## Simulink<sup>®</sup> Design Verifier™ User's Guide

# MATLAB&SIMULINK®



R

**R**2023**a** 

## **How to Contact MathWorks**



Latest news:

Phone:

www.mathworks.com

Sales and services: www.mathworks.com/sales\_and\_services

User community: www.mathworks.com/matlabcentral

Technical support: www.mathworks.com/support/contact\_us



 $\searrow$ 

508-647-7000

#### The MathWorks, Inc. 1 Apple Hill Drive Natick, MA 01760-2098

Simulink<sup>®</sup> Design Verifier<sup>™</sup> User's Guide

© COPYRIGHT 2007-2023 by The MathWorks, Inc.

The software described in this document is furnished under a license agreement. The software may be used or copied only under the terms of the license agreement. No part of this manual may be photocopied or reproduced in any form without prior written consent from The MathWorks, Inc.

FEDERAL ACQUISITION: This provision applies to all acquisitions of the Program and Documentation by, for, or through the federal government of the United States. By accepting delivery of the Program or Documentation, the government hereby agrees that this software or documentation qualifies as commercial computer software or commercial computer software documentation as such terms are used or defined in FAR 12.212, DFARS Part 227.72, and DFARS 252.227-7014. Accordingly, the terms and conditions of this Agreement and only those rights specified in this Agreement, shall pertain to and govern the use, modification, reproduction, release, performance, display, and disclosure of the Program and Documentation by the federal government (or other entity acquiring for or through the federal government) and shall supersede any conflicting contractual terms or conditions. If this License fails to meet the government's needs or is inconsistent in any respect with federal procurement law, the government agrees to return the Program and Documentation, unused, to The MathWorks, Inc.

#### Trademarks

Prover, Prover Technology, Prover Plug-In and the Prover logo are trademarks or registered trademarks of Prover Technology AB in Sweden, the United States and in other countries.

MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See

www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

#### Patents

 $MathWorks\ {\tt products\ are\ protected\ by\ one\ or\ more\ U.S.\ patents.\ Please\ {\tt see\ www.mathworks.com/patents\ for\ more\ information.}$ 

#### **Revision History**

May 2007 September 2007 March 2008 October 2008 March 2009 September 2009 March 2010 September 2010 April 2011 September 2011 March 2012 September 2012 March 2013 September 2013 March 2014 October 2014 March 2015 September 2015 October 2015 March 2016 September 2016 March 2017 September 2017 March 2018 September 2018 March 2019 September 2019 March 2020 September 2020 March 2021 September 2021 March 2022 September 2022 March 2023

Online only New for Version 1.0 (Release 2007a+) Revised for Version 1.1 (Release 2007b) Revised for Version 1.2 (Release 2008a) Revised for Version 1.3 (Release 2008b) Revised for Version 1.4 (Release 2009a) Revised for Version 1.5 (Release 2009b) Revised for Version 1.6 (Release 2010a) Revised for Version 1.7 (Release 2010b) Revised for Version 2.0 (Release 2011a) Revised for Version 2.1 (Release 2011b) Revised for Version 2.2 (Release 2012a) Revised for Version 2.3 (Release 2012b) Revised for Version 2.4 (Release 2013a) Revised for Version 2.5 (Release 2013b) Revised for Version 2.6 (Release 2014a) Revised for Version 2.7 (Release 2014b) Revised for Version 2.8 (Release 2015a) Revised for Version 3.0 (Release 2015b) Rereleased for Version 2.8.1 (Release 2015aSP1) Revised for Version 3.1 (Release 2016a) Revised for Version 3.2 (Release 2016b) Revised for Version 3.3 (Release 2017a) Revised for Version 3.4 (Release 2017b) Revised for Version 3.5 (Release 2018a) Revised for Version 4.0 (Release 2018b) Revised for Version 4.1 (Release 2019a) Revised for Version 4.2 (Release 2019b) Revised for Version 4.3 (Release 2020a) Revised for Version 4.4 (Release 2020b) Revised for Version 4.5 (Release 2021a) Revised for Version 4.6 (Release 2021b) Revised for Version 4.7 (Release 2022a) Revised for Version 4.8 (Release 2022b) Revised for Version 4.9 (Release 2023a)

## Contents

## Acknowledgments

## **Getting Started**

| Simulink Design Verifier Product Description                 | 1-2  |
|--------------------------------------------------------------|------|
| Simulink Design Verifier Block Library                       | 1-3  |
| Analyze a Model                                              | 1-4  |
| About This Example                                           | 1-4  |
| Open the Model                                               | 1-4  |
| Generate Test Cases                                          | 1-5  |
| Combine Test Cases                                           | 1-15 |
| Analyze a Stateflow Atomic Subchart                          | 1-17 |
| Analyze an Atomic Subchart by Using Simulink Design Verifier | 1-17 |
| Overview of the Simulink Design Verifier Workflow            | 1-19 |
| Check Model Compatibility                                    | 1-19 |
| Apply Block Replacement Rules                                | 1-19 |
| Set Simulink Design Verifier Options                         | 1-20 |
| Perform Analysis on Model                                    | 1-20 |
| Generate Analysis Results                                    | 1-20 |
| Interpret Analysis Results                                   | 1-20 |

1

2

## How the Simulink Design Verifier Software Works

| Analyze a Simple Model                           | 2-2        |
|--------------------------------------------------|------------|
| Model Blocks                                     | 2-4        |
| Block Reduction                                  | 2-5        |
| Large Models                                     | 2-6        |
| Handle Incompatibilities with Automatic Stubbing | 2-7<br>2-7 |

| How Automatic Stubbing Works                                                                                                                                                                                                                                                                                                                  | 2-7<br>2-9                           |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------|
| Analyze Export-Function Models                                                                                                                                                                                                                                                                                                                | 2-12<br>2-12                         |
| Analyze Export-Function Model with Function-Call Subsystems                                                                                                                                                                                                                                                                                   | 2-13                                 |
| Analyze Export-Function Model with Global Simulink Function                                                                                                                                                                                                                                                                                   | 2-16                                 |
| Nonfinite Data                                                                                                                                                                                                                                                                                                                                | 2-19                                 |
| Role of Approximations During Model Analysis         Types of Approximations         Floating-Point to Rational Number Conversion         Linearization of Two-Dimensional Lookup Tables for Floating-Point Data         Types         Approximation of One- and Two-Dimensional Lookup Tables for Integer and         Fixed-Point Data Types | 2-20<br>2-20<br>2-20<br>2-21<br>2-21 |
| While Loops          How Simulink Design Verifier Reports Approximations Through         Validation Results                                                                                                                                                                                                                                   | 2-22<br>2-23                         |
| Impact of Approximations on Objectives Status<br>Identify the Effect of Approximations Through Validation Results                                                                                                                                                                                                                             | 2-23<br>2-23<br>2-24                 |
| Logic Operations Short-Circuiting                                                                                                                                                                                                                                                                                                             | 2-26                                 |
| Model Representation for AnalysisReuse Model Representation for AnalysisLimitations                                                                                                                                                                                                                                                           | 2-28<br>2-28<br>2-30                 |
| Share Simulink Cache File for Faster Analysis<br>Store the Simulink Cache File<br>Reuse the Simulink Cache File                                                                                                                                                                                                                               | 2-31<br>2-31<br>2-31                 |
| Analyze AUTOSAR Component Models                                                                                                                                                                                                                                                                                                              | 2-33<br>2-33                         |
| Extend Existing Test Cases by Reusing Model Representation                                                                                                                                                                                                                                                                                    | 2-35                                 |
| Configure Model Representation Options                                                                                                                                                                                                                                                                                                        | 2-39                                 |
| Run Additional Analysis to Reduce Instances of Rational Approximation                                                                                                                                                                                                                                                                         | 2-42                                 |
| Detect Design Errors in AUTOSAR Software Component Model                                                                                                                                                                                                                                                                                      | 2-47                                 |

## Checking Compatibility with the Simulink Design Verifier Software

| Check Model Compatibility<br>Run Compatibility Check<br>Compatibility Check Results                                                                                                                                           | 3-2<br>3-2<br>3-3            |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|
| Supported and Unsupported Simulink Blocks in Simulink Design Verifier                                                                                                                                                         | 3-7                          |
| Support Limitations for Simulink Software Features                                                                                                                                                                            | 3-16                         |
| Support Limitations for Model Blocks                                                                                                                                                                                          | 3-19                         |
| Support Limitations for Stateflow Software Features         ml Namespace Operator, ml Function, ml Expressions         C or C++ Operators                                                                                     | 3-21<br>3-21<br>3-21         |
| C Math Functions<br>Atomic Subcharts That Call Exported Graphical Functions Outside a<br>Subchart                                                                                                                             | 3-21<br>3-22                 |
| Atomic Subchart Input and Output MappingRecursion and Cyclic BehaviorCustom C/C++ Code                                                                                                                                        | 3-22<br>3-22<br>3-23         |
| Textual Functions with Literal String Arguments                                                                                                                                                                               | 3-24                         |
| Support Limitations for MATLAB for Code Generation<br>Unsupported MATLAB for Code Generation Features<br>Support Limitations for MATLAB for Code Generation Library Functions                                                 | 3-25<br>3-25                 |
| •••••••••••••••••••••••••••••••••••••••                                                                                                                                                                                       | 3-25                         |
| Support Limitations and Considerations for S-Functions and C/C++ Code                                                                                                                                                         |                              |
| Enabling S-Functions in Simulink Design Verifier<br>Support Limitations for S-Functions and C/C++ Code<br>Handle Volatile Variables as Normal Variables<br>Considerations for Enabling S-Functions and C/C++ Code in Simulink | 3-28<br>3-28<br>3-28<br>3-29 |
| Design Verifier<br>Source Code Protection                                                                                                                                                                                     | 3-29<br>3-29                 |

## Working with Block Replacements

## 4

| What Is Block Replacement?            Block Replacement Effects on Test Generation |     |
|------------------------------------------------------------------------------------|-----|
| Built-In Block Replacements                                                        | 4-4 |
| Template for Block Replacement Rules                                               | 4-6 |
| Block Replacements for Unsupported Blocks                                          | 4-7 |

| Parameter Configuration for Analysis                                                                         | 5-2<br>5-2        |
|--------------------------------------------------------------------------------------------------------------|-------------------|
| SetData Types in Parameter ConfigurationsParameters in Variant Blocks                                        | 5-3<br>5-4<br>5-5 |
| Use Parameter Table                                                                                          | 5-7               |
| Find Parameters                                                                                              | 5-8               |
| Edit Parameter Constraints                                                                                   | 5-10              |
| Highlight Constrained Parameters in Model                                                                    | 5-11              |
| Specify Parameter Configuration for Structure or Bus Parameters                                              | 5-12              |
| About This Example Model                                                                                     | 5-12              |
| Preload Workspace Variable for Structure Parameter                                                           | 5-12              |
| Define Parameter Constraint Values                                                                           | 5-13              |
| Define Parameter Constraint Values using Parameter Table                                                     | 5-13              |
| Define Constraint Values using Parameter Configuration File                                                  | 5-14              |
| Analyze Example Model                                                                                        | 5-15              |
| Specify Parameter Configuration for Full Coverage                                                            | 5-17              |
| About This Example                                                                                           | 5-17              |
| Construct Example Model                                                                                      | 5-17              |
| Parameterize Constant Block                                                                                  | 5-18              |
| Preload Workspace Variable                                                                                   | 5-18              |
| Autogenerate Parameter Constraint                                                                            | 5-19              |
| Analyze Example Model                                                                                        | 5-20              |
| Simulate Test Cases                                                                                          | 5-22              |
| Store Parameter Constraints in MATLAB Code Files                                                             | 5-26              |
| Export Parameter Constraints to File                                                                         | 5-26              |
| Import Parameter Constraints from File                                                                       | 5-27              |
|                                                                                                              |                   |
| Use Parameter Configuration File                                                                             | 5-29              |
| Template Parameter Configuration File                                                                        | 5-29              |
| Syntax in Parameter Configuration Files                                                                      | 5-29              |
| Automatically Infer Parameter Specification<br>Configuring Parameters by Using Automatically infer parameter | 5-32              |
| specification                                                                                                | 5-33              |
| Determine from Generated Code                                                                                | 5-36              |
| Configuring Parameters by Using Determine from generated code                                                | 5-37              |
| Using Command Line Functions to Support Changing Parameters                                                  | 5-39              |
|                                                                                                              |                   |
| Generate Parameters Values                                                                                   | 5-45              |
| Extend Existing Test Cases After Applying Parameter Configurations                                           | 5-46              |

| What Is Design Error Detection?                                                                                                                                                                                                | 6-2                                          |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|
| Derived Ranges in Design Error Detection                                                                                                                                                                                       | 6-3                                          |
| Analyze Models for Design ErrorsWorkflow for Detecting Design ErrorsUnderstand the Analysis ResultsReview the Latest Analysis Results in the Results Summary WindowCheck For Design Errors using the Model Advisor             | 6-4<br>6-4<br>6-5<br>6-5                     |
| Dead Logic DetectionRun a Partial Check for Dead LogicRun an Exhaustive Analysis for Dead LogicRun a Dead Logic Analysis and Review Results                                                                                    | 6-7<br>6-7<br>6-7<br>6-8                     |
| Detect Dead Logic Caused by an Incorrect ValueAnalyze the Fuel System ModelReview the Results and Trace to the ModelInvestigate the Cause of the Dead LogicUpdate the Input Constraint and Reanalyze the Model                 | 6-12<br>6-12<br>6-13<br>6-13<br>6-14         |
| Common Causes for Dead LogicShort-Circuiting of a Logical Operator Block During AnalysisConditional Execution of a BlockParameter Values Treated as ConstantsUpstream BlocksLibrary-Linked BlocksRestrictions on Signal Ranges | 6-15<br>6-15<br>6-16<br>6-17<br>6-17<br>6-17 |
| Detect Integer Overflow and Division-by-Zero ErrorsAbout This ExampleAnalyze the ModelAnalyze the ModelReview the Analysis Results                                                                                             | 6-19<br>6-19<br>6-19<br>6-19                 |
| <b>Check for Specified Minimum and Maximum Value Violations</b><br>Limitations of Checking Specified Minimum and Maximum Value Violations                                                                                      | 6-23                                         |
| About This Example         Create the Example Model         Analyze the Model         Review the Analysis Results                                                                                                              | 6-23<br>6-23<br>6-24<br>6-25<br>6-25         |
| Detect Out of Bound Array Access Errors                                                                                                                                                                                        | 6-28<br>6-28<br>6-28<br>6-31                 |
| Detect Non-Finite, NaN, and Subnormal Floating-Point Values<br>Assumptions and Limitations<br>Run Design Error Detection Analysis to Detect Floating-Point Errors                                                              | 6-33<br>6-33<br>6-33                         |

| Detect Data Store Access Violations<br>Detect Data Store Access Violations in a Model                                                                                                                                                                                                                                      | 6-37<br>6-37                                 |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|
| Detect Violations of High-Integrity Systems Modeling GuidelinesUsage of rem and reciprocal operations - hisl_0002Usage of square root operations - hisl_0003Usage of log and log10 operations - hisl_0004Usage of Reciprocal Square Root blocks - hisl_0028Detect Violations of High-Integrity Systems Modeling Guidelines | 6-41<br>6-41<br>6-41<br>6-41<br>6-41<br>6-41 |
| Filter Objectives by Using Simulink Design Verifier Filter Explorer<br>Use the Simulink Design Verifier Filter Explorer to Edit Filter Files<br>Limitations                                                                                                                                                                | 6-46<br>6-46<br>6-49                         |
| Detect Integer Overflow Errors                                                                                                                                                                                                                                                                                             | 6-51                                         |
| Detect Out of Bound Array Access Example Model                                                                                                                                                                                                                                                                             | 6-54                                         |
| Detect Design Errors in C/C++ Custom Code                                                                                                                                                                                                                                                                                  | 6-57                                         |
| Exclude and Justify Objectives for Design Error Detection                                                                                                                                                                                                                                                                  | 6-59                                         |
| Detect Integer Overflow in a Model with Complex Inputs                                                                                                                                                                                                                                                                     | 6-65                                         |
| Debug Integer Overflow Design Error Detection Using Model Slicer                                                                                                                                                                                                                                                           | 6-68                                         |
| Analyzing the Results for a Dead Logic Analysis                                                                                                                                                                                                                                                                            | 6-73                                         |

## **Generating Test Cases**

| What Is Test Case Generation?         Test Case Blocks           | 7-3<br>7-3 |
|------------------------------------------------------------------|------------|
| Test Case Functions                                              | 7-3        |
| Workflow for Test Case Generation                                | 7-5        |
| Generate Test Cases for Model Decision Coverage                  | 7-6        |
| Construct the Example Model                                      | 7-6        |
| Check Compatibility of the Example Model                         | 7-7        |
| Configure Test Generation Options                                | 7-8        |
| Analyze the Example Model                                        | 7-8        |
| Review Analysis Results                                          | 7-8        |
| Customize Test Generation                                        | 7-14       |
| Reanalyze the Example Model                                      | 7-16       |
| Analyze Contradictory Models                                     | 7-16       |
| Generate Test Cases for a Subsystem                              | 7-18       |
| Generate Test Cases for Subsystems for Normal Mode               | 7-18       |
| Generate Test Cases for Subsystems for Software-in-the-Loop Mode | 7-19       |

## **x** Contents

| Generate Test Cases for a Reusable Library Subsystem                                                                              | 7-21<br>7-21 |
|-----------------------------------------------------------------------------------------------------------------------------------|--------------|
| Use Test Generation Advisor to Identify Analyzable Components                                                                     | 7-24         |
| Test Generation Advisor                                                                                                           | 7-24         |
| Test Generation Advisor Requirements                                                                                              | 7-25         |
| Identify Analyzable Components                                                                                                    | 7-25<br>7-25 |
| Analyze and Generate Tests for Model Components                                                                                   | 7-23<br>7-27 |
| Generate Test Cases for Embedded Coder Generated Code<br>Generate Test Cases for Generated Code from the Simulink Model Toolstrip | 7-28         |
| Generate Test Cases for Generated Code by Using the Simulink Design                                                               | 7-28         |
| Verifier API<br>Generate Test Cases for Generated Code from the Simulink Test Test                                                | 7-29         |
| Manager                                                                                                                           | 7-29         |
| Model Coverage Objectives for Test Generation                                                                                     | 7-30         |
| Decision                                                                                                                          | 7-30<br>7-30 |
| MCDC                                                                                                                              | 7-31         |
| Enhanced MCDC                                                                                                                     | 7-31<br>7-31 |
| Enhance Model Coverage of Older Release Models<br>Enhance Model Coverage by Generating Test Cases for Older Release               | 7-32         |
| Model                                                                                                                             | 7-33         |
|                                                                                                                                   | 7-37         |
| Enhanced MCDC Coverage in Simulink Design Verifier                                                                                | 7-42         |
| Use Model Coverage Objectives for Enhanced MCDC Coverage                                                                          | 7-42         |
| Author Custom Test Objectives for Enhanced MCDC Coverage                                                                          | 7-43         |
| Analyze Model for Enhanced MCDC Analysis                                                                                          | 7-44         |
| Basic Workflow for Enhanced MCDC Analysis                                                                                         | 7-47         |
| Configure Detection Sites using Test-pointed Logged Signals                                                                       | 7-48         |
| Configure Advanced Options for Enhanced MCDC Analysis<br>Inspect Enhanced MCDC Objectives using Model Slicer                      | 7-49<br>7-50 |
| Author Custom Test Objective Workflow                                                                                             | 7-52         |
| Steps for Authoring Custom Test Objectives                                                                                        | 7-52         |
| Analyze Custom Test Objectives in Model for Enhanced MCDC                                                                         | 7-53         |
| What Is a Specification Model?                                                                                                    | 7-60         |
| Use Specification Models in Requirements-Based Testing                                                                            | 7-60         |
| Construct a Specification Model                                                                                                   | 7-61<br>7-65 |
| Test Generation Examples                                                                                                          | 7-66         |
| Test Generation for Custom Code in MATLAB Function Block<br>Generating Tests for Custom code in MATLAB function block             | 7-67<br>7-67 |

| Use Specification Models for Requirements-Based Testing                   | 7-69  |
|---------------------------------------------------------------------------|-------|
| Flip Flop Test Generation                                                 | 7-80  |
| Model Coverage Test Generation                                            | 7-81  |
| Test Objective Block                                                      | 7-82  |
| Test Condition Block                                                      | 7-83  |
| Cruise Control Test Generation                                            | 7-84  |
| Fuel Rate Controller Logic                                                | 7-85  |
| Extend an Existing Test Suite                                             | 7-86  |
| Defining and Extending Existing Tests Cases                               | 7-91  |
| Using Existing Coverage Data During Subsystem Analysis                    | 7-97  |
| Creating and Executing Test Cases                                         | 7-100 |
| Using Specified Input Minimum and Maximum Values as Constraints           | 7-107 |
| Configuring S-Function for Test Case Generation                           | 7-109 |
| Code Coverage Test Generation                                             | 7-111 |
| Test Generation on Model with C Caller Block                              | 7-119 |
| Debug Enhanced Modified Condition Decision Coverage Using Model<br>Slicer | 7-121 |
| Test Generation for Custom Code in a Stateflow Chart                      | 7-124 |
| Generate Test Cases for Model Blocks                                      | 7-126 |
| Use Observer Reference Block for Test Case Generation                     | 7-130 |
| Inspect Test Generation Objectives by Using Model Slicer                  | 7-135 |
| Generate Tests for Model Block Component by Using Default Simulation      | 7-138 |
| Add Test Cases Using Excel File                                           | 7-142 |
| Achieve Missing Coverage in Custom Code                                   | 7-146 |
| Achieve Missing Coverage in Generated Code of RLS                         | 7-149 |

| When to Extend Existing Test Cases         Common Workflow for Extending Existing Test Cases | 8-2<br>8-2 |
|----------------------------------------------------------------------------------------------|------------|
| Considerations for Starting Test Cases                                                       | 8-3        |
| Extend Test Cases for Model with Temporal Logic                                              | 8-4        |
| Create Starting Test Case                                                                    | 8-4        |
| Log Starting Test Case                                                                       | 8-6        |
| Extend Existing Test Cases                                                                   | 8-7        |
| Verify Analysis Results                                                                      | 8-8        |
| Extend Test Cases for Closed-Loop System                                                     | 8-10       |
| Log Starting Test Case                                                                       | 8-10       |
| Extend Existing Test Cases                                                                   | 8-12       |
| Extend Test Cases for Modified Model                                                         | 8-15       |
| Create Starting Test Cases                                                                   | 8-15       |
| Extend Existing Test Cases                                                                   | 8-15       |
| Create and Run Back-to-Back Tests Using Enhanced MCDC                                        | 8-18       |

8

9

## Achieving Test Cases for Missing Model Coverage

| Generate Test Cases for Missing Coverage Data                                                                                                                              | 9-2                  |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| Achieve Missing Coverage in Referenced Model<br>Programmatically Achieve Missing Coverage in Referenced Model<br>Increase Coverage for Referenced Models in a Test Harness | 9-3<br>9-3<br>9-5    |
| Achieve Missing Coverage in Subsystems and Model Blocks                                                                                                                    | 9-10                 |
| Achieve Missing Coverage in Closed-Loop Simulation ModelRecord Coverage Data for the ModelFind Test Cases for Missing Coverage                                             | 9-11<br>9-11<br>9-12 |
| Analyze Coverage for Lookup Table Boundary Values                                                                                                                          | 9-14<br>9-16         |
| Modified Condition and Decision Coverage in Simulink Design Verifier                                                                                                       |                      |
| MCDC Definitions for Simulink Coverage and Simulink Design Verifier                                                                                                        | 9-21<br>9-21         |
| Achieve Coverage in Models with Variable-Size Inputs                                                                                                                       | 9-24                 |

## 10

| What Is Component Verification?                                     | 10-2  |
|---------------------------------------------------------------------|-------|
| Component Verification Approaches                                   | 10-2  |
| Simulink Design Verifier Tools for Component Verification           | 10-2  |
| Functions for Component Verification                                | 10-3  |
| Verify a Component for Code Generation                              | 10-4  |
| About the Example Model                                             | 10-4  |
| Prepare the Component for Verification                              | 10-6  |
| Record Coverage for the Component                                   | 10-7  |
| Use Simulink Design Verifier Software to Record Additional Coverage | 10-7  |
| Combine the Harness Models                                          | 10-8  |
| Execute the Component in Simulation Mode                            | 10-9  |
| Execute the Component in Software-in-the-Loop (SIL) Mode            | 10-10 |

## Considering Specified Minimum and Maximum Values for Inputs During Analysis

## 11

| Minimum and Maximum Input Constraints                                     | 11-2  |
|---------------------------------------------------------------------------|-------|
| Simulink Design Verifier Support for Specified Input Minimum and          |       |
| Maximum Values                                                            | 11-2  |
| Limitations of Simulink Design Verifier Support for Specified Minimum and |       |
| Maximum Values                                                            | 11-2  |
|                                                                           |       |
| Specify Input Ranges on Simulink and Stateflow Elements                   | 11-4  |
| Specify Input Ranges for Inport Blocks                                    | 11-4  |
| Specify Input Ranges for Simulink.Signal Objects                          | 11-5  |
| Specify Input Ranges for Stateflow Data Objects                           | 11-5  |
| Specify Input Ranges for Subsystems                                       | 11-6  |
| Specify Input Ranges for Global Data Stores                               | 11-7  |
| Specify Input Ranges for Bus Elements                                     | 11-8  |
| Specification of Input Ranges in sldvData Fields                          | 11-10 |

## 12

## **Proving Properties of a Model**

| What Is Property Proving?         Proof Blocks         Proof Functions | 12-2 |
|------------------------------------------------------------------------|------|
| Workflow for Proving Model Properties                                  | 12-4 |

| Prove Properties in a Model                                                         | 12-5  |
|-------------------------------------------------------------------------------------|-------|
| About This Example                                                                  | 12-5  |
| Construct Example Model                                                             | 12-5  |
| Check Compatibility of Example Model                                                | 12-6  |
| Instrument Example Model                                                            | 12-7  |
| Configure Property-Proving Options                                                  | 12-8  |
| Analyze Example Model                                                               | 12-8  |
| Review Analysis Results                                                             | 12-8  |
| Customize Example Proof                                                             | 12-15 |
| Reanalyze Example Model                                                             | 12-16 |
| Review Results of Second Analysis                                                   | 12-16 |
| Analyze Contradictory Models                                                        | 12-18 |
| Prove Properties in a Large Model                                                   | 12-19 |
| Prove System-Level Properties Using Verification Model                              | 12-20 |
| When to Use a Verification Model for Property Proving                               | 12-20 |
| About This Example                                                                  | 12-20 |
| Understand the Verification Model                                                   | 12-20 |
| Prove the Properties of the Design Model                                            | 12-21 |
| Fix the Verification Model                                                          | 12-22 |
|                                                                                     | 10 00 |
| Prove Properties in a Subsystem                                                     | 12-23 |
| Model Requirements                                                                  | 12-24 |
| Basic Properties                                                                    | 12-24 |
|                                                                                     | 12-24 |
| Temporal Properties                                                                 | 12-20 |
| Isolate Verification Logic with Observers                                           | 12-29 |
| Replace a Verification Subsystem with an Observer Reference Block                   | 12-29 |
| Report on Observer Reference Blocks                                                 | 12-31 |
| Limitations                                                                         | 12-31 |
| Property Proving with an Invalid Property                                           | 12-32 |
| Property Proving with Multiple Properties                                           | 12-33 |
| Property Proving with an Assumption Block                                           | 12-34 |
|                                                                                     | 12 01 |
| Property Proving Workflow for Cruise Control                                        | 12-35 |
| Property Proving Workflow for Fixed-Point Cruise Control with Block<br>Replacements | 12-39 |
| Property Proving Using MATLAB Function Block                                        | 12-40 |
| Property Proving Using MATLAB Truth Table Block                                     | 12-41 |
| Property Proving Workflow for Thrust Reverser                                       | 12-42 |
| Debounce Temporal Properties                                                        | 12-43 |
| Power Window Controller Temporal Properties                                         | 12-46 |
| Debug Property Proving Violations by Using Model Slicer                             | 12-55 |

| Design and Verify Properties in a Model                     | 12-60 |
|-------------------------------------------------------------|-------|
| Validate Requirements by Analyzing Model Properties         | 12-63 |
| Use Observer Reference Blocks for Property Proving Analysis | 12-70 |
| Prove Properties with Requirements Table Blocks             | 12-73 |

## **Reviewing the Results**

| Highlight Results on the Model                                       | 13-2  |
|----------------------------------------------------------------------|-------|
| Results Review with Model Highlighting                               | 13-2  |
| Simulink Design Verifier Results Inspector                           | 13-2  |
| Highlight Results on Model Automatically                             | 13-2  |
| Green Highlighting on Model                                          | 13-4  |
| Red Highlighting on Model                                            | 13-4  |
| Orange Highlighting on Model                                         | 13-4  |
| Gray Highlighting on Model                                           | 13-6  |
| Managa Simulink Decign Verifer Data Files                            | 13-7  |
| Manage Simulink Design Verifier Data Files                           | 13-7  |
| Generate sldvData StructureModel Information Fields in sldvData      | 13-7  |
|                                                                      | -     |
| Simulate Models Using Data Files                                     | 13-11 |
| Load Results from Data Files                                         | 13-11 |
| Manage Simulink Design Verifier Harness Models                       | 13-13 |
| Harness Model Generation                                             | 13-13 |
| Create a Harness Model                                               | 13-13 |
| Contents of a Harness Model                                          | 13-13 |
| Configuration of the Harness Model                                   | 13-19 |
| Simulate the Harness Model                                           | 13-19 |
| Simulate Harness Model with Signal Editor Inputs Block               | 13-22 |
| Export Test Cases to Simulink Test                                   | 13-27 |
| Generate and Export Test Cases to Simulink Test                      | 13-27 |
|                                                                      | 10-27 |
| Export Tests from Models That Contain Requirements Table Blocks with |       |
| Simulink Design Verifier                                             | 13-30 |
| Construct the Model and Generate Tests                               | 13-30 |
| Export the Tests to the Test Manager                                 | 13-31 |
| Run the Tests                                                        | 13-33 |
| Inspect Test Failures                                                | 13-33 |
| Review Results                                                       | 13-35 |
| Simulink Design Verifier Report Generation                           | 13-35 |
| Create Analysis Reports                                              | 13-35 |
| Front Matter                                                         | 13-35 |
| Summary Chapter                                                      | 13-36 |
| Analysis Information Chapter                                         | 13-36 |
| Derived Ranges Chapter                                               | 13-40 |

| Objectives Status Chapters | 13-42 |
|----------------------------|-------|
| Model Items Chapter        | 13-50 |
| Design Errors Chapter      | 13-51 |
| Test Cases Chapter         | 13-52 |
| Properties Chapter         | 13-54 |
| View Log Files             | 13-56 |
| Review Analysis Results    | 13-57 |
| View Active Results        | 13-57 |
| Load Previous Results      | 13-57 |
| Explore Results            | 13-57 |

## **Analyzing Large Models and Improving Performance**

| Sources of Model Complexity                                                                                                                                                                                                              | 14-2                                                        |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------|
| Analyze a Large ModelTypes of Large Model ProblemsSummarize Model Hierarchy and CompatibilityUse the Default Parameter ValuesModify the Analysis ParametersStop the Analysis Before Completion                                           | 14-3<br>14-3<br>14-3<br>14-4<br>14-5<br>14-5                |
| Increase Allocated Memory for Analysis Report Generation                                                                                                                                                                                 | 14-7                                                        |
| Manage Model Data to Simplify the Analysis         Simplify Data Types         Constrain Data                                                                                                                                            | 14-8<br>14-8<br>14-8                                        |
| Partition Model Inputs for Incremental Test Generation                                                                                                                                                                                   | 14-11                                                       |
| Bottom-Up Approach to Model Analysis<br>Reuse of Analysis Results from Subsystems at the System level<br>Limitations                                                                                                                     | 14-13<br>14-13<br>14-14                                     |
| Extract Subsystems for AnalysisOverview of Subsystem Extractionsldvextract FunctionStructure of the Extracted ModelAnalyze Subsystems That Read from Global Data StorageAnalyze Function-Call SubsystemsAnalyze Global Simulink Function | 14-15<br>14-15<br>14-15<br>14-15<br>14-16<br>14-17<br>14-19 |
| Logical Operations                                                                                                                                                                                                                       | 14-21                                                       |
| Analyzing Models with Large Verification State Space                                                                                                                                                                                     | 14-22                                                       |
| Counters and Timers                                                                                                                                                                                                                      | 14-23                                                       |

| Prove Properties in Large Models                        | 14-24 |
|---------------------------------------------------------|-------|
| Find Property Violations While Designing Your Model     | 14-24 |
| Combine Proving Properties and Finding Proof Violations | 14-24 |

## **Simulink Design Verifier Configuration Parameters**

| Simulink Design Verifier Options                                        | 15-2  |
|-------------------------------------------------------------------------|-------|
| Options in Configuration Parameters Dialog Box                          | 15-2  |
| Design Verification Options Objects                                     | 15-2  |
| Command-Line Parameters for Design Verification Options                 | 15-2  |
|                                                                         | 15-2  |
| Design Verifier Pane                                                    | 15-9  |
| Design Verifier Pane Overview                                           | 15-10 |
| Mode                                                                    | 15-10 |
| Maximum analysis time                                                   | 15-11 |
| Output folder                                                           | 15-11 |
| Make output file names unique by adding a suffix                        | 15-12 |
| Check Model Compatibility                                               | 15-12 |
| Cireck Model Company (Drave Drave artice                                | 15-13 |
| Generate Tests/Detect Errors/Prove Properties                           |       |
| Rebuild model representation                                            | 15-13 |
| Automatic stubbing of unsupported blocks and functions                  | 15-13 |
| Support S-Functions in the analysis                                     | 15-14 |
| Use specified input minimum and maximum values                          | 15-15 |
| Run additional analysis to reduce instances of rational approximation . | 15-15 |
| Validate test cases or counterexamples with parallel computing          | 15-16 |
| Additional options for code analysis                                    | 15-17 |
| Ignore objectives based on filter                                       | 15-17 |
| Filter file(s)                                                          | 15-18 |
| Browse                                                                  | 15-18 |
|                                                                         |       |
| Design Verifier Pane: Block Replacements                                | 15-19 |
| Block Replacements Pane Overview                                        | 15-19 |
| Apply block replacements                                                | 15-19 |
| List of block replacement rules                                         | 15-20 |
| File path of the output model                                           | 15-20 |
|                                                                         | 10 10 |
| Design Verifier Pane: Parameters and Variants                           | 15-22 |
| Parameters Pane Overview                                                | 15-23 |
| Parameter configuration                                                 | 15-23 |
|                                                                         | 15-23 |
| Disable                                                                 | 15-23 |
| Clear                                                                   | 15-23 |
|                                                                         | 15-23 |
| Highlight in Model                                                      | 15-24 |
| Use                                                                     | -     |
| Name                                                                    | 15-24 |
| Constraint                                                              | 15-25 |
| Value                                                                   | 15-25 |
| Min                                                                     | 15-26 |
| Max                                                                     | 15-26 |
| Model Element                                                           | 15-26 |
| Find parameters                                                         | 15-27 |

| Import                                                                     | 15-27          |
|----------------------------------------------------------------------------|----------------|
| Export                                                                     | 15-27          |
| Parameter configuration file                                               | 15-27          |
| Browse                                                                     | 15-28          |
| Edit                                                                       | 15-28          |
| Analyze all Startup Variants                                               | 15-28          |
| Launch Variant Manager                                                     | 15-29          |
|                                                                            | 15 20          |
| Design Verifier Pane: Test Generation                                      | 15-30<br>15-31 |
| Test Generation Pane Overview                                              | 15-31          |
| Test generation target                                                     | 15-31          |
| Model coverage objectivesTest conditions                                   | 15-31          |
| Test objectives                                                            | 15-32          |
| Maximum test case steps                                                    | 15-33          |
| Test suite optimization                                                    | 15-34          |
| Include relational boundary objectives                                     | 15-35          |
| Floating point absolute tolerance                                          | 15-36          |
| Floating point relative tolerance                                          | 15-36          |
| Use strict propagation conditions                                          | 15-37          |
| Extend using existing coverage data                                        | 15-38          |
| Coverage data                                                              | 15-38          |
| Browse                                                                     | 15-39          |
| Extend using existing test data                                            | 15-39          |
| Test data                                                                  | 15-39          |
| Browse                                                                     | 15-40          |
| Separate objectives satisfied with the existing tests/coverage data in the |                |
| report                                                                     | 15-40          |
|                                                                            |                |
| Design Verifier Pane: Design Error Detection                               | 15-42          |
| Design Error Detection Pane Overview                                       | 15-43          |
| Dead logic (partial)                                                       | 15-43          |
| Run exhaustive analysis                                                    | 15-43          |
| Coverage objectives to be analyzed                                         | 15-44          |
| Out of bound array access                                                  | 15-45          |
| Data store access violations                                               | 15-45          |
| Division by zero                                                           | 15-46          |
| Integer overflow                                                           | 15-46          |
| Non-finite and NaN floating-point values                                   | 15-47          |
| Subnormal floating-point values                                            | 15-47          |
| Specified minimum and maximum value violations                             | 15-48          |
| Specified block input range violations                                     | 15-48          |
| Usage of rem and reciprocal operations - hisl_0002                         | 15-49          |
| Usage of Square Root operations - hisl_0003                                | 15-50          |
| Usage of log and log10 operations - hisl_0004                              | 15-50          |
| Usage of Reciprocal Square Roots blocks - hisl_0028                        | 15-51          |
| Design Verifier Pane: Property Proving                                     | 15-52          |
| Property Proving Pane Overview                                             | 15-52          |
| Assertion blocks                                                           | 15-52<br>15-52 |
| Proof assumptions                                                          | 15-53          |
| Strategy                                                                   | 15-53          |
| Maximum violation steps                                                    | 15-54          |
| · · · · · · · · · · · · · · · · · · ·                                      |                |
| Design Verifier Pane: Results                                              | 15-56          |
| Results Pane Overview                                                      | 15-56          |

| Data file nameInclude expected output valuesRandomize data that do not affect the outcomeGenerate separate harness model after analysisHarness model file nameReference input model in generated harnessHarness sourceTest File NameTest Harness Name | 15-57<br>15-57<br>15-58<br>15-59<br>15-59<br>15-60<br>15-61<br>15-61<br>15-62 |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| Design Verifier Pane: Report         Report Pane Overview         Generate report of the results         Generate additional report in PDF format         Report file name         Include screen shots of properties         Display report          | 15-63<br>15-63<br>15-63<br>15-64<br>15-64<br>15-65<br>15-65                   |

## Verification and Validation

| Test Model Against Requirements and Report Results              | 16-2  |
|-----------------------------------------------------------------|-------|
| Requirements – Test Traceability Overview                       | 16-2  |
| Display the Requirements                                        | 16-2  |
| Link Requirements to Tests                                      | 16-3  |
| Run the Test                                                    | 16-4  |
| Report the Results                                              | 16-5  |
| Analyze Models for Standards Compliance and Design Errors       | 16-7  |
| Standards and Analysis Overview                                 | 16-7  |
| Check Model for Style Guideline Violations and Design Errors    | 16-7  |
| Perform Functional Testing and Analyze Test Coverage            | 16-9  |
| Incrementally Increase Test Coverage Using Test Case Generation | 16-9  |
| Analyze Code and Test Software-in-the-Loop                      | 16-12 |
| Code Analysis and Testing Software-in-the-Loop Overview         | 16-12 |
| Analyze Code for Defects, Metrics, and MISRA C:2012             | 16-12 |
| Test Code Against Model Using Software-in-the-Loop Testing      | 16-17 |
| Out to Deal material to the test of MODO                        |       |
| Create Back-to-Back Tests Using Enhanced MCDC                   | 16-20 |

## Glossary

## Acknowledgments

The Simulink Design Verifier software uses Prover Plug-In $^{\mbox{\tiny \$}}$  product Prover $^{\mbox{\tiny \$}}$  PSL from Prover Technology to generate test cases and prove model properties.



## **Getting Started**

- "Simulink Design Verifier Product Description" on page 1-2
- "Simulink Design Verifier Block Library" on page 1-3
- "Analyze a Model" on page 1-4
- "Analyze a Stateflow Atomic Subchart" on page 1-17
- "Overview of the Simulink Design Verifier Workflow" on page 1-19

## **Simulink Design Verifier Product Description**

## Identify design errors, prove requirements compliance, and generate tests

Simulink Design Verifier uses formal methods to identify hidden design errors in models. It detects blocks in the model that result in integer overflow, dead logic, array access violations, and division by zero. It can formally verify that the design meets functional requirements. For each design error or requirements violation, it generates a simulation test case for debugging.

Simulink Design Verifier generates test cases for model coverage and custom objectives to extend existing requirements-based test cases. These test cases drive your model to satisfy condition, decision, modified condition/decision (MCDC), and custom coverage objectives. In addition to coverage objectives, you can specify custom test objectives to automatically generate requirements-based test cases.

Support for industry standards is available through IEC Certification Kit (for IEC 61508 and ISO 26262) and DO Qualification Kit (for DO-178).

## **Simulink Design Verifier Block Library**

To open the Simulink Design Verifier block library, at the MATLAB® command prompt, type sldvlib.



The Simulink Design Verifier block library has three categories of blocks:

- Objectives and Constraints Blocks that define custom objectives and constraints
- Temporal Operators Blocks that define temporal properties on Boolean signals
- Verification Utilities Miscellaneous verification utilities

The block library also has a sublibrary, Example Properties, that includes examples of how to specify common properties in your model. You can easily adapt these examples for use in your models.

## Analyze a Model

| In this section                   |  |
|-----------------------------------|--|
| "About This Example" on page 1-4  |  |
| "Open the Model" on page 1-4      |  |
| "Generate Test Cases" on page 1-5 |  |
| "Combine Test Cases" on page 1-15 |  |

## **About This Example**

The following sections describe an example model, Cruise Control Test Generation. This example illustrates how to use Simulink Design Verifier to generate test cases that achieve complete model coverage. Through this example, you learn how to analyze models with Simulink Design Verifier and interpret the results.

## **Open the Model**

To open the Cruise Control Test Generation model, at the MATLAB prompt, enter:

sldvdemo\_cruise\_control



## **Generate Test Cases**

- "Run Analysis" on page 1-5
- "Generate Analysis Results" on page 1-6
- "Highlight Analysis Results on Model" on page 1-7
- "Detailed analysis report: (HTML) (PDF)" on page 1-8
- "Create Harness Model" on page 1-12
- "Simulate Tests and Produce Model Coverage Report" on page 1-15

### **Run Analysis**

To generate test cases for the Cruise Control Test Generation model, click on Generate Tests.

Simulink Design Verifier begins analyzing the model to generate test cases, and the Simulink Design Verifier Results Summary window opens. The Results Summary window displays a running log showing the progress of the analysis.

| 🚹 Simulink Design Verifie                                                                                                                                   | er Results Summary: sldvdemo_cruise_con                    | . × |  |  |  |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|-----|--|--|--|
|                                                                                                                                                             |                                                            |     |  |  |  |
| Progress                                                                                                                                                    |                                                            |     |  |  |  |
| Objectives processed                                                                                                                                        | 22/32                                                      |     |  |  |  |
| Satisfied                                                                                                                                                   | 22                                                         |     |  |  |  |
| Unsatisfiable                                                                                                                                               | 0                                                          |     |  |  |  |
| Elapsed time                                                                                                                                                | 0:13                                                       |     |  |  |  |
|                                                                                                                                                             |                                                            |     |  |  |  |
|                                                                                                                                                             |                                                            | ^   |  |  |  |
| 13-Jul-2017 17:11:10<br>Checking compatibility for test generation: model<br>'sldvdemo_cruise_control'<br>Compiling modeldone<br>Checking compatibilitydone |                                                            |     |  |  |  |
| 13-Jul-2017 17:11:11<br>'sldvdemo_cruise_cont<br>with Simulink Design V                                                                                     | rol' is <b>compatible</b> for test generation<br>/erifier. |     |  |  |  |
| Generating tests using 17:11:11                                                                                                                             | compatibility results from 13-Jul-2017                     |     |  |  |  |
| SATISFIED                                                                                                                                                   |                                                            | ~   |  |  |  |
|                                                                                                                                                             | Disable Highlighting Stop                                  | )   |  |  |  |

If you need to terminate an analysis while it is running, click **Stop**. The software asks if you want to produce results. If you click **Yes**, the software creates a data file based on the results achieved so far. The path name of the data file appears in the Results Summary window.

The data file is a MAT-file that contains a structure named sldvData. This structure stores the data that the software gathers and produces during the analysis.

For more information, see "Manage Simulink Design Verifier Data Files" on page 13-7.

### **Generate Analysis Results**

When Simulink Design Verifier completes its analysis of the sldvdemo\_cruise\_control model, the Results Summary window displays several options. Some of them are:

- Highlight analysis results on model
- Detailed analysis report: (HTML) (PDF)
- Create harness model
- Simulate tests and produce a model coverage report
- Save test cases/counterexamples to spreadsheet

**Note** When you analyze other models, depending on the results of the analysis, you may see a subset of options.

| 🖥 Simulink Design V                          | /erifier Results Summary: sldvdemo_cruise_control | $\times$ |
|----------------------------------------------|---------------------------------------------------|----------|
|                                              |                                                   | ^        |
| Progress                                     |                                                   |          |
| Objectives<br>processed                      | 32/32                                             |          |
| Satisfied                                    | 32                                                |          |
| Unsatisfiable                                | 0                                                 |          |
| Elapsed time                                 | 1:47                                              | ~        |
|                                              |                                                   |          |
| Test generation of 32/32 objectives Results: | ompleted normally.<br>satisfied.                  |          |
|                                              |                                                   |          |
| Open filter vi                               |                                                   |          |
|                                              | Ilysis results on model                           |          |
|                                              | Simulation Data Inspector                         |          |
| Create harne                                 | lysis report: ( <u>HTML</u> ) ( <u>PDF</u> )      |          |
|                                              | ses/counterexamples to spreadsheet                |          |
|                                              | ases to Simulink Test                             |          |
|                                              | ts and produce a model coverage report            |          |
|                                              | dvdemo_cruise_control_sldvdata.mat                |          |
| \                                            | <pre>control cruise_control cruise_control</pre>  |          |
|                                              |                                                   | × *      |
|                                              |                                                   |          |

The sections that follow describe these options in detail.

#### **Highlight Analysis Results on Model**

In the Simulink Design Verifier Results Summary window, if you click **Highlight analysis results on model**, the software highlights objects in the model in three different colors, depending on the analysis results:

- "Green: Objectives Satisfied" on page 1-8
- "Orange: Objectives Undecided" on page 1-8
- "Red: Objectives Unsatisfiable" on page 1-8

When you highlight the analysis results on a model, the Simulink Design Verifier Results Inspector opens. When you click an object in the model that has analysis results, the Results Inspector displays the results summary for that object.

#### **Green: Objectives Satisfied**

Green outline indicates that the analysis generated test cases for all the objectives for that block. If the block is a subsystem or Stateflow<sup>®</sup> atomic subchart, the green outline indicates that the analysis generated test cases for all objectives associated with the child objects.

For example, in the sldvdemo\_cruise\_control model, the green outline shows that the PI controller subsystem satisfied all test objectives. The Results Inspector lists the two satisfied test objectives for the PI controller subsystem.



| Results: sldvdemo_cruise_c            | ontrol      |                         |                |  | $\times$ |
|---------------------------------------|-------------|-------------------------|----------------|--|----------|
| $\Leftrightarrow \Rightarrow \oslash$ |             |                         |                |  | - 9      |
| Back to summary                       |             |                         |                |  |          |
| sldvdemo_cruise_control/Co            | ntroller/PI | Controller              |                |  |          |
| Decision Objectives                   |             |                         |                |  |          |
| Enable control activated true         | Satisfied   | - <u>View test case</u> | Inspect        |  |          |
| Enable control activated <b>false</b> | Satisfied   | - <u>View test case</u> | <u>Inspect</u> |  |          |
|                                       |             |                         |                |  |          |
|                                       |             |                         |                |  |          |

#### **Orange: Objectives Undecided**

Orange outline indicates that the analysis was not able to determine if an objective was satisfiable or not. This situation might occur when:

- The analysis times out
- The software satisfies test objectives without generating test cases due to:
  - Automatic stubbing errors
  - Limitations of the analysis engine

#### **Red: Objectives Unsatisfiable**

Red outline indicates that the analysis found some objectives for which it could not generate test cases, most likely due to unreachable design elements in your model.

In the following example, input 2 always satisfies the criterion for the Switch block, so the Switch block never passes through the value of input 3.

#### Detailed analysis report: (HTML) (PDF)

In the Simulink Design Verifier Results Summary window, if you click **HTML**on **Detailed analysis report: (HTML) (PDF)**, the software saves and then opens a detailed report of the analysis. The path to the report is:

<current\_folder>/sldv\_output/...
sldvdemo\_cruise\_control/sldvdemo\_cruise\_control\_report.html

The HTML report includes the following chapters.

## **Table of Contents**

- 1. Summary
- 2. Analysis Information
- 3. Test Objectives Status
- 4. Model Items
- 5. Test Cases

For a description of each report chapter, see:

- "Summary" on page 1-9
- "Analysis Information" on page 1-10
- "Test Objectives Status" on page 1-10
- "Model Items" on page 1-11
- "Test Cases" on page 1-11

#### Summary

In the **Table of Contents**, click **Summary** to display the Summary chapter, which includes the following information under **Analysis Information** subsection:

- Name of the model
- Release and Checksum information
- Mode of the analysis (test generation, property proving, design error detection)
- Status of the analysis
- Length of the analysis in seconds

The **Objective Status** sub-section under **Summary** shows number of objectives satisfied.

#### **Analysis Information**

| Model:                 | sldvdemo_cruise_control                   |
|------------------------|-------------------------------------------|
| Release:               | R2022b Prerelease                         |
| Checksum:              | 3016843220 2232669898 18135123 2081307571 |
| Mode:                  | Test generation                           |
| Model Representation:  | Built on 25-Jun-2022 22:19:16             |
| Test Generation Target | : Model                                   |
| Status:                | Completed normally                        |
| PreProcessing Time:    | 106s                                      |
| Analysis Time:         | 108s                                      |
|                        |                                           |

#### **Objectives Status**

| Number of Objectives: | 32 |        |
|-----------------------|----|--------|
| Objectives Satisfied: | 32 | (100%) |

#### **Analysis Information**

In the **Table of Contents**, click **Analysis Information** to display information about the analyzed model and the analysis options. You can click on any of these options to know more about the model analysis.

#### **Chapter 2. Analysis Information**

#### Table of Contents

2.1. Model Information 2.2. Analysis Options 2.3. User Artifacts 2.4. Constraints

#### **Test Objectives Status**

In the **Table of Contents**, click **Test Objectives Status** to display a table of satisfied objectives. The following figure shows a partial list of the objectives satisfied in the Cruise Control Test Generation model.

| #   | Туре      | Model Item                   | Description                                                       | Analysis Time<br>(sec) | Test Case |
|-----|-----------|------------------------------|-------------------------------------------------------------------|------------------------|-----------|
| 1   | Decision  | Controller/Switch3           | logical trigger input false (output is from 3rd input port)       | 38                     | 1         |
| 2   | Decision  | Controller/Switch3           | logical trigger input true (output is from 1st input port)        | 38                     | 1         |
| 3   | Decision  | Controller/Switch2           | logical trigger input false (output is from 3rd input port)       | 38                     | 1         |
| ł – | Decision  | Controller/Switch2           | logical trigger input true (output is from 1st input port)        | 38                     | 1         |
| ;   | Decision  | Controller/Switch1           | logical trigger input false (output is from 3rd input port)       | 38                     | 1         |
|     | Decision  | Controller/Switch1           | logical trigger input true (output is from 1st input port)        | 38                     | 1         |
|     | Condition | Controller/Logical Operator1 | Logic: input port 1 true                                          | 38                     | 1         |
|     | Condition | Controller/Logical Operator1 | Logic: input port 1 false                                         | 38                     | 1         |
|     | Condition | Controller/Logical Operator2 | Logic: input port 1 true                                          | 38                     | 1         |
| 0   | Condition | Controller/Logical Operator2 | Logic: input port 1 false                                         | 38                     | 1         |
| 1   | Condition | Controller/Logical Operator2 | Logic: input port 2 true                                          | 101                    | 2         |
| 2   | Condition | Controller/Logical Operator2 | Logic: input port 2 false                                         | 38                     | 1         |
| 3   | Condition | Controller/Logical Operator  | Logic: input port 1 true 3.1. Objectives Satisfi                  | ed                     | 1         |
| 4   | Condition | Controller/Logical Operator  | Logic: input port 1 false                                         | 38                     | 1         |
| 5   | Condition | Controller/Logical Operator  | Logic: input port 2 true                                          | 38                     | 1         |
| 6   | Condition | Controller/Logical Operator  | Logic: input port 2 false                                         | 38                     | 1         |
| 7   | Condition | Controller/Logical Operator  | Logic: input port 3 true                                          | 38                     | 1         |
| 8   | Condition | Controller/Logical Operator  | Logic: input port 3 false                                         | 38                     | 1         |
| 9   | MCDC      | Controller/Logical Operator  | (C1 && ~C2) && (C3    C4) with C1 (Logical Operator In1)<br>true  |                        | 1         |
| 20  | MCDC      | Controller/Logical Operator  | (C1 && ~C2) && (C3    C4) with C1 (Logical Operator In1)<br>false | 38                     | 1         |

#### **Objectives Status**

The **Objectives Satisfied** table lists the following information for the model:

- **#** Objective number
- **Type** Objective type
- **Model Item** Element in the model for which the objective was tested. Click this link to display the model with this element highlighted.
- **Description** Description of the objective
- **Test Case** Test case that achieves the objective. Click this link for more information about that test case.

In the row for objective 32, click the test case number (5) to display more information about Test Case 5 in the report's **Test Cases** chapter.

#### Summary

Length: 0.06 second (7 sample periods) Objectives Satisfied: 1

#### Objectives

| Step | Time | Model Item                                        | Objectives                                           |
|------|------|---------------------------------------------------|------------------------------------------------------|
| 7    | 0.06 | Controller/PI Controller/Discrete-Time Integrator | <u>31. integration result &gt;= upper limit true</u> |

#### Generated Input Data

| Time   | 0  | 0.01-0.05 | 0.06 |
|--------|----|-----------|------|
| Step   | 1  | 2-6       | 7    |
| enable | 1  | 1         | 1    |
| brake  | 0  | 0         | 0    |
| set    | 1  | 0         | 1    |
| inc    | 1  | 1         | -    |
| dec    | 0  | 0         | -    |
| speed  | 97 | 0         | 0    |

#### Test Case 5

In this example, Test Case 5 satisfies one objective, that the integration result be greater than or equal to the upper limit T in the Discrete-Time Integrator block. The table lists the values of the six signals from time 0 through time 0.06.

#### Model Items

In the **Table of Contents**, click **Model Items** to see detailed information about each item in the model that defines coverage objectives. This table includes the status of the objective at the end of the analysis. Click the links in the table for detailed information about the satisfied objectives.

| View |          |                         |                                                             |           |           |
|------|----------|-------------------------|-------------------------------------------------------------|-----------|-----------|
| #:   | Туре     |                         | Description                                                 | Status    | Test Case |
| 1    | Decision | 4.1. Controller/Switch3 | logical trigger input false (output is from 3rd input port) | Satisfied | <u>1</u>  |
| 2    | Decision |                         | logical trigger input true (output is from 1st input port)  | Satisfied | <u>1</u>  |

#### Model Items - Controller/Switch3

| Ī | #: | Туре | Description                                                 | Status    | Test Case |
|---|----|------|-------------------------------------------------------------|-----------|-----------|
|   | 3  |      | logical trigger input false (output is from 3rd input port) | Satisfied | 1         |
|   | 4  |      | logical trigger input true (output is from 1st input port)  | Satisfied | 1         |

#### Model Items - Controller/Switch2

#### Test Cases

Minu

In the **Table of Contents**, click **Test Cases** to display detailed information about each generated test case, including:

- Length of time to execute the test case
- Number of objectives satisfied
- Detailed information about the satisfied objectives

• Input data

For an example, see the section for Test Case 5 in "Test Objectives Status" on page 1-10.

