowing you to specify properties in your Stateflow charts. These functions behave identically to the Proof Objective and Proof Assumption blocks. Use the following syntax to invoke these functions in a Stateflow chart:

```
dv.prove(expr, "{values}")
dv.assume(expr, "{values}")
```

where expr represents the objective or assumption, e.g., x > 0, and the optional argument values specifies the intervals that comprise the proof objective or assumption. For more information about the values argument, see "Specifying Proof Objectives" on page 12-8 and "Specifying Proof Assumptions" on page 12-2.
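The prove-or-counterexample behaviour described in this section, and the Test Condition result from "Reanalyzing the Example Model" (a value of -0.05 found inside [-0.1, 0.1]), both come down to asking whether the allowed input range intersects the region that produces a given outcome. The following Python is an added illustration, not MathWorks code and not the tool's analysis engine. It assumes a Switch threshold of 0 (the page does not state it) and a single memoryless comparison, uses Python tuples and lists to stand in for MATLAB vectors and cell arrays, and all names (`Interval`, `parse_values`, `find_witnesses`, `prove_always`) are hypothetical.

```python
# Added illustration, not MathWorks code: interval reasoning for one memoryless
# decision `signal >= threshold` whose input is restricted by a Values-style spec.
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INF = math.inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float
    lo_closed: bool = True
    hi_closed: bool = True

    def contains(self, x: float) -> bool:
        above = x > self.lo or (self.lo_closed and x == self.lo)
        below = x < self.hi or (self.hi_closed and x == self.hi)
        return above and below

    def intersect(self, other: "Interval") -> "Interval":
        # The tighter bound wins; on a tie the bound stays closed only if both are.
        if self.lo != other.lo:
            src = self if self.lo > other.lo else other
            lo, lo_closed = src.lo, src.lo_closed
        else:
            lo, lo_closed = self.lo, self.lo_closed and other.lo_closed
        if self.hi != other.hi:
            src = self if self.hi < other.hi else other
            hi, hi_closed = src.hi, src.hi_closed
        else:
            hi, hi_closed = self.hi, self.hi_closed and other.hi_closed
        return Interval(lo, hi, lo_closed, hi_closed)

    def witness(self) -> Optional[float]:
        """Return one concrete member, or None if the interval is empty."""
        if math.isfinite(self.lo) and math.isfinite(self.hi):
            candidates = [(self.lo + self.hi) / 2.0, self.lo, self.hi]
        elif math.isfinite(self.lo):
            candidates = [self.lo, self.lo + max(1.0, abs(self.lo))]
        elif math.isfinite(self.hi):
            candidates = [self.hi, self.hi - max(1.0, abs(self.hi))]
        else:
            candidates = [0.0]
        return next((c for c in candidates if self.contains(c)), None)


# No Test Condition / Proof Assumption: the whole real line is allowed.
UNCONSTRAINED = Interval(-INF, INF, False, False)


def parse_values(spec) -> List[Interval]:
    """Python stand-in for the block's Values syntax (an assumption of this example):
    number = single point, 2-tuple = closed interval ([a b] in MATLAB),
    list = any of its entries (a MATLAB cell array), Interval = used as given."""
    if isinstance(spec, Interval):
        return [spec]
    if isinstance(spec, list):
        return [iv for item in spec for iv in parse_values(item)]
    if isinstance(spec, tuple):
        lo, hi = spec
        return [Interval(float(lo), float(hi))]
    return [Interval(float(spec), float(spec))]


def find_witnesses(threshold: float, values) -> Dict[bool, Optional[float]]:
    """Test generation view: for each outcome of `signal >= threshold`, return an
    allowed input that produces it, or None if the constraint rules it out."""
    regions = {
        True: Interval(threshold, INF, True, False),     # signal >= threshold
        False: Interval(-INF, threshold, False, False),  # signal <  threshold
    }
    allowed = parse_values(values)
    found: Dict[bool, Optional[float]] = {}
    for outcome, region in regions.items():
        hits = (region.intersect(iv).witness() for iv in allowed)
        found[outcome] = next((w for w in hits if w is not None), None)
    return found


def prove_always(outcome: bool, threshold: float, assumption) -> Tuple[str, Optional[float]]:
    """Proof view: the decision always equals `outcome` exactly when no allowed
    input produces the opposite outcome; otherwise that input is a counterexample."""
    counterexample = find_witnesses(threshold, assumption)[not outcome]
    if counterexample is None:
        return ("valid", None)
    return ("falsified", counterexample)


if __name__ == "__main__":
    # Constraint from the tutorial: both Switch decisions stay reachable.
    print(find_witnesses(0.0, (-0.1, 0.1)))
    # Constructed constraint that makes the "false" decision unreachable.
    print(find_witnesses(0.0, (0.1, 0.5)))
    # Unconstrained proof attempt fails with a counterexample ...
    print(prove_always(True, 0.0, UNCONSTRAINED))
    # ... and succeeds once the assumption excludes every negative input.
    print(prove_always(True, 0.0, [(0, 1), 2, Interval(4, 5, False, True)]))
```

A constraint that leaves an outcome with no witness means that test objective cannot be satisfied, while the same empty intersection on the negated property is what makes a proof succeed.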

## **Basic Workflow for Proving Model Properties**

Here is the recommended workflow for proving properties of your model:

- 1 Ensure that your model is compatible for use with the Simulink Design Verifier software (for an example, see "Checking Compatibility of the Example Model" on page 8-6).
- **2** Instrument your model with blocks that specify proof objectives and proof assumptions (for examples, see "Instrumenting the Example Model" on page 8-10 and "Customizing the Example Proof" on page 8-21).
- **3** Specify Simulink Design Verifier options that control how it proves the properties of your model (for an example, see "Configuring Property-Proving Options" on page 8-13).
- **4** Execute the Simulink Design Verifier analysis and review its results (for examples, see "Analyzing the Example Model" on page 8-15 and "Reanalyzing the Example Model" on page 8-23).

See "Proving Properties in a Model" on page 8-4 for an exercise that demonstrates this workflow.

# **Proving Properties in a Model**

#### In this section ...

- "About This Example" on page 8-4
- "Constructing the Example Model" on page 8-5
- "Checking Compatibility of the Example Model" on page 8-6
- "Instrumenting the Example Model" on page 8-10
- "Configuring Property-Proving Options" on page 8-13
- "Analyzing the Example Model" on page 8-15
- "Customizing the Example Proof" on page 8-21
- "Reanalyzing the Example Model" on page 8-23

## **About This Example**

The sections that follow describe a simple Simulink model, for which you prove a property that you specify using a Proof Objective block. This example will help you understand the property-proving capabilities of the Simulink Design Verifier software.

The following workflow guides you through the process of completing this example:

| Task | Description | See |
|------|-------------|-----|
| 1 | Construct the example model. | "Constructing the Example Model" on page 8-5 |
| 2 | Ensure your model's compatibility with the Simulink Design Verifier software. | "Checking Compatibility of the Example Model" on page 8-6 |
| 3 | Add a Proof Objective block to your model to prepare for its proof. | "Instrumenting the Example Model" on page 8-10 |
| 4 | Configure the Simulink Design Verifier software to prove properties. | "Configuring Property-Proving Options" on page 8-13 |
| 5 | Prove a property of your model and interpret the results. | "Analyzing the Example Model" on page 8-15 |
| 6 | Add a Proof Assumption block to customize the proof. | "Customizing the Example Proof" on page 8-21 |
| 7 | Prove a property of your modified model and interpret the results. | "Reanalyzing the Example Model" on page 8-23 |

## **Constructing the Example Model**

In this task, you construct a simple Simulink model that you use throughout the remaining tasks. To complete this task, perform the following steps:

- **1** Create an empty Simulink model.
- 2 Copy the following blocks into your empty model window:
  - An Inport block, from the Sources library, to initiate the input signal whose value the Simulink Design Verifier software controls
  - A Compare To Zero block to provide simple logic, from the Logic and Bit Operations library
  - An Outport block to receive the output signal, from the Sinks library
- **3** Connect these blocks such that your model appears similar to the following.



4 Save your model as example.mdl for use in the next task.

## **Checking Compatibility of the Example Model**

In this task, you ensure that a model is compatible for use with the Simulink Design Verifier software. Specifically, you check the compatibility of the simple Simulink model that you created in the previous task. To complete this task, perform the following steps:

**1** In your Simulink model window, select Tools > Design Verifier > Check Model Compatibility.

The Simulink Design Verifier software displays the following log window, which indicates that your model is incompatible.

Simulink Design Verifier log: example

```
16-Apr-2007 14:57:16
Checking compatibility of model "example"
Model "example" is not compatible with Simulink Design Verifier
Refer to the Simulink Diagnostics window for more information
```
It also displays the following incompatibility error in the Simulation Diagnostics Viewer.

| Message    | Source  | Reported by | Summary                                  |
|------------|---------|-------------|------------------------------------------|
| Design Ver | example | simulink    | Simulink Design Verifier can not be used |

example: Simulink Design Verifier can not be used with a variable-step solver. You must configure
The error message informs you that the Simulink Design Verifier software does not support variable-step solvers. To work around this incompatibility, you must use a fixed-step solver.

2 In your Simulink model window, select Simulation > Configuration Parameters.

The Configuration Parameters dialog box appears.

**3** In the **Select** tree on the left side of the Configuration Parameters dialog box, click the **Solver** category (if not already selected). Under **Solver options** on the right side, set the **Type** option to Fixed-step, and then set the **Solver** option to Discrete (no continuous states).

| Configuration Parameters: untitled/Configuration (Active) |                                                                                                            |
|-----------------------------------------------------------|------------------------------------------------------------------------------------------------------------|
| Select:                                                   | Solver                                                                                                     |
| Simulation time                                           | Start time: 0.0<br>Stop time: 10.0                                                                         |
| Solver options                                            | Type: Fixed-step<br>Solver: Discrete (no continuous states)<br>Fixed-step size (fundamental sample time): auto |
| Tasking and sample time options                           | Periodic sample time constraint: Unconstrained<br>Tasking mode for periodic sample times: Auto<br>Automatically handle rate transition for data transfer |

- **4** Click the **OK** button to apply your changes and close the Configuration Parameters dialog box.
- 5 Recheck the compatibility of your model. In your Simulink model window, select Tools > Design Verifier > Check Model Compatibility.

The Simulink Design Verifier software displays the following log window, which confirms that your model is compatible for analysis.

Simulink Design Verifier log: example

```
16-Apr-2007 15:21:18
Checking compatibility of model "example"
Compiling model...done
Checking compatibility...done
Model "example" is compatible with Simulink Design Verifier.
```
6 Save your example.mdl model for use in the next task.

## Instrumenting the Example Model

In this task, you prepare your example model so that you can prove its properties with the Simulink Design Verifier software. Specifically, you instrument the model by adding and configuring a Proof Objective block. To complete this task, perform the following steps:

1 In the MATLAB Command Window, enter sldvlib.

The Simulink Design Verifier library appears.



- **2** Copy the Proof Objective block to your model by dragging it from the Simulink Design Verifier library to your model window.
- **3** In your model window, insert the Proof Objective block between the Compare To Zero and Outport blocks (see "Inserting Blocks in a Line" in the Simulink documentation for help with this step).



**4** Double-click the Proof Objective block in your model to access its attributes.

The Proof Objective block parameter dialog box appears.

**5** In the **Values** box, enter 1. The Simulink Design Verifier software will attempt to prove that the signal output by the Compare To Zero block always attains this value for any signals that it receives.

| Function Block Parameters: Proof Objective |
|--------------------------------------------|
| Design Verifier Proof Objective (mask) (link) |
| Proves signal values using Simulink Design Verifier. The 'Values' parameter specifies input signal values to prove. Two element vectors specify intervals. Cell arrays specify lists. Signals are proven to satisfy at least one of the values or intervals at every time step.<br>Example Values:<br>true<br>{1, 2, [4 5]} |
| Parameters |
| Enable |
| Type: Proof Objective |
| Values: 1 |
| ✓ Display values |
| Pass through style (show Outport) |

- **6** Click **OK** to apply your changes and close the Proof Objective block parameter dialog box.
- 7 Save your example.mdl model for use in the next task.

## **Configuring Property-Proving Options**

In this task, you configure the Simulink Design Verifier software to prove properties of the simple Simulink model that you instrumented. To complete this task, perform the following steps:

1 In your Simulink model window, select Tools > Design Verifier > Options (see "Viewing Simulink<sup>®</sup> Design Verifier Options" on page 6-2 for help with this step).

The Simulink Design Verifier software displays its options in the Configuration Parameters dialog box.

2 In the **Select** tree on the left side of the Configuration Parameters dialog box, click the **Design Verifier** category (if not already selected). Under **Analysis options** on the right side, set the **Mode** option to **Property proving**.

[Figure: Configuration Parameters dialog box for example/Configuration (Active), with the Design Verifier category selected. Analysis options: Mode: Property proving; Maximum analysis time: 600; Display unsatisfiable test objectives. Output: Output directory: sldv\_output/\$ModelName\$; Make output file names unique by adding a suffix. Buttons: Check Model Compatibility, Analyze Model.]

**3** Click **OK** to apply your changes and close the Configuration Parameters dialog box.

**Note** Using the **Property Proving** pane, you can optionally specify values for other parameters that control how the Simulink Design Verifier software proves properties of your model. See "Property Proving Pane" on page 6-11 for more information.

4 Save your example.mdl model for use in the next task.

## Analyzing the Example Model

In this task, you execute the Simulink Design Verifier analysis. The software proves a property of your example model and produces results for you to interpret. To complete this task, perform the following steps:

1 In your Simulink model window, select Tools > Design Verifier > Prove Properties.

The Simulink Design Verifier software begins analyzing your model to prove its properties. During its analysis, the software displays a log window.

[Figure: Simulink Design Verifier log window. The Progress panel lists Objectives processed (0/0), Satisfied (0), Falsified (0), and Elapsed time (0.0). The log text reads "30-Jan-2007 18:10:00 Starting property proving for model ''example''" followed by "Compiling model". A Stop button appears at the bottom of the window.]

The Simulink Design Verifier log window updates you on the progress of the proof, providing information such as the number of objectives processed and how many of those objectives were either satisfied or falsified. Also, this dialog box includes a **Stop** button that you can click to terminate the proof at any time.

When the Simulink Design Verifier software completes its analysis, it displays the following items:

- Simulink Design Verifier report: An HTML report named example\_report.html.
- Test harness: A harness model named example\_harness.mdl.
- Signal Builder dialog box: Signals that falsify the proof objective in this model.

The remaining steps in this section help you interpret the results that you obtained.

**2** Review the Simulink Design Verifier report. The report includes the following **Table of Contents** whose items you can click to navigate to particular chapters and sections.

3 In the Table of Contents, click Summary.



The Summary provides an overview of the analysis results, and it indicates that the Simulink Design Verifier software identified a counterexample that falsifies an objective in your model.

**4** Scroll back to the top of the browser window. In the **Table of Contents**, click **Proof Objectives Status**.

**Objectives Falsified with Counterexamples**

| #: | Type | Model Item | Description | Counterexample |
|----|------|------------|-------------|----------------|
| 1 | Custom Proof Objective | Proof Objective | Objective: 1 | 1 |

The Objectives Falsified with Counterexamples table lists the proof objectives that the Simulink Design Verifier software disproved using a counterexample it generated. You can locate the objective in your model window by clicking Proof Objective; the software highlights the corresponding Proof Objective block in your model window.

**5** In the Objectives Falsified with Counterexamples table under the **Counterexample** column, click 1.

**Proof Objective**

| Summary | |
|---|---|
| Model Item: | Proof Objective |
| Property: | Objective: 1 |
| Status: | Falsified |

| Counter Example | | |
|---|---|---|
| Time | 0 | 1 |
| Step | 0 | |
| In1 | 99 | |

This section displays information about proof objective 1 and provides details about the counterexample that the Simulink Design Verifier software generated to disprove that objective. In this counterexample, a signal value of 99 falsifies the objective that you specified using the Proof Objective block. That is, 99 is not less than or equal to 0, which causes the Compare To Zero block to return 0 (false) instead of 1 (true).

6 Review the harness model named example\_harness.mdl.



The harness model contains the following items:

- Signal Builder block named Inputs: A group of signals that falsify proof objectives.
- Subsystem block named Test Unit: A copy of your model.
- DocBlock named Test Case Explanation: A textual description of the counterexamples that the software generates.

**Note** See the *Simulink Reference* for more information about interacting with blocks such as the Signal Builder, Subsystem, and DocBlock.

You can simulate the harness model to observe the counterexample that falsifies the proof objective in your model:

**7** In the MATLAB Command Window, enter simulink to open the Simulink library (if it is not already open).

The Simulink library window appears.

- **8** From the Sinks library, copy a Scope block into your harness model window. The Scope block allows you to see the value of the signal output by the Compare To Zero block in your model.
- **9** In your harness model window, connect the output signal of the Test Unit subsystem to the Scope block.

Your model should appear similar to the following:



10 In your harness model window, select Simulation > Start to begin the simulation.

The Simulink software simulates the harness model.



**11** In your harness model window, double-click the Scope block to open its display window.

The Scope block displays the value of the signal output by the Compare To Zero block in your model. In this example, the Compare To Zero block returns 0 (false) throughout the simulation. Recall that you specified that the proof objective in your model is 1 (true). Hence, the counterexample that the Signal Builder block supplies falsifies the proof objective.

## **Customizing the Example Proof**

In this task, you modify the simple Simulink model whose proof objective the Simulink Design Verifier software disproved in the previous task. Specifically, you customize the proof by adding and configuring a Proof Assumption block. To complete this task, perform the following steps:

1 If the Simulink Design Verifier library is not already open, type sldvlib in the MATLAB Command Window.

The Simulink Design Verifier library appears.

- 2 Copy the Proof Assumption block to your model (example.mdl) by dragging it from the Simulink Design Verifier library to your model window.
- **3** In your model window, insert the Proof Assumption block between the Inport and Compare To Zero blocks.



**4** Double-click the Proof Assumption block in your model to access its attributes.

The Proof Assumption block parameter dialog box appears.

**5** In the Values box, enter [-1, 0]. When proving properties of this model, the Simulink Design Verifier software will constrain the signal values entering the Compare To Zero block to the specified interval.

[Figure: Function Block Parameters: Assumption dialog box, Design Verifier Assumption (mask) (link). Block description: "Assumes signal values when Simulink Design Verifier proves model properties. The input signal is assumed to be one of the values listed in the 'Values' parameter. Two element vectors specify intervals. Cell arrays specify lists. The signal must match one of the listed values or intervals at every time step." Example Values: true; {[0 1], 2, [4 5], 6}; {Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '0'), 1}. Parameters: Type: Assumption; Values: [-1, 0]; Display values; Pass through style (show Outport).]

- **6** Click **OK** to apply your changes and close the Proof Assumption block parameter dialog box.
- 7 Save your example.mdl model for use in the next task.

## **Reanalyzing the Example Model**

In this task, you execute the Simulink Design Verifier analysis on the model that you modified. To observe how Proof Assumption blocks affect proofs, compare the result of this analysis to the result that you obtained in a previous task (see "Analyzing the Example Model" on page 8-15). To complete this task, perform the following steps:

1 In your Simulink model window, select Tools > Design Verifier > Prove Properties.

The Simulink Design Verifier software displays a log window and begins analyzing your model to prove its properties.

When the software completes the analysis, it displays a new Simulink Design Verifier report named example\_report1.html.

**Note** If the Simulink Design Verifier software satisfies all proof objectives in your model, it does not generate a harness model.

- 2 Review the Simulink Design Verifier report.
- 3 In the Table of Contents, click Summary.

**Chapter 1. Summary**

| Analysis Information | |
|---|---|
| Model: | example |
| Mode: | PropertyProving |
| Status: | Completed normally |

| Objectives Status | |
|---|---|
| Number of Objectives: | 1 |
| Objectives Proven Valid: | 1 |
The Summary chapter indicates that the Simulink Design Verifier software proved an objective in your model.

**4** Scroll back to the top of the browser window. In the **Table of Contents**, click **Proof Objectives Status**.

**Objectives Proven Valid**

| #: | Type | Model Item | Description | Counterexample |
|----|------|------------|-------------|----------------|
| 1 | Custom Proof Objective | Proof Objective | Objective: 1 | n/a |

The Objectives Proven Valid table lists the proof objectives that the Simulink Design Verifier software proved to be valid.

5 Scroll down to view the Properties chapter or go to the top of the browser window and click Properties in the Table of Contents.

**Proof Objective**

| Summary | |
|---|---|
| Model Item: | Proof Objective |
| Property: | Objective: 1 |
| Status: | Proven valid |

The Proof Objective summary indicates that the Simulink Design Verifier software proved an objective that you specified in your model. Because the Proof Assumption block restricted the domain of the input signals to the interval [-1, 0], the software was able to prove that this interval contains no values that are greater than zero, thereby satisfying the proof objective.

## **Proving Properties in a Subsystem**

If you have a large model, you can prove the properties of a subsystem in the model and review the analyses in smaller, manageable reports. The workflow for proving properties in a subsystem is as follows:

- **1** Open the model that contains the subsystem.
- **2** Make the subsystem atomic.
- **3** Run the Simulink Design Verifier software using the **Prove Properties of Subsystem** option.
- 4 Review the results.

The tutorial in "Analyzing a Subsystem" on page 1-23 explains how to generate test cases for the Controller subsystem in the Cruise Control Test Generation model. The steps for proving properties are similar, except that you select the **Prove Properties of Subsystem** option instead of the **Generate Tests for Subsystem** option.

# Reviewing the Results

The Simulink Design Verifier software produces several artifacts after it analyzes your model. Depending on the analysis, the software can generate a data file, a test harness model, a SystemTest file, and a report. The following sections describe each of these items:

- "Examining Simulink® Design Verifier Data Files" on page 9-2
- "Exploring Test Harness Models" on page 9-8
- "Creating a SystemTest TEST-File" on page 9-14
- "Understanding Simulink® Design Verifier Reports" on page 9-17

## **Examining Simulink Design Verifier Data Files**

#### In this section ...

"About Simulink<sup>®</sup> Design Verifier Data Files" on page 9-2

"Overview of the sldvData Structure" on page 9-2

"Model Information Fields in sldvData" on page 9-3

"Simulating Models with Simulink® Design Verifier Data Files" on page 9-7

## **About Simulink Design Verifier Data Files**

When you enable the **Save test data to file** parameter (see "Results Pane" on page 6-13), the Simulink Design Verifier software generates a data file when it completes its analysis. The data file is a MAT-file that contains a structure named sldvData. This structure stores all the data the software gathers and produces during the analysis. Although the software displays the same data graphically in the test harness model and report, you can use the data file to conduct your own analysis or to generate a custom report.

## **Overview of the sldvData Structure**

When the Simulink Design Verifier software completes its analysis, it produces a MAT-file that contains a structure named sldvData. To explore the contents of the sldvData structure:

- 1 Generate test cases for the sldvdemo\_flipflop model (see "Analyzing a Model" on page 1-6).
- 2 To load the data file, at the MATLAB prompt, enter the following command:

```
load('sldv_output\sldvdemo_flipflop\sldvdemo_flipflop_sldvdata.mat')
```

The MATLAB software loads the sldvData structure into its workspace. This structure contains the Simulink Design Verifier analysis results of the sldvdemo\_flipflop model.

3 Enter sldvData to display the field names that constitute the structure:

```
sldvData =

    ModelInformation: [1x1 struct]
    AnalysisInformation: [1x1 struct]
    ModelObjects: [1x2 struct]
    Objectives: [1x12 struct]
    TestCases: [1x4 struct]
    Version: '1.3'
```

See "Structures" in the MATLAB documentation for more information about working with structures.

## Model Information Fields in sldvData

The following sections describe the fields in the sldvData structure:

- "ModelInformation Field" on page 9-3
- "AnalysisInformation Field" on page 9-4
- "ModelObjects Field" on page 9-4
- "Objectives Field" on page 9-5
- "TestCases Field / CounterExamples Field" on page 9-5
- "Version Field" on page 9-7

#### **ModelInformation Field**

In the sldvData structure, the ModelInformation field contains information about the model you analyzed. The following table describes each subfield of the ModelInformation field.

| Subfield Name    | Description                                                                            |
|------------------|----------------------------------------------------------------------------------------|
| Name             | String specifying the model name.                                                      |
| Version          | String specifying the model number.                                                    |
| Author           | String specifying the user name.                                                       |
| SubsystemPath    | String representing the full path name of the subsystem (if any) that was analyzed.    |
| ReplacementModel | String specifying the name of the model (if any) that contains the block replacements. |


#### **AnalysisInformation Field**

In the sldvData structure, the AnalysisInformation field lists settings of particular analysis options and related information. The following table describes each subfield of the AnalysisInformation field.

| Subfield Name  | Description                                                                                          |
|----------------|------------------------------------------------------------------------------------------------------|
| Status         | String specifying the completion status of the Simulink Design Verifier analysis.                    |
| Options        | Deep copy of the Simulink Design Verifier options object used during the analysis.                   |
| InputPortInfo  | Cell array of structures specifying information about each Inport block in the top-level system.     |
| OutputPortInfo | Cell array of structures specifying information about each Outport block in the top-level system.    |
| SampleTimes    | For internal use only.                                                                               |

#### **ModelObjects Field**

In the sldvData structure, the ModelObjects field lists the model items and their associated objectives. The following table describes each subfield of the ModelObjects field.

| Subfield Name | Description                                                                                             |
|---------------|---------------------------------------------------------------------------------------------------------|
| descr         | String specifying the full path to a model object, including objects in a Stateflow chart.              |
| typeDesc      | String specifying the block type of the model object.                                                   |
| slPath        | String specifying the full path to a Simulink model object.                                             |
| sfObjType     | String specifying the type of a Stateflow object, e.g., **S** for state and **T** for transition.       |
| sfObjNum      | Integer representing the unique identifier of a Stateflow object.                                       |
| objectives    | Vector of integers representing the indices of objectives associated with a model object.               |

#### **Objectives Field**

In the sldvData structure, the Objectives field lists information about each objective, such as its type, status, and description. The following table describes each subfield of the Objectives field.

| Subfield Name    | Description                                                                                  |
|------------------|----------------------------------------------------------------------------------------------|
| type             | String specifying the type of an objective.                                                  |
| status           | String specifying the status of an objective.                                                |
| descr            | String specifying the description of an objective.                                           |
| label            | String specifying the label of an objective.                                                 |
| outcomeValue     | Integer specifying an objective's outcome.                                                   |
| coveragePointIdx | Integer representing the index of a coverage point with which an objective is associated.    |
| modelObjectIdx   | Integer representing the index of a model object with which an objective is associated.      |
| testCaseIdx      | Integer representing the index of a test case or counterexample that addresses an objective. |

## TestCases Field / CounterExamples Field

In the sldvData structure, this field can have two names, depending on the type of check:

- If you set the **Mode** parameter to Test generation, the TestCases field lists information about each test case, such as its signal values and the test objectives it achieves.
- If you set the **Mode** parameter to Property proving, the CounterExamples field lists information about each counterexample and the proof objective it falsifies.

The following table describes each subfield of the TestCases / CounterExamples field.

| Subfield Name | Description                                                                                                             |
|---------------|-------------------------------------------------------------------------------------------------------------------------|
| timeValues    | Vector specifying the time values associated with signals in a test case or counterexample.                             |
| dataValues    | Cell array specifying the data values associated with signals in a test case or counterexample.                         |
| paramValues   | Structure specifying the parameter values associated with a test case or counterexample. Its fields include:            |
|               | name — String specifying the name of a parameter.                                                                       |
|               | value — Number specifying the value of a parameter.                                                                     |
|               | noEffect — Logical value specifying whether a parameter's value affects an objective.                                   |
| stepValues    | Vector specifying the number of time steps that comprise signals in a test case or counterexample.                      |
| objectives    | Structure specifying objectives that a test case or a counterexample addresses. Its fields include:                     |
|               | objectiveIdx — Integer representing the index of an objective that a test case achieves or a counterexample falsifies.  |
|               | atTime — Time value at which either a test case achieves an objective or a counterexample falsifies an objective.       |
|               | atStep — Time step at which either a test case achieves an objective or a counterexample falsifies an objective.        |
| dataNoEffect   | Cell array of logical vectors specifying whether a signal's data values affect an objective. The vector uses 1 to indicate that a signal's data value does not affect an objective; otherwise, it uses 0.                                                                                                                       |
| expectedOutput | Cell array of vectors specifying the output values<br>that result from simulating the model using the<br>test case signals. Each cell represents the output<br>values associated with a different Outport block in<br>the top-level system. This subfield is populated if you<br>select <b>Include expected output values</b> . |
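
The following MATLAB script is an added example, not part of the original guide. It walks a TestCases / CounterExamples struct array and reports, for each case, the objectives it addresses and which input samples and parameters actually affect an objective, which is the first thing to check when reviewing a counterexample. The `cases` data is constructed and assumes scalar input signals with one sample per time value.

```matlab
% Added example. The struct array below is constructed sample data that
% follows the subfield table above; it is not output from a real analysis.
% Only the subfields that the loop reads are populated. With a real data
% file, cases would be the TestCases field (test generation) or the
% CounterExamples field (property proving) of the sldvData structure.
cases = struct( ...
    'timeValues',   {[0 0.1 0.2], [0 0.1]}, ...
    'dataValues',   {{[1 0 1], [0 0 1]}, {[0 1], [1 1]}}, ...
    'paramValues',  {struct('name', 'Kp', 'value', 2, 'noEffect', true), []}, ...
    'objectives',   {struct('objectiveIdx', {1, 4}, 'atTime', {0, 0.2}, 'atStep', {0, 2}), ...
                     struct('objectiveIdx', {2}, 'atTime', {0.1}, 'atStep', {1})}, ...
    'dataNoEffect', {{logical([0 1 0]), logical([1 1 0])}, ...
                     {logical([0 0]), logical([1 1])}});

for k = 1:numel(cases)
    tc = cases(k);
    fprintf('Case %d: %d time values, %d input signals\n', ...
        k, numel(tc.timeValues), numel(tc.dataValues));

    % Objectives that this case achieves (or falsifies), and when.
    for j = 1:numel(tc.objectives)
        obj = tc.objectives(j);
        fprintf('  objective %d at T=%.2f (step %d)\n', ...
            obj.objectiveIdx, obj.atTime, obj.atStep);
    end

    % dataNoEffect holds 1 where a sample does NOT affect an objective,
    % so the samples that matter are the ones marked 0.
    for s = 1:numel(tc.dataValues)
        relevant = ~tc.dataNoEffect{s};
        when = strtrim(sprintf('%.2f ', tc.timeValues(relevant)));
        fprintf('  signal %d: %d of %d samples affect an objective, T = [%s]\n', ...
            s, nnz(relevant), numel(relevant), when);
    end

    % paramValues may be empty when a case has no parameters.
    if isstruct(tc.paramValues)
        for p = 1:numel(tc.paramValues)
            pv = tc.paramValues(p);
            fprintf('  parameter %s = %g (noEffect = %d)\n', ...
                pv.name, pv.value, pv.noEffect);
        end
    end
end
```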

#### **Version Field**

In the sldvData structure, the Version field is a string specifying the version of the Simulink Design Verifier software that verified the model.

# Simulating Models with Simulink Design Verifier Data Files

The sldvruntest function simulates a model using test cases or counterexamples that reside in a Simulink Design Verifier data file. For example, suppose the following command specifies the location of the data file that the Simulink Design Verifier software produced after analyzing the sldvdemo\_flipflop model (see "Analyzing a Model" on page 1-6):

```
sldvDataFile = 'sldv_output\sldvdemo_flipflop\sldvdemo_flipflop_sldvdata.mat'
```

Use the sldvruntest function to simulate the sldvdemo\_flipflop model using test case 2 in the data file:

```
output = sldvruntest('sldvdemo_flipflop', sldvDataFile, 2)
```

See sldvruntest in Chapter 11, "Function Reference" for more information.

# **Exploring Test Harness Models**

#### In this section ...

- "About Test Harness Models"
- "Anatomy of a Test Harness"
- "Simulating the Test Harness"

## **About Test Harness Models**

When you enable the **Save test harness as model** parameter (see "Results Pane" on page 6-13), the Simulink Design Verifier software generates a test harness model after it completes its analysis. If the software's **Mode** parameter specifies **Test generation**, the harness model contains test cases that achieve test objectives. Otherwise, the software's **Mode** parameter specifies **Property proving** and the harness model contains counterexamples that falsify proof objectives.

**Note** The Simulink Design Verifier software can generate a harness model only when the top level of the system you are analyzing contains an Inport block.

#### **Anatomy of a Test Harness**

When the Simulink Design Verifier software completes its analysis, it produces a test harness model that looks like this:



The harness model contains the following items:

• **Test Case Explanation** — This DocBlock documents the test cases or counterexamples that the Simulink Design Verifier software generates. Double-click the Test Case Explanation block to view a description of each test case or counterexample. The block lists either the test objectives that each test case achieves (as in the next graphic) or the proof objectives that each counterexample falsifies.

*[Screenshot: the Test Case Explanation text open in the Editor; long lines are cut off at the right edge of the window.]*

```
Test Case 1 (8 Objectives)
Parameter values:

1. Controller/PI Controller - enable logical value F @ T=0.00
2. Controller/Switch1 - logical trigger input true (output is from 1s
3. Controller/Logical Operator1 - Logic: input port 1 T @ T=0.00
4. Controller/Logical Operator2 - Logic: input port 1 T @ T=0.00
5. Controller/Logical Operator2 - Logic: MCDC expression for output w
6. Controller/Logical Operator - Logic: input port 1 T @ T=0.00
7. Controller/Logical Operator - Logic: input port 2 F @ T=0.00
8. Controller/Logical Operator - Logic: MCDC expression for output wi

Test Case 2 (3 Objectives)
Parameter values:

1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00
2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00
3. Controller/Logical Operator - Logic: MCDC expression for output wi

Test Case 3 (6 Objectives)
Parameter values:
```
                                                                                                                                                                                                                                                                       | 10 7. Controller/Logical Operator - Logic: input port 2 F @ T=0.                                        | 00       |
| 13 Test Case 2 (3 Objectives)<br>14 Parameter values:<br>15<br>16 1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00<br>17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00<br>18 3. Controller/Logical Operator - Logic: MCDC expression for output wi<br>19<br>20 Test Case 3 (6 Objectives)<br>21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                       | 11 8. Controller/Logical Operator - Logic: MCDC expression for o                                        | utput wi |
| <pre>14 Parameter values:<br/>15<br/>16 1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00<br/>17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00<br/>18 3. Controller/Logical Operator - Logic: MCDC expression for output wi<br/>19<br/>20 Test Case 3 (6 Objectives)<br/>21 Parameter values:<br/>4</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                       | 12                                                                                                      |          |
| <pre>15 15 16 1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00 17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00 18 3. Controller/Logical Operator - Logic: MCDC expression for output wi 19 20 Test Case 3 (6 Objectives) 21 Parameter values: </pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                       | 13 Test Case 2 (3 Objectives)                                                                           |          |
| 16 1. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00<br>17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00<br>18 3. Controller/Logical Operator - Logic: MCDC expression for output wi<br>19<br>20 Test Case 3 (6 Objectives)<br>21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                       | 14 Parameter values:                                                                                    |          |
| <pre>17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.00 18 3. Controller/Logical Operator - Logic: MCDC expression for output wi 19 20 Test Case 3 (6 Objectives) 21 Parameter values: </pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                       | 15                                                                                                      |          |
| 18 3. Controller/Logical Operator - Logic: MCDC expression for output wi<br>19<br>20 Test Case 3 (6 Objectives)<br>21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                       | 16 1. Controller/Logical Operator1 - Logic: input port 1 F @ T=O                                        | .00      |
| 19<br>20 Test Case 3 (6 Objectives)<br>21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                       | 17 2. Controller/Logical Operator - Logic: input port 1 F @ T=0.                                        | 00       |
| 20 Test Case 3 (6 Objectives)<br>21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                       | 18 3. Controller/Logical Operator - Logic: MCDC expression for o                                        | utput wi |
| 21 Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
                                                                                                                                                                                                                                                                       | 19                                                                                                      |          |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                       | 20 Test Case 3 (6 Objectives)                                                                           |          |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                       | 21 Parameter values:                                                                                    | <b>_</b> |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                       |                                                                                                         | ▶        |

• **Inputs** — This Signal Builder block contains signals that comprise the test cases or counterexamples that the Simulink Design Verifier software generated. Double-click the Inputs block to open the Signal Builder dialog box and view its signals.


[Figure: Signal Builder dialog box (sldvdemo_cruise_control_harness/Inputs), with tabs for Test Case 1 through Test Case 7 and the signals enable, brake, set, inc, dec, and speed plotted against Time (sec).]

Each signal group represents a unique test case or counterexample. In the Signal Builder dialog box, select a group's tab to view the signals associated with a particular test case or counterexample. See "Working with Signal Groups" in *Simulink User's Guide* for more information about interacting with the Signal Builder dialog box.

- **Size-Type** This Subsystem block transmits signals from the Inputs block to the Test Unit block. It ensures that the signals are of the appropriate size and data type, which the Test Unit block expects.
- **Test Unit** This Subsystem block contains a copy of the original model that the Simulink Design Verifier software analyzed.



# Simulating the Test Harness

The test harness model enables you to simulate a copy of your original model using the test cases or counterexamples that the Simulink Design Verifier software generates. Using the test harness model, you can simulate:

- A counterexample
- A single test case, for which the Simulink Verification and Validation software collects and displays model coverage information
- All test cases, for which the Simulink Verification and Validation software collects and displays cumulative model coverage information

**Note** By default, the Simulink Design Verifier software enables coverage reporting for test harness models that contain test cases. Although it enables coverage reporting with particular options selected, you can customize the settings to meet your needs. For more information, see "Specifying Model Coverage Reporting Options" in the *Simulink Verification and Validation User's Guide*.

To simulate a single test case or counterexample:

**1** In the test harness model, double-click the Inputs block.

The Signal Builder dialog box appears.

**2** In the Signal Builder dialog box, select the tab associated with a particular test case or counterexample.

The Signal Builder dialog displays the signals that comprise the selected test case or counterexample.

**3** In the Signal Builder dialog box, click the **Start simulation** button.

The Simulink software simulates the test harness model using the signals associated with the selected test case or counterexample. When simulating a test case, the Simulink Verification and Validation software collects model coverage information and displays a coverage report.

To simulate all test cases and measure their combined model coverage:

**1** In the test harness model, double-click the Inputs block.

The Signal Builder dialog box appears.

**2** In the Signal Builder dialog box, click the **Run all** button.

The Simulink software simulates the test harness model using all test cases, while the Simulink Verification and Validation software collects model coverage information and displays a coverage report.

See "Simulating with Signal Groups" in *Simulink User's Guide* for more information about simulating models containing Signal Builder blocks.

# **Creating a SystemTest TEST-File**

If you have installed the SystemTest software with your MATLAB application, you can specify that the Simulink Design Verifier software create a SystemTest TEST-file when it analyzes a model. Creating a TEST-file allows you to configure and collect model coverage results and run the test cases from inside the SystemTest environment.

In addition, if you have a model with a large number of inputs, this feature eliminates the overhead of creating the test harness. However, you can create both a test harness and a TEST-file in the same analysis.

To create a TEST-file for the sldvdemo\_cruise\_control model, perform these steps:

- **1** Type sldvdemo\_cruise\_control at the MATLAB command prompt to open the Cruise Control Test Generation model.
- **2** Select **Simulation > Configuration Parameters** to open the Configuration Parameters dialog box.
- **3** In the **Select** pane, under **Design Verifier**, select **Results**.
- **4** On the **Results** pane, under **SystemTest options**, select **Save test harness as SystemTest TEST-file (will reference saved data file)**.



- **5** If you prefer a file name other than the default, specify the **SystemTest file name**.
- **6** Under **Data File options**, verify that **Save test data to file** is selected. You must select this option to generate a TEST-file.

| Data file options                             |                        |
|-----------------------------------------------|------------------------|
| Save test data to file                        |                        |
| Data file name:                               | \$ModelName\$_sldvdata |
| Include expected output values                |                        |
| Randomize data that do not affect the outcome |                        |

- **7** If you do not need the Simulink Design Verifier test harness in addition to the TEST-file, under **Harness model options**, clear **Save test harness as model**.

| Harness model options                      |
|--------------------------------------------|
| Save test harness as model                 |
| Harness model file name:                   |
| Reference input model in generated harness |

- **8** Click **Apply** and **OK** to save the changes and exit the Configuration Parameters dialog box.
- **9** Double-click the Run block in the sldvdemo\_cruise\_control model to start the analysis.

When the software is creating the TEST-file, the following status box appears.

| Loading C:\uise_control\sldvdemo_cruise_control_harness.test | × |
|--------------------------------------------------------------|---|
| Loading TEST-file                                            |   |
|                                                              |   |

When the analysis completes, the SystemTest desktop opens the TEST-file, which, for this example, is saved as

matlabroot\sldvdemo\_output\sldv\_cruise\_control\sldvdemo\_cruise\_control\_harness.test



In the **Test Browser** pane, the 10 iterations under Main Test correspond to the 10 test cases the Simulink Design Verifier software generates and describes in the Test Case Explanation block of the test harness.

For information about running the test cases using the SystemTest software, see "Creating a Simulink Design Verifier Data File Test Vector" in the *SystemTest User's Guide*.

# **Understanding Simulink Design Verifier Reports**

#### In this section...

- "About Simulink<sup>®</sup> Design Verifier Reports"
- "Front Matter"
- "Summary Chapter"
- "Analysis Information Chapter"
- "Test / Proof Objectives Status Chapter"
- "Model Items Chapter"
- "Test Cases / Properties Chapter"

#### **About Simulink Design Verifier Reports**

When you enable the **Generate report of the results** parameter (see "Report Pane" on page 6-16), the Simulink Design Verifier software generates an HTML report after it completes its analysis. If the software's **Mode** parameter specifies **Test generation**, the report describes the model's test objectives and any corresponding test cases that result from the analysis. Otherwise, the software's **Mode** parameter specifies **Property proving**, and the report describes the model's proof objectives and any counterexamples that result from the analysis.

#### **Front Matter**

The report begins with two sections: title and table of contents.



The title section lists the following information:

- Model or subsystem name the Simulink Design Verifier software analyzed
- User name associated with the current MATLAB session
- Date and time that the Simulink Design Verifier software generated the report

The table of contents follows the title section. Clicking items in the table of contents allows you to navigate quickly to particular chapters and sections.

#### **Summary Chapter**

The Summary chapter of the HTML report provides an overview of the Simulink Design Verifier analysis.

| Chapter 1. Summary        |                         |
|---------------------------|-------------------------|
| **Analysis Information**  |                         |
| Model:                    | sldvdemo_cruise_control |
| Mode:                     | TestGeneration          |
| Status:                   | Completed normally      |
| **Objectives Status**     |                         |
| Number of Objectives:     |                         |
| Objectives Satisfied:     | 40                      |

#### **Analysis Information Chapter**

The Analysis Information chapter of the HTML report includes the following sections:

- "Model Information"
- "Analysis Options"
- "Constraints"
- "Block Replacements Summary"
- "Approximations"

#### **Model Information**

The Model Information section provides the following information about the current version of the model:

- Path and file name of the model that the Simulink Design Verifier software analyzed
- Model version
- Date and time that the model was last saved
- Name of the person who last saved the model

#### Model Information

| File:       | C:\test_sldv\sldvdemo_flipflop.mdl |
|-------------|------------------------------------|
| Version:    | 1.15                               |
| Time Stamp: | Fri Jun 27 15:38:15 2008           |
| Author:     | slemaire                           |
|             |                                    |

See "Managing Model Versions" in *Simulink User's Guide* for details about specifying this information for your models.

#### **Analysis Options**

The Analysis Options section provides information about the Simulink Design Verifier analysis settings.

The Analysis Options section lists the parameters that affected the Simulink Design Verifier analysis. See "sldvoptions Object Parameters" on page 11-8 for more information about the parameters that this section displays.

| Analysis Options               |                         |
|--------------------------------|-------------------------|
| Mode:                          | TestGeneration          |
| Test Suite Optimization:       | CombinedObjectives      |
| Maximum Testcase Steps:        | 500 time steps          |
| Test Conditions:               | UseLocalSettings        |
| Test Objectives:               | UseLocalSettings        |
| Model Coverage Objectives:     | MCDC                    |
| Maximum Processing Time:       | 60s                     |
| Block Replacement:             | on                      |
| Block Replacement Rules:       | `<FactoryDefaultRules>` |
| Parameters Analysis:           | on                      |
| Parameters Configuration File: | sldv_params_template.m  |
| Save Data:                     | on                      |
| Save Harness:                  | on                      |
| Save Report:                   | on                      |

#### **Constraints**

The Constraints section provides information about any test conditions that the Simulink Design Verifier software applied when it analyzed a model. You can locate the constraint in your model by clicking **constraint**; the software highlights the corresponding Test Condition block in your model window and opens a new window showing the block in detail.

| Constraints       |            |
|-------------------|------------|
| Name              | Constraint |
| <u>constraint</u> | [0, 100]   |
| <u>constraint</u> | [0, 100]   |

#### **Block Replacements Summary**

The Block Replacements Summary provides an overview of the block replacements that the Simulink Design Verifier software executed. It appears only if the Simulink Design Verifier software replaced any blocks in a model.

Each row of the table corresponds to a particular block replacement rule that the Simulink Design Verifier software applied to the model. The table lists the following:

- Name of the M-file that represents the block replacement rule and the value of the BlockType parameter the rule specifies
- Description of the rule that the MaskDescription parameter of the replacement block specifies
- Names of any blocks that the Simulink Design Verifier software replaced in the model

To locate a particular block replacement in your model, click on the name for that replacement in the Replaced Blocks column of the table; the software highlights the affected block in your model window and opens a new window that displays the block in detail.

| #: | Replacement Rule / Block Type            | Rule Description | Replaced Blocks |
|----|------------------------------------------|------------------|-----------------|
| 1  | blkrep_rule_lookup_normal.m /Lookup      | Inserts test objectives for each interval of 1-D lookup table blocks. | Lookup Table |
| 2  | blkrep_rule_switch_normal.m /Switch      | Inserts test objectives for switch blocks that require each switch position be demonstrated when the values of input ports 1 and 3 differ. | |
| 3  | sldvdemo_custom_blkrep_rule_sqrt.m /Math | Approximates the mathematical function sqrt using lookup table. The input range is constrained to [0 10000]. | Math Function |

Block Replacements Summary

See Chapter 4, "Working with Block Replacements" for more information.

#### **Approximations**

Each row of the Approximations table describes a specific type of approximation that the Simulink Design Verifier software used during its analysis of the model.



#### Approximations

Simulink Design Verifier performed the following approximations during analysis. These can impact the precision of the results generated by Simulink Design Verifier. Please see the product documentation for further details.

|   | Type                   | Description |
|---|------------------------|-------------|
| 1 | Rational approximation | The model includes floating-point arithmetic. Simulink Design Verifier approximates floating-point arithmetic with rational number arithmetic. |

**Note** Review the analysis results carefully when the software uses approximations. In rare cases, an approximation may result in test cases that fail to achieve test objectives or counterexamples that fail to falsify proof objectives. For example, a floating-point-roundoff error might prevent a signal from exceeding a designated threshold value.
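The roundoff effect this note describes, as an added illustration (not MathWorks code, and not the algorithm the Simulink Design Verifier software uses): a hypothetical accumulator adds 0.1 per step and the objective is that its value reaches a threshold of 1.0. The model and all function names are assumptions; the 500-step limit is the Maximum Testcase Steps value shown in the sample Analysis Options table.

```python
"""Added illustration: a test case derived in exact rational arithmetic
can miss its objective when replayed in IEEE 754 double precision."""
from fractions import Fraction

MAX_TESTCASE_STEPS = 500  # value shown in the sample Analysis Options table


def first_step_reaching(threshold, increment, start, max_steps=MAX_TESTCASE_STEPS):
    """Return the first step at which the accumulator is >= threshold.

    The arithmetic is whatever the argument types provide: Fraction gives
    exact rationals, float gives IEEE 754 doubles. Returns None if the
    objective is not reached within max_steps.
    """
    acc = start
    for step in range(1, max_steps + 1):
        acc = acc + increment
        if acc >= threshold:
            return step
    return None


def derive_test_length_rational():
    """Analysis view (assumed): constants are exact rationals, 0.1 is 1/10."""
    return first_step_reaching(Fraction(1), Fraction(1, 10), Fraction(0))


def replay_in_double(n_steps):
    """Simulation view: replay n_steps with double-precision arithmetic."""
    acc = 0.0
    for _ in range(n_steps):
        acc += 0.1
    return acc


def check_test_case(n_steps, threshold=1.0):
    """Replay a derived test case and report whether the objective holds."""
    value = replay_in_double(n_steps)
    return {"steps": n_steps, "value": value, "objective_met": value >= threshold}


if __name__ == "__main__":
    n = derive_test_length_rational()
    print("rational analysis: objective reached at step", n)
    print("double replay    :", check_test_case(n))
    print("double arithmetic reaches the threshold at step",
          first_step_reaching(1.0, 0.1, 0.0))
```

Replaying each generated test case or counterexample in the arithmetic the model actually uses, and checking the objective on the replayed values, is what catches this kind of mismatch.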

#### **Test / Proof Objectives Status Chapter**

The Test / Proof Objectives Status chapter of the HTML report summarizes all test or proof objectives in a model, including an objective's type, the model item to which it corresponds, and its description. This chapter displays each objective in one of the following tables associated with the objective's status:

• **Objectives Undecided** — Lists the test or proof objectives for which the Simulink Design Verifier software was unable to determine an outcome in the allotted time. In this property-proving example, either the software exceeded its analysis time limit (which the **Maximum analysis time** parameter specifies), or you aborted the analysis before it completed processing these objectives.

#### **Objectives Undecided**

Simulink Design Verifier was not able to process these objectives with the current options.

| #: | Type                   | Model Item                | Description  | Counterexample |
|----|------------------------|---------------------------|--------------|----------------|
| 1  | Custom Proof Objective | Verify Output/FoutCorrect | Objective: T | n/a            |
| 2  | Custom Proof Objective | Verify Output/ToutCorrect | Objective: T | n/a            |
• **Objectives Producing Errors** — Lists the test or proof objectives for which the Simulink Design Verifier software encountered errors during its analysis. In this example, analyzing these objectives involves nonlinear arithmetic, which the software does not support. Thus, errors occur and appear in the report.

| Objectives Producing Errors |          |                            |                                                            |           |
|-----------------------------|----------|----------------------------|------------------------------------------------------------|-----------|
| #:                          | Type     | Model Item                 | Description                                                | Test Case |
| 4                           | Decision | Mode switch                | logical trigger input true (output is from 1st input port) | n/a       |
| 8                           | Decision | Basic Roll Mode/Integrator | integration result <= lower limit T                        | n/a       |
| 10                          | Decision | Basic Roll Mode/Integrator | integration result >= upper limit T                        | n/a       |

If the Simulink Design Verifier software's **Mode** parameter specifies **Test generation**, the Status section also includes the following tables:

• **Objectives Proven Unsatisfiable** — Lists the test objectives that the Simulink Design Verifier software determined could not be satisfied. In this example, the software found that there are no test cases that achieve these objectives.

#### **Objectives Proven Unsatisfiable**

Simulink Design Verifier proved that there does not exist any test case exercising these test objectives. This often indicates the presence of dead-code in the model. Other possible reasons can be inactive blocks in the model due to parameter configuration or test constraints such as given using Test Condition blocks. In rare cases, the approximations performed by Simulink Design Verifier can make objectives impossible to achieve.

| #: | Type                  | Model Item | Description    | Test Case |
|----|-----------------------|------------|----------------|-----------|
| 1  | Custom Test Objective | True       | Objective: 100 | n/a       |

• **Objectives Satisfied** — Lists test objectives that the Simulink Design Verifier software satisfied. In this example, the software generated test cases that achieve the specified objectives.

#### Objectives Satisfied

Simulink Design Verifier found test cases that exercise these test objectives.

| #: | Type     | Model Item    | Description                                           | Test Case |
|----|----------|---------------|-------------------------------------------------------|-----------|
| 1  | Decision | PI Controller | enable logical value F                                | 2         |
| 2  | Decision | PI Controller | enable logical value T                                | 1         |
| 3  | Decision | P Controller  | enable logical value F                                | 1         |
| 4  | Decision | P Controller  | enable logical value T                                | 2         |
| 5  | Decision | mp switch     | integer input value = 1 (output is from input port 2) |           |
| 6  | Decision | mp switch     | integer input value = 2 (output is from input port 3) | 2         |

• **Objectives Satisfied - No Test Case** — Lists test objectives that the Simulink Design Verifier software satisfied without generating test cases.

| Objectives Satisfied - No Test Case |          |            |                        |           |
|-------------------------------------|----------|------------|------------------------|-----------|
| #:                                  | Type     | Model Item | Description            | Test Case |
| 2                                   | Decision | Saturation | input > lower limit T  | n/a       |
| 3                                   | Decision | Saturation | input >= upper limit F | n/a       |
| 4                                   | Decision | Saturation | input >= upper limit T | n/a       |

If the Simulink Design Verifier software's **Mode** parameter specifies **Property proving**, the Status section includes:

• **Objectives Proven Valid** — Lists the proof objectives that the Simulink Design Verifier software proved valid.

| Objectives Proven Valid |                        |                 |              |                |
|-------------------------|------------------------|-----------------|--------------|----------------|
| #:                      | Type                   | Model Item      | Description  | Counterexample |
| 1                       | Custom Proof Objective | Proof Objective | Objective: 1 | n/a            |

• **Objectives Falsified with Counterexamples** — Lists the proof objectives that the Simulink Design Verifier software disproved. In this example, the software generated at least one counterexample that falsifies the specified objectives.

#### Objectives Falsified with Counterexamples

| #: | Type   | Model Item                   | Description | Counterexample |
|----|--------|------------------------------|-------------|----------------|
| 1  | Assert | Verify True Output/Assertion | assert      | 1              |

• **Objectives Falsified - No Counterexample** — Lists the proof objectives that the Simulink Design Verifier software disproved without generating counterexamples. This occurs if, for example, you specified a proof objective on a signal whose value the software cannot control, or the software encountered a divide-by-zero error when instantiating a counterexample.



| Objectives Falsified - No Counterexample |                        |                  |              |                |
|------------------------------------------|------------------------|------------------|--------------|----------------|
| #:                                       | Type                   | Model Item       | Description  | Counterexample |
| 1                                        | Custom Proof Objective | Proof Objective  | Objective: F | n/a            |
| 2                                        | Custom Proof Objective | Proof Objective1 | Objective: T | n/a            |

#### **Model Items Chapter**

The Model Items chapter of the HTML report includes a table for each object in the model that defines coverage objectives. The table for a particular object lists all of the associated objectives, the objective types, objective descriptions, and the status of each objective at the end of the analysis.

The table for an individual object in the model will look similar to this one for the TK switch in the Roll Reference subsystem.

To highlight a given object in your model, click View at the upper-left corner of the table; the software opens a new window that displays the object in detail. To view the details of the test case that was applied to a specific objective, click the test case number in the last column of the table.

| Roll Reference/TK switch |          |                                                             |                |           |
|--------------------------|----------|-------------------------------------------------------------|----------------|-----------|
| #:                       | Type     | Description                                                 | Status         | Test Case |
| 27                       | Decision | logical trigger input false (output is from 3rd input port) | Produced error | n/a       |
| 28                       | Decision | logical trigger input true (output is from 1st input port)  | Satisfied      | 1         |

#### **Test Cases / Properties Chapter**

The Test Cases / Counterexamples chapter of the HTML report provides an overview of the test cases or counterexamples that the Simulink Design Verifier software generated during its analysis. Depending on whether the software's **Mode** parameter specifies **Test generation** or **Property proving**, this chapter includes sections associated with the following:

- "Test Cases"
- "Properties"

#### **Test Cases**

If the Simulink Design Verifier software's **Mode** parameter specifies **Test generation**, the report's Test Cases chapter includes a series of sections that summarize the test cases the software generated.

**Test Case 1**

**Summary**

- Length: 0 Seconds (1 sample periods)
- Objective Count: 8

**Objectives**

| Step | Time | Model Item                   | Objectives                                                 |
|------|------|------------------------------|------------------------------------------------------------|
| 1    | 0    | Controller/Switch1           | logical trigger input true (output is from 1st input port) |
|      |      | Controller/Logical Operator1 | Logic: input port 1 T                                      |
|      |      | Controller/Logical Operator2 | Logic: input port 1 T                                      |
|      |      | Controller/Logical Operator  | Logic: input port 1 T                                      |
|      |      | Controller/Logical Operator  | Logic: input port 2 F                                      |
|      |      | Controller/PI Controller     | enable logical value F                                     |
|      |      | Controller/Logical Operator2 | Logic: MCDC expression for output with input port 1 T      |
|      |      | Controller/Logical Operator  | Logic: MCDC expression for output with input port 2 F      |

**Generated Input Data**

| Time   | 0 |
|--------|---|
| Step   | 0 |
| enable | 1 |
| brake  | 1 |
| set    | 1 |
| inc    | 1 |
| dec    | 0 |
| speed  | U |

Each section lists the following information about a test case:

- Length of the signals that comprise the test case
- Total number of test objectives that the test case achieves
- Time step and corresponding time at which the test case achieves particular test objectives
- Values of the signals that comprise the test case

**Note** The Generated Input Data table can display a dash (-) instead of a number as a signal value. In this case, the value of the signal at that time step does not affect the test objective. In the test harness model, the Inputs block represents these values with zeros unless you enable the **Randomize data that does not affect outcome** parameter (see "Randomize data that does not affect outcome" on page 13-39).

#### **Properties**

If the Simulink Design Verifier software's **Mode** parameter specifies **Property proving**, the report's Properties chapter includes a series of sections that summarize the proof objectives and any counterexamples the software generated.

If the software proves an objective is valid, this report chapter displays a summary section similar to this one.

**Proof Objective**

| Summary     |                        |
|-------------|------------------------|
| Model Item: | <u>Proof Objective</u> |
| Property:   | Objective: 1           |
| Status:     | Proven valid           |

If the software falsifies an objective, this report chapter has a summary section that is similar to the one in the following figure.

To highlight the proof objective in your model, click **Proof Objective** in the Summary section.

**Proof Objective**

| Summary     |                 |
|-------------|-----------------|
| Model Item: | Proof Objective |
| Property:   |                 |
| Status:     |                 |

| Time   | 0 |
|--------|---|
| Step   | 0 |
| enable | 1 |
| brake  | 0 |
| set    | 0 |
| inc    | 1 |
| dec    | 0 |
| speed  | 0 |

# 10 Analyzing Large Models and Improving Performance

- "Sources of Model Complexity" on page 10-2
- "Analyzing a Large Model" on page 10-3
- "Managing Model Data to Simplify the Analysis" on page 10-8
- "Partitioning Model Inputs and Generating Tests Incrementally" on page 10-12
- "Analyzing the Model Using a Bottom-Up Approach" on page 10-14
- "Analyzing Logical Operations" on page 10-15
- "Handling Models with Large State Spaces" on page 10-16
- "Handling Problems with Counters and Timers" on page 10-17
- "Techniques for Proving Properties of Large Models" on page 10-19

# **Sources of Model Complexity**

Some model characteristics can cause problems with a Simulink Design Verifier analysis in the following ways:

- Complexity of model inputs due to:
  - Large number of inputs (The number of inputs can vary, depending on the individual model.)
  - Types of inputs (floating-point values, for example)
  - The way the inputs affect the model state and the objectives of the analysis
- Number of possible simulation paths through a model
- Portions of the model that cannot be reached

The following sections describe techniques designed to reduce the impact of this complexity and achieve the best performance from the Simulink Design Verifier software.

Most of these techniques focus on test generation for large models, but you can use many of them to prove the properties of a large model and generate counterexamples when a property is disproved. In addition, "Techniques for Proving Properties of Large Models" on page 10-19 describes specific techniques for proving properties in a large model.

# Analyzing a Large Model

#### In this section ...

"Types of Large Model Problems" on page 10-3

"Using the Default Parameter Values" on page 10-4

"Modifying the Analysis Parameters" on page 10-5

"Using the Large Model Optimization" on page 10-5

"Stopping the Analysis Before Completion" on page 10-6

#### **Types of Large Model Problems**

The Simulink Design Verifier software may encounter some of these problems when analyzing a large model:

- Unsatisfiable objectives: The software proved there are no test cases that exercise these test objectives, and thus did not generate any test cases.
- Undecided objectives: The software was not able to satisfy or falsify these objectives.
- Objectives with errors: The most common error occurs when a model component uses nonlinear arithmetic, which can affect a test objective.
- Cannot complete the analysis in the time allotted: This problem may indicate an area of your model where the software encountered problems, or you may need to increase the value of the **Maximum analysis time** parameter.
- Analysis hangs: If the number of objectives processed remains constant for a considerable length of time, the software has likely encountered complexity between the model and its objectives.
- Does not achieve a high percentage of model coverage: When you ran the test cases on the test harness, the percentage of model coverage was insufficient for your design.

The next few sections describe the initial steps to take when analyzing a large model. Although these steps address test generation, you can use a similar approach when proving properties in a model.

## **Using the Default Parameter Values**

When you generate test cases for a model, whether large or small, the first step is to analyze the model using the Simulink Design Verifier default parameter values:

- **1** Check to see if your model is compatible with the Simulink Design Verifier software, as described in Chapter 3, "Ensuring Compatibility with the Simulink<sup>®</sup> Design Verifier Software".
- **2** Using the default parameter values, analyze the model. The following table lists three of the default parameter values.

| Parameter                 | Default Value       | Description                                                                                        |
|---------------------------|---------------------|----------------------------------------------------------------------------------------------------|
| Maximum analysis time     | 600 (seconds)       | If the analysis does not finish within the specified time, the analysis times out and terminates.  |
| Test suite optimization   | Combined objectives | Generates test cases that address more than one test objective (if possible).                      |
| Model coverage objectives | MCDC                | Generates test cases that achieve modified condition/decision coverage (MCDC).                     |

- **3** Review the following information in the Simulink Design Verifier log window while the analysis runs:
  - Number of objectives processed: How many objectives were processed? Did the analysis hang after processing a certain number of objectives? The answers to these questions might give you a clue about where a problem might lie.
  - Number of objectives satisfied/Number of objectives falsified: Which objectives were falsified?
  - Time elapsed: Did the analysis time out, or did it finish within the specified maximum analysis time?

- **4** When the analysis completes, review the Simulink Design Verifier report. This report contains links to the model elements for satisfied and falsified objectives so you can see what portions of the model might have problems.
- **5** If all the test objectives have been satisfied, run the test cases on the test harness to determine model coverage.

If model coverage is sufficient, you do not need to do anything else. If the coverage is not sufficient, take additional steps to improve the analysis performance, as described in the following sections.

**Note** A large percentage of falsified objectives and poor model coverage often indicates that you need to change model parameter values to get complete coverage. This occurs when you have tunable parameters in Constant blocks that are connected to enabled subsystems or the trigger input of Switch blocks. In these situations, configure Simulink Design Verifier parameter support as described in Chapter 5, "Specifying Parameter Configurations".

#### **Modifying the Analysis Parameters**

If the analysis satisfied most but not all of the objectives, try the following steps:

- **1** Increase the **Maximum analysis time** parameter. Such an increase gives the analysis more time to satisfy all the objectives.
- **2** Set the **Model coverage objectives** parameter to Decision. Selecting this option generates only test cases that achieve decision coverage. These test cases are a subset of the MCDC option.
- **3** Rerun the analysis and review the report.

If the results are not satisfactory, try the techniques described in the following sections.

#### Using the Large Model Optimization

Set the **Test suite optimization** parameter to Large model, and rerun the Simulink Design Verifier analysis.

The large model optimization strategy is designed for large, complex models. It may or may not improve the results of your analysis enough to fully test your design.

If there are outstanding test cases you want the software to generate, or additional properties you need to prove, continue with the following techniques.

#### **Stopping the Analysis Before Completion**

Watch the **Objectives processed** value in the log window. If about 50 percent of the **Maximum analysis time** parameter has elapsed and this value does not increase, the model analysis may have trouble processing certain objectives. If the analysis does not progress, take the following steps:

- **1** Click **Stop** in the log window.

The following dialog box opens.

| Analysis was aborted |                                 |    |  |
|----------------------|---------------------------------|----|--|
| ?                    | Do you want to produce results? |    |  |
|                      | Yes                             | No |  |

- **2** Click **Yes** to save the results.

The software creates a test harness and an HTML report.

- **3** Review the results. In the HTML report, review the **Objectives Undecided when the Analysis was Stopped** and **Objectives Producing Errors** sections to identify the model elements that are causing problems.
- **4** Review the model elements that have undecided objectives or objectives with errors to see if any of the following problems are present. Consult the respective sections for specific techniques to improve the analysis:

  - Floating-point inputs. See "Managing Model Data to Simplify the Analysis" on page 10-8.
  - Nonlinear operations. See "Analyzing the Model Using a Bottom-Up Approach" on page 10-14 and "Analyzing Logical Operations" on page 10-15.
  - Large state spaces. See "Handling Models with Large State Spaces" on page 10-16.
  - Large timers and time delays. See "Handling Problems with Counters and Timers" on page 10-17.

# Managing Model Data to Simplify the Analysis

#### In this section ...

"Simplifying Data Types" on page 10-8

"Constraining Data" on page 10-8

## **Simplifying Data Types**

One way to simplify your model is to give each signal the data type that requires the smallest space for the expected data. For example, do not use an int data type for Boolean data, because only 1 bit is required for Boolean data.

In another example, suppose you have a Sum block with two inputs that are always going to be integers between -10 and 10. In this example, set the **Output data type** parameter to int8, rather than int32 or double, or any other data type that requires more space than necessary.

To display the signal data types in the model window, select **Format > Port/Signal Displays > Port Data Types**.

## **Constraining Data**

Another effective technique for reducing complexity is to restrict the inputs to a set of representative values or, ideally, a single constant value. This process, called *discretization*, treats the input as if it were an enumeration. Discretization allows you to handle nonlinear arithmetic from multiplication and division in the simplest way possible.

The following model has a Product block feeding a Saturation block.



The Simulink Design Verifier software generates errors when attempting to satisfy the upper and lower limits of the Saturation block, because the software does not support nonlinear arithmetic. To work around these errors, restrict one of the inputs to a set of discrete values.

Identify discrete values that are required to satisfy your testing needs. For example, you may have an input for model speed, and your design contains paths of execution that are conditioned on speed above or below thresholds of 80, 150, 600, and 8000 RPM. For an effective analysis, constrain speed values to be 50, 100, 200, 1000, 5000, or 10000 RPM so that every threshold can be either active or inactive.

If you need to use more than two or three values, consider specifying the constrained values using an expression like num2cell(minval:increment:maxval).

Using the previous example model, restrict the second input (y) to be either 1, 2, 5, or 10 using the Test Condition block as shown. The Simulink Design Verifier software produces test cases for all inputs.



You can also constrain signals that are intermediate or output values of the model. Constraining such signals makes it easier to work around multiplication or divisions inside lower-level subsystems that do not depend on model inputs.

**Note** Discretization is best limited to a small number of inputs (less than 10). If your model requires discretization of many inputs, try to achieve model coverage through successive simulations as described in "Partitioning Model Inputs and Generating Tests Incrementally" on page 10-12.

Test Condition blocks do not need to be placed exactly on the inputs. In deciding where to place the constraints in your model, consider the following guidelines:

- Favor constraints on the input values because the software can process inputs more easily.
- If you need to place constraints on both the input and the output, for example, to avoid nonlinear arithmetic, one of the constraints should be a range such as [minval maxval]. The software first tests the values at both ends of the range and can return a test case, even if the underlying calculations are nonlinear.
- Make sure that constraints at corresponding input and output points are not contradictory. Do not constrain the output signals to values that are not achievable because of the constraints on the input values.

- Avoid creating constraints that contradict the model. Such contradictions occur when a constraint can never be satisfied because it contradicts some aspect of the model or another constraint. Analyzing contradictory models can cause the Simulink Design Verifier software to hang.

The next figure shows a simple example of a contradictory model. The second input to the Multiply block is the constant 1, but the Test Condition block constrains it to a value of 2, 5, or 10. The software cannot achieve all the test objectives in this model.



- When you work with large models that have many multiplication and division operations, you may find it easier to add constraints to all of the floating-point inputs rather than to identify the precise set of inputs that require constraints.

# Partitioning Model Inputs and Generating Tests Incrementally

As described in "Constraining Data" on page 10-8, you can constrain the values of model inputs using the Simulink Design Verifier Test Condition block.

Like other Simulink parameters, constraint values can be shared across several blocks by referencing a common workspace variable, and they can be initialized from M-files. If you have several inputs related to speed, such as desired speed, measured speed, and average speed, you might choose to constrain all of them to the same set of values.

As an advanced technique for experienced MATLAB programmers, you can use parameterized constraints and successive runs of the Simulink Design Verifier software to implement an incremental test-generation technique:

- **1** Partition model inputs so that some are held constant, some are constrained to sets of constants using the Test Condition block, and some are free.
- **2** Generate test cases and run those test cases to collect model coverage.
- **3** Choose new values and partition the inputs with these new values.
- **4** Generate test cases for missing coverage using sldvgencov and the current test coverage.

**Note** The Extending an Existing Test Suite demo shows how to extend a test suite so that it satisfies missing model coverage.

- **5** Repeat steps 3 and 4 until you have generated sufficient coverage.

Partition the model inputs in a way that enables further simplification when an analysis runs. Consider the following model, which has three mutually independent enabled subsystems: Normal Mode, Shutdown Mode, and Failure Mode.



You can incrementally generate test cases for each subsystem by constraining the first input to the appropriate constant value before running an analysis. In this way, as you create test cases for each subsystem, the software ignores the complexity of the other two subsystems.

## Analyzing the Model Using a Bottom-Up Approach

Simulink Design Verifier software works most effectively at analyzing large models using a bottom-up approach. In this approach, the software analyzes smaller model components first, which can be faster than using the Large model test suite optimization.

The bottom-up approach offers several advantages:

- It allows you to solve the problems that slow down test generation or property proving in a controlled environment.
- Solving problems with small model components before analyzing the model as a whole is more efficient, especially if you have unreachable components in your model that you can only discover in the context of the model.
- You can iterate more quickly—find a problem and fix it, find another problem and fix it, and so on.
- If one model component has a problem, for example, it's unreachable, that situation can prevent the software from generating tests for *all* the objectives in a large model.

Try this workflow with your large model:

- **1** Break down the model into components of 100–1000 objectives each. Use the sldvextract function to extract components into a new model for analysis purposes.
- **2** Analyze the individual components, starting with the lowest level subsystems.
- **3** Fix any problems by adding constraints or specifying block replacements.
- **4** After you analyze the smaller components, reapply the necessary constraints and substitutions to the original model and analyze the full model.

When you finish a bottom-up analysis, you should have a top-level model that the Simulink Design Verifier software can analyze quickly.

### **Analyzing Logical Operations**

If you have a model with both logical and arithmetic operations, consider analyzing only the logical operations.

The Simulink Design Verifier software does not support nonlinear arithmetic of floating-point numbers, as occurs with multiplication or division, unless one of the multiply operands or the divisor is a constant.

To simplify models that contain integers or floating-point numbers, the software maps the model computations into expressions of Boolean variables. For example, the software might represent an 8-bit number as a set of 8 Boolean values, with one for each digit. It might represent a bitwise OR operation of two 8-bit integers as 8 separate logical OR operations.

Mapping problems of one data type into Boolean variables is complex, and this complexity increases when the software performs such mapping. The software handles models with predominantly logical signals more efficiently than it does those with large integer or floating-point signals.
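The following added example (not code from the guide or from the Simulink Design Verifier software) shows how the cost of such a Boolean mapping grows with the operation. It assumes textbook encodings, a ripple-carry adder and a shift-and-add multiplier; the guide does not say which encodings the software uses, and the names `BooleanEncoding` and `cost` are hypothetical.

```python
def to_bits(value, width=8):
    """Represent an unsigned integer as Boolean values, least-significant bit first."""
    return [bool((value >> i) & 1) for i in range(width)]


def from_bits(bits):
    """Rebuild the unsigned integer from its Boolean representation."""
    return sum(1 << i for i, bit in enumerate(bits) if bit)


class BooleanEncoding:
    """Builds integer operations from two-input Boolean operations and counts them."""

    def __init__(self):
        self.ops = 0  # number of two-input Boolean operations used so far

    def _and(self, a, b):
        self.ops += 1
        return a and b

    def _or(self, a, b):
        self.ops += 1
        return a or b

    def _xor(self, a, b):
        self.ops += 1
        return a != b

    def bitwise_or(self, x, y):
        """One logical OR per bit, as in the guide's 8-bit example."""
        return [self._or(a, b) for a, b in zip(x, y)]

    def add(self, x, y):
        """Ripple-carry adder (assumed encoding); result wraps at the operand width."""
        out, carry = [], False
        for a, b in zip(x, y):
            partial = self._xor(a, b)
            out.append(self._xor(partial, carry))
            carry = self._or(self._and(a, b), self._and(partial, carry))
        return out

    def multiply(self, x, y):
        """Shift-and-add multiplier (assumed encoding); result wraps at the operand width."""
        width = len(x)
        acc = [False] * width
        for i, y_bit in enumerate(y):
            # Partial product: x shifted left by i positions, gated by bit i of y.
            shifted = [False] * i + [self._and(a, y_bit) for a in x[: width - i]]
            acc = self.add(acc, shifted)
        return acc


def cost(operation, x, y, width=8):
    """Return (integer result, number of Boolean operations) for one operation."""
    enc = BooleanEncoding()
    bits = getattr(enc, operation)(to_bits(x, width), to_bits(y, width))
    return from_bits(bits), enc.ops


if __name__ == "__main__":
    for name in ("bitwise_or", "add", "multiply"):
        for width in (8, 16):
            print(f"{name:10s} width={width:2d} Boolean operations={cost(name, 13, 11, width)[1]}")
```

Under these encodings the bitwise OR and the addition grow linearly with the word width, while the multiplication grows roughly with its square.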

**Note** Simulink Design Verifier software can handle floating-point inputs when their values impact the design through linear inequalities such as x < y or a > 0.

In addition, input complexity can result from certain cast operations. For example, casting a double to an int8 can introduce a nonlinearity in certain situations.

## Handling Models with Large State Spaces

Persistent design variables (variables that are assigned in one time step and used in a later time step during simulation) affect the complexity of analysis in much the same way as input complexity. You can use one or more of the following techniques to simplify the complexity of the state space you want to search:

- Apply constraints to input signals that are delayed.
- Constrain the inputs to states that are contained within conditionally executed subsystems.
- Limit the number of test case steps by setting the **Maximum test case step** parameter to **20**.
- Increase the sample time for part or all of the model. (This procedure is similar to reducing timer thresholds, as described in "Handling Problems with Counters and Timers" on page 10-17.) A test case you generate at a lower sample rate often has similarities to the test case with a high sample rate that you need to achieve an objective.

States that are computed from previous state values present a special challenge. For example, if you want to restrict the integrator value in a PID controller, you can only use a set of values that includes all reachable values from the initial value. Otherwise, the input must be forced to 0. Neither of these limitations is practical, and either would probably make test generation or property proving less complete.

Alternatively, you can use any existing simulation data to help satisfy your testing needs. If you have existing test data, run it on your model and collect model coverage. By using the sldvgencov function, you can ignore model coverage objectives that have already been satisfied in simulation when you supply a coverage data object.

**Note** For more information on satisfying missing model coverage, see the Extending an Existing Test Suite demo.

### Handling Problems with Counters and Timers

Complexity from states occurs from both the size of the state representation and the number of time steps required to transition from one state to another. The Simulink Design Verifier software searches through sequences of time steps, starting from the default configuration, to find input values that reach a state that satisfies an objective.

**Note** For the purposes of Simulink Design Verifier analysis, the term *configuration* refers to a set of values for all the persistent information in your model.

The search process investigates all configurations that can be reached in a single time step before considering any of the configurations that can be reached in two time steps. Likewise, the search investigates all configurations that can be reached in two time steps before it considers any configuration that requires three or more time steps, etc.

Models that contain time delays, such as countdown timers, hinder the analysis by forcing the search to span large numbers of time steps. By design, the value of a counter can reach n only when its previous value is n - 1.

You may see similar effects when systems use extensive averaging and filtering to delay the response to a change in inputs. Any aspect of the design that delays the response causes the test sequences to contain more time steps, resulting in longer test cases that are more difficult to identify.

Some basic techniques you can use to improve performance in models that have delays include:

- **1** Make time delays tunable parameters. Choose very small values when running a Simulink Design Verifier analysis. A system with a logical error when a time delay is set to 2000 steps usually demonstrates that error if the time delay is changed to 2 steps. If your system has several delays, choose small but unique values for each of them so that your delays are progressively satisfied.

- **2** Choose higher-frequency cutoffs for filters and fewer samples to average to minimize filtering delays.
- **3** Make the initial values of counters and timers parameter values that the Simulink Design Verifier software can modify. The software finds initial values that allow shorter test cases to exceed thresholds.

## **Techniques for Proving Properties of Large Models**

Property proving uses the same underlying techniques as test generation and suffers from the same performance limitations. However, unlike test generation, you often cannot simplify the problem without compromising the validity of the results.

You can quickly prove simple proof objectives that are not affected by model dynamics. However, a successful proof requires that the Simulink Design Verifier software search through all reachable configurations of your model—even the ones that are reached only after long time delays. The computation time and memory required to search a model completely often make an exhaustive proof impractical.

Simulink Design Verifier software offers a bounded model-checking capability to examine properties in larger, more complicated models. Bounded model checking restricts the search for property violations to a predefined limit of time steps. If a violation is not detected, it is impossible to violate the property with any input sequence having fewer time steps than the specified limit. However, you cannot prove that the property is true because there might be a counterexample within more time steps than the specified limit.

To configure the software for bounded model checking, on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box, specify the value of the **Strategy** parameter as Find violation. When you use this strategy, the **Maximum violation steps** parameter becomes active so that you can specify an upper bound for the number of time steps in the search.

**Note** For more information about the parameters for property proving, see "Property Proving Pane" on page 6-11.

The following technique for proving properties in a large model combines proving and searching for violations:

- **1** On the **Design Verifier > Property Proving** pane, set the **Strategy** parameter to **Prove**.
- **2** On the **Design Verifier** pane, use a relatively short value for the **Maximum analysis time** parameter, such as 5–10 minutes. If there are trivial counterexamples, or if your properties do not depend on model dynamics, the analysis should complete in that amount of time.
- **3** Change the **Strategy** parameter to Find violation, and choose a small bound for the **Maximum violation steps** parameter, such as 4, 5, or 6. If your properties have simple counterexamples, the software should discover them.
- **4** If you do not find any violations with a small bound, increase the bound and look for longer counterexamples.
  - **a** Increase the bound in several increments, and observe the processing time and memory consumption. System resources might limit the length of violation that can be searched.
  - **b** In addition, consider the dynamics of your model and the number of time steps needed to transition between an arbitrary pair of configurations. If you choose too large a bound, the violation search can be more complex than the unbounded proof.
- **5** If you can run violation searches with relatively large bounds, e.g., 30–50 time steps, switch back to the **Prove** strategy, and use a longer time limit, such as several hours.
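The step-by-step search described in "Handling Problems with Counters and Timers" and the bounded search described in this section can be seen on a small model. This is an added example, not code from the guide and not the algorithm the Simulink Design Verifier software implements: it is an explicit breadth-first search over a constructed controller whose counter, inputs, defect, and names (`step`, `search`, `violates`) are all assumptions.

```python
from itertools import product

# Constructed model, not from the guide: a controller that becomes active after
# `enable` has been held for `delay` consecutive steps (delay >= 1). A
# configuration is the persistent data (count, active); the inputs at each
# step are (enable, brake).
INPUTS = list(product((0, 1), repeat=2))
START = (0, 0)


def step(config, inputs, delay, buggy):
    """Advance the model by one time step and return the next configuration."""
    count, active = config
    enable, brake = inputs
    if brake:
        count = 0
        if not buggy:
            active = 0  # corrected design: braking also clears the latch
    elif enable:
        count = min(count + 1, delay)  # the counter reaches n only from n - 1
    else:
        count, active = 0, 0
    if count == delay:
        active = 1
    return (count, active)


def violates(config, inputs):
    """Property under test: the controller is never active while brake is applied."""
    return bool(config[1] and inputs[1])


def search(delay, bound, buggy=True):
    """Breadth-first search over configurations, one time step per level.

    Returns (verdict, steps, trace):
      "violated" - a counterexample of length `steps`; trace lists its inputs
      "proven"   - every reachable configuration was visited and none violates
      "bounded"  - no violation within `bound` steps, which is not a proof
    """
    visited = {START}
    frontier = {START: []}  # configuration -> input sequence that reaches it
    for k in range(1, bound + 1):
        reached = {}
        for config, trace in frontier.items():
            for inputs in INPUTS:
                nxt = step(config, inputs, delay, buggy)
                if violates(nxt, inputs):
                    return ("violated", k, trace + [inputs])
                if nxt not in visited:
                    visited.add(nxt)
                    reached[nxt] = trace + [inputs]
        if not reached:  # nothing new is reachable: the search is exhaustive
            return ("proven", k, None)
        frontier = reached
    return ("bounded", bound, None)


if __name__ == "__main__":
    for delay, bound in ((2000, 6), (2000, 3000), (2, 6)):
        verdict, steps, _ = search(delay, bound)
        print(f"delay={delay:5d} bound={bound:5d} -> {verdict} at step {steps}")
    print("corrected design, delay=2:", search(2, 6, buggy=False)[:2])
```

With a delay of 2000 steps, a bound of 6 reports nothing although the defect exists; the same defect appears at step 3 once the delay is made tunable and set to 2.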



## **Function Reference**

| Purpose     | Replace model blocks to support Simulink Design Verifier analysis |
|-------------|--------------------------------------------------------------------|
| Syntax      | [status, newmodel] = sldvblockreplacement(model)<br>[status, newmodel] = sldvblockreplacement(model, options)<br>[status, newmodel] = sldvblockreplacement(model, options, showUI) |
| Description | [status, newmodel] = sldvblockreplacement(model) copies the open model and replaces specified model blocks and other model components to prepare the model for a Simulink Design Verifier analysis. sldvblockreplacement replaces the blocks of the model according to the block replacement rules specified in the configuration settings associated with model, and returns a handle to the new model in newmodel. sldvblockreplacement returns 1 upon successful completion. Otherwise, it returns 0. |
|             | [status, newmodel] = sldvblockreplacement(model, options) replaces the blocks of the open model according to the block replacement rules using the sldvoptions object specified by options, and returns a handle to the new model in newmodel. |
|             | [status, newmodel] = sldvblockreplacement(model, options, showUI) performs the same tasks as sldvblockreplacement(model, options). If you set showUI to false (the default), any errors appear at the MATLAB command line; if you set showUI to true, any errors appear in the Simulation Diagnostics Viewer. |
| See Also    | sldvoptions |

## sldvcompat

| Purpose     | Check model for compatibility with Simulink Design Verifier analysis |
|-------------|----------------------------------------------------------------------|
| Syntax      | <pre>status = sldvcompat(model)<br/>status = sldvcompat(block)<br/>status = sldvcompat(model, options)</pre> |
| Description | status = sldvcompat(model) returns 1 if the open model is compatible with the Simulink Design Verifier software; otherwise, it returns 0. When checking for compatibility, if you select the Apply block replacements parameter, the Simulink Design Verifier software replaces model blocks |
|             | <b>Note</b> If you call this function without specifying a model, the function operates on the current open model. |
|             | status = sldvcompat(block) converts the Simulink block into a temporary model, and then checks the compatibility of that model with the Simulink Design Verifier software. The function destroys the temporary model after the compatibility check. |
|             | status = sldvcompat(model, options) checks the subsystem specified by the open model for compatibility with the Simulink Design Verifier software using the sldvoptions object specified by options. |

**Examples** The following commands open the vdp demo model and check for its compatibility with the Simulink Design Verifier software:

```
vdp
status = sldvcompat('vdp')
```

The Simulink Design Verifier software displays a result that indicates the vdp model is not compatible:

```
Checking compatibility of model "vdp"
Model "vdp" is not compatible with Simulink Design Verifier
status =
0
```

The following commands open sldvdemo\_flipflop and check for its compatibility with the Simulink Design Verifier software:

```
sldvdemo_flipflop
status = sldvcompat('sldvdemo_flipflop')
```

The Simulink Design Verifier software displays the results that indicate the sldvdemo\_flipflop model is compatible:

```
Checking compatibility of model "sldvdemo_flipflop"
Compiling model...done
Checking compatibility...done
Model "sldvdemo_flipflop" is compatible with
Simulink Design Verifier.
ans =
1
```

**See Also** sldvoptions, sldvrun

## sldvextract

| Purpose     | Extract subsystem contents into new model for Simulink Design Verifier analysis |
|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Syntax      | <pre>[status, modelH] = sldvextract(blockH)<br/>[status, modelH] = sldvextract(blockH, showModel)<br/>[status, modelH] = sldvextract(blockH, showModel, showUI)<br/>[status, modelH] = sldvextract(blockH, showModel, showUI, isvalid)</pre> |
| Description | [status, modelH] = sldvextract(blockH) extracts the contents of the subsystem that blockH specifies and creates a new model that you can analyze using the Simulink Design Verifier software. The sldvextract function returns the handle of the new model in modelH. It returns status as 1 upon successful completion; otherwise, it returns 0. |
|             | [status, modelH] = sldvextract(blockH, showModel) opens the extracted model if you set showModel to true. |
|             | [status, modelH] = sldvextract(blockH, showModel, showUI) performs the same tasks as sldvextract(blockH, showModel, showUI). If you set showUI to false (the default), any errors appear at the MATLAB command line; if you set showUI to true, any errors appear in the Simulation Diagnostics Viewer. |
|             | [status, modelH] = sldvextract(blockH, showModel, showUI, isvalid) performs the same tasks as sldvextract(blockH, showModel, showUI). The isvalid argument is reserved for internal use. |

## sldvgencov

| Purpose     | Run Simulink Design Verifier analysis to obtain missing model coverage                                                                                                                                                           |  |  |
|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| Syntax      | [status, cvdo] = sldvgencov(model, options, showUI, startCov)                                                                                                                                                                    |  |  |
| Description | <pre>[status, cvdo] = sldvgencov(model, options, showUI,<br/>startCov) runs a Simulink Design Verifier analysis on the specified<br/>model using the sldvoptions object specified by options.</pre>                              |  |  |
|             | Set showUI to true to open the log window during analysis. Set showUI to false to direct output to the MATLAB command line.                                                                                                      |  |  |
|             | The analysis ignores all model coverage objects that are satisfied in the cvdata object specified by startCov.                                                                                                                   |  |  |
|             | The sldvgencov function returns 1 for status if the Simulink Design Verifier software was successful; otherwise, it returns 0. It also measures the coverage in the new tests and returns the resulting cvdata object cvdo. |  |  |
| See Also    | sldvoptions, sldvrun                                                                                                                                                                                                             |  |  |

## sldvharnessmerge

**Purpose** Merge test cases and initializations into one model

**Syntax** status = sldvharnessmerge(name, models, initialization\_commands)

**Description** status = sldvharnessmerge(name, models, initialization\_commands) collects the test data and initialization commands from each test harness model listed in models and saves them in name. This function assumes that you have created each test harness model with the Simulink Design Verifier software, either with the sldvrun function or the **Tools > Design Verifier > Generate Tests** menu item.

If name does not exist, this function creates it as a copy of the model in models. sldvharnessmerge then copies the data from the other models into this model. If name was created from a previous sldvharnessmerge run, subsequent runs of this function for name maintain the correct structure and initialization from that earlier run. If name matches an existing Simulink model, this function merges the test data from models into name.

- models can be a cell array of model names or an array of model handles.
- initialization\_commands must be a cell array of strings the same length as models. initialization\_commands define parameter settings for the test cases of each test harness model. Each time a model test case executes, the associated initialization command is evaluated in the base workspace.

Consider using sldvharnessmerge with sldvgencov to combine test cases that use different sets of parameter values.

**See Also** sldvgencov

## sldvoptions

| Purpose                             | Access Simulink Design Verifier options object                                                                                                             |
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Syntax                              | options = sldvoptions<br>options = sldvoptions(model)                                                                                                      |
| Description                         | options = sldvoptions returns a Simulink Design Verifier options<br>object that contains default values for its parameters (described in this<br>section). |
|                                     | <pre>options = sldvoptions(model) returns the Simulink Design Verifier options object attached to the open model.</pre>                                    |
| sldvoptions<br>Object<br>Parameters | The following table describes the parameters that comprise a Simulink Design Verifier options object.                                                      |

| Parameter        | Description                                                                                                                                                             | Values                                               |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------|
| Assertions       | Set by the Assertion<br>blocks option on the<br>Design Verifier ><br>Property Proving pane<br>of the Configuration<br>Parameters dialog box.                            | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'} |
| BlockReplacement | Set by the <b>Apply block replacements</b> option on the <b>Design Verifier &gt; Block Replacements</b> pane of the Configuration Parameters dialog box. | 'on'   {'off'} |
| BlockReplacementModelFileName | Set by the <b>File path of the output model</b> option on the <b>Design Verifier &gt; Block Replacements</b> pane of the Configuration Parameters dialog box. | string<br>{'\$ModelName\$_replacement'} |
| BlockReplacementRulesList | Set by the <b>List of block replacement rules</b> option on the <b>Design Verifier &gt; Block Replacements</b> pane of the Configuration Parameters dialog box. | string<br>{'&lt;FactoryDefaultRules&gt;'} |
| DataFileName                        | Set by the <b>Data file</b><br><b>name</b> option on the<br><b>Design Verifier</b><br><b>&gt; Results</b> pane of<br>the Configuration<br>Parameters dialog box.           | string<br>{'\$ModelName\$_sldvdata'}                              |
| DisplayReport                       | Set by the <b>Display</b><br><b>report</b> option on<br>the <b>Design Verifier</b><br>> <b>Report</b> pane of<br>the Configuration<br>Parameters dialog box.               | {'on'}   'off'                                                    |
| DisplayUnsatisfiableObjectives | Set by the <b>Display unsatisfiable test objectives</b> option on the <b>Design Verifier</b> pane of the Configuration Parameters dialog box. | {'on'}   'off' |
| HarnessModelFileName  | Set by the <b>Harness</b><br><b>model file name</b><br>option on the <b>Design</b><br><b>Verifier &gt; Results</b> pane<br>of the Configuration<br>Parameters dialog box.      | string<br>{'\$ModelName\$_harness'} |
| MakeOutputFilesUnique | Set by the Make<br>output file names<br>unique by adding a<br>suffix check box on the<br>Design Verifier pane<br>of the Configuration<br>Parameters dialog box.                | {'on'}   'off'                      |
| MaxProcessTime        | Set by the <b>Maximum</b><br><b>analysis time</b> option<br>on the <b>Design Verifier</b><br>pane of the Configuration<br>Parameters dialog box.                               | double {'600'}                      |
| MaxTestCaseSteps      | Set by the <b>Maximum</b><br><b>test case steps</b> option<br>on the <b>Design Verifier</b><br>> <b>Test Generation</b><br>pane of the Configuration<br>Parameters dialog box. | int32 {'500'}                       |
| MaxViolationSteps | Set by the <b>Maximum violation steps</b> option on the <b>Design Verifier &gt; Property Proving</b> pane of the Configuration Parameters dialog box. | int32 {'20'} |
| Mode                          | Set by the <b>Mode</b> option<br>on the <b>Design Verifier</b><br>pane of the Configuration<br>Parameters dialog box.                                                             | {'TestGeneration'}  <br>'PropertyProving'                  |
| ModelCoverageObjectives       | Set by the <b>Model</b><br>coverage objectives<br>option on the <b>Design</b><br>Verifier > Test<br>Generation pane<br>of the Configuration<br>Parameters dialog box.             | 'None'   'Decision'  <br>'ConditionDecision'  <br>{'MCDC'} |
| OutputDir                     | Set by the <b>Output</b><br><b>directory</b> option on the<br><b>Design Verifier</b> pane<br>of the Configuration<br>Parameters dialog box.                                       | string<br>{'sldv_output/\$ModelName\$'}                    |
| Parameters                    | Set by the <b>Apply</b><br><b>parameters</b> option<br>on the <b>Design Verifier</b><br>> <b>Parameters</b> pane<br>of the Configuration<br>Parameters dialog box.                | {'on'}   'off'                                             |
| ParametersConfigFileName | Set by the <b>Parameter configuration file</b> option on the <b>Design Verifier &gt; Parameters</b> pane of the Configuration Parameters dialog box. | string<br>{'sldv_params_template.m'} |
| ProofAssumptions      | Set by the <b>Proof</b><br>assumptions option<br>on the <b>Design Verifier</b><br>> <b>Property Proving</b><br>pane of the Configuration<br>Parameters dialog box.                     | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}              |
| ProvingStrategy       | Set by the <b>Strategy</b><br>option on the <b>Design</b><br><b>Verifier &gt; Property</b><br><b>Proving</b> pane of<br>the Configuration<br>Parameters dialog box.                    | 'FindViolation'<br>  {'Prove'}  <br>'ProveWithViolationDetection' |
| RandomizeNoEffectData | Set by the <b>Randomize</b><br>data that does not<br>affect outcome option<br>on the <b>Design Verifier</b><br>> <b>Results</b> pane of<br>the Configuration<br>Parameters dialog box. | 'on'   {'off'}                                                    |
| ReportFileName        | Set by the <b>Report</b><br>file name option on<br>the <b>Design Verifier</b><br>> <b>Report</b> pane of<br>the Configuration<br>Parameters dialog box.                                | <pre>string {'\$ModelName\$_report'}</pre>                        |
| ReportIncludeGraphics | Set by the <b>Include screen shots and plots</b> option on the <b>Design Verifier &gt; Report</b> pane of the Configuration Parameters dialog box. | 'on'   {'off'} |
| SaveDataFile       | Set by the <b>Save test</b><br>data to file option on<br>the <b>Design Verifier</b><br>> <b>Results</b> pane of<br>the Configuration<br>Parameters dialog box.            | {'on'}   'off'                                       |
| SaveExpectedOutput | Set by the <b>Include</b><br>expected output<br>values option on<br>the <b>Design Verifier</b><br>> <b>Results</b> pane of<br>the Configuration<br>Parameters dialog box. | 'on'   {'off'}                                       |
| SaveHarnessModel   | Set by the <b>Save test</b><br>harness as model<br>option on the <b>Design</b><br><b>Verifier &gt; Results</b> pane<br>of the Configuration<br>Parameters dialog box.     | {'on'}   'off'                                       |
| SaveReport         | Set by the <b>Generate</b><br>report of the results<br>option on the <b>Design</b><br><b>Verifier &gt; Report</b> pane<br>of the Configuration<br>Parameters dialog box.  | {'on'}   'off'                                       |
| TestConditions | Set by the <b>Test conditions</b> option on the <b>Design Verifier &gt; Test Generation</b> pane of the Configuration Parameters dialog box. | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'} |
| TestObjectives        | Set by the <b>Test</b><br>objectives option on<br>the <b>Design Verifier &gt;</b><br><b>Test Generation</b> pane<br>of the Configuration<br>Parameters dialog box.         | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}                 |
| TestSuiteOptimization | Set by the <b>Test suite</b><br>optimization option on<br>the <b>Design Verifier &gt;</b><br><b>Test Generation</b> pane<br>of the Configuration<br>Parameters dialog box. | {'CombinedObjectives'}  <br>'IndividualObjectives'  <br>'LargeModel' |

**See Also** sldvblockreplacement, sldvcompat, sldvgencov, sldvrun

## sldvrun

| Purpose     | Run Simulink Design Verifier analysis on model or subsystem |
|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Syntax      | <pre>status = sldvrun(model)<br/>status = sldvrun(block)<br/>status = sldvrun(model, options)<br/>[status, filenames] = sldvrun(model, options)<br/>[status, filenames] = sldvrun(model, options, showUI, startCov)</pre> |
| Description | status = sldvrun(model) runs a Simulink Design Verifier analysis on the specified model. The Simulink Design Verifier software uses the configuration settings associated with model (if available); otherwise, the software uses its default configuration settings. Upon completion, sldvrun returns one of the following values for status:<ul><li>-1 — Maximum processing time was exceeded.</li><li>0 — An error occurred.</li><li>1 — Preprocessing completed normally.</li></ul> |
|             | <b>Note</b> If you call this function without specifying a model, the function operates on the current system.                                                                                                                                                                                                                                                                                                                                                                                        |

status = sldvrun(block) converts the Simulink block into a new model, and then runs a Simulink Design Verifier analysis on the new model. The Simulink Design Verifier software uses the configuration settings associated with the parent model of block (if available); otherwise, the software uses its default configuration settings.

status = sldvrun(model, options) runs a Simulink Design Verifier analysis on the model specified by model. The Simulink Design Verifier software uses the sldvoptions object specified by options.

[status, filenames] = sldvrun(model, options) runs a Simulink Design Verifier analysis on the model specified by model. This function returns status and filenames, a structure whose fields list the names of the files that the Simulink Design Verifier software generates:

- DataFile: MAT-file that contains raw input data
- HarnessModel: Simulink harness model
- SystemTestFile: SystemTest TEST-file
- Report: HTML report that documents the results
- ExtractedModel: Simulink model extracted from subsystem
- BlockReplacementModel: Simulink model obtained after block replacements

[status, filenames] = sldvrun(model, options, showUI, startCov) opens the log window during analysis if you set showUI to true. If you set showUI to false (the default), it directs output to the MATLAB command line. The analysis ignores all model coverage objects that are satisfied in the cvdata object specified by startCov.

**See Also** sldvcompat, sldvgencov, sldvoptions

## sldvruntest

| Purpose     | Simulate model using test case in Simulink Design Verifier data file |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Syntax      | <pre>data = sldvruntest(model, sldvDataFile, testIdx)<br/>data = sldvruntest(model, sldvDataFile)<br/>[data, cvdo] = sldvruntest(model, sldvDataFile, testIdx, true)<br/>[data, cvdo] = sldvruntest(model, sldvDataFile, [], true)<br/>[data, cvdo] = sldvruntest(model, sldvDataFile, testIdx, true, outputFormat)</pre> |
| Description | <pre>data = sldvruntest(model, sldvDataFile, testIdx) simulates<br/>model using input signals associated with a single test case that the<br/>Simulink Design Verifier software generated. testIdx specifies the<br/>index of the test case that the sldvDataFile MAT-file contains. This<br/>function returns data, a structure whose fields contain the simulation<br/>results:</pre> |
|             | • T — Simulation time vector                                                                                                                                                                                                                                                                                                                                                            |
|             | • X — Simulation state matrix                                                                                                                                                                                                                                                                                                                                                           |
|             | • Y — Simulation output captured in time-series objects or, if the Outport block specifies a bus object, in time-series array objects                                                                                                                                                                                                                                                   |
|             | data = sldvruntest(model, sldvDataFile) simulates model using all test cases that the MAT-file sldvDataFile contains. |
|             | [data, cvdo] = sldvruntest(model, sldvDataFile, testIdx, true) simulates model using the test case that testIdx indexes in the MAT-file sldvDataFile. The Simulink Verification and Validation software collects model coverage information during the simulation, which the function returns in the cvdata object cvdo. |
|             | [data, cvdo] = sldvruntest(model, sldvDataFile, [], true) simulates model using all test cases that the MAT-file, sldvDataFile, contains. The Simulink Verification and Validation software collects model coverage information during the simulation, which the function returns in the cvdata object cvdo. |

[data, cvdo] = sldvruntest(model, sldvDataFile, testIdx, true, outputFormat) stores the output values of the model in Y in the structure data. If you set outputFormat to 'Timeseries' (the default), the output values are stored in the Timeseries format. If you set outputFormat to 'StructureWithTime' and the model's output signals do not include bus signals, the output values are stored in the Structure with time format.

See Also

cvsim (in the *Simulink Verification and Validation User's Guide*), sim (in the *Simulink Reference*)

12

## **Block Reference**

## **Proof Assumption**

**Purpose** Constrain signal values when proving model properties

**Library** Simulink Design Verifier

#### Description


When operating in property-proving mode, the Simulink Design Verifier software proves that properties of your model satisfy specified criteria (see Chapter 8, "Proving Properties of a Model"). In this mode, you can use Proof Assumption blocks to define assumptions for signals in your model. The **Values** parameter lets you specify constraints on signal values during a property proof. Use the **Initial** parameter to specify whether the constraint applies throughout the entire proof or only at its beginning. The block applies the specified **Values** parameter to its input signal, and the Simulink Design Verifier software proves or disproves that the properties of your model satisfy specified criteria.

The block's parameter dialog box also allows you to:

- Enable or disable the assumption.
- Specify that the block should display its **Values** parameter in the model editor.
- Specify that the block should display its output port.

**Note** The Simulink and Real-Time Workshop software ignore the Proof Assumption block during model simulation and code generation, respectively. The Simulink Design Verifier software uses the Proof Assumption block only when proving model properties.

#### **Specifying Proof Assumptions**

Use the **Values** parameter to constrain signal values in property proofs. Specify any combination of scalars and intervals in the form of a MATLAB cell array (see "Cell Arrays" in the MATLAB documentation for information about working with cell arrays).

**Tip** If the **Values** parameter specifies only one scalar value, you do not need to enter it in the form of a MATLAB cell array.

Scalar values each comprise a single cell in the array, for example:

```
{0, 5}
```

A closed interval comprises a two-element vector as a cell in the array, where each element specifies an interval endpoint:

```
{[1, 2]}
```

Alternatively, you can specify scalar values using the Sldv.Point constructor, which accepts a single value as its argument. You can specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following strings as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()' Defines an open interval.
- '[]' Defines a closed interval.
- '(]' Defines a left-open interval.
- '[)' Defines a right-open interval.

**Note** By default, Sldv.Interval considers an interval to be closed if you omit its third input argument.

As an example, the Values parameter

```
{0, [1, 3]}
```

specifies:

- 0: a scalar
- [1, 3]: a closed interval

The Values parameter

```
{Sldv.Interval(0, 1, '[)'), Sldv.Point(1)}
```

specifies:

- Sldv.Interval(0, 1, '[)'): the right-open interval [0, 1)
- Sldv.Point(1): a scalar

If you specify multiple scalars and intervals for a Proof Assumption block, the Simulink Design Verifier software combines them using a logical OR operation during the property proof. In this case, the software considers the entire assumption to be satisfied if any single scalar or interval is satisfied.

#### Data Type Support

The Proof Assumption block accepts signals of all built-in data types supported by the Simulink software. For a discussion on the data types supported by the Simulink software, see "Data Types Supported by Simulink" in *Simulink User's Guide*.

#### Parameters and Dialog Box

[Figure: Function Block Parameters dialog box for the Proof Assumption block, mask "Design Verifier Assumption", with the parameters Enable, Type, Values, Initial, Display values, and Pass through style (show Outport).]

The dialog box describes the block as follows: Assumes signal values when Simulink Design Verifier proves model properties. The input signal is assumed to be one of the values listed in the 'Values' parameter. Two element vectors specify intervals. Cell arrays specify lists. The signal must match one of the listed values or intervals at every time step unless the "Initial" check box is enabled, in which case the assumption is for only the first time step.

Example Values:

```
true
{[0 1], 2, [4 5], 6}
{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1}
```

#### Enable

Specify whether the block is enabled. If selected (the default), the Simulink Design Verifier software uses the block when proving properties of a model. Clearing this option disables the block, that is, causes the Simulink Design Verifier software to behave as if the Proof Assumption block did not exist. If this option is not selected, the block appears grayed out in the model editor.

#### Type

Specify whether the block behaves as a Proof Assumption or Test Condition block. Select Test Condition to transform the Proof Assumption block into a Test Condition block.

#### Values

Specify the proof assumption (see "Specifying Proof Assumptions" on page 12-2).

#### Initial

Specify whether the **Values** parameter applies at the beginning of or throughout the entire proof. If selected, the block constrains only the initial value of its input signal at the start of a proof analysis (t=0). If not selected (the default), the block constrains its signal value for the entire proof.

#### **Display values**

Specify whether the block displays the contents of its **Values** parameter in the model editor. By default, this option is selected.

#### Pass through style

Specify whether the block displays an output port in the model editor. If selected (the default), the block displays its output port, allowing its input signal to pass through as the block output. If not selected, the block hides its output port and terminates the input signal. The following figure illustrates the appearance of the block in each case.




[Figure: the Proof Assumption block with Pass through style selected and with Pass through style deselected.]



#### See Also

Proof Objective, Test Condition

## **Proof Objective**

**Purpose** Define objectives that signals must satisfy when proving model properties

**Library** Simulink Design Verifier

#### Description

When operating in property-proving mode, the Simulink Design Verifier software proves that properties of your model satisfy specified criteria (see Chapter 8, "Proving Properties of a Model"). In this mode, you can use Proof Objective blocks to define proof objectives for signals in your model. The **Values** parameter lets you specify values that a signal must achieve for at least one time step during a proof. The block applies the specified **Values** parameter to its input signal, and the Simulink Design Verifier software proves or disproves that the properties of your model satisfy specified criteria.

The block's parameter dialog box also allows you to:

- Enable or disable the objective.
- Specify that the block should display its **Values** parameter in the model editor.
- Specify that the block should display its output port.

**Note** The Simulink and Real-Time Workshop software ignore the Proof Objective block during model simulation and code generation, respectively. The Simulink Design Verifier software uses the Proof Objective block only when proving model properties.

#### **Specifying Proof Objectives**

Use the **Values** parameter to define values that a signal must achieve during a proof simulation. Specify any combination of scalars and intervals in the form of a MATLAB cell array (see "Cell Arrays" in the MATLAB documentation for information about working with cell arrays).

**Tip** If the **Values** parameter specifies only one scalar value, you do not need to enter it in the form of a MATLAB cell array.

Scalar values each comprise a single cell in the array, for example:

```
{0, 5}
```

A closed interval comprises a two-element vector as a cell in the array, where each element specifies an interval endpoint:

```
{[1, 2]}
```

Alternatively, you can specify scalar values using the Sldv.Point constructor, which accepts a single value as its argument. You can specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following strings as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()' Defines an open interval.
- '[]' Defines a closed interval.
- '(]' Defines a left-open interval.
- '[)' Defines a right-open interval.

**Note** By default, Sldv.Interval considers an interval to be closed if you omit its third input argument.

As an example, the Values parameter

```
{0, [1, 3]}
```

specifies:

- 0: a scalar
- [1, 3]: a closed interval

The Values parameter

```
{Sldv.Interval(0, 1, '[)'), Sldv.Point(1)}
```

specifies:

- Sldv.Interval(0, 1, '[)'): the right-open interval [0, 1)
- Sldv.Point(1): a scalar

If you specify multiple scalars and intervals for a Proof Objective block, the Simulink Design Verifier software combines them using a logical OR operation during the property proof. In this case, the software considers the entire proof objective to be satisfied if any single scalar or interval is satisfied.

#### Data Type Support

The Proof Objective block accepts signals of all built-in data types supported by the Simulink software. For a discussion on the data types supported by the Simulink software, see "Data Types Supported by Simulink" in *Simulink User's Guide*.

#### Parameters and Dialog Box

[Figure: Function Block Parameters dialog box for the Proof Objective block, mask "Design Verifier Proof Objective", with the parameters Enable, Type, Values, Display values, and Pass through style (show Outport).]

The dialog box describes the block as follows: Proves signal values using Simulink Design Verifier. The 'Values' parameter specifies input signal values to prove. Two element vectors specify intervals. Cell arrays specify lists. Signals are proven to satisfy at least one of the values or intervals at every time step.

Example Values:

```
true
{[0 1], 2, [4 5], 6}
{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1}
```

#### Enable

Specify whether the block is enabled. If selected (the default), the Simulink Design Verifier software uses the block when proving properties of a model. Clearing this option disables the block, that is, causes the Simulink Design Verifier software to behave as if the Proof Objective block did not exist. If this option is not selected, the block appears grayed out in the model editor.

#### Type

Specify whether the block behaves as a Proof Objective or Test Objective block. Select Test Objective to transform the Proof Objective block into a Test Objective block.

#### Values

Specify the proof objective (see "Specifying Proof Objectives" on page 12-8).

#### **Display values**

Specify whether the block displays the contents of its **Values** parameter in the model editor. By default, this option is selected.

#### Pass through style

Specify whether the block displays an output port in the model editor. If selected (the default), the block displays its output port, allowing its input signal to pass through as the block output. If not selected, the block hides its output port and terminates the input signal. The following figure illustrates the appearance of the block in each case.



[Figure: the Proof Objective block with Pass through style selected and with Pass through style deselected.]

#### See Also

Proof Assumption, Test Objective

## **Test Condition**

**Purpose** Constrain signal values in test cases

**Library** Simulink Design Verifier

#### **Description**


When operating in test generation mode, the Simulink Design Verifier software produces test cases that satisfy specified criteria (see Chapter 7, "Generating Test Cases"). In this mode, you can use Test Condition blocks to define test conditions for signals in your model. The **Values** parameter lets you specify constraints on signal values during a test case simulation. Use the **Initial** parameter to specify whether the constraint applies throughout the entire test case simulation or only at its beginning. The block applies the specified **Values** parameter to its input signal, and the Simulink Design Verifier software attempts to produce test cases that satisfy the condition.

The block's parameter dialog box also allows you to:

- Enable or disable the condition.
- Specify that the block should display its **Values** parameter in the model editor.
- Specify that the block should display its output port.

**Note** The Simulink and Real-Time Workshop software ignore the Test Condition block during model simulation and code generation, respectively. The Simulink Design Verifier software uses the Test Condition block only when generating test cases for a model.

#### **Specifying Test Conditions**

Use the **Values** parameter to constrain signal values in test cases. Specify any combination of scalars and intervals in the form of a MATLAB cell array (see "Cell Arrays" in the MATLAB documentation for information about working with cell arrays).

**Tip** If the **Values** parameter specifies only one scalar value, you do not need to enter it in the form of a MATLAB cell array.

Scalar values each comprise a single cell in the array, for example:

```
{0, 5}
```

A closed interval comprises a two-element vector as a cell in the array, where each element specifies an interval endpoint:

```
{[1, 2]}
```

Alternatively, you can specify scalar values using the Sldv.Point constructor, which accepts a single value as its argument. You can specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following strings as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()' Defines an open interval.
- '[]' Defines a closed interval.
- '(]' Defines a left-open interval.
- '[)' Defines a right-open interval.

**Note** By default, Sldv.Interval considers an interval to be closed if you omit its third input argument.

As an example, the Values parameter

```
{0, [1, 3]}
```

specifies:

- 0: a scalar
- [1, 3]: a closed interval

The Values parameter

```
{Sldv.Interval(0, 1, '[)'), Sldv.Point(1)}
```

specifies:

- Sldv.Interval(0, 1, '[)'): the right-open interval [0, 1)
- Sldv.Point(1): a scalar

If you specify multiple scalars and intervals for a Test Condition block, the Simulink Design Verifier software combines them using a logical OR operation when generating test cases. Consequently, the software considers the entire test condition to be satisfied if any single scalar or interval is satisfied.
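Because the Simulink software ignores Proof Assumption and Test Condition blocks during simulation, a constraint stated in **Values** is never checked against simulated or logged data unless you check it yourself. The following MATLAB script is an added example, not MathWorks code: it applies the OR-combined **Values** list and the **Initial** option to a constructed signal trace. The names checkConstraint and matchesAny are hypothetical, and a nested cell {lo, hi, '[)'} stands in for Sldv.Interval, whose object properties this guide does not describe.

```matlab
% Added example, not MathWorks code. Script with local functions
% (requires R2016b or later).

% Constructed trace: one sample per time step; index 1 is t = 0.
sig = [0 0.25 0.5 0.99 1 1.2];

% Values list: the right-open interval [0, 1) OR the point 1.
% {lo, hi, '[)'} is a hypothetical stand-in for Sldv.Interval(lo, hi, '[)').
values = {{0, 1, '[)'}, 1};

[okAll, badAll]   = checkConstraint(sig, values, false);  % Initial cleared
[okInit, badInit] = checkConstraint(sig, values, true);   % Initial selected

fprintf('Entire trace: holds = %d, first violating step = %d\n', okAll, badAll);
fprintf('Initial only: holds = %d, first violating step = %d\n', okInit, badInit);

function [ok, firstBad] = checkConstraint(sig, values, initialOnly)
% True when the trace honors the constraint. firstBad is the 1-based index
% of the first violating sample, or 0 when there is none.
    if isempty(sig)
        error('The signal trace is empty.');
    end
    if initialOnly
        sig = sig(1);               % only the value at t = 0 is constrained
    end
    idx = find(~matchesAny(sig, values), 1);
    ok = isempty(idx);
    if ok
        firstBad = 0;
    else
        firstBad = idx;
    end
end

function hit = matchesAny(sig, values)
% Per-sample logical OR over every entry of the Values list.
    if ~iscell(values)
        values = {values};          % a lone scalar may omit the cell array
    end
    hit = false(size(sig));
    for k = 1:numel(values)
        v = values{k};
        if iscell(v) && numel(v) == 3            % {lo, hi, 'xy'} stand-in
            lo = v{1}; hi = v{2}; ends = v{3};
        elseif ~(isnumeric(v) || islogical(v))
            error('Unsupported Values entry at index %d.', k);
        elseif isscalar(v)                       % scalar: a single point
            lo = v; hi = v; ends = '[]';
        elseif numel(v) == 2                     % [lo, hi]: closed interval
            lo = v(1); hi = v(2); ends = '[]';
        else
            error('Unsupported Values entry at index %d.', k);
        end
        if ends(1) == '['
            above = sig >= lo;      % lower endpoint included
        else
            above = sig > lo;       % lower endpoint excluded
        end
        if ends(2) == ']'
            below = sig <= hi;      % upper endpoint included
        else
            below = sig < hi;       % upper endpoint excluded
        end
        hit = hit | (above & below);
    end
end
```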

#### Data Type Support

The Test Condition block accepts signals of all built-in data types supported by the Simulink software. For a discussion on the data types supported by the Simulink software, see "Data Types Supported by Simulink" in *Simulink User's Guide*.

#### Parameters and Dialog Box

[Figure: Function Block Parameters dialog box for the Test Condition block, mask "Design Verifier Test Condition", with the parameters Enable, Type, Values, Initial, Display values, and Pass through style (show Outport).]

The dialog box describes the block as follows: Constrains signal valu… parameter constrains the block input signal. Two element vectors specify intervals. Cell arrays specify lists. The signal must satisfy at least one of the values or intervals at every time step unless the "Initial" ch… applies only to the firs…

Example Values:

```
true
{[0 1], 2, [4 5], 6}
{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1}
```

#### Enable

Specify whether the block is enabled. If selected (the default), the Simulink Design Verifier software uses the block when generating tests for a model. Clearing this option disables the block, that is, causes the Simulink Design Verifier software to behave as if the Test Condition block did not exist. If this option is not selected, the block appears grayed out in the model editor.

#### Type

Specify whether the block behaves as a Test Condition or Proof Assumption block. Select Assumption to transform the Test Condition block into a Proof Assumption block.

#### Values

Specify the test condition (see "Specifying Test Conditions" on page 12-13).

#### Initial

Specify whether the **Values** parameter applies at the beginning of or throughout the entire test case simulation. If selected, the block constrains only the initial value of its input signal at the start of a test case simulation (t=0). If not selected (the default), the block constrains its signal value for the entire test case simulation.

#### **Display values**

Specify whether the block displays the contents of its **Values** parameter in the model editor. By default, this option is selected.

#### Pass through style

Specify whether the block displays an output port in the model editor. If selected (the default), the block displays its output port, allowing its input signal to pass through as the block output. If not selected, the block hides its output port and terminates the input signal. The following figure illustrates the appearance of the block in each case.





#### See Also Proof Assumption, Test Objective

# **Test Objective**

#### **Purpose** Define custom objectives that signals must satisfy in test cases

Library Simulink Design Verifier

#### Description


When operating in test generation mode, the Simulink Design Verifier software produces test cases that satisfy specified criteria (see Chapter 7, "Generating Test Cases"). In this mode, you can use Test Objective blocks to define custom test objectives for signals in your model. The **Values** parameter lets you specify values that a signal must achieve for at least one time step during a test case simulation. The block applies the specified **Values** parameter to its input signal, and the Simulink Design Verifier software attempts to produce test cases that satisfy the objective.

The block's parameter dialog box also allows you to

- Enable or disable the objective.
- Specify that the block should display its **Values** parameter in the model editor.
- Specify that the block should display its output port.

**Note** The Simulink and Real-Time Workshop software ignore the Test Objective block during model simulation and code generation, respectively. The Simulink Design Verifier software uses the Test Objective block only when generating test cases for a model.

#### **Specifying Test Objectives**

Use the **Values** parameter to define custom objectives that signals must satisfy in test cases. Specify any combination of scalars and intervals in the form of a MATLAB cell array (see "Cell Arrays" in the MATLAB documentation for information about working with cell arrays).

**Tip** If the **Values** parameter specifies only one scalar value, you do not need to enter it in the form of a MATLAB cell array.

Scalar values each comprise a single cell in the array, for example:

```
{0, 5}
```

A closed interval comprises a two-element vector as a cell in the array, where each element specifies an interval endpoint:

```
{[1, 2]}
```

Alternatively, you can specify scalar values using the Sldv.Point constructor, which accepts a single value as its argument. You can specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following strings as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()' Defines an open interval.
- '[]' Defines a closed interval.
- '(]' Defines a left-open interval.
- '[)' Defines a right-open interval.

**Note** By default, Sldv.Interval considers an interval to be closed if you omit its third input argument.

As an example, the Values parameter

```
{0, [1, 3]}
```

specifies:

- 0 a scalar
- [1, 3] a closed interval

The Values parameter

```
{Sldv.Interval(0, 1, '[)'), Sldv.Point(1)}
```

specifies:

- Sldv.Interval(0, 1, '[)') the right-open interval [0, 1)
- Sldv.Point(1) a scalar
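The endpoint rules above, written out as a membership check over a recorded signal; this is an added illustration in base MATLAB, not MathWorks code. It goes slightly beyond the text by contrasting a Test Objective (some time step) with a Test Condition (every time step, or only t=0 when **Initial** is selected). The function names, the sample trace, and the struct that stands in for `Sldv.Interval` are assumptions made so that it runs without the toolbox.

```matlab
function report = check_values_spec()
% Added illustration: evaluates a Values-style specification against a
% constructed signal trace. Base MATLAB only; no toolbox calls.

% Constructed sample: one signal value per time step, starting at t=0.
trace = [0.0 0.4 0.9 1.0 2.5];

% Stand-in for {Sldv.Interval(0, 1, '[)'), Sldv.Point(1)}.
% ival() is a hypothetical helper, not the Sldv.Interval class.
spec = {ival(0, 1, '[)'), 1};

hit = arrayfun(@(x) in_values(x, spec), trace);   % per-step membership

report.objective_met   = any(hit);        % Test Objective: at least one step
report.condition_holds = all(hit);        % Test Condition: every step
report.initial_holds   = hit(1);          % Test Condition with Initial: t=0 only
report.first_miss      = find(~hit, 1);   % first step that breaks the condition
end

function s = ival(lo, hi, ends)
% Builds an interval record; closed by default, as the Note above states.
if nargin < 3
    ends = '[]';
end
s = struct('lo', lo, 'hi', hi, 'ends', ends);
end

function tf = in_values(x, spec)
% True if scalar x matches any entry of the specification.
if ~iscell(spec)
    spec = {spec};                        % a lone scalar needs no cell array
end
tf = false;
for k = 1:numel(spec)
    e = spec{k};
    if isstruct(e)
        tf = in_interval(x, e.lo, e.hi, e.ends);
    elseif numel(e) == 2
        tf = in_interval(x, e(1), e(2), '[]');   % [a, b] is a closed interval
    else
        tf = (x == e);                           % scalar entry
    end
    if tf
        return;
    end
end
end

function tf = in_interval(x, lo, hi, ends)
% Applies the four endpoint strings listed above.
switch ends
    case '()', tf = x >  lo && x <  hi;
    case '[]', tf = x >= lo && x <= hi;
    case '(]', tf = x >  lo && x <= hi;
    case '[)', tf = x >= lo && x <  hi;
    otherwise, error('Unknown endpoint string: %s', ends);
end
end
```

On the constructed trace the value 1.0 is excluded by the right-open interval but accepted by the scalar entry, and the final sample 2.5 is the only one outside the specification.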

#### Data Type Support

The Test Objective block accepts signals of all built-in data types supported by the Simulink software. For a discussion on the data types supported by the Simulink software, see "Data Types Supported by Simulink" in *Simulink User's Guide*.

#### Parameters and Dialog Box

| Function Block Parameters: Test Objective |
|-------------------------------------------|
| Design Verifier Test Objective (mask) |
| Obtains signal values in Simulink Design Verifier test cases. The 'Values' parameter specifies the desired input signal values. Two element vectors specify intervals. Cell arrays specify lists. Each list entry might result in a separate test case. |
| Example Values:<br>true<br>{[0 1], 2, [4 5], 6}<br>{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1} |
| Parameters |
| Enable |
| Type: Test Objective |
| Values: true |
| Display values |
| Pass through style (show Outport) |
| OK, Cancel, Help, Apply |

#### Enable

Specify whether the block is enabled. If selected (the default), the Simulink Design Verifier software uses the block when generating tests for a model. Clearing this option disables the block, that is, causes the Simulink Design Verifier software to behave as if the Test Objective block did not exist. If this option is not selected, the block appears grayed out in the model editor.

#### Type

Specify whether the block behaves as a Test Objective or Proof Objective block. Select Proof Objective to transform the Test Objective block into a Proof Objective block.

#### Values

Specify the test objective (see "Specifying Test Objectives" on page 12-19).

#### **Display values**

Specify whether the block displays the contents of its **Values** parameter in the model editor. By default, this option is selected.

#### Pass through style

Specify whether the block displays an output port in the model editor. If selected (the default), the block displays its output port, allowing its input signal to pass through as the block output. If not selected, the block hides its output port and terminates the input signal. The following figure illustrates the appearance of the block in each case.



Pass through style: selected

Pass through style: deselected

#### See Also Proof Objective, Test Condition

# **Verification Subsystem**

#### **Purpose** Represent subsystem that specifies proof or test objectives without impacting simulation results or generated code

Library Simulink Design Verifier

#### Description



This block is a Subsystem block that is preconfigured to serve as a starting point for creating a subsystem that specifies proof or test objectives for use with the Simulink Design Verifier software. The Real-Time Workshop software ignores Verification Subsystem blocks during code generation, behaving as if the subsystems do not exist. A Verification Subsystem block allows you to add Simulink Design Verifier components to a model without affecting its generated code.

To create a Verification Subsystem in your model:

1. Copy the Verification Subsystem block from the Simulink Design Verifier library into your model.
2. Open the Verification Subsystem block by double-clicking it.
3. In the Verification Subsystem window, add blocks that specify proof or test objectives. Use Inport blocks to represent input from outside the subsystem.

The Verification Subsystem block in the Simulink Design Verifier library is preconfigured to work correctly. For correct behavior, a Verification Subsystem block must

- Contain no Outport blocks.
- Enable its **Treat as Atomic Unit** parameter.
- Specify its **Mask type** parameter as VerificationSubsystem.

**Note** If you alter a Verification Subsystem block so that it no longer behaves correctly, the Simulink Design Verifier software displays a warning.

See the Subsystem block in the *Simulink Reference* and "Creating Subsystems" in *Simulink User's Guide* for more information.

#### **Examples** The sldvdemo\_debounce\_validprop demo model includes a Verification Subsystem that specifies two proof objectives, as shown in the following figure.



#### See Also Proof Assumption, Proof Objective, Test Condition, Test Objective

# 13

# **Configuration Parameters**

- "Design Verifier Pane"
- "Design Verifier Pane: Block Replacements"
- "Design Verifier Pane: Parameters"
- "Design Verifier Pane: Test Generation"
- "Design Verifier Pane: Property Proving"
- "Design Verifier Pane: Results"
- "Design Verifier Pane: Report"
- "Parameter Command-Line Information Summary"

# **Design Verifier Pane**

| Analysis options                                 |                           |
|--------------------------------------------------|---------------------------|
| Mode:                                            | Test generation           |
| Maximum analysis time:                           | 600                       |
| Display unsatisfiable test objectives            |                           |
| Output                                           |                           |
| Output directory:                                | sldv\_output/\$ModelName\$ |
| Make output file names unique by adding a suffix |                           |
| Check Model Compatibility                        |                           |
| Analyze Model                                    |                           |

| In this section                                    |
|----------------------------------------------------|
| "Design Verifier Pane Overview"                    |
| "Mode"                                             |
| "Maximum analysis time"                            |
| "Display unsatisfiable test objectives"            |
| "Output directory"                                 |
| "Make output file names unique by adding a suffix" |
## **Design Verifier Pane Overview**

Specify analysis options and configure Simulink Design Verifier output.

#### Mode

Specify whether the Simulink Design Verifier software generates test cases or proves properties.

#### **Settings**

Default: Test generation

Test generation

Generates test cases for a model.

Property proving

Proves properties of a model.

#### Tip

The Simulink Design Verifier software specifies the value of this option automatically if you start an analysis by selecting from the **Tools** menu either **Design Verifier > Generate Tests** or **Design Verifier > Prove Properties**.

#### Dependency

Selecting Test generation enables the **Display unsatisfiable test objectives** parameter.

#### **Command-Line Information**

```
Parameter: DVMode
Type: string
Value: 'TestGeneration' | 'PropertyProving'
Default: 'TestGeneration'
```

#### See Also

- Generating Test Cases
- Proving Properties of a Model

#### Maximum analysis time

Specify the maximum time (in seconds) that the Simulink Design Verifier software spends analyzing a model.

#### Settings

Default: 600

The value you enter represents the maximum number of seconds the Simulink Design Verifier software analyzes your model.

#### **Command-Line Information**

```
Parameter: DVMaxProcessTime
Type: double
Value: any valid value
Default: 600
```

## Display unsatisfiable test objectives

Specify whether to display a warning for unsatisfiable test objectives. For more information about using this option, see "Display unsatisfiable test objectives" on page 6-6.

#### **Settings**

Default: On

On

Displays a warning in the Simulation Diagnostics Viewer when the Simulink Design Verifier software is unable to satisfy a test objective.

Off

Does not display a warning when the Simulink Design Verifier software is unable to satisfy a test objective.

#### Dependency

This parameter is enabled by **Mode**.

#### **Command-Line Information**

```
Parameter: DVDisplayUnsatisfiableObjectives
Type: string
Value: 'on' | 'off'
Default: 'on'
```

#### **Output directory**

Specify a directory to which the Simulink Design Verifier software writes its output.

#### Settings

**Default:** sldv\_output/\$ModelName\$

- Enter a path that is either absolute or relative to the current directory.
- \$ModelName\$ is a token that represents the model name.

#### Tip

You can use the following parameters to customize the names and locations of Simulink Design Verifier output:

- Data file name
- Harness model file name
- SystemTest file name
- Report file name
- File path of the output model

#### **Command-Line Information**

```
Parameter: DVOutputDir
Type: string
Value: any valid path
Default: 'sldv_output/$ModelName$'
```

#### Make output file names unique by adding a suffix

Specify whether the Simulink Design Verifier software makes its output file names unique by appending a numeric suffix.

#### Settings

Default: On

On

Appends an incremental numeric suffix to Simulink Design Verifier output file names. Selecting this option prevents the software from overwriting existing files that have the same name.

Off

Does not append a suffix to Simulink Design Verifier output file names. In this case, the software might overwrite existing files that have the same name.

#### **Command-Line Information**

```
Parameter: DVMakeOutputFilesUnique
Type: string
Value: 'on' | 'off'
Default: 'on'
```

# **Design Verifier Pane: Block Replacements**

| Block replacements                                      |
|---------------------------------------------------------|
| Apply block replacements                                |
| List of block replacement rules (in order of priority): |
| Output model                                            |
| File path of the output model:                          |

| In this section                    |
|------------------------------------|
| "Block Replacements Pane Overview" |
| "Apply block replacements"         |
| "List of block replacement rules"  |
| "File path of the output model"    |

#### **Block Replacements Pane Overview**

Specify options that control how the Simulink Design Verifier software preprocesses the models it analyzes.

#### See Also

#### **Apply block replacements**

Specify whether the Simulink Design Verifier software replaces blocks in a model before its analysis.

#### **Settings**

Default: Off

On

Replaces blocks in a model before the Simulink Design Verifier software analyzes it.

Off

Does not replace blocks in a model before the Simulink Design Verifier software analyzes it.

#### Dependencies

This parameter enables **List of block replacement rules** and **File path of the output model**.

#### **Command-Line Information**

```
Parameter: DVBlockReplacement
Type: string
Value: 'on' | 'off'
Default: 'off'
```

#### See Also

#### List of block replacement rules

Specify a list of block replacement rules that the Simulink Design Verifier software executes before its analysis.

#### **Settings**

**Default:** <FactoryDefaultRules>

- Specify block replacement rules as a list delimited by spaces, commas, or carriage returns.
- The Simulink Design Verifier software processes block replacement rules in the order that you list them.
- If you specify the default value, the Simulink Design Verifier software uses its factory default block replacement rules.

#### Dependency

This parameter is enabled by **Apply block replacements**.

#### **Command-Line Information**

```
Parameter: DVBlockReplacementRulesList
Type: string
Value: any rules
Default: '<FactoryDefaultRules>'
```

#### See Also

### File path of the output model

Specify a directory and file name for the model that results after applying block replacement rules.

#### Settings

Default: \$ModelName\$\_replacement

- Optionally, enter a path that is either absolute or relative to the path specified in **Output directory**.
- Enter a file name for the model that results after applying block replacement rules.
- \$ModelName\$ is a token that represents the model name.

#### Dependency

This parameter is enabled by **Apply block replacements**.

#### **Command-Line Information**

```
Parameter: DVBlockReplacementModelFileName
Type: string
Value: any valid path and file name
Default: '$ModelName$_replacement'
```

#### See Also

# **Design Verifier Pane: Parameters**

| Parameters                                           |        |      |
|------------------------------------------------------|--------|------|
| Apply parameters                                     |        |      |
| Parameter configuration file: sldv_params_template.m | Browse | Edit |
|                                                      |        |      |

#### In this section...

"Parameters Pane Overview"

"Apply parameters"

"Parameter configuration file"

#### **Parameters Pane Overview**

Specify options that control how the Simulink Design Verifier software uses parameter configurations when analyzing models.

#### See Also

Specifying Parameter Configurations

#### **Apply parameters**

Specify whether the Simulink Design Verifier software uses parameter configurations when analyzing a model.

#### Settings

Default: On

On

The Simulink Design Verifier software uses parameter configurations when analyzing a model.

Off

The Simulink Design Verifier software does not use parameter configurations when analyzing a model.

#### Dependency

This parameter enables **Parameter configuration file**.

#### **Command-Line Information**

```
Parameter: DVParameters
Type: string
Value: 'on' | 'off'
Default: 'on'
```

#### See Also

Specifying Parameter Configurations

#### Parameter configuration file

Specify an M-file function that defines parameter configurations for a model.

#### **Settings**

**Default:** sldv\_params\_template.m

- The default file, sldv\_params\_template.m, is a template that you can edit and save. The comments in the template explain the syntax you use to specify parameter configurations.
- Click the **Browse** button to select an existing M-file function using a file chooser dialog box.
- Click the **Edit** button to open the specified M-file function in an editor.

#### Dependency

This parameter is enabled by **Apply parameters**.

#### **Command-Line Information**

```
Parameter: DVParametersConfigFileName
Type: string
Value: any valid M-file function
Default: 'sldv_params_template.m'
```

#### See Also

Specifying Parameter Configurations

# **Design Verifier Pane: Test Generation**

| Test generation            |                     |
|----------------------------|---------------------|
| Model coverage objectives: | MCDC                |
| Test conditions:           | Enable all          |
| Test objectives:           | Enable all          |
| Maximum test case steps:   | 500                 |
| Test suite optimization:   | Combined objectives |

| In this section                 |
|---------------------------------|
| "Test Generation Pane Overview" |
| "Model coverage objectives"     |
| "Test conditions"               |
| "Test objectives"               |
| "Maximum test case steps"       |
| "Test suite optimization"       |

# **Test Generation Pane Overview**

Specify options that control how the Simulink Design Verifier software generates tests for the models it analyzes.

#### See Also

Generating Test Cases

# Model coverage objectives

Specify the type of model coverage that the Simulink Design Verifier software attempts to achieve.

#### Settings

Default: MCDC

#### None

Generates test cases that achieve only the custom objectives that you specified in your model using, for example, Test Objective blocks.

#### Decision

Generates test cases that achieve decision coverage.

#### Condition Decision

Generates test cases that achieve condition and decision coverage.

#### MCDC

Generates test cases that achieve modified condition/decision coverage (MCDC).

#### **Command-Line Information**

```
Parameter: DVModelCoverageObjectives
Type: string
Value: 'None' | 'Decision' | 'ConditionDecision' | 'MCDC'
Default: 'MCDC'
```

#### See Also

Generating Test Cases

# **Test conditions**

Specify whether Test Condition blocks in your model are enabled or disabled.

#### **Settings**

Default: Use local settings

Use local settings

Enables or disables Test Condition blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

#### Enable all

Enables all Test Condition blocks in the model regardless of the settings of their **Enable** parameters.

#### Disable all

Disables all Test Condition blocks in the model regardless of the settings of their **Enable** parameters.

#### **Command-Line Information**

```
Parameter: DVTestConditions
Type: string
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

#### See Also

- Test Condition
- Generating Test Cases

# **Test objectives**

Specify whether Test Objective blocks in your model are enabled or disabled.

#### **Settings**

Default: Use local settings

#### Use local settings

Enables or disables Test Objective blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

#### Enable all

Enables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.

#### Disable all

Disables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.

#### **Command-Line Information**

```
Parameter: DVTestObjectives
Type: string
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

#### See Also

- Test Objective
- Generating Test Cases

#### Maximum test case steps

Specify the maximum number of simulation steps the Simulink Design Verifier software takes when attempting to satisfy a test objective.

#### Settings

Default: 500

You can specify a value that represents the maximum number of simulation steps the Simulink Design Verifier software takes when attempting to satisfy a test objective.

#### **Command-Line Information**

```
Parameter: DVMaxTestCaseSteps
Type: int32
Value: any valid value
Default: 500
```

#### See Also

Generating Test Cases

# Test suite optimization

Specify the optimization strategy to use when generating test cases.

#### **Settings**

Default: Combined objectives

#### Combined objectives

Minimizes the number of test cases in a suite by generating cases that address more than one test objective. Each test case tends to be long, i.e., it includes many time steps.

#### Individual objectives

Maximizes the number of test cases in a suite by generating cases that each address only one test objective. Each test case tends to be short, i.e., it includes only a few time steps.

#### Large model

Minimizes the number of test cases in a suite by generating cases that address more than one test objective. This strategy is tailored for large, complex models; consequently, it tends to use all the time that the **Maximum analysis time** option allots.

#### Tip

If an analysis using the Combined objectives strategy returns objectives without an outcome, set this option to Individual objectives and reanalyze the model. The Individual objectives strategy analyzes each objective independently and is better at identifying unsatisfiable objectives.

However, set this option to Large model if the model has both of the following characteristics:

- Nonlinearities, such as those that result from multiplying or dividing the model's input signals
- Numerous test objectives, such as those that result when using blocks that receive model coverage

The Large model strategy performs an analysis that is tailored to large, complex models, but this strategy tends to use all the time that the **Maximum analysis time** option allots.

#### **Command-Line Information**

```
Parameter: DVTestSuiteOptimization
Type: string
Value: 'CombinedObjectives' | 'IndividualObjectives' | 'LargeModel'
Default: 'CombinedObjectives'
```

#### See Also

Generating Test Cases

# **Design Verifier Pane: Property Proving**

| Property proving         |                |
|--------------------------|----------------|
| Assertion blocks:        | Enable all     |
| Proof assumptions:       | Enable all     |
| Strategy:                | Find violation |
| Maximum violation steps: | 20             |

| In this section                  |
|----------------------------------|
| "Property Proving Pane Overview" |
| "Assertion blocks"               |
| "Proof assumptions"              |
| "Strategy"                       |
| "Maximum violation steps"        |

# **Property Proving Pane Overview**

Specify options that control how the Simulink Design Verifier software proves properties for the models it analyzes.

#### See Also

Proving Properties of a Model

# **Assertion blocks**

Specify whether Assertion blocks in your model are enabled or disabled.

#### **Settings**

Default: Use local settings

#### Use local settings

Enables or disables Assertion blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

#### Enable all

Enables all Assertion blocks in the model regardless of the settings of their **Enable** parameters.

#### Disable all

Disables all Assertion blocks in the model regardless of the settings of their **Enable** parameters.

#### **Command-Line Information**

```
Parameter: DVAssertions
Type: string
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

#### See Also

- Assertion
- Proving Properties of a Model

# **Proof assumptions**

Specify whether Proof Assumption blocks in your model are enabled or disabled.

#### Settings

Default: Use local settings

Use local settings

Enables or disables Proof Assumption blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

Enable all

Enables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.

Disable all

Disables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.

#### **Command-Line Information**

```
Parameter: DVProofAssumptions
Type: string
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

#### See Also

- Proof Assumption
- Proving Properties of a Model

## Strategy

Specify the strategy that the Simulink Design Verifier software uses when proving properties.

#### Settings

Default: Prove

#### Prove

Performs property proofs.

#### Find violation

Searches for property violations within the number of simulation steps specified by the **Maximum violation steps** option.

#### Prove with violation detection

Searches for property violations within the number of simulation steps specified by the **Maximum violation steps** option; then it attempts to prove properties for which it failed to detect a violation.

#### Dependency

Selecting Find violation or Prove with violation detection enables the **Maximum violation steps** parameter.

#### **Command-Line Information**

Parameter: DVProvingStrategy
Type: string
Value: 'Prove' | 'FindViolation' | 'ProveWithViolationDetection'
Default: 'Prove'

#### See Also

Proving Properties of a Model

# **Maximum violation steps**

Specify the maximum number of simulation steps over which the Simulink Design Verifier software searches for property violations.

#### Settings

Default: 20

The Simulink Design Verifier software does not search beyond the maximum number of simulation steps that you specify. Therefore, it cannot identify violations that might occur later in a simulation.

#### Dependency

This parameter is enabled by **Strategy**.

#### **Command-Line Information**

Parameter: DVMaxViolationSteps
Type: int32
Value: any valid value
Default: 20

#### See Also

Proving Properties of a Model

# **Design Verifier Pane: Results**

[Figure: the Results pane of the Configuration Parameters dialog box, showing the Data file options, Harness model options, and SystemTest options groups.]

#### In this section...

"Results Pane Overview" on page 13-34

"Save test data to file" on page 13-35

"Data file name" on page 13-36

"Include expected output values" on page 13-37

"Randomize data that does not affect outcome" on page 13-39

"Save test harness as model" on page 13-41

"Harness model file name" on page 13-42

"Reference input model in generated harness" on page 13-43

"Save test harness as SystemTest TEST-file (will reference saved data file)" on page 13-44

"SystemTest file name" on page 13-45

# **Results Pane Overview**

Specify options that control how the Simulink Design Verifier software handles the results that it generates.

#### See Also

# Save test data to file

Save the test data that the Simulink Design Verifier software generates to a MAT-file.

#### **Settings**

Default: On

#### On

Saves the test data that the Simulink Design Verifier software generates to a MAT-file.

#### Off

Does not save the test data that the Simulink Design Verifier software generates.

#### Dependency

This parameter enables Data file name.

#### **Command-Line Information**

Parameter: DVSaveDataFile
Type: string
Value: 'on' | 'off'
Default: 'on'

#### See Also

# Data file name

Specify a directory and file name for the MAT-file that contains the data generated during the analysis, stored in an sldvData structure.

#### **Settings**

**Default:** \$ModelName\$\_sldvdata

- Optionally, enter a path that is either absolute or relative to the path specified in **Output directory**.
- Enter a file name for the MAT-file.
- \$ModelName\$ is a token that represents the model name.

#### Dependency

This parameter is enabled by Save test data to file.

#### **Command-Line Information**

Parameter: DVDataFileName
Type: string
Value: any valid path and file name
Default: '\$ModelName\$\_sldvdata'

#### See Also

# Include expected output values

Simulate the model using test case signals and include the output values in the Simulink Design Verifier data file.

#### Settings

Default: Off

#### On

Simulates the model using the test case signals that the Simulink Design Verifier software produces. For each test case, the software collects the simulation output values associated with Outport blocks in the top-level system and includes those values in the MAT-file that it generates.

#### Off

Does not simulate the model and collect output values for inclusion in the MAT-file that the Simulink Design Verifier software generates.

#### Tips

- The TestCases.expectedOutput subfield of the MAT-file contains the output values. For more information, see "Anatomy of the sldvData Structure".
- When **Include expected output values** is enabled, the Simulink Design Verifier software successively simulates the model using each test case that it generates. Enabling this option requires more time for the Simulink Design Verifier software to complete its analysis.

#### Dependency

This parameter is enabled by Save test data to file.

#### **Command-Line Information**

Parameter: DVSaveExpectedOutput
Type: string
Value: 'on' | 'off'
Default: 'off'

#### See Also

# Randomize data that does not affect outcome

Use random values instead of zeros for input signals that have no impact on test or proof objectives.

#### Settings

Default: Off

#### On

Assigns random values to test case or counterexample signals that do not affect the outcome of test or proof objectives in a model. This option can enhance traceability and improve your regression tests.

#### Off

Assigns zeros to test case or counterexample signals that do not affect the outcome of test or proof objectives in a model.

#### Tips

- This option assigns random values to test case or counterexample signals that otherwise would be zero. In the Simulink Design Verifier report, the Generated Input Data table always displays a dash (-) for such signals.
- Enable this option to enhance traceability when simulating test cases or counterexamples. For instance, consider the following model:



Only the signal entering the Switch block's control port impacts its decision coverage. If the **Randomize data that does not affect outcome** parameter is off, the Simulink Design Verifier software uses zeros to represent the signals from In1 and In3. When inspecting the results from test case or counterexample simulations, it is unclear which of these signals passes through the Switch block because they have the same value. But if the **Randomize data that does not affect outcome** parameter is on, the software uses unique values to represent each of those signals. In this case, it is easier to determine which signal passes through the Switch block.

#### Dependency

This parameter is enabled by Save test data to file.

#### **Command-Line Information**

Parameter: DVRandomizeNoEffectData
Type: string
Value: 'on' | 'off'
Default: 'off'

#### See Also

# Save test harness as model

Save the test harness that the Simulink Design Verifier software generates as a model file.

#### **Settings**

Default: On

#### On

Saves the test harness that the Simulink Design Verifier software generates as a model file.

#### Off

Does not save the test harness that the Simulink Design Verifier software generates.

#### Dependency

This parameter enables Harness model file name.

#### **Command-Line Information**

Parameter: DVSaveHarnessModel
Type: string
Value: 'on' | 'off'
Default: 'on'

#### See Also

# Harness model file name

Specify a directory and file name for the test harness model.

#### **Settings**

**Default:** \$ModelName\$\_harness

- Optionally, enter a path that is either absolute or relative to the path specified in **Output directory**.
- Enter a file name for the test harness model.
- \$ModelName\$ is a token that represents the model name.

#### Dependency

This parameter is enabled by Save test harness as model.

#### **Command-Line Information**

Parameter: DVHarnessModelFileName
Type: string
Value: any valid path and file name
Default: '\$ModelName\$\_harness'

#### See Also

# **Reference input model in generated harness**

Use model reference to run the model in the test harness.

#### **Settings**

Default: Off

#### On

Uses model reference to run the model in the test harness.

#### Off

Uses a copy of the model in the test harness.

#### **Command-Line Information**

Parameter: DVModelReferenceHarness
Type: string
Value: 'on' | 'off'
Default: 'off'

#### See Also

# Save test harness as SystemTest TEST-file (will reference saved data file)

Save the test harness as a SystemTest TEST-file so you can run test cases using the SystemTest capabilities.

#### Settings

Default: Off

#### On

Saves the test harness as a SystemTest TEST-file.

#### Off

Does not save the test harness as a SystemTest TEST-file.

#### Dependency

This parameter enables SystemTest file name.

#### **Command-Line Information**

Parameter: DVSaveSystemTestHarness
Type: string
Value: 'on' | 'off'
Default: 'off'

#### See Also

# SystemTest file name

Specify a directory and file name for the SystemTest TEST-file.

#### **Settings**

**Default:** \$ModelName\$\_harness

- Optionally, enter a path that is either absolute or relative to the path specified in **Output directory**.
- Enter a file name for the SystemTest TEST-file.
- **\$ModelName\$** is a token that represents the model name.

#### Dependency

This parameter is enabled by **Save test harness as SystemTest TEST-file (will reference saved data file)**.

#### **Command-Line Information**

Parameter: DVSystemTestFileName
Type: string
Value: any valid path and file name
Default: '\$ModelName\$\_harness'

#### See Also

# **Design Verifier Pane: Report**

[Figure: the Report pane of the Configuration Parameters dialog box, showing the Generate report of the results, Report file name, Include screen shots and plots, and Display report options.]

#### In this section...

"Report Pane Overview" on page 13-47

"Generate report of the results" on page 13-48

"Report file name" on page 13-49

"Include screen shots and plots" on page 13-50

"Display report" on page 13-51

# **Report Pane Overview**

Specify options that control how the Simulink Design Verifier software reports its results.

#### See Also

# Generate report of the results

Generate and save a Simulink Design Verifier report.

#### **Settings**

Default: On

#### On

Saves the HTML report that the Simulink Design Verifier software generates.

#### Off

Does not generate a Simulink Design Verifier report.

#### **Dependencies**

When this parameter is enabled, you must enable **Save test harness as model**.

This parameter enables the following parameters:

- Report file name
- Include screen shots and plots
- Display report

#### **Command-Line Information**

Parameter: DVSaveReport
Type: string
Value: 'on' | 'off'
Default: 'on'

#### See Also

# **Report file name**

Specify a directory and file name for the report that the Simulink Design Verifier software generates.

#### Settings

Default: \$ModelName\$\_report

- Optionally, enter a path that is either absolute or relative to the path specified in **Output directory**.
- Enter a file name for the report that the Simulink Design Verifier software generates.
- \$ModelName\$ is a token that represents the model name.

#### Dependency

This parameter is enabled by Generate report of the results.

#### **Command-Line Information**

Parameter: DVReportFileName
Type: string
Value: any valid path and file name
Default: '\$ModelName\$\_report'

#### See Also

# Include screen shots and plots

Include images in the report that the Simulink Design Verifier software generates after completing its analysis.

#### Settings

Default: Off

#### On

Includes images in the report that the Simulink Design Verifier software generates after completing its analysis. Specifically, the report displays images of your model and any signals that comprise its test cases or counterexamples.

#### Off

Suppresses images in the report that the Simulink Design Verifier software generates after completing its analysis.

#### Dependency

This parameter is enabled by Generate report of the results.

#### **Command-Line Information**

Parameter: DVReportIncludeGraphics
Type: string
Value: 'on' | 'off'
Default: 'off'

#### See Also

# **Display report**

Display the report that the Simulink Design Verifier software generates after completing its analysis.

#### Settings

Default: On

#### On

Displays the report that the Simulink Design Verifier software generates after completing its analysis.

#### Off

Does not display the report that the Simulink Design Verifier software generates after completing its analysis.

#### Dependency

This parameter is enabled by Generate report of the results.

#### **Command-Line Information**

Parameter: DVDisplayReport
Type: string
Value: 'on' | 'off'
Default: 'on'

#### See Also

# **Parameter Command-Line Information Summary**

The following table lists parameters that you can use to configure the behavior of the Simulink Design Verifier software. Use the get\_param and set\_param functions to retrieve and specify values for these parameters programmatically.

For each parameter listed in the table, the **Description** column indicates where you can set its value on the Configuration Parameters dialog box. The **Values** column shows the type of value required, the possible values (separated with a vertical line), and the default value (enclosed in braces).

| Parameter | Description | Values |
|-----------|-------------|--------|
| DVAssertions | Set by the **Assertion blocks** option on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box. | 'EnableAll' \| 'DisableAll' \| {'UseLocalSettings'} |
| DVBlockReplacement | Set by the **Apply block replacements** option on the **Design Verifier > Block Replacements** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVBlockReplacementModelFileName | Set by the **File path of the output model** option on the **Design Verifier > Block Replacements** pane of the Configuration Parameters dialog box. | string {'\$ModelName\$_replacement'} |
| DVBlockReplacementRulesList | Set by the **List of block replacement rules** option on the **Design Verifier > Block Replacements** pane of the Configuration Parameters dialog box. | string {'\<FactoryDefaultRules\>'} |
| DVDataFileName | Set by the **Data file name** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | string {'\$ModelName\$_sldvdata'} |
| DVDisplayUnsatisfiableObjectives | Set by the **Display unsatisfiable test objectives** option on the **Design Verifier** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVHarnessModelFileName | Set by the **Harness model file name** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | string {'\$ModelName\$_harness'} |
| DVMakeOutputFilesUnique | Set by the **Make output file names unique by adding a suffix** check box on the **Design Verifier** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVMaxProcessTime | Set by the **Maximum analysis time** option on the **Design Verifier** pane of the Configuration Parameters dialog box. | double {'600'} |
| DVMaxTestCaseSteps | Set by the **Maximum test case steps** option on the **Design Verifier > Test Generation** pane of the Configuration Parameters dialog box. | int32 {'500'} |
| DVMaxViolationSteps | Set by the **Maximum violation steps** option on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box. | int32 {'20'} |
| DVMode | Set by the **Mode** option on the **Design Verifier** pane of the Configuration Parameters dialog box. | {'TestGeneration'} \| 'PropertyProving' |
| DVModelCoverageObjectives | Set by the **Model coverage objectives** option on the **Design Verifier > Test Generation** pane of the Configuration Parameters dialog box. | 'None' \| 'Decision' \| 'ConditionDecision' \| {'MCDC'} |
| DVModelReferenceHarness | Set by the **Reference input model in generated harness** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVOutputDir | Set by the **Output directory** option on the **Design Verifier** pane of the Configuration Parameters dialog box. | string {'sldv_output/\$ModelName\$'} |
| DVParameters | Set by the **Apply parameters** option on the **Design Verifier > Parameters** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVParametersConfigFileName | Set by the **Parameter configuration file** option on the **Design Verifier > Parameters** pane of the Configuration Parameters dialog box. | string {'sldv_params_template.m'} |
| DVProofAssumptions | Set by the **Proof assumptions** option on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box. | 'EnableAll' \| 'DisableAll' \| {'UseLocalSettings'} |
| DVProvingStrategy | Set by the **Strategy** option on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box. | 'FindViolation' \| {'Prove'} \| 'ProveWithViolationDetection' |
| DVRandomizeNoEffectData | Set by the **Randomize data that does not affect outcome** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVReportFileName | Set by the **Report file name** option on the **Design Verifier > Report** pane of the Configuration Parameters dialog box. | string {'\$ModelName\$_report'} |
| DVReportIncludeGraphics | Set by the **Include screen shots and plots** option on the **Design Verifier > Report** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVSaveDataFile | Set by the **Save test data to file** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVSaveExpectedOutput | Set by the **Include expected output values** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVSaveHarnessModel | Set by the **Save test harness as model** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVSaveReport | Set by the **Generate report of the results** option on the **Design Verifier > Report** pane of the Configuration Parameters dialog box. | {'on'} \| 'off' |
| DVSaveSystemTestHarness | Set by the **Save test harness as SystemTest TEST-file (will reference saved data file)** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | 'on' \| {'off'} |
| DVSystemTestFileName | Set by the **SystemTest file name** option on the **Design Verifier > Results** pane of the Configuration Parameters dialog box. | string {'\$ModelName\$_harness'} |
| DVTestConditions | Set by the **Test conditions** option on the **Design Verifier > Test Generation** pane of the Configuration Parameters dialog box. | 'EnableAll' \| 'DisableAll' \| {'UseLocalSettings'} |
| DVTestObjectives | Set by the **Test objectives** option on the **Design Verifier > Test Generation** pane of the Configuration Parameters dialog box. | 'EnableAll' \| 'DisableAll' \| {'UseLocalSettings'} |
| DVTestSuiteOptimization | Set by the **Test suite optimization** option on the **Design Verifier > Test Generation** pane of the Configuration Parameters dialog box. | {'CombinedObjectives'} \| 'IndividualObjectives' \| 'LargeModel' |
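The following audit is an added example, not MathWorks code: it reads the proof-related parameters from the table with get\_param and flags settings under which a clean result says less than a proof, plus the report/harness dependency stated earlier. The function name, the finding texts, and the sample values are assumptions made for illustration; with a model argument it assumes the model is already loaded and that the Simulink Design Verifier software is installed.

```matlab
function findings = audit_dv_proof_config(model, fix)
%AUDIT_DV_PROOF_CONFIG Flag Design Verifier settings that weaken a proof run.
%   findings = audit_dv_proof_config()           audits a constructed sample
%   findings = audit_dv_proof_config(mdl)        audits a loaded model
%   findings = audit_dv_proof_config(mdl, true)  applies stricter values first
%   Added example (hypothetical helper), not MathWorks code.

names = {'DVMode', 'DVProvingStrategy', 'DVMaxViolationSteps', ...
         'DVAssertions', 'DVProofAssumptions', ...
         'DVSaveReport', 'DVSaveHarnessModel'};

if nargin == 0
    % Constructed sample values, not read from any real model.
    vals = {'PropertyProving', 'FindViolation', 20, ...
            'DisableAll', 'EnableAll', 'on', 'off'};
else
    if nargin > 1 && fix
        % Only string-valued parameters from the summary table are set.
        % The harness is switched on before the report that depends on it.
        set_param(model, ...
            'DVMode', 'PropertyProving', ...
            'DVProvingStrategy', 'ProveWithViolationDetection', ...
            'DVAssertions', 'UseLocalSettings', ...
            'DVProofAssumptions', 'UseLocalSettings', ...
            'DVSaveHarnessModel', 'on', ...
            'DVSaveReport', 'on');
    end
    vals = cell(size(names));
    for k = 1:numel(names)
        vals{k} = get_param(model, names{k});
    end
end

cfg = cell2struct(vals(:), names(:), 1);
findings = check_config(cfg);
for k = 1:numel(findings)
    fprintf('%s\n', findings{k});
end


function findings = check_config(cfg)
% Pure logic on a struct of parameter values, so it runs without Simulink.
findings = {};

steps = cfg.DVMaxViolationSteps;
if ischar(steps)
    steps = str2double(steps);   % tolerate a value returned as text
end

if ~strcmp(cfg.DVMode, 'PropertyProving')
    findings{end+1} = sprintf( ...
        'DVMode is ''%s'', not ''PropertyProving''.', cfg.DVMode);
end

if strcmp(cfg.DVProvingStrategy, 'FindViolation')
    % Bounded search only: later violations are never examined.
    findings{end+1} = sprintf( ...
        ['DVProvingStrategy is ''FindViolation'': the search stops after ' ...
         '%d steps, so finding no violation is not a proof.'], steps);
end

if strcmp(cfg.DVAssertions, 'DisableAll')
    findings{end+1} = ...
        ['DVAssertions is ''DisableAll'': every Assertion block is ' ...
         'disabled regardless of its Enable parameter.'];
end

if strcmp(cfg.DVProofAssumptions, 'EnableAll')
    % Review item (this example's judgment): a proof holds only under
    % the assumptions in force, including ones switched off locally.
    findings{end+1} = ...
        ['DVProofAssumptions is ''EnableAll'': Proof Assumption blocks ' ...
         'disabled locally are in force; review each one.'];
end

if strcmp(cfg.DVSaveReport, 'on') && ~strcmp(cfg.DVSaveHarnessModel, 'on')
    findings{end+1} = ...
        ['DVSaveReport is ''on'' but DVSaveHarnessModel is ''off'': ' ...
         'generating a report requires saving the test harness as a model.'];
end
```

Called with no arguments, the function reports four findings for the constructed sample: the bounded strategy, the disabled assertions, the forced assumptions, and the report/harness dependency.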

# 14

## Simulink Block Support

This chapter summarizes the Simulink Design Verifier software's support for Simulink blocks. Each section lists all the blocks in that Simulink library and support information for that particular block. A dash (—) indicates that the software supports that block under all conditions.

- "Additional Math and Discrete Library" on page 14-2
- "Commonly Used Blocks Library" on page 14-3
- "Continuous Library" on page 14-4
- "Discontinuities Library" on page 14-5
- "Discrete Library" on page 14-6
- "Logic and Bit Operations" on page 14-7
- "Lookup Tables Library" on page 14-8
- "Math Operations" on page 14-9
- "Model Verification Library" on page 14-12
- "Model-Wide Utilities Library" on page 14-13
- "Ports & Subsystems Library" on page 14-14
- "Signal Attributes Library" on page 14-15
- "Signal Routing Library" on page 14-16
- "Sinks Library" on page 14-17
- "Sources Library" on page 14-18
- "User-Defined Functions Library" on page 14-19

## **Additional Math and Discrete Library**

| Block                                                  | Support Notes |
|--------------------------------------------------------|---------------|
| Decrement Real World                                   | —             |
| Decrement Stored Integer                               | —             |
| Decrement Time To Zero                                 | Not supported |
| Decrement To Zero                                      | —             |
| Fixed-Point State-Space                                | Not supported |
| Increment Real World                                   | —             |
| Increment Stored Integer                               | —             |
| Transfer Fcn Direct Form II                            | Not supported |
| Transfer Fcn Direct Form II Time Varying               | Not supported |
| Unit Delay Enabled                                     | —             |
| Unit Delay Enabled External IC                         | —             |
| Unit Delay Enabled Resettable                          | —             |
| Unit Delay Enabled Resettable External IC              | —             |
| Unit Delay External IC                                 | —             |
| Unit Delay Resettable                                  | —             |
| Unit Delay Resettable External IC                      | —             |
| Unit Delay With Preview Enabled                        | —             |
| Unit Delay With Preview Enabled Resettable             | —             |
| Unit Delay With Preview Enabled Resettable External RV | —             |
| Unit Delay With Preview Resettable                     | —             |
| Unit Delay With Preview Resettable External RV         |               |

## **Commonly Used Blocks Library**

The Commonly Used Blocks library includes blocks from other libraries. Those blocks are listed under their respective libraries.

## **Continuous Library**

| Block                    | Support Notes |
|--------------------------|---------------|
| Derivative               | Not supported |
| Integrator               | Not supported |
| State-Space              | Not supported |
| Transfer Fcn             | Not supported |
| Transport Delay          | Not supported |
| Variable Time Delay      | Not supported |
| Variable Transport Delay | Not supported |
| Zero-Pole                | Not supported |

## **Discontinuities Library**

| Block                      | Support Notes                                                         |
|----------------------------|-----------------------------------------------------------------------|
| Backlash                   | Not supported                                                         |
| Coulomb & Viscous Friction | —                                                                     |
| Dead Zone                  | Not supported                                                         |
| Dead Zone Dynamic          | —                                                                     |
| Hit Crossing               | —                                                                     |
| Quantizer                  | —                                                                     |
| Rate Limiter               | Supports only input and output signals of data type single or double. |
| Rate Limiter Dynamic       | —                                                                     |
| Relay                      | Not supported                                                         |
| Saturation                 | —                                                                     |
| Saturation Dynamic         | —                                                                     |
| Wrap To Zero               | —                                                                     |

## **Discrete Library**

| Block                    | Support Notes |
|--------------------------|---------------|
| Difference               | —             |
| Discrete Derivative      | Not supported |
| Discrete Filter          | Not supported |
| Discrete FIR Filter      | —             |
| Discrete State-Space     | Not supported |
| Discrete Transfer Fcn    | Not supported |
| Discrete Zero-Pole       | Not supported |
| Discrete-Time Integrator | —             |
| First-Order Hold         | —             |
| Integer Delay            | Not supported |
| Memory                   | —             |
| Tapped Delay             | Not supported |
| Transfer Fcn First Order | —             |
| Transfer Fcn Lead or Lag | —             |
| Transfer Fcn Real Zero   | —             |
| Unit Delay               | —             |
| Zero-Order Hold          | —             |

## Logic and Bit Operations

| Block                   | Support Notes                                                                                                                                                                |
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Bit Clear               | —                                                                                                                                                                            |
| Bit Set                 | —                                                                                                                                                                            |
| Bitwise Operator        | —                                                                                                                                                                            |
| Combinatorial Logic     | Not supported                                                                                                                                                                |
| Compare To Constant     | —                                                                                                                                                                            |
| Compare To Zero         | —                                                                                                                                                                            |
| Detect Change           | —                                                                                                                                                                            |
| Detect Decrease         | —                                                                                                                                                                            |
| Detect Fall Negative    | —                                                                                                                                                                            |
| Detect Fall Nonpositive | —                                                                                                                                                                            |
| Detect Increase         | —                                                                                                                                                                            |
| Detect Rise Nonnegative | —                                                                                                                                                                            |
| Detect Rise Positive    | —                                                                                                                                                                            |
| Extract Bits            | —                                                                                                                                                                            |
| Interval Test           | —                                                                                                                                                                            |
| Interval Test Dynamic   | —                                                                                                                                                                            |
| Logical Operator        | —                                                                                                                                                                            |
| Relational Operator     | —                                                                                                                                                                            |
| Shift Arithmetic        | Not supported when the <b>Number of bits to shift right</b> parameter specifies a vector and the block's input or output signal has a data type other than single or double. |

## Lookup Tables Library

| Block                         | Support Notes                                                                                                                                |
|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
| Cosine                        | Not supported                                                                                                                                |
| Direct Lookup Table (n-D)     | Not supported                                                                                                                                |
| Interpolation Using Prelookup | Not supported                                                                                                                                |
| Lookup Table                  | Input and output must have the same data type, either single or double.                                                                      |
| Lookup Table (2-D)            | Input and output must have the same data type, either single or double.                                                                      |
| Lookup Table (n-D)            | Input and output must have the same data type, either single or double.                                                                      |
|                               | Not supported when either the <b>Interpolation method</b><br>or the <b>Extrapolation method</b> parameter specifies<br><b>Cubic Spline</b>. |
|                               | Supports only <b>Number of table dimensions</b> that specify either 1 or 2.                                                                  |
| Lookup Table Dynamic          | Not supported                                                                                                                                |
| Prelookup                     | Not supported                                                                                                                                |
| Sine                          | Not supported                                                                                                                                |

## **Math Operations**

| Block                      | Support Notes |
|----------------------------|---------------|
| Abs                        | —             |
| Add                        | —             |
| Algebraic Constraint       | —             |
| Assignment                 | —             |
| Bias                       | —             |
| Complex to Magnitude-Angle | —             |
| Complex to Real-Imag       | —             |
| Divide                     | —             |
| Dot Product                | —             |
| Gain                       | —             |
| Magnitude-Angle to Complex | Not supported |
| Math Function             | Supports the following <b>Function</b> parameter settings for all signal types:                               |
|                           | • conj                                                                                                        |
|                           | • mod                                                                                                         |
|                           | • rem                                                                                                         |
|                           | Supports the following <b>Function</b> parameter settings for floating-point input and output signals:        |
|                           | • magnitude^2                                                                                                 |
|                           | • square                                                                                                      |
|                           | • reciprocal                                                                                                  |
|                           | • transpose                                                                                                   |
|                           | • hermitian                                                                                                   |
|                           | Supports the following <b>Function</b> parameter setting for integer or fixed-point input and output signals: |
|                           | • sqrt                                                                                                        |
| Matrix Concatenate        | —                                                                                                             |
| MinMax                    | —                                                                                                             |
| MinMax Running Resettable | —                                                                                                             |
| Permute Dimensions        | —                                                                                                             |
| Polynomial                | —                                                                                                             |
| Product                   | —                                                                                                             |
| Product of Elements       | —                                                                                                             |
| Real-Imag to Complex      | Not supported                                                                                                 |
| Reshape                   | —                                                                                                             |
| Rounding Function         | —                                                                                                             |
| Sign                      | —             |
| Sine Wave Function        | Not supported |
| Slider Gain               | —             |
| Squeeze                   | —             |
| Subtract                  | —             |
| Sum                       | —             |
| Sum of Elements           | —             |
| Trigonometric Function    | Not supported |
| Unary Minus               | —             |
| Vector Concatenate        | —             |
| Weighted Sample Time Math | Not supported |

## **Model Verification Library**

The Simulink Design Verifier software supports all blocks in the Model Verification library.

## **Model-Wide Utilities Library**

| Block                       | Support Notes |
|-----------------------------|---------------|
| Block Support Table         | —             |
| DocBlock                    | —             |
| Model Info                  | —             |
| Time-Based Linearization    | Not supported |
| Trigger-Based Linearization | Not supported |

## Ports & Subsystems Library

| Block                           | Support Notes                                                                                                                                                                                |
|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Atomic Subsystem                | —                                                                                                                                                                                            |
| Code Reuse Subsystem            | —                                                                                                                                                                                            |
| Configurable Subsystem          | —                                                                                                                                                                                            |
| Enabled Subsystem               | —                                                                                                                                                                                            |
| Enabled and Triggered Subsystem | Not supported when the trigger control signal specifies a fixed-point data type.                                                                                                             |
| For Iterator Subsystem          | —                                                                                                                                                                                            |
| Function-Call Generator         | —                                                                                                                                                                                            |
| Function-Call Subsystem         | —                                                                                                                                                                                            |
| If                              | Parameter configurations are not supported for the If<br>and Fcn blocks. The Simulink Design Verifier software<br>ignores any parameter configurations that you specify<br>for these blocks. |
| If Action Subsystem             | —                                                                                                                                                                                            |
| Model                           | Not supported                                                                                                                                                                                |
| Subsystem                       | —                                                                                                                                                                                            |
| Switch Case                     | —                                                                                                                                                                                            |
| Switch Case Action Subsystem    | —                                                                                                                                                                                            |
| Triggered Subsystem             | Not supported when the trigger control signal specifies a fixed-point data type.                                                                                                             |
| While Iterator Subsystem        | —                                                                                                                                                                                            |

## Signal Attributes Library

| Block                          | Support Notes |
|--------------------------------|---------------|
| Bus to Vector                  | —             |
| Data Type Conversion           | —             |
| Data Type Conversion Inherited | —             |
| Data Type Duplicate            | —             |
| Data Type Propagation          | —             |
| Data Type Scaling Strip        | —             |
| IC                             | —             |
| Probe                          | —             |
| Rate Transition                | —             |
| Signal Conversion              | —             |
| Signal Specification           | —             |
| Weighted Sample Time           | Not supported |
| Width                          | Not supported |

## **Signal Routing Library**

The Simulink Design Verifier software supports all blocks in the Signal Routing library.

## **Sinks Library**

| Block           | Support Notes |
|-----------------|---------------|
| Display         | —             |
| Floating Scope  | —             |
| Outport (Out1)  | —             |
| Scope           | —             |
| Stop Simulation | Not supported |
| Terminator      | —             |
| To File         | —             |
| To Workspace    | —             |
| XY Graph        | —             |

## **Sources Library**

| Block                           | Support Notes                                                                                              |
|---------------------------------|------------------------------------------------------------------------------------------------------------|
| Band-Limited White Noise        | Not supported                                                                                              |
| Chirp Signal                    | Not supported                                                                                              |
| Clock                           | —                                                                                                          |
| Constant                        | —                                                                                                          |
| Counter Free-Running            | —                                                                                                          |
| Counter Limited                 | —                                                                                                          |
| Digital Clock                   | —                                                                                                          |
| From File                       | Not supported                                                                                              |
| From Workspace                  | Not supported                                                                                              |
| Ground                          | —                                                                                                          |
| Inport (In1)                    | —                                                                                                          |
| Pulse Generator                 | Supports only Sample based for the <b>Pulse type</b> parameter; also, must specify a discrete sample time. |
| Ramp                            | —                                                                                                          |
| Random Number                   | Not supported                                                                                              |
| Repeating Sequence              | Not supported                                                                                              |
| Repeating Sequence Interpolated | Not supported                                                                                              |
| Repeating Sequence Stair        | —                                                                                                          |
| Signal Builder                  | Not supported                                                                                              |
| Signal Generator                | Not supported                                                                                              |
| Sine Wave                       | Not supported                                                                                              |
| Step                            | —                                                                                                          |
| Uniform Random Number           | Not supported                                                                                              |

## **User-Defined Functions Library**

| Block                     | Support Notes                                                                                                                                                                                |
|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Embedded MATLAB Function  | See "Limitations of Support for the Embedded MATLAB<br>Subset" on page 3-10 for more information.                                                                                            |
| Fcn                       | Supports all operators except ^, and supports only the mathematical functions abs, ceil, fabs, floor, rem, and sgn.                                                                          |
|                           | Parameter configurations are not supported for the If<br>and Fcn blocks. The Simulink Design Verifier software<br>ignores any parameter configurations that you specify<br>for these blocks. |
| Level-2 M-file S-Function | Not supported                                                                                                                                                                                |
| MATLAB Fcn                | Not supported                                                                                                                                                                                |
| S-Function                | Not supported                                                                                                                                                                                |
| S-Function Builder        | Not supported                                                                                                                                                                                |

# 15

## Embedded MATLAB Subset Support

This table lists only the Embedded MATLAB library functions for which the Simulink Design Verifier software provides no support or limited support. See "Embedded MATLAB Function Library Reference" for the complete listing of available functions.

| Function                 | Support Notes                                                |
|--------------------------|--------------------------------------------------------------|
| <b>Arithmetic Operator Functions</b> |                                                  |
| mldivide(\)              | Supports only scalar arguments.                              |
| mpower(^)                | Supports only integer exponents.                             |
| mrdivide(/)              | Supports only scalar arguments.                              |
| power(.^)                | Supports only integer exponents.                             |
| <b>Casting Functions</b> |                                                              |
| char                     | Not supported.                                               |
| typecast                 | Not supported.                                               |
| <b>Complex Number Functions</b> |                                                       |
| complex                  | Not supported.                                               |
| imag                     | Not supported.                                               |
| <b>Error-Handling Functions</b> |                                                       |
| assert                   | Supported, but does not behave like a Proof Objective block. |
| <b>Exponential Functions</b> |                                                          |
| exp                      | Not supported.                                               |
| expm                     | Not supported.                                               |
| expm1                    | Not supported.                                               |
| log                      | Not supported.                                               |
| log2                     | Not supported.                                               |
| log10                    | Not supported.                                               |
| log1p                    | Not supported.                                               |
| nextpow2                 | Not supported.                                               |
| nthroot                                  | Not supported.                               |
| reallog                                  | Not supported.                               |
| realpow                                  | Not supported.                               |
| realsqrt                                 | Not supported.                               |
| sqrt                                     | Not supported.                               |
| <b>Filtering and Convolution Functions</b> |                                            |
| detrend                                  | Not supported.                               |
| <b>Fixed-Point Toolbox™ Functions</b>    |                                              |
| complex                                  | Not supported.                               |
| <b>Interpolation and Computational Geometry</b> |                                       |
| cart2pol                                 | Not supported.                               |
| cart2sph                                 | Not supported.                               |
| pol2cart                                 | Not supported.                               |
| sph2cart                                 | Not supported.                               |
| <b>Matrix and Array Functions</b>        |                                              |
| angle                                    | Not supported.                               |
| cond                                     | Not supported.                               |
| det                                      | Not supported.                               |
| eig                                      | Not supported.                               |
| inv                                      | Not supported.                               |
| invhilb                                  | Not supported.                               |
| logspace                                 | Not supported.                               |
| lu                                       | Not supported.                               |
| norm                                     | Supported only when invoked using the syntax norm(A,p), where p is either 1 or inf. |
| normest                     | Not supported. |  |
| pinv                        | Not supported. |  |
| planerot                    | Not supported. |  |
| qr                          | Not supported. |  |
| rank                        | Not supported. |  |
| rcond                       | Not supported. |  |
| subspace                    | Not supported. |  |
| <b>Polynomial Functions</b> |                |
| poly                        | Not supported. |
| polyfit                     | Not supported. |
| <b>Signal Processing Functions</b> |         |
| chol                        | Not supported. |  |
| fft                         | Not supported. |  |
| fftshift                    | Not supported. |  |
| ifft                        | Not supported. |  |
| ifftshift                   | Not supported. |  |
| sosfilt                     | Not supported. |  |
| svd                         | Not supported. |  |
| <b>Special Values</b>       |                |
| rand                        | Not supported. |
| randn                       | Not supported. |
| <b>Specialized Math</b>     |                |
| beta                        | Not supported. |  |
| betainc                     | Not supported. |  |
| betaln                      | Not supported. |  |
| ellipke                     | Not supported. |
| erf                   | Not supported. |
| erfc                  | Not supported. |
| erfcinv               | Not supported. |
| erfcx                 | Not supported. |
| erfinv                | Not supported. |
| expint                | Not supported. |
| gamma                 | Not supported. |
| gammainc              | Not supported. |
| gammaln               | Not supported. |
| <b>Statistical Functions</b> |               |
| std                   | Not supported. |
| <b>String Functions</b> |              |
| char                  | Not supported. |
| ischar                | Not supported. |
| <b>Trigonometric Functions</b> |       |
| acos                  | Not supported. |
| acosd                 | Not supported. |
| acosh                 | Not supported. |
| acot                  | Not supported. |
| acotd                 | Not supported. |
| acoth                 | Not supported. |
| acsc                  | Not supported. |
| acscd                 | Not supported. |
| acsch                 | Not supported. |
| asec                  | Not supported. |
| asecd                 | Not supported. |
| asech    | Not supported. |
| asin     | Not supported. |
| asinh    | Not supported. |
| atan     | Not supported. |
| atan2    | Not supported. |
| atand    | Not supported. |
| atanh    | Not supported. |
| cos      | Not supported. |
| cosd     | Not supported. |
| cosh     | Not supported. |
| cot      | Not supported. |
| cotd     | Not supported. |
| coth     | Not supported. |
| csc      | Not supported. |
| cscd     | Not supported. |
| csch     | Not supported. |
| hypot    | Not supported. |
| sec      | Not supported. |
| secd     | Not supported. |
| sech     | Not supported. |
| sin      | Not supported. |
| sind     | Not supported. |
| sinh     | Not supported. |
| tan      | Not supported. |
| tand     | Not supported. |
| tanh     | Not supported. |

#### analysis model

The target model for a Simulink Design Verifier analysis. If you select an atomic subsystem for analysis, the analysis model is generated by extracting the subsystem to a new model.

#### assumption

A property that is assumed to be true during a property proof. The proof result holds only when the assumption is true.

#### block replacement rule

A rule that is registered with the Simulink Design Verifier software and defines how instances of specific blocks are replaced by an alternate implementation. The software uses M-code to define when and how to apply a block replacement rule (see Chapter 4, "Working with Block Replacements").

#### condition coverage

Measures the percentage of the total number of logic conditions associated with logical model objects that the simulation actually exercised. See "Using Model Coverage" in the *Simulink Verification and Validation User's Guide*.

#### constraint

A property that is forced to be true during test case generation.

#### counterexample

A test case that demonstrates a property violation.

#### coverage objective

A test objective that defines when a coverage point results in a particular outcome.

#### coverage point

A decision, condition, or MCDC expression associated with a model object. Each coverage point has a fixed number of mutually exclusive outcomes.

#### decision coverage

Measures the percentage of the total number of simulation paths through model objects that the simulation actually traversed. See "Using Model Coverage" in the *Simulink Verification and Validation User's Guide*.

#### floating-point approximation

The process of approximating floating-point numbers using rational numbers (i.e., fractions whose numerator and denominator are small integers). The Simulink Design Verifier software performs floating-point approximations during its analysis. Because of the resulting numerical differences, the software can generate invalid test cases. For example, given a sufficiently large floating-point number x, the expression x==(x+1) is true; however, this expression never holds if x is a rational number.

#### invalid test case

A test case that does not satisfy its objectives.

#### Modified Condition/Decision Coverage (MCDC)

Measures the independence of logical block inputs and transition conditions associated with logical model objects during the simulation. See "Using Model Coverage" in the *Simulink Verification and Validation User's Guide*.

#### nonlinear arithmetic

A computation in the model that cannot be expressed as a combination of mutually exclusive linear expressions. Nonlinear arithmetic can affect a property or test objective, and it can cause the analysis to return an error. In this case, you should apply simplifying approximations and abstractions.

#### property

A logical expression of the signals and data values, within a model, that is intended to be proven true during simulation. Properties evaluate at specific points in the model.

#### property violation

The condition during a simulation when a property is false.

#### test case

A sequence of numeric values and input data time that you input to a model during its simulation.

#### test harness

A model that runs test cases on an analysis model.

#### test objective

A logical expression of the signals and data values, within a model, that is intended to be true at least once in the resulting test case during simulation. Test objectives evaluate at specific points in the model.

#### Test Objective block

The block that you add to a model to define test objectives. In the block mask, define test objectives as values or ranges that an input signal must satisfy during a test case.

#### unsatisfiable test objective

The status of a test objective that indicates a test case cannot be generated for the specified approximations. This includes floating-point approximations and maximum-step limitations specified in the **Test Generation** pane of the Configuration Parameters dialog box.

#### validated property

The status of a property that indicates no counterexample exists, subject to floating-point approximations and the settings specified in the **Property Proving** pane of the Configuration Parameters dialog box.



## Examples

Use this list to find examples in the documentation.

## **Working with Block Replacements**

- "Constructing Replacement Blocks" on page 4-7
- "Writing Block Replacement Rules" on page 4-10
- "Configuring Block Replacements" on page 4-15

## **Specifying Parameter Configurations**

- "Constructing the Example Model" on page 5-8
- "Parameterizing the Constant Block" on page 5-10
- "Specifying a Parameter Configuration" on page 5-11
- "Analyzing the Example Model" on page 5-13
- "Simulating the Test Cases" on page 5-15

## **Generating Test Cases**

- "Constructing the Example Model" on page 7-5
- "Checking Compatibility of the Example Model" on page 7-6
- "Configuring Test Generation Options" on page 7-10
- "Analyzing the Example Model" on page 7-12
- "Customizing Test Generation" on page 7-20
- "Reanalyzing the Example Model" on page 7-22

## **Proving Properties of a Model**

- "Constructing the Example Model" on page 8-5
- "Instrumenting the Example Model" on page 8-10
- "Configuring Property-Proving Options" on page 8-13
- "Analyzing the Example Model" on page 8-15
- "Customizing the Example Proof" on page 8-21
- "Reanalyzing the Example Model" on page 8-23

## Index

## Symbols and Numerics

2-D lookup tables linearizing 2-7

## A

AnalysisInformation field 9-4 analyzing large models initial steps 10-4 analyzing models overview 2-2 approximations types 2-6

### B

block replacements configuration 4-15 example 4-7 execution 4-16 factory defaults 4-3 introduction 4-2 template 4-6 block support limitations 3-6 summary 14-1

### C

configuration parameters block replacements 6-7 Block Replacements pane 13-10 Apply block replacements 13-11 File path of the output model 13-13 List of block replacement rules 13-12 Design Verifier 6-5 Design Verifier pane 13-3 Display unsatisfiable test objectives 13-6 Make output file names unique by adding a suffix 13-8

Maximum analysis time 13-5 Mode 13-4 Output directory 13-7 pane Reference input model in generated harness 13-43 Save test harness as SystemTest TEST-file (will reference saved data file) 13-44 SystemTest file name: 13-45 parameters 6-8 Parameters pane 13-15 Apply parameters 13-16 Parameter configuration file 13-17 property proving 6-11 Property Proving pane 13-27 Assertion blocks 13-28 Maximum violation steps 13-31 Proof assumptions 13-29 Strategy 13-30 report 6-16 Report pane 13-47 Display report 13-51 Generate report of the results 13-48 Include screen shots and plots 13-50 Report file name 13-49 results 6-13 Results pane 13-34 Data file name 13-36 Harness model file name 13-42 Include expected output values 13-37 Randomize data that does not affect outcome 13-39 Save test data to file 13-35 Save test harness as model 13-41 summary 13-52 test generation 6-9 Test Generation pane 13-19 Maximum test case steps 13-23 Model coverage objectives 13-20

Test conditions 13-21 Test objectives 13-22 Test suite optimization 13-24 CounterExamples field 9-5

#### D

discretization constraining data 10-8

#### E

Embedded MATLAB library functions limitations 3-11 Embedded MATLAB subset support summary 15-2

#### F

floating-point data constraining for model analysis 10-8 converting to rational 2-6

#### G

generating test cases 1-8

#### H

harness. See test harness

#### L

large model optimization 10-5 large models analyzing first steps 10-4 complexity of 10-2 linearizing 2-D lookup tables 2-7 lookup tables linearizing 2-7

#### M

model compatibility
 checking 3-2
ModelInformation field 9-3
ModelObjects field 9-4
models 10-2
 analyzing, overview 2-2
 complexity of 10-2
 mathematical techniques for simplifying
 analysis 2-5
 See also large models

#### O

Objectives field 9-5

#### P

parameter configurations example 5-7 introduction 5-2 syntax 5-4 template 5-3 Proof Assumption block 12-2 Proof Objective block 12-8 property proofs example 8-4 introduction 8-2 Stateflow actions 8-2 subsystems 8-26 workflow 8-3

#### R

rational data converting floating-point data to 2-6

#### S

Simulink Design Verifier model parameters 13-52 Simulink Design Verifier data files fields 9-3 overview 9-2 simulation 9-7 Simulink Design Verifier options saving 6-18 viewing 6-2 Simulink Design Verifier report table of contents 9-17 Simulink Design Verifier reports analysis information 9-19 approximations 9-22 block replacements summary 9-21 Constraints 9-20 model items 9-27 summary 9-18 test cases/counterexamples 9-27 test/proof objectives 9-23 title 9-17 Simulink<sup>®</sup> Design Verifier<sup>™</sup> software analyzing demo model 1-6 block library 1-4 HTML report 1-12 starting 1-4 workflow 1-27 sldvblockreplacement function 11-2 sldvcompat function 11-3 sldvextract function 11-5 sldvgencov function 11-6 sldvharnessmerge function 11-7 sldvoptions function 11-8 sldvrun function 11-15 sldvruntest function 11-17 subsystems analyzing 1-23 generating test cases for 7-28 proving properties of 8-26

system requirements 1-3

#### T

test case generation example 7-4 introduction 7-2 Stateflow actions 7-2 subsystems 7-28 test objectives 2-3 workflow 7-3 test cases generating 1-8 Test Condition block 12-13 test harness contents 1-9 test harness models anatomy 9-8 simulation 9-12 Test Objective block 12-19 test objectives generating test cases 2-3 test suite optimization large model option 10-5 TestCases field 9-5

#### U

unrolling while loops 2-7 unsupported features Embedded MATLAB subset 3-10 Simulink 3-6 Stateflow 3-8

#### V

Verification Subsystem block 12-24 Version field 9-7

#### W

while loops unrolling 2-7