### Create Harness Model

In the Simulink Design Verifier Results Summary window, if you click **Create harness model**, the software creates and opens a harness model named sldvdemo\_cruise\_control\_harness.



The harness model contains the following blocks:

• The Test Case Explanation block is a DocBlock block that documents the generated test cases. Double-click the Test Case Explanation block to view a description of each test case for the objectives that the test case satisfies.

```
tp7469ce30_944a_4887_840e_c8d2d392a9ee.txt 🗶 +
19. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C1 (Logical Operator In1) false @ T=0.03
22
23
           20. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C2 (Logical Operator1 In1) true @ T=0.04
24
           21. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C2 (Logical Operator1 In1) false @ T=0.05
           22. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C3 (Logical Operator2 In1) true @ T=0.04
23. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C3 (Logical Operator2 In1) false @ T=0.01
25
26
           24. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C4 (Logical Operator2 In2) false @ T=0.01
27
28
           25. Controller/PI Controller - Enable control activated true @ T=0.04
29
           26. Controller/PI Controller - Enable control activated false @ T=0.00
           27. Controller/PI Controller/Discrete-Time Integrator - integration result <= lower limit false @ T=0.04
30
31
           28. Controller/PI Controller/Discrete-Time Integrator - integration result >= upper limit false @ T=0.04
32
33
      Test Case 2 (1 Objectives)
34
           Parameter values:
35
36
           1. Controller/Logical Operator2 - Logic: input port 2 true @ T=0.01
37
38
      Test Case 3 (1 Objectives)
39
           Parameter values:
40
41
           1. Controller/Logical Operator - (C1 && ~C2) && (C3 || C4) with C4 (Logical Operator2 In2) true @ T=0.01
42
43
      Test Case 4 (1 Objectives)
44
           Parameter values:
45
46
           1. Controller/PI Controller/Discrete-Time Integrator - integration result <= lower limit true @ T=0.06
47
48
      Test Case 5 (1 Objectives)
49
           Parameter values:
50
           1. Controller/PI Controller/Discrete-Time Integrator - integration result >= upper limit true @ T=0.06
51
```

• The Test Unit block is a Subsystem block that contains a copy of the original model that the software analyzed. Double-click the Test Unit block to view its contents and confirm that it is a copy of the Cruise Control Test Generation model.

**Note** You can configure the harness model to reference the model that you are analyzing using a Model block instead of using a subsystem. In the Configuration Parameters dialog box, on the **Design Verifier > Results** pane, select **Generate separate harness model after analysis** and **Reference input model in generated harness**.

- The Inputs block is a Signal Builder block that contains the generated test case signals. Doubleclick the Inputs block to open the Signal Builder dialog box and view the eight test case signals.
- The Size-Type block is a subsystem that transmits signals from the Inputs block to the Test Unit block. This block verifies that the size and data type of the signals are consistent with the Test Unit block.

The Signal Builder dialog box contains eight test cases.

1 To view Test Case 5, from the Active Group list, select Test Case 5.

In Test Case 7 at 0.01 seconds:

- The enable and inc signals remain 1.
- The brake and dec signals remain 0.
- The set signal transitions from 1 to 0.
- The speed signal transitions from 100 to 0.



In the Signal Builder block, the signal group satisfies the test objectives described in the Test Case Explanation block.

2 To confirm that Simulink Design Verifier achieved complete model coverage, simulate the harness model using all the test cases. In the Signal Builder dialog box, click the **Run all and** 

### produce coverage button

The Simulink software simulates all the test cases. The Simulink Coverage™ software collects coverage data for the harness model and displays a coverage report. The report summary shows that the sldvdemo\_cruise\_control\_harness model achieves 100% coverage.

#### Model Hierarchy/Complexity:



#### Summary

#### Simulate Tests and Produce Model Coverage Report

In the Simulink Design Verifier Results Summary window, if you click **Simulate tests and produce a model coverage report**, the software simulates the model and produces a coverage report for the sldvdemo\_cruise\_control model. The software stores the report with the following name:

```
<current_folder>/sldv_output/sldvdemo_cruise_control/...
sldvdemo_cruise_control_report.html
```

When you click **Run all and produce coverage** to simulate tests in the harness model, you may see the following differences between this coverage report and the report you generated for the model itself:

- The harness model coverage report might contain additional time steps. When you collect coverage for the harness model, the model stop time equals the stop time for the longest test case. As a result, you might achieve additional coverage when you simulate the shorter test cases.
- The cyclomatic complexity coverage for the Test Unit subsystem in the harness model might be different than the coverage for the model itself due to the structure of the harness model.

# **Combine Test Cases**

If you prefer to review results that are combined into a smaller number of test cases, set the **Test** suite optimization parameter to LongTestcases. When you use the LongTestcases optimization, the analysis generates fewer, but longer, test cases that each satisfy multiple test objectives.

Open the sldvdemo\_cruise\_control model and rerun the analysis with the LongTestcases optimization:

- 1 On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.
- 2 In the Configuration Parameters dialog box, in the **Select** tree on the left side, under the **Design Verifier** category, select **Test Generation**.
- 3 Set the Test suite optimization parameter to LongTestcases.
- 4 Click Apply and OK to close the Configuration Parameters dialog box.
- 5 In the sldvdemo\_cruise\_control model, double-click the block labeled Run.
- 6 In the Results Summary window, click Create harness model.

In the harness model, the Signal Builder block and the Test Case Explanation block now contain one longer test case instead of the eight shorter test cases created earlier in "Generate Test Cases" on page 1-5.

|      | Editor - S:\sca_sldv\sldvdemo_cruise_control_harness_testcase_long.txt                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|      | EDITOR VEW Cose/clear all 🛃 🔚 🔏 🗇 😪 🖻 😢 🛇 🗖                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|      | The second seco |
|      | 🔁 Compare 🔻 Comment % 👷 🖓 🖒 Go To 👻                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Nev  | w Open Save Breakpoints<br>→ → □ Print → Indent □ ↓ □ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|      | FILE EDIT NAVIGATE BREAKPOINTS                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| िहात | dvdemo_cruise_control_harness_testc ×                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 1    | Test Case 1 (34 Objectives)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 2    | Parameter values:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 3    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 4    | 1. Controller/Switch3 - logical trigger input false (output is from 3rd input port) @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 5    | 2. Controller/Switch3 - logical trigger input true (output is from 1st input port) @ T=0.02                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 6    | 3. Controller/Switch2 - logical trigger input false (output is from 3rd input port) @ T=0.03                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 7    | 4. Controller/Switch2 - logical trigger input true (output is from 1st input port) @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 8    | 5. Controller/Switch1 - logical trigger input false (output is from 3rd input port) @ T=0.04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 9    | 6. Controller/Switch1 - logical trigger input true (output is from 1st input port) @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 10   | 7. Controller/Logical Operator1 - Logic: input port 1 T @ T=0.02                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 11   | 8. Controller/Logical Operator1 - Logic: input port 1 F @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 12   | 9. Controller/Logical Operator2 - Logic: input port 1 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 13   | 10. Controller/Logical Operator2 - Logic: input port 1 F @ T=0.04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 14   | 11. Controller/Logical Operator2 - Logic: input port 2 T @ T=0.07<br>12. Controller/Logical Operator2 - Logic: input port 2 F @ T=0.04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| 16   | 12. Controller/Logical Operator2 - Logic: MCDC expression for output with input port 1 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 17   | 14. Controller/Logical Operator2 - Logic: MCDC expression for output with input port 2 T @ T=0.07                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 18   | 15. Controller/Logical Operator2 - Logic MCDC expression for output with input port 1 F @ T=0.04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 19   | 16. Controller/Logical Operator2 - Logic: MCDC expression for output with input port 2 F @ T=0.04                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| 20   | 17. Controller/Logical Operator - Logic: input port 1 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 21   | 18. Controller/Logical Operator - Logic: input port 1 F @ T=0.01                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 22   | 19. Controller/Logical Operator - Logic: input port 2 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 23   | 20. Controller/Logical Operator - Logic: input port 2 F @ T=0.02                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 24   | 21. Controller/Logical Operator - Logic: input port 3 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 25   | 22. Controller/Logical Operator - Logic: input port 3 F @ T=0.05                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 26   | 23. Controller/Logical Operator - Logic: MCDC expression for output with input port 1 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 27   | 24. Controller/Logical Operator - Logic: MCDC expression for output with input port 2 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 28   | 25. Controller/Logical Operator - Logic: MCDC expression for output with input port 3 T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 29   | 26. Controller/Logical Operator - Logic: MCDC expression for output with input port 1 F @ T=0.01                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 30   | 27. Controller/Logical Operator - Logic: MCDC expression for output with input port 2 F @ T=0.02                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 31   | 28. Controller/Logical Operator - Logic: MCDC expression for output with input port 3 F @ T=0.05<br>29. Controller/PI Controller - enable logical value F @ T=0.01                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| 32   | 29. Controller/PI Controller - enable logical value F @ 1=0.01<br>30. Controller/PI Controller - enable logical value T @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| 34   | 30. Controller/PI Controller/Discrete-Time Integrator - integration result <= lower limit F @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 35   | 32. Controller/PI Controller/Discrete-Time Integrator - Integration result <= lower limit r @ 1-0.00<br>32. Controller/PI Controller/Discrete-Time Integrator - integration result <= lower limit T @ T=0.14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| 36   | 33. Controller/PI Controller/Discrete-Time Integrator - integration result >= upper limit F @ T=0.00                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| 37   | 34. Controller/PI Controller/Discrete-Time Integrator - integration result >= upper limit T @ T=0.26                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
|      | plain text file   Ln 1 Col 1   OVR ,;                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |

#### 7 Click **Run all and produce coverage** to collect coverage.

The analysis still satisfies all 34 objectives.

# **Analyze a Stateflow Atomic Subchart**

In a Stateflow chart, an atomic subchart is a graphical object that allows you to reuse the same state or subchart across multiple charts and models. You can use Simulink Design Verifier to analyze atomic subcharts individually. You do not have to analyze the chart that contains the atomic subchart, or the model that contains the chart.

If you are having problems analyzing a large model, analyzing an atomic subchart in a controlled environment is helpful. As described in "Bottom-Up Approach to Model Analysis" on page 14-13, by analyzing atomic subcharts or other components in the model hierarchy individually, you can analyze a model to:

- Solve problems that slow down or prevent test generation, property proving, or design error detection.
- Analyze model components that are unreachable in the context of the container model or chart.

**Note** For more information about atomic subcharts, see "Create Reusable Subcomponents by Using Atomic Subcharts" (Stateflow).

# Analyze an Atomic Subchart by Using Simulink Design Verifier

The sf\_atomic\_sensor\_pair example model models a redundant sensor pair using atomic subcharts. This example analyzes the Sensor1 subchart in the RedundantSensors chart.

1 Open the sf\_atomic\_sensor\_pair example model:

sf\_atomic\_sensor\_pair

This model demonstrates how to model a simple redundant sensor pair using atomic subcharts.

2 Double-click the RedundantSensors chart to open it.



This Stateflow chart has two atomic subcharts:

- Sensor1
- Sensor2
- **3** To analyze the Sensor1 subchart using Simulink Design Verifier, right-click the subchart and select **Design Verifier > Generate Tests for Subchart**.

During the analysis, the software creates a Simulink model named Sensor1 that contains the Sensor1 subchart. The new model contains Inport and Outport blocks that respectively correspond to the data objects u and y in the subchart.



The software saves the new model and other files generated by the analysis in:

<current\_folder>/sldv\_output/Sensor1

- 4 When the analysis is complete, view the analysis results for the Sensor1 subchart by clicking one of the following options:
  - Highlight analysis results on model
  - Generate detailed analysis report
  - Create harness model
  - Simulate tests and produce a model coverage report

# **Overview of the Simulink Design Verifier Workflow**

Before you analyze a model for design error detection, test case generation, and property proving, you must complete a few as shown in this diagram:



The following sections provide a brief overview of the Simulink Design Verifier workflow and include with links to related documentation in Simulink Design Verifier.

# **Check Model Compatibility**

Before Simulink Design Verifier analyzes a model, the software checks whether the model is compatible for analysis. For more information on model compatibility, see "Check Model Compatibility" on page 3-2. The software runs a compatibility check on your model, and then creates a model representation. The model representation includes the model artifacts that you can use during analysis. The compatibility check tells you if your model is fully compatible, partially compatible, or not compatible.

Simulink supports a broad range of and software capabilities in your models but there are some capabilities that Simulink Design Verifier does not support. For more information, see "Supported and Unsupported Simulink Blocks in Simulink Design Verifier" on page 3-7 and "Support Limitations for Simulink Software Features" on page 3-16.

# Apply Block Replacement Rules

If you want to work around the compatibility limitations in your model or customize model elements for analysis, you can use the Simulink Design Verifier block replacement rules. For more information,

see "What Is Block Replacement?" on page 4-2 and "Block Replacements for Unsupported Blocks" on page 4-7.

If you want to generate additional values for parameters in your model during analysis, use Simulink Design Verifier parameter configurations. See "Parameter Configuration for Analysis" on page 5-2 for more information.

## Set Simulink Design Verifier Options

You can set the Simulink Design Verifier analysis options in the Configuration Parameters dialog box. Alternatively, you can use the *sldvoptions* function to specify the Simulink Design Verifier options at the command line. For more information, see "Simulink Design Verifier Options" on page 15-2.

## **Perform Analysis on Model**

You can analyze your model for:

- Design Error Detection: Detect design errors that can occur at run time. For more information, see "Analyze Models for Design Errors" on page 6-4.
- Test Case Generation: Generate test cases that achieve model coverage. For more information, see "Workflow for Test Case Generation" on page 7-5
- Property Proving Analysis: Prove properties and identify property violations. For more information, see "Workflow for Proving Model Properties" on page 12-4.

If you plan to generate test cases or prove properties in your model, first run design error detection for integer overflow and division by zero. Refer to these topics for more information:

- "What Is Design Error Detection?" on page 6-2
- "Detect Integer Overflow and Division-by-Zero Errors" on page 6-19
- "Debug Integer Overflow Design Error Detection Using Model Slicer" on page 6-68

## **Generate Analysis Results**

Once Simulink Design Verifier finishes analyzing the model, it displays the analysis highlights and the results options in the Results Summary window. For more information, see "Generate Analysis Results" on page 1-6.

## **Interpret Analysis Results**

You can the review analysis results and generate analysis reports in the HTML, DOCX, or PDF format. For more information, see "Review Analysis Results"

## See Also

## **More About**

- Systematic Model Verification using Simulink Design Verifier
- "Analyze a Model" on page 1-4

# How the Simulink Design Verifier Software Works

- "Analyze a Simple Model" on page 2-2
- "Model Blocks" on page 2-4
- "Block Reduction" on page 2-5
- "Large Models" on page 2-6
- "Handle Incompatibilities with Automatic Stubbing" on page 2-7
- "Analyze Export-Function Models" on page 2-12
- "Analyze Export-Function Model with Function-Call Subsystems" on page 2-13
- "Analyze Export-Function Model with Global Simulink Function" on page 2-16
- "Nonfinite Data" on page 2-19
- "Role of Approximations During Model Analysis" on page 2-20
- "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23
- "Logic Operations Short-Circuiting" on page 2-26
- "Model Representation for Analysis" on page 2-28
- "Share Simulink Cache File for Faster Analysis" on page 2-31
- "Analyze AUTOSAR Component Models" on page 2-33
- "Extend Existing Test Cases by Reusing Model Representation" on page 2-35
- "Configure Model Representation Options" on page 2-39
- "Run Additional Analysis to Reduce Instances of Rational Approximation" on page 2-42
- "Detect Design Errors in AUTOSAR Software Component Model" on page 2-47

# Analyze a Simple Model



This simple model includes two Logical Operator blocks and a Memory block. The persistent information in this model is limited to the Boolean value of the Memory block. The input to the model is a single Boolean value. The following table describes the complete behavior of the model, including the behavior that results from an arbitrarily long sequence of inputs.

| # | Input | Memory Value | Output of XOR Block =<br>Next Memory Value | Output of AND Block |
|---|-------|--------------|--------------------------------------------|---------------------|
| 1 | false | false        | false                                      | false               |
| 2 | true  | false        | true                                       | false               |
| 3 | false | true         | true                                       | false               |
| 4 | true  | true         | false                                      | true                |

The test objective is to generate test cases that result in a true output. A true output results when the input is true, and the output of the Memory block is true. Test case generation follows a path to reach this condition, which depends on the initial model conditions:

- If the initial memory value is true, the test case is a single time step where the input is true.
- If the initial memory value is false, the test case is two time steps:
  - 1 The input value is true and the memory value is false (row 2). Thus, the output of the XOR block is true, making the memory value true.
  - 2 Now that the input value and memory value are both true (row 4), the output is true, and the analysis achieves the test objective.

An infinite number of test cases can cause the output to be true, and regardless of the state value, the output can be held false for an arbitrary time before making it true. When Simulink Design Verifier searches, it returns the first test case it encounters that satisfies the objective. This case is invariably the simulation with the fewest time steps. Sometimes you may find this result undesirable because it is unrealistic or does not satisfy some other test requirement.

The same basic principles from this example apply to property proving and test case generation. During test case generation, option parameters explicitly specify the search criteria. For example, you can specify that Simulink Design Verifier find paths for all block outputs or find only those paths that cause the block output to be true.

During a property proving analysis, you specify a functional requirement, or property, that you want Simulink Design Verifier to prove, for example, that the output is always true. If the search completes without finding a path that violates the property, the property is proven. If the software finds a path where the output is false, it creates a counterexample that causes the output to be false.

During an error detection analysis, Simulink Design Verifier identifies objectives where data overflow or division-by-zero errors can and cannot occur. The analysis creates test cases that demonstrate how the errors can occur.

# **Model Blocks**

If your model contains Model blocks that reference external models, test creation occurs for the toplevel model, considering each referenced model in its execution context.

If multiple Model blocks reference the same model, generated tests attempt to satisfy test objectives for each instance of the referenced model in its individual context in the top-level model. If you have three Model blocks that reference a certain model, the analysis produces results for all three instances.

If you collect coverage using the generated test cases, the cumulative coverage reflects the multiple instances of the same referenced model. The simulation produces one set of coverage results for each referenced model; if you have three Model blocks that reference a certain model, the simulation produces one set of results for that referenced model.

For example, consider a top-level model with three Model blocks referencing the same model. The referenced model has three test objectives. Analyzing the top-level model produces nine test objectives. If you simulate the model with the nine test cases, the coverage results for that referenced model specify three test objectives.

# **Block Reduction**

Block reduction achieves faster execution during model simulation and in generated code. When block reduction is enabled, certain block groups can be collapsed into a single block, or even removed entirely.

With Simulink Design Verifier, block reduction happens automatically, and blocks in unused code paths are eliminated from the model. Simulink Design Verifier results do not include test objectives for blocks that have been reduced.

Consider the Switch block in the following model.



For this Switch block, the control input is always 0. If the **Criteria for passing first input** block parameter is  $u_2 \sim = 0$ , the Switch block always passes the third input through to the output port. When you analyze this model, Simulink Design Verifier removes the Switch block from the model and does not report any test objectives for the Switch block.

For more information about block reduction, see the description of the "Block reduction" parameter.

# **Large Models**

In larger, more complicated models, Simulink Design Verifier uses mathematical techniques to simplify the analysis:

- It identifies portions of the model that do not affect the desired objectives.
- It discovers relationships within the model that reduce the complexity of the search.
- It reuses intermediate results from one objective to another.

In this way, the problem is reduced to a search though the logical values that describe your model.

For detailed information about analyzing large models, see "Analyze a Large Model" on page 14-3.

# Handle Incompatibilities with Automatic Stubbing

In this section... "What Is Automatic Stubbing?" on page 2-7 "How Automatic Stubbing Works" on page 2-7 "Analyze a Model Using Automatic Stubbing" on page 2-9

# What Is Automatic Stubbing?

Automatic stubbing lets you analyze a model that contains objects that Simulink Design Verifier does not support.

When you enable the automatic stubbing option (it is enabled by default), the software considers only the interface of the unsupported objects, not their actual behavior. This technique allows the software to complete the analysis. However, the analysis may achieve only partial results if any unsupported model element affects the simulation outcome.

# **How Automatic Stubbing Works**

If you enable automatic stubbing, when the Simulink Design Verifier analysis comes to an unsupported block, the software "stubs" that block. The analysis ignores the behavior of the block, and as a result, the block output can take any value.

#### **Stub Trigonometric Function Block**

Simulink Design Verifier does not support Trigonometric Function blocks when the **Function** parameter is set to **acos**, such as the one in the following graphic.



When stubbing this block during analysis, out\_signal can take any value, with the following results.

| Analysis Model         | Result of Stubbing out_signal                                                                                                                                                                                                   |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Design error detection | • If a design-error objective that depends on out_signal is proven valid, that objective is valid for all simulations. In this case, the stubbing did not affect the results of the analysis.                                   |
|                        | • If a design-error objective that depends on out_signal is falsified, the analysis cannot create a test case. The analysis cannot determine which input to the stubbed block produces the output that falsifies the objective. |

| Analysis Model       | Result of Stubbing out_signal                                                                                                                                                                                                        |
|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Test case generation | • If a test objective that depends on the value of out_signal is satisfied, the analysis cannot create a test case. The analysis cannot determine which input to the stubbed block produces the output that satisfies the objective. |
|                      | • If a test objective that depends on the value of out_signal is unsatisfiable, there is no simulation that can satisfy that objective. In this case, the stubbing did not affect the results of the analysis.                       |
| Property proving     | • If a proof objective that depends on out_signal is proven valid, that objective is valid for all simulations. In this case, the stubbing did not affect the results of the analysis.                                               |
|                      | • If a proof objective that depends on <b>out_signal</b> is falsified, the analysis cannot create a counterexample. The analysis cannot determine which input to the stubbed block produces the output that falsifies the objective. |

#### Stub S-Function Block Containing Function-Call Triggers

The Simulink example model sfcndemo\_sfun\_fcncall has an S-Function block. The S-function sfun\_fcncall triggers the execution of the function-call subsystems f1 subsys1 and f2 subsys2 on the first and second elements of the first output port.



If you do not enable support for an S-function in Simulink Design Verifier and automatic stubbing is enabled, the analysis ignores the behavior of the S-function. As a result, the code that triggers the two function-call subsystems is ignored, resulting in two unsatisfiable objectives. Since the function calls are ignored, the contents of those subsystems are effectively eliminated from the analysis.

To enable support for an S-function in Simulink Design Verifier, see "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28

# Analyze a Model Using Automatic Stubbing

This section describes a workflow for using automatic stubbing, with a simple Simulink model as an example.

- "Check Model Compatibility" on page 2-9
- "Turn On Automatic Stubbing" on page 2-10
- "Review Results" on page 2-11
- "Achieve Complete Results" on page 2-11

The following model contains a Discrete State-Space block, which is not compatible with Simulink Design Verifier.



#### **Check Model Compatibility**

From the Simulink Editor, there are two ways to check whether a model is compatible with Simulink Design Verifier: by the Simulink Design Verifier compatibility check or by running a Simulink Design Verifier analysis.

To run the Simulink Design Verifier compatibility check:

• On the **Design Verifier** tab, click **Check Compatibility**.



• Select the analysis that you want to perform.

To run a Simulink Design Verifier analysis, on the **Design Verifier** tab, in the **Mode** section, select any of these options:

- Select **Design Error Detection**, then click **Detect Design Errors**.
- Select Test Generation, then click Generate Tests.
- Select **Property Proving**, then click **Prove Properties**.

The software first checks the compatibility of the model. If the model itself is incompatible, for example, if it uses a variable-step solver, the analysis cannot continue.

If it finds incompatible elements in the model, the software analyzes the model and, by default, stubs out the incompatible elements. The Diagnostic Viewer also opens, listing the incompatibilities.



Note For more information, see "View Diagnostics".

#### **Turn On Automatic Stubbing**

Automatic stubbing is enabled by default. To change the automatic stubbing setting, in the Configuration Parameters dialog box, on the main **Design Verifier** pane, select **Automatic stubbing of unsupported block and functions**. When you run the analysis, the software tells you that stubbing is turned on and the analysis continues.

#### **Review Results**

If you run an analysis with automatic stubbing enabled, make sure to review the results. In this report, generated after a test case generation analysis, you see a table of unsupported blocks that the software encountered.

| Block                | Туре               |
|----------------------|--------------------|
| Discrete State-Space | DiscreteStateSpace |

#### **Unsupported Blocks**

The generated analysis report for the example model shows that the objectives are undecided because of stubbing. The software cannot generate test cases because it does not understand the operation of the Discrete State-Space block.

| # | Туре     | Model Item | Description            | Analysis Time<br>(sec) |
|---|----------|------------|------------------------|------------------------|
| 2 | Decision | Saturation | input > lower limit F  | 12                     |
| 3 | Decision | Saturation | input > lower limit T  | 12                     |
| 4 | Decision | Saturation | input >= upper limit F | 12                     |
| 5 | Decision | Saturation | input >= upper limit T | 12                     |

#### **Objective Undecided Due to Stubbing**

#### **Achieve Complete Results**

If your analysis does not achieve complete results because of the stubbing, you can define custom block replacements to give a more precise definition of the unsupported blocks. For more information, follow the steps in "Block Replacements for Unsupported Blocks" on page 4-7.

# **Analyze Export-Function Models**

Simulink Design Verifier supports design error detection, test generation, and property proving for export-function models. The software creates a scheduler model that invokes the export-function models, and then performs the analysis on the scheduler model. The scheduler model invokes the function calls based on the sample times and priorities set in the top model. By default, the software saves the scheduler model in <current\_folder>\sldv\_output\<model\_name> \<model\_name>\_SldvScheduler.slx. You can analyze export-function models with periodic and aperiodic function-call groups. If the model consists of aperiodic function-call or global Simulink Function call, the scheduler has an additional port called the FcnTriggerPort. For more information, see "Export-Function Models Overview".

These topics cover examples that explain a periodic function-call subsystem and global Simulink Function that you can use as an AUTOSAR server runnable.

- "Analyze Export-Function Model with Function-Call Subsystems" on page 2-13
- "Analyze Export-Function Model with Global Simulink Function" on page 2-16

# Limitations

Simulink Design Verifier does not support:

- Models that include export functions with multiple function-call initiators.
- Masked model blocks that export Simulink Function blocks.
- Scoped Simulink functions in export-function models.

# See Also

## **More About**

- "Export-Function Models"
- "Analyze a Model" on page 1-4

# Analyze Export-Function Model with Function-Call Subsystems

This example shows how you can analyze a model which consists of periodic function-call subsystems. This example uses the AUTOSAR example model sldvExportFunction\_autosar\_multirunnables.

1. Open the sldvExportFunction\_autosar\_multirunnables model.

open\_system('sldvExportFunction\_autosar\_multirunnables');

2. To run the test generation analysis, on the **Design Verifier** tab, click **Generate Tests**.

The Simulink Design Verifier Results Summary window indicates that a scheduler model sldvExportFunction\_autosar\_multirunnables\_SldvScheduler.slx is created. You can also generate a scheduler model by using sldvextract.

| 🎦 Simulin                                                                                                                               | k Design Verifier Results                                                               | s Summary: sldvExportFunction_autosar_multirunnables_SI                     | ) | × |
|-----------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|---|---|
|                                                                                                                                         |                                                                                         |                                                                             |   | ^ |
| Progress                                                                                                                                | 5                                                                                       |                                                                             |   |   |
| Satisfied                                                                                                                               |                                                                                         | 0/7<br>0                                                                    |   |   |
| Unsatisf<br>Elapsed                                                                                                                     |                                                                                         | 0<br>0:00                                                                   |   |   |
|                                                                                                                                         |                                                                                         |                                                                             |   |   |
| Creating a new model from the contents of Export Function model<br>"sldvExportFunction_autosar_multirunnables".                         |                                                                                         |                                                                             |   |   |
| New Model File:H:\sldv_output\sldvExportFunction_autosar_multirunnables<br>\sldvExportFunction_autosar_multirunnables_SldvScheduler.slx |                                                                                         |                                                                             |   |   |
|                                                                                                                                         | 2019 13:33:07<br>ssing modeldone                                                        |                                                                             |   |   |
| Checking<br>'sldvExpo<br>Compilin                                                                                                       | compatibility for test<br>ortFunction_autosar_n<br>g modeldone<br>model representation. | nultirunnables'                                                             |   |   |
| 'sldvExpo                                                                                                                               | 2019 13:33:14<br>ortFunction_autosar_n<br>on with Simulink Desig                        | nultirunnables_SldvSchedule2' is <b>compatible</b> for test<br>gn Verifier. |   |   |
| (                                                                                                                                       |                                                                                         |                                                                             | > | ~ |



The scheduler model consists of a MATLAB® function block \_SldvExportFcnScheduler. The function calls are called periodically as the model consists of periodic function-call subsystem.

The MATLAB® code specifies the order in which the periodic function-call execute. Runnable1 and Runnable2 executes first because the time period is 1 for both of them. After 10 time steps, Runnable3 executes.





If the model consists of aperiodic function-call subsystems, the scheduler consists of an additional inport FcnTriggerPort. The value of FcnTriggerPort indicates whether to invoke the function-call in a time step.

For example, if Runnable1 is an aperiodic function-call subsystem, the FcnTriggerPort Inport block invokes the scheduler model. This graphic shows the Timing Legend window and the scheduler model for an aperiodic function-call.



After the test generation analysis, in the Simulink Design Verifier Results Summary window, you see the results that 7/7 objectives are Satisfied.

3. To simulate the test cases and generate a coverage report, click **Simulate tests** and produce a model coverage report in the Simulink Design Verifier Results Summary window. The software simulates the test cases, collects model coverage information, and displays a coverage report.

4. To view the detailed analysis report, click **HTML** in the Simulink Design Verifier Results Summary window.

The **Schedule for Export Function Analysis** section in the **Analysis Information** chapter lists the schedule for invoking the export functions.

| Order |                  |    | Number of times invoked per<br>sample hit |
|-------|------------------|----|-------------------------------------------|
| 1     | <u>Runnable1</u> | 1  | 1                                         |
| 2     | Runnable2        | 1  | 1                                         |
| 3     | Runnable3        | 10 | 1                                         |

#### See Also

- "Export-Function Models"
- "Analyze a Model" on page 1-4

# **Analyze Export-Function Model with Global Simulink Function**

This example shows how you can analyze an export-function model sldvexGlobalSimFcn that consists of a global Simulink Function to be used as an AUTOSAR server runnable.

1. Open the sldvexGlobalSimFcn model.

open\_system('sldvexGlobalSimFcn');

2. To run the test generation analysis, on the **Design Verifier** tab, click **Generate Tests**.

The Simulink Design Verifier Results Summary window indicates that a scheduler model sldvexGlobalSimFcn\_sldvScheduler.slx is created. You can also generate a scheduler model by using sldvextract.

| 🔁 Simulink Design Verifier Results                                                                                                                                                                                                                                                                                              | Summary: sldvexGlobalSimFcn_SldvScheduler_replaceme  | × |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------|---|
| Progress<br>Objectives processed<br>Satisfied<br>Unsatisfiable<br>Elapsed time                                                                                                                                                                                                                                                  | 0/5<br>0<br>0<br>0:00                                |   |
| "sldvexGlobalSimFcn".<br>New Model File:Z:\sldv_output<br>\sldvexGlobalSimFcn_SldvSche<br>07-Jul-2021 15:53:55<br>Preprocessing modeldone<br>Checking compatibility for test<br>Compiling modeldone<br>Building model representation.<br>07-Jul-2021 15:54:36<br>'sldvexGlobalSimFcn_SldvSche<br>with Simulink Design Verifier. | eduler.slx<br>generation: model 'sldvexGlobalSimFcn' |   |
|                                                                                                                                                                                                                                                                                                                                 | Enable Highlighting Stop                             |   |



The scheduler model consists of a MATLAB function block \_SldvExportFcnScheduler and a function-call subsystem that calls the function calls periodically. This MATLAB function block is driven by inports which represent the input arguments of the Simulink Function. An additional Inport block called FcnTriggerPort, the value of which indicates whether to invoke a particular function in a time step.

3. After the test generation analysis, in the Simulink Design Verifier Results Summary window, you see the results that 5/5 objectives are Satisfied.

#### See Also

- "Export-Function Models"
- "Analyze a Model" on page 1-4

# **Nonfinite Data**

Simulink Design Verifier does not support nonfinite data (for example, NaN and Inf) and related operations.

During an analysis, the software handles nonfinite operations as follows:

- In the Relational Operator block:
  - If the **Relational operator** parameter is *isFinite*, the output is always 1.
  - If the **Relational operator** parameter is **isNan** or **isInf**, the output is always 0.
- In the MATLAB Function block:
  - For the isFinite function, the output is always 1.
  - For the isNan and isInf functions, the output is always 0.

# **Role of Approximations During Model Analysis**

#### In this section...

"Types of Approximations" on page 2-20

"Floating-Point to Rational Number Conversion" on page 2-20

"Linearization of Two-Dimensional Lookup Tables for Floating-Point Data Types" on page 2-21 "Approximation of One- and Two-Dimensional Lookup Tables for Integer and Fixed-Point Data Types" on page 2-21

"While Loops" on page 2-22

The Simulink Design Verifier software generates inputs and parameters to achieve objectives. However, there can be an infinite number of values for the software to search. To create reasonable limits on the analysis, the software performs approximations to simplify the analysis. The software records all the approximations it performed in the Analysis Information chapter of the Simulink Design Verifier HTML report. For a description of this chapter, see "Analysis Information Chapter" on page 13-36.

Review the analysis results carefully when the software uses approximations. Evaluate your model to identify which blocks or subsystems caused the software to perform the approximations.

In rare cases, an approximation can result in test cases that fail to achieve test objectives or demonstrate a design error, or counterexamples that fail to falsify proof objectives. For example, suppose the software generates a test case signal that should achieve an objective by exceeding a threshold, a floating-point round-off error might prevent that signal from attaining the threshold value. For more information, see "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23.

# **Types of Approximations**

The Simulink Design Verifier software performs the following approximations when it analyzes a model:

- "Floating-Point to Rational Number Conversion" on page 2-20
- "Linearization of Two-Dimensional Lookup Tables for Floating-Point Data Types" on page 2-21
- "Approximation of One- and Two-Dimensional Lookup Tables for Integer and Fixed-Point Data Types" on page 2-21
- "While Loops" on page 2-22

# **Floating-Point to Rational Number Conversion**

In some cases, the Simulink Design Verifier software simplifies the linear arithmetic of floating-point numbers by approximating them with infinite-precision rational numbers. The software discovers how the logical relationships between these values affect the objectives. This analysis enables the software to support supervisory logic that is commonly found in embedded controller designs. For an example, see "Identify the Effect of Approximations Through Validation Results" on page 2-24.

If your model contains floating-point values in the signals, input values, or block parameters, Simulink Design Verifier converts some values to rational numbers before performing its analysis. As a result of these approximations:

- Round-off error is not considered.
- Upper and lower bounds of floating-point numbers are not considered.
- If your model casts floating-point values to integer values, the integer representation can affect tests generated for the model. In some rare cases, the generated tests might not satisfy objectives associated with the floating-point values.

**Note** You can use the **Run additional analysis to reduce instances of rational approximation** option in the Configuration parameters window to reduce instances of approximation. For more information, see "Run Additional Analysis to Reduce Instances of Rational Approximation" on page 2-42.

## Linearization of Two-Dimensional Lookup Tables for Floating-Point Data Types

The Simulink Design Verifier software does not support nonlinear arithmetic for floating-point data types. If your model contains any 2-D Lookup Table blocks, or n-D Lookup Table blocks where n = 2, with all of the following characteristics, the software approximates nonlinear two-dimensional interpolation with linear interpolation by fitting planes to each interpolation interval.

| Block                             | Characteristics                                                        |  |
|-----------------------------------|------------------------------------------------------------------------|--|
| n-D Lookup Table block, $n = 2$ : | Interpolation method parameter is Linear.                              |  |
|                                   | • Extrapolation method parameter is Clip or Linear.                    |  |
|                                   | • The input and output signals both have the floating-point data type. |  |

## Approximation of One- and Two-Dimensional Lookup Tables for Integer and Fixed-Point Data Types

If your model contains lookup tables with the following characteristics, Simulink Design Verifier automatically converts your original lookup table into a new lookup table composed of breakpoints that are evenly-spaced in each of their respective dimensions.

| Block                           | Characteristics                                                                                         |  |
|---------------------------------|---------------------------------------------------------------------------------------------------------|--|
| n-D Lookup Table block, $n = 1$ | Interpolation method parameter is Linear.                                                               |  |
| or $n = 2$ :                    | <ul> <li>Extrapolation method parameter is Clip .</li> </ul>                                            |  |
|                                 | • Index search method parameter is Linear search or Binary search.                                      |  |
|                                 | • The input and output signals are both of the same type and are both integer type or fixed-point type. |  |

This approximation allows Simulink Design Verifier to generate tests significantly faster. The time saved is pronounced when you have unsatisfiable test objectives in your model.

If Simulink Design Verifier applies such approximations to your model, the Simulink Design Verifier report includes details of the approximation.

# While Loops

If your model or a Stateflow chart in your model contains a while loop, Simulink Design Verifier tries to detect a conservative constant bound that allows the while loop to exit. If the software cannot find a constant bound, it performs a while loop approximation. With this approximation, the analysis does not prove objectives to be valid or unsatisfiable and it does not prove dead logic. The generated analysis report notes this approximation.

The behavior of the while loop approximation is consistent in all modes of analysis, as described in the following table.

| Analysis Mode          | While Loop Approximation                                                                   |
|------------------------|--------------------------------------------------------------------------------------------|
| Design Error Detection | Sets number of while loop iterations to 3. Does not report dead logic or valid objectives. |
| Test Case Generation   | Sets number of while loop iterations to 3. Does not report unsatisfiable objectives.       |
| Property Proving       | Sets number of while loop iterations to 3. Does not report valid objectives.               |

## See Also

"How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23 | "Review Analysis Results" on page 7-8

# How Simulink Design Verifier Reports Approximations Through Validation Results

Simulink Design Verifier performs approximations during analysis. The software identifies the presence of approximations and reports them at the level of each objective status in the Objective Status Chapter of the Simulink Design Verifier HTML report. For more information, see "Role of Approximations During Model Analysis" on page 2-20 and "Objectives Status Chapters" on page 13-42.

To validate the test cases or counterexamples during simulation, the model is locked in fast restart mode. For more information, see "Fast Restart Methodology".

For example, to ensure the effect of approximations, in the test generation analysis the test cases are validated against the coverage data during analysis.

# Impact of Approximations on Objectives Status

The software provides the test cases or counterexamples for the objectives that are impacted due to approximations during analysis. These objectives are reported as "Objectives Undecided with Testcases" on page 13-47 for test generation analysis and "Objectives Undecided with Counterexamples" on page 13-49 for property-proving analysis.

The software confirms the objectives that can be impacted due to approximations as dead logic, valid, or unsatisfiable. This table summarizes these objectives for all analysis modes.

| Analysis Mode          | Objectives Status                                            |  |
|------------------------|--------------------------------------------------------------|--|
| Design error detection | "Dead Logic under Approximation" on page 13-44               |  |
|                        | "Objectives Valid under Approximation" on page 13-45         |  |
| Test generation        | "Objectives Unsatisfiable under Approximation" on page 13-47 |  |
| Property proving       | "Objectives Valid under Approximation" on page 13-48         |  |

The software is unable to confirm the objectives status through validation results for these cases:

- The objectives introduced by the block replacement. For more information, see "What Is Block Replacement?" on page 4-2.
- The Verification Subsystem consists of the sldv.test or sldv.prove function.
- You abort the analysis by using the **Stop** button in the Simulink Design Verifier Results Summary window or the software exceeds its "Maximum analysis time" on page 15-11. Therefore, some objectives remain unvalidated during analysis and the software is unable to confirm the objectives status.
- The block with an objective is inside the Simulink test harness but outside the component under test. For more information, see "Test Harness and Model Relationship" (Simulink Test).

This table summarizes the objectives statuses for the preceding cases. To confirm the status of the objectives, you must run additional simulations of test cases or counterexamples.

| Analysis Mode          | Objectives Status                                       |  |
|------------------------|---------------------------------------------------------|--|
| Design error detection | "Active Logic - Needs Simulation" on page 13-44         |  |
|                        | "Objectives Error - Needs Simulation" on page 13-45     |  |
| Test generation        | "Objectives Satisfied - Needs Simulation" on page 13-46 |  |
| Property proving       | "Objectives Falsified - Needs Simulation" on page 13-49 |  |

# Identify the Effect of Approximations Through Validation Results

This example shows how approximations affect the objectives status of the Switch block. In the sldvApproximationsExample model, the calculations 1./3 and 2./3 in the Constant block result in "Floating-Point to Rational Number Conversion" on page 2-20 during analysis.

For inport In2 equal to -1, the input 2 of the Switch block is not equal to 0 during simulation. Therefore, the Switch does not select inport In3 as output. For test generation and property-proving analysis, the objective logical trigger input false(output is from 3rd input port) for the Switch block is undecided due to the impact of approximations during analysis.

1. Open the model sldvApproximationsExample:

open\_system('sldvApproximationsExample');

## **Reporting Approximations Through Validation Results**



proving analysis.

Copyright 2017 The MathWorks, Inc.

2. To perform test generation analysis, on the **Design Verifier** tab, click **Generate Tests**. The software simulates the model and validates the test results against coverage data.

3. To view the detailed analysis report, click **HTML** in the Simulink Design Verifier Results Summary window.

This image shows the Test Objectives Status section of the generated analysis report. The software provides two test cases that are impacted by approximations.

#### **Test Objectives Status - Objective Satisfied**

| # | Туре     | Model Item |                                                               | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|---------------------------------------------------------------|------------------------|-----------|
| 2 | Decision | Swatch     | logical trigger input true (output is<br>from 1st input port) | 14                     | 1         |

#### **Test Objectives Status - Objective Undecided with Testcases**

| # | Туре     | Model Item |                                                             | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|-------------------------------------------------------------|------------------------|-----------|
| 1 | Decision |            | logical trigger input false (output is from 3rd input port) | 14                     | 2         |

4. To perform property proving analysis, on the **Design Verifier** tab, in the **Mode** section, select **Property Proving**. Click **Prove Properties**.

This image shows the Proof Objectives Status section of the generated analysis report.

#### **Proof Objectives Status - Objective Undecided with Counterexamples**

| # | Туре               | Model Item      |                   | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|-----------------|-------------------|------------------------|----------------|
| 1 | Proof<br>objective | Proof Objective | Objective: [1, 2] | 11                     | 1              |

The software provides one counterexample that is impacted by approximations.

Note: The sldvApproximationsExample example model is preconfigured with the Run additional analysis to reduce the instances of approximations option set to Off. If you enable this option and run the analysis, the Undecided with Testcases test objective is reported as Unsatisfiable and the proof objective is reported as Valid.

## See Also

## **More About**

- "Review Results" on page 13-35
- "Role of Approximations During Model Analysis" on page 2-20

# **Logic Operations Short-Circuiting**

Simulink Design Verifier considers logical operations and logical expressions as short-circuiting when analyzing for dead logic and when generating tests.

Logical Operators and Logical Expressions for Condition and MCDC objectives can be considered short-circuiting or not when you analyze for dead logic or generate tests. The table summarizes different considerations:

Short-Circuit consideration for Condition or MCDC Objectives

| Modeling element                                                    | Short-Circuit consideration for Condition or MCDC Objectives |
|---------------------------------------------------------------------|--------------------------------------------------------------|
| MATLAB, Stateflow (C/MATLAB) and other<br>Simulink Blocks (Fcn, If) | Always short-circuited                                       |
| Logic blocks (standalone/cascaded)                                  | Short-circuited only when<br>CovLogicBlockShortCircuit is ON |

For Condition objective, consider the following simple logical operator example model. When CovLogicBlockShortCircuit parameter is ON, a previous input alone determines the block output, the analysis ignores any remaining block inputs. If the first input to a Logical Operator block whose **Operator** parameter specifies AND is false, the analysis ignores the values of the other inputs.

When CovLogicBlockShortCircuit parameter is OFF, all the inputs are considered.



The tables summarizes the difference in objectives for short-circuit and non short-circuit case for Condition objective by using a similar logical expression for MATLAB function block:

#### Short-Circuit considerations for Condition objective

| Condition 'F' Port 3                                              | -                                     | CovLogicBlockShortCircui<br>t: <b>OFF</b> |
|-------------------------------------------------------------------|---------------------------------------|-------------------------------------------|
| Logical operator                                                  | (in1) && (in2) && (~in2) (dead logic) | ~ in2 (active logic)                      |
| MATLAB Function with<br>logical expression (in1<br>&& in2 && in2) |                                       | (in1) && (in2) && (~in2) (dead<br>logic)  |

For MCDC objective, along with the short-circuit mode, the CovMCDCMode or the coverage MCDC mode is set as a parameter.

The tables summarizes the difference in objectives for short-circuit and non short-circuit case for MCDC objective.

| CovLogicBlockSh<br>ortCircuit | CovMCDCMode  | Standalone block         | Cascaded<br>Network                                                                           |
|-------------------------------|--------------|--------------------------|-----------------------------------------------------------------------------------------------|
| ON                            | Masking      | Short circuited MCDC     | MCDC for network<br>(Short-circuited)                                                         |
| OFF                           | Masking      | Non short-circuited MCDC | MCDC for network<br>(Non short-<br>circuited)                                                 |
| ON                            | Unique cause | Short-circuited MCDC     | MCDC (Short-<br>circuited) coverage<br>result can differ<br>from Simulink<br>Design Verifier. |
| OFF                           | Unique cause | Non short-circuited MCDC | NA                                                                                            |

Short-Circuit considerations for MCDC objective

**Note** If covMCDCMode is Unique cause, then MCDC definition differs between coverage and MCDC.

For more information, see "Short-Circuiting of Boolean Expressions for MCDC" in "Analyzing MCDC for Cascaded Logic Blocks" (Simulink Coverage).

# **Model Representation for Analysis**

#### In this section...

"Reuse Model Representation for Analysis" on page 2-28

"Limitations" on page 2-30

When you analyze a model for the first time, Simulink Design Verifier performs a compatibility check and creates a model representation. The model representation contains information about model behavior to use for analysis. By default, the software saves the model representation at the "Simulation cache folder" location.

If you modify a model and rerun the analysis, Simulink Design Verifier determines whether to rebuild the model representation or to use the existing Simulink cache depending on the "Rebuild model representation" on page 15-13 parameter. A rebuild of the model representation is triggered, when the **Rebuild model representation** option is set to If change is detected and the software detects any changes in the model.

# **Reuse Model Representation for Analysis**

The **Rebuild model representation** option is set to If change is detected by default and the software validates the model representation against any model changes and Simulink Design Verifier analysis options. The software then determines whether to reuse or to rebuild the model representation for analysis. When you set the option to Always, the model representation is rebuilt during every model analysis.

When the **Rebuild model representation** option is set to **If change is detected**, Simulink Design Verifier checks for these changes in a model:

- Simulink Design Verifier Options on page 2-28
- "Structural Checksum of a Model" on page 2-29
- "Additional Dependencies" on page 2-30

#### **Simulink Design Verifier Options**

The software validates the model representation against any changes in the Simulink Design Verifier options. This table lists the options that do not affect the model representation, and if you change any of these options the software reuses the model representation.

| Design Verifier Options | • "Maximum analysis time" on page 15-11                                                 |
|-------------------------|-----------------------------------------------------------------------------------------|
|                         | • "Output folder" on page 15-11                                                         |
|                         | • "Make output file names unique by adding a suffix" on page 15-12                      |
|                         | • "Run additional analysis to reduce instances of rational approximation" on page 15-15 |
|                         | <ul> <li>"Ignore objectives based on filter" on page 15<br/>17</li> </ul>               |
|                         | • "Filter file(s)" on page 15-18                                                        |

| Test Generation options    | "Test conditions" on page 15-32                                                                     |
|----------------------------|-----------------------------------------------------------------------------------------------------|
|                            | <ul> <li>"Test objectives" on page 15-33</li> </ul>                                                 |
|                            | <ul> <li>"Maximum test case steps" on page 15-33</li> </ul>                                         |
|                            | <ul> <li>"Test suite optimization" on page 15-34</li> </ul>                                         |
|                            |                                                                                                     |
|                            | • "Extend using existing coverage data" on page 15-38                                               |
|                            | • "Extend using existing coverage data" on page 15-38                                               |
|                            | • "Extend using existing test data" on page 15-<br>39                                               |
|                            | • "Separate objectives satisfied with the existing tests/coverage data in the report" on page 15-40 |
| Property Proving options   | "Assertion blocks" on page 15-52                                                                    |
|                            | "Proof assumptions" on page 15-53                                                                   |
|                            | "Strategy" on page 15-53                                                                            |
|                            | • "Maximum violation steps" on page 15-54                                                           |
| Results generation options | • "Data file name" on page 15-57                                                                    |
|                            | • "Include expected output values" on page 15-<br>57                                                |
|                            | • "Randomize data that do not affect the outcome" on page 15-58                                     |
|                            | • "Generate separate harness model after<br>analysis" on page 15-59                                 |
|                            | • "Harness model file name" on page 15-59                                                           |
|                            | • "Reference input model in generated harness"<br>on page 15-60                                     |
|                            | "Harness source" on page 15-61                                                                      |
|                            | • "Test File Name" on page 15-61                                                                    |
|                            | • "Test Harness Name" on page 15-62                                                                 |
| Report generation options  | • "Generate report of the results" on page 15-<br>63                                                |
|                            | • "Generate additional report in PDF format" on page 15-64                                          |
|                            | • "Report file name" on page 15-64                                                                  |
|                            | "Include screen shots of properties" on page                                                        |
|                            | 15-65                                                                                               |

#### Structural Checksum of a Model

The Simulink Design Verifier uses both structural checksum and code checksum. A structural checksum is a computation that detects changes in the model that can affect simulation results. For more information about the kinds of changes that affect the model, see Rebuild.

**Note** When you "Generate Test Cases for Embedded Coder Generated Code" on page 7-28, Simulink Design Verifier also considers checksum of the generated code.

#### **Additional Dependencies**

In addition to structural checksum, Simulink Design Verifier checks for changes in model dependencies that can impact the analysis results, such as:

- Simulation run-time parameters that are defined in the data dictionary or the MATLAB base, mask, or model workspaces
- External C or C++ source code files that the model uses during simulation
- Minimum and maximum constraints that are specified for block parameters
- Block parameters that are specified for blocks in the "Simulink Design Verifier Block Library" on page 1-3, such as **Values**

## Limitations

- The model representation is always rebuilt:
  - When Simulink Design Verifier analysis is started from other products such as Simulink Test<sup>™</sup>, Simulink Coverage, Simulink Check<sup>™</sup>, and Requirements Toolbox<sup>™</sup>.
  - When the model contains MATLAB System blocks.
- Simulink Design Verifier does not detect changes in the custom block replacement rules that you apply, even if the **Rebuild model representation** option is set to If change is detected. In such cases, the Simulink cache is reused for analysis and a warning message is displayed in the Diagnostic Viewer that suggests you to set the **Rebuild model representation** option to Always, if you want to rebuild the model representation.

## See Also

"Extend Existing Test Cases by Reusing Model Representation" on page 2-35

## **More About**

- Configure Model Representation Options on page 2-39
- "Check Model Compatibility" on page 3-2
- "Simulink Design Verifier Options" on page 15-2

## Share Simulink Cache File for Faster Analysis

#### In this section...

"Store the Simulink Cache File" on page 2-31

"Reuse the Simulink Cache File" on page 2-31

You can share the Simulink cache file for faster Simulink Design Verifier analysis. When you analyze a model, Simulink Design Verifier performs a compatibility check and creates a Simulink cache file that contains the model representation information. If there is no change in the model, Simulink Design Verifier reuses the model representation from the Simulink cache file without performing the compatibility check again. For more information, see "Share Simulink Cache Files for Faster Simulation" and "Model Representation for Analysis" on page 2-28.

## Store the Simulink Cache File

The Simulink cache file is stored in the location specified in the **Simulink Preferences > General** dialog box, under **Simulation cache folder**. By default, the Simulink cache file is stored in the current working directory.

| Pi Simulink Preferences | -                                                                                    | - 🗆    |
|-------------------------|--------------------------------------------------------------------------------------|--------|
| Simulink Preferences    | General Preferences<br>Folders for Generated Files                                   |        |
| Editor                  | Simulation cache folder:                                                             | Browse |
| 👪 Model File            | Code generation folder:       Code generation folder structure:       Model specific | Browse |

The file name of the Simulink cache is the same as the file name of the model with an .slxc file extension.

## **Reuse the Simulink Cache File**

You can reuse the Simulink cache file to speed up the Simulink Design Verifier analysis for later use by yourself or others. When you perform Simulink Design Verifier analysis, the software determines whether to rebuild the model representation based on the "Rebuild model representation" on page 15-13 option. By default, this option is set to If change is detected and if there is no change in the model, the software reuses the model representation from the Simulink cache file for analysis.

If **Rebuild model representation** is set to Always or if the software detects any change in the model during analysis, the software rebuilds the model representation and updates the Simulink cache file.

**Note** The Simulink cache file accumulates model representation build artifacts for the release in which it was created and is platform dependent. This cache file does not support cross-release compatibility.

For information on what a specific Simulink cache contains, double-click the Simulink cache file. The report contains information of supported releases, platforms, and model representation.



For example, suppose a team is working on large models and uses a source control system to manage design files. To reduce the amount of time for Simulink Design Verifier analysis, the team follows these steps:

- **1** A developer pulls the latest version of the Simulink model from the source control system.
- 2 Performs Simulink Design Verifier test case generation analysis and shares the latest version of Simulink cache file to the source control system and the generated test cases to the build archive.
- **3** Test engineer pulls the latest version of the model and the Simulink cache file from the source control systems. Also, pulls the existing test cases from the build archive.
- 4 Performs test case extension on the same model by using the existing test cases. If no changes are detected in the model, the model representation from the Simulink cache file is reused for analysis. For a detailed example, see "Extend Existing Test Cases by Reusing Model Representation" on page 2-35.

If the test engineer, changes the model or Simulink Design Verifier options that affects the compatibility results, the model representation is rebuilt and the Simulink cache file is updated. For more information on Simulink Design Verifier options that leverage the reuse of model representation, see "Reuse Model Representation for Analysis" on page 2-28.

#### See Also

#### **More About**

- "Model Representation for Analysis" on page 2-28
- Configure Model Representation Options on page 2-39

#### **External Websites**

• Simulink Cache (1 min, 27 sec)

## **Analyze AUTOSAR Component Models**

Simulink Design Verifier supports design error detection, test generation, and property proving analysis for AUTOSAR software components (SWC) at the unit level. You can analyze an AUTOSAR component that contains blocks from the AUTOSAR Blockset Basic Software block library, which model component calls to AUTOSAR Basic Software (BSW) services, including:

- Diagnostic Event Manager (Dem)
- Function Inhibition Manager (FiM)
- NVRAM Manager (NvM)

Additionally, you can analyze a Simulink model generated by importing descriptions of AUTOSAR software components from AUTOSAR XML (ARXML) files. See, "Create and Configure AUTOSAR Software Component" (AUTOSAR Blockset).

The software creates an analysis harness that provides stub implementations of the Basic Software service operations called by the component, and then performs the analysis on the harness model. By default, the software saves the harness model in <current\_folder>\sldv\_output \<model\_name>\<model\_name>\_SldvStub.slx.



#### AUTOSAR Model at Component Level

#### Limitations

The Simulink Design Verifier analysis reports an incompatibility if:

- You use Simulink Design Verifier to generate tests in the Simulink Test, and the harness parameter is set to Signal Editor.
- The component model contains service component blocks, such as the Diagnostic Service Component or NVRAM Service Component blocks.
- The component model contains Initialize Function, Reinitialize Function, Reset Function, or Terminate Function blocks that call a Simulink functions that is not defined in the same component.
- If you perform Software-in-the-Loop (SIL) code analysis on an AUTOSAR component model
- You export test cases generated by Simulink Design Verifier and run software-in-the-loop (SIL) simulation on those test cases in Simulink Test Manager. The recommended approach is to perform back-to-back testing using Simulink Test.

#### See Also

"Configure Elements of AUTOSAR Software Component for Simulink Modeling Environment" (AUTOSAR Blockset) | "Import Test Cases for Equivalence Testing" (Simulink Test)

#### **Related Examples**

• "Detect Design Errors in AUTOSAR Software Component Model" on page 2-47

## **Extend Existing Test Cases by Reusing Model Representation**

This example shows how to avoid unneeded model representation builds when reanalyzing a model. Consider a case where you perform test generation and the analysis exceeds maximum analysis time. In the specified analysis time, Simulink Design Verifier analyzes some objectives and saves the generated test cases in a MAT-file.

To reanalyze the model, you update the maximum analysis time and select the extend existing test cases option. To speed up the analysis, set the **Rebuild model representation** option to If change is detected. Simulink Design Verifier reanalyzes the model by reusing the model representation. For more information, see "Model Representation for Analysis" on page 2-28.

#### Step 1. Open the model and specify analysis options

Generate test cases for sldvdemo cruise control model by specifying the sldvoptions.

```
model = 'sldvdemo_cruise_control';
open_system(model);
opts = sldvoptions;
opts.Mode = "TestGeneration";
opts.MaxProcessTime = 10;
opts.RebuildModelRepresentation = "IfChangeIsDetected";
```



Copyright 2006-2023 The MathWorks, Inc.

Analyze the model by using this command.

[ status, files ] = sldvrun('sldvdemo\_cruise\_control', opts, true);

The Diagnostic Viewer window displays the Test Generation analysis error.

Simulink Design Verifier has exceeded the maximum processing time. You can extend the time limit by modifying the "Maximum analysis time" edit field on the Design Verifier pane of the configuration dialog or by modifying the "MaxProcessTime" attribute of the options object.

After the analysis is completed, the Results Summary window displays the results. The software reports 22/24 objectives as satisfied and 2/24 objectives as undecided.

| Simulink Design Verifier Results Summary: sldvdemo_cruise_control X                                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                |          |       |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------|--|--|
| Progress                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                                                                                |          | ^     |  |  |
| Objectives<br>processed<br>Satisfied<br>Unsatisfiable                                                                                                                             | 22/24<br>22<br>0                                                                                                                                                                                                                                                                                                                                                                               |          |       |  |  |
| Elapsed time                                                                                                                                                                      | 0:15                                                                                                                                                                                                                                                                                                                                                                                           |          | ~     |  |  |
| 22/24 objectives sa<br>2/24 objectives und<br>Results:<br>• Open filter exp<br>• Highlight analy<br>• View tests in S<br>• Detailed analy<br>• Create harness<br>• Save test case | Test generation exceeded time limit.<br>22/24 objectives satisfied.<br>2/24 objectives undecided<br>Results:<br>• Open filter explorer<br>• Highlight analysis results on model<br>• View tests in Simulation Data Inspector<br>• Detailed analysis report: (HTML) (PDF)<br>• Create harness model<br>• Save test cases/counterexamples to spreadsheet<br>• Export test cases to Simulink Test |          |       |  |  |
| Data saved in: <u>sldvdemo</u> cruise contr <u>ol_sldvdata6.mat</u><br>in folder: <u>C:\Users\</u>                                                                                |                                                                                                                                                                                                                                                                                                                                                                                                |          |       |  |  |
| \sldv_c                                                                                                                                                                           | output\sldvdemo_cruise_cont                                                                                                                                                                                                                                                                                                                                                                    | rol      |       |  |  |
|                                                                                                                                                                                   |                                                                                                                                                                                                                                                                                                                                                                                                | View Log | Close |  |  |

#### Step 2. Reanalyze the model by modifying the sldvoptions

To reanalyze the model, you select the extend existing test cases option and update the maximum analysis time. The **Rebuild model representation** option is set to **If** change is detected. The software validates the cache model representation, detects no change, and reuses the model representation for analysis.

```
opts.MaxProcessTime =500;
opts.ExtendExistingTests='on';
opts.IgnoreExistTestSatisfied = 'on';
opts.ExistingTestFile=files.DataFile;
sldvrun('sldvdemo_cruise_control', opts, true);
```

The results show that 24/24 objectives are satisfied and no additional test cases are generated.

| 🚹 Simulink Design Ve                                               | rifier Results Summary: sldvdemo                                                                       | _cruise_control | ×     |  |
|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|-----------------|-------|--|
|                                                                    |                                                                                                        |                 |       |  |
| Progress                                                           |                                                                                                        |                 |       |  |
| 1109.000                                                           |                                                                                                        | -               |       |  |
| Objectives<br>processed                                            | 24/24                                                                                                  |                 |       |  |
| Satisfied                                                          | 24                                                                                                     |                 |       |  |
| Unsatisfiable                                                      | 0                                                                                                      |                 |       |  |
| Elapsed time                                                       | 0:57                                                                                                   |                 | *     |  |
| Toot concretion as                                                 | mploted normally                                                                                       |                 |       |  |
| Test generation co<br>2/24 objectives sat                          |                                                                                                        |                 |       |  |
| 22/24 objectives sa                                                | atisfied by existing tests/cover                                                                       | rage data       |       |  |
| Results:                                                           |                                                                                                        |                 |       |  |
| Open filter exp                                                    | lorer                                                                                                  |                 |       |  |
|                                                                    | sis results on model                                                                                   |                 |       |  |
|                                                                    | View tests in Simulation Data Inspector                                                                |                 |       |  |
| · ·                                                                | <ul> <li>Detailed analysis report: (<u>HTML</u>) (<u>PDF</u>)</li> <li>Create harness model</li> </ul> |                 |       |  |
| <ul> <li>Save test cases/counterexamples to spreadsheet</li> </ul> |                                                                                                        |                 |       |  |
|                                                                    | ses to Simulink Test<br>and produce a model coverage                                                   | ae report       |       |  |
|                                                                    | demo_cruise_control_sldvdat                                                                            |                 |       |  |
| in folder: <u>C:\Users\</u>                                        |                                                                                                        | arinat          |       |  |
| \sldv_c                                                            | output\sldvdemo cruise contr                                                                           | rol             |       |  |
|                                                                    |                                                                                                        |                 |       |  |
|                                                                    |                                                                                                        |                 |       |  |
|                                                                    |                                                                                                        |                 |       |  |
|                                                                    |                                                                                                        | View Log        | Close |  |

Close the model.

close\_system('sldvdemo\_cruise\_control', 0);

#### **Related Topics**

- "Model Representation for Analysis" on page 2-28
- "Extend an Existing Test Suite" on page 7-86

## **Configure Model Representation Options**

You can configure the option to build or reuse the model representation from the **Design Verifier** pane, "Rebuild model representation" on page 15-13 option or by using the sldvoptions. By default, the option is set to If change is detected and the software reuses the model representation for analysis, if there is no change in the model.

When you perform analysis, the Results Summary window displays the information regarding the model representation. If you select Always for the **Rebuild model representation** option, the software rebuilds the model representation during analysis.

| 🔁 Simulink Design Verifier Res                                                                                                       | ults Summary: sldvdemo_cruise_control                                                                           | ×       |
|--------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|---------|
| Progress<br>Objectives processed<br>Satisfied<br>Unsatisfiable<br>Elapsed time                                                       | 17/32<br>17<br>0<br>0:19                                                                                        |         |
| Compiling modeldone<br>Building model representati<br>13-Nov-2018 16:39:09                                                           | est generation: model 'sldvdemo_cruise_contr<br>iondone<br>s <b>compatible</b> for test generation with Simulin | - 1     |
| SATISFIED<br>Controller/Logical Operator<br>Logic: input port 1 false<br>Analysis Time = 00:00:18<br>SATISFIED<br>Controller/Switch2 | lel representation from 13-Nov-2018 16:39:09<br>1<br>putput is from 3rd input port)                             |         |
| Analysis Time = 00:00:18                                                                                                             | Disable Highlighti                                                                                              | rg Stop |

If you select **If change is detected** option, the software validates the existing cached model representation. If the cached model is successfully validated, it is reused for analysis.

| Simulink Design Verifier Re        | sults Summary: sldvdemo_cruise_control                 | ×         |
|------------------------------------|--------------------------------------------------------|-----------|
| Progress                           |                                                        |           |
| Objectives processed               | 27/32                                                  |           |
| Satisfied                          | 27                                                     |           |
| Unsatisfiable                      | 0                                                      |           |
| Elapsed time                       | 0:18                                                   |           |
|                                    |                                                        |           |
|                                    |                                                        | ^         |
| 13-Nov-2018 16:41:46               | epresentation from 11-Nov-2018 16:39:09done            |           |
| validading cached model re         | epresentation from 11-1404-2010 10.55.05done           |           |
| 13-Nov-2018 16:41:47               |                                                        |           |
|                                    | is compatible for test generation with Simulink Design |           |
| Verifier.                          |                                                        |           |
|                                    |                                                        |           |
| Generating tests using mo          | del representation from 13-Nov-2018 16:39:09           |           |
| SATISFIED                          |                                                        |           |
| Controller/Switch2                 |                                                        |           |
|                                    | output is from 3rd input port)                         |           |
| Analysis Time = 00:00:18           |                                                        |           |
| CATICFIED                          |                                                        |           |
| SATISFIED<br>Controller/Switch1    |                                                        |           |
|                                    |                                                        |           |
| iodical tridder indut false (      | output is from 3rd input port)                         |           |
| Analysis Time = 00:00:18           | output is from 3rd input port)                         |           |
| Analysis Time = 00:00:18           | output is from 3rd input port)                         |           |
| Analysis Time = 00:00:18 SATISFIED |                                                        |           |
| Analysis Time = 00:00:18           |                                                        | Ŷ         |
| Analysis Time = 00:00:18 SATISFIED | r1                                                     | ↓<br>Stop |

If change is detected in the model, the model representation is rebuilt. For more information, see Changes That Affect the Model Representation Rebuild on page 2-28.

| Simulink Design Verifier Re                                                                 | sults Summary: sldvdemo_cruise_control                                                            | $\times$ |
|---------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|----------|
| Progress<br>Objectives processed<br>Satisfied<br>Unsatisfiable<br>Elapsed time              | 10/12<br>10<br>0<br>0:20                                                                          |          |
| detected 27-Nov-2018 16:04:13                                                               | epresentation from 27-Nov-2018 16:00:44change<br>test generation: model 'sldvdemo_cruise_control' | ^        |
| Building model representa<br>27-Nov-2018 16:04:16<br>'sldvdemo_cruise_control'<br>Verifier. | tiondone                                                                                          |          |
| SATISFIED<br>Controller/Switch2                                                             | del representation from 27-Nov-2018 16:04:16<br>output is from 3rd input port)                    |          |
| SATISFIED<br>Controller/Switch3                                                             | Disable Highlighting                                                                              | ✓        |
|                                                                                             | Disable Highlighting Si                                                                           | top      |

## See Also

#### **More About**

- "Model Representation for Analysis" on page 2-28
- "Check Model Compatibility" on page 3-2

# Run Additional Analysis to Reduce Instances of Rational Approximation

This example shows how to reduce the instances of rational approximation by running additional analysis. You analyze a model and during the analysis, Simulink® Design Verifier<sup>™</sup> identifies the presence of approximations and the associated objectives are reported as undecided with test case.

You enable the **Run additional analysis to reduce instances of rational approximation** option to perform additional analysis to confirm the undecided objectives. When you rerun the analysis, Simulink cache that contains the model representation information is reused to perform faster analysis. For more information see "Reuse Model Representation for Analysis" on page 2-28.

#### **Open the Model**

The sldvApproximationsExample model results in approximations due to the calculations 1./3 and 2./3 in the Constant block.

open\_system('sldvApproximationsExample')



#### Reporting Approximations Through Validation Results

This example shows how Simulink Design Verifier reports the impact of approximations through validation results.

In this model, approximations occur due to floating point to rational number conversion during analysis. In the Simulink Design Verifier Report, the Objective Status chapter reports the objectives impacted by approximations for test generation and property proving analysis.

Copyright 2017-2019 The MathWorks, Inc.



#### **Reporting Approximations Through Validation Results**

Copyright 2017-2019 The MathWorks, Inc.

#### Perform Test Case Generation Analysis and Review Results

On the **Design Verifier** tab, click **Generate Tests**.

proving analysis.

After the analysis completes, the Results Summary window displays that one objective is satisfied and one objective is undecided with test case.

| Progress                                                                             |                              |
|--------------------------------------------------------------------------------------|------------------------------|
| Objectives processed<br>Satisfied                                                    | 2/2                          |
| Unsatisfiable                                                                        | 0                            |
| Elapsed time                                                                         | 0:20                         |
|                                                                                      |                              |
|                                                                                      |                              |
| Test generation completed no                                                         | ormally.                     |
| 1/2 objective satisfied                                                              |                              |
| 1/2 objective undecided with                                                         | testcase                     |
|                                                                                      |                              |
| Results:                                                                             |                              |
| Open filter viewer                                                                   |                              |
| Highlight analysis resu                                                              |                              |
| <ul> <li><u>View tests in Simulatio</u></li> <li>Detailed analysis report</li> </ul> |                              |
| Create harness model                                                                 |                              |
| <ul> <li>Export test cases to Sin</li> </ul>                                         | mulink Test                  |
| <ul> <li>Simulate tests and pro</li> </ul>                                           | duce a model coverage report |
| Data saved in: sldvApproxima                                                         | tionsExample_sldvdata.mat    |
| in folder: <u>H:\sldv_output\sldv</u>                                                |                              |
|                                                                                      |                              |
|                                                                                      |                              |
|                                                                                      |                              |
|                                                                                      |                              |

To view the detailed analysis report, in the Results Summary window, click **HTML**. In the report, the Analysis Information chapter lists the approximations that were performed during analysis

## Approximations

Simulink Design Verifier performed the following approximations during analysis. These can impact the precision of the results generated by Simulink Design Verifier. Please see the product documentation for further details.

| # | Type                   | Description                                                                                                                                                                                                                                                                                                       |
|---|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Rational approximation | The model includes floating-point arithmetic. Simulink Design Verifier<br>approximates floating-point arithmetic with rational number arithmetic.<br>Specifying minimum and maximum values that mimic environmental<br>constraints on root-level Inport blocks may reduce instances of rational<br>approximation. |

The Objective Status chapter gives detailed description of the objectives.

| Oł  | ojectives    | Satisfied                    |                                                               |                        |           |
|-----|--------------|------------------------------|---------------------------------------------------------------|------------------------|-----------|
| Sim | ulink Design | Verifier found test cases th | nat exercise these test objectives.                           |                        |           |
| #   | Туре         | Model Item                   | Description                                                   | Analysis<br>Time (sec) | Test Case |
| 2   | Decision     | Switch                       | logical trigger input true (output is<br>from 1st input port) | 8                      | 1         |
| Oł  | jectives     | Undecided with               | Testcases                                                     |                        |           |

Simulink Design Verifier was not able to decide these objectives due to the impact of approximations during analysis.

| # | Туре     | Model Item | Deceriminan                                                 | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|-------------------------------------------------------------|------------------------|-----------|
| 1 | Decision |            | logical trigger input false (output is from 3rd input port) | 22                     | 2         |

#### **Run Additional Analysis by Reusing Cache**

The undecided with test case objective is impacted by approximation, and to confirm this objective status you run additional analysis.

(a) On the **Design Verifier** tab, click **Test Generation Settings > Settings**.

(b) In the Configurations Parameters dialog box, on the Design Verifier pane, in Advanced parameters, set the **Rebuild model representation** option to If change is detected and enable **Run additional analysis to reduce instances of rational approximation** option. Click **OK**.

Note: If you create a new model, by default, the **Rebuild model representation** option is set to If change is detected.

(c) To perform test generation analysis, click **Generate Tests**. The existing cache is validated against the model and the analysis reuses the cache if no change is detected.

The Results Summary window displays that the cached model representation is validated and no change is detected. Hence, the analysis skips the compatibility check and reuses the model representation for analysis.

| Paresults: sldvApproximationsExample                                                                                                                                                                                             | _ | $\times$ |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|----------|
| $\Leftrightarrow \Rightarrow \bigcirc$                                                                                                                                                                                           |   | - 0      |
| Test generation completed normally.<br>1/2 objective satisfied<br>1/2 objective unsatisfiable                                                                                                                                    |   |          |
| Results:                                                                                                                                                                                                                         |   |          |
| Open filter viewer     View tests in Simulation Data Inspector     Detailed analysis report: (HTML) (PDF)     Create harness model     Export test cases to Simulink Test     Simulate tests and produce a model coverage report |   |          |

After the analysis completes, the Results Summary window displays that one objective is satisfied and one objective is unsatisfiable.

#### **Review Analysis Results**

To view the detailed analysis report, in the Results Summary window, click **HTML**. In the report, the Objectives Status chapter gives a detailed description of the objectives.

#### **Objectives Satisfied**

Simulink Design Verifier found test cases that exercise these test objectives.

| # | Туре     | Model Item | lacomption                                                    | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|---------------------------------------------------------------|------------------------|-----------|
| 2 | Decision |            | logical trigger input true (output is<br>from 1st input port) | 2                      | 1         |

## **Objectives Unsatisfiable**

Simulink Design Verifier found that there does not exist any test case exercising these test objectives. This often indicates the presence of dead logic in the model. Other possible reasons can be inactive blocks in the model due to parameter configuration or test constraints such as given using Test Condition blocks.

| # | Туре     | Model Item | Description                                                 | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|-------------------------------------------------------------|------------------------|-----------|
| 1 | Decision | Switch     | logical trigger input false (output is from 3rd input port) | 264                    | n/a       |

#### **Related Topics**

- "Model Representation for Analysis" on page 2-28
- "Run additional analysis to reduce instances of rational approximation" on page 15-15
- "Rebuild model representation" on page 15-13

## **Detect Design Errors in AUTOSAR Software Component Model**

The AUTOSAR standard defines Basic Software (BSW) services that run in the AUTOSAR run-time environment. The services include NVRAM Manager (NvM) Diagnostic Event Manager (Dem), and Function Inhibition Manager (FiM) services. The following example shows how to use Simulink Design Verifier to run design error checks on the AUTOSAR component model.

#### Prepare the Model

Open the AUTOSAR software component. This example uses AUTOSAR simulink model autosar\_bsw\_monitor.

```
model = 'autosar_bsw_monitor';
open_system(model);
```



Monitor component autosar\_bsw\_monitor contains a call to the Dem service interface DiagnosticMonitor and four calls to the Dem service interface DiagnosticInfo. The four DiagnosticInfo calls are implemented using the Basic Software library block DiagnosticInfoCaller (AUTOSAR Blockset). Each block is configured to call the DiagnosticInfo operation GetEventFailed. The GetEventFailed calls use client ports TPS1StuckLow, TPS1StuckHigh, TPS2StuckLow, and TPS2StuckHigh.

#### **Perform Design Error Detection Analysis**

To detect the design errors in the above component model, configure the Design Verifier options as follows:

```
opts = sldvoptions;
opts.Mode = "DesignErrorDetection";
opts.DetectDeadLogic = 'on';
opts.DetectActiveLogic = 'on';
```

Analyze the model.

```
[ status, files ] = sldvrun('autosar_bsw_monitor', opts, true);
```

Creating a new model to analyze Simulink Function calls with missing definitions in the model "autosar\_bsw\_monitor".

New Model File:Z:\sldv\_output\autosar\_bsw\_monitor \autosar\_bsw\_monitor\_SldvStub.slx

The Simulink® Design Verifier<sup>™</sup> Results Summary window indicates that an analysis harness model autosar\_bsw\_monitor\_SldvStub is created. You can also generate the same analysis harness model using sldvextract function.

#### **Review the Analysis Results**

The Simulink Design Verifier Results Summary window shows that 18 of 18 objectives are active logic in the model.

| Progress                                          |                                        |     |
|---------------------------------------------------|----------------------------------------|-----|
| Objectives processed                              | 18/18                                  |     |
| Valid                                             | 18                                     |     |
| Falsified                                         | 0                                      |     |
| Elapsed time                                      | 1:58                                   |     |
| Design error detection<br>18/18 objectives are ad |                                        |     |
| Results:                                          |                                        |     |
| Open filter viewer                                |                                        |     |
| <ul> <li>Highlight analysis</li> </ul>            | results on model                       |     |
| <ul> <li>Detailed analysis</li> </ul>             | report: ( <u>HTML</u> ) ( <u>PDF</u> ) |     |
|                                                   | bsw_monitor_SldvStub_sldvdata.mat      |     |
| n folder: <u>Z:\sldv_outpu</u>                    | ut\autosar_bsw_monitor_SldvStub        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   |                                        |     |
|                                                   | View Log Clo                           | nce |

To view the detailed analysis report, click the HTML link in the Results Summary window. The **Design Error Detection Objectives Status** section includes the **Active Logic** objectives statuses for the model.

| #  | Турс      | Model Item                                    | Description                                                 | Analysis Time<br>(sec) |
|----|-----------|-----------------------------------------------|-------------------------------------------------------------|------------------------|
| 6  | Condition | autosar_bsw_monitor/Logical Operator          | Logic: input port 1 true                                    | 38                     |
| 7  | Condition | autosar_bsw_monitor/Logical Operator          | Logic: input port 1 false                                   | 38                     |
| 8  | Condition | autosar_bsw_monitor/Logical Operator          | Logic: input port 2 true                                    | 38                     |
| 9  | Condition | autosar_bsw_monitor/Logical Operator          | Logic: input port 2 false                                   | 38                     |
| 15 | Condition | autosar bsw monitor/Logical Operator2         | Logic: input port 1 true                                    | 38                     |
| 16 | Condition | autosar_bsw_monitor/Logical Operator2         | Logic: input port 1 false                                   | 38                     |
| 17 | Condition | autosar_bsw_monitor/Logical Operator2         | Logic: input port 2 true                                    | 38                     |
| 18 | Condition | autosar_bsw_monitor/Logical Operator2         | Logic: input port 2 false                                   | 38                     |
| 20 | Condition | autosar_bsw_monitor/Logical Operator1         | Logic: input port 1 true                                    | 38                     |
| 21 | Condition | autosar_bsw_monitor/Logical Operator1         | Logic: input port 1 false                                   | 38                     |
| 22 | Condition | autosar bsw monitor/Logical Operator1         | Logic: input port 2 true                                    | 38                     |
| 23 | Condition | autosar_bsw_monitor/Logical Operator1         | Logic: input port 2 false                                   | 38                     |
| 25 | Decision  | autosar_bsw_monitor/BoolToEventStatus2/Switch | logical trigger input false (output is from 3rd input port) | 38                     |
| 26 | Decision  | autosar_bsw_monitor/BoolToEventStatus2/Switch | logical trigger input true (output is from 1st input port)  | 38                     |
| 27 | Decision  | autosar_bsw_monitor/Switch1                   | logical trigger input false (output is from 3rd input port) | 38                     |
| 28 | Decision  | autosar_bsw_monitor/Switch1                   | logical trigger input true (output is from 1st input port)  | 38                     |
| 30 | Decision  | autosar bsw monitor/Switch                    | logical trigger input false (output is from 3rd input port) | 38                     |
| 31 | Decision  | autosar bsw monitor/Switch                    | logical trigger input true (output is from 1st input port)  | 38                     |

The analysis report also captures information about the analysis harness for analyzing the model in the **Analysis Harness Information** section. The **Stubbed Simulink Functions for Analysis** section in the **Analysis Harness Information** section lists the stubbed Simulink functions.

| Function Prototype                                 |
|----------------------------------------------------|
| [EventFailed,ERR] = TPS2StuckLow_GetEventFailed()  |
| [EventFailed,ERR] = TPS2StuckHigh_GetEventFailed() |
| [EventFailed,ERR] = TPS1StuckLow_GetEventFailed()  |
| [EventFailed,ERR] = TPS1StuckHigh_GetEventFailed() |
| <u>ERR = TPS_SetEventStatus(EventStatus)</u>       |

Note that Simulink Design Verifier assumes that the output of stubbed Simulink Functions is held when the functions are invoked multiple times in a single step.

#### **Related Links**

• "Analyze AUTOSAR Component Models" on page 2-33

## **Checking Compatibility with the Simulink Design Verifier Software**

- "Check Model Compatibility" on page 3-2
- "Supported and Unsupported Simulink Blocks in Simulink Design Verifier" on page 3-7
- "Support Limitations for Simulink Software Features" on page 3-16
- "Support Limitations for Model Blocks" on page 3-19
- "Support Limitations for Stateflow Software Features" on page 3-21
- "Support Limitations for MATLAB for Code Generation" on page 3-25
- "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28

## **Check Model Compatibility**

#### In this section...

"Run Compatibility Check" on page 3-2 "Compatibility Check Results" on page 3-3

With Simulink Design Verifier, you can analyze Simulink models to:

- Detect design errors that can occur at a run time.
- Generate test cases that achieve model coverage.
- Prove properties and identify property violations.

Before Simulink Design Verifier analyzes a model, the software checks whether the model is compatible for analysis. The model is compatible for analysis when:

- The model is compiled into an executable form.
- The model is compatible with code generation.
- The model performs zero-second simulation with no errors, that is the simulation start and stop time is  $\boldsymbol{\theta}.$

The software supports a broad range of Simulink and Stateflow software capabilities in your models. However, there are capabilities that the product does not support, described in "Support Limitations for Simulink Software Features" on page 3-16 and "Support Limitations for Stateflow Software Features" on page 3-21.

For more information on supported Simulink blocks, see "Supported and Unsupported Simulink Blocks in Simulink Design Verifier" on page 3-7.

## **Run Compatibility Check**

Before the software begins an analysis, it checks the compatibility of your model, and then creates a model representation. The model representation includes the model artifacts that are used during analysis. For more information, see "Model Representation for Analysis" on page 2-28.

Before you start an analysis, you can run a compatibility check on your model by using one of these methods. When you use any of these methods, the model representation is always rebuilt.

- On the **Design Verifier** tab, in the **Analyze** section, click **Check Compatibility**.
- In the Model Advisor, select either By Product > Simulink Design Verifier > Check compatibility with Simulink Design Verifier or By Task > Simulink Design Verifier Compatibility Check > Check compatibility with Simulink Design Verifier. Click Run This Check.

For more information, see "Simulink Design Verifier Checks".

- To run the compatibility check programmatically at the command line or in a MATLAB program, use the sldvcompat function . For more information, see sldvcompat.
- To check compatibility of a Subsystem, right-click the Subsystem and select Design Verifier > Check Subsystem Compatibility.

## **Compatibility Check Results**

When you run a compatibility check on a model, the Results Summary window displays one of these results:

- "Model Is Compatible" on page 3-3
- "Model Is Incompatible" on page 3-3
- "Model Is Partially Compatible" on page 3-5

#### Model Is Compatible

If your model is compatible, you can continue with the analysis in the Results Summary window. For example, to continue the test generation analysis, click **Generate Tests**.

| 📔 Simulink Design Verifier Results Summary: sldvdemo_cruise_control                                                                                                                                                                                                                        | ×  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|
| 21-Nov-2018 15:20:42<br>Checking compatibility for test generation: model 'sldvdemo_cruise_control'<br>Compiling modeldone<br>Building model representationdone<br>21-Nov-2018 15:21:06<br>'sldvdemo_cruise_control' is <b>compatible</b> for test generation with Simulink Design Verifie | r. |
| Save Log Generate Tests Clos                                                                                                                                                                                                                                                               | e  |

**Note** After you have completed the compatibility check, if you change the model, you cannot continue the analysis in the Results Summary window. If you change your model, rerun the compatibility check for analysis.

#### Model Is Incompatible

If the model is incompatible with Simulink Design Verifier, you can identify and fix the incompatibilities through the Diagnostic Viewer messages. For more information, see "View Diagnostics".



• If your model uses a variable-step solver, configure the solver Type to Fixed-step.



• If your model has nonfinite data, change the value of the data or configure the model so that the data is treated as a variable during Simulink Design Verifier analysis. For more information, see "Nonfinite Data" on page 2-19.



If your model is large and contains many subsystems, you can use the Test Generation Advisor to determine whether certain subsystems cause the incompatibility. For more information, see "Use Test Generation Advisor to Identify Analyzable Components" on page 7-24.

#### Model Is Partially Compatible

A model is partially compatible if at least one model object in the model is incompatible. Simulink Design Verifier continues the analysis for partially compatible model by stubbing out the unsupported elements. By default, the "Automatic stubbing of unsupported blocks and functions" on page 15-13 option is set to **On**. For more information, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

| 🚡 Simulink Design Verifier Results Summary: sldvdemo_sqrt_blockrep                                                                                                                       |  |  |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| 11-Jul-2019 15:51:14<br>Checking compatibility for test generation: model 'sldvdemo_sqrt_blockrep'<br>Compiling modeldone<br>Building model representationdone                           |  |  |
| 11-Jul-2019 15:51:21<br>'sldvdemo_sqrt_blockrep' is <b>partially compatible</b> for test generation with Simulink<br>Design Verifier.                                                    |  |  |
| The model can be analyzed by Simulink Design Verifier.<br>It contains unsupported elements that will be stubbed out during analysis. The results<br>of the analysis might be incomplete. |  |  |
| See documentation.                                                                                                                                                                       |  |  |
| Save Log Generate Tests Close                                                                                                                                                            |  |  |

## See Also

"Overview of the Simulink Design Verifier Workflow" on page 1-19 | "Block Replacements for Unsupported Blocks" on page 4-7 | "Model Representation for Analysis" on page 2-28

## Supported and Unsupported Simulink Blocks in Simulink Design Verifier

Simulink Design Verifier provides various levels of support for the Simulink blocks:

- Supported
- Partially supported
- Not supported

If your model contains partially supported blocks, you can enable automatic stubbing. In order to improve the scalability of the analysis, automatic stubbing conservatively abstracts the block behavior. As a result, the analysis may not successfully analyze all the objectives. For more details about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

To achieve 100% coverage, avoid using partially supported blocks in models that you analyze.

The following tables summarize Simulink Design Verifier analysis support for Simulink blocks. Each table lists the blocks in a Simulink library and also describes support information for that particular block.

#### Additional Math and Discrete Library

The software supports all blocks in the Additional Math and Discrete library.

#### **Commonly Used Blocks Library**

The Commonly Used Blocks library includes blocks from other libraries. Those blocks are listed under their respective libraries.

#### **Continuous Library**

| Block                           | Support Notes |
|---------------------------------|---------------|
| Derivative                      | Not supported |
| Integrator                      | Not supported |
| Integrator Limited              | Not supported |
| PID Controller                  | Not supported |
| PID Controller (2DOF)           | Not supported |
| Second-Order Integrator         | Not supported |
| Second-Order Integrator Limited | Not supported |
| State-Space                     | Not supported |
| Transfer Fcn                    | Not supported |
| Transport Delay                 | Not supported |
| Variable Time Delay             | Not supported |
| Variable Transport Delay        | Not supported |
| Zero-Pole                       | Not supported |

#### **Discontinuities Library**

The software supports all blocks in the Discontinuities library.

#### **Discrete Library**

| Block                          | Support Notes |
|--------------------------------|---------------|
| Delay                          | Supported     |
| Difference                     | Supported     |
| Discrete Derivative            | Supported     |
| Discrete Filter                | Supported     |
| Discrete FIR Filter            | Supported     |
| Discrete PID Controller        | Supported     |
| Discrete PID Controller (2DOF) | Supported     |
| Discrete State-Space           | Not supported |
| Discrete Transfer Fcn          | Supported     |
| Discrete Zero-Pole             | Not supported |
| Discrete-Time Integrator       | Supported     |
| Memory                         | Supported     |
| Tapped Delay                   | Supported     |
| Transfer Fcn First Order       | Supported     |
| Transfer Fcn Lead or Lag       | Supported     |
| Transfer Fcn Real Zero         | Supported     |
| Unit Delay                     | Supported     |
| Zero-Order Hold                | Supported     |

#### Logic and Bit Operations Library

The software supports all blocks in the Logic and Bit Operations library.

#### Lookup Tables Library

| Block                         | Support Notes                                                                                                                                                       |
|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Cosine                        | Supported                                                                                                                                                           |
| Direct Lookup Table (n-D)     | Supported                                                                                                                                                           |
| Interpolation Using Prelookup | <ul> <li>Partially supported when:</li> <li>The Interpolation method parameter is Linear and the Number of table dimensions parameter is greater than 4.</li> </ul> |
|                               | <ul> <li>or</li> <li>The Interpolation method parameter is Linear and the Number of sub-table selection dimensions parameter is not 0.</li> </ul>                   |

| Block                | Support Notes                                                                                                                |
|----------------------|------------------------------------------------------------------------------------------------------------------------------|
| 1-D Lookup Table     | Partially supported when the <b>Interpolation method</b> or the <b>Extrapolation method</b> parameter is Cubic Spline.       |
| 2-D Lookup Table     | Not supported when the <b>Interpolation method</b> or the <b>Extrapolation method</b> parameter is Akima Spline.             |
| n-D Lookup Table     | Partially supported when:                                                                                                    |
|                      | • The Interpolation method or the Extrapolation method parameter is Cubic Spline.                                            |
|                      | or                                                                                                                           |
|                      | • The <b>Interpolation method</b> parameter is Linear and the <b>Number of table dimensions</b> parameter is greater than 5. |
|                      | Not supported when the <b>Interpolation method</b> or the <b>Extrapolation method</b> parameter is Akima Spline.             |
| Lookup Table Dynamic | Supported                                                                                                                    |
| Prelookup            | Supported                                                                                                                    |
| Sine                 | Supported                                                                                                                    |

## Math Operations Library

| Block                      | Support Notes                                                             |
|----------------------------|---------------------------------------------------------------------------|
| Abs                        | Supported                                                                 |
| Add                        | Supported                                                                 |
| Algebraic Constraint       | Supported                                                                 |
| Assignment                 | Supported                                                                 |
| Bias                       | Supported                                                                 |
| Complex to Magnitude-Angle | Supported                                                                 |
| Complex to Real-Imag       | Supported                                                                 |
| Divide                     | Supported                                                                 |
| Dot Product                | Supported                                                                 |
| Find Nonzero Elements      | Not supported                                                             |
| Gain                       | Supported                                                                 |
| Magnitude-Angle to Complex | Supported                                                                 |
| Math Function              | Supported. Support for pow function is limited to integer exponents only. |
| Matrix Concatenate         | Supported                                                                 |
| MinMax                     | Supported                                                                 |
| MinMax Running Resettable  | Supported                                                                 |
| Permute Dimensions         | Supported                                                                 |
| Polynomial                 | Supported                                                                 |

| Block                     | Support Notes                                                                                                                  |
|---------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| Product                   | Supported                                                                                                                      |
| Product of Elements       | Supported                                                                                                                      |
| Real-Imag to Complex      | Supported                                                                                                                      |
| Reciprocal Sqrt           | Partially supported                                                                                                            |
| Reshape                   | Supported                                                                                                                      |
| Rounding Function         | Supported                                                                                                                      |
| Sign                      | Supported                                                                                                                      |
| Signed Sqrt               | Partially supported                                                                                                            |
| Sine Wave Function        | Partially supported                                                                                                            |
| Slider Gain               | Supported                                                                                                                      |
| Sqrt                      | Partially supported                                                                                                            |
| Squeeze                   | Supported                                                                                                                      |
| Subtract                  | Supported                                                                                                                      |
| Sum                       | Supported                                                                                                                      |
| Sum of Elements           | Supported                                                                                                                      |
| Trigonometric Function    | Supported if <b>Function</b> is sin, cos, or sincos, and <b>Approximation method</b> is CORDIC. Partially supported otherwise. |
| Unary Minus               | Supported                                                                                                                      |
| Vector Concatenate        | Supported                                                                                                                      |
| Weighted Sample Time Math | Supported                                                                                                                      |

#### Model Verification Library

The software supports all blocks in the Model Verification library.

#### Model-Wide Utilities Library

| Block                       | Support Notes |
|-----------------------------|---------------|
| Block Support Table         | Supported     |
| DocBlock                    | Supported     |
| Model Info                  | Supported     |
| Timed-Based Linearization   | Not supported |
| Trigger-Based Linearization | Not supported |

#### Ports & Subsystems Library

| Block                | Support Notes |
|----------------------|---------------|
| Atomic Subsystem     | Supported     |
| Code Reuse Subsystem | Supported     |

| Block                           | Support Notes                                                                                                                                                                                                                                                                                                                                                                           |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Configurable Subsystem          | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Enable                          | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Enabled Subsystem               | <ul> <li>Design range checks do not consider specified minimum and maximum values for blocks connected to the output port of the subsystem. For more information on design range checks, see "Check for Specified Minimum and Maximum Value Violations" on page 6-23.</li> <li>Simulink Design Verifier treats Enabled Subsystems as short-circuited during test generation.</li> </ul> |
| Enabled and Triggered Subsystem | Not supported when the trigger control signal specifies a fixed-<br>point data type.                                                                                                                                                                                                                                                                                                    |
|                                 | Design range checks do not consider specified minimum and<br>maximum values for blocks connected to the output port of the<br>subsystem. For more information on design range checks, see<br>"Check for Specified Minimum and Maximum Value Violations"<br>on page 6-23.                                                                                                                |
|                                 | Simulink Design Verifier treats Enabled and Triggered Subsystems as short-circuited during test generation.                                                                                                                                                                                                                                                                             |
| For Each                        | Supported with the following limitations:                                                                                                                                                                                                                                                                                                                                               |
|                                 | <ul> <li>When For Each Subsystem contains one or more Simulink<br/>Design Verifier Test Condition, Test Objective, Proof<br/>Assumption, or Proof Objective blocks, not supported.</li> <li>When the mask parameters of the For Each Subsystem are</li> </ul>                                                                                                                           |
|                                 | partitioned, not supported.                                                                                                                                                                                                                                                                                                                                                             |
| For Each Subsystem              | Supported with the following limitations:                                                                                                                                                                                                                                                                                                                                               |
|                                 | • When For Each Subsystem contains one or more Simulink<br>Design Verifier Test Condition, Test Objective, Proof<br>Assumption, or Proof Objective blocks, not supported.                                                                                                                                                                                                               |
|                                 | • When the mask parameters of the For Each Subsystem are partitioned, not supported.                                                                                                                                                                                                                                                                                                    |
| For Iterator Subsystem          | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Function-Call Feedback Latch    | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Function-Call Generator         | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Function-Call Split             | Supported                                                                                                                                                                                                                                                                                                                                                                               |
| Function-Call Subsystem         | Design range checks do not consider specified minimum and<br>maximum values for blocks connected to the output port of the<br>subsystem. For more information on design range checks, see<br>"Check for Specified Minimum and Maximum Value Violations"<br>on page 6-23.                                                                                                                |
| If                              | Parameter configurations are not supported. The analysis ignores parameter configurations that you specify for an If block.                                                                                                                                                                                                                                                             |

| Block                            | Support Notes                                                                                                                                                                                               |
|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| If Action Subsystem              | Supported                                                                                                                                                                                                   |
| In Bus Element                   | Supported                                                                                                                                                                                                   |
| Inport                           | Supported                                                                                                                                                                                                   |
| Model                            | Supported except for the limitations described in "Support<br>Limitations for Model Blocks" on page 3-19.                                                                                                   |
| Out Bus Element                  | Supported                                                                                                                                                                                                   |
| Outport                          | Supported                                                                                                                                                                                                   |
| Resettable Subsystem             | Supported                                                                                                                                                                                                   |
| Subsystem                        | Supported                                                                                                                                                                                                   |
| Variant Transitions in Stateflow | Supported.                                                                                                                                                                                                  |
|                                  | Only the active variant is analyzed.                                                                                                                                                                        |
| Switch Case                      | Supported                                                                                                                                                                                                   |
| Switch Case Action Subsystem     | Supported                                                                                                                                                                                                   |
| Trigger                          | Supported                                                                                                                                                                                                   |
| Triggered Subsystem              | Not supported when the trigger control signal specifies a fixed-<br>point data type.<br>Design range checks do not consider specified minimum and                                                           |
|                                  | maximum values for blocks connected to the output port of the<br>subsystem. For more information on design range checks, see<br>"Check for Specified Minimum and Maximum Value Violations"<br>on page 6-23. |
|                                  | Simulink Design Verifier treats Enabled Subsystems as short-<br>circuited during test generation.                                                                                                           |
| Variant Subsystem                | Not supported when the <b>Generate preprocessor conditionals</b> parameter is enabled.                                                                                                                      |
|                                  | Only the active variant is analyzed.                                                                                                                                                                        |
| While Iterator Subsystem         | Supported                                                                                                                                                                                                   |

#### Signal Attributes Library

The software supports all blocks in the Signal Attributes library.

#### Signal Routing Library

| Block             | Support Notes |
|-------------------|---------------|
| Bus Assignment    | Supported     |
| Bus Creator       | Supported     |
| Bus Selector      | Supported     |
| Data Store Memory | Supported     |
| Data Store Read   | Supported     |

| Block                  | Support Notes                                                                                                                                                                                                                                                                         |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Data Store Write       | Supported                                                                                                                                                                                                                                                                             |
| Demux                  | Supported                                                                                                                                                                                                                                                                             |
| Environment Controller | Supported                                                                                                                                                                                                                                                                             |
| From                   | Supported                                                                                                                                                                                                                                                                             |
| Goto                   | Supported                                                                                                                                                                                                                                                                             |
| Goto Tag Visibility    | Supported                                                                                                                                                                                                                                                                             |
| Index Vector           | Supported                                                                                                                                                                                                                                                                             |
| Manual Switch          | The Manual Switch block is compatible with the software, but<br>the analysis ignores this block in a model. The analysis does not<br>flag the coverage objectives for this block as satisfiable or<br>unsatisfiable.<br>Model coverage data is collected for the Manual Switch block. |
| Merge                  | Supported                                                                                                                                                                                                                                                                             |
| Multiport Switch       | Supported                                                                                                                                                                                                                                                                             |
| Mux                    | Supported                                                                                                                                                                                                                                                                             |
| Selector               | Supported                                                                                                                                                                                                                                                                             |
| Switch                 | Supported                                                                                                                                                                                                                                                                             |
| Vector Concatenate     | Supported                                                                                                                                                                                                                                                                             |

## Sinks Library

| Block           | Support Notes |
|-----------------|---------------|
| Display         | Supported     |
| Floating Scope  | Supported     |
| Outport (Out1)  | Supported     |
| Out Bus Element | Supported     |
| Scope           | Supported     |
| Stop Simulation | Not supported |
| Terminator      | Supported     |
| To File         | Supported     |
| To Workspace    | Supported     |

#### Sources Library

| Block                    | Support Notes       |
|--------------------------|---------------------|
| Band-Limited White Noise | Not supported       |
| Chirp Signal             | Partially supported |
| Clock                    | Supported           |

| Block                           | Support Notes                                                                                                     |
|---------------------------------|-------------------------------------------------------------------------------------------------------------------|
| Constant                        | Supported unless <b>Constant value</b> is inf or nan (in which case, it is not supported).                        |
| Counter Free-Running            | Supported                                                                                                         |
| Counter Limited                 | Supported                                                                                                         |
| Digital Clock                   | Supported                                                                                                         |
| Enumerated Constant             | Supported                                                                                                         |
| From File                       | Partially supported. When MAT-file data is stored in MATLAB timeseries format, not supported.                     |
| From Workspace                  | Partially supported                                                                                               |
| Ground                          | Supported                                                                                                         |
| Inport (In1)                    | Supported                                                                                                         |
| In Bus Element                  | Supported if Simulink.Bus type is defined for the In Bus Element.                                                 |
| Pulse Generator                 | Supported                                                                                                         |
| Ramp                            | Supported                                                                                                         |
| Random Number                   | Not supported                                                                                                     |
| Repeating Sequence              | Partially supported                                                                                               |
| Repeating Sequence Interpolated | Partially supported                                                                                               |
| Repeating Sequence Stair        | Supported                                                                                                         |
| Signal Editor                   | Not supported                                                                                                     |
| Signal Generator                | Partially supported if wave form is sine. Supported if wave form is square. Not supported if wave form is random. |
| Sine Wave                       | Partially supported                                                                                               |
| Step                            | Supported                                                                                                         |
| Uniform Random Number           | Not supported                                                                                                     |

#### **User-Defined Functions Library**

| Block                       | Support Notes                                                                                              |
|-----------------------------|------------------------------------------------------------------------------------------------------------|
| C Function                  | Partially supported. The C Function block is stubbed out during the Simulink Design Verifier analysis.     |
| C Caller                    | Supported.                                                                                                 |
| Initialize Function         | Not Supported for Initialize function containing Parameter Writer blocks.                                  |
|                             | Not supported as a target for subsystem analysis.                                                          |
| Interpreted MATLAB Function | Partially supported                                                                                        |
| Level-2 MATLAB S-Function   | For limitations, see "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28. |
| MATLAB Function             | For limitations, see "Support Limitations for MATLAB for Code Generation" on page 3-25.                    |

| Block              | Support Notes                                                                                                                                                                                   |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| MATLAB System      | <ul> <li>Decision, Condition and MCDC Coverage objectives are<br/>supported in Test Generation. Enhanced MCDC, Relational<br/>Boundary and Custom Test objectives are not supported.</li> </ul> |
|                    | Custom Proof objectives are not supported in Property Proving.                                                                                                                                  |
|                    | • For further limitations, see "Support Limitations for MATLAB for Code Generation" on page 3-25.                                                                                               |
|                    | Logical expressions within assignment statements are not analyzed for coverage objectives.                                                                                                      |
| Reset Function     | Not supported                                                                                                                                                                                   |
| S-Function Builder | For limitations, see "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28.                                                                                      |
| Simulink Function  | • For export-function models, see "Analyze Export-Function Models" on page 2-12.                                                                                                                |
|                    | • Global Simulink functions within a non export-function model reference are not supported.                                                                                                     |
| Terminate Function | Partially supported.                                                                                                                                                                            |
|                    | • The behaviour of Terminate function is ignored and is replaced by an empty function during the analysis.                                                                                      |
|                    | Not supported as a target for subsystem analysis.                                                                                                                                               |
| Observer Reference | Supported with limitations. See "Isolate Verification Logic with Observers" on page 12-29.                                                                                                      |
| Simscape Library   | Not supported                                                                                                                                                                                   |

## **Support Limitations for Simulink Software Features**

Simulink Design Verifier does not support the following Simulink software features. Avoid using these unsupported features.

| Not Supported                                | Description                                                                                                                                                                                                 |
|----------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Variable-step solvers                        | The software supports only fixed-step solvers.                                                                                                                                                              |
|                                              | For more information, see "Fixed Step Solvers in Simulink".                                                                                                                                                 |
| Callback functions                           | The software does not execute model callback functions during the<br>analysis. The results that the analysis generates, such as the harness<br>model, may behave inconsistently with the expected behavior. |
|                                              | • If a model or any referenced model calls a callback function that changes any block parameters, model parameters, or workspace variables, the analysis does not reflect those changes.                    |
|                                              | • Changing the storage class of base workspace variables on model callback functions or mask initializations is not supported.                                                                              |
|                                              | Callback functions called prior to analysis, such as the<br>PreLoadFcn or PostLoadFcn model callbacks, are fully<br>supported.                                                                              |
| Model callback functions                     | The software supports model callback functions only if the InitFcn callback of the model is empty.                                                                                                          |
| Algebraic loops                              | The software does not support models that contain algebraic loops.                                                                                                                                          |
|                                              | For more information, see "Algebraic Loop Concepts".                                                                                                                                                        |
| Masked subsystem<br>initialization functions | The software does not support models whose masked subsystem initialization:                                                                                                                                 |
|                                              | Modifies any attribute of any workspace parameter.                                                                                                                                                          |
|                                              | Deletes or creates blocks.                                                                                                                                                                                  |

| Not Supported                    | Description                                                                                                                                                                                                                                                                                                                                            |  |  |  |
|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| Variable-size signals            | The software supports test generation for models with bounded<br>variable-size signals. For more information on how to generate test<br>cases when input signals are of variable-size, see "Achieve Coverage<br>in Models with Variable-Size Inputs" on page 9-24.                                                                                     |  |  |  |
|                                  | In addition, the following are the limitations for analysis:                                                                                                                                                                                                                                                                                           |  |  |  |
|                                  | 1 Relational boundary coverage objectives                                                                                                                                                                                                                                                                                                              |  |  |  |
|                                  | 2 Enhanced MCDC coverage objectives                                                                                                                                                                                                                                                                                                                    |  |  |  |
|                                  | <b>3</b> Models with variable-size signals at root level input port                                                                                                                                                                                                                                                                                    |  |  |  |
|                                  | 4 Models with variable-size signals with maximum size 1                                                                                                                                                                                                                                                                                                |  |  |  |
|                                  | Note                                                                                                                                                                                                                                                                                                                                                   |  |  |  |
|                                  | • Coverage objectives of single port logical and min-max blocks with variable size signals are not considered.                                                                                                                                                                                                                                         |  |  |  |
|                                  | • The analysis is performed under the assumptions that at any step, all the variable-size inputs of a block will have same size.                                                                                                                                                                                                                       |  |  |  |
| Multiword fixed-point data types | The software does not support multiword fixed-point data types larger than 128 bits.                                                                                                                                                                                                                                                                   |  |  |  |
| Nonzero start times              | Although Simulink allows you to specify a nonzero simulation start<br>time, the analysis generates signal data that begins only at zero. If<br>your model specifies a nonzero start time:                                                                                                                                                              |  |  |  |
|                                  | • If you do not select the <b>Reference input model in generated</b><br><b>harness</b> parameter (the default), the harness model is a<br>subsystem. The analysis sets the start time of the harness model to<br>1 and continues the analysis.                                                                                                         |  |  |  |
|                                  | • If you select the <b>Reference input model in generated harness</b> parameter, a Model block references the harness model. The software cannot change the start time of the harness model, so the analysis stops and you see a recommendation to set the <b>Start time</b> parameter to 0.                                                           |  |  |  |
|                                  | • Simulink Design Verifier assumes zero start time for analysis and generates signal data that begins at zero. Zero start time might impact the reporting of the objective status. For example, in the test generation analysis, the software might report some objectives as Undecided with Testcases. For more information, see "Simulation Basics". |  |  |  |

| Not Supported                                                                     | Description                                                                                                                                                                                                                         |
|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Nonfinite data                                                                    | The software does not support nonfinite data (for example, NaN and Inf) and related operations.                                                                                                                                     |
|                                                                                   | In the Relational Operator block, the software assigns the output as follows:                                                                                                                                                       |
|                                                                                   | • If the <b>Relational operator</b> parameter is isFinite, the output is always 1.                                                                                                                                                  |
|                                                                                   | • If the <b>Relational operator</b> parameter is <b>isNan</b> or <b>isInf</b> , the output is always 0.                                                                                                                             |
|                                                                                   | In the MATLAB Function block, the software assigns the return value as follows:                                                                                                                                                     |
|                                                                                   | • For the isFinite function, the output is always 1.                                                                                                                                                                                |
|                                                                                   | • For the isNan and isInf functions, the output is always 0.                                                                                                                                                                        |
| Concurrent execution                                                              | The software does not support models that are configured for concurrent execution.                                                                                                                                                  |
| Signals with nonzero sample time offset                                           | The software does not support models with signals that have nonzero sample time offsets.                                                                                                                                            |
| Models with no output ports                                                       | The software only supports models that have one or more output<br>ports. If a model contains test condition or test objective blocks and<br>no output ports are present in the model, then nominal test cases will<br>be generated. |
| Large floating-point<br>constants outside the range<br>[-realmax/2,<br>realmax/2] | The use of large floating-point constants can cause out of memory<br>errors or substantial loss of precision. Avoid using such constants if<br>possible.                                                                            |
| Symbolic Dimensions                                                               | The software does not support symbolic dimensions for test generation, property proving, or design error detection.                                                                                                                 |
| Simulink Strings                                                                  | Models that contain blocks with string data types as block parameters<br>are not supported. For more information, see "Simulink Strings".                                                                                           |
| Parameter Tuning                                                                  | The software does not support parameter tuning for the parameters that are defined in the Model Workspace.                                                                                                                          |
| Row-major Algorithms                                                              | The software does not support models that contain MATLAB System<br>blocks that use coder.rowMajor directive. For more information<br>see, "Use algorithms optimized for row-major array layout".                                    |

## **Support Limitations for Model Blocks**

Simulink Design Verifier supports the Model block with the following limitations. The software cannot analyze a model containing one or more Model blocks if:

• The referenced model is protected. Protected referenced models are encoded to obscure their contents. This allows third parties to use the referenced model without being able to view the intellectual property that makes up the model.

For more information, see "Reference Protected Models from Third Parties".

 The parent model or any of the referenced models returns an error when you set the Configuration Parameters > Diagnostics > Connectivity > Element name mismatch parameter to error.

You can use the **Element name mismatch** diagnostic along with bus objects so that your model meets the bus element naming requirements imposed by some blocks.

- The Model block uses asynchronous function-call inputs.
- Any of the Model blocks in the model reference hierarchy creates an artificial algebraic loop. If this occurs, take the following steps:
  - 1 On the **Diagnostics** pane of the Configuration Parameters dialog box, set the **Minimize algebraic loop** parameter to error so that Simulink reports an algebraic loop error.
  - 2 On the **Model Referencing** Pane of the Configuration Parameters dialog box, select the **Minimize algebraic loop occurrences** parameter.

Simulink tries to eliminate the artificial algebraic loop during simulation.

- **3** Simulate the model.
- 4 Simulink will remove the algebraic loop if possible. If Simulink cannot eliminate the artificial algebraic loop, highlight the location of the algebraic loop by opening the **Modeling** tab and, in the **Compile** section, clicking **Update Model**.
- **5** Eliminate the artificial algebraic loop so that the software can analyze the model. Break the loop with Unit Delay blocks so that the execution order is predictable.

**Note** For more information, see "Algebraic Loop Concepts".

• The parent model and the referenced model have mismatched data type override settings. The data type override setting of the parent model and its referenced models must be the same, unless the data type override setting of the parent model is Use local settings. You can configure data type override settings to simulate a model that specifies fixed-point data types. Using this setting, the software temporarily overrides data types with floating-point data types during simulation.

set\_param('MyModel','DataTypeOverride','Double')

For more information, see set\_param.

To observe the true behavior of your model, set the data type override parameter to UseLocalSettings or Off.

set\_param('MyModel','DataTypeOverride','Off')

• The referenced model is a Model block with virtual buses at input ports, and the signals in the bus do not all have the same sample time at compilation. To make the model compatible with Simulink

Design Verifier analysis, convert the virtual bus to a nonvirtual bus, or specify an explicit sample time for the port.

• When you run the analysis on Model block, then the code generated as a top model is not supported.

# **Support Limitations for Stateflow Software Features**

Simulink Design Verifier does not support the following Stateflow software features. Avoid using these unsupported features in models that you analyze.

| In this section                                                                           |
|-------------------------------------------------------------------------------------------|
| "ml Namespace Operator, ml Function, ml Expressions" on page 3-21                         |
| "C or C++ Operators" on page 3-21                                                         |
| "C Math Functions" on page 3-21                                                           |
| "Atomic Subcharts That Call Exported Graphical Functions Outside a Subchart" on page 3-22 |
| "Atomic Subchart Input and Output Mapping" on page 3-22                                   |
| "Recursion and Cyclic Behavior" on page 3-22                                              |
| "Custom C/C++ Code" on page 3-23                                                          |
| "Textual Functions with Literal String Arguments" on page 3-24                            |

## ml Namespace Operator, ml Function, ml Expressions

The software does not support calls to MATLAB functions or access to MATLAB workspace variables, which the Stateflow software allows. See "Access MATLAB Functions and Workspace Data in C Charts" (Stateflow).

## C or C++ Operators

The software does not support the sizeof operator, which the Stateflow software allows.

## **C** Math Functions

The software supports calls to the following C math functions:

- abs
- ceil
- fabs
- floor
- fmod
- labs
- ldexp
- pow (only for integer exponents)

The software does not support calls to other C math functions, which the Stateflow software allows. If automatic stubbing is enabled, which it is by default, the software eliminates these unsupported functions during the analysis.

For information about C math functions in Stateflow, see "Call C Library Functions in C Charts" (Stateflow).

**Note** For details about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

## Atomic Subcharts That Call Exported Graphical Functions Outside a Subchart

The software does not support atomic subcharts that call exported graphical functions, which the Stateflow software allows.

**Note** For information about exported functions, see "Export Stateflow Functions for Reuse" (Stateflow).

## Atomic Subchart Input and Output Mapping

If an input or output in an atomic subchart maps to chart-level data of a different scope, the software does not support the chart that contains that atomic subchart.

For an atomic subchart input, this incompatibility applies when the input maps to chart-level data of output, local, or parameter scope. For an atomic subchart output, this incompatibility applies when the output maps to chart-level data of local scope.

## **Recursion and Cyclic Behavior**

The software does not support recursive functions, which occur when a function calls itself directly or indirectly through another function call. Stateflow software allows you to implement recursion using graphical functions.

In addition, the software does not support recursion that the Stateflow software allows you to implement using a combination of event broadcasts and function calls.

**Note** For information about avoiding recursion in Stateflow charts, see "Avoid Unwanted Recursion in a Chart" (Stateflow).

Stateflow software also allows you to create *cyclic behavior*, where a sequence of steps is repeated indefinitely. If your model has a chart with cyclic behavior, the software cannot analyze it.

**Note** For information about cyclic behavior in Stateflow charts, see "Detect Cyclic Behavior" (Stateflow).

However, you can modify a chart with cyclic behavior so that it is compatible, as in the following example.

The following chart creates cyclic behavior. State A calls state A1, which broadcasts a Clear event to state B, which calls state B2, which broadcasts a Set event back to state A, causing the cyclic behavior.



If you change the **send** function calls to use directed event broadcasts so that the Set and Clear events are broadcast directly to the states B1 and A1, respectively, the cyclic behavior disappears and the software can analyze the model.



**Note** For information about the benefits of directed event broadcasts, see "Broadcast Local Events to Synchronize Parallel States" (Stateflow).

## Custom C/C++ Code

If your model consists of custom C/C++ code, Simulink Design Verifier supports analysis based on these settings:

- If you enable import custom code and custom code analysis options, the software supports custom C/C++ code for analysis. For more information, see "Import custom code" and "Enable custom code analysis".
- If you enable import custom code option and the custom code analysis option is set to **Off**, the model is compatible for analysis, but calls to the custom code are stubbed during analysis.
- If the import custom code option is set to Off, the custom code is not supported and the model is incompatible for analysis.

## **Textual Functions with Literal String Arguments**

The software does not support literal string arguments to textual functions in a Stateflow chart.

# Support Limitations for MATLAB for Code Generation

#### In this section...

"Unsupported MATLAB for Code Generation Features" on page 3-25

"Support Limitations for MATLAB for Code Generation Library Functions" on page 3-25

## **Unsupported MATLAB for Code Generation Features**

Simulink Design Verifier does not support the following features of the MATLAB Function block in the Simulink software and MATLAB functions in the Stateflow software. Avoid using these unsupported features in models that you analyze with Simulink Design Verifier.

| Not Supported       | Description                                                                                             |
|---------------------|---------------------------------------------------------------------------------------------------------|
| Characters          | The software does not support characters, which MATLAB for code generation allows.                      |
| C functions         | The software does not support calls to external C functions, which MATLAB for code generation allows.   |
| Extrinsic functions | The software supports extrinsic functions only when they do not affect the output of a MATLAB function. |

## Support Limitations for MATLAB for Code Generation Library Functions

Simulink Design Verifier provides various levels of support for MATLAB for code generation library functions. The software either fully or partially supports particular functions. It does not support other functions.

If your model contains unsupported functions, you can turn on automatic stubbing, which considers the interface of the unsupported functions, but not their behavior. However, if any of the unsupported functions affect the simulation outcome, the analysis might achieve only partial results. For details about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

To achieve 100% coverage, avoid using unsupported MATLAB library functions in models that you analyze.

The following table lists Simulink Design Verifier support for categories of library functions in code generation from MATLAB:

- Software supports functions in that category, indicated by a dash (-).
- Software does not support functions in that category.
- Software supports the function in that category with limitations as specified.

For the complete listing of available functions, see "Functions and Objects Supported for C/C++ Code Generation".

| Function Category           | Support Notes  |
|-----------------------------|----------------|
| Aerospace Toolbox functions | Not supported. |

| Function Category                              | Support Notes                             |                                                                       |  |  |
|------------------------------------------------|-------------------------------------------|-----------------------------------------------------------------------|--|--|
| Arithmetic operator functions                  | Supported with the following limitations: |                                                                       |  |  |
|                                                | mldivide(\)                               | Supported.                                                            |  |  |
|                                                | mpower(^)                                 | Supports only integer exponents.<br>Otherwise partially supported.    |  |  |
|                                                | mrdivide(/)                               | Supported.                                                            |  |  |
|                                                | power(.^)                                 | Supports integer exponents. Float exponents partially supported.      |  |  |
| Bit-wise operation functions —                 |                                           |                                                                       |  |  |
| Casting functions                              | Supported with the following limitations: |                                                                       |  |  |
|                                                | char                                      | Not supported.                                                        |  |  |
|                                                | typecast                                  | Not supported.                                                        |  |  |
| Communications Toolbox™ functions              | Not supported                             | •                                                                     |  |  |
| Complex number functions                       | Partially suppo                           | orted.                                                                |  |  |
| Computer Vision Toolbox <sup>™</sup> functions | Not supported                             | Not supported.                                                        |  |  |
| Data type functions                            | —                                         |                                                                       |  |  |
| Derivative and Integral functions              | Not supported                             | Not supported.                                                        |  |  |
| Discrete math functions                        | -                                         | -                                                                     |  |  |
| Error handling functions                       | Supported with                            | h the following limitations:                                          |  |  |
|                                                | assert                                    | Supported, but does not behave like<br>a Proof Objective block.       |  |  |
| Exponential functions                          | Supported.                                | Supported.                                                            |  |  |
| Filtering and convolution functions            | Supported with the following limitations: |                                                                       |  |  |
|                                                | detrend                                   | Supported if argument is a scalar.<br>Otherwise, partially supported. |  |  |
| Fixed-Point Designer functions                 | Supported.                                |                                                                       |  |  |
| Histogram functions                            | Not supported                             | Not supported.                                                        |  |  |
| Image Processing Toolbox™ functions            | Not supported                             |                                                                       |  |  |
| Input and output functions                     | -                                         |                                                                       |  |  |
| Interpolation and computation geometry         | Supported with                            | h the following limitations:                                          |  |  |
|                                                | cart2pol                                  | Partially supported.                                                  |  |  |
|                                                | cart2sph                                  | Partially supported.                                                  |  |  |
|                                                | pol2cart                                  | Partially supported.                                                  |  |  |
|                                                | sph2cart                                  | Partially supported.                                                  |  |  |
| Linear algebra                                 | Not supported.                            |                                                                       |  |  |
| Logical operator functions                     | -                                         |                                                                       |  |  |
| MATLAB Compiler <sup>™</sup> functions         | Not supported.                            |                                                                       |  |  |
| Matrix and array functions                     |                                           | h the following limitations:                                          |  |  |
| -                                              | angle                                     | Partially supported.                                                  |  |  |

| Function Category                     | Support Notes      |                                                                                                                       |
|---------------------------------------|--------------------|-----------------------------------------------------------------------------------------------------------------------|
|                                       | cond               | Partially supported.                                                                                                  |
|                                       | det                | Supported.                                                                                                            |
|                                       | eig                | Partially supported.                                                                                                  |
|                                       | inv                | Supported.                                                                                                            |
|                                       | invhilb            | Not supported.                                                                                                        |
|                                       | logspace           | Partially supported.                                                                                                  |
|                                       | lu                 | Supported.                                                                                                            |
|                                       | norm               | Supported when invoked using the<br>syntax norm(A,p) where p is either<br>1 or inf. Otherwise partially<br>supported. |
|                                       | normest            | Partially supported.                                                                                                  |
|                                       | pinv               | Partially supported.                                                                                                  |
|                                       | planerot           | Partially supported.                                                                                                  |
|                                       | qr                 | Partially supported.                                                                                                  |
|                                       | rank               | Partially supported.                                                                                                  |
|                                       | rcond              | Supported.                                                                                                            |
|                                       | subspace           | Partially supported.                                                                                                  |
| Nested functions                      | Supported.         |                                                                                                                       |
| Nonlinear numerical methods           | Not supported.     |                                                                                                                       |
| Polynomial functions                  | Not supported.     |                                                                                                                       |
| Relational operations functions       | —                  |                                                                                                                       |
| Rounding and remainder functions      | —                  |                                                                                                                       |
| Set functions                         | —                  |                                                                                                                       |
| Signal Processing functions in MATLAB | Not supported.     |                                                                                                                       |
| Signal Processing Toolbox™ functions  | Not supported.     |                                                                                                                       |
| Special values                        | Supported with the | he following limitations:                                                                                             |
|                                       | rand               | Partially supported.                                                                                                  |
|                                       | randn              | Partially supported.                                                                                                  |
| Specialized math                      | Not supported.     |                                                                                                                       |
| Statistical functions                 | —                  |                                                                                                                       |
| String functions                      | Supported with t   | he following limitations:                                                                                             |
|                                       | char               | Not supported.                                                                                                        |
|                                       | ischar             | Not supported.                                                                                                        |
| Trigonometric functions               | Not supported.     |                                                                                                                       |

# Support Limitations and Considerations for S-Functions and C/C++ Code

#### In this section...

"Enabling S-Functions in Simulink Design Verifier" on page 3-28

"Support Limitations for S-Functions and C/C++ Code" on page 3-28

"Handle Volatile Variables as Normal Variables" on page 3-29

"Considerations for Enabling S-Functions and C/C++ Code in Simulink Design Verifier" on page 3-29  $\,$ 

"Source Code Protection" on page 3-29

## **Enabling S-Functions in Simulink Design Verifier**

Simulink Design Verifier supports test case generation for code generated with Embedded Coder<sup>®</sup>. Simulink Design Verifier also supports error detection, test case generation, and property proving for S-Functions that:

- The Legacy Code Tool generates, with def.Options.supportCoverageAndDesignVerifier set to true.
- The S-Function Builder generates, with **Enable support for Design Verifier** selected on the **Build Info** tab of the S-Function Builder dialog box.
- The function slcovmex compiles, with the option -sldv passed to the function when compiling the S-function.

For more information on the three approaches, see "About C MEX S-Functions".

## Support Limitations for S-Functions and C/C++ Code

- Simulink Design Verifier does not support S-Functions or C/C++ code containing:
  - Continuous states. Simulink Design Verifier does not analyze such code.
  - Zero-crossing functions. Simulink Design Verifier ignores such code during analysis.
  - Constants that describe INF or NaN objects. Simulink Design Verifier considers such code as containing floating-point overflow errors. Although Simulink Design Verifier analysis cannot determine the type of overflow error for such cases, the analysis can determine which lines of code introduce the incompatibility. Polyspace<sup>®</sup> can provide more information on why your code contains floating-point overflow errors.
- You must specify that the signal elements entering the ports of S-Functions compiled with slcovmex are contiguous. Use the SimStruct function ssSetInputPortRequiredContiguous.

Simulink Design Verifier supports the following design errors for S-Function and C/C++ code:

- Dead logic including active logic.
- Array out of bounds. This includes pointer out of bounds in case of C/C++.
- Division-by-Zero.

## Handle Volatile Variables as Normal Variables

Simulink Design Verifier allows the option for volatile variables to be stubbed or handled as normal variables. When you select the **Ignore the volatile qualifier** parameter, volatile elements will be treated in the same as the non-volatile elements. Deselecting the **Ignore the volatile qualifier** will revert to the previous behavior of stubbing access to volatile elements.

## Considerations for Enabling S-Functions and C/C++ Code in Simulink Design Verifier

• When performing property proving or test generation analysis for models with enabled S-Functions or C/C++ code generated with Embedded Coder, Simulink Design Verifier assumes that the code contains no run-time errors. If the code contains run-time errors such as division by zero, access to non-initialized variables or array out of bounds, the property proving or test generation analysis can produce incorrect results. Code that has been checked by Polyspace and is free of run-time errors provide correct results in Simulink Design Verifier analysis.

To avoid incorrect results that are produced due to run-time errors, perform design error detection analysis first, and then perform property proving or test generation analysis.

- If Simulink Design Verifier cannot determine the size of arrays in your code (for instance for arrays that are dynamically allocated with non-constant size), Simulink Design Verifier assumes an upper bound for the array. Ensure that the given upper bound is appropriate.
- If you do not enable Simulink Design Verifier support for an S-function, Simulink Design Verifier stubs the S-function. With S-function support enabled, Simulink Design Verifier analyzed the content of the S-function to get more detailed information. Sometimes, Simulink Design Verifier internally stubs the S-function. Internal stubs can be the result of different C/C++ constructs, such as:
  - Calls to library functions (the library function is replaced by a stub).
  - Complex pointer operations.
  - · Casts to or from incompatible or unknown pointer types.

Models containing such constructs are labeled **Partially compatible**.

## **Source Code Protection**

To analyze the contents of an S-function, information about the implementation of the S-function, including information derived from the source code, are stored within the shared object. Although this information is not directly accessible to users, consider disabling Simulink Design Verifier support for S-Functions in models that are released externally if the S-Functions contain sensitive source code.

## See Also

"Configuring S-Function for Test Case Generation" on page 7-109 | "Generate Test Cases for Embedded Coder Generated Code" on page 7-28

- "What Is Block Replacement?" on page 4-2
- "Built-In Block Replacements" on page 4-4
- "Template for Block Replacement Rules" on page 4-6
- "Block Replacements for Unsupported Blocks" on page 4-7

# What Is Block Replacement?

Using Simulink Design Verifier, you can define rules to replace blocks automatically in your model. For example, you can work around a block that is incompatible with the software by creating a rule that replaces an unsupported Simulink block in your model with a supported block that is functionally equivalent. Or, you can customize blocks for analysis by creating a rule that adds constraints or objectives to particular blocks in your model.

When performing block replacements, the software makes a copy of your model and replaces blocks in the copy, without altering your original model. This way, you can easily customize a model for analysis.

The Simulink Design Verifier software replaces blocks automatically in a model using:

- Libraries of replacement blocks
- Rules that define which blocks to replace and under what conditions

You replace any block with any built-in block, library block, or subsystem.

Block replacements are extensible, allowing you to define your own libraries of replacement blocks and custom block replacement rules. Using block replacements, you can

- Work around an incompatibility, such as the presence of unsupported blocks in your model.
- Customize a block for analysis, such as:
  - Adding constraints to its input signals
  - Adding objectives to its output signals
  - Eliminating the contents of a subsystem or Model block to simplify your analysis

**Note** You can use automatic stubbing as an alternative to block replacements to resolve incompatibilities. Automatic stubbing replaces unsupported blocks with elements that have the same interface. For more information, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

## **Block Replacement Effects on Test Generation**

Replacing blocks can affect test case generation if the replaced blocks share functionality with other parts of your model. Before you replace blocks, understand functional dependencies on those blocks or on shared signals. See "Highlight Functional Dependencies". Replacement blocks can also affect other analysis workflows such as property proving.

For example, you can customize a block for analysis using a replacement block that adds objectives to an input signal. If another subsystem depends on that signal, the replacement block effectively adds an objective for the subsystem.

In this example, the breakpoint range of u1 in the 2-D Lookup Table is 5–7. The switch threshold 8 falls outside the u1 lookup table range.



Tests generated without replacing the 2D Lookup Table satisfy two objectives: that the trigger is not greater than the Switch block threshold 8, and that the trigger is greater than the Switch block threshold 8.

| # | Туре     | Model Item |                                                              | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|--------------------------------------------------------------|------------------------|-----------|
| 1 | Decision | NUMER      | trigger > threshold false (output is<br>from 3rd input port) | 0                      | 1         |

#### **Objectives Satisfied**

The blkrep\_rule\_lookup2D\_normal.m block replacement rule replaces the 2D Lookup Table with a masked subsystem containing the 2D Lookup Table and a MATLAB Function block.



The MATLAB Function block constrains the analysis within the breakpoint bounds of the table.

# **Built-In Block Replacements**

The Simulink Design Verifier software provides a set of block replacement rules and a corresponding library of replacement blocks. Use these built-in block replacements when analyzing models. They serve as examples that you can examine to learn how to create your own block replacements.

The following table lists the factory default block replacement rules, available in the *matlabroot* \toolbox\sldv\sldv\private folder. There are two implementations of each factory-default block replacement rule. Rules whose file names end with \_normal.m replace blocks with Subsystem blocks.

| File Name                      | Description                                                                                                                                                                                                                                                                                                                 |
|--------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| blkrep_rule_lookup_normal.m    | A rule that replaces 1-D Lookup Table blocks with an implementation that includes test objectives for each breakpoint and interval specified by the <b>Breakpoints</b> parameter.                                                                                                                                           |
| blkrep_rule_lookup2D_normal.m  | A rule that adds Test Condition/Proof Assumption blocks<br>to the input ports of 2-D Lookup Table blocks. Each Test<br>Condition/Proof Assumption block constrains signal values<br>to the interval specified by the corresponding breakpoint<br>vector.                                                                    |
| blkrep_rule_mpswitch2_normal.m | A rule that adds a Test Condition/Proof Assumption block<br>to the control input port of Multiport Switch blocks whose<br><b>Number of data ports</b> parameter is 2. The Test<br>Condition/Proof Assumption block constrains signal values<br>to the interval [1, 2] (or [0, 1] if the block uses zero-based<br>indexing). |
| blkrep_rule_mpswitch3_normal.m | A rule that adds a Test Condition/Proof Assumption block<br>to the control input port of Multiport Switch blocks whose<br><b>Number of data ports</b> parameter is 3. The Test<br>Condition/Proof Assumption block constrains signal values<br>to the interval [1, 3] (or [0, 2] if the block uses zero-based<br>indexing). |
| blkrep_rule_mpswitch4_normal.m | A rule that adds a Test Condition/Proof Assumption block<br>to the control input port of Multiport Switch blocks whose<br><b>Number of data ports</b> parameter is 4. The Test<br>Condition/Proof Assumption block constrains signal values<br>to the interval [1, 4] (or [0, 3] if the block uses zero-based<br>indexing). |
| blkrep_rule_mpswitch5_normal.m | A rule that adds a Test Condition/Proof Assumption block<br>to the control input port of Multiport Switch blocks whose<br><b>Number of data ports</b> parameter is 5. The Test<br>Condition/Proof Assumption block constrains signal values<br>to the interval [1, 5] (or [0, 4] if the block uses zero-based<br>indexing). |
| blkrep_rule_switch_normal.m    | A rule that replaces Switch blocks with an implementation<br>that includes test objectives, requiring that each switch<br>position be exercised when the values of the first and<br>third input ports are different.                                                                                                        |

| File Name                                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                        |
|--------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| blkrep_rule_switch_nonvir_normal.m               | A rule that replaces Switch blocks having non-virtual bus<br>inputs with an implementation that converts non-virtual<br>bus inputs to virtual bus inputs. This implementation<br>includes test objectives and requires that each switch<br>position be exercised when the values of the first and<br>third input ports are different.                                                                                              |
| blkrep_rule_selector<br>IndexVecPort_normal.m    | A rule that adds a Test Condition/Proof Assumption block<br>to the index port of Selector blocks whose <b>Index Option</b><br>parameter is <b>Index vector (port)</b> . The Test<br>Condition/Proof Assumption block constrains signal values<br>to an interval whose endpoints are derived from the<br>values of the Selector block's <b>Input port size</b> and <b>Index</b><br><b>mode</b> parameters.                          |
| blkrep_rule_selector<br>StartingIdxPort_normal.m | A rule that adds a Test Condition/Proof Assumption block<br>to the index port of Selector blocks whose <b>Index Option</b><br>parameter is <b>Starting index (port)</b> . The Test<br>Condition/Proof Assumption block constrains signal values<br>to an interval whose endpoints are derived from the<br>values of the Selector block's <b>Input port size</b> , <b>Output</b><br><b>size</b> , and <b>Index mode</b> parameters. |

The library of replacement blocks that corresponds to the factory default rules is

matlabroot/toolbox/sldv/sldv/sldvblockreplacementlib

# **Template for Block Replacement Rules**

To help you create block replacement rules, Simulink Design Verifier provides an annotated template that contains a skeleton implementation of the requisite callbacks:

matlabroot/toolbox/sldv/sldvblockreplacetemplate.m

To create a block replacement rule, make a copy of the template and edit the copy to implement the desired behavior for the rule you are creating. The comments in the template provide hints about how to use each section.

Block replacement rules have the following restrictions:

- The function that represents a block replacement rule must include particular callbacks. Use the block replacement rule template as a starting point for writing a custom rule. (See "Block Replacements for Unsupported Blocks" on page 4-7.)
- The function that represents a block replacement rule must be on the MATLAB search path.

## **Block Replacements for Unsupported Blocks**

This example shows how to use Simulink® Design Verifier<sup>™</sup> functions to replace unsupported blocks and how to customize test vector generation for specific requirements.

#### Model with an Unsupported Block

The example model includes a Switch block whose output is controlled by a Sqrt block. For each switch position, the output of the model is calculated by a 1-D Lookup Table block. For this model, the example concentrates on generating test cases that satisfy the following:

1. Achieve 100% lookup table coverage.

2. Test vectors demonstrate each Switch block position when the values of its first and third input ports differ.

open\_system('sldvdemo\_sqrt\_blockrep');



#### **Checking Model Compatibility**

Since the sqrt function is not supported, this model is partially compatible with Simulink Design Verifier.

```
sldvcompat('sldvdemo_sqrt_blockrep');
```

```
04-Mar-2023 00:17:36
Checking compatibility for test generation: model 'sldvdemo_sqrt_blockrep'
Compiling model...done
Building model representation...done
```

04-Mar-2023 00:17:41

'sldvdemo\_sqrt\_blockrep' is partially compatible for test generation with Simulink Design Verific

The model can be analyzed by Simulink Design Verifier. It contains unsupported elements that will be stubbed out during analysis. The results of the ana See the Diagnostic Viewer for more details on the unsupported elements.

#### Creating a Custom Block Replacement Rule to Work Around the Incompatibility

This model can be analyzed for test generation by automatically stubbing the unsupported Sqrt block. However, test cases cannot be generated for the Switch block positions because Simulink Design Verifier does not understand the Sqrt block and the output of this block is effecting the Switch block. Since you want test cases for the Switch block, you need to replace the Sqrt block with a supported block that is functionally equivalent. The library block sldvdemo\_custom\_blockreplib shown below constrains the input signal to the range [0 10000] and approximates the sqrt function by using a 1-D Lookup Table block.

The table data was calculated to match the values of sqrt, with a maximum error of 0.2 in the range [0 10000]. Refer to the mask initialization pane of the block Sqrt\_Approx in the library sldvdemo\_custom\_blockreplib for the values of the lookup table data.

The replacement rule is in defined the MATLAB-file sldvdemo\_custom\_blkrep\_rule\_sqrt.m. Since the replacement block sldvdemo\_custom\_blockreplib for the Sqrt block is only valid for double or single types, this rule ensures that these conditions are satisfied before allowing a block replacement.

```
function rule = sldvdemo custom blkrep rule sqrt
    rule = SldvBlockReplacement.blockreprule;
    rule.fileName = mfilename;
    rule.blockType = 'Sqrt';
    rule.replacementPath = sprintf('sldvdemo custom blockreplib/Sqrt Approx');
    rule.replacementMode = 'Normal';
   parameter.OutMin = '$original.OutMin$';
   parameter.OutMax = '$original.OutMax$';
   parameter.OutDataTypeStr = '$original.OutDataTypeStr$';
    rule.parameterMap = parameter;
    rule.isReplaceableCallBack = @replacementTestFunction;
end
function out = replacementTestFunction(blockH)
    out = false;
   acceptedOutDataTypeStr = {'double','single',...
                      'Inherit: Inherit via back propagation',...
                      'Inherit: Same as input'};
    I = strmatch(get param(blockH,'OutDataTypeStr'),acceptedOutDataTypeStr,'exact');
    if ~isempty(I)
        portDataTypes = get param(blockH, 'CompiledPortDataTypes');
        out = any(strcmp(portDataTypes.Inport,{'double','single'})) &&
                                                                         . . .
              strcmp(portDataTypes.Inport,portDataTypes.Outport);
```

```
end
end
open_system('sldvdemo_custom_blockreplib');
open_system('sldvdemo_custom_blockreplib/Sqrt_Approx/1-D Lookup Table');
```



#### Configuring Simulink® Design Verifier<sup>™</sup> Options for Block Replacement

You will run Simulink Design Verifier in test generation mode with block replacements enabled. In order to generate test cases for positions of Switch block, you must use the custom replacement rule sldvdemo\_custom\_blkrep\_rule\_sqrt.m.

Since you are also interested in lookup table coverage, you need the built-in block replacement blkrep\_rule\_lookup\_normal.m, which inserts test objectives for each interval and breakpoint value for a 1-D Lookup Table block. Moreover, you need the built-in rule blkrep\_rule\_switch\_normal.m, which requires that each switch position be exercised when the values of the first and third input ports differ.

The analysis will run for a maximum of 30 seconds and produce a harness model. Report generation is also enabled. Other Simulink Design Verifier options are set to their default values.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.MaxProcessTime = 80;
opts.BlockReplacement = 'on';
opts.BlockReplacementRulesList = ['sldvdemo_custom_blkrep_rule_sqrt.m,' ...
'blkrep_rule_lookup_normal.m,'...
'blkrep_rule_switch_normal.m'];
opts.SaveHarnessModel = 'on';
opts.ModelReferenceHarness = 'on';
opts.SaveReport = 'on';
```

#### **Executing Test Generation with Block Replacements**

The sldvrun function analyzes the model using the settings defined in a sldvoptions object opts. The generated report includes a chapter summarizing block replacements performed on the model.

[status,fileNames] = sldvrun('sldvdemo\_sqrt\_blockrep', opts, true);



#### **Executing Tests in the Harness Model**

Enable the lookup table coverage metric and then run the test cases using the harness model. You can also execute the suite of tests by clicking the "Run all" button on the Signal Builder dialog box after enabling lookup table coverage from the Configuration Parameters dialog. In the **Coverage** tab, select **Enable coverage analysis** and then select **Coverage metrics > Other metrics > Lookup table**.

The coverage report shown below indicates that you can reach 100% lookup table coverage with the test vectors that Simulink Design Verifier generated.

```
[harnessModelPath,harnessModel] = fileparts(fileNames.HarnessModel);
set_param(harnessModel,'covMetricSettings','dcmte');
sldvdemo_playall(harnessModel);
```

#### Clean Up

To complete the example, close all models and remove the files that Simulink Design Verifier generated.

```
close_system('sldvdemo_custom_blockreplib');
close_system(fileNames.HarnessModel,0);
close_system(fileNames.BlockReplacementModel,0);
close_system('sldvdemo_sqrt_blockrep',0);
delete(fileNames.HarnessModel);
delete(fileNames.BlockReplacementModel);
delete(fileNames.DataFile);
```

# **Specifying Parameter Configurations**

- "Parameter Configuration for Analysis" on page 5-2
- "Use Parameter Table" on page 5-7
- "Specify Parameter Configuration for Structure or Bus Parameters" on page 5-12
- "Specify Parameter Configuration for Full Coverage" on page 5-17
- "Store Parameter Constraints in MATLAB Code Files" on page 5-26
- "Use Parameter Configuration File" on page 5-29
- "Automatically Infer Parameter Specification" on page 5-32
- "Determine from Generated Code" on page 5-36
- "Using Command Line Functions to Support Changing Parameters" on page 5-39
- "Generate Parameters Values" on page 5-45
- "Extend Existing Test Cases After Applying Parameter Configurations" on page 5-46

# **Parameter Configuration for Analysis**

#### In this section...

"What is Parameter Configuration for Analysis?" on page 5-2

"Specify Parameter Constraints for Models Using Referenced Configuration Set" on page 5-3

"Data Types in Parameter Configurations" on page 5-4

"Parameters in Variant Blocks" on page 5-5

## What is Parameter Configuration for Analysis?

Simulink Design Verifier software can treat parameters in your model as variables during its analysis. For example, suppose you specify a variable that is defined in the MATLAB workspace as the value of a block parameter in your model. You can instruct Simulink Design Verifier to use additional values for that parameter in its analysis.

You can achieve this by placing a constraint on a parameter in your model, during analysis that parameter takes only your specified constraint value or values. A group of constraints on parameters in the same model is also called a parameter configuration.

This allows you to, for example:

- Extend the results of design error detection or property proving analysis to consider the impact of additional parameter values.
- Generate comprehensive test cases for situations in which parameter values must vary to achieve more complete coverage results. For more information, see "Specify Parameter Configuration for Full Coverage" on page 5-17.

Simulink Design Verifier provides the following workflows to specify parameter configuration:

| Parameter Configuration                     | How to Select Parameters Constraints?                                                                                                                                                                                                                                                                              |  |  |  |
|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|
| Treat all parameters as constants           | Retains the initial value for all parameters during<br>the analysis. Thus, analysis considers all<br>parameters as constants.                                                                                                                                                                                      |  |  |  |
| Automatically infer parameter specification | For each parameter, the minimum or maximum value configured in Simulink.Parameter object is used as the parameter configuration for analysis.                                                                                                                                                                      |  |  |  |
|                                             | When test generation target is <b>Model</b> , Simulink<br>Design Verifier selects as many parameters as<br>possible for parameter configuration.                                                                                                                                                                   |  |  |  |
|                                             | When test generation target is <b>Code Generated</b><br><b>as Top Model</b> or <b>Code Generated as Model</b><br><b>Reference</b> , parameters whose value can be<br>changed in the generated code are selected for<br>parameter configuration. See "Automatically Infer<br>Parameter Specification" on page 5-32. |  |  |  |
| Determine from generated code               | Parameters whose value can be changed in the generated code are selected for parameter configuration during the analysis.                                                                                                                                                                                          |  |  |  |
|                                             | For such parameters, the minimum or maximum value from Simulink.Parameter object is used as the parameter configuration for analysis. See "Determine from Generated Code" on page 5-36.                                                                                                                            |  |  |  |
| Use parameter table                         | Parameters and constraints in the parameter<br>table must be specified. See "Use Parameter<br>Table" on page 5-7                                                                                                                                                                                                   |  |  |  |
| Use parameter configuration files           | Parameters and constraints in the input file must<br>be specified. See "Use Parameter Configuration<br>File" on page 5-29                                                                                                                                                                                          |  |  |  |

#### **Parameter Configuration Workflows**

# Specify Parameter Constraints for Models Using Referenced Configuration Set

If your model uses reference configuration set, you can use **Override** capability to specify parameter constraints. Before you work with parameter table in a referenced configuration set, follow these steps:

- **1** Open the model.
- **2** On the **Design Verifier** tab, click **Settings** to open the Configuration parameters window. The Configuration parameters window shows the Configuration reference for the model.
- 3 Click on **Parameters and Variants** from **Design Verifier** pane.
- **4** To edit and save the constraints locally, right-click on the **Parameters configuration** and select **Override**.

| C Search                                                                                                                               |                                                                                         |                                                                           |        | ly, nght-click c | a parameter and sele | ou overnue |
|----------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|---------------------------------------------------------------------------|--------|------------------|----------------------|------------|
| Solver                                                                                                                                 | Parameters                                                                              |                                                                           |        |                  |                      |            |
| Data Import/Export<br>Math and Data Types                                                                                              |                                                                                         | rameter configuration. Treat all parameters as constants.<br>What's This? |        |                  | enstante             | *          |
| <ul> <li>Diagnostics</li> <li>Hardware Implementation</li> <li>Model Referencing</li> </ul>                                            | Parameter spec Override Parameter tal Set value different from referenced configuration |                                                                           |        | iguration        |                      |            |
| Simulation Target                                                                                                                      | Enable                                                                                  | Disable                                                                   | Clear  | Highlight in     | Model                |            |
| <ul> <li>Code Generation<br/>Coverage</li> <li>Design Verifier</li> <li>Block Replacements</li> <li>Parameters and Variants</li> </ul> | Use Name                                                                                | Constrain                                                                 | t Valu | e Min Max        | Model Element        |            |
| Test Generation<br>Design Error Detection<br>Property Proving<br>Results<br>Report                                                     | Find param                                                                              |                                                                           |        | Export           | Browse Ec            | dit        |

5 Similarly, override the values in **Parameter table**. Right-click in the Parameter table area and select **Override** and specify the values for the model by clicking on **Find parameters**.

| aram | neter tab | ole             |           |     |                                            |
|------|-----------|-----------------|-----------|-----|--------------------------------------------|
| En   | able      | Disable         | Clear     | Hig | hlight in Model                            |
| Use  | Name      | Constraint      | Value Mir | Max | Model Element                              |
|      | в         | <empty></empty> | 0         |     | mModelWithRefCS_paramValue/Subsystem/Const |
|      | С         | <empty></empty> | 0         |     | mModelWithRefCS_paramValue/Subsystem/Cons  |
| -    | D         | <empty></empty> | 0         |     | mModelWithRefCS paramValue/Subsystem/Cons  |

**6** The Parameter table area highlights the override settings for the model.

You can perform the analysis after specifying the values for the parameter table. For more information on how to specify constraint values, see "Use Parameter Table" on page 5-7.

## **Data Types in Parameter Configurations**

Consider the following issues related to data types when constraining parameter values:

- "Parameters Converted to Fixed Point in the Model" on page 5-5
- "Parameters Defined as Simulink.Parameter and Referenced by Multiple Locations" on page 5-5
- "Complex Data as Parameters not Supported" on page 5-5
- "Tuning Array of Structure or Bus Data types are not supported" on page 5-5

#### Parameters Converted to Fixed Point in the Model

If your model references a base workspace parameter whose data type is auto, single, or double, and the model converts that parameter to a fixed-point data type, you must define the constraints for that parameter according to its fixed-point type.

#### Parameters Defined as Simulink.Parameter and Referenced by Multiple Locations

For a parameter defined as Simulink.Parameter or an inherited class of Simulink.Parameter whose data type is auto, if the parameter is referenced by multiple locations with different data types, Simulink Design Verifier cannot generate values for that parameter during the analysis.

#### **Complex Data as Parameters not Supported**

If the data type of a parameter in the MATLAB workspace is complex, Simulink Design Verifier does not support generating values for that parameter during the analysis.

#### Tuning Array of Structure or Bus Data types are not supported

Simulink Design Verifier does not support tuning array of structure or bus data types during the analysis.

## **Parameters in Variant Blocks**

Parameters can be used to select variants in the model using variant blocks such as Variant Subsystem, Variant Source and Variant Sinks.

Simulink Design Verifier supports only active variant for blocks the where **Variant activation time** parameter is not set to startup. For blocks where **Variant activation time** is startup, Simulink Design Verifier analyzes all variants when you select **Analyze all Startup Variants** under **Design Verifier > Parameters and Variants** in Configuration Parameters dialog box.

To analyze a model that contains variant constraints, open the **Launch Variant Manager**. Use the Variant Manager to run predefined configurations for a model, and use the model under any of the configurations. The Simulink Design Verifier analysis report includes the results information about the variants blocks.

Simulink Design Verifier does not support block replacement in models that contain model reference with startup variants.

To perform the Simulink Design Verifier analysis on variant blocks with **Variant activation time** set to startup, see "Verify and Validate Variant Models with Startup Activation Time".

#### See Also

"Variant Manager for Simulink" | "Variant Activation Time for Variant Blocks"

## **More About**

- "Specify Parameter Configuration for Full Coverage" on page 5-17
- "Extend Existing Test Cases After Applying Parameter Configurations" on page 5-46

## **Use Parameter Table**

#### In this section...

"Find Parameters" on page 5-8

"Edit Parameter Constraints" on page 5-10

"Highlight Constrained Parameters in Model" on page 5-11

Using the Parameter Table, you can find and autogenerate constraints for parameters in your model. This example uses the following model, which contains **Gain** and **Constant** parameters defined as m and b, respectively.



The model callback function PreLoadFcn defines m and b in the MATLAB workspace.

| 🚹 Mode                                                                   | 🔁 Model Properties: ex_defining_param_configurations_errwarn 📃 🔀                                   |     |                          |                                                                                 |               |  |  |  |  |  |
|--------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|-----|--------------------------|---------------------------------------------------------------------------------|---------------|--|--|--|--|--|
| Main                                                                     | Callbacks                                                                                          | His | tory                     | Description                                                                     |               |  |  |  |  |  |
| Model (<br>PreL<br>Post<br>InitF<br>Star<br>Paus<br>Cont<br>Stop<br>PreS | callbacks<br>.oadFcn*<br>LoadFcn<br>ccn<br>tFcn<br>seFcn<br>tinueFcn<br>oFcn<br>SaveFcn<br>SaveFcn |     | Mod<br>m =<br>b =<br>b.D | el pre-load fun<br>= 5;<br>Simulink.Para<br>vataType = 'int8<br>alue = int8(5); | meter;<br>8'; |  |  |  |  |  |
|                                                                          | OK Cancel Help Apply                                                                               |     |                          |                                                                                 |               |  |  |  |  |  |

When the model opens:

- m is set to 5.
- b is a Simulink. Parameter object of type int8 whose value is set to 5.

## **Find Parameters**

This example shows how to specify values or ranges of values used for model parameters during Simulink Design Verifier analysis.

Open the Parameter Table.

On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.

In the Configuration Parameters dialog box, select **Design Verifier > Parameters and Variants**.

Find parameters that can be constrained for analysis.

At the bottom of the Parameter Table, click **Find parameters**. The Parameter Table searches your model for parameters that can be configured and loads them in the table.

When possible, the Parameter Table autogenerates constraint values for parameters. You can use these autogenerated values or specify your own constraint.

In this example, in the Parameter Table, rows for model parameters m and b appear.

| Parameter table                         |      |            |       |     |     |                                                   |  |  |  |
|-----------------------------------------|------|------------|-------|-----|-----|---------------------------------------------------|--|--|--|
| Enable Disable Clear Highlight in Model |      |            |       |     |     |                                                   |  |  |  |
| Use                                     | Name | Constraint | Value | Min | Max | Model Element                                     |  |  |  |
|                                         | b    |            | 5     |     |     | ex_defining_param_configurations_errwarn/Constant |  |  |  |
|                                         | m    |            | 5     |     |     | ex_defining_param_configurations_errwarn/Gain     |  |  |  |

Each row represents a parameter configuration. You can edit the parameter's constraint value(s) in the field under **Constraint**. To use your specified parameter configuration in analysis, select the check box in the field under **Use**. The following table provides more details about these and other columns in the Parameter Table.

| For parameter in row, the column | Shows                                                                                                                                                                                                                                                               |
|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Use                              | Whether specified constraint for parameter is used in analysis.                                                                                                                                                                                                     |
|                                  | To include parameter configuration in analysis,<br>select the check box. To exclude parameter<br>configuration from analysis, clear the selection.                                                                                                                  |
| Name                             | Name of parameter.                                                                                                                                                                                                                                                  |
| Constraint                       | Autogenerated or user-specified constraint value(s) for parameter.                                                                                                                                                                                                  |
|                                  | To change the specified constraint value(s),<br>double-click in this field and enter new constraint<br>value(s).                                                                                                                                                    |
| Value                            | Value of parameter. If the parameter is defined in<br>a Simulink data dictionary that is linked to the<br>model, the column shows the value of the<br>parameter in the data dictionary. Otherwise, it<br>shows the value of the parameter in the base<br>workspace. |
| Min                              | Specified minimum value for parameter, if parameter is of type Simulink.Parameter and has a specified minimum value.                                                                                                                                                |
| Max                              | Specified maximum value for parameter, if parameter is of type Simulink.Parameter and has a specified maximum value.                                                                                                                                                |
| Model Element                    | Path to model component(s) where parameter is used.                                                                                                                                                                                                                 |

**Note** If you use a MATLAB variable from a data dictionary as a model parameter, SLDV analysis does not consider the parameter as tunable. If you want the parameter to be tunable for the analysis, use a

Simulink.Parameter object for the parameter. To create a Simulink.Parameter object in the data dictionary:

- **1** In the Model Explorer, on the **Model Hierarchy** pane, select the workspace under the data dictionary that contains your MATLAB variable.
- 2 Select Add > Simulink Parameter. You see a new variable titled Param in the workspace.
- **3** Rename the variable. Assign the same data type as the original MATLAB variable.
- 4 In your model, use the variable that you just created as your parameter.

## **Edit Parameter Constraints**

For each parameter you want to treat as a variable during analysis, specify constraint values.

In the Parameter Table, in the **Constraint** column, double-click the field for the parameter you want to constrain. Enter your constraint values.

For this example:

- For parameter b, specify the value range [4, 10].
- For parameter m, specify the value 5.

| Pa | Parameter table |      |                              |       |     |     |                                                   |  |  |
|----|-----------------|------|------------------------------|-------|-----|-----|---------------------------------------------------|--|--|
|    | Ena             | able | Disable Clear Highlight in N | lodel |     |     |                                                   |  |  |
|    | Use             | Name | Constraint                   | Value | Min | Max | Model Element                                     |  |  |
|    |                 | b    | [4,10]                       | 5     |     |     | ex_defining_param_configurations_errwarn/Constant |  |  |
|    |                 | m    | 5                            | 5     |     |     | ex_defining_param_configurations_errwarn/Gain     |  |  |

To enable a parameter configuration for analysis, click to select the row that corresponds to the configured parameter. Click **Enable**.

To enable multiple parameter configurations at once, shift-click to select multiple rows, and click **Enable**.

To exclude parameter configurations from analysis, click to select the row that corresponds to the configured parameter. Click **Disable**.

When you disable a parameter configuration, the specified constraint for this parameter is not used in analysis.

To disable multiple parameter configurations at once, shift-click to select multiple rows, and click **Disable**.

To exclude a parameter configuration from analysis and delete its specified constraint, click to select the row that corresponds to the configured parameter. Click **Clear**.

The Parameter Table clears the specified constraint for the parameter, and the parameter configuration is excluded from analysis.

To clear multiple parameter configurations at once, shift-click to select multiple rows, and click **Clear**.

## **Highlight Constrained Parameters in Model**

Highlight model components that use the parameters for which you have specified constraints.

Select the parameter(s) you want to highlight in the model.

To select a parameter, click anywhere inside the **Name** or **Constraint** columns for either parameter. Shift-click to select multiple parameters.

| Pa | Parameter table |      |                              |       |     |     |                                                   |  |  |  |
|----|-----------------|------|------------------------------|-------|-----|-----|---------------------------------------------------|--|--|--|
| [  | Ena             | able | Disable Clear Highlight in M |       |     |     |                                                   |  |  |  |
| 1  | Use             | Name | Constraint                   | Value | Min | Max | Model Element                                     |  |  |  |
|    | <b>√</b>        | b    | [4,10]                       | 5     |     |     | ex_defining_param_configurations_errwarn/Constant |  |  |  |
|    | <b>√</b>        | m    | 5                            | 5     |     |     | ex_defining_param_configurations_errwarn/Gain     |  |  |  |

Click Highlight in Model.

In the Simulink Editor, model components that use the selected parameters are highlighted.



You can also define constraints for parameters using Parameter Configuration File. For more information, see "Template Parameter Configuration File" on page 5-29 in "Use Parameter Configuration File" on page 5-29.

To define constraints for structure or bus parameter, see "Specify Parameter Configuration for Structure or Bus Parameters" on page 5-12.

# Specify Parameter Configuration for Structure or Bus Parameters

## About This Example Model

This example describes how to generate tests that constrain the values for the structures and bus signals in a model. Suppose that your model includes a variable called kpGainsStructure, which is a structure in the MATLAB workspace. The model uses a Bus Selector block to separate the structure fields into individual bus signals. You can constrain the values of the structure or the values of the bus signals to ensure that they stay within the specified range during simulation.



This example describes how to create and analyze a simple Simulink model, then use Simulink Design Verifier to generates test cases for the model. The model contains an input signal In1 whose value is set between -1 to 1. kpGainsStructure is a structure that contains three fields, Kp1, Kp2, and Kp3, and outputs them to a Bus Selector block that separates the fields into individual bus signals. The block called Mode has a constant value parameter, which is set to mode determines the three bus signals as an input to the kpGain block.

The value of In1 is multiplied by d, then multiplied by the selected bus signal. The result passes to a Saturation block whose limit is defined between -0.5 to 0.5.

Based on the mode value, Simulink selects one of the three kpGainsStructure fields and specifies the constraints. The input signal to the Saturation block must be below the lower limit or fall above the upper limit to satisfy the decision objective of the Saturation block. Simulink Design Verifier then tunes these parameters to achieve this limit. The following workflow guides you through the process of completing this example.

## Preload Workspace Variable for Structure Parameter

Preload the value of the MATLAB workspace variable kpGainsStructure. The structure contains the fields Kp1, Kp2, and Kp3.

- **1** On the **Modeling** tab, select **Model Settings > Model Properties**.
- 2 Click the **Callbacks** tab.
- 3 Click **PreLoadFcn**, then load the Kp1, Kp2, and Kp3 fields of myStruct:

```
load('struct_param.mat');
myStruct.Kp1 = 15;
myStruct.Kp2 = -5;
```

```
myStruct.Kp3 = -5;
gainsParam = Simulink.Parameter(myStruct);
mode = 1;
d = Simulink.Parameter(0.012);
```

| Main                                        | Callbacks                                                                            | Info | Descripti                 | ion                                | External Data   |                                 |
|---------------------------------------------|--------------------------------------------------------------------------------------|------|---------------------------|------------------------------------|-----------------|---------------------------------|
|                                             | Model callba                                                                         | cks  | Mode                      | el pre                             | -load function: |                                 |
| Prel                                        | .oadFcn*                                                                             |      | load                      | d('stru                            | uct_param.mat') | ;                               |
| Initi<br>Star<br>Pau<br>Con<br>Stop<br>Pres | tLoadFcn<br>Fcn<br>tFcn<br>seFcn<br>tinueFcn<br>DFcn<br>SaveFcn<br>tSaveFcn<br>seFcn |      | mys<br>mys<br>stru<br>mod | Struct<br>Struct<br>uctPar<br>de = |                 | °arameter(myStruct);<br>0.012); |

4 Click **OK** to close the Model Properties dialog box and save the model.

Because the structure parameter is called by the Constant block, you need to define the output of the Constant block as a bus. Follow these steps:

- 1 Double-click the Gains block to open Block Parameters dialog box.
- 2 Under Signal Attributes, select Output data type as Bus:Bus0.
- 3 Click OK.

## **Define Parameter Constraint Values**

There are two ways to constrain the values of structure or bus signals in the Configuration Parameter window: by using the parameter table or the parameter configuration file.

- Parameter Table
- Parameter configuration file

## **Define Parameter Constraint Values using Parameter Table**

When possible, parameter table automatically generates constraint values for each parameter, depending on the data type and location of the parameter in the model. For more information, see "Use Parameter Table" on page 5-7.

Follow these steps to generate the constraint value for each parameter:

- 1 On the Apps tab, under Model Verification, Validation, and Test, click Design Verifier.
- 2 On the **Design Verifier** tab, click **Test Generation Settings**.
- 3 In Configuration Parameters dialog box, select **Design Verifier > Parameters and Variants**.
- 4 Select Use parameter table.
- 5 Click Find parameters.
- **6** The parameter table populates with the parameters from your model.

- 7 In the parameter table, in the **Constraint** column,
  - {1,2,3} for mode
  - [-0.01 0.15] for d

| Use | Name           | Constraint   | Value | Min | Max | Model Element            |
|-----|----------------|--------------|-------|-----|-----|--------------------------|
|     | d              | [-0.01 0.15] | 0.012 |     |     | /PController/Regulator   |
|     | gainsParam.Kp1 | [0, 100]     | 15    | 0   | 100 | myDemoModel4/Gains       |
|     | gainsParam.Kp2 | [-10, 10]    | -5    | -10 | 10  | myDemoModel4/Gains       |
|     | gainsParam.Kp3 | [-5, 5]      | -5    | -5  | 5   | myDemoModel4/Gains       |
|     | mode           | (1,2,3)      | 1     |     |     | myDemoModel4/ControlMode |

8 Click OK.

## **Define Constraint Values using Parameter Configuration File**

This is an alternative approach that you can use to define the values of constraints instead of using the Parameter Table. The Simulink Design Verifier software provides a template that you can make a copy and edit it. For more information, see "Template Parameter Configuration File" on page 5-29 in "Use Parameter Configuration File" on page 5-29. By default, the path to the parameter configuration file is:

```
matlabroot/toolbox/sldv/sldv/sldv_params_template.m
```

To associate the parameter configuration file with your model before analyzing the model, in the Configuration Parameters dialog box, on the **Design Verifier > Parameters and Variants** pane, ensure that **Use parameter table** is cleared and enter the file name of the configuration file in the **Parameter configuration file** field.

Follow these steps to define the constraint values in Parameter configuration file:

1 In sldv\_params\_template.m, enter:

```
function params = params_config
params.mode = {1, 2, 3};
params.d = [-.001 0.15];
params.gainsParam.Kp1 = Sldv.Interval(0, 50);
params.gainsParam.Kp2 = Sldv.Interval(-10, 10);
params.gainsParam.Kp3 = [-5, 5];
```

- 2 Save the file with the name params\_config.m.
- **3** Open the model DemoModel.
- 4 On the Apps pane, under Model Verification, Validation, and Test, click Design Verifier.
- 5 On the **Design Verifier** tab, click **Test Generation Settings**.
- 6 In Configuration Parameters dialog box, select **Design Verifier > Parameters and Variants**.
- 7 Click Browse, then select params\_config.m parameter configuration file created saved in step 2.

## **Analyze Example Model**

Analyze the model with the parameter constraints enabled and generate the analysis report:

1 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**. Click **Generate Tests**.

Simulink Design Verifier analyzes your model to generate test cases.

**2** When the software completes its analysis, in the Simulink Design Verifier Results Summary window, next to Detailed analysis report, select HTML.

The software displays an HTML report named  ${\tt DemoModel.html}.$ 

| 🎦 Sir | mulink Design Verifier Resu                                                   | ılts Summary: DemoModel                           | × |
|-------|-------------------------------------------------------------------------------|---------------------------------------------------|---|
|       |                                                                               |                                                   | ^ |
| Pro   | gress                                                                         |                                                   |   |
| Sat   | ectives processed<br>isfied                                                   | 7/7<br>7                                          |   |
|       | atisfiable<br>osed time                                                       | 0<br>0:21                                         |   |
|       |                                                                               |                                                   | _ |
|       | generation completed i objectives satisfied.                                  | normally.                                         |   |
| Res   | ults:                                                                         |                                                   |   |
|       | <ul> <li><u>Open filter viewer</u></li> <li>Highlight analysis res</li> </ul> | ults on model                                     |   |
|       | View tests in Simulat     Detailed analysis rep                               |                                                   |   |
|       | <ul> <li>Detailed analysis rep</li> <li>Create harness mode</li> </ul>        |                                                   |   |
|       | <ul> <li>Export test cases to !</li> </ul>                                    | Simulink Test                                     |   |
|       | <ul> <li>Simulate tests and pr</li> </ul>                                     | oduce a model coverage report                     |   |
| Data  | a saved in: DemoModel                                                         | sldvdata.mat                                      |   |
| in fo | lder: <u>(</u> )                                                              | MATLAB\structorbusparameter\sldv_output\DemoModel |   |
|       |                                                                               |                                                   | ~ |

- 3 In the table of contents of the Simulink Design Verifier report, click **Test Cases**.
- 4 Click **Test Case 1** to display the subsection for that test case.

Test Case 1 shows that Simulink Design Verifier tuned all the parameters in such a way that all the inputs coming from the In1 input signal, the Gain block and the mode variable will either fall below -0.5 or above 0.5. While generating test cases, all the constraints satisfy the objectives.

| Param          | eter    | Value   |     |
|----------------|---------|---------|-----|
| 1              |         | 0.1112  | 28  |
| mode           |         | 1       |     |
| structP        | aram.Kp | 1 50.46 | 4   |
| structP        | aram.Kp | 2 1.948 | 2   |
| structP        | aram.Kp | 3-0.114 | 87  |
|                |         |         |     |
| Gener:<br>Time | ted Inp | ut Data | 0.4 |
|                |         |         | 0.4 |

Similarly, the parameters for Test Case 2 and Test Case 3 are tuned and satisfy the objectives.

## See Also

"Use Parameter Table" on page 5-7

# **Specify Parameter Configuration for Full Coverage**

| In this section                                  |  |
|--------------------------------------------------|--|
| "About This Example" on page 5-17                |  |
| "Construct Example Model" on page 5-17           |  |
| "Parameterize Constant Block" on page 5-18       |  |
| "Preload Workspace Variable" on page 5-18        |  |
| "Autogenerate Parameter Constraint" on page 5-19 |  |
| "Analyze Example Model" on page 5-20             |  |
| "Simulate Test Cases" on page 5-22               |  |

## About This Example

This example describes how to create and analyze a simple Simulink model, for which you generate test cases that achieve decision coverage. However, in this example, achieving complete decision coverage is possible only when Simulink Design Verifier treats a particular block parameter as a variable during its analysis. This example explains how to specify parameter configurations for use with the analysis.

| Task | Description                                                            | See                                                  |
|------|------------------------------------------------------------------------|------------------------------------------------------|
| 1    | Construct the example model.                                           | "Construct Example Model" on page 5-17               |
| 2    | Specify a variable as the value of a Constant block parameter.         | "Parameterize Constant Block" on page 5-18           |
| 3    | Constrain the value of the variable that the Constant block specifies. | "Autogenerate Parameter Constraint" on page 5-<br>19 |
| 4    | Generate test cases for your model and interpret the results.          | "Analyze Example Model" on page 5-20                 |
| 5    | Simulate the test cases and measure the resulting decision coverage.   | "Simulate Test Cases" on page 5-22                   |

The following workflow guides you through the process of completing this example.

## **Construct Example Model**

Construct a simple Simulink model to use in this example:

- **1** Create an empty Simulink model.
- **2** Copy the following blocks into the empty Simulink Editor:
  - From the Sources library:
    - Two Inport blocks to initiate the input signals
    - A Constant block to control the switch
  - From the Signal Routing library: A Multiport Switch block to provide simple logic
  - From the Sinks library: An Outport block to receive the output signal

- **3** Double-click the Multiport Switch block to access its dialog box and specify its **Number of data ports** option as 2.
- 4 Connect the blocks so that your model looks like the following.



- 5 On the **Simulation** tab, click the arrow on the right of the **Prepare** section and click **Model Settings**.
- 6 In the Configuration Parameters dialog box, select the Solver. Under Solver selection, set the Type option to Fixed-step, and then set the Solver option to discrete (no continuous states).
- 7 In the **Diagnostics** pane, set **Automatic solver parameter selection** to none.
- 8 Click **OK** to apply your changes and close the Configuration Parameters dialog box.
- 9 Save your model as ex\_defining\_params\_example for use in the next procedure.

## **Parameterize Constant Block**

Parameterize the Constant block in your model by specifying a variable as the value of the Constant block's **Constant value** parameter:

- **1** Double-click the Constant block.
- 2 In the **Constant value** box, enter A.
- **3** Click **OK** to apply your change and close the Constant block parameter dialog box.
- 4 Save your model.

## **Preload Workspace Variable**

Preload the value of the MATLAB workspace variable A referenced by the Constant block:

- 1 On the Modeling tab, select Model Settings > Model Properties.
- 2 Click the **Callbacks** tab.
- 3 In the PreLoadFcn, enter:

```
A = Simulink.Parameter(int8(1));
A.Min = 1;
A.Max = 2;
```

- 4 Click **OK** to close the Model Properties dialog box and save your changes.
- **5** Close your model.

6 Open your model.

When you open the model, the PreLoadFcn defines a variable A of type int8 whose value is 1.



## **Autogenerate Parameter Constraint**

Use the Parameter Table to constrain variable A to specified values.

**1** On the **Apps** tab, click the arrow on the right of the **Apps** section.

Under Model Verification, Validation, and Test, click Design Verifier.

- 2 On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.
- 3 In Configuration Parameters dialog box, select **Design Verifier > Parameters and Variants**.
- 4 Select Use parameter table.
- 5 Click **Find parameters**.

The Parameter Table is populated with parameters from your model. When possible, it autogenerates constraint values for each parameter, depending on the data type and location of the parameter in the model.

In this case, a row appears for the parameter A that you defined. The table row for A displays the following information:

- In the **Name** column, the parameter name (A).
- In the **Constraint** column, the constraint specified on parameter A. The Parameter Table autogenerates the constraint values [1, 2].
- In the Value column, the value of A in the base workspace. This value is 1.
- In the **Model Element** column, the model component in which A resides (ex\_defining\_params\_example/Constant).
- In the **Use** column, a check box indicating whether the specified constraint values in the table are configured for analysis.

| Parameter table |                    |            |                                     |
|-----------------|--------------------|------------|-------------------------------------|
| Enable Disable  | Clear Highlight in | n Model    |                                     |
| Parameter table |                    | Min Ma     |                                     |
| ✓ A             | {1, 2} 1           |            | ex_defining_params_example/Constant |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
|                 |                    |            |                                     |
| Find in Model   | Add from File Expo | rt to File |                                     |

6 In the Parameter Table, in the row for parameter A, make sure that you select the **Use** check box.

When you enable this parameter configuration, during Simulink Design Verifier analysis, the parameter A takes only the int8 values 1 and 2.

- 7 In the Configuration Parameters dialog box, click **OK**.
- 8 Save your model.

## **Analyze Example Model**

Analyze the model using the parameter configuration you just created, and generate the analysis report:

**1** On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**. Click **Generate Tests**.

Simulink Design Verifier analyzes your model to generate test cases.

2 When the software completes its analysis, in the Simulink Design Verifier Results Summary window, select **Generate detailed analysis report**.

The software displays an HTML report named ex\_defining\_params\_example\_report.html.

Keep the Results Summary window open for the next procedure.

- 3 In the Simulink Design Verifier report **Table of Contents**, click Test Cases.
- 4 Click Test Case 1 to display the subsection for that test case.

# **Test Case 1**

#### Summary

| Length:    | 0 second (1 sample period) |
|------------|----------------------------|
| Objectives | 1                          |
| Satisfied: | 1                          |

#### Objectives

| Step | Time | Model Item       | Objectives                                            |
|------|------|------------------|-------------------------------------------------------|
| 1    | 0    | Multiport Switch | integer input value = 1 (output is from input port 1) |

#### **Generated Parameter Values**

| Parameter | Value |
|-----------|-------|
| A         | 1     |

#### **Generated Input Data**

| Time | 0 |
|------|---|
| Step | 1 |
| In1  | - |
| In2  | - |

This section provides details about Test Case 1 that Simulink Design Verifier generated to satisfy a coverage objective in the model. In this test case, a value of 1 for parameter A satisfies the objective.

5 Scroll down to the Test Case 2 section in the **Test Cases** chapter.

# Test Case 2

#### Summary

| Length:    | 0 second (1 sample period) |
|------------|----------------------------|
| Objectives | 1                          |
| Satisfied: | 1                          |

#### Objectives

| Step | Time | Model Item       | Objectives                                              |
|------|------|------------------|---------------------------------------------------------|
| 1    | 0    | Multiport Switch | integer input value = *,2 (output is from input port 2) |

#### **Generated Parameter Values**

| Parameter | Value |
|-----------|-------|
| А         | 2     |

#### **Generated Input Data**

| Time | 0 |
|------|---|
| Step | 1 |
| In1  | - |
| In2  | - |

This section provides details about Test Case 2, which satisfies another coverage objective in the model. In this test case, a value of 2 for parameter A satisfies the objective.

## Simulate Test Cases

Simulate the generated test cases and review the coverage report that results from the simulation:

1 In the Simulink Design Verifier Results Summary window, select **Create harness model**.

The software creates and opens a harness model named ex\_defining\_params\_example\_harness.

2 The block labeled Inputs in the harness model is a Signal Builder block that contains the test case signals. Double-click the Inputs block to view the test case signals in the Signal Builder block.

|            |            | Group | _    |        | -     |    |             |          |          |         |      |                    |         |  |
|------------|------------|-------|------|--------|-------|----|-------------|----------|----------|---------|------|--------------------|---------|--|
| <b>;</b> 🗌 | <u>%</u> [ |       | 50   | ·   •• | l u   |    | क् ि दि     |          | - 11     |         | 1    |                    |         |  |
| Active     | Group:     | Test  | Case | 1      |       |    |             |          |          |         |      | •                  | <u></u> |  |
| 1          |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
|            | ln1        |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| 0.5        |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| 0          |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
|            |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| 0.5        |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| -1-        |            |       |      |        |       |    |             | <u> </u> |          |         |      |                    |         |  |
|            | In2        |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| 0.5        |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| 0          |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
|            |            |       |      |        |       |    |             |          |          |         |      |                    |         |  |
| -0.5 -     |            |       |      |        |       |    |             |          |          |         | ÷    |                    |         |  |
| -1 L       |            | 0.1   | 0.   | 2      | 0.3   | 0. | 4 (         | ).5      | 0.6      | 0       | .7   | 0.8                | 0.9     |  |
| Ŭ          |            | 0.1   | υ.   | -      | 0.0   | υ. |             | (sec)    | 0.0      | Ŭ       |      | 0.0                | 0.0     |  |
|            |            |       |      | Left   | Point | F  | light Point | In       |          |         |      | (shown)<br>(shown) |         |  |
| Name       |            |       |      | T:     |       | T: |             |          |          |         |      |                    |         |  |
| Index:     | 1          | •     |      | Y:     |       | Y: |             |          |          |         |      |                    |         |  |
| k          |            |       |      |        |       |    |             | In       | 1 (#1) [ | YMin YN | ax ] |                    |         |  |

In the Signal Builder dialog box, click the **Run all** button .

The Simulink software simulates each of the test cases in succession, collects coverage data for each simulation, and displays an HTML report of the combined coverage results at the end of the last simulation.

4 In the model coverage report, review the **Summary** section:

# Summary

### Model Hierarchy/Complexity:

|                                                      |   | _    | DI |
|------------------------------------------------------|---|------|----|
| 1. ex_defining_params_example_harness                | 2 | 100% |    |
| 2 Test Unit (copied from ex_defining_params_example) | 1 | 100% |    |

This section summarizes the coverage results for the harness model and its Test Unit subsystem. Observe that the subsystem achieves 100% decision coverage.

----

5 In the **Summary** section, click the Test Unit subsystem.

The report displays detailed coverage results for the Test Unit subsystem.

## 2. SubSystem block "<u>Test Unit (copied from ex\_defining\_param...</u>"

| Parent: | /ex | defining | params | example | harness |
|---------|-----|----------|--------|---------|---------|
|---------|-----|----------|--------|---------|---------|

| Metric                | Coverage (this object) | Coverage (inc.<br>descendants) |
|-----------------------|------------------------|--------------------------------|
| Cyclomatic Complexity | 0                      | 1                              |
| Decision (D1)         | NA                     | 100% (2/2) decision outcomes   |

## MultiPortSwitch block "Multiport Switch"

| Davanti | ex | defining | params | example  | harness/Test Un | t (copied from |
|---------|----|----------|--------|----------|-----------------|----------------|
| Parent: | ex | defining | params | example) |                 |                |

| Metric                | Coverage                     |
|-----------------------|------------------------------|
| Cyclomatic Complexity | 1                            |
| Decision (D1)         | 100% (2/2) decision outcomes |

## **Decisions analyzed:**

| integer input value                 | 100% |
|-------------------------------------|------|
| = 1 (output is from input port 1)   | 2/4  |
| = *,2 (output is from input port 2) | 2/4  |

This section reveals that the Multiport Switch block achieves 100% decision coverage because the test cases exercise each of the switch pathways.

## See Also

"Extend Existing Test Cases After Applying Parameter Configurations" on page 5-46

# **Store Parameter Constraints in MATLAB Code Files**

#### In this section...

"Export Parameter Constraints to File" on page 5-26 "Import Parameter Constraints from File" on page 5-27

You can use the Parameter Table to manage constraints on your model parameters for analysis. If you place a constraint on a parameter in your model, during analysis that parameter takes only your specified constraint value or values. A group of constraints on parameters in the same model is also called a parameter configuration. You can store groups of parameter constraints in a MATLAB code file called a parameter configuration file. For more information on configuring parameters for Simulink Design Verifier, see "Use Parameter Table" on page 5-7.

To enable parameter configuration, on the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**. In the Configuration Parameters dialog box, on the **Design Verifier > Parameters and Variants** pane..

## **Export Parameter Constraints to File**

Using the Parameter Table, you can export parameter constraint values to a MATLAB code file. If you later want to use the same parameter configuration in a different analysis, you can import your previously specified parameter constraint values from the MATLAB code file.

To export parameter constraint values to a file:

1 On the Design Verifier tab, in the Prepare section, from the drop-down menu for the mode settings, click Settings. In the Configuration Parameters dialog box, select Design Verifier > Parameters and Variants.

The Parameter Table shows specified constraint values for parameters in your model, as in the following example screen shot.

| lse Name | Constraint | Value | Min | Max | Model Element            |
|----------|------------|-------|-----|-----|--------------------------|
| param_01 | {0, 1}     | -1    |     |     | ex_many_params/Constant  |
| param_02 | {0, 1}     | -0.5  |     |     | ex_many_params/Constant2 |
| param_03 | {0, 1}     | 0     |     |     | ex_many_params/Constant1 |
| param_04 | {0, 1}     | 2     |     |     | ex_many_params/Constant3 |
|          |            |       |     |     |                          |

#### 2 Click **Export to File**.

The Parameter Configuration File saves the current parameter configurations to a .m file with the name you specify. Parameters that do not have the **Use** check box enabled appear as commented lines in the parameter configuration file.

In the example shown in the previous step, the parameter configuration file contains the following code:

```
function params = ex_many_params_config
params.param_01 = {0, 1};
% params.param_02 = {0, 01};
params.param_03 = {0, 1};
% params.param_04 = {0, 1};
```

## **Import Parameter Constraints from File**

If you defined parameter configurations for analysis in a release prior to R2014a, you can import corresponding MATLAB files and manage these parameters in the Parameter Table.

To import parameter constraints from a MATLAB code file:

- 1 On the Design Verifier tab, in the Prepare section, from the drop-down menu for the mode settings, click Settings. In the Configuration Parameters dialog box, select Design Verifier > Parameters and Variants.
- 2 Click Add from File. Choose a parameter configuration file.

The Parameter Table loads specified parameter constraints from the code, excluding code comments, from the file. If you specify a constraint for a parameter and then load a parameter configuration file containing constraint specification for the same parameter, the constraint specified in the file overwrites the preexisting constraint in the table.

Simulink Design Verifier provides an example parameter configuration file for the example model sldvdemo\_param\_identification:

matlabroot/toolbox/sldv/sldvdemos/sldvdemo\_param\_ident\_config.m

## See Also

## **More About**

• "Generate Parameters Values" on page 5-45

# **Use Parameter Configuration File**

#### In this section...

"Template Parameter Configuration File" on page 5-29 "Syntax in Parameter Configuration Files" on page 5-29

To specify parameters as variables for analysis, you can use the Parameter Table or define parameter configurations in a MATLAB code file. You can also export parameter configuration files from the Parameter Table. For more information, see "Store Parameter Constraints in MATLAB Code Files" on page 5-26.

This example shows how to define parameter configurations in a MATLAB code file. For an example that shows how to define these parameter configurations using the Parameter Table, see "Use Parameter Table" on page 5-7.

## **Template Parameter Configuration File**

The Simulink Design Verifier software provides an annotated template that you can use as a starting point:

matlabroot/toolbox/sldv/sldv/sldv\_params\_template.m

To create a parameter configuration file, make a copy of the template and edit the copy. The comments in the template explain the syntax for defining parameter configurations.

To associate the parameter configuration file with your model before analyzing the model, in the Configuration Parameters dialog box, on the **Design Verifier > Parameters and Variants** pane, enter the file name in the **Parameter configuration file** field.

## Syntax in Parameter Configuration Files

Specify parameter configurations using a structure whose fields share the same names as the parameters that you treat as input variables.

For example, suppose you want to constrain the **Gain** and **Constant value** parameters, m and b, which appear in the following model:



The  ${\tt PreLoadFcn}$  callback function defines m and b in the MATLAB workspace when you open the model:

- m is set to 5.
- b is a Simulink. Parameter object of type int8 whose value is set to 5.

| 🚹 Model Pro                                                                                                                                   | Model Properties: ex_defining_param_configurations_errwarn |      |                          |                                                                                             |                 |      |  |       |  |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|------|--------------------------|---------------------------------------------------------------------------------------------|-----------------|------|--|-------|--|--|--|
| Main Ca                                                                                                                                       | allbacks                                                   | Hist | tory                     | Description                                                                                 |                 |      |  |       |  |  |  |
| Main Ca<br>Model callba<br>PreLoadf<br>PostLoad<br>InitFcn<br>StartFcn<br>PauseFcr<br>Continue<br>StopFcn<br>PreSavef<br>PostSave<br>CloseFcn | acks<br>Fcn*<br>dFcn<br>dFcn<br>eFcn<br>eFcn<br>eFcn       | Hist | Mod<br>m =<br>b =<br>b.D | Description<br>lel pre-load fu<br>= 5;<br>Simulink.Para<br>ataType = 'inf<br>alue = int8(5) | ameter;<br>:8'; |      |  |       |  |  |  |
|                                                                                                                                               |                                                            |      | (                        | ок Са                                                                                       | ancel           | Help |  | Apply |  |  |  |

In your parameter configuration file, specify constraints for m and b:

params.b = int8([4 10]);
params.m = {};

This file specifies:

- b is an 8-bit signed integer from 4 to 10. The constraint type must match the type of the parameter b in the MATLAB workspace, int8, in this example.
- m is not constrained to any values.

Specify points using the Sldv.Point constructor, which accepts a single value as its argument. Specify intervals using the Sldv.Interval constructor, which requires two input arguments, i.e., a lower bound and an upper bound for the interval. Optionally, you can provide one of the following values as a third input argument that specifies inclusion or exclusion of the interval endpoints:

- '()' Defines an open interval.
- '[]' Defines a closed interval.

- '(]' Defines a left-open interval.
- '[)' Defines a right-open interval.

**Note** By default, Simulink Design Verifier considers an interval to be closed if you omit this argument.

The following example constrains m to 3 and b to any value in the closed interval [0, 10]:

```
params.m = Sldv.Point(3);
params.b = Sldv.Interval(0, 10);
```

If the parameters are scalar, you can omit the constructors and instead specify single values or twoelement vectors. For example, you can alternatively specify the previous example as:

```
params.m = 3;
params.b = [0 10];
```

**Note** To indicate no constraint for an input parameter, specify params.m = {} or params.m = []. The analysis treats this parameter as free input.

You can specify multiple constraints for a single parameter using a cell array. In this case, the analysis combines the constraints using a logical OR operation.

The following example constrains m to either 3 or 5 and constrains b to any value in the closed interval [0, 10]:

```
params.m = {3, 5};
params.b = [0 10];
```

You can specify several sets of parameters by expanding the size of your structure. For example, the following example uses a 1-by-2 structure to define two sets of parameters:

```
params(1).m = {3, 5};
params(1).b = [0 10];
params(2).m = {12, 15, Sldv.Interval(50, 60, '()')};
params(2).b = 5;
```

The first parameter set constrains m to either 3 or 5 and constrains b to any value in the closed interval [0, 10]. The second parameter set constrains m to either 12, 15, or any value in the open interval (50, 60), and constrains b to 5.

# **Automatically Infer Parameter Specification**

Simulink Design Verifier automates the process of selecting parameters that is a part of parameter configuration and determines minimum and maximum values of such parameters configured in the Simulink.Parameter object.

When test generation target is **Model**, Simulink Design Verifier selects as many parameters as possible for parameter configuration.

When test generation target is **Code Generated as Top Model** or **Code Generated as Model Reference**, parameters whose value can be changed in the generated code are selected for parameter configuration.

The PreLoadFcn callback function model, defines codeTunableParam and constParam in the MATLAB workspace.





The code generation settings for the model:

#### Model Properties: mTunability

| Main                                                        | Callbacks                                                                                         | Info | Description | External Data                                                                                                                                                                             |  |
|-------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Model callbacks                                             |                                                                                                   |      | ks          | Model pre-load function:                                                                                                                                                                  |  |
| Post<br>InitF<br>Star<br>Pau<br>Con<br>Stop<br>Pres<br>Post | .oadFcn*<br>:LoadFcn<br>:cn<br>tFcn<br>seFcn<br>tinueFcn<br>oFcn<br>SaveFcn<br>:SaveFcn<br>:eFcn* |      |             | sldvParam = Simulink.Parameter(1);<br>sldvParam.Min = -10;<br>sldvParam.Max = 10;<br>codeTunableParam = Simulink.Parameter(2);<br>codeTunableParam.Max = 10;<br>codeTunableParam.Min = 0; |  |

| <b>*</b>                      | Simulisk.Peremotors codeTuneDoPerem   | X     | 2                                                                                  | Similal Parameter: ski/Param          | X     |
|-------------------------------|---------------------------------------|-------|------------------------------------------------------------------------------------|---------------------------------------|-------|
| Design Co                     | de Generation                         |       | Design Co                                                                          | de Generation                         |       |
| Storage class:<br>Identifier: | ExportedGlobal                        | •     | Storage class:<br>Custom attribu                                                   |                                       | •     |
| Alignment:                    | -1                                    |       | HeaderFile:<br>DefinitionFile<br>Owner:<br>Preserve a<br>Identifier:<br>Alignment: | er                                    |       |
|                               | <u>OK</u> <u>C</u> ancel <u>H</u> elp | Apply |                                                                                    | <u>OK</u> <u>C</u> ancel <u>H</u> elp | Apply |

Set storage class of constParam to Const and codeTunableParam to ExportedGlobal.

# **Configuring Parameters by Using Automatically infer parameter specification**

This example shows how to automatically infer constraint values used for model parameters during Simulink Design Verifier analysis.

- **1** Open Model Settings > Design Verifier > Parameters and Variants.
- 2 Click on the drop down for **Parameter Configuration** and select **Automatically infer parameter specification**.

This automatically infers the parameters that will be selected based on the test generation target and the parameter settings based on their definition.

When the test generation target is **Model**, Simulink Design Verifier analysis selects all the supported parameters.

In the above example, both the parameters constParam and codeTunableParam, are configured during the analysis.

## 2.4.1. Parameter Constraints

#### **Constraint 1**

| Parameter        | Constraint |
|------------------|------------|
| codeTunableParam | [0, 10]    |
| sldvParam        | [-10, 10]  |

The results window shows that all objectives for both the Multiport switch blocks are satisfied.



When the test generation target is set to **Code Generated as Top Model**, parameter constParam cannot be changed in the generated code. So, Simulink Design Verifier selects codeTunableParam for parameter configuration.

## 2.4.1. Parameter Constraints

**Constraint 1** 

| Parameter        | Constraint |  |  |  |  |
|------------------|------------|--|--|--|--|
| codeTunableParam | [0, 10]    |  |  |  |  |



The Undecided objectives are related to the code corresponding to Multiport Switch1.

# **Determine from Generated Code**

Simulink Design Verifier selects the parameters whose value can be changed in the generated code for parameter configuration.

For such parameters, the minimum or maximum value from Simulink.Parameter object is used as parameter configuration for analysis.

#### Note

- This workflow is recommended when you have generated the code before the analysis is run.
- This parameter configuration can be used for both Model and Code workflows.

The PreLoadFcn callback function model, defines codeTunableParam and constParam in the MATLAB workspace.





The code generation settings for the model:

| Main                                                | Callbacks                                                                                  | Info           | Description | External Data                                 |                                                            |
|-----------------------------------------------------|--------------------------------------------------------------------------------------------|----------------|-------------|-----------------------------------------------|------------------------------------------------------------|
| Model callbacks                                     |                                                                                            | Model pre-load | function:   |                                               |                                                            |
| Post<br>InitF<br>Star<br>Pau<br>Con<br>Stop<br>Pres | LoadFcn*<br>LoadFcn<br>Fcn<br>seFcn<br>tinueFcn<br>oFcn<br>SaveFcn<br>tSaveFcn<br>tSaveFcn |                |             | sldvParam.Mir<br>sldvParam.Ma<br>codeTunableP | x = 10;<br>aram = Simulink.Parameter(2);<br>aram.Max = 10; |

Set storage class of constParam to Const and codeTunableParam to ExportedGlobal.

| <b>N</b>                                                 | Simuliak.Peremotors codefineabloPerem  | 23     | 1                                                    |               | Staullah Personakar: slakPerson | 8     |
|----------------------------------------------------------|----------------------------------------|--------|------------------------------------------------------|---------------|---------------------------------|-------|
| Design Co                                                |                                        | Design | Coc                                                  | le Generation |                                 |       |
| Design Co<br>Storage class:<br>Identifier:<br>Alignment: | ntifier:                               |        | Storage class:       Const         Custom attributes |               |                                 |       |
|                                                          | <u>O</u> K <u>C</u> ancel <u>H</u> elp | Apply  |                                                      |               | QK <u>C</u> ancel <u>H</u> elp  | Apply |

## **Configuring Parameters by Using Determine from generated code**

This example shows how to configure parameters by using **Determine from generated code** workflow during the Simulink Design Verifier analysis.

- **1** Open Model Settings > Design Verifier > Parameters and Variants.
- 2 Click on the drop down for **Parameter Configuration** and select **Determine from generated code**.

This automatically infers the parameters that will be selected based on the code generated and the parameter settings based on their definition.

In the above example, the parameter constParam cannot be changed in the generated code. So Simulink Design Verifier selects codeTunableParam for parameter configuration.

## 2.4.1. Parameter Constraints

#### **Constraint 1**

| Parameter        | Constraint |  |  |  |  |
|------------------|------------|--|--|--|--|
| codeTunableParam | [0, 10]    |  |  |  |  |



The Undecided objectives are related to the code corresponding to Multiport Switch1.

# Using Command Line Functions to Support Changing Parameters

This example shows how to use Simulink® Design Verifier™ command-line functions to generate test data that incorporates different parameter values.

#### **Controller Model with an Adjustable Parameter**

The example model is a simple controller with a single parameter. The constant parameter 'control\_mode' can be either 1 or 2. The parameter must take both values for the test cases to achieve complete coverage. The value determines the switch block output and which enabled subsystem will execute.

open\_system('sldvdemo\_param\_controller');



Copyright 2006-2023 The MathWorks, Inc.

#### **Specifying Parameter Values for Analysis**

Simulink Design Verifier does not identify parameter values. The tool uses the parameter values at the start of analysis for generating tests and proving properties. You can force the tool to incorporate changing parameter values by repeating analysis with different values.

The first iteration of design verifier will use control mode=1.

control\_mode = 1;

#### Simulink® Design Verifier<sup>™</sup> Options

Simulink Design Verifier functions use options objects created with the sldvoptions function to control all aspects of analysis and output.

In this example, we will run Simulink Design Verifier in test generation mode for a maximum of 300 seconds and produce a harness model. We will disable the report generation.

The default values of the remaining options are set correctly to generate tests. You can use the get command to display all the options and values.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.MaxProcessTime = 300;
opts.SaveHarnessModel = 'on';
opts.SaveReport = 'off';
opts.HarnessModelFileName = '$ModelName$_harness.slx';
```

get(opts)

```
Mode: 'TestGeneration'
                MaxProcessTime: 300
             AutomaticStubbing: 'on'
                   UseParallel: 'off'
      DesignMinMaxConstraints: 'on'
OutputDir: 'sldv_output/$ModelName$'
MakeOutputFilesUnique: 'on'
    BlockReplacement: 'off'
BlockReplacementRulesList: '<FactoryDefaultRules>'
BlockReplacementModelFileName: '$ModelName$_replacement'
       ParameterConfiguration: 'None'
     ParametersConfigFileName: 'sldv_params_template.m'
                ParameterNames: []
         ParameterConstraints: []
       ParameterUseInAnalysis: []
                 TestgenTarget: 'Model'
      ModelCoverageObjectives: 'ConditionDecision'
                TestConditions: 'UseLocalSettings'
                TestObjectives: 'UseLocalSettings'
              MaxTestCaseSteps: 10000
        TestSuiteOptimization: 'Auto'
                    Assertions: 'UseLocalSettings'
              ProofAssumptions: 'UseLocalSettings'
          ExtendExistingTests: 'off'
              ExistingTestFile: ''
     IgnoreExistTestSatisfied: 'on'
            IgnoreCovSatisfied: 'off'
              CoverageDataFile: '
                     CovFilter: 'off'
             CovFilterFileName: ''
    IncludeRelationalBoundary: 'off'
             RelativeTolerance: 0.0100
             AbsoluteTolerance: 1.0000e-05
               DetectDeadLogic: 'off'
```

```
DetectActiveLogic: 'off'
            DeadLogicObjectives: 'ConditionDecision'
              DetectOutOfBounds: 'on'
           DetectDivisionByZero: 'on'
          DetectIntegerOverflow: 'on'
                   DetectInfNaN: 'off'
                DetectSubnormal: 'off'
              DesignMinMaxCheck: 'off'
      DetectDSMAccessViolations: 'off'
  DetectHISMViolationsHisl 0002: 'off'
  DetectHISMViolationsHisl_0003: 'off'
  DetectHISMViolationsHisl_0004: 'off'
  DetectHISMViolationsHisl_0028: 'off'
DetectBlockInputRangeViolations: 'off'
                ProvingStrategy: 'Prove'
              MaxViolationSteps: 20
                   DataFileName: '$ModelName$ sldvdata'
             SaveExpectedOutput: 'off'
          RandomizeNoEffectData: 'off'
               SaveHarnessModel: 'on'
           HarnessModelFileName: '$ModelName$ harness.slx'
          ModelReferenceHarness: 'on'
                  HarnessSource: 'Signal Editor'
                     SaveReport: 'off'
                ReportPDFFormat: 'off'
                 ReportFileName: '$ModelName$_report'
          ReportIncludeGraphics: 'off'
                  DisplayReport: 'on'
                    SFcnSupport: 'on'
       CodeAnalysisExtraOptions: ''
     CodeAnalysisIgnoreVolatile: 'on'
           ReduceRationalApprox: 'on'
                 SlTestFileName: '$ModelName$_test'
              SlTestHarnessName: '$ModelName$_sldvharness'
            SlTestHarnessSource: 'Inport'
             StrictEnhancedMCDC: 'off'
     RebuildModelRepresentation: 'IfChangeIsDetected'
     AnalyzeAllStartupVariants: 'on'
```

#### **Generating Tests and Collecting Coverage**

The sldvgencov function generates test suites and model coverage together. All tests that can be generated with the current parameter values will be collected into the harness model and the resulting coverage returned in a coverage data object.

[status,coverageData,files] = sldvgencov('sldvdemo\_param\_controller',opts);

04-Mar-2023 00:18:27 Checking compatibility for test generation: model 'sldvdemo\_param\_controller' Compiling model...done Building model representation...done

04-Mar-2023 00:18:32

'sldvdemo\_param\_controller' is compatible for test generation with Simulink Design Verifier.

Generating tests using model representation from 04-Mar-2023 00:18:32...

04-Mar-2023 00:18:41

Completed normally.

Generating output files:

```
Harness model:
C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex05697027\sldv output\sldvdemo para
```

04-Mar-2023 00:18:44 Results generation completed.

```
Data file:
C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex05697027\sldv output\sldvdemo para
```



#### **Integrating Parameter Initialization Into a Test Harness**

Generated test cases must be run with the same parameter values used during analysis. An initialization command configures the values during simulation of test cases. The sldvmergeharness function incorporates initialization commands into test harnesses.

```
initCmdStr = 'control_mode=1;'
[path,modelName] = fileparts(files.HarnessModel);
sldvmergeharness(modelName,modelName,initCmdStr);
```

```
initCmdStr =
    'control_mode=1;'
```

#### **Modifying Parameters and Repeating Test Generation**

Modifying parameter values enables additional test generation. Passing a coverage data object as the third input to sldvgencov forces the function to ignore all model coverage test objectives that have been satisfied. We use the coverage data that was returned from the earlier call to sldvgencov to restrict test generation to unsatisfied test objectives.

```
control_mode=2;
[status,newCov,newFiles] = sldvgencov('sldvdemo_param_controller',opts,false,coverageData);
```

04-Mar-2023 00:18:48

Validating cached model representation from 04-Mar-2023 00:18:32...change detected

04-Mar-2023 00:18:48 Checking compatibility for test generation: model 'sldvdemo\_param\_controller' Compiling model...done Building model representation...done

04-Mar-2023 00:18:52

'sldvdemo\_param\_controller' is compatible for test generation with Simulink Design Verifier.

Generating tests using model representation from 04-Mar-2023 00:18:52...

```
04-Mar-2023 00:18:56
```

Completed normally.

Generating output files:

```
Harness model:
C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex05697027\sldv_output\sldvdemo_para
```

04-Mar-2023 00:18:58 Results generation completed.

```
Data file:
C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex05697027\sldv_output\sldvdemo_para
```



#### Merging Test Harnesses Into a Single Model

Another call to sldvharnessmerge merges the test data from the new harness and its initialization command into the existing harness model.

```
newInitCmd = 'control_mode=2;'
[path,newModelName] = fileparts(newFiles.HarnessModel);
sldvmergeharness(modelName,newModelName,newInitCmd);
```

```
newInitCmd =
```

'control\_mode=2;'

#### **Executing the Tests in the Harness Model**

We close the second harness model that was created because the test cases have been merged into the first harness model. You can execute the suite of tests by clicking the 'Run all' button on the Signal Builder.

```
close_system(newModelName,0);
sldvdemo_playall(modelName);
```

#### **Clean Up**

To complete the example, close the models and remove the generated files.

```
close_system(modelName,0);
close_system('sldvdemo_param_controller',0);
delete(files.HarnessModel);
delete(newFiles.HarnessModel);
```

# **Generate Parameters Values**

This example shows how to tune parameters using parameter configuration file for Simulink® Design Verifier<sup>M</sup> analysis. The model contains the parameter control\_mode that enables the active controller and selects its output to be the model output. Simulink Design Verifier treats this parameter as an input that is constrained to be either 1 or 2 and generates the appropriate value for each test case.

open\_system('sldvdemo\_param\_identification');



Copyright 2006-2019 The MathWorks, Inc.

# Extend Existing Test Cases After Applying Parameter Configurations

This example shows how to achieve missing coverage by extending existing test cases after applying parameter configurations.

In this example, you generate test cases for a model and review the analysis results. The results show that the model consists of unsatisfiable objectives and does not achieve full coverage. Then, you apply parameter configurations in the model and reuse the previously generated test cases to achieve full model coverage.

#### Step 1: Generate Initial Test Cases and Review Results

The sldvexParameterController model is a cruise control model that controls the throttle speed by selecting a P Controller or PI Controller. The ControllerModeSelection subsystem uses the SelectMode parameter to select the controller mode. Define the enumerated data type for Selectmode by using the function Simulink.defineIntEnumType. For more information on enumerated values, see "Use Enumerated Data in Simulink Models".

```
Simulink.defineIntEnumType('EnumForControllerSelection',...
{'Pmode','PImode'},[1;2]);
SelectMode = Simulink.Parameter;
SelectMode.Value = EnumForControllerSelection.Pmode;
model = 'sldvexParameterController';
open_system(model);
```



### Simulink Design Verifier Extend Test Cases in Presence of Parameter Configuratios

Copyright 2019 The MathWorks, Inc.

Set the sldvoptions and analyze the model by using the specified options.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.ModelCoverageObjectives = 'MCDC';
[ status, files ] = sldvrun(model, opts, true);
```

After the analysis completes, the Results Summary window displays that 15 out of 54 objectives are unsatisfiable.

In the Results Summary window, click **Highlight analysis results on model**. Double-click the ControllerModeSelection subsystem. The PI\_ModeSelection and P\_ModeSelection subsystems are highlighted in red and consist of unsatisfiable objectives.



To view the model coverage report, in the Results Summary window, click **Simulate tests and produce a model coverage report**. The report shows that the model does not achieve full coverage.

## Summary

|                              | Decision       | Condition | MCDC | Test Condition | Execution |
|------------------------------|----------------|-----------|------|----------------|-----------|
| 1. sldvexParameterController | 10 64%         | 83%       | 63%  | 100%           | 84%       |
| 2 <u>Controller</u>          | 9 64%          | 83%       | 63%  | NA             | 84%       |
| 3ControllerModeSelection     | <u>n</u> 6 38% | 67%       | 25%  | NA             | 67%       |
| 4 <u>P_ModeSelection</u>     | 2 100%         | 67%       | 50%  | NA             | 100%      |
| 5 <u>P Controller2</u>       | 2 100%         | NA        | NA   | NA             | 100%      |
| 6                            | 4 17%          | 67%       | 0%   | NA             | 43%       |
| 7 <u>PI Controller1</u>      | 4 17%          | NA        | NA   | NA             | 0%        |

#### Model Hierarchy/Complexity

Full coverage is not achieved because the parameter value SelectMode is restricted to the default value of EnumForControllerSelection.Pmode. Consequently, full coverage is not achieved for the PI\_ModeSelection subsystem.

#### Step 2: Configure Parameter Configurations and Extend Existing Test Cases

If you apply parameter configurations, Simulink Design Verifier treats the parameter as a variable during analysis and constraints the values based on the constraint values that you specify.

Apply parameter configurations for the SelectMode parameter by specifying the constraint values for parameterValue.

```
controlParameter = [ {'SelectMode'}];
parameterValue = [ {'[EnumForControllerSelection.Pmode EnumForControllerSelection.PImode]'}];
opts.ParametersUseConfig = 'on';
opts.ParameterNames = controlParameter;
opts.ParameterConstraints = parameterValue;
opts.ParameterUseInAnalysis = {'on'};
```

To reuse the previously generated test cases, configure the analysis option to extend the existing test cases and specify the existing test file.

```
opts.ExtendExistingTests = 'on';
opts.IgnoreExistTestSatisfied = 'off';
opts.ExistingTestFile = files.DataFile;
```

#### Step 3: Perform Analysis and Review Coverage Report

Analyze the model by using the specified options.

```
[status, fileNames] = sldvrun(model, opts, true);
```

After the analysis completes, the Results Summary window displays that all the objectives are satisfied.

To generate model coverage report, click **Simulate tests and produce a model coverage report**. The report shows that the model achieves full coverage.

## Summary

| Model Hierarchy/Complexity |                                  | Test 1 |         |    |        |     |
|----------------------------|----------------------------------|--------|---------|----|--------|-----|
|                            |                                  |        | Decisio | on | Execut | ion |
|                            | 1. <u>sldvexRollApController</u> | 8      | 100%    |    | 100%   |     |
|                            | 2 <u>Roll Reference</u>          | 5      | 100%    |    | 100%   |     |
|                            | 3 <u>Latch Phi</u>               | 1      | 100%    |    | 100%   |     |

To complete this example, close the model.

close\_system('sldvexParameterController', 0);

#### See also

- "Parameter Configuration for Analysis" on page 5-2
- "When to Extend Existing Test Cases" on page 8-2

# **Detecting Design Errors**

- "What Is Design Error Detection?" on page 6-2
- "Derived Ranges in Design Error Detection" on page 6-3
- "Analyze Models for Design Errors" on page 6-4
- "Dead Logic Detection" on page 6-7
- "Detect Dead Logic Caused by an Incorrect Value" on page 6-12
- "Common Causes for Dead Logic" on page 6-15
- "Detect Integer Overflow and Division-by-Zero Errors" on page 6-19
- "Check for Specified Minimum and Maximum Value Violations" on page 6-23
- "Detect Out of Bound Array Access Errors" on page 6-28
- "Detect Non-Finite, NaN, and Subnormal Floating-Point Values" on page 6-33
- "Detect Data Store Access Violations" on page 6-37
- "Detect Violations of High-Integrity Systems Modeling Guidelines" on page 6-41
- "Filter Objectives by Using Simulink Design Verifier Filter Explorer" on page 6-46
- "Detect Integer Overflow Errors" on page 6-51
- "Detect Out of Bound Array Access Example Model" on page 6-54
- "Detect Design Errors in C/C++ Custom Code" on page 6-57
- "Exclude and Justify Objectives for Design Error Detection" on page 6-59
- "Detect Integer Overflow in a Model with Complex Inputs" on page 6-65
- "Debug Integer Overflow Design Error Detection Using Model Slicer" on page 6-68
- "Analyzing the Results for a Dead Logic Analysis" on page 6-73

Analyzing the Results for a Dead Logic Analysis

# What Is Design Error Detection?

Design error detection is a Simulink Design Verifier analysis mode that detects the following types of errors:

- Dead logic
- Out of bound array access
- Integer or fixed-point data overflow
- Division by zero
- Errors in floating-point usage (Inf/NaN and subnormal)
- Intermediate signal values that are outside the specified minimum and maximum values
- Data store access violations
- Specified block input range violations
- High-Integrity Systems Modeling checks

Before you simulate your model, analyze your model in design error detection mode to find and diagnose these errors. Design error detection analysis determines the conditions that cause the error, helping you identify possible design flaws. Design error detection analysis also computes a range of signal values that can occur for block outports and Stateflow local data in your model.

Model objects that have decision or condition outcomes receive dead logic detection.

After the analysis, you can:

- Click individual blocks to view the analysis results for that block.
- Create a harness model containing test cases that demonstrate the errors.
- Create an analysis report that contains detailed results for the entire model.

#### See Also

"Analyze Models for Design Errors" on page 6-4 | "Design Verifier Pane: Design Error Detection" on page 15-42

# **Derived Ranges in Design Error Detection**

When you specify minimum and maximum values for a signal or data in a model, these values define a design range.

During design error detection, the software analyzes the model behavior and computes the values that can occur during simulation for:

- Block Outports
- Stateflow local data

The range of these values is called a derived range.

The **Use specified input minimum and maximum values** parameter in the Configuration Parameters dialog box, on the **Design Verifier** pane, if enabled, tells the analysis to consider the design ranges on the model input ports as constraints when calculating the derived ranges. By default, the **Use specified input minimum and maximum values** parameter is enabled.

If **Use specified input minimum and maximum values** is disabled, the software does not restrict the signals when computing the derived ranges.

To see how this process works, consider the following model.



In this model, the design ranges are:

- Inport block: [-35..35]
- Abs block output: [0..30]

Given the design range on the Inport block, the only possible values for the Abs block output are values from 0 to 35. Therefore, the derived range for the Abs block is [0..35].

However, if you disable the **Use specified input minimum and maximum values** parameter, the analysis calculates the derived ranges based on unrestricted values of the input ports of the model. In the preceding model, the only valid outputs of the Abs block are nonnegative numbers. Consequently, the derived range for the Abs block is [0..Inf].

# **Analyze Models for Design Errors**

#### In this section...

"Workflow for Detecting Design Errors" on page 6-4

"Understand the Analysis Results" on page 6-4

"Review the Latest Analysis Results in the Results Summary Window" on page 6-5

"Check For Design Errors using the Model Advisor" on page 6-6

## **Workflow for Detecting Design Errors**

To analyze your model for design errors, use the following workflow:

- **1** Verify that your model is compatible with Simulink Design Verifier software.
- 2 If you have Stateflow objects in your model, in the Configuration Parameters dialog box, on the **Diagnostics > Stateflow** pane, set **Unreachable execution path** to error.
- **3** Specify options that control how Simulink Design Verifier detects design errors in your model.
- 4 Execute the Simulink Design Verifier analysis.
- **5** Review the analysis results.

## **Understand the Analysis Results**

When you run a design error detection analysis, by default, the software highlights model objects in one of four colors so that the analysis results are easy to review.

| Model Object<br>Highlighting Color | Analysis Results                                                                         |
|------------------------------------|------------------------------------------------------------------------------------------|
| Green                              | Both of the following:                                                                   |
|                                    | The analysis proved the absence of dead logic.                                           |
|                                    | • The analysis proved the absence of errors for the other design error detection checks. |
| Red                                | At least one of the following:                                                           |
|                                    | The analysis found dead logic.                                                           |
|                                    | • The analysis found an error for one of the other design error detection checks.        |

| Model Object<br>Highlighting Color | Analysis Results                                                                                                                                                                        |  |  |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|
| Orange                             | For at least one objective, the analysis could not determine if the model<br>object has dead logic or one of the other design error detection errors.<br>This situation can occur when: |  |  |
|                                    | The analysis times out.                                                                                                                                                                 |  |  |
|                                    | • The software cannot determine if an error occurred or not. This result is due to:                                                                                                     |  |  |
|                                    | • Automatic stubbing; for more information, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.                                                                         |  |  |
|                                    | Limitations of the analysis engine.                                                                                                                                                     |  |  |
| Gray                               | The model object was not part of the analysis.                                                                                                                                          |  |  |
| Steel blue                         | All objectives from this model object were excluded or justified using a filter files provided during the analysis.                                                                     |  |  |

The Simulink Design Verifier Results window initially displays a summary of the analysis results, as in the following example.

| Particial Results: sldvdemo_design_error_detection                                                                                                                                                                                                                                                                                                      | - | ×   |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|-----|
| $\Leftrightarrow \Rightarrow \triangle$                                                                                                                                                                                                                                                                                                                 |   | v 😨 |
| Design error detection completed normally.         5/7 objectives valid         2/7 objectives falsified - need simulation         Results:         • Open filter viewer         • View tests in Simulation Data Inspector         • Detailed analysis report: (HTML) (PDF)         • Create harness model         • Export test cases to Simulink Test |   |     |

When you click an object in the model, additional details about the results for that object are displayed in the Simulink Design Verifier Results window.

**Tip** By default, the Simulink Design Verifier Results window is always the topmost visible window. To change that setting, click the SS icon and on the context menu, clear the check mark next to Always on top.

#### **Review the Latest Analysis Results in the Results Summary Window**

If you close the analysis results to fix the cause of the errors in your model, you might need to review the analysis results again. As long as your model remains unchanged, you can view the results of your most recent analysis results in the Results Summary Window.

To view the latest results, on the **Design Verifier** tab, in the **Review Results** section, click **Results Summary**.

For any Simulink Design Verifier analysis, from the Results Summary Window, you can perform the following tasks:

- Open filter explorer.
- Highlight the analysis results on the model.
- View tests in Simulation Data Inspector.
- Generate a detailed analysis report.
- Create the harness model, or if the harness model already exists, open it.

Note If no objectives are falsified or satisfied, you cannot create the harness model.

- Export test cases to Simulink Test.
- View the data file.
- View the log file.

### **Check For Design Errors using the Model Advisor**

You can perform design error detection analysis from the Model Advisor, which is particularly useful if you need to perform other model checks. To analyze your model from the Model Advisor, follow this high-level workflow:

- **1** Specify options that control how Simulink Design Verifier detects design errors in your model.
- **2** Open the Model Advisor.
- 3 From the system hierarchy, select the model or model component you want to analyze
- 4 Expand the design error detection analysis items. Look for Simulink Design Verifier under either **By Product** or **By Task**.
- 5 If you have not checked your model for compatibility, enable the compatibility check for Simulink Design Verifier.
- 6 Select the design error detection checks you want to run.
- 7 Run the selected checks.
- 8 Review the analysis results.

#### See Also

#### **More About**

• "Check Your Model Using the Model Advisor"

# **Dead Logic Detection**

#### In this section...

"Run a Partial Check for Dead Logic" on page 6-7

"Run an Exhaustive Analysis for Dead Logic" on page 6-7

"Run a Dead Logic Analysis and Review Results" on page 6-8

Before you simulate a model, use dead logic detection to analyze the model for dead logic. In Simulink Design Verifier, design error detection for dead logic consists of two analysis options:

• Dead logic (partial): If you select this option, Simulink Design Verifier analyzes your model without making any approximations, such as rational approximation for floating points, or while loop approximation. For more information, see "Role of Approximations During Model Analysis" on page 2-20. With this option, Simulink Design Verifier does not report active logic or undecided objectives and it may not identify some dead logic in your model.

This option is available in:

- The Model Advisor. See "Check For Design Errors using the Model Advisor" on page 6-6.
- The Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane.
- Run exhaustive analysis: With this option, Simulink Design Verifier reports active logic in addition to dead logic as well as undecided objectives. This option may in some cases identify or find additional dead logic. The analysis may use approximations and are reported accordingly.

This option is available in Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane.

## **Run a Partial Check for Dead Logic**

If you are not using the Model Advisor, to detect dead logic:

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- 2 Click Error Detection Settings.
- **3** In the Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane:
  - **a** Enable the "Dead logic (partial)" on page 15-43 option.
  - **b** Clear the "Run exhaustive analysis" on page 15-43 option, if it is selected.
  - c Set "Coverage objectives to be analyzed" on page 15-44 to MCDC. The available options from the drop-down menu are Decision, Condition Decision, and MCDC.
- 4 To apply these settings, click **OK** and close the Configuration Parameters dialog box.
- 5 Click **Detect Design Errors**.

#### **Run an Exhaustive Analysis for Dead Logic**

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- 2 Click Error Detection Settings.

- **3** In the Configuration Parameters dialog box, on the **Design Verifier** > **Design Error Detection** pane:
  - **a** Enable the "Dead logic (partial)" on page 15-43 option.
  - **b** Clear the "Run exhaustive analysis" on page 15-43 option, if it is selected.
  - c Set "Coverage objectives to be analyzed" on page 15-44 to MCDC. The available options from the drop-down menu are Decision, Condition Decision, and MCDC.
- 4 To apply these settings, click **OK** and close the Configuration Parameters dialog box.
- 5 Click **Detect Design Errors**.

#### **Run a Dead Logic Analysis and Review Results**

This example shows how to detect dead logic in the sldvSlicerdemo\_dead\_logic example model. Dead logic detection finds the unreachable objectives in the model that cause the model element to remain inactive.

1 Open the sldvSlicerdemo\_dead\_logic model.

open\_system('sldvSlicerdemo\_dead\_logic');

- 2 On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- **3** Click **Error Detection Settings**.
- 4 In the Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane:
  - **a** Enable the "Dead logic (partial)" on page 15-43 option.
  - **b** Clear the "Run exhaustive analysis" on page 15-43 option, if it is selected.
  - c Set "Coverage objectives to be analyzed" on page 15-44 to MCDC. The available options from the drop-down menu are Decision, Condition Decision, and MCDC.
- 5 Click **Detect Design Errors**.

The software analyzes the model for dead logic and displays the results in the Results Summary window. The result indicates that 10 of the 32 objectives were found to be dead logic.

| 🚡 Simulink Design Verifier Res                                                                                     | ults Summary: sldvSlicerd | emo_dead_logic               | :          |
|--------------------------------------------------------------------------------------------------------------------|---------------------------|------------------------------|------------|
| Progress                                                                                                           |                           |                              |            |
| riogress                                                                                                           |                           |                              |            |
| Objectives processed                                                                                               | 24/24                     |                              |            |
| Valid                                                                                                              | 0                         |                              |            |
| Falsified                                                                                                          | 7                         |                              |            |
| Elapsed time                                                                                                       | 0:38                      |                              |            |
| Design error detection com                                                                                         | pleted normally           |                              |            |
| logic > Run exhaustive ana<br>analysis.<br>7/24 objectives are dead lo                                             |                           | on in order to perform an ex | naustive   |
| Results:                                                                                                           |                           |                              |            |
| <ul> <li><u>Open filter viewer</u></li> <li><u>Highlight analysis re</u></li> <li>Detailed analysis rep</li> </ul> |                           |                              |            |
| Data saved in: <u>sldvSlicerder</u><br>in folder:                                                                  |                           |                              | lead logic |
|                                                                                                                    | [madab [sh                |                              | iogic      |
|                                                                                                                    |                           |                              |            |
|                                                                                                                    |                           |                              |            |
|                                                                                                                    |                           |                              |            |
|                                                                                                                    |                           | View Log                     | Close      |

- 6 Click **Highlight analysis results on model**. The dead logic model elements are highlighted in red.
- 7 Open the Controller subsystem, and click the OR block highlighted in red. The Result Inspector displays the summary of the dead logic.

The set input is equal to 1, so the input port 1 of the OR block **can only be true**. The status implies that the input port 1 false condition is a dead logic. Similarly, the input port 2 is unreachable, as the objective never executes and is dead logic.



8 To view the detailed analysis report, in the Results Summary window, click HTML.

The report displays the summary of all the results that are dead logic in the model.

| # | Туре      | Model Item                                        | Description                                                                 |
|---|-----------|---------------------------------------------------|-----------------------------------------------------------------------------|
| 1 | Decision  |                                                   | logical trigger input can never be false (output is from<br>3rd input port) |
| 2 | Condition | Controller/Logical Operator2                      | Logic: input port 1 can only be true                                        |
| 3 | Condition | Controller/Logical Operator2                      | Logic: input port 2 unreachable                                             |
| 4 | Condition | Controller/Logical Operator                       | Logic: input port 3 can only be true                                        |
| 5 | Decision  | Controller/PI Controller/Discrete-Time Integrator | integration result <= lower limit <b>can never be true</b>                  |
| 6 | Decision  | Controller/PI Controller/Discrete-Time Integrator | integration result >= upper limit <b>can never be true</b>                  |

#### **Dead Logic**

The software stores the detailed analysis results in the DeadLogic field in the "Manage Simulink Design Verifier Data Files" on page 13-7. You can use the data file for further analysis of the results.

#### Suggestion:

You can use Model Slicer to find the parameters which could have an impact on a particular block by following these steps:

a. Create an object of SLSlicerAPI.ParameterDependence using Model Slicer.

```
slicerObj = slslicer('sldvSlicerdemo_dead_logic');
pd = slicerObj.parameterDependence;
```

b. Find the parameters affecting the Discrete-Time Integrator block.

```
param = parametersAffectingBlock(pd, 'sldvSlicerdemo_dead_logic/Controller/PI Controller/Discrete
```

```
param =
    VariableUsage with properties:
        Name: 'c'
        Source: 'base workspace'
        SourceType: 'base workspace'
        Users: {'sldvSlicerdemo_dead_logic/Constant'}
```

The image above displays the parameters returned by the function **parametersAffectingBlock** which have an impact on the **Discrete-Time Integrator** block. The parameters returned by the function can be considered for tuning.

c. Perform clean-up to exit compile state of the model.

```
slicerObj.terminate;
```

#### See Also

#### **More About**

• "Design Verifier Pane: Design Error Detection" on page 15-42

## **Detect Dead Logic Caused by an Incorrect Value**

| In this section                              |   |
|----------------------------------------------|---|
| "Analyze the Fuel System Model" on page 6-12 | 2 |

"Review the Results and Trace to the Model" on page 6-13

"Investigate the Cause of the Dead Logic" on page 6-13

Investigate the Cause of the Dead Logic on page 6-13

"Update the Input Constraint and Reanalyze the Model" on page 6-14

Dead logic detection helps you to identify:

- Model design errors.
- Extraneous model elements.
- Model elements that should be executed, but are not.

In this example, you analyze a fuel rate controller model to determine if the model contains dead logic. Dead logic detection finds the incorrect variable value that causes a transition condition in a Stateflow chart to remain inactive.

## Analyze the Fuel System Model

**1** Open the model.

sldvdemo\_fuelsys\_logic\_simple

Ensure that the current folder is writable.

2 Configure dead logic detection.

On the Design Verifier tab, in the Mode section, select Design Error Detection.

- **3** Select **Error Detection Settings**.
- 4 In the Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane:
  - **a** Enable the "Dead logic (partial)" on page 15-43 option.
  - **b** Clear the "Run exhaustive analysis" on page 15-43 option, if it is selected.
  - c Set **Coverage objectives to be analyzed** to Condition Decision. The available options from the drop-down menu are Decision, Condition Decision, and MCDC.
- 5 Click **Detect Design Errors**.
- 6 The results dialog box shows that there are 2/109 objectives that are dead logic.



## **Review the Results and Trace to the Model**

- 1 Create an analysis report. From the results inspector window, click HTML.
- 2 Scroll to the **Dead Logic** section. The table lists two instances of dead logic.
- 3 In the **Description** column, one of the dead logic instances is the false condition of press < zero\_thresh. The dead logic result indicates that in the simulation, the false condition was not executed. This logic is part of the Sens\_Failure\_Counter.INC transition.
- 4 Click the **Model Item** link. Simulink highlights the transition in the chart.



#### Investigate the Cause of the Dead Logic

**1** The logical statement controlling the transition is

speed==0 & press < zero\_thresh</pre>

- 2 Return to the report. Scroll to the **Constraints** section.
- **3** The value of the input control logic/Input Data "press" is constrained from 0 through 2. Click the link to open the input in the Model Explorer.
- 4 Select the **Model Workspace** in the Model Explorer. In the contents table, select zero\_thresh. The value of zero\_thresh is 250.

Given the constrained value of press, it is always less than zero\_thresh and therefore, the false condition is never exercised.

## Update the Input Constraint and Reanalyze the Model

- 1 Change the value of zero\_thresh to 0.250.
- 2 Reanalyze the model. On the **Design Verifier** tab, click **Detect Design Errors**.
- **3** In the new results, the objective is no longer dead logic.

## See Also

## **Related Examples**

• "Dead Logic Detection" on page 6-7

# **Common Causes for Dead Logic**

Common modeling patterns that lead to dead logic in a model include:

| In this section                                                             |
|-----------------------------------------------------------------------------|
| "Short-Circuiting of a Logical Operator Block During Analysis" on page 6-15 |
| "Conditional Execution of a Block" on page 6-15                             |
| "Parameter Values Treated as Constants" on page 6-16                        |
| "Upstream Blocks" on page 6-17                                              |
| "Library-Linked Blocks" on page 6-17                                        |
| "Restrictions on Signal Ranges" on page 6-17                                |

When you perform design error detection analysis, Simulink Design Verifier reports the common causes of dead logic in the Results window.

## Short-Circuiting of a Logical Operator Block During Analysis

Simulink Design Verifier treats logic blocks as if they are short-circuiting when analyzing for dead logic.

For example, in this model, if In2 is false, the software ignores the third input due to the shortcircuiting. The Results window lists this port as dead logic. See "Logic Operations Short-Circuiting" on page 2-26.



## **Conditional Execution of a Block**

If your model consists of Switch or Multiport Switch blocks and the **Conditional input branch execution** parameter is set to **On**, the conditional execution can often cause unexpected dead logic.

Consider this example model where the **Conditional input branch execution** parameter is set to **On**. The AND Logical Operator block is conditionally executed, which causes the dead logic for the block. For more information, see "Conditional input branch execution".



## **Parameter Values Treated as Constants**

If your model contains parameters, Simulink Design Verifier treats the values as constants by default. This might cause dead logic in the model. In these cases, consider configuring these parameters to be tuned during analysis.

For example, consider this model, where all of the parameters are set to zero. These settings cause the dead logic for the Less Than block.



## **Upstream Blocks**

When a particular block has dead logic, this often leads to a cascade effect that causes downstream blocks to have dead logic.

Consider the above example model. The dead logic in the Less Than block causes the dead logic in the corresponding downstream blocks. It is therefore often helpful to review the upstream dead logic before reviewing any downstream dead logic.

## Library-Linked Blocks

Library blocks may be written with defensive conditions that are redundant in some of the locations where they are used. In some cases, this may cause dead logic. See "Exclude and Justify Objectives for Design Error Detection" on page 6-59.

## **Restrictions on Signal Ranges**

Root-level Inport blocks with minimum and maximum values as constraints and Test Condition blocks in the test generation may cause dead logic. For example, consider ConditionGreaterThan0 Switch block, where the second Inport block has a minimum and maximum range of 1 and 100, respectively. This causes the Switch block in this subsystem to have dead logic.



## See Also

## **More About**

- "Run a Dead Logic Analysis and Review Results" on page 6-8
- "Analyzing the Results for a Dead Logic Analysis" on page 6-73

# **Detect Integer Overflow and Division-by-Zero Errors**

#### In this section...

"About This Example" on page 6-19

"Analyze the Model" on page 6-19

"Review the Analysis Results" on page 6-19

### About This Example

The following sections describe how to analyze the sldvdemo\_cruise\_control\_fxp\_fixed model for integer overflow and division-by-zero errors.

## Analyze the Model

Open and check model for integer overflow and division-by-zero errors:

- 1 Open the sldvdemo\_cruise\_control\_fxp\_fixed model.
- 2 On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.
- **3** In the Configuration Parameters dialog box, select **Design Verifier > Design Error Detection**.
- 4 On the **Design Error Detection** pane, select:
  - Integer overflow
  - Division by zero
- 5 In the Configuration Parameters dialog box, on the Diagnostics > Data Validity pane, set Signals > Wrap on overflow, Signals > Saturate on overflow and Parameters > Detect overflow to error.
- 6 Click **OK** to save these settings and close the Configuration Parameters dialog box.
- 7 In the Mode section, select Design Error Detection.
- 8 Click Detect Design Errors.

When the analysis is complete:

- The software highlights the model with the analysis results.
- The Simulink Design Verifier Results dialog box opens and displays a summary of the analysis.

#### **Review the Analysis Results**

- "Review the Results on the Model" on page 6-19
- "Review the Harness Model" on page 6-21
- "Review the Analysis Report" on page 6-22

#### **Review the Results on the Model**

The derived ranges can help you understand the source of an error by identifying the possible signal values, as you can see by taking the following steps:

1 At the top level of the sldvdemo\_cruise\_control\_fxp\_fixed model, click the Fixed-Point Controller subsystem.

The Simulink Design Verifier Results window displays the derived range of possible signal values for the Outports, as calculated by the analysis:

- The values of Outport 1 (throt) range from -2.6101 to 2.6096.
- The values of Outport 2 (target) range from 0 to 255.9960.



- 2 Click the Outport blocks of the sldvdemo\_cruise\_control\_fxp\_fixed model to see the same signal bound values.
- **3** Open the Fixed-Point Controller subsystem.

Two objects in this subsystem are outlined in red. The PI Controller subsystem is outlined in green.

4 Click the Sum block, outlined in red, that provides the error input to the PI Controller subsystem.



This Sum block can produce an overflow error. The analysis found a test case that can result in a computation where the output of the Sum block exceeds the range [-128..127.9960].



- **5** To more fully understand this error, click the two blocks that provide the inputs to the Sum block. In the Simulink Design Verifier Results window, view their derived ranges:
  - The third Outport from the Bus block has a range of [0..256].
  - The Outport from the Switch block has a range of [0..256].

You can see that the sum operation for these signal ranges can compute a value that exceeds the range [-128..128] for the Outport of the Sum block.

The analysis reports the overflow error on the Sum block. The analysis does not propagate this error and assumes that the Sum block output is within the valid range for any subsequent computations.

6 Click the PI Controller subsystem, outlined in green. None of the blocks in the PI Controller subsystem can produce overflow or division-by-zero errors. When the software analyzes the PI Controller subsystem, it ignores the overflow error from the Sum block and assumes that the inputs to the subsystem are valid.

Keep the sldvdemo\_cruise\_control\_fxp\_fixed model open. In the next section, you create the harness model to see the test case that generates the Sum block overflow error.

#### **Review the Harness Model**

To see the test cases that demonstrate the errors, generate the harness model from the Simulink Design Verifier Results window:

- 1 In the sldvdemo\_cruise\_control\_fxp\_fixed model, open the Fixed-Point Controller subsystem.
- 2 Click the Sum block, outlined in red, that provides the error input to the PI Controller subsystem.

The Simulink Design Verifier Results window displays information that an overflow error occurred.

3 In the Simulink Design Verifier Results window, click View counterexamples.

The software creates a harness model containing the test case with the signal values that cause this overflow error.

In the harness model, the Signal Builder dialog box opens, with Test Case 2 displayed.

4 Click the Start simulation button to simulate the model with this test case.

As expected, the simulation fails due to an overflow error at the Sum block in the Fixed-Point Controller subsystem.

For more information, see "Manage Simulink Design Verifier Harness Models" on page 13-13.

#### **Review the Analysis Report**

To view an HTML report containing detailed information about the analysis report for the sldvdemo\_cruise\_control\_fxp\_fixed model:

- 1 In the Simulink Design Verifier Results window, to redisplay the results summary, click **Back to summary**.
- 2 Click Generate detailed analysis report.

The software generates a detailed analysis report that opens in a browser.

For the sldvdemo\_cruise\_control\_fxp\_fixed model, the **Design Error Detection Objectives Status** chapter of the report provides detailed results in two categories:

- **Objectives Valid** Model objects that did not produce errors
- Objectives Falsified with Counterexamples Model objects for which test cases generated errors

Model objects that have decision or condition outcomes receive dead logic detection. For more information on the complete list of model objects that have decision or condition objectives, see "Model Objects That Receive Coverage" (Simulink Coverage).

For more information, see "Review Results" on page 13-35.

## See Also

#### **More About**

- "Detect Integer Overflow Errors" on page 6-51
- "Detect Integer Overflow in a Model with Complex Inputs" on page 6-65

# **Check for Specified Minimum and Maximum Value Violations**

"Limitations of Checking Specified Minimum and Maximum Value Violations" on page 6-23 "About This Example" on page 6-23 "Create the Example Model" on page 6-24 "Analyze the Model" on page 6-25 "Review the Analysis Results" on page 6-25

During a design error detection analysis, the software checks the specified minimum and maximum values on intermediate signals throughout the model and on the output ports. These values define the design ranges.

The analysis checks for specified minimum and maximum values on:

- Simulink block outputs, with the exception of the limitations described in the next section
- Simulink.Signal objects
- Stateflow data objects
- MATLAB for code generation data objects
- Global data store writes

If the analysis detects that a signal exceeds the design range, the results identify where in the model the errors occurred. In addition, you can generate a harness model that contains test cases that demonstrate how the error occurred.

# Limitations of Checking Specified Minimum and Maximum Value Violations

If you analyze a model checking if specified minimum and maximum values are exceeded, the software cannot check minimum and maximum values specified on:

- Any Mux block with an output connected to a Selector block
- Merge block inputs

To work around this limitation, use a Simulink.Signal object on the Merge block output and specify the range on the Simulink.Signal object.

**Note** For information about how a Simulink Design Verifier analysis handles specified minimum and maximum values on input ports, see "Minimum and Maximum Input Constraints" on page 11-2.

## About This Example

In this section, you create and analyze a model that has specified design minimum and maximum values on:

• The input ports

• The output ports of two of the intermediate blocks

The design error detection analysis identifies blocks where the output values exceed the design range. If the analysis detects this error, this example demonstrates how the analysis uses the specified minimum and maximum values when continuing the analysis.

### **Create the Example Model**

Create the model for this example:

- 1 In the MATLAB toolstrip, on the Home tab, select New > Simulink Model.
- **2** From the Simulink Commonly Used Blocks library, add the following blocks to the model and assign the indicated parameter values.

| Block      | Tab               | Parameter        | Value |
|------------|-------------------|------------------|-------|
| Inport     | Signal Attributes | Minimum          | 0     |
| Inport     | Signal Attributes | Maximum          | 5     |
| Gain       | Main              | Gain             | 5     |
| Gain       | Signal Attributes | Output minimum   | Θ     |
| Gain       | Signal Attributes | Output maximum   | 20    |
| Gain       | Signal Attributes | Output data type | int16 |
| Saturation | Main              | Upper limit      | 25    |
| Saturation | Main              | Lower limit      | - 25  |
| Saturation | Signal Attributes | Output minimum   | - 25  |
| Saturation | Signal Attributes | Output maximum   | 25    |
| Outport    | No changes        |                  |       |

**3** Connect the four blocks as shown.



- 4 To display the specified minimum and maximum values, on the **Debug** tab, select **Information Overlays > Signal Data Ranges**.
- 5 On the Modeling tab, click Model Settings.
- 6 In the Configuration Parameters dialog box, on the **Solver** pane, under **Solver selection**:
  - a Set Type to Fixed-step.

The Simulink Design Verifier software does not support variable-step solvers.

- **b** Set **Solver** to discrete (no continuous states).
- 7 On the **Design Verifier** pane, set **Mode** to **Design error detection**.
- 8 On the **Design Verifier > Design Error Detection** pane:
  - a Select Specified minimum and maximum value violations.

**b** Clear the **Integer overflow** and **Division by zero** parameters.

In this example, you check only for intermediate minimum and maximum violations.

9 To save these settings and exit the Configuration Parameters dialog box, click OK.

**10** Save the model and name it ex\_interim\_minmax.

### Analyze the Model

To analyze the example model to identify any intermediate signals that violate the specified minimum and maximum values, perform design error detection analysis.

#### On the **Design Verifier** tab, click **Detect Design Errors**.

After the analysis is complete:

• The software highlights the model with the analysis results.



• The Simulink Design Verifier Results dialog box opens and displays a summary of the analysis.



## **Review the Analysis Results**

- "Review Results on the Model" on page 6-25
- "Review the Harness Model" on page 6-26
- "Review the Analysis Report" on page 6-27

#### **Review Results on the Model**

In the model window, the Gain block is colored red and the Saturation block is colored green. This indicates that:

• At least one objective associated with the Gain block was falsified. For this example, the analysis falsified exactly one objective.

• All objectives associated with the Saturation block were satisfied. For this example, the analysis satisfied exactly one objective.

To understand these results:

**1** Click the Gain block.

The Simulink Design Verifier Results window shows that the design range for the output was [0..20], but the analysis detected an error and generated a test case that demonstrates that error. Because the design range for the input block is [0..5], when the input to the Gain block is 5, the output is 25, which exceeds the specified maximum value on that port.

The analysis computes and displays the derived range to help you understand how the design range was exceeded.

| 🎦 Results: ex_interim_minmax               | - | $\times$ |
|--------------------------------------------|---|----------|
| $\Leftarrow \Rightarrow \oslash$           |   | v 😼      |
| Back to summary                            |   |          |
| ex_interim_minmax/Gain                     |   |          |
| Design Range: [020] ERROR - View test case |   |          |
| Derived Ranges:                            |   |          |
| Outport 1: [025]                           |   |          |
|                                            |   |          |

**2** Click the Saturation block.

The Simulink Design Verifier Results window shows that the output of the Saturation block never exceeded the design range [-25..25]. The input to the Saturation block never exceeded [0..25], which is the derived range that the analysis propagated from the Gain block.

| 🎦 Results: ex_interim_minmax                                                   | — | ×   |
|--------------------------------------------------------------------------------|---|-----|
| $\langle + \rangle \otimes$                                                    |   | ₩ 😼 |
| Back to summary<br>ex_interim_minmax/Saturation<br>Design Range: [-2525] VALID |   |     |
| Derived Ranges:<br>Outport 1: [025]                                            |   |     |

#### **Review the Harness Model**

When the analysis completes, you can create a harness model contains the test cases that result in errors.

For the example model, view the test case that caused the design range error in the Gain block:

- **1** After the analysis completes and the model is highlighted, click the Gain block.
- 2 In the Simulink Design Verifier Results window, click **View test case**.

The software creates a harness model named ex\_interim\_minmax\_harness and opens the Signal Builder block in the harness model that contains the test case.

In the Signal Builder block, one test case, whose signal value is 5, caused the output of the Gain block to be 25, which exceeds the specified maximum of 20.

3 Before you simulate this test case, in the Configuration Parameters dialog box, on the Diagnostics > Data Validity pane, set Simulation range checking to warning or error.

Setting this parameter specifies the diagnostic action to take if Simulink detects signals that exceed specified minimum or maximum values during simulation.

- If you specify warning, the simulation displays a warning message and continues.
- If you specify error, the simulation displays an error message and stops.
- 4 Click **OK** to save your change and close the Configuration Parameters dialog box.
- **5** In the Signal Builder block window, click **Start simulation** to simulate the model with this test case.

As expected, in the MATLAB window, the simulation displays a warning or error that the output value of the Gain block exceeds the specified maximum.

#### **Review the Analysis Report**

You can also generate an HTML report containing detailed information about the analysis report for the ex\_interim\_minmax model. To create this report, in the Simulink Design Verifier Results window, click **Generate detailed analysis report**. The analysis report opens in a browser.

In the analysis report, the **Design Error Detection Objectives Status** chapter of the report provides detailed results in two categories:

- **Objectives Proven Valid** The output values for the Saturation block are always within the design range.
- **Objectives Falsified with Test Cases** The output values for the Gain block violated the design range.

## **Detect Out of Bound Array Access Errors**

#### In this section...

"Design Error Detection for Out of Bound Array Access" on page 6-28

"Detect Out of Bound Array Access Example Model" on page 6-28

"Limitations of Support for Out of Bound Array Access Design Error Detection" on page 6-31

## **Design Error Detection for Out of Bound Array Access**

Simulink Design Verifier design error detection analysis detects out of bound array access errors in your model. In simulation, when your model attempts to access an array element using an invalid index, an out of bound array access error occurs.

To detect out of bound array access errors in your model:

- **1** On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- 2 Click Error Detection Settings.
- **3** In the Configuration Parameters dialog box, in **Design Error Detection** pane, select **Out of bound array access**.
- 4 Click OK.
- 5 Click **Detect Design Errors**.

The Simulink Design Verifier log window opens, showing the progress of the analysis.

When the analysis is complete:

- The software highlights the model with the analysis results.
- The Simulink Design Verifier Results dialog box opens and displays an analysis summary.

**Note** If a model contains out of bound array access error, after the first occurrence of array access, Simulink Design Verifier assumes that the array index is within bounds for the remaining analysis. Hence, design error detection objectives that are analyzed after this assumption may be reported as valid, even if the design errors occur in the model.

#### **Detect Out of Bound Array Access Example Model**

This example shows how to detect out of bound array access errors and review the analysis results. In the sldvdemo\_array\_bounds example model, the ComputeIndex MATLAB Function block uses the input signal values to determine range of indices with minimum minIdx and maximum maxIdx. The ArrayOp\_Matlab, ArrayOp\_MAL, and ArrayOp\_SF blocks use the set of integer indices between minIdx and maxIdx to access array elements and perform array operations.

#### Step 1: Open the Model

At the command prompt, enter:

```
open_system('sldvdemo_array_bounds');
```



Copyright 2010-2019 The MathWorks, Inc.

#### **Step 2: Perform Design Error Detection Analysis**

The analysis options in the model are preconfigured for out of bound array access error detection. To view these options, in the Simulink Editor, double-click the **View Options** button.

To perform design error detection analysis, in the Simulink Editor, double-click the **Run** button. The Simulink® Design Verifier<sup>™</sup> Results Summary window opens that displays the progress of the analysis. When the analysis completes, the example model is highlighted with the analysis results.



#### **Step 3: Review Analysis Results**

To view the analysis results inside the chart, double-click the ArrayOp\_SF Chart block that is highlighted in red.



Simulink Design Verifier detects that the index out of bound errors occurs in array u in state Diff.

#### **Step 4: Create Harness and Simulate Test Cases**

Click the first **View test case** link. Simulink Design Verifier creates and opens a harness model that contains test cases, that demonstrate out of bound array access errors. In the Signal Builder dialog box, click **Start simulation** to simulate the harness model with Test Case 2.

The simulation stops before entering the state Diff. The Stateflow® Debugger opens. The following error is shown:

Attempted to access index 4 of u with smaller dimension sizes. The valid index range is 0 to 3. This error will stop the simulation. State 'Diff' in Chart 'sldvdemo\_array\_bounds\_harness/Test Unit (copied from sldvdemo array bounds)/ArrayOp SF': y = u[maxIdx] - u[minIdx];

Keep the Stateflow® Debugger open at this breakpoint. In the sldvdemo\_array\_bounds\_harness model, hold your cursor over the Diff state to see the data values at this simulation breakpoint.



Using Test Case 2 input signal values, the ComputeIndex MATLAB Function block determines the range of array indices to be 1:4. One-based indexing is consistent with MATLAB syntax, so these indices are valid for the ArrayOp\_Matlab MATLAB Function block and the ArrayOp\_MAL Stateflow® chart.

The ArrayOp\_SF Stateflow® chart uses C as the action language, which does not support one-based indexing. Thus, 1:4 is not a valid index range for array access in the chart. The valid index range for array access in the chart is 0:3, as reported by the error message. When either maxIdx or minIdx evaluates to 4, an out of bound array access error occurs in the ArrayOp\_SF Chart block. For more information on zero-based indexing support, see "Differences Between MATLAB and C as Action Language Syntax" (Stateflow).

# Limitations of Support for Out of Bound Array Access Design Error Detection

#### Inf Index Values

Design error detection does not support indexing by Inf. If your model attempts to access an array using an index value that evaluates to Inf, design error detection does not report an out of bound array access error, but in simulation, an out of bound array access error occurs.

#### Index Vector Block with Scalar Data Input

Out of bound array access design error detection does not support Index Vector blocks with scalar data inputs. If your model includes an Index Vector block that specifies a scalar data input instead of a vector data input and the control input causes an out of bounds array access, design error detection does not report an error, but an error occurs in simulation.

## See Also

### **More About**

• "Detect Out of Bound Array Access Example Model" on page 6-54

## **Detect Non-Finite, NaN, and Subnormal Floating-Point Values**

To detect occurrences of nonfinite, NaN, and subnormal floating-point values in a model:

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- 2 Click Error Detection Settings.
- 3 In the Configuration Parameters dialog box, in **Design Error Detection** pane:
  - a Select the check box for "Non-finite and NaN floating-point values" on page 15-47.
  - **b** Select the check box for "Subnormal floating-point values" on page 15-47.
  - c To apply these settings, click **OK** and close the Configuration Parameters dialog box.
- 4 Click **Detect Design Errors**.

Simulink Design Verifier analyzes the model to detect the occurrences of nonfinite, NaN, and subnormal floating-point values.

After the analysis is complete:

- The software highlights the model with the analysis results.
- The Results Summary windows displays the summary of the analysis.

#### **Assumptions and Limitations**

When you analyze a model and select "Non-finite and NaN floating-point values" on page 15-47, the software assumes that the floating-point input values and the tunable parameter values are finite.

When you analyze a model and select "Subnormal floating-point values" on page 15-47, the software assumes that the floating-point input values and the tunable parameter values are normal.

Models that use double-precision floating-point signals take more time to analyze than similar models that use single-precision floating-point signals. As a result, models that use double-precision floating-point signals might time out whereas similar models that use single-precision floating-point signals complete their analysis. To improve analysis performance, consider specifying minimum and maximum values that mimic environmental constraints on root-level Inport blocks.

If the model contains cast operations between floating-point signals and multiword fixed-point signals, the analysis might not be able to decide all objectives.

## **Run Design Error Detection Analysis to Detect Floating-Point Errors**

This example shows how to detect nonfinite, NaN, and subnormal floating-point values in the sldvexFloatingPointErrorChecks example model. The model consists of floating-point arithmetic operations that result in an error. Perform design error detection analysis to detect these errors in the model.

#### 1. Open the Model

This example model consists of Add and Divide blocks that handle floating-point calculations. The design error detection analysis detects the occurrences of floating-point errors in the model and reports the results.

open\_system('sldvexFloatingPointErrorChecks');

#### Simulink Design Verifier Design Error Detection for Non-Finite, NaN, and Subnormal Floating-Point Values



This example shows how to detect non-finite, NaN, and subnormal floating-point values by using Simulink Design Verifier.

This model contains errors that result from floating-point arithmetic operations.



Copyright 2018 The MathWorks, Inc.

#### 2. Perform Design Error Detection Analysis

The model is preconfigured with **Non-finite and NaN floating-point values** and **Subnormal floating-point values** options set to **On**. For more information see "Design Verifier Pane: Design Error Detection" on page 15-42.

To perform design error detection analysis, on the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**. Click **Detect Design Errors**.

The software analyzes the model for floating-point errors and displays the results in the Results Summary window. The result indicates that 4 out of 6 objectives are falsified.

#### 3. Review Analysis Results

a. Click **Highlight analysis results on model**. The model blocks that result in floating-point errors are highlighted in red.

b. Click the **Add** block highlighted in red. The Result Inspector displays the summary of the floatingpoint error objectives.



c. Click the **Division** block highlighted in red. The Result Inspector displays the summary of the floating-point error objectives.



#### 4. View Detailed Analysis Report

To view the detailed analysis report, in the Results Summary window, click **HTML**. The report displays the summary of all occurrences of floating-point errors in the model.

# **Chapter 3. Design Error Detection Objectives Status**

#### Table of Contents

<u>Objectives Valid</u> <u>Objectives Falsified - Needs Simulation</u>

#### **Objectives Valid**

| # | Туре                 | Model Item | Description     | Analysis Time (sec) | Test Case |
|---|----------------------|------------|-----------------|---------------------|-----------|
| 2 | Floating-point error | Add        | NaN             | 14                  | n/a       |
| 3 | Floating-point error | Add        | Subnormal value | 14                  | n/a       |

## **Objectives Falsified - Needs Simulation**

| #  | Туре                 | Model Item | Description     | Analysis Time (sec) | Test Case |
|----|----------------------|------------|-----------------|---------------------|-----------|
| 1  | Floating-point error | Add        | +/-Infinity     | 39                  | 2         |
| 8  | Floating-point error | Divide     | +/-Infinity     | 39                  | 1         |
| 9  | Floating-point error | Divide     | NaN             | 190                 | 4         |
| 10 | Floating-point error | Divide     | Subnormal value | 114                 | <u>3</u>  |

#### 5. Clean Up

To complete this example, close the model.

close\_system('sldvexFloatingPointErrorChecks', 0);

# See Also

# **More About**

- "Design Verifier Pane: Design Error Detection" on page 15-42
- "Simulink Design Verifier Options" on page 15-2

# **Detect Data Store Access Violations**

Simulink Design Verifier design error detection analysis identifies unintended sequences of data store reads and writes that occur during simulation. The analysis detects these data store access violations:

- Read-before-write
- Write-after-read
- Write-after-write

To detect data store access violations in your model:

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**.
- 2 Click Error Detection Settings.
- **3** In the Configuration Parameters dialog box, in the **Design Error Detection** pane, select "Data store access violations" on page 15-45. Click **OK**.
- 4 Click **Detect Design Errors**.

After the analysis is complete, the software highlights the model with the analysis results and the Results Summary window displays the summary of the analysis.

# **Detect Data Store Access Violations in a Model**

This example shows how to detect data store access violations and review the analysis results. The sldvexDataStoreAccessViolations example model consists of Data Store Memory blocks that define the alpha and beta data stores. In the example model, the Write Subsystem writes the data to the data store by using Data Store Write blocks and the Read Subsystem reads the data from the data store by using the Data Store Read blocks.

#### Step 1: Open the Model

At the command prompt, enter:

open\_system('sldvexDataStoreAccessViolations');





Copyright 2019 The MathWorks, Inc.

#### Step 2: Configure Analysis Options to Detect Data Store Access Violations

The model is preconfigured with the **Data store access violations** parameter set to **On**.

#### **Step 3: Perform Design Error Detection Analysis**

On the **Design Verifier** tab, click **Detect Design Errors**. Simulink Design Verifier analyzes the model for data store access violations. After the analysis completes, the Results Summary window displays that one objective was falsified.

#### Step 4: Review Analysis Results

The model is highlighted with the analysis results.

(1) Open the Read Subsystem and click Data Store Read1 block that is highlighted in red. The Results Inspector window displays the Read-before-write objective that violates the data store access order.



(2) To view the test case that replicates the error, click **View test case**. The harness model and the Signal Builder block open that displays the test case.

(3) To simulate the test case, in the Signal Builder dialog box, click **Start simulation**. After the simulation completes, the Diagnostic Viewer window displays this warning message:

The block 'sldvexDataStoreAccessViolations\_harness/Test Unit (copied from sldvexDataStoreAccessViolations)/Read Subsystem/Data Store Read1' is reading from the data store 'sldvexDataStoreAccessViolations\_harness/Test Unit (copied from sldvexDataStoreAccessViolations)/Data Store Memory1' before any blocks have written to this entire region of memory at time 0.0. For performance reasons, occurrences of this diagnostic for this memory at other simulation time steps will be suppressed.

#### Step 5: Fix the Data Store Access Violation Error

The read-before-write objective results in error because no block has been written to the **beta** data store before the read operation executes.

Open the Write Subsystem and double-click Write "alpha". In the Write "alpha" subsystem, only the alpha data store is written with a constant value. Hence, the read-before-write data store access violation occurs for the "beta" Data Store Read block.

To fix the error, in the Write "alpha" subsystem, add a Constant block and write its value to beta data store by using the Data Store Write block (highlighted in figure below).



On the **Design Verifier** tab, click **Detect Design Errors**. After the analysis completes, the software reports that all the objectives are valid.

#### See Also

- "Data Store Basics"
- "Detect Data Store Access Violations"

# See Also

## **More About**

• "Design Verifier Pane: Design Error Detection" on page 15-42

# Detect Violations of High-Integrity Systems Modeling Guidelines

Simulink Design Verifier design error detection analysis detects violations of the following High-Integrity Systems Modeling Guidelines:

- Usage of rem and reciprocal operations hisl\_0002
- Usage of square root operations hisl\_0003
- Usage of log and log10 operations hisl 0004
- Usage of Reciprocal Square Root blocks hisl 0028

# Usage of rem and reciprocal operations - hisl\_0002

Specify whether to check the usage of rem and reciprocal operations that cause non-finite results.

This corresponds to the hisl\_0002 check for High-Integrity Systems Modeling. For more information, see hisl\_0002: Usage of Math Function blocks (rem and reciprocal).

# Usage of square root operations - hisl\_0003

Specify whether to check the usage of Square Root operations with inputs that can be negative.

This corresponds to the hisl\_0003 check for High-Integrity Systems Modeling. For more information, see hisl\_0003: Usage of Square Root blocks.

# Usage of log and log10 operations - hisl\_0004

Specify whether to check the usage of log and log10 operations that cause non-finite results.

This corresponds to the hisl\_0004 check for High-Integrity Systems Modeling. For more information, see hisl\_0004: Usage of Math Function blocks (natural logarithm and base 10 logarithm).

# Usage of Reciprocal Square Root blocks - hisl\_0028

Specify whether to check the usage of Reciprocal Square Root blocks with inputs that can go zero or negative.

This corresponds to the hisl\_0028 check for High Integrity Systems Modeling. For more information, see hisl\_0028: Usage of Reciprocal Square Root blocks.

# **Detect Violations of High-Integrity Systems Modeling Guidelines**

This example shows how to detect violations of High-Integrity Systems Modeling guidelines.

#### 1. Open the Model

This example model explains about usage of remainder and reciprocal operations, square root operations, log and log10 operations, and Reciprocal Square Root blocks.

open\_system('sldvexHislChecks');







#### 2. Perform Design Error Detection Analysis

The model is preconfigured with High-Integrity Systems Modeling checks, **Usage of remainder and** reciprocal operations- hisl\_0002, Usage of square root operations-hisl\_0003, Usage of log and log10 operations-hisl\_0004, and Usage of Reciprocal Square Root blocks-hisl\_0028. For more information see "Design Verifier Pane: Design Error Detection" on page 15-42.

To perform design error detection analysis, on the **Design Verifier** tab, in the **Mode** section, select **Design Error Detection**. Then click **Detect Design Errors**.

The software analyzes the model for violations of the High-Integrity Systems Modeling guidelines and displays the results in the Results Summary window. The results indicate that 15 out of 29 objectives are falsified.

| 🎦 Sir      | mulink Design Verifier                                                                                                                                                                                                                                                                                   | Results Summary: sldvexHislChecks                                                                                          | $\times$ |  |  |
|------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------|--|--|
| Pro        | gress                                                                                                                                                                                                                                                                                                    |                                                                                                                            | ^        |  |  |
| Val<br>Fal | jectives processed<br>id<br>sified<br>psed time                                                                                                                                                                                                                                                          | 29/29<br>14<br>15<br>0:23                                                                                                  |          |  |  |
|            | pseu une                                                                                                                                                                                                                                                                                                 | 0.25                                                                                                                       | _        |  |  |
| 14/2       | ign error detection o<br>29 objectives valid<br>29 objectives falsifie                                                                                                                                                                                                                                   | completed normally.<br>d - need simulation                                                                                 |          |  |  |
| Res        | ults:                                                                                                                                                                                                                                                                                                    |                                                                                                                            |          |  |  |
|            | <ul> <li><u>Open filter viewer</u></li> <li><u>Highlight analysis results on model</u></li> <li><u>View tests in Simulation Data Inspector</u></li> <li><u>Detailed analysis report: (HTML) (PDF)</u></li> <li><u>Create harness model</u></li> <li><u>Export test cases to Simulink Test</u></li> </ul> |                                                                                                                            |          |  |  |
| in fo      | older: <u>C:\Users\pdas</u>                                                                                                                                                                                                                                                                              | slChecks_sldvdata2.mat<br>sbasu\OneDrive - MathWorks\Documents\MATLAB<br>basu.Bdoc21b.j1706738\sldv-ex65254669\sldv_output |          |  |  |
|            |                                                                                                                                                                                                                                                                                                          |                                                                                                                            | _        |  |  |
|            |                                                                                                                                                                                                                                                                                                          | View Log Close                                                                                                             | -~       |  |  |
| <          |                                                                                                                                                                                                                                                                                                          |                                                                                                                            | >        |  |  |

#### 3. Review Analysis Results

Click **Highlight analysis results on model**. The blocks that result in violations of High-Integrity Systems Modeling guidelines are highlighted in red.

a. Click the **Rem** and **Reciprocal** blocks highlighted in red. The Result Inspector displays the summary of the violation of hisl\_0002 guideline.

| Hisl_0002                       | Results: sldvexHislChecks —                                                                                                                          | Results: sldvexHislChecks – 🗆 🗙                                                                                                  |
|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| 1 double                        | $\langle - \rangle $                                                                                                                                 | ←⇒ 🖄 🔻 🗭                                                                                                                         |
|                                 | Back to summary sldvexHislChecks/Rem                                                                                                                 | Back to summary A                                                                                                                |
| Rem                             | High-Integrity Systems Modeling Checks Objectives           Hisl_0002         Error - needs simulation         - View counterexample         Justify | High-Integrity Systems Modeling Checks Objectives Hisl_0002 Error - needs - <u>View</u> <u>Justify</u> simulation counterexample |
| 2 double $\frac{1}{u}$ double 2 | Derived Ranges:                                                                                                                                      | Derived Ranges:                                                                                                                  |
| Reciprocal                      | Outport 1:{ [-InfInf] NaN }                                                                                                                          | Outport 1:[-InfInf]                                                                                                              |

b. Click the **Sqrt** block highlighted in red. The Result Inspector displays the summary of the violation of hisl\_0003 guideline.



c. Click the Log and Log10 blocks highlighted in red. The Result Inspector displays the summary of the violation of hisl\_0004 guideline.



d. Click the **Reciprocal Square Root** block highlighted in red. The Result Inspector displays the summary of the violation of hisl\_0028 guideline.

| Hisl_0028                 | Results: sldvexHislChecks –                                                    | $\times$     |
|---------------------------|--------------------------------------------------------------------------------|--------------|
|                           | $\langle - \Rightarrow \Box$                                                   | - 9          |
|                           | Back to summary                                                                | ^            |
| 13 double $1$ double $13$ | sldvexHislChecks/RecSqrt                                                       |              |
| RecSqrt                   | High-Integrity Systems Modeling Checks Objectives                              |              |
| Output Data:real          | Hisl_0028 Error - needs simulation - <u>View counterexample</u> <u>Justify</u> |              |
|                           | Derived Ranges:                                                                |              |
|                           | Outport 1:{ [-InfInf] NaN }                                                    | $\checkmark$ |

e. Click the **MATLAB Function** block highlighted in red. The Result Inspector displays the summary of hisl\_0002, hisl\_0003, and hisl\_0004 checks.

| Results: sldvexHislChecks –                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | $\times$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Image: SidvexHislChecks/MATLAB Function         High-Integrity Systems Modeling Checks Objectives         Hisl_0003: sqrt(u1)       Error - needs simulation       • View counterexample       Justify         Hisl_0003: sqrt(u2)       Valid         Hisl_0004: log(u1)       Error - needs simulation       • View counterexample       Justify         Hisl_0004: log(u2)       Valid       • View counterexample       Justify         Hisl_0002: rem(u1,u2)       Valid       • View counterexample       Justify         Hisl_0002: rem(u1,u3)       Error - needs simulation       • View counterexample       Justify         Derived Ranges:       Image: Prove Counterexample       Justify | *                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Image: SidvexHisiChecks/MATLAB Function         High-Integrity Systems Modeling Checks Objectives         Hisl_0003: sqrt(u1)       Error - needs simulation       - View counterexample       Justify         Hisl_0003: sqrt(u2)       Valid         Hisl_0004: log(u1)       Error - needs simulation       - View counterexample       Justify         Hisl_0004: log(u2)       Valid         Hisl_0002: rem(u1,u2)       Valid         Hisl_0002: rem(u1,u3)       Error - needs simulation       - View counterexample       Justify |

#### 4. View Detailed Analysis Report

To view the detailed analysis report, in the Results Summary window, click **HTML**. The report displays the summary of all occurrences of High-Integrity Systems Modeling violations in the model.

#### 5. Clean Up

To complete this example, close the model.

```
close_system('sldvexHislChecks', 0);
```

## See Also

#### **More About**

- "Simulink Design Verifier Options" on page 15-2
- "Design Verifier Pane: Design Error Detection" on page 15-42

# Filter Objectives by Using Simulink Design Verifier Filter Explorer

Filtering model objects and code expressions from design error detection or test generation analysis allows you to focus on a subset of objects for Simulink Design Verifier analysis. Use filters when you have model objects that take a long time to analyze or when you want to focus on specific objectives for analysis.

You can add one or more filter files by opening the **Configuration Parameters** window, clicking **Design Verifier** and, under **Advanced parameters**, selecting "Ignore objectives based on filter" on page 15-17. Enter your filter files in the **Filter file(s)** parameter. For more information about coverage filter files, see "Creating and Using Coverage Filters" (Simulink Coverage). You can also filter the **Design Verifier** objectives for code-based analysis to align code-based results to model-based results.

After you perform design error detection or test generation analysis, you can justify unsatisfiable, dead logic, undecided, and falsified objectives by using the Simulink Design Verifier Filter Explorer. When you edit filters by using Simulink Design Verifier Filter Explorer, you can update the Simulink Design Verifier report and highlight the analysis results on the model without reanalyzing the model. For detailed example on how to filter objectives, see "Exclude and Justify Objectives for Design Error Detection" on page 6-59.

## Use the Simulink Design Verifier Filter Explorer to Edit Filter Files

After analyzing your model, you can use Simulink Design Verifier Filter Explorer to justify the falsified, unsatisfiable, undecided, and dead logic objectives and update the filter files.

You can open the filter explorer from the Results Summary window or from the Results Inspector window.

• In the Results Summary window, click **Open filter explorer**.

| Design error detection completed normally.<br>3/6 objectives valid<br>1/6 objective falsified<br>1/6 objective excluded<br>1/6 objective justified                                                                                                                     |  |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Results:                                                                                                                                                                                                                                                               |  |
| Open filter explorer     Highlight analysis results on model     View tests in Simulation Data Inspector     Detailed analysis report: (HTML) (PDF)     Create harness model     Save test cases/counterexamples to spreadsheet     Export test cases to Simulink Test |  |

- In the Results Inspector window,
  - To see the filter rule for a justified objective, click View.
  - To justify an objective, click **Justify**.



In the Simulink Design Verifier Filter Explorer, you can:

- Create, load, edit, or save filter files.
- Create a filter file to justify all the Unsatisfiable, Falsified and Dead Logic objectives from the active sldvData.
- Navigate to the model to inspect the model objects associated with a filter rule.
- Add rationale description about why the objective or model object or code expression is excluded or justified.

| 🧱 Simulink Design Verifier | Filter Explorer: sldvexControllerFilterObjectives                                                                             | _   |       | $\times$ |
|----------------------------|-------------------------------------------------------------------------------------------------------------------------------|-----|-------|----------|
| Applied filters (1)        | Simulink Design Verifier Filter Explorer: sldvexControllerFilterObjectives<br>Add justification rules to the selected filter. |     |       |          |
| Untitled                   | New filter         Load filter         Create justification rules for violations and dead logic from the active sldvData      |     |       |          |
| < >                        | Revert                                                                                                                        | elp | Apply | ý        |



| Task                                                                                                                 | Action                                                                                                                                                                                                                                        |  |
|----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
| Navigate to a model object associated with a rule. Note This step is valid only for model objective analysis.        | <ol> <li>Select the rule.</li> <li>Click View in model. The model object is highlighted in blue.</li> </ol>                                                                                                                                   |  |
| Delete a rule.                                                                                                       | <ol> <li>Select the rule.</li> <li>Click Remove rule.</li> </ol>                                                                                                                                                                              |  |
| Save the current rules to a file.                                                                                    | <ol> <li>Click Apply.</li> <li>Specify a file name and folder for the filter file and click Save.</li> </ol>                                                                                                                                  |  |
| Rename a filter file                                                                                                 | <ol> <li>Click Save as.</li> <li>Specify a file name and folder for the filter file and click Save.</li> </ol>                                                                                                                                |  |
| Load an existing filter file.                                                                                        | <ol> <li>Click Load filter.</li> <li>Navigate to the filter file and click Open.</li> </ol>                                                                                                                                                   |  |
| Highlight the model and update the current<br>analysis report with the current filter files.                         | <ol> <li>Apply or Revert any changes you have<br/>made.</li> <li>The model is highlighted with the updated<br/>filter rules.</li> <li>In the Results Summary window or in the<br/>Results inspector window, click HTML or<br/>PDF.</li> </ol> |  |
| Create an empty filter file.                                                                                         | Click <b>New filter</b>                                                                                                                                                                                                                       |  |
| Remove a filter from Filter Explorer.                                                                                | Right-click the corresponding node under<br>Applied filters and select Remove                                                                                                                                                                 |  |
| Create a filter file to justify all Unsatisfiable,<br>Falsified, and Dead Logic objectives in the<br>active sldvData | <ol> <li>Click Create justification rules for<br/>violations and dead logic from the active<br/>sldvData</li> <li>Click Save as</li> <li>Specify a file name and folder for the filter<br/>file and click Save</li> </ol>                     |  |

# Limitations

Simulink Design Verifier does not support filtering objectives associated with property proving analysis.

# See Also

## **More About**

- "Design Verifier Pane" on page 15-9
- "Create, Edit, and View Coverage Filter Rules" (Simulink Coverage)
- "Review Results" on page 13-35

# **Detect Integer Overflow Errors**

This example shows how to detect integer overflow errors in a model by using design error detection analysis. Simulink® Design Verifier<sup>™</sup> identifies the model constructs that may result in integer overflows and then either proves that the integer overflow cannot occur during simulation or generates test cases that demonstrates the integer overflow error.

In this example, you will perform design error detection analysis on a model, then generate a report that shows which integer overflow objectives were valid and which objectives resulted in errors.

#### Step 1: Open the Model

At the command prompt, enter:

open\_system('sldvdemo\_design\_error\_detection');



Copyright 2006-2023 The MathWorks, Inc.

#### **Step 2: Perform Design Error Detection Analysis**

The model is preconfigured with the **Integer overflow** option enabled in the Configuration Parameters dialog box, on the **Design Verifier > Design Error Detection** pane.

#### On the **Design Verifier** tab, click **Detect Design Errors**.

The software analyzes the model for integer overflow errors. After the analysis completes, the Results Summary window reports that five objectives are valid and two objectives are falsified.

| 🚹 Simulink Design Verifier Re                                                                                                                                                                                                                                         | ults Summary: sldvdemo_design_error_d                                     | letection × |  |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|-------------|--|--|--|
| Progress                                                                                                                                                                                                                                                              |                                                                           |             |  |  |  |
| Objectives processed<br>Valid<br>Falsified<br>Elapsed time                                                                                                                                                                                                            | 7/7<br>5<br>2<br>0:24                                                     |             |  |  |  |
| Design error detection con<br>5/7 objectives valid                                                                                                                                                                                                                    |                                                                           |             |  |  |  |
| 2/7 objectives falsified - need simulation<br>Results:                                                                                                                                                                                                                |                                                                           |             |  |  |  |
| <ul> <li>Open filter viewer</li> <li>Highlight analysis results on model</li> <li>View tests in Simulation Data Inspector</li> <li>Detailed analysis report: (<u>HTML</u>) (PDF)</li> <li>Create harness model</li> <li>Export test cases to Simulink Test</li> </ul> |                                                                           |             |  |  |  |
|                                                                                                                                                                                                                                                                       | lesign_error_detection_sldvdata.mat<br>dv_output\sldvdemo_design_error_de | etection    |  |  |  |
|                                                                                                                                                                                                                                                                       | View L                                                                    | .og Close   |  |  |  |

#### **Step 3: Review Analysis Results**

To highlight the analysis results on the model, in the Results Summary window, click **Highlight analysis results on model**. The valid objectives are highlighted in green and the falsified objectives are highlighted in red.



Double-click the **Controller** subsystem. Click the Sum block that is highlighted in red. The Results Inspector window displays the integer overflow objectives.

To view the test case that results in the error, click **View test case**. The harness model opens and the Signal Builder block displays the test case that results in the error.

#### Step 4: Fix the Integer Overflow Error

For both the Sum blocks that generated the integer overflow, enable the **Saturate on integer overflow** option. Alternatively, you can double-click the **Toggle Saturation on overflow** button in the Simulink Editor.

To confirm that the integer overflow error was resolved, on the **Design Verifier** tab, click **Detect Design Errors**. After the analysis completes, the software reports that all the objectives are valid.

#### **Related Topics**

- "Detect Integer Overflow and Division-by-Zero Errors" on page 6-19
- "Understand the Analysis Results" on page 6-4

# **Detect Out of Bound Array Access Example Model**

This example shows how to detect out of bound array access errors and review the analysis results. In the sldvdemo\_array\_bounds example model, the ComputeIndex MATLAB Function block uses the input signal values to determine range of indices with minimum minIdx and maximum maxIdx. The ArrayOp\_Matlab, ArrayOp\_MAL, and ArrayOp\_SF blocks use the set of integer indices between minIdx and maxIdx to access array elements and perform array operations.

#### Step 1: Open the Model

At the command prompt, enter:

open\_system('sldvdemo\_array\_bounds');



Copyright 2010-2019 The MathWorks, Inc.

#### **Step 2: Perform Design Error Detection Analysis**

The analysis options in the model are preconfigured for out of bound array access error detection. To view these options, in the Simulink Editor, double-click the **View Options** button.

To perform design error detection analysis, in the Simulink Editor, double-click the **Run** button. The Simulink® Design Verifier<sup>™</sup> Results Summary window opens that displays the progress of the analysis. When the analysis completes, the example model is highlighted with the analysis results.



#### **Step 3: Review Analysis Results**

To view the analysis results inside the chart, double-click the  $ArrayOp\_SF$  Chart block that is highlighted in red.

| 🎦 Results: sldvdemo_array_bounds                                                                                                                                                                                                                                                                                                                                                                 |  | $\times$ |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|----------|
| $\langle - \Rightarrow @$                                                                                                                                                                                                                                                                                                                                                                        |  | - 9      |
| Design error detection completed normally.         7/9 objectives valid         2/9 objectives falsified         Results:         • Open filter explorer         • View tests in Simulation Data Inspector         • Detailed analysis report: (HTML) (PDF)         • Create harness model         • Save test cases/counterexamples to spreadsheet         • Export test cases to Simulink Test |  |          |

Simulink Design Verifier detects that the index out of bound errors occurs in array u in state Diff.

#### Step 4: Create Harness and Simulate Test Cases

Click the first **View test case** link. Simulink Design Verifier creates and opens a harness model that contains test cases, that demonstrate out of bound array access errors. In the Signal Builder dialog box, click **Start simulation** to simulate the harness model with Test Case 2.

The simulation stops before entering the state Diff. The Stateflow® Debugger opens. The following error is shown:

Attempted to access index 4 of u with smaller dimension sizes. The valid index range is 0 to 3. This error will stop the simulation. State 'Diff' in Chart 'sldvdemo\_array\_bounds\_harness/Test Unit (copied from sldvdemo\_array\_bounds)/ArrayOp\_SF': y = u[maxIdx] - u[minIdx];

Keep the Stateflow® Debugger open at this breakpoint. In the sldvdemo\_array\_bounds\_harness model, hold your cursor over the Diff state to see the data values at this simulation breakpoint.



Using Test Case 2 input signal values, the ComputeIndex MATLAB Function block determines the range of array indices to be 1:4. One-based indexing is consistent with MATLAB syntax, so these indices are valid for the ArrayOp\_Matlab MATLAB Function block and the ArrayOp\_MAL Stateflow® chart.

The ArrayOp\_SF Stateflow® chart uses C as the action language, which does not support one-based indexing. Thus, 1:4 is not a valid index range for array access in the chart. The valid index range for array access in the chart is 0:3, as reported by the error message. When either maxIdx or minIdx evaluates to 4, an out of bound array access error occurs in the ArrayOp\_SF Chart block. For more information on zero-based indexing support, see "Differences Between MATLAB and C as Action Language Syntax" (Stateflow).

# **Detect Design Errors in C/C++ Custom Code**

To detect division by zero and out of bound array access errors in a model with C/C++ custom code in model blocks or Stateflow® charts, use design error detection analysis. Simulink Design Verifier identifies the code that results in errors and then either proves that the errors are valid or generates test cases that replicate the error.

This example shows how to detect division by zero errors in a model that consists of C/C++ code in a Stateflow® chart.

#### Step 1: Open the Model

The example model sldvexCustomCodeErrorDetectionExample contains a Stateflow® chart that calls C/C++ custom code that uses input and output buses.

open\_system('sldvexCustomCodeErrorDetectionExample');

# Simulink Design Verifier Detect Design Errors in C/C++ Custom Code



Copyright 2019 The MathWorks, Inc.

#### **Step 2: Perform Design Error Detection Analysis**

To perform design error detection analysis, on the **Design Verifier** tab, click **Detect Design Errors**. After the analysis completes, the Results Summary window indicates that one objective is falsified.

#### Step 3: Review the Analysis Results

On the **Design Verifier** tab, in the **Review Results** section, click **Highlight in Model**. To view the C/C++ run-time error objectives that resulted in the error, click on the Simulink® Editor. The Results Inspector window displays the division by zero objectives.

| Results: sldvexCustomCodeErrorDetection                              | —                           |     | $\times$  |      |
|----------------------------------------------------------------------|-----------------------------|-----|-----------|------|
| $\Leftarrow \Rightarrow \oslash$                                     |                             |     |           | v 😼  |
| Back to summary                                                      |                             |     |           |      |
| sldvexCustomCodeErrorDetectionExample                                |                             |     |           |      |
| C/C++ Runtime Error Objectives                                       |                             |     |           |      |
| Division by zero (file<br>sldvexCustomCodeErrorDetection.c, line 23) | Error - needs<br>simulation | - 1 | View test | case |

**Note**: When you click **View test case** for the Error - needs simulation objective, Simulink® Design Verifier<sup>TM</sup> displays the test case that replicates the error. If you simulate the test case, MATLAB® may crash during custom code analysis.

To view the HTML report, on the **Design Verifier** tab, click **HTML Report**. The Design Error Detection Objectives Status section in the report describes the falsified objective.

## **Objectives Falsified - Needs Simulation**

| #  | Туре                      | Model Item                                   | Description                                                             | Analysis<br>Time (sec) | Test Case |
|----|---------------------------|----------------------------------------------|-------------------------------------------------------------------------|------------------------|-----------|
| 20 | C/C++<br>Runtime<br>Error | <u>sldvexCustomCodeErrorDetectionExample</u> | Division by zero (file<br>sldvexCustomCodeErrorDetection.c,<br>line 23) | 21                     | 1         |

#### **Step 4: Fix Design Errors**

In the example model, right-click the Saturation block that is greyed out and **Uncomment** the block. Reanalyze the model, by clicking **Detect Design Errors**. The results show that the C/C++ run-time objective is valid.

#### Step 5: Clean Up

To complete the example, close the model.

close\_system('sldvexCustomCodeErrorDetectionExample', 0);

#### **Related Topics**

- "Design Error Detection Objectives Status" on page 13-43
- "Design Verifier Pane: Design Error Detection" on page 15-42

# **Exclude and Justify Objectives for Design Error Detection**

This example shows how to exclude a model object from Simulink® Design Verifier<sup>™</sup> analysis by using a coverage filter file. After performing analysis, you can justify objectives by using **Analysis Filter** viewer, update the filter file, you can justify objectives by using **Analysis Filter** explorer, update the filter file, you can justify objectives by using Simulink® Design Verifier<sup>™</sup> Filter Explorer, update the filter file, and review the analysis results.

#### Step 1: Open the Model

The example model sldvexControllerFilterObjectives is a controller model that operates according to the controller algorithm.

open\_system('sldvexControllerFilterObjectives');



#### Simulink Design Verifier Filter Objectives for Design Error Detection Analysis

Copyright 2019 The MathWorks, Inc.

#### Step 2: Exclude a Model Object from Analysis

The model is preconfigured with the **Ignore objectives based on filter** option set to On and a coverage filter file specified by sldvexControllerFilterObjectives\_filter.cvf. The coverage filter file consists of a rule that excludes the Abs block from the analysis. For more information on coverage filter file, see "Creating and Using Coverage Filters" (Simulink Coverage).

On the **Apps** tab, under **Model Verification, Validation, and Test**, click **Design Verifier**. Then, click **Detect Design Errors**. After the analysis completes, the Results Summary window reports that 5 objectives were processed, out of which, 3 were valid and 2 were falsified. The summary shows that 1 objective was excluded from analysis.

| 🚹 Simulink Design Verifier Re                                          | sults Summary: sldvexControll                                                                                               | erFilterObjectives | ×     |
|------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------------|-------|
| Progress<br>Objectives processed<br>Valid<br>Falsified<br>Elapsed time | 5/5<br>3<br>2<br>0:22                                                                                                       |                    |       |
| Export test cases to                                                   | esults on model<br>ation Data Inspector<br>port: ( <u>HTML</u> ) ( <u>PDF</u> )<br><u>fel</u><br>nterexamples to spreadshee | _                  |       |
|                                                                        |                                                                                                                             | View Log           | Close |

#### Step 3: Open the Analysis Filter Viewer

On the Results Summary window, click **Open filter viewer**. The **Analysis Filter** viewer opens that displays the name, type, and rationale for the excluded

#### Step 3: Open the Analysis Filter Explorer

On the Results Summary window, click **Open filter explorer**. The **Analysis Filter** explorer opens that displays the name, type, and rationale for the excluded

#### Step 3: Open the Simulink Design Verifier Filter Explorer

On the Results Summary window, click **Open filter explorer**. The Filter Explorer opens.

| 🦉 Simulink Design Verifier Filt | ter Explorer: sld | vexControllerFilterOb    | ojectives            |          |                                                | - 🗆           |
|---------------------------------|-------------------|--------------------------|----------------------|----------|------------------------------------------------|---------------|
|                                 | Filter E          | ditor                    |                      |          |                                                |               |
| Applied filters (1)             | Filter 1          | lame Untitled            |                      |          |                                                |               |
| - Ontitieu                      |                   | ne: sldvexControllerFili | terObjectives_filter |          |                                                |               |
|                                 | Save as           |                          |                      |          |                                                |               |
|                                 | Descrip           | tion                     |                      |          |                                                |               |
|                                 |                   |                          |                      |          |                                                |               |
|                                 |                   |                          |                      |          |                                                |               |
|                                 | Filter R          | ules                     |                      |          |                                                |               |
|                                 | Mo                | del Code                 |                      |          |                                                |               |
|                                 |                   |                          |                      |          |                                                | _             |
|                                 |                   | Name                     | Туре                 | Mode     | Rationale                                      |               |
|                                 | Abs               |                          | by block path        | Excluded | <ul> <li>Design error depends on up</li> </ul> |               |
|                                 |                   |                          |                      |          |                                                | Remove rule   |
|                                 |                   |                          |                      |          |                                                | View in model |
|                                 |                   |                          |                      |          |                                                |               |
|                                 |                   |                          |                      |          |                                                | View in moder |
|                                 |                   |                          |                      |          |                                                | View in model |
|                                 |                   |                          |                      |          |                                                | View in model |
|                                 |                   |                          |                      |          |                                                |               |
|                                 | Sele              | c <b>ted rule</b> Abs    |                      |          |                                                |               |
|                                 | Sele              | c <b>ted rule</b> Abs    |                      |          | Revert Help                                    |               |

Click on the applied filter's node to view the names, type, and rationale for the excluded objectives specified in the coverage filter file.

#### Step 4: Justify Objectives

(a) Close the Filter Explorer.

(b) On the Results Summary window, click **Highlight analysis results on model**. The model is highlighted with the analysis results. The excluded model objects are highlighted in steel blue and the model objects that result in errors are highlighted in red.

(b) To view the excluded objectives, click Abs block and click **View**. The **Analysis Filter** viewer opens. The **Analysis Filter** explorer opens. The Filter Explorer opens and displays the relevant filter rule.

(c) Click the Divide block. The Results Inspector window displays a summary of the objectives.

| Pa Results: sldvexControllerFilterObjectives                                                | _                  |         | ×   |
|---------------------------------------------------------------------------------------------|--------------------|---------|-----|
| $4 \rightarrow 4$                                                                           |                    |         | v 😰 |
| Back to summary                                                                             |                    |         |     |
| sldvexControllerFilterObjectives/Divide                                                     |                    |         |     |
| Division by zero Objectives<br>Division by zero ERROR - <u>View counterexa</u>              | ample <u>Debug</u> | Justify |     |
| Integer overflow Objectives<br>Overflow Valid<br>Derived Ranges:<br>Outport 1:[-3276832767] |                    |         |     |

(d) To justify the division by zero objective, click **Justify**. The **Analysis Filter** viewer is updated with a rule that justifies this objective. Optionally, you can update the **Mode** or **Rationale** for the objectives. (d) To justify the division by zero objective, click **Justify**. The **Analysis Filter** explorer is updated with a rule that justifies this objective. Optionally, you can update the **Mode** or **Rationale** for the objectives. (d) To justify the division by zero objective, click on the **Applied filters** node in Filter Explorer and click **Justify** in the **Results Inspector** window. The Filter Explorer opens and queries about where to add the justification rule. You may choose to add it to the existing filter file or create a new filter file. Create a new file.

| 📰 Simulink Design Verif | ier Filter Explorer: sldvexControllerFilterObjectives                                                                               |      |      | $\times$ |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------|------|------|----------|
| Applied filters (1)     | Simulink Design Verifier Filter Explorer: sldvexControllerFilterObjectives<br>Add justification rules to the selected filter.       |      |      |          |
| Untitled                | <u>New filter</u><br><u>Load filter</u><br><u>Create justification rules for violations and dead logic from the active sldvData</u> |      |      |          |
|                         | Select Filter X                                                                                                                     |      |      |          |
|                         | Untitled<br><create file="" filter="" new=""></create>                                                                              |      |      |          |
|                         | OK Cancel                                                                                                                           |      |      |          |
| <                       | Revert H                                                                                                                            | lelp | Appl | Y        |

| Applied filters (2) | - Fi        |                                                                                                                         |                           |   |                                               |      |                               | ×   |
|---------------------|-------------|-------------------------------------------------------------------------------------------------------------------------|---------------------------|---|-----------------------------------------------|------|-------------------------------|-----|
| Untitled Untitled_1 | F<br>S<br>C | ilter Editor<br>Filter Name Untitled_1<br>Filename: (not saved)<br>Save as<br>Description<br>Filter Rules<br>Model Code |                           |   |                                               |      |                               | ] ^ |
|                     |             |                                                                                                                         | Type<br>by division by ze | 1 | Rationale<br>✓ due to sum bloc<br>Revert Help | View | ove rule<br>in model<br>Apply | >   |

#### Step 5: Apply the Filter File and View Results

On the **Analysis Filter** viewer, click **Apply**. The model is highlighted with the updated filter. The Divide block is highlighted in green because all the objectives of the block are valid.

To save the updated filter file, in the **Analysis Filter** viewer, click **Save Filter**, enter the name of file, and click **OK**. On the **Analysis Filter** explorer, click **Apply**. The model is highlighted with the updated filter. The Divide block is highlighted in green because all the objectives of the block are valid.

To save the updated filter file, in the **Analysis Filter** explorer, click **Save Filter**, enter the name of file, and click **OK**. On the Filter Explorer, click **Apply**. You will be prompted to provide a file name for the new filter. Enter the desired name and click **Save**. The model is highlighted with the applied filters. The Divide block is highlighted in green because all the objectives of the block are valid or justified.

Note: After applying the filter, the highlighting of the model objects is as follows:

- If all the objectives of a block are excluded or justified, it is highlighted in steel blue.
- If a block has valid and excluded or justified objectives, it is highlighted in green.
- If a block has falsified and excluded or justified objectives, it is highlighted in red.

For a detailed analysis report, in the Results Summary window, click **HTML** or **PDF**. The Design Error Detection Objectives Status chapter reports the excluded and justified objectives along with the valid and falsified objectives.

# **Objectives Excluded**

| #  | Туре                | Model Item | Description | Rationale                                        |
|----|---------------------|------------|-------------|--------------------------------------------------|
| 11 | Integer<br>overflow | <u>Abs</u> | Overflow    | Design error<br>depends on<br>upstream<br>blocks |

# **Objectives Justified**

| # | Туре                | Model Item    | Description      | Rationale                               |
|---|---------------------|---------------|------------------|-----------------------------------------|
| 8 | Division by<br>zero | <u>Divide</u> | Division by zero | due to sum<br>block integer<br>overflow |

#### **Related Topics**

- "Filter Objectives by Using Simulink Design Verifier Filter Explorer" on page 6-46
- "Detect Integer Overflow and Division-by-Zero Errors" on page 6-19

# **Detect Integer Overflow in a Model with Complex Inputs**

This example shows how to detect integer overflow errors in a model that consists of complex type inputs.

#### **Step 1: Open the Model**

The sldvexComplexInputs model contains SensorA, SensorB, and SensorC complex inputs and a Control input. The SensorA and SensorB inports are constraint to **Maximum output value** equal to 100.

open\_system('sldvexComplexInputs');



#### Simulink Design Verifier Detect Integer Overflow Errors in Model with Complex Inputs

Copyright 2019 The MathWorks, Inc.

#### Step2: Perform Design Error Detection Analysis

On the Apps tab, in the Model Verification, Validation, and Test group, select Design Verifier.

To detect design errors, click **Detect Design Errors**. After the analysis completes, the Results Summary window displays that one objective is valid and one objective is falsified.



#### **Step 3: Review Analysis Results**

In the Results Summary window, click **Highlight analysis results on model**. The Sum block whose output results in integer overflow error is highlighted in red.



To view the analysis report, click **HTML** or **PDF** in the Results Summary window. The Design Error Detection Objectives Status chapter lists the description of the valid and falsified objectives.

# **Objectives Excluded**

| #  | Туре                | Model Item | Description | Rationale                                        |
|----|---------------------|------------|-------------|--------------------------------------------------|
| 11 | Integer<br>overflow | <u>Abs</u> | Overflow    | Design error<br>depends on<br>upstream<br>blocks |

# **Objectives Justified**

| # | Туре                | Model Item    | Description      | Rationale                               |
|---|---------------------|---------------|------------------|-----------------------------------------|
| 8 | Division by<br>zero | <u>Divide</u> | Division by zero | due to sum<br>block integer<br>overflow |

The Design Errors chapter contains the test case inputs that results in integer overflow.

| Time    | 0      |
|---------|--------|
| Step    | 1      |
| SensorA | 16+93i |
| SensorB | 26+78i |
| SensorC | 94+93i |
| Control | 1      |

#### See also

- "Detect Integer Overflow Errors" on page 6-51
- "Understand the Analysis Results" on page 6-4

# Debug Integer Overflow Design Error Detection Using Model Slicer

This example shows how to use Model Slicer to debug integer overflow design errors in a Simulink  $\ensuremath{\ensuremath{\mathbb R}}$  model.

#### Prerequisites

This example uses the following products to demonstrate debugging the Design Error Detection violations:

- Simulink Design Verifier™
- Simulink Check<sup>™</sup> (Model Slicer)

#### Example

1. Open model sldvdemo\_design\_error\_detection.

open\_system('sldvdemo\_design\_error\_detection');



Copyright 2006-2023 The MathWorks, Inc.

### 2. Open Simulink Design Verifier by clicking on Apps > Design Verifier.

3. In the Design Verifier tab, click **Detect Design Errors**. Simulink Design Verifier analyzes the model and displays the results in **Results Summary** window.



The model highlights the subsystem where the failed objectives are located.



4. Open Controller subsystem and select either of the blocks that are highlighted in red.



5. In the Results window, click **Debug** to debug the violation using Model Slicer. Alternatively, in the Design Verifier tab, click **Review Results > Debug using Slicer** to debug the violation using Model Slicer.

| Pa Results: sldvdemo_design_error_detection                                                                   | —     |         | $\times$ |
|---------------------------------------------------------------------------------------------------------------|-------|---------|----------|
| $\langle - \Rightarrow \Box$                                                                                  |       |         | -        |
| Back to summary                                                                                               |       |         |          |
| sldvdemo_design_error_detection/Controller/Sum1                                                               |       |         |          |
| Integer overflow Objectives           Overflow         Error - needs simulation         - View counterexample | Debug | Justify |          |
| Derived Ranges:                                                                                               |       |         |          |
| Outport 1:[-128127.99609375]                                                                                  |       |         |          |

On clicking either of the entry points for debugging, the following setup is done on the model:

- The selected block with a failed objective is added as a starting point for Model Slicer.
- The model is highlighted with the slice responsible for the failing objective.
- The design model is simulated and paused at the time of violation.

6. Debug and analyze the model by inspecting the port labels.

Tip: Click on the output signal line of the Sum block to enable the port value label for the block.

| ufix16 En8                                                                   | Active last step bo | polean $\frac{1}{z}$ |              |
|------------------------------------------------------------------------------|---------------------|----------------------|--------------|
| InputBusFxp<br>Actual: 240<br>enable : false<br>brake : false<br>set : true> | uint8               | ufix16_En8           | Target speed |
|                                                                              | ufix16_En8          | л <b>Г</b>           | PI Cor       |

You can observe that the sum of the input variables should result in a non-zero number.

7. Investigate the input and output data types of the sum block.

| Block Parameters: Sum1   >                                                  | < |
|-----------------------------------------------------------------------------|---|
| Sum                                                                         |   |
| Add or subtract inputs. Specify one of the following:                       |   |
| Main Signal Attributes                                                      |   |
| Require all inputs to have the same data type                               |   |
| Accumulator data type: Inherit: Inherit via internal rule $\checkmark$ : >> |   |
| Output minimum: Output maximum:                                             |   |
|                                                                             |   |
| Output data type: fixdt(1,16,8)                                             |   |
| Lock data type settings against changes by the fixed-point tools            |   |
| Integer rounding mode: Floor                                                |   |
| Saturate on integer overflow                                                |   |
|                                                                             |   |
| OK Cancel Help Apply                                                        |   |

Here, the datatype conversion results in the integer overflow. The datatype for inputs is ufix16\_En8, which have a maximum value of 255.9961, whereas the datatype for output block is sfix16\_En8, which has a maximum of 127.9961. In the counterexample the value is between these two values. The overflow happens when the sum block (without saturation) first casts the input values down to its output type and then does the arithmetic operation.

#### Verification

To confirm that the integer overflow error was resolved, on the **Design Verifier** tab, click **Detect Design Errors**. After the analysis completes, the software reports that all the objectives are valid.

## **Additional Capabilities**

You can use the workflow demostrated in this example to debug the other Design Error Detection violations using Model Slicer. Following are the design errors supported:

- Division by zero
- Integer Overflow
- Non-Finate and NaN (Not a Number) floating-point values
- Specified minimum and maximum value violations
- Datastore access violations
- Specified block input range violations

## Analyzing the Results for a Dead Logic Analysis

This example demonstrates how to isolate potential causes of dead logic using the sldvexCommonCausesOfDeadLogic model. Dead logic detection finds unreachable objectives in the model that cause the model element to remain inactive.

#### Workflow

The sldvexCommonCausesOfDeadLogic model demonstrates some of the common patterns that often lead to dead logic in a model. The six subsystems in the model represent a different pattern. These subsystems are:

- **1** Conditional execution of a subsystem
- 2 Short-circuiting of a logical operator block during analysis
- **3** Parameter values treated as constants
- 4 Library-linked blocks
- 5 Upstream blocks
- **6** Restrictions on signal ranges

#### Section 1 : Run a Dead Logic Analysis

Follow these steps to run the dead logic analysis:

1: Open the model sldvexCommonCausesOfDeadLogic.

open\_system('sldvexCommonCausesOfDeadLogic');



CascadingDeadLogic

- 2: In the Apps pane, open Design Verifier.
- 3: On the **Design Verifier** tab, click **Error Detection Settings**.
- 4: In the **Configuration Parameters** dialog box:
- a. Enable the **Dead logic (partial)** option.
- b. Clear the **Run exhaustive analysis** option, if it is selected.

c. Set **Coverage objectives to be analyzed** to **Condition Decision** option. The available options from the drop-down menu are **Decision**, **Condition Decision**, and **MCDC**.

5: In the **Design Verifier** tab, Click **Detect Design Errors**.

#### Section 2: Analyze and Review the Results

The software analyzes the model for dead logic and displays the results in the Results Summary window. The results indicate that 19 of the 44 objectives are dead logic.

| 🚡 Simulink Design Verifier Results                                                                                        | Summary: sldvexCo | mmonCausesOfDeadLogic            | ×         |
|---------------------------------------------------------------------------------------------------------------------------|-------------------|----------------------------------|-----------|
|                                                                                                                           |                   |                                  |           |
| Progress                                                                                                                  |                   |                                  |           |
| Objectives processed                                                                                                      | 44/44             |                                  |           |
| Valid                                                                                                                     | 0                 |                                  |           |
| Falsified                                                                                                                 | 19                |                                  |           |
| Elapsed time                                                                                                              | 1:00              |                                  |           |
|                                                                                                                           |                   |                                  |           |
| Design error detection comple                                                                                             | ted normally.     |                                  |           |
| Simulink Design Verifier ran a<br>logic > Run exhaustive analysi<br>analysis.                                             |                   |                                  |           |
| 19/44 objectives are dead logi                                                                                            | с                 |                                  |           |
| Results:                                                                                                                  |                   |                                  |           |
| <ul> <li><u>Open filter viewer</u></li> <li><u>Highlight analysis result</u></li> <li>Detailed analysis report</li> </ul> |                   |                                  |           |
| Data saved in: sldvexCommon<br>in folder:                                                                                 |                   | <u>sldvdata.mat \</u> MATLAB\g22 | 46348 (2) |
| \sldv_output\sldvexCommonC                                                                                                | ausesorpeadLogic  |                                  |           |
|                                                                                                                           |                   |                                  |           |
|                                                                                                                           |                   |                                  |           |
|                                                                                                                           |                   |                                  |           |
|                                                                                                                           |                   | View Log                         | Close     |

### Section 3: Highlight Analysis Results in the Subsystem Blocks

This section explains the common patterns that lead to dead logic in the sldvexCommonCausesOfDeadLogic model. In the Results Summary window, click on Highlight
analysis results on model. The subsystems with dead logic are highlighted in red. These
subsystems are:

- **1** ConditionallyExecuteInputs
- **2** ShortCircuiting
- **3** Parameters
- 4 Library

- **5** CascadingDeadLogic
- 6 ConditionGreaterThan0

The subsystems in the sldvexCommonCausesOfDeadLogic model explain these patterns. Each subsystem block highlighted in red has a dead logic red. Consider each subsystem one by one to analyze and highlight the results.

#### 1. Conditional Execution of a Subsystem

If your model includes **Switch** or **Multiport Switch** blocks and the conditional input branch execution parameter is set to **On**, the conditional execution can often cause unexpected dead logic. Open the ConditionallyExecuteInputs subsystem and click the **AND** block highlighted in red. The Results window summarizes the dead logic.



In this subsystem, the Conditional input branch execution parameter is set to **On**. The AND Logical Operator block is conditionally executed, which causes the dead logic for the subsystem.

#### 2. Short-Circuiting of a Logical Operator Block During Analysis

Simulink Design Verifier treats logic blocks as if they are short-circuiting when analyzing for dead logic. Open the ShortCircuiting subsystem, and click the **AND** block highlighted in red. The Results window summarizes the dead logic.



In this model, if In3 is false, the software ignores the third input due to the short-circuiting. This is suggested as a potential explanation for the dead logic in the Results window.

#### **3. Parameter Values Treated as Constants**

If your model contains parameters, Simulink Design Verifier treats the values as constants by default, which might cause dead logic in the model. In these cases, consider configuring these parameters to be tuned during analysis. Open the ShortCircuiting subsystem and click the **Switch** block highlighted in red. The Results window summarizes the dead logic.



Here, all of the parameters are set to zero. This causes the dead logic for the Less Than block.

### Suggestion

You can use Model Slicer to find the parameters which could have an impact on a particular block by following these steps:

a. Create an object of SLSlicerAPI.ParameterDependence using Model Slicer.

```
slicerObj = slslicer('sldvexCommonCausesOfDeadLogic');
pd = slicerObj.parameterDependence;
```

b. Find the parameters affecting the **Product** block.

```
params = parametersAffectingBlock(pd, 'sldvexCommonCausesOfDeadLogic/Parameters/Product');
```

```
>> params(1)
                                            >> params(2)
ans =
                                            ans =
  VariableUsage with properties:
                                              VariableUsage with properties:
          Name: 'ParamA'
                                                       Name: 'ParamB'
        Source: 'base workspace'
                                                     Source: 'base workspace'
    SourceType: 'base workspace'
                                                 SourceType: 'base workspace'
         Users: {2×1 cell}
                                                     Users: {2×1 cell}
                                             >> params(4)
>> params(3)
                                             ans =
ans =
                                               VariableUsage with properties:
  VariableUsage with properties:
                                                        Name: 'ParamD'
          Name: 'ParamC'
                                                      Source: 'base workspace'
        Source: 'base workspace'
                                                  SourceType: 'base workspace'
    SourceType: 'base workspace'
                                                       Users: {2×1 cell}
         Users: {2×1 cell}
```

The image above displays the parameters returned by the function **parametersAffectingBlock** which have an impact on the Product block. The list of parameters returned by the function can be considered for tuning.

c. Perform clean-up to exit compile state of the model.

slicerObj.terminate;

#### 4. Library-Linked Blocks

The ProtectedDivide library subsystem has protection for division by zero. **Library** blocks may be written with defensive conditions that are redundant in some of the locations where they are used. In some cases, this may cause dead logic. Open the **Library** block, and click the ProtectedDivide subsystem highlighted in red. In this case, the inputs to the ProtectedDivide library subsystem can never experience a division by zero. This causes the guarding logic to be dead. The **Equal** block shows the dead logic. The Results window summarizes the dead logic.



Consider justifying the dead logic that arises from those library blocks.

### 5. Upstream Blocks

When a particular block has dead logic, this often leads to a cascading effect that causes downstream blocks to also have dead logic. Open the CascadingDeadLogic subsystem and click the **Less Than** block highlighted in red. The Results window summarizes the dead logic.



The dead logic in the **Less Than** block causes the dead logic in the corresponding downstream blocks. It is therefore often helpful to review the upstream dead logic before reviewing any downstream dead logic.

#### **6. Restrictions on Signal Ranges**

Root-level Inport blocks with minimum and maximum values as constraints and **Test Condition** blocks in the test generation may cause dead logic. For example, consider the ConditionGreaterThan0 **Switch** block, where the second Inport block has a minimum and maximum range of 1 and 100, respectively. This causes the **Switch** block in this subsystem to have dead logic, because the constrained range means the signal will always be greater than 0.



### Section 4: View the Analysis Report

In the Results summary window, click **HTML** to view the detailed analysis report. The report summarizes all of the dead logic results in the model.

## Chapter 3. Dead Logic

Simulink Design Verifier proved these decisions and conditions to be unreachable or dead logic. Dead logic can be a side effect of parameter configurations or minimum and maximum constraints specified on inputs. Simulink Design Verifier ran a partial check for dead logic. Consider enabling the 'Dead logic > Run exhaustive analysis' configuration option in order to perform an exhaustive analysis.

| #  | Туре      | Model Item                                   | Description                                                              |
|----|-----------|----------------------------------------------|--------------------------------------------------------------------------|
| 1  | Condition | ConditionallyExecuteInputs/Logical Operator  | Logic: input port 2 can only be true                                     |
| 2  | Decision  | ConditionallyExecuteInputs/Switch1           | trigger > threshold can never be false (output is from 3rd input port)   |
| 3  | Condition | ConditionallyExecuteInputs/Logical Operator1 | Logic: input port 1 unreachable                                          |
| 4  | Condition | ConditionallyExecuteInputs/Logical Operator1 | Logic: input port 2 unreachable                                          |
| 5  | Decision  | Parameters/Switch                            | trigger > threshold can never be true (output is<br>from 1st input port) |
| 6  | Condition | ShortCircuiting/Logical Operator             | Logic: input port 1 can only be true                                     |
| 7  | Condition | ShortCircuiting/Logical Operator1            | Logic: input port 2 can only be true                                     |
| 8  | Condition | Library/ProtectedDivide/Equal                | RelationalOperator: input1 == input2 can never be<br>true                |
| 9  | Decision  | Library/ProtectedDivide/Switch               | logical trigger input can never be true (output is from 1st input port)  |
| 10 | Condition | CascadingDeadLogic/Less Than                 | RelationalOperator: input1 < input2 can never be<br>true                 |
| 11 | Condition | CascadingDeadLogic/Logical Operator          | Logic: input port 1 can never be true                                    |
| 12 | Decision  | CascadingDeadLogic/Switch                    | logical trigger input can never be false (output is from 3rd input port) |
| 13 | Condition | CascadingDeadLogic/Logical Operator1         | Logic: input port 1 unreachable                                          |
| 14 | Condition | CascadingDeadLogic/Logical Operator1         | Logic: input port 2 unreachable                                          |
| 15 | Decision  | Assumptions/ConditionGreaterThan0            | trigger > threshold can never be false (output is from 3rd input port)   |

To perform an exhaustive analysis for dead logic, in the **Configuration Parameters Window** in the **Design Error Detection** pane, select **Run exhaustive analysis**. The software stores the detailed analysis results in the **DeadLogic field** in the Simulink Design Verifier data files. You can use the data file to further analyze the results.

## **Related Topics**

• "Common Causes for Dead Logic" on page 6-15

# **Generating Test Cases**

- "What Is Test Case Generation?" on page 7-3
- "Workflow for Test Case Generation" on page 7-5
- "Generate Test Cases for Model Decision Coverage" on page 7-6
- "Generate Test Cases for a Subsystem" on page 7-18
- "Generate Test Cases for a Reusable Library Subsystem" on page 7-21
- "Use Test Generation Advisor to Identify Analyzable Components" on page 7-24
- "Generate Test Cases for Embedded Coder Generated Code" on page 7-28
- "Model Coverage Objectives for Test Generation" on page 7-30
- "Enhance Model Coverage of Older Release Models" on page 7-32
- "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42
- "Analyze Model for Enhanced MCDC Analysis" on page 7-44
- "Basic Workflow for Enhanced MCDC Analysis" on page 7-47
- "Author Custom Test Objective Workflow" on page 7-52
- "What Is a Specification Model?" on page 7-60
- "Test Generation Examples" on page 7-66
- "Test Generation for Custom Code in MATLAB Function Block" on page 7-67
- "Use Specification Models for Requirements-Based Testing" on page 7-69
- "Flip Flop Test Generation" on page 7-80
- "Model Coverage Test Generation" on page 7-81
- "Test Objective Block" on page 7-82
- "Test Condition Block" on page 7-83
- "Cruise Control Test Generation" on page 7-84
- "Fuel Rate Controller Logic" on page 7-85
- "Extend an Existing Test Suite" on page 7-86
- "Defining and Extending Existing Tests Cases" on page 7-91
- "Using Existing Coverage Data During Subsystem Analysis" on page 7-97
- "Creating and Executing Test Cases" on page 7-100
- "Using Specified Input Minimum and Maximum Values as Constraints" on page 7-107
- "Configuring S-Function for Test Case Generation" on page 7-109
- "Code Coverage Test Generation" on page 7-111
- "Test Generation on Model with C Caller Block" on page 7-119
- "Debug Enhanced Modified Condition Decision Coverage Using Model Slicer" on page 7-121
- "Test Generation for Custom Code in a Stateflow Chart" on page 7-124
- "Generate Test Cases for Model Blocks" on page 7-126
- "Use Observer Reference Block for Test Case Generation" on page 7-130

- "Inspect Test Generation Objectives by Using Model Slicer" on page 7-135
- "Generate Tests for Model Block Component by Using Default Simulation" on page 7-138
- "Add Test Cases Using Excel File" on page 7-142
- "Achieve Missing Coverage in Custom Code" on page 7-146
- "Achieve Missing Coverage in Generated Code of RLS" on page 7-149

## What Is Test Case Generation?

The Simulink Design Verifier software can generate test cases that satisfy coverage objectives for your model, including:

- "Decision" on page 7-30
- "Condition" on page 7-30
- "MCDC" on page 7-31
- "Enhanced MCDC" on page 7-31

Test cases help you confirm model performance by demonstrating how the blocks in the model execute in different modes. When generating test cases, the software performs a formal analysis of your model. After completing the analysis, the software provides several ways for you to review the results.

**Note** If your model does not have conditions, decisions, or custom test objectives, then Simulink Design Verifier generates a test case that represents a basic simulation of your model. The test inputs satisfy minimum or maximum constraints on input ports and intermediate signal values satisfy constraints specified by the Test Condition blocks in the model.

## **Test Case Blocks**

For customizing test cases for your Simulink models, Simulink Design Verifier provides two blocks:

- The Test Objective block defines the values of a signal that a test case must satisfy.
- The Test Condition block constrains the values of a signal during analysis.

## **Test Case Functions**

To customize test cases for a Simulink model or Stateflow chart, Simulink Design Verifier provides two MATLAB functions. You can use these functions in a MATLAB Function block. Both functions are active in generated code and in Simulink Design Verifier.

- sldv.test Specifies a test objective.
- sldv.condition Specifies a test condition.

These functions:

- Identify mathematical relationships for testing in a form that can be more natural than using block parameters.
- Support specifying multiple objectives, assumptions, or conditions without complicating the model.
- Provide access to the power of MATLAB.
- Support separation of verification and model design.

For an example of how to use these functions, see the sldv.test or sldv.condition reference page.

**Note** Simulink Design Verifier blocks and functions are saved with a model. If you open the model on a MATLAB installation that does not have a Simulink Design Verifier license, you can see the blocks and functions, but they do not produce results.

## See Also

## **More About**

• "Workflow for Test Case Generation" on page 7-5

## **Workflow for Test Case Generation**

| Task | Description                                                                                                                                                                                                                                                                                                                                                      | For an example, see                                                                           |
|------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| 1    | Verify that your model is compatible for use with Simulink Design Verifier.                                                                                                                                                                                                                                                                                      | "Check Compatibility of the Example<br>Model" on page 7-7                                     |
| 2    | Optionally, use the Test Generation<br>Advisor to select model components<br>(atomic subsystems and model blocks) for<br>test generation. Before test generation,<br>you can use the results to better<br>understand your model, particularly large<br>models, complex models, or models for<br>which you are uncertain of the test<br>generation compatibility. | "Use Test Generation Advisor to Identify<br>Analyzable Components" on page 7-24               |
| 3    | If you have Stateflow objects in your<br>model, in the Configuration Parameters<br>dialog box, on the <b>Diagnostics</b> ><br><b>Stateflow</b> pane, set <b>Unreachable</b><br><b>execution path</b> to error.                                                                                                                                                   |                                                                                               |
| 4    | Optionally, instrument your model with<br>blocks or MATLAB functions that specify<br>test objectives and test conditions.                                                                                                                                                                                                                                        | "Customize Test Generation" on page 7-<br>14                                                  |
| 5    | Specify options that control how Simulink<br>Design Verifier generates test cases for<br>your model.                                                                                                                                                                                                                                                             | "Configure Test Generation Options" on<br>page 7-8                                            |
| 6    | Execute the Simulink Design Verifier analysis.                                                                                                                                                                                                                                                                                                                   | "Analyze the Example Model" on page 7-<br>8 and "Reanalyze the Example Model"<br>on page 7-16 |
| 7    | Review the analysis results.                                                                                                                                                                                                                                                                                                                                     | "Review Analysis Results" on page 7-8                                                         |

To generate test cases for your model, use the following workflow.

## See Also

## **More About**

- "Flip Flop Test Generation" on page 7-80
- "Cruise Control Test Generation" on page 7-84
- "Fuel Rate Controller Logic" on page 7-85

## **Generate Test Cases for Model Decision Coverage**

### In this section...

"Construct the Example Model" on page 7-6

"Check Compatibility of the Example Model" on page 7-7

"Configure Test Generation Options" on page 7-8

"Analyze the Example Model" on page 7-8

"Review Analysis Results" on page 7-8

"Customize Test Generation" on page 7-14

"Reanalyze the Example Model" on page 7-16

"Analyze Contradictory Models" on page 7-16

## **Construct the Example Model**

Construct a model for this example:

- **1** Create a Simulink model.
- **2** Copy the following blocks into your empty model window:
  - From the Sources library, an Inport block to initiate the input signal whose value Simulink Design Verifier controls.
  - From the Sources library, two Constant blocks to serve as Switch block data inputs.
  - From the Signal Routing library, a Switch block to provide simple logic.
  - From the Sinks library, an Outport block to receive the output signal.
- **3** In your model, double-click one of the Constant blocks and specify its **Constant value** parameter as 2.
- 4 Connect the blocks so that your model appears similar to the following diagram.



5 On the **Apps** tab, click the arrow on the right of the **Apps** section.

Under Model Verification, Validation, and Test, click Design Verifier.

- 6 On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.
- 7 In the Configuration Parameters dialog box, select **Solver** pane. In the **Solver selection**:

- Set the **Type** option to Fixed-step.
- Set the **Solver** option to Discrete (no continuous states).

Simulink Design Verifier analyzes only models that use a fixed-step solver.

- 8 Click **OK** to save your changes and close the Configuration Parameters dialog box.
- 9 Save your model with the name ex\_generate\_test\_cases\_example.

## Check Compatibility of the Example Model

Every time Simulink Design Verifier analyzes a model, before the analysis begins, the software performs a compatibility check. If your model is not compatible, the software cannot analyze it.

Before you start the analysis, you can also make sure that your model is compatible with Simulink Design Verifier software:

- 1 Open the ex\_generate\_test\_cases\_example model.
- 2 On the **Design Verifier** tab, click **Check Compatibility**.

The software displays the log window, which states whether or not your model is compatible for analysis.

The model you just created is compatible.

| 🔁 Simulink Design Verifier Results Summary: ex_generate_test_cases_example                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | × |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| 21-Nov-2018 17:20:53<br>Checking compatibility for test generation: model 'ex_generate_test_cases_example'<br>Compiling model with a comparison of the comparison |   |
| Save Log Generate Tests Close                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |   |

#### What If a Model Is Partially Compatible?

If the compatibility check indicates that your model is partially compatible, your model contains at least one object that Simulink Design Verifier does not support. You can analyze a partially compatible model, but, by default, the unsupported objects are stubbed out. The results of the analysis can be incomplete.

For detailed information about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

## **Configure Test Generation Options**

Configure Simulink Design Verifier to generate test cases that achieve 100% decision coverage for the ex\_generate\_test\_cases\_example model:

- 1 Open the ex\_generate\_test\_cases\_example model.
- 2 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**.
- **3** Click **Test Generation Settings**.
- 4 In the Configuration Parameters dialog box, on the **Test Generation** pane, set the **Model coverage objectives** parameter to **Decision**.

For this example, the analysis generates test cases that record only decision coverage.

The **Test suite optimization** parameter is set by default to Auto. If you want to generate fewer but longer test cases, select LongTestcases for the **Test suite optimization** parameter.

- 5 Click **OK** to save your changes and close the Configuration Parameters dialog box.
- 6 Save the ex\_generate\_test\_cases\_example model.

## Analyze the Example Model

On the **Design Verifier** tab, click **Generate Tests**. The Simulink Design Verifier analyzes your model to generate test cases.

During the analysis, the Results Summary window shows the progress of the analysis. It displays information such as the number of test objectives processed and which objectives are satisfied.

## **Review Analysis Results**

When the software completes its analysis, the Results Summary window displays these options for reviewing the results.

| 指 Simulink Design Verifie                                     | r Results Summary: e         | ex_generate_test_cases_ex | xample X |
|---------------------------------------------------------------|------------------------------|---------------------------|----------|
|                                                               |                              |                           |          |
| Progress                                                      |                              |                           |          |
| Objectives processed                                          | 2/2                          |                           |          |
| Satisfied                                                     | 2                            |                           |          |
| Unsatisfiable                                                 | 0                            |                           |          |
| Elapsed time                                                  | 0:12                         |                           |          |
|                                                               |                              |                           |          |
| Test generation comple                                        | eted normally.               |                           |          |
| 2/2 objectives are sati                                       | fied.                        |                           |          |
| Results:                                                      |                              |                           |          |
| Highlight analys                                              | is results on model          |                           |          |
|                                                               | nulation Data Inspe          |                           |          |
|                                                               | s report: ( <u>HTML</u> ) (F | <u>PDF)</u>               |          |
| <ul> <li>Create harness</li> </ul>                            |                              |                           |          |
|                                                               | s to Simulink Test           |                           |          |
| <ul> <li>Simulate tests a</li> </ul>                          | nd produce a mode            | el coverage report        |          |
| Data saved in: <u>ex_gen</u><br>in folder: <u>H:\Document</u> | s\MATLAB\sldv_ou             |                           |          |
| \ex_generate_test_cas                                         | es_example                   |                           |          |
|                                                               |                              |                           |          |
|                                                               |                              |                           |          |
|                                                               |                              |                           |          |
|                                                               |                              | View Log                  | Close    |

The following sections describe how you can review the analysis results:

- "Review Analysis Results on the Model" on page 7-9
- "Review Detailed Analysis Report" on page 7-11
- "Review Harness Model" on page 7-12
- "Simulate Tests and Produce a Model Coverage Report" on page 7-12
- "View sldvData File" on page 7-14
- "Review Analysis Results in the Results Summary Window" on page 7-14

#### **Review Analysis Results on the Model**

Highlight the analysis results on the example model:

1 In the Results Summary window for the ex\_generate\_test\_cases\_example analysis, click Highlight analysis results on model.



The Switch block is highlighted in green, which indicates that the Switch block has test cases that satisfy its test objectives.

The Simulink Design Verifier Results window opens. As you click objects in the model, this window changes to display detailed analysis results for that object. By default, the Simulink Design Verifier Results window is always the topmost visible window. To allow the window to move behind other window, click **39** and clear **Always on top**.

| Results: ex_generate_test_cases_example                                                                                                                                                       | _          |     | ×                |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|-----|------------------|
| $\Leftrightarrow \Rightarrow \square$                                                                                                                                                         |            |     | ₩ <mark>1</mark> |
| Test generation completed normally.<br>2/2 objectives are satisfied.                                                                                                                          |            |     |                  |
| Results:                                                                                                                                                                                      |            |     |                  |
| View tests in Simulation Data Inspector     Detailed analysis report: (HTML) (PDF)     Create harness model     Export test cases to Simulink Test     Simulate tests and produce a model cov | erage repo | ort |                  |

2 Click the highlighted Switch block.

The Simulink Design Verifier Results window indicates that the analysis generated test cases for both test objectives:

- trigger > threshold
- trigger < threshold</li>

| Partic Results: ex_generate_test_cases_example               | _         |                    | $\times$ |
|--------------------------------------------------------------|-----------|--------------------|----------|
| $\leftarrow \Rightarrow \bigtriangleup$                      |           |                    | - 19     |
| Back to summary<br>ex_generate_test_cases_example/Switch     |           |                    |          |
| trigger > threshold false (output is from 3rd input<br>port) | SATISFIED | - <u>View te</u>   | st case  |
| trigger > threshold true (output is from 1st input<br>port)  | SATISFIED | ) - <u>View te</u> | st case  |
|                                                              |           |                    |          |

For more information about highlighted analysis results on a model, see "Highlight Results on the Model" on page 13-2.

### **Review Detailed Analysis Report**

Create a detailed HTML analysis report:

1 In the Simulink Design Verifier Results Summary window, in Detailed analysis report, click HTML.

The HTML report opens in a browser window.

2 The report includes the following **Table of Contents**. Click a hyperlink to navigate to a section in the report.



3 In the Table of Contents, click Summary to display the report's Summary chapter.

The Summary chapter lists information about the model and the status of the objectives—satisfied or not.

4 In the **Table of Contents**, click Analysis Information to display the Analysis Information chapter.

The Analysis Information chapter provides information about:

- The model that you analyzed.
- The options that you specified for the analysis.
- Approximations the software performed during the analysis.
- 5 In the **Table of Contents**, click Test Objectives Status to display the report's Test Objectives Status chapter.

This table indicates that the analysis satisfied both test objectives associated with the Switch block in the ex\_generate\_test\_cases\_example model, for which it generated two test cases.

6 Under the table **Test Case** column, click 2 to display the Test Case 2 section.

This section provides details about a test case that the analysis generated to achieve an objective in your model. This test case achieves test objective 1, when the Switch block passes its third input to its output port. Specifically, the software determines that a value of -1 for the Switch block control signal causes the block to pass its third input as the block output.

For more information about the HTML reports, see "Review Results" on page 13-35.

#### **Review Harness Model**

To create a harness model with test cases that satisfy the test objectives in your model, in the Simulink Design Verifier Results Summary window, click **Create harness model**.

The software creates a harness model named ex\_generate\_test\_cases\_example\_harness.



The Signal Builder block named Inputs contains the test cases. Double-click the Inputs block to see the test cases. From the Signal Builder block, you can simulate the model using the test cases and produce a model coverage report, as described in "Simulate Tests and Produce a Model Coverage Report" on page 7-12.

For more information about the harness model, see "Manage Simulink Design Verifier Harness Models" on page 13-13.

#### If Analysis Generates Many Test Cases

If you have a large model, the analysis might produce a harness model that contains a large number of test cases.

To generate fewer test cases:

- **1** Set the **Test suite optimization** parameter to LongTestcases.
- 2 Rerun the analysis.

In the LongTestcases optimization, the analysis generates fewer but longer test cases that each satisfy multiple test objectives.

### Simulate Tests and Produce a Model Coverage Report

To simulate the harness model using the generated test cases in the harness model:

**1** In the harness model, double-click the Inputs block to open the Signal Builder dialog box.

| 📣 Sign       | nal Bu         | uilder (e     | _gener        | ate_te       | st_ca | ses_e | xamp | ole_ha       | arness, | /Input | ts)    |       |        |      |                    |     |   | _    | $\times$ |
|--------------|----------------|---------------|---------------|--------------|-------|-------|------|--------------|---------|--------|--------|-------|--------|------|--------------------|-----|---|------|----------|
| ile <u>E</u> |                | <u>G</u> roup | <u>S</u> igna | al <u>A</u>  |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| ¥ 🖪          | ¥              | <b>B</b>      | l lo          |              | -     | 1.    | n.   | ▦            | Q7 ↓    | 9 F    | X      |       | Ш      | •    | <sup>all</sup>   1 | •   | 2 |      |          |
| ctive G      | Group          | : Test        | t Case 1      |              |       |       |      |              |         |        |        |       |        |      |                    |     | ~ | 0    |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 6            |                | In1           |               |              |       |       |      |              |         |        | -      |       |        |      |                    |     |   |      |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 5            | ;              |               |               |              |       |       |      |              |         |        | +      |       |        |      |                    |     |   |      |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 4            | 1              |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 3            |                |               |               |              |       |       |      |              |         |        | +      |       |        |      |                    |     |   |      |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 2            | 2              |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 1            |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    | _   |   |      |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      |          |
| 0            | ) <del> </del> |               |               |              |       |       |      |              |         |        | +      |       |        |      |                    |     |   |      | -        |
|              | 0              |               | 0.05          |              | 0     | .1    |      | 0.1          | 5       |        | 0.2    |       | 0.2    | 25   |                    | 0.3 |   | 0.35 | 0.       |
|              |                |               |               |              |       |       |      |              |         |        | ne (se | _     |        |      |                    |     |   |      |          |
| Name:        | In1            |               |               | -<br>        | Left  | Point |      | г            | Right   | Point  |        | ⊠ In1 |        |      |                    |     |   |      |          |
| Index:       | -              | $\sim$        |               | T: [<br>Y: [ |       |       |      | T: [<br>Y: [ |         |        |        |       |        |      |                    |     |   |      |          |
|              |                |               |               |              |       |       |      |              |         |        |        |       |        |      |                    |     |   |      | <br>     |
| ick to s     | elec           | t, Shift+o    | click to a    | add          |       |       |      |              |         |        |        | In1 ( | (#1) [ | YMin | YMax ]             |     |   |      |          |

#### 2

In the Signal Builder dialog box, click **Run all** 

The software simulates the harness model using both test cases, collects model coverage information, and displays a coverage report. The coverage report indicates that the test cases record 100% decision coverage for the ex\_generate\_test\_cases\_example model.

You can also simulate the model without creating a harness model. In the Simulink Design Verifier log window, click **Simulate tests and produce a model coverage report**.

For more information about model coverage, see "Top-Level Model Coverage Report" (Simulink Coverage).

### View sldvData File

The Simulink Design Verifier data file is a MAT-file that contains a structure named sldvData. This structure stores all the data that the analysis gathers and produces during the analysis. You can use the data file to conduct your own analysis or to generate a custom report.

To view the data file, click the data file name in the log window, in this example, ex\_generate\_test\_cases\_example\_sldvdata.mat. When you click the file name, a copy of the sldvData object is instantiated in the MATLAB workspace so that you can review and manipulate the data.

For more information about Simulink Design Verifier data files, see "Manage Simulink Design Verifier Data Files" on page 13-7.

#### **Review Analysis Results in the Results Summary Window**

As long as your model remains open, you can view the results of your most recent Simulink Design Verifier analysis in the Results Summary window.

# On the **Design Verifier** tab, in the **Review Results** section, click **Load Earlier Results** or **Results Summary** to view the results.

For any Simulink Design Verifier analysis, from the Results Summary window, you can perform these tasks.

| Task                                                                                                                                                                   | For more information                                              |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|
| Highlight the analysis results on the model.                                                                                                                           | "Highlight Results on the Model" on page 13-2                     |
| Generate a detailed analysis report.                                                                                                                                   | "Review Results" on page 13-35                                    |
| Create the harness model, or if the harness model<br>already exists, open it.<br>If no test cases were generated during the<br>analysis, this option is not available. | "Manage Simulink Design Verifier Harness<br>Models" on page 13-13 |
| View the data file.                                                                                                                                                    | "Manage Simulink Design Verifier Data Files" on page 13-7         |
| View the log file.                                                                                                                                                     | "View Log Files" on page 13-56                                    |

After you close your model, you can no longer view analysis results.

## **Customize Test Generation**

You can use the Test Condition block to constrain signals in your model to certain values during the analysis.

- 1 At the MATLAB command prompt, enter sldvlib to display the Simulink Design Verifier library.
- 2 Open the Objectives and Constraints sublibrary.
- **3** Copy the Test Condition block to your model by dragging it from the Simulink Design Verifier library to your model window.
- 4 In the model window, insert the Test Condition block between the Inport and Switch blocks.



**5** Double-click the Test Condition block to access its attributes.

The Test Condition block parameters dialog box opens.

6 In the **Values** box, enter [-0.1, 0.1]. When generating test cases for this model, the analysis constrains the signal values, entering the Switch block control port to the specified range.

| Block Parameters: Test Condition                                                                                                                                                                                                                                                                                                                                                                                     | × |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|
| Design Verifier Test Condition (mask) (link)                                                                                                                                                                                                                                                                                                                                                                         |   |
| Constrains signal values in Simulink Design Verifier test cases. The<br>'Values' parameter constrains the block input signal. Two element<br>vectors specify intervals. Cell arrays specify lists. The signal must<br>satisfy at least one of the values or intervals at every time step.<br>Example Values:<br>true<br>{[0 1], 2, [4 5], 6}<br>{Sldv.Interval(-2, -1), Sldv.Point(0), Sldv.Interval(0, 1, '()'), 1} |   |
| Parameters                                                                                                                                                                                                                                                                                                                                                                                                           |   |
| ☑ Enable                                                                                                                                                                                                                                                                                                                                                                                                             |   |
| Type Test Condition                                                                                                                                                                                                                                                                                                                                                                                                  | • |
| Values                                                                                                                                                                                                                                                                                                                                                                                                               |   |
| [-0.1, 0.1]                                                                                                                                                                                                                                                                                                                                                                                                          | : |
| ☑ Display values                                                                                                                                                                                                                                                                                                                                                                                                     |   |
| Pass through style (show Outport)                                                                                                                                                                                                                                                                                                                                                                                    |   |
|                                                                                                                                                                                                                                                                                                                                                                                                                      |   |
|                                                                                                                                                                                                                                                                                                                                                                                                                      |   |
| OK Cancel Help Apply                                                                                                                                                                                                                                                                                                                                                                                                 | , |

- 7 Click **OK** to save your changes and close the Test Condition block parameters dialog box.
- 8 Save your model as ex\_generate\_test\_cases\_with\_tc\_block and keep it open.

## Reanalyze the Example Model

Analyze the ex generate test cases with tc block model with the Test Condition block. To observe how the Test Condition block affects test generation, compare the result of this analysis to the result that you obtained in "Analyze Example Model" on page 5-20.

1 On the **Design Verifier** tab, click **Generate Tests**.

The Simulink Design Verifier software displays a log window and begins analyzing your model to generate test cases. When the software completes the analysis, the Results Summary window displays the options for reviewing the results.

- 2 In the Results Summary window, click HTML Report.
- 3 To begin reviewing the report, in the **Table of Contents**, click Summary.

The Summary chapter indicates that Simulink Design Verifier satisfied two test objectives in the model.

4 In the **Table of Contents**, click Analysis Information. Scroll to the bottom of this chapter, to the Constraints section.

This section lists the Test Condition block that you added to constrain the value of the Switch block control signal to the interval [-0.1, 0.1].

5 In the **Table of Contents**, click Test Objectives Status.

This table indicates that Simulink Design Verifier satisfied both test objectives for the Switch block through the two test cases generated.

6 Under the table **Test Case** column, click 1.

This section provides details about a test case that the software generated to achieve an objective in your model. This test case achieves test objective 1, when the Switch block passes its third input to its output port. Although the Test Condition block restricts the domain of input signals to the interval [-0.1, 0.1], the software determines that a value of -0.1 for the Switch block control signal satisfies this objective.

- 7 To confirm that the test case achieves 100% decision coverage, open the harness model.
- 8 Double-click the Inputs block to open the Signal Builder dialog box.
- 9

In the Signal Builder dialog box, click **Run all** 

The Simulink software simulates the harness model using both test cases, collects model coverage information, and displays a coverage report. The Summary section of the report indicates that Simulink Design Verifier generated test cases that achieve complete decision coverage for your example model.

## **Analyze Contradictory Models**

If the analysis produces the error The model is contradictory in its current configuration, the software detected a contradiction in your model and cannot analyze the model.

You can have a contradiction if your model has Test Objective blocks with incorrect parameters. For example, a contradiction can be an objective that states that a signal must be between 0 and 5 when the signal is the constant 10.

If the software detects a contradiction, all previous results are invalidated and the software reports that some of the objectives cannot be satisfied.

## See Also

## **More About**

• Model Coverage Test Generation on page 7-81

## **Generate Test Cases for a Subsystem**

You can analyze a subsystem within a model. This technique is good for large models, where you want to review the analysis in smaller, manageable reports. Following two methods help you to generate test cases for subsystem in different modes:

- "Generate Test Cases for Subsystems for Normal Mode" on page 7-18
- "Generate Test Cases for Subsystems for Software-in-the-Loop Mode" on page 7-19

## **Generate Test Cases for Subsystems for Normal Mode**

This example shows how to analyze the Controller subsystem in the sldvdemo\_cruise\_control model.

**1** Open the example model:

sldvdemo\_cruise\_control

2 Right-click the Controller subsystem, and select Design Verifier > Enable 'Treat as Atomic Unit' to Analyze.

The Function Block Parameters dialog box for the Controller subsystem opens.

**3** Select **Treat as atomic unit**.

An atomic subsystem executes as a unit relative to the parent model. Subsystem block execution does not interleave with parent block execution. You can extract atomic subsystems for use as standalone models.

To analyze a subsystem with Simulink Design Verifier, set the **Treat as atomic unit** parameter.

After you set the parameter, other parameters become available, but you can ignore them.

- 4 To close the dialog box, click **OK**.
- 5 On the Simulation tab, in the File section, select Save > Save As and save the Cruise Control Test Generation model with a new name.
- 6 To start the subsystem analysis and generate test cases, right-click the Controller subsystem, and select **Design Verifier > Generate Tests for Subsystem**.
- 7 The Simulink Design Verifier software analyzes the subsystem. When the analysis is complete, view the analysis results for the Controller subsystem by clicking one of the following options:
  - Highlight analysis results on model
  - View tests in Simulation Data Inspector
  - Detailed analysis report
  - Create harness model
  - Export test cases to Simulink Test
  - Simulate tests and produce a model coverage report

**Note** After processing a certain number of objectives, if the analysis stops, or if the analysis times out, you can use the Test Generation Advisor to better understand which subsystems are

causing the problem. For more information, see "Use Test Generation Advisor to Identify Analyzable Components" on page 7-24.

- 8 Review the results of the subsystem analysis and compare the results to the results of the fullmodel analysis as described in "Analyze a Model" on page 1-4:
  - The subsystem analysis analyzes the Controller as a standalone model.
  - The Controller subsystem contains all the test objectives in the Cruise Control Test Generation model. Both the analyses generate the same test cases.

### Generate Test Cases for Subsystems for Software-in-the-Loop Mode

This example shows how to generate test cases for atomic subsystems in software-in-the-loop (SIL) mode by using the sldvdemo\_cruise\_control\_ATS model.

1 Open the example model: sldvdemo\_cruise\_control\_ATS

```
model = 'sldvdemo_cruise_control_ATS';
open_system(model);
```

2 In the Configuration Parameters window, click Code Generation and set System Target File to ert.tlc. Alternatively, enter:

set\_param(model,'SystemTargetFile','ert.tlc');

3 Click Hardware Implementation, then set Device vendor and Device type to the vendor and type of your SIL system. For example, for a 64-bit Linux machine, set Device vendor to Intel and Device type to x-86-64 (Linux). Alternatively, enter:

```
if ismac
    lProdHWDeviceType = 'Intel->x86-64 (Mac OS X)';
    elseif isunix
    lProdHWDeviceType = 'Intel->x86-64 (Linux 64)';
    else
        lProdHWDeviceType = 'Intel->x86-64 (Windows64)';
    end
set_param(model, 'ProdHWDeviceType', lProdHWDeviceType);
```

- **4** Generate the code for the target. For subsystem analysis in SIL mode, code needs to be generated before invoking test generation.
  - a If the test generation target is **Code Generated as Top model**, generate the code for the target by entering:

```
slbuild(model,'StandaloneCoderTarget');
```

**b** If the test generation target is **Code Generated as Model Reference**, generate the code for the target by entering:

```
slbuild(model,'ModelReferenceCoderTargetOnly');
```

#### Note

- If there is a mismatch of the test generation target and the generated code interface target, then test generation returns an error.
- If you generate a code for both targets, the test generation returns an error.

5 Set up the function packaging of the subsystem by right-clicking PI Controller > Block Parameters (Subsystem) > Code Generation > Function Packaging and set as Reusable function or Nonreusable function.

Alternatively enter:

```
ssPath = [model '/PI Controller'];
set_param(ssPath, 'RTWSystemCode', 'Reusable function'); % For Resuable function
set_param(ssPath, 'RTWSystemCode', 'Nonreusable function'); % For Nonresuable function
```

- 6 In the Apps tab, click Design Verifier. Then, in the Design Verifier tab, set Target to Code Generated as Top Model. Generate tests by using one of these methods:
  - Right click the **PI Controller** block, then click **Design Verifier** > **Generate Tests for Subsystems**.
  - Select the **PI Controller** block by unpinning it from the toolstrip. Then click **Generate Tests**.
  - Create a harness for the subsystem and then invoke test generation by right-clicking the **PI Controller** block, then clicking **Test Harness** > **Create for PI Controller**.

Select the harness name and click OK.

Open the new harness. Then click **Design Verifier** and click **Generate Tests**.

Alternatively, you can use the API to generate the tests by entering:

```
opts = sldvoptions;
opts.TestgenTarget = Sldv.utils.Options.TestgenTargetGeneratedCodeStr;
[status, fileNames] = sldvrun(ssPath,opts,true);
```

7 Review the results of the subsystem analysis and compare the results to the results of the fullmodel analysis as described in "Generate Test Cases for Subsystems for Normal Mode" on page 7-18.

## **Generate Test Cases for a Reusable Library Subsystem**

A reusable library subsystem (RLS) is a subsystem that you define and include in a library and configure for reuse across models. For more information on how to configure an RLS for analysis, see "Generate Reusable Code for Subsystems Shared Across Models" (Embedded Coder). You must test the configured RLS by creating a harness from the library and not from an instance in a design model.

This example uses sldvdemo\_cruisecontrol model, where PI controller is the RLS block. You can create a harness from the instance of this RLS block as shown. Test generation of RLS can be invoked on a harness RLS block created from the library and not from its instance.



When you create the test harness from the library as shown, the test generation for the RLS code from this harness is supported by the design model.

|                              |                                                                                                                                                                                                                                                                                                  | Create Test Harness | ^ | × |
|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|---|---|
| error theat<br>PI_Controller | Specify the properties of the test harness. The component under test is the syster<br>for which the harness is being created. After creation, use the block badge to find<br>and open harnesses.<br>Component under Test: <u>mPIController RLS/PI Controller</u><br>Basic Properties Description |                     |   |   |
|                              | Name: mPIController_RLS_Harness1<br>Harnesses saved internally. More information                                                                                                                                                                                                                 |                     |   |   |
|                              | Select Function Interface PIController_CodeSpecification1                                                                                                                                                                                                                                        |                     |   |   |

This example shows how to analyse RLS code in the Software-in-the-Loop mode.

## Generate Test Cases for RLS in Software-in-the-Loop Mode

This example shows how to generate test cases for RLS in the software-in-the-loop (SIL) mode.

1. Open the example model: 'mRLS'

```
model = 'mRLS';
open_system(model);
```

2. Unlock the library model. In the Configuration Parameters window, click **Code Generation** and set **System Target File** to ert.tlc. Alternatively, enter the following command:

```
set_param(model,'Lock','off');
set_param(model,'SystemTargetFile','ert.tlc');
```

3. Click **Hardware Implementation**, then set **Device vendor** and **Device type** to the vendor and type of your SIL system. For example, for a 64-bit Linux machine, set **Device vendor** to Intel and **Device type** to x-86-64 (Linux). Alternatively, enter the following code:

```
if ismac
    lProdHWDeviceType = 'Intel->x86-64 (Mac OS X)';
elseif isunix
    lProdHWDeviceType = 'Intel->x86-64 (Linux 64)';
else
    lProdHWDeviceType = 'Intel->x86-64 (Windows64)';
end
set_param(model, 'ProdHWDeviceType', lProdHWDeviceType);
```

4. Use the device settings to set up the function interface. For more information on how to set the function interface from within a library, see Configure Function Interfaces from Within a Library.

5. Generate the top-model code before generating tests for the RLS. Before you generate the code, set up the code generation target environment. For more information on setting up the target environment, see SIL Testing a Reusable Library Subsystem.

```
orig = Simulink.fileGenControl('get','CodeGenFolderStructure');
Simulink.fileGenControl('set','CodeGenFolderStructure',...
Simulink.filegen.CodeGenFolderStructure.TargetEnvironmentSubfolder);
```

```
slbuild('mRLS');
```

```
### Starting build procedure for: Controller_CodeSpecification1
### Generating code and artifacts to 'Target environment subfolder' folder structure
### Generating code into build folder: C:\TEMP\Bdoc23a 2213998 3568\ib570499\0\tp65d2e03e\sldv-e:
### Invoking Target Language Compiler on Controller CodeSpecification1.rtw
### Using System Target File: B:\matlab\rtw\c\ert\ert.tlc
### Loading TLC function libraries
. . . . . . .
### Initial pass through model to cache user defined code
### Caching model source code
### Writing header file Controller LpOdbbft.c
### Writing header file Controller_CodeSpecification1_types.h
### Writing header file Controller CodeSpecification1.h
### Writing header file rtwtypes.h
### Writing header file Controller Lp0dbbft.h
### Writing source file Controller_CodeSpecification1.c
### Writing header file Controller_CodeSpecification1_private.h
### Writing source file ert main.c
### TLC code generation complete (took 8.15s).
### Saving binary information cache.
### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows)
```

```
### Creating 'C:\TEMP\Bdoc23a_2213998_3568\ib570499\0\tp65d2e03e\sldv-ex41550386\IntelWin64\_sha
### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows)
### Creating 'C:\TEMP\Bdoc23a_2213998_3568\ib570499\0\tp65d2e03e\sldv-ex41550386\IntelWin64\Cont
### Successful completion of code generation for: Controller_CodeSpecification1
```

The following files will be copied from IntelWin64\\_shared to C:\TEMP\Bdoc23a\_2213998\_3568\ib5704

```
Controller_LpOdbbft.c
Controller_LpOdbbft.h
shared_file.dmr
```

Files copied from IntelWin64\\_shared to C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\0\tp65d2e03e\sldv-@

6. If the library model is locked, unlock the library model to create a Simulink test harness for the subsystem block.

Create the harness for the subsystem block for a particular function interface. In this example, create the harness for the function interface Double.

7. Open the harness model and select the appropriate target and then start test generation.

**Note:** For RLS you can generate subsystem code from the library that gets compiled into a static library and can be reused by components. Test generation on the harness, created from the library and if you set the target as **Code Generated as Model Reference** you will receive an error message as this is not supported.

## See Also

#### **More About**

- "Generate Reusable Code for Subsystems Shared Across Models" (Embedded Coder)
- "Test Library Blocks" (Simulink Test)

# Use Test Generation Advisor to Identify Analyzable Components

#### In this section...

"Test Generation Advisor" on page 7-24

"Test Generation Advisor Requirements" on page 7-25

"Identify Analyzable Components" on page 7-25

"Analyze and Generate Tests for Model Components" on page 7-25

"Manually Select Components for Testing" on page 7-27

## **Test Generation Advisor**

You can use the Test Generation Advisor to select model components (atomic subsystems and model blocks) for test generation. The Test Generation Advisor summarizes test generation compatibility, condition and decision objectives, and dead logic for the model and model components.

The Test Generation Advisor performs a high-level analysis and fast dead logic detection. You can use the results to better understand your model before test generation, particularly for large models, complex models, or models for which you are uncertain of the test generation compatibility. For example, you can:

- Identify components that are incompatible with test case generation.
- Identify complex components that may be time-consuming to analyze.
- Determine instances of dead logic.
- Get a snapshot of the component hierarchy.
- Get recommended test generation parameters.



The Test Generation Advisor classifies components as analyzable, complex, or incompatible.

- *Analyzable* components are compatible with Simulink Design Verifier. The preliminary analysis indicates that Simulink Design Verifier might achieve high component coverage.
- *Complex* components are also compatible with Simulink Design Verifier. However, the preliminary analysis indicates that Simulink Design Verifier might require more time and resources to achieve high component coverage due to component complexity or other factors. For more information, see "Sources of Model Complexity" on page 14-2.
- You cannot generate tests for *incompatible* components. For more information, see "Check Model Compatibility" on page 3-2.

The results summary displays specific information about the model and each component:

- Status: The compatibility or complexity
- Objectives: The number of condition and decision objectives
- **Dead Logic Detected**: The number of instances of dead logic decided during the analysis. This might not include every instance of dead logic.
- **Objectives Decided**: The percentage of condition and decision objectives determined by test cases and dead logic.

## **Test Generation Advisor Requirements**

For analysis, your model must compile. Also, if you change the model name, you must reload the model and reopen the Test Generation Advisor.

## **Identify Analyzable Components**

To analyze your model using the Test Generation Advisor, follow this high-level workflow:

- **1** Open your model.
- 2 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**, then click **Advisor**.
- **3** Your model compiles, and the Test Generation Advisor opens. It displays the model hierarchy and summary table.
- 4 Enter a time value for **Seconds per component**, which limits the analysis time per component. This value does not include time for other operations such as compilation.
- <sup>5</sup> Run the analysis by clicking the Start Analysis button *▶*. Track the analysis using the progress indicator.
- **6** Determine incompatibilities, complexities and characteristics from the component hierarchy tree and the results summary.
- 7 Trace from the summary to the model using the component hyperlinks.

### Analyze and Generate Tests for Model Components

This example demonstrates analysis and test generation using the Test Generation Advisor. The example model has analyzable and incompatible subsystems.

1 At the command line, enter fuelsys\_docreq to open the fuelsys\_docreq model.

- **2** Save a copy of the model in a writable location on the MATLAB path.
- 3 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**, then click **Advisor**.

| 🤊 🕕 📔 🕨 Seconds per c                                                                                                                                              | omponent: 20                                                                                       |         |                                       |                           |                              |   |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|---------|---------------------------------------|---------------------------|------------------------------|---|
| Component Hierarchy   * E   >>                                                                                                                                     | Component Name: fuelsys_docreq                                                                     |         |                                       |                           |                              |   |
| <ul> <li>✓ ■ fuelsys_docreq</li> <li>■ control logic</li> <li>■ MAP Estimate</li> <li>■ Speed Estimate</li> <li>■ Throttle Estimate</li> <li>■ LOW Mode</li> </ul> | Overall progress<br>Components processed 0/7                                                       |         |                                       |                           |                              |   |
| 🔲 RICH Mode                                                                                                                                                        | Incompatible: 0                                                                                    | able: 0 | Â                                     | Complex:                  | 0                            |   |
|                                                                                                                                                                    | Summary of subcomponents in 'fuelsys                                                               | docreq' |                                       |                           |                              |   |
|                                                                                                                                                                    | Component Name                                                                                     | Status  | Objectives<br>(Condition<br>Decision) | Dead<br>Logic<br>Detected | Objectives<br>Decided<br>(%) |   |
|                                                                                                                                                                    | fuelsys_docreq                                                                                     |         | 167                                   | NA                        | NA                           |   |
|                                                                                                                                                                    | fuelsys_docreq/fuel rate<br>controller/control logic                                               |         | 109                                   | NA                        | NA                           | L |
|                                                                                                                                                                    | fuelsys_docreg/fuel_rate<br>controller/Sensor correction and Fault<br>Redundancy/MAP Estimate      |         | 2                                     | NA                        | NA                           | l |
|                                                                                                                                                                    | fuelsys_docreg/fuel_rate<br>controller/Sensor correction and Fault<br>Redundancy/Speed Estimate    |         | 2                                     | NA                        | NA                           | ł |
|                                                                                                                                                                    | fuelsys_docreg/fuel_rate<br>controller/Sensor correction and Fault<br>Redundancy/Throttle Estimate |         | 2                                     | NA                        | NA                           |   |
|                                                                                                                                                                    | fuelsys_docreq/fuel rate controller/Fuel                                                           |         | 2                                     | NA                        | NA                           | • |
|                                                                                                                                                                    | 4                                                                                                  |         |                                       |                           |                              | • |
| < >                                                                                                                                                                |                                                                                                    |         |                                       |                           | Help                         |   |

- 4 In the **Seconds per component** text box, enter 25.
- <sup>5</sup> Click the Start Analysis button  $\triangleright$  to begin the model analysis.
- 6 After the analysis is complete, the component tree displays results for the overall model and each component.

| 🤊 🔘 🕨 Seconds per componen                                                                               | nt: | 5 3                                                                                           |                                                                                              |          |                                                                       |          |                |                                                                        |              |
|----------------------------------------------------------------------------------------------------------|-----|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------------|----------|----------------|------------------------------------------------------------------------|--------------|
| Component Hierarchy                                                                                      | С   | omponent Name: fuelsys_docreq                                                                 |                                                                                              |          |                                                                       |          |                |                                                                        |              |
| <ul> <li>Stuelsys_docreq</li> <li>control logic</li> <li>MAP Estimate</li> <li>Speed Estimate</li> </ul> |     | Overall progress Components processed 7/7                                                     |                                                                                              |          |                                                                       |          |                |                                                                        |              |
| <ul> <li>Throttle Estimate</li> <li>LOW Mode</li> </ul>                                                  |     |                                                                                               |                                                                                              |          |                                                                       |          |                |                                                                        |              |
| RICH Mode                                                                                                |     | Incompatible: 2                                                                               | 🔗 Analyzable: 5                                                                              |          |                                                                       | Â        | Complex: 0     |                                                                        |              |
|                                                                                                          |     |                                                                                               | req'<br>onent Name                                                                           |          |                                                                       |          | ad Logic Detec | ted Objectives Decided (%)                                             |              |
|                                                                                                          |     | fuelsys_docreq<br>fuelsys_docreq/fuel rate controller/control lo                              |                                                                                              | <b>8</b> | 167<br>109                                                            | 1        |                | NA<br>94.5%                                                            |              |
|                                                                                                          |     |                                                                                               | prrection and Fault Redundancy/MAP Estimate<br>prrection and Fault Redundancy/Speed Estimate | 0        | 2                                                                     | 0        |                | 100%                                                                   |              |
|                                                                                                          |     |                                                                                               | prrection and Fault Redundancy/Throttle Estimate                                             |          | 2                                                                     | 0        |                | 100%                                                                   |              |
|                                                                                                          |     |                                                                                               | ulation/Switchable Compensation/LOW Mode                                                     | 0        | 2                                                                     | 0        |                | 100%                                                                   |              |
|                                                                                                          |     | fuelsys_docreq/fuel rate controller/Fuel Cale                                                 | zulation/Switchable Compensation/RICH Mode                                                   | 8        | 2                                                                     | N        | 1              | NA                                                                     |              |
|                                                                                                          |     | Model items that are incompatible:                                                            |                                                                                              |          |                                                                       |          |                |                                                                        |              |
|                                                                                                          |     | Model item                                                                                    |                                                                                              | lessage  | D                                                                     |          |                |                                                                        |              |
|                                                                                                          |     | fuelsys_docreq                                                                                | c                                                                                            | ntroller | Design Verifier failed<br>/Fuel Calculation/Sw<br>ation/RICH Mode' is | itchable |                | ate<br>ion with Simulink Design Verifie                                | r.           |
|                                                                                                          |     | fuelsys_docreq/fuel rate controller/Fuel Calo<br>Mode/Discrete Transfer Fcn (with initial out |                                                                                              |          |                                                                       |          |                | <u>sfer Fcn (with initial outputs)/Dis</u><br>pport non finite values. | screte State |
|                                                                                                          |     |                                                                                               |                                                                                              |          |                                                                       |          |                |                                                                        |              |
|                                                                                                          |     |                                                                                               |                                                                                              |          |                                                                       |          |                |                                                                        |              |
|                                                                                                          |     |                                                                                               |                                                                                              |          |                                                                       |          |                |                                                                        |              |

7 Highlight the control logic subsystem in the component hierarchy. The analysis was partial, in that it determined 87% of the objectives for control logic by test cases and dead logic. To load the test generation summary, click the **Show test generation results summary** link.

At the bottom of the summary, the table lists recommended test generation parameters.

| 🤊 🕕 ≽ Seconds per compone                                                                                | ent: 25 🕜                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                                           |
|----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|
| Component Hierarchy                                                                                      | Component Name: control logic                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                           |
| S fuelsys_docreq     ontrol logic     MAP Estimate     Speed Estimate     Throttle Estimate     Low Mode | Overall progress       Components processed       7/7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                           |
| 🔇 RICH Mode                                                                                              | S Incompatible: 2 Analyzable: 5 🚯 Complex: 0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                           |
|                                                                                                          | Summary of subcomponents in 'control logic'         Component Name         Status Objectives (Condition Decision) Dead Logic Detected Objectives Decided (%)         ftelsys_docreg/fuel rate controller/control logic       109       1       94.5%         Preliminary Test Generation Results         Preliminary analysis result for control logic: 103 out of 109 objectives decided.         Show test generation results summary. (Partial)         Preliminary Dead Logic Detection         '1' objectives are dead logic in 'control logic'.         Simulink Design Verifier proved that these decision and condition outcomes cannot occur and are dead-logic in the model.         Type Model Item Description         Decision fuelys_docreg/fuel rate controllegic/Dueling_Mode/Fuel Disabled/transition(#784) |                                           |
| < >>                                                                                                     | Recommendations         Recommendation           Simulink Design Verifier Option         Recommendation           Maximum analysis time(seconds)         300           Automatic stubbing of unsupported atomic blocks         on           Testsuite generation strategy         Auto                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Extract this component and generate tests |

- 8 Click the **Component name** hyperlink. Simulink traces to the **control logic** Stateflow chart.
- **9** Generate the full set of tests for the subsystem. In the Test Generation Advisor summary for control logic, click **Extract this component and generate tests**.

### **Manually Select Components for Testing**

If you know which model components that you want to test, you can manually select these components. Break down the model into components of 100–1000 objectives each. Use the sldvextract function to extract components into a new model. You can then analyze the individual components, starting with the lowest-level subsystems.

### See Also

#### **More About**

- "Model Coverage Objectives for Test Generation" on page 7-30
- "Generate Test Cases for Model Decision Coverage" on page 7-6

# **Generate Test Cases for Embedded Coder Generated Code**

#### In this section...

"Generate Test Cases for Generated Code from the Simulink Model Toolstrip" on page 7-28 "Generate Test Cases for Generated Code by Using the Simulink Design Verifier API" on page 7-29 "Generate Test Cases for Generated Code from the Simulink Test Test Manager" on page 7-29

When you use Embedded Coder to generate code from a model set to software-in-the-loop (SIL) mode, you can use Simulink Coverage to record coverage metrics on the generated code. However, the same tests that enable you to achieve 100% model coverage might not produce 100% coverage for the generated code. Some differences between the output code and the model can cause gaps in the code coverage compared to the model coverage:

- Extra custom code files
- Shared utility files
- Code transformations, such as:
  - Expression folding
  - Simplified or expanded expressions
  - New decision points due to lookup tables

You can use Simulink Design Verifier to generate test cases to increase coverage for generate code. You generate test cases for generated code from the block diagram, by using the Simulink Design Verifier API, or from the Simulink Test Test Manager. Before you generate test cases, you need to record coverage results at least once.

## Generate Test Cases for Generated Code from the Simulink Model Toolstrip

After you Enable SIL Code Coverage for a Model (Simulink Coverage), simulate the model, and record code coverage data, you use Simulink Design Verifier to generate additional test cases for the generated code:

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**.
  - To generate tests for code generated as top model, select **Target > Code Generated as Top Model**, then click **Generate Tests**.
  - To generate tests for code generated as model reference, select **Target > Code Generated** as **Model Reference**, then click **Generate Tests**.

Simulink Design Verifier test generation proceeds according to the test generation mode that you choose.

To learn more about the differences between code generated as top model and code generated as model reference, see:

- "Configure and Run SIL Simulation" (Embedded Coder)
- "Code Interfaces for SIL and PIL" (Embedded Coder)

• "Choose a SIL or PIL Approach" (Embedded Coder)

# Generate Test Cases for Generated Code by Using the Simulink Design Verifier API

For an example of how to programmatically generate test cases for generated code, see "Code Coverage Test Generation" on page 7-111.

## Generate Test Cases for Generated Code from the Simulink Test Test Manager

If you use the Simulink Test Test Manager to record code coverage for a model set to SIL mode, you can incrementally increase coverage for the generated code directly from the Test Manager. For more information, see "Incrementally Increase Test Coverage Using Test Case Generation" on page 16-9.

## See Also

## **More About**

• "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28

# Model Coverage Objectives for Test Generation

#### In this section...

"Decision" on page 7-30 "Condition" on page 7-30 "MCDC" on page 7-31 "Enhanced MCDC" on page 7-31 "Relational Boundary" on page 7-31

Test cases are generated to drive your model to satisfy condition, decision, modified condition/ decision (MCDC), and custom coverage objectives. But, if your model does not have any of these objectives, then Simulink Design Verifier generates a test case that represents a basic simulation of your model. The test inputs satisfy minimum or maximum constraints on input ports and intermediate signal values satisfy constraints specified by the Test Condition blocks in the model.

## Decision

Decision coverage in Simulink Design Verifier examines blocks and Stateflow states that represent decision points in a model. For instance, the Switch block involves the decision about whether the control input is greater than a threshold value. For more information, see "Model Objects That Receive Coverage" (Simulink Coverage).

To enable decision coverage, under **Design Verifier** > **Test Generation**, for **Model coverage objectives**, select one of the following:

- Decision
- Condition Decision
- MCDC

For each decision in your model, Simulink Design Verifier generates test cases that satisfy the coverage objective. For more information, see "Decision Coverage (DC)" (Simulink Coverage).

## Condition

Condition coverage examines blocks that output the logical combination of their inputs and Stateflow transitions. For more information, see "Model Objects That Receive Coverage" (Simulink Coverage).

To enable condition coverage, under **Design Verifier** > **Test Generation**, for **Model coverage objectives**, select one of the following:

- Condition Decision
- MCDC

For each input to a logical block and each condition in a transition, Simulink Design Verifier generates test cases that satisfy the coverage objective. For more information, see "Condition Coverage (CC)" (Simulink Coverage).

## MCDC

Modified condition decision coverage examines blocks that output the logical combination of their inputs and Stateflow transitions. For more information, see "Model Objects That Receive Coverage" (Simulink Coverage).

To enable MCDC coverage, under **Design Verifier > Test Generation**, for **Model coverage objectives**, select MCDC.

For each input to a logical block and each condition in a transition, Simulink Design Verifier generates test cases that satisfy the coverage objective. For more information, see "MCDC Coverage for Stateflow Charts" (Simulink Coverage).

For information on how MCDC test generation in Simulink Design Verifier can deviate from MCDC coverage recorded by Simulink Coverage, see "Modified Condition and Decision Coverage in Simulink Design Verifier" on page 9-21.

## **Enhanced MCDC**

Enhanced MCDC is an extension of modified condition decision coverage. For a test block, enhanced MCDC generates test cases that avoid masking effects from downstream blocks, so that the test block has an effect on the output.

To enable enhanced MCDC coverage, under **Design Verifier** > **Test Generation**, for **Model coverage objectives**, select Enhanced MCDC. For more information, see "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42.

## **Relational Boundary**

Relational boundary coverage examines blocks that have an explicit or implicit relational operation and Stateflow transitions. For more information, see "Model Objects That Receive Coverage" (Simulink Coverage). Test generation for relational boundary coverage is not supported for If and Fcn blocks.

To enable relational boundary coverage, under **Design Verifier > Test Generation**, select **Include relational boundary objectives**.

For each relational operation in the model, Simulink Design Verifier generates test cases that satisfy the coverage objective. For more information, see "Relational Boundary Coverage" (Simulink Coverage).

**Note** In case your model does not have conditions, decisions, or custom test objectives, then Simulink Design Verifier will generate a test case that represents a basic simulation of your model. The test inputs will satisfy min/max constraints on input ports and intermediate signal values will satisfy constraints specified by the Test Condition blocks in the model.

# **Enhance Model Coverage of Older Release Models**

To enhance the model coverage of a model that you created in an older release, use a test generation workflow or a code generation workflow. You can leverage the latest release capabilities of Simulink Design Verifier to generate the test cases for a Model-Based Design.

These workflows enhance model coverage.

• "Enhance Model Coverage by Generating Test Cases for Older Release Model" on page 7-33



• "Enhance Model Coverage by Using Generated Code from Older Release" on page 7-37



# Enhance Model Coverage by Generating Test Cases for Older Release Model

This example shows how to upgrade model coverage of a model created in R2015b. You use test generation for supported S-functions available in the latest release.

The example model sldvexSFunctionHandlingExample contains the handwritten S-Function, which implements a lookup table algorithm. The handwritten S-Function is in the file sldvexSFunctionHandlingSFcn.c. The user source code for the lookup table is in the file sldvexSFunctionHandlingSource.c.

1. In MATLAB R2015b, open the sldvexSFunctionHandlingExample model.

open\_system('sldvexSFunctionHandlingExample');



Simulink Design Verifier S-Function Handling for Test Generation

2. To simulate the model and generate the coverage report, in the Simulink Editor, click the Run button. See "View Coverage Results in Simulink Canvas" (Simulink Coverage) .

After the simulation, the coverage report indicates that full coverage is not achieved for sldvexSFunctionHandlingExample model.

# Summary

| Model Hierarchy/Complexity        | Test 1 |     |           |
|-----------------------------------|--------|-----|-----------|
|                                   | D1     | Cl  | Execution |
| 1. sldvexSFunctionHandlingExample | 8 13%  | 50% | 100%      |
| 2 <u>isNotZero</u>                | NA     | 50% | 100%      |

3. In MATLAB R2018b or later releases, open the sldvexSFunctionHandlingExample model. The example model sldvexSFunctionHandlingExample is available in R2015b and later releases, so you can use the same model for test generation workflow.

open\_system('sldvexSFunctionHandlingExample');

To avoid any potential changes in the model, create a copy of the older release model in the current working folder, and then open the model in R2018b or later releases. To upgrade and improve models that you use in the current release, you can use the upgradeadvisor function. See "Programmatically Analyze and Upgrade Model".

4. Compile the S-function to be compatible with Simulink Design Verifier for test case generation by using slcovmex (Simulink Coverage). For more information, see "Configuring S-Function for Test Case Generation" on page 7-109.

```
slcovmex('-sldv', ...
        '-output', 'sldvexSFunctionHandlingSFcn',...
        'sldvexSFunctionHandlingSource.c','sldvexSFunctionHandlingSFcn.c');
mex C:\TEMP\Bdoc23a_2213998_3568\ib570499\0\tp5f4630b4_5f10_43a2_a702_c33a560effc4\tpd5aa63d5_e53
Building with 'Microsoft Visual C++ 2019 (C)'.
MEX completed successfully.
mex sldvexSFunctionHandlingSource.c C:\TEMP\Bdoc23a_2213998_3568\ib570499\0\tp5f4630b4_5f10_43a2_
Building with 'Microsoft Visual C++ 2019 (C)'.
MEX completed successfully.
```

5. Create an opts option for the sldvexSFunctionHandlingExample model.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.ModelCoverageObjectives = 'Condition';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
opts.SFcnSupport = 'on';
```

6. To generate test cases by using the specified **opts** options, use **sldvrun** to analyze the model.

[status, fileNames] = sldvrun('sldvexSFunctionHandlingExample', opts);

```
03-Mar-2023 23:40:52
Checking compatibility for test generation: model 'sldvexSFunctionHandlingExample'
Compiling model...done
Building model representation...done
```

03-Mar-2023 23:41:24

'sldvexSFunctionHandlingExample' is compatible for test generation with Simulink Design Verifier

Generating tests using model representation from 03-Mar-2023 23:41:24...

Generating output files:

03-Mar-2023 23:41:47 Results generation completed.

```
Data file:
C:\TEMP\Bdoc23a 2213998 3568\ib570499\0\tp65d2e03e\sldv-ex67693772\sldv output\sldvexSFunction
```

After analysis, the software generates a Simulink Design Verifier data file and stores it in the default location <current\_folder>\sldv\_output \sldvexSFunctionHandlingExample\_sldvdata.mat.

7. In R2015b, open the model.

open\_system('sldvexSFunctionHandlingExample');

8. Load the sldvData file created in R2018b or later releases.

a. On the **Design Verifier** tab, click **Load Earlier Results** and browse to the sldvData MAT-file generated in R2018b or later releases.

b. Click Open.



9. In the Simulink Design Verifier Results Summary window, click **Simulate tests** and produce a model coverage report. The report indicates that 100% coverage is achieved for sldvexSFunctionHandlingExample model.

# Summary

| Model Hierarchy/Complexity        | Test 1 |      |                |           |
|-----------------------------------|--------|------|----------------|-----------|
|                                   | D1     | C1   | Test Objective | Execution |
| 1. sldvexSFunctionHandlingExample | 8 100% | 100% | 100%           | 100%      |
| 2 <u>isNotZero</u>                | NA     | 100% | NA             | 100%      |

For more information, see "Manage Simulink Design Verifier Data Files" on page 13-7 and "Simulate Tests and Produce Model Coverage Report" on page 1-15.

# Enhance Model Coverage by Using Generated Code from Older Release

This example shows how to upgrade the model coverage of a model created in R2015b by using code generation workflow.

For this workflow, you must have Simulink Coder™ and Embedded Coder.

The example model sldvCrossReleaseExample contains the handwritten S-Function, which implements a relational boundary algorithm. The handwritten S-Function is in the file rel\_sfcn.c. The user source code is in the file rel\_comp.c.

To inline the S-function, use the rel\_sfcn.tlcfile. For more information, see "Inline S-Functions with TLC" (Embedded Coder).

Copy the example model sldvCrossReleaseExample and S-Function files, rel\_sfcn.c, rel\_comp.c, and rel\_sfcn.tlc in the current working folder. Copy the header files rel\_comp.h into the current working folder. You use the example model and supporting files in R2015b for a "Cross-Release Code Integration" (Embedded Coder) workflow.

**Note** The example model sldvCrossReleaseExample is created for example purpose. To perform code generation workflow by using the example model, export sldvCrossReleaseExample model to 15b. Save the model as sldvCrossReleaseExample\_15b in the current working folder. For more information, see "Export Model to Previous Version of Simulink".

2 In MATLAB R2015b, open sldvCrossReleaseExample\_15b model from the current working folder.

open\_system('sldvCrossReleaseExample\_15b');

Simulink Design Verifier Enhance Model Coverage by Using Code Generation Workflow



The Subsystem block contains a handwritten S-Function which implements a relational boundary algorithm. The S-function block returns an output value in 100-200 range.

**3** Compile the S-function by using the function legacy\_code.

```
def = legacy_code('initialize');
    def.SFunctionName = 'rel_sfcn';
    def.OutputFcnSpec = 'uint8 y1 = relational_bound(uint8 u1)';
    def.HeaderFiles = {'rel_comp.h'};
    def.SourceFiles = {'rel_comp.c'};
    def.IncPaths = {pwd};
    def.SrcPaths = {pwd};
    def.Options.supportCoverageAndDesignVerifier = true;
```

```
legacy_code('sfcn_cmex_generate', def);
legacy_code('compile', def);
```

**4** To simulate the model and generate the coverage report, in the Simulink Editor, click the **Run** button. See "View Coverage Results in Simulink Canvas" (Simulink Coverage).

After the simulation, the coverage report indicates that 50% coverage is achieved for sldvCrossReleaseExample\_15b model.

## Summary

| Model Hierarchy/Complexity            |   | Test 1 | L |        |     |
|---------------------------------------|---|--------|---|--------|-----|
|                                       |   | D1     |   | Execut | ion |
| 1. <u>sldvCrossReleaseExample_15b</u> | 6 | 50%    | _ | 100%   |     |
| 2 <u>Subsystem</u>                    | 5 | 50%    | _ | 100%   | _   |

**5** To generate code using Embedded Coder, from the **Apps** tab, select **Embedded Coder**. For more information, see "Generate Code Using Embedded Coder" (Embedded Coder).

In the C Code tab, click Generate Code.

The model is preconfigured with these code generation settings.

```
set_param(sldvCrossReleaseExample_15b,'SystemTargetFile','ert.tlc');
set_param(sldvCrossReleaseExample_15b,'PortableWordSizes','on');
set_param(sldvCrossReleaseExample_15b,'SupportNonFinite','off');
set_param(sldvCrossReleaseExample_15b,'GenCodeOnly','on');
set_param(sldvCrossReleaseExample_15b,'SolverMode','SingleTasking');
set_param(sldvCrossReleaseExample_15b,'ProdEqTarget','on');
```

The software generates C code for the model and saves the files in the default folder location <current\_folder>\sldvCrossReleaseExample\_15b\_ert\_rtw.

6 Save the configuration set of the model sldvCrossReleaseExample\_15b to a MAT-file. This ConfigSet is used to set the configuration set of the model in R2018b and later releases.

```
config_set = getActiveConfigSet('sldvCrossReleaseExample_15b');
copiedConfig = config_set.copy;
save('copiedConfig.mat','copiedConfig');
```

- 7 In MATLAB R2018b or later releases, import the components exported from R2015b.
  - Before you import components in current release, rename or delete rtwtypes.h file available in the folder <current\_folder>\sldvCrossReleaseExample\_15b\_ert\_rtw. During cross-release import, MATLAB tries to regenerate a file with same name. If you do not delete or rename the file rtwtypes.h, MATLAB displays an error.
  - **b** Import the generated component code from R2015b as software-in-the-loop (SIL) block.

```
crossReleaseImport('sldvCrossReleaseExample_15b_ert_rtw',...
'sldvCrossReleaseExample_15b', 'SimulationMode','SIL');
```

The crossReleaseImport function creates an untitled model that contains software-in-theloop (SIL) block sldvCrossReleaseExample\_15b\_R2015b\_sil. 8 Add Inport and Outport ports to the sldvCrossReleaseExample\_15b\_R2015b\_sil block and save the model as sldvCrossReleaseExample\_sil\_18b.



**9** Apply the model configuration set similar to R2015b model.

```
load('copiedConfig.mat');
attachConfigSet('sldvCrossReleaseExample_sil_18b', copiedConfig, true);
setActiveConfigSet('sldvCrossReleaseExample_sil_18b', copiedConfig.Name);
```

- 10 Set the simulation mode to Software-in-the-Loop (SIL). To simulate the model, in the Simulink Editor, click the **Run** button.
- 11 To generate test cases for Embedded Coder generated code, on the Design Verifier tab, select Target > Code Generated as Top Model and click Generate Tests. For more information, see "Generate Test Cases for Embedded Coder Generated Code" on page 7-28.

After Simulink Design Verifier analysis, the software generates the test cases and saves the sldvData in folder at default location <current\_folder>\sldv\_output \sldvCrossReleaseExample sil 18b.

**12** In R2015b, open the model.

open\_system('sldvCrossReleaseExample\_15b');

- **13** Update the sldvData.ModelInfomation.Name field in sldvData same as the model name in older release. For example, sldvCrossReleaseExample\_15b.slx.
- 14 Create a harness model by using the sldvData created in R2018b or later releases. This data consists of test cases generated from Embedded Coder generated code. In the dataFile, type the location of the sldvData generated for sldvCrossReleaseExample\_sil\_18b model.

sldvmakeharness('sldvCrossReleaseExample\_15b.slx','dataFile')



#### 15

To simulate the model by using all the test cases, click the **Run all** button

The software simulates all the test cases and generates a coverage report. The report indicates that 100% coverage is achieved for  $sldvCrossReleaseExample_15b$  model.

# Summary

| Model Hierarchy/Complexity            |   | Test 1 |         |     |
|---------------------------------------|---|--------|---------|-----|
|                                       |   | Dl     | Executi | ion |
| 1. <u>sldvCrossReleaseExample_15b</u> | 6 | 100%   | 100%    |     |
| 2 <u>Subsystem</u>                    | 5 | 100%   | 100%    |     |

## See Also

## **More About**

- "Generate Test Cases for Embedded Coder Generated Code" on page 7-28
- "Cross-Release Code Integration" (Embedded Coder)
- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Manage Simulink Design Verifier Harness Models" on page 13-13

# **Enhanced MCDC Coverage in Simulink Design Verifier**

Enhanced Modified Condition Decision Coverage (MCDC) is an extension of modified condition decision coverage. For a test block, enhanced MCDC generates test cases that avoid masking effects from downstream blocks, so that the test block has an effect on the output.

To detect the effect of a test block by using the enhanced MCDC coverage objective, you can consider a standard model coverage objective of a test block or you can author your own custom test objectives for analysis. For more information, see:

- Use Model Coverage Objectives for Enhanced MCDC Coverage on page 7-42
- Author Custom Test Objectives for Enhanced MCDC Coverage on page 7-43

To generate test cases by using enhanced MCDC model coverage objectives, and then analyzing the results, see Basic Workflow for Enhanced MCDC Analysis on page 7-47.

## **Use Model Coverage Objectives for Enhanced MCDC Coverage**

For a given test block, you can detect the effect on a model coverage objective from the downstream blocks. When you generate test cases by using enhanced MCDC model coverage objectives, the generated test cases avoid the masking effect from the downstream blocks. The model coverage objective is detectable at a detection site.

Consider this model that consists of a cascade of Switch, Min, and Max blocks.



The test cases generated for enhanced MCDC coverage ensure that the decision objective of the "Switch" (Simulink Coverage) test block is not masked by the downstream Min and Max blocks. The generated test cases ensure that these nonmasking conditions for Min and Max blocks are satisfied:

- 1 F < D, ensures that the Min block does not mask the Switch output.
- **2** G > E, ensures that the Max block does not mask the Min output.

The decision objective of the Switch block and the nonmasking conditions of the Min and Max blocks are satisfied along the path and are detected at the detection site (Out1). For example, the path starts from the output signal of the Switch block, propagates along the Min block, and ends at the output signal of the Max block (highlighted in the example model).

Enhanced MCDC criteria ensure better quality test cases because the test case detects the effect of a model coverage objective of the test block at the detection site. To analyze a model for enhanced MCDC analysis, see example "Analyze Model for Enhanced MCDC Analysis" on page 7-44.

## Author Custom Test Objectives for Enhanced MCDC Coverage

Enhanced MCDC considers the default coverage objectives of a test block that are detectable at the detection site. To check the detectability status of a custom test objective, you can author the test objective of a model object, and then perform enhanced MCDC analysis.

Consider this model that consists of a Product block and a Min block. The Product block does not have a coverage objective.



You can author a custom test objective for the Product block to render the output value less than 0 and detect the effect of the custom test objective at a detection site.

For more information, see Author Custom Test Objective Workflow on page 7-52.

## See Also

## **More About**

- "Model Coverage Objectives for Test Generation" on page 7-30
- "Design Verifier Pane: Test Generation" on page 15-30

# **Analyze Model for Enhanced MCDC Analysis**

This example shows how to generate test cases for enhanced Modified Condition Decision Coverage (MCDC) objectives. You generate test cases for enhanced MCDC coverage objectives and review analysis results. The sldvEnhancedMCDCExample model consists of Switch, Min, and Max blocks.

1. Open the model sldvEnhancedMCDCExample:

sldvEnhancedMCDCExample;



2. To configure the model for Enhanced MCDC objectives, in the Configuration Parameters dialog box, on the **Design Verifier > Test generation pane**, set **Model coverage objectives** to Enhanced MCDC. Click **OK**.

3. To generate test cases, on the **Design Verifier** tab, click **Generate Tests**.

After the analysis is completed, the Results Summary window displays the processed objectives and options to review the results.

4. To highlight the analysis results, click **Highlight analysis results on model**.

To analyze whether the model coverage objectives of the Switch test block are detectable, click the Switch block.

| Results: sldvEnhancedMCDCExample                              |           | _          | _           |         | $\times$ |
|---------------------------------------------------------------|-----------|------------|-------------|---------|----------|
| $\langle \Rightarrow \ominus \rangle$                         |           |            |             |         | -        |
| Back to summary                                               |           |            |             |         |          |
| sldvEnhancedMCDCExample/Switch                                |           |            |             |         |          |
| Decision Objectives                                           |           |            |             |         |          |
| trigger >= threshold false (output is<br>from 3rd input port) | Satisfied | Detectable | - <u>Vi</u> | ew test | case     |
| trigger >= threshold true (output is<br>from 1st input port)  | Satisfied | Detectable | - <u>Vi</u> | ew test | case     |
|                                                               |           |            |             |         |          |

The results show that the decision objectives of the Switch block are detectable.



5. Click **View test case**. The harness model opens and the Signal Builder block displays **Test case** 4.

You can also view the test cases from the detailed analysis report.

| Time | 0    |
|------|------|
| Step | 1    |
| A    | 0    |
| В    | -128 |
| С    | -1   |
| D    | 127  |
| E    | -128 |



Test Block trigger >= threshold false (output is from 3rd input port)

The test case inputs A, B, and C result in F = -1 and G = -1. The value of E = -128 results in H = -1, so the impact of the test objective is detected at the detection site Out1. The impact of the model coverage objective of the test block is not masked along the path and is detectable at Out1.

6. To view the detailed analysis report, click **HTML** in the Results Summary. The Test Objectives Status section lists the satisfied objectives. The coverage objective that is detectable at the detection site is summarized in the table.

#### **Objectives Satisfied**

| # | Туре     | Model Hem     | Description                                                   | Detection Status | Analysis Time<br>(sec) | Test Case |
|---|----------|---------------|---------------------------------------------------------------|------------------|------------------------|-----------|
| 1 | Decision | <u>Switch</u> | trigger >= threshold false (output is from 3rd input<br>port) | Detectable       | 32                     | <u>4</u>  |
| 2 | Decision | Switch        | trigger >= threshold true (output is from 1st input port)     | Detectable       | 33                     | <u>5</u>  |
| 3 | Decision | MinInp        | Logic to determine output input 1 is the minimum              | Detectable       | 31                     | 2         |
| 4 | Decision | MinInp        | Logic to determine output input 2 is the minimum              | Detectable       | 32                     | <u>3</u>  |
| 5 | Decision | <u>MaxInp</u> | Logic to determine output <b>input 1</b> is the maximum       | Detectable       | 31                     | 2         |
| 6 | Decision | <u>MaxInp</u> | Logic to determine output input 2 is the maximum              | Detectable       | 2                      | 1         |

Simulink Design Verifier found test cases that exercise these test objectives.

The Objectives field in the Simulink Design Verifier data files lists the detectability status and the detection sites for the model coverage objectives. For more information, see "Manage Simulink Design Verifier Data Files" on page 13-7.

#### See Also

• "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42

# **Basic Workflow for Enhanced MCDC Analysis**

To generate test cases for enhanced Modified Condition Decision Coverage (MCDC) coverage objectives:

- 1 On the **Design Verifier** tab, in the **Mode** section, select **Test Generation**.
- 2 Click Test Generation Settings.
- 3 In the Configuration Parameters dialog box, on the **Design Verifier** > **Test Generation** pane, set **Model coverage objectives** to Enhanced MCDC. Click **OK**.
- 4 Click Generate Tests.

**Note** Enhanced MCDC analysis is not supported when you "Generate Test Cases for Embedded Coder Generated Code" on page 7-28. The software considers MCDC coverage objectives for test generation analysis.

Simulink Design Verifier analyzes the model for Enhanced MCDC coverage objectives.

After the analysis is complete:

- The software highlights the model with the analysis results.
- The Results Inspector window displays the summary of the model coverage objectives including the detectability status.

| Results: sldvEnhancedMCDCExample                                        |           | _          | - [             | ) ×       |
|-------------------------------------------------------------------------|-----------|------------|-----------------|-----------|
| $\Leftarrow \Rightarrow $                                               |           |            |                 | v 😰       |
| Back to summary                                                         |           |            |                 |           |
| sldvEnhancedMCDCExample/Switch                                          |           |            |                 |           |
| Decision Objectives                                                     |           |            |                 |           |
| trigger >= threshold false (output is<br>from 3rd input port)           | Satisfied | Detectable | - <u>View t</u> | test case |
| <pre>trigger &gt;= threshold true (output is from 1st input port)</pre> | Satisfied | Detectable | - <u>View t</u> | test case |

The Results Inspector window displays these detectability statuses for a model coverage objective:

- Detectable
- Not Detectable
- Undecided

The table lists the possible combinations of the objective status and the detectability statuses.

| Objective Status             | Detectability Status | Test Case Description                                                                                                                                                                    |
|------------------------------|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Satisfied                    | Detectable           | The test case satisfies the<br>model coverage objective and<br>is detectable at the detection<br>site.                                                                                   |
| Satisfied - Needs Simulation | Detectable           | The test case satisfies the<br>model coverage objective and<br>is detectable at the detection<br>site.                                                                                   |
|                              |                      | To confirm the satisfied<br>status, you must run<br>additional simulations of test<br>cases. For more information,<br>see "Objectives Satisfied -<br>Needs Simulation" on page<br>13-46. |
| Satisfied                    | Not detectable       | The test case satisfies the<br>model coverage objective.<br>However, the test objective is<br>not detectable at any<br>detection site.                                                   |
| Satisfied                    | Undecided            | The test case satisfies the<br>model coverage objective. The<br>software is unable to show the<br>effect of model coverage<br>objective on the downstream<br>blocks.                     |
| Unsatisfiable                | Not Detectable       | The test objective is<br>unsatisfiable and not<br>detectable at any detection<br>site.                                                                                                   |
| Undecided                    | Undecided            | The test objective is<br>undecided and the software is<br>unable to show its effect on<br>the downstream blocks.                                                                         |

• The Simulink Design Verifier data file stores the detectability status and detection site for model coverage objectives. For more information see, "Manage Simulink Design Verifier Data Files" on page 13-7.

## **Configure Detection Sites using Test-pointed Logged Signals**

If you mark any signal as test-pointed logged signal, Enhanced MCDC analysis will prioritize such signals as detection sites for test blocks wherever possible. For example, consider the model shown below:



If you make the output of Min block as the test-pointed logged signal, the detection site for the switch block is min block's outport. Otherwise, it would be saturation block's outport.

```
portHandle_MinBlk = get_param('model/Min', 'PortHandles');
set_param(portHandle_MinBlk.Outport, 'TestPoint', 'on');
set_param(portHandle_MinBlk.Outport, 'DataLogging', 'on');
```

For more information on test points, see "Configure Signals as Test Points". For signal logging, refer to "Configure Signals for Logging".

## **Configure Advanced Options for Enhanced MCDC Analysis**

To analyze a model with stricter nonmasking conditions, enable the "Use strict propagation conditions" on page 15-37 option. This option is available in the Configuration Parameters dialog box, on the **Design Verifier > Test Generation** pane, in **Advanced parameters**.

The software evaluates stricter nonmasking conditions to analyze the effect on the test block from the downstream blocks. For example:

• If your model consists of Atomic Subsystem with the Function packaging option set to Auto or Inline.

Consider a model that consists of Switch and Atomic Subsystem blocks. The Function packaging option is set to Auto and you enable the "Use strict propagation conditions" on page 15-37 option. The effect of the Switch test block is detectable at the detection point Out1.



When you analyze the model with the "Use strict propagation conditions" on page 15-37 option set to Off, the software analyzes the model until the effect of the Switch test block reaches the Atomic Subsystem. The Atomic Subsystem is the detection point.

• If your model consists of blocks such as Gain or Product with the **Saturate on integer overflow** option set to **On**.

## Inspect Enhanced MCDC Objectives using Model Slicer

Model Slicer supports the following objective statuses for test case generation:

- Satisfied
- Satisfied needs simulation
- Satisfied by existing test cases
- Undecided with test case
- Undecided due to the runtime error

You can analyze enhanced MCDC objectives and their impact on the model by using Model Slicer. In the Results window, use the **Inspect** link to the right of the satisfied and detectable objectives.

| Results: sldvdemo_cruise_                                         | control   |            | - [                     | $\square$ $\times$ |
|-------------------------------------------------------------------|-----------|------------|-------------------------|--------------------|
| $\Leftarrow \Rightarrow \oslash$                                  |           |            |                         | v 😰                |
| Back to summary                                                   |           |            |                         |                    |
| sldvdemo_cruise_control/Controller/Switch2                        |           |            |                         |                    |
| Decision Objectives                                               |           |            |                         |                    |
| logical trigger input false<br>(output is from 3rd<br>input port) | Satisfied | Detectable | - View test case        | Inspect            |
| logical trigger input true<br>(output is from 1st input<br>port)  | Satisfied | Detectable | - <u>View test case</u> | Inspect            |

Alternatively, you can click on the Inspect Using Slicer button in the Design Verifier tab.

After launching Model Slicer, the tool sets the input based on the test case values that are relevant to the objective generated by Simulink Design Verifier and steps to the time of observation logged in

sldvData. Model Slicer then adds the model object being observed as the starting point and shows its impact on the detection point by highlighting the slice.



When you set the model coverage objective to enhanced MCDC in the Configuration parameter window, you can analyze its detectability along with inspecting the objective. In this case, the Slicer Configuration window allows you to switch to different modes using the slicer Configuration list.

| Mo                                                 | del Slicer 💿                                                   | ) |
|----------------------------------------------------|----------------------------------------------------------------|---|
| <b>•</b> :                                         | Slice configuration list                                       |   |
|                                                    | Name                                                           |   |
|                                                    | Configuration to inspect Enhanced MCDC objective detectability |   |
| Configuration to inspect test generation objective |                                                                |   |
|                                                    |                                                                |   |

## See Also

### **More About**

- "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42
- "Debug Enhanced Modified Condition Decision Coverage Using Model Slicer" on page 7-121
- "Create and Run Back-to-Back Tests Using Enhanced MCDC" on page 8-18

# **Author Custom Test Objective Workflow**

Enhanced Modified Condition Decision Coverage (MCDC) considers the default coverage objectives of a test block that are detectable at the detection site. To check the detectability status of a custom test objective, you can author the test objective of a model object, and perform Enhanced MCDC analysis.

Consider this model that consists of a Product block and a Min block. You can author a custom test objective for the Product block to render the output value less than 0 and detect the effect of the custom test objective at a detection site.



## **Steps for Authoring Custom Test Objectives**

This workflow describes the steps for authoring custom test objectives for a block.

**Step 1**: Create a library of atomic masked subsystem to author the custom test objectives. The masked subsystem consists of these blocks:

- Block under consideration, for example, a Product block.
- Logic to encode the custom test objective, for example, a MATLAB Function block.
- Simulink Design Verifier Test Objective blocks.



**Step 2**: In the masked subsystem:

- Add isEnabledForDetectability parameter and set the parameter to On.
- Add the detectBlock parameter with the name of the block under consideration.
- Set the Evaluate attribute of the detectBlock parameter to Off.

**Step 3**: Define the block replacement rule to replace the block under consideration with a masked subsystem.

To author custom test objectives, use blkrep\_rule\_product\_customTestObjective.m block replacement rule example file. In the block replacement file, you update the rule.BlockType and rule.ReplacementPath based on your model blocks. For more information, see "Block Replacements for Unsupported Blocks" on page 4-7.

**Step 4**: Configure your model with the block replacement rule. In the Configuration Parameters dialog box, in **Design Verifier > Block Replacements** pane, enter the **List of block replacement rules**.

**Step 5**: Select Enhanced MCDC for **Model coverage objectives** and perform test generation analysis.

## Analyze Custom Test Objectives in Model for Enhanced MCDC

This example shows how to author custom test objectives for the Product block in the sldvCustomTestObjectiveExample model. Then, it shows how you can detect the effect of the test objective at a detection site.

1. Open the sldvCustomTestObjectiveExample model:

open\_system('sldvCustomTestObjectiveExample');



Library of atomic masked subsystem: The blkReplacementlib\_customTestObjective library consists of the custProduct masked subsystem. The logic to encode the custom test objective is defined in the MATLAB Function block. The getCustomTestObjectives MATLAB Function block consists of two custom conditions for the Test Objective blocks.



The custProduct masked subsystem is preconfigured with these parameters. For more information, see "Mask Editor Overview".

| Mask Editor : custProd    | uct                 |                                                   |                           |                     | _       |              | ×      |
|---------------------------|---------------------|---------------------------------------------------|---------------------------|---------------------|---------|--------------|--------|
| Icon & Ports Parameters   | & Dialog Initia     | lization Documentation                            |                           |                     |         |              |        |
| Controls                  | Dialog box          |                                                   |                           | Property editor     |         |              |        |
| Parameter                 | Туре                | Prompt                                            | Name                      | Properties          |         |              |        |
| 31 Edit                   |                     | % <masktype></masktype>                           | DescGroupVar              | Name                | detectB |              | _      |
| Check box                 | A                   | % <maskdescription></maskdescription>             | DescTextVar               | Value               | Product | _target      |        |
| Popup                     |                     | Parameters                                        | ParameterGroupVar         | Prompt              |         |              | _      |
| Combo box                 | <b></b> , #1        |                                                   | isEnabledForDetectability |                     | edit    |              | $\sim$ |
| Listbox                   | <mark>311</mark> #2 |                                                   | detectBlock               | Attributes          |         |              |        |
| Radio button              |                     |                                                   |                           | Evaluate            | -       |              |        |
| " <sup>III</sup> " Slider |                     |                                                   |                           | Tunable             | on      |              | ~      |
| 👾 Dial                    |                     |                                                   |                           | Read only<br>Hidden |         |              |        |
| 🗎 Spinbox                 |                     |                                                   |                           | Never save          |         |              |        |
| 芏 Unit                    |                     |                                                   |                           | Constraint          | None    |              |        |
| Text Area                 |                     |                                                   |                           |                     | None    |              | $\sim$ |
| Custom Table              |                     |                                                   |                           | Enable              |         |              |        |
| Tree Tree                 |                     |                                                   |                           | Visible             |         |              |        |
| 🔛 DataTypeStr             |                     |                                                   |                           | Callback            |         |              |        |
| ≤ Min                     |                     |                                                   |                           | Tooltip             |         |              |        |
| ≥ Max                     |                     |                                                   |                           | E Layout            |         |              |        |
| 🛃 Promote                 |                     |                                                   |                           | Item location       | New ro  | w            | $\sim$ |
| Container                 |                     |                                                   |                           | Prompt location     | Left    |              | ~      |
| Group box                 |                     |                                                   |                           | Horizontal Stretch  | 1       | $\checkmark$ |        |
| 🗀 Tab                     |                     |                                                   |                           |                     |         |              |        |
| III Table                 | Dra                 | <b>g</b> or <b>Click</b> items in left palette to | add to dialog.            |                     |         |              |        |
| CollapsiblePane           | Use                 | Delete key to remove items fro                    | m dialog.                 |                     |         |              |        |
| Panel 🗸                   | Tuto                | orial:- Creating a Mask: Paramet                  | ers and Dialog Pane       |                     |         |              |        |
| Unmask Preview            | Constraint          | Manager                                           |                           | OK Cancel           | Help    | A            | pply   |

#### Block replacement rule to replace the block under consideration with a masked subsystem:

The sldvCustomTestObjectiveExample model is preconfigured with the block replacement options. The block replacement rule is defined in the

blkrep\_rule\_product\_customTestObjective file that replaces the Product block with the custProduct masked subsystem.

| Solver         Data Import/Export         Math and Data Types         Diagnostics         Hardware Implementation         Model Referencing         Simulation Target         Code Generation         Coverage         HDL Code Generation         Posign Verifier         Block Replacements         Parameters         Test Generation         Property Proving         Results         Report  | Configuration Parameters: sldvCus                                                                                                                                                                                                                                                                 | stomTestObjectiveExample/Configuration (Active) —                                                                                                                                    |    | ×   |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----|-----|
| Data Import/Export         Math and Data Types         Diagnostics         Hardware Implementation         Model Referencing         Simulation Target         Code Generation         Coverage         HDL Code Generation         Design Verifier         Block Replacements         Parameters         Test Generation         Posign Error Detection         Property Proving         Results | Q Search                                                                                                                                                                                                                                                                                          |                                                                                                                                                                                      |    |     |
| Results                                                                                                                                                                                                                                                                                                                                                                                           | Solver<br>Data Import/Export<br>Math and Data Types<br>Diagnostics<br>Hardware Implementation<br>Model Referencing<br>Simulation Target<br>Code Generation<br>Coverage<br>HDL Code Generation<br>Design Verifier<br>Block Replacements<br>Parameters<br>Test Generation<br>Design Error Detection | <ul> <li>Apply block replacements</li> <li>List of block replacement rules (in order of priority):</li> <li>blkrep_rule_product_customTestObjective</li> <li>Output model</li> </ul> |    | \$  |
|                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                                                                                                                                                                                                                                                   |                                                                                                                                                                                      |    |     |
| OK Cancel Help Apply                                                                                                                                                                                                                                                                                                                                                                              |                                                                                                                                                                                                                                                                                                   | OK Cancel Help                                                                                                                                                                       | An | nlv |

2. To configure the model for enhanced MCDC objectives, on the **Design Verifier** tab, click **Test Generation Settings**. In the Configuration Parameters dialog box, in **Design Verifier > Test Generation** pane, for Model coverage objectives, select Enhanced MCDC. Click **OK**.

3. To generate test cases, click Generate Tests.

The software analyzes the replacement model for test generation.

| Simulink Design Verifier Res                                                                      | sults Summary: sldvCustomTestObjectiveExample_replacemen         | t × |  |
|---------------------------------------------------------------------------------------------------|------------------------------------------------------------------|-----|--|
| Progress                                                                                          |                                                                  |     |  |
| Objectives processed<br>Satisfied                                                                 | 2/4                                                              |     |  |
| Unsatisfiable                                                                                     | 1<br>0                                                           |     |  |
| Elapsed time                                                                                      | 0:10                                                             |     |  |
|                                                                                                   |                                                                  |     |  |
| 10-Jan-2019 14:17:16                                                                              |                                                                  | Â   |  |
| Preprocessing modeldone                                                                           |                                                                  |     |  |
| Checking compatibility for test generation: model<br>'sldvCustomTestObjectiveExample_replacement' |                                                                  |     |  |
| Compiling modeldone                                                                               |                                                                  |     |  |
| Building model representationdone                                                                 |                                                                  |     |  |
| 10-Jan-2019 14:18:00                                                                              | un male verbane this commentation for test concertion.           |     |  |
| with Simulink Design Verifie                                                                      | xample_replacement' is <b>compatible</b> for test generation er. |     |  |
|                                                                                                   |                                                                  |     |  |
| Generating tests using mod                                                                        | lel representation from 10-Jan-2019 14:18:00                     |     |  |
| SATISFIED - NEEDS SIM                                                                             | ULATION                                                          |     |  |
| Product/Test Objective                                                                            |                                                                  |     |  |
| Objective: T<br>Analysis Time = 00:00:09                                                          |                                                                  |     |  |
|                                                                                                   |                                                                  |     |  |
| SATISFIED<br>Min                                                                                  |                                                                  | ~   |  |
|                                                                                                   | Disable Highlighting Sto                                         | ор  |  |

4. Click **Highlight analysis results on model**. To analyze the detectability of the Product block, click the Product block.



The results show that the test objectives of the Product block are detectable. The test case is generated.

**Note:** The software is unable to confirm the objectives status through validation results for the objectives introduced by block replacement. Therefore, the test objective status is reported as satisfied - needs simulation. For more information on validation, see "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23.

5. Click **View test case**. The harness model opens and the Signal Builder block displays the test case.

6. To view the detailed analysis report, click **HTML** in the Results Summary. The Block Replacement Summary provides details about the replaced blocks.

#### **Block Replacements Summary**

#### Table 2.1. Block Replacements

| #: |                                               |                                   | Replaced Blocks |
|----|-----------------------------------------------|-----------------------------------|-----------------|
| 1  | blkrep_rule_product_customTestObj<br>/Product | blkrep_rule_product_customTestObj | Product1        |

The Test Objectives Status section lists the objectives. The test objective that is detectable at the detection site is summarized in the table.

#### **Objectives Satisfied**

Simulink Design Verifier found test cases that exercise these test objectives.

| # | Туре     | Model Item | Description                                                       | Detection<br>Status | Analysis Time<br>(sec) | Test Case |
|---|----------|------------|-------------------------------------------------------------------|---------------------|------------------------|-----------|
| 3 | Decision | Min        | Logic to determine output <b>input 1 is the</b><br><b>minimum</b> | Detectable          | 13                     | <u>3</u>  |
| 4 | Decision | Min        | Logic to determine output <b>input 2 is the</b><br><b>minimum</b> | Detectable          | 12                     | 1         |

#### **Objectives Satisfied - Needs Simulation**

Simulink Design Verifier found test cases that exercise these test objectives. However, further simulation is needed to confirm the Satisfied status.

| # | Туре           | Model Item                                                                                                  | Description  | Detection<br>Status | Analysis Time<br>(sec) | Test Case |
|---|----------------|-------------------------------------------------------------------------------------------------------------|--------------|---------------------|------------------------|-----------|
| 1 | Test objective | Product/Test Objective. Defined by block<br>replacement rule<br>'blkrep_rule_product_customTestObjective'_  | Objective: T | Detectable          | 12                     | <u>4</u>  |
| 2 | Test objective | Product/Test Objective1. Defined by block<br>replacement rule<br>'blkrep_rule_product_customTestObjective'. | Objective: T | Detectable          | 14                     | <u>3</u>  |

## See Also

## **More About**

- "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42
- "Block Replacements for Unsupported Blocks" on page 4-7

# What Is a Specification Model?

When you systematically verify a model against requirements, you generate test cases for each requirement. These tests validate the model, which you can use to generate production code and build confidence that your model satisfies requirements. To create tests that satisfy your requirements, you can construct a *specification model*. A specification model is an executable entity that you can use to perform requirements-based testing by using Simulink Design Verifier and Requirements Toolbox.

If you have a set of requirements written in natural language text, you can express them as formal requirements by using a Requirements Table block. After defining the requirements in one or more blocks, the blocks and the signals become the specification model. Unlike the model that you want to test, known as the *design model*, the specification model only specifies what to do, not how to do it.

You can use a specification model to:

- Validate the set of requirements in a systematic and quantitative manner.
- Automate requirements-based testing.
- Identify issues with your design model and requirements.

## **Use Specification Models in Requirements-Based Testing**

To create and deploy a specification model, follow these steps:

- 1 Author the requirements Write your requirements in natural language text that describes the behavior of the system under design. Author them directly in the **Requirements Editor** or import them. For more information on importing requirements, see "Import Requirements from Third-Party Applications" (Requirements Toolbox).
- **2** Construct the specification model Design the specification model as an formal representation of the requirements by using at least one Requirements Table block.
- 3 Link the requirements Each requirement that you create in the Requirements Table block creates an equivalent requirement in the **Requirements Editor**. See "Configure Properties of Formal Requirements" (Requirements Toolbox). Link the high-level requirements to the formal requirements from the specification model.
- 4 Analyze the formal requirements for completeness and consistency Identifying incomplete and inconsistent requirement sets can be difficult to do manually. The Requirements Table block allows you to automatically analyze the requirements for these issues. See "Identify Inconsistent and Incomplete Formal Requirement Sets" (Requirements Toolbox).
- 5 Generate tests for the specification model Generate at least one test per requirement that demonstrates its conformance to that requirement. For more information on generating tests, see "Generate Test Cases for a Subsystem" on page 7-18. Simulink Design Verifier automatically creates test objectives from the requirements defined in Requirements Table blocks.
- 6 Interface the specification model with the design model The specification and design models often do not use identical input and output signals. Convert the test cases that you generate in step 5 by developing an interface between both models.
- 7 Develop the design model Develop the design model by using the requirements. Link the requirements to the design model.
- 8 Verify the design and analyze the coverage Run the tests generated in step 5 on the design model and verify whether the results agree with the specification model and requirements.

Generate a coverage report to identify the missing coverage and refine the requirements, if required.

This flow chart illustrates this process.



## **Construct a Specification Model**

Consider the autopilot controller model described in "Use Specification Models for Requirements-Based Testing" on page 7-69. In this example, you develop requirements that contain logical and temporal conditions that define outputs.

#### Identify the Specification Model Interface

List the input and output signals for the specification model that are related to the requirements that you want to test. Ignore the signals that the requirements do not specify and that do not affect the tested outputs. In this example, the requirements specify five inputs and two outputs. The specification model input signals are:

- 1 Autopilot Engage Switch A switch that enables or disables the autopilot controller
- **2** Heading Engage Switch A switch that specifies the mode of the autopilot controller when the autopilot switch is engaged
- **3** Roll Reference Target Turn Knob A knob that feeds the desired roll angle value to the autopilot controller
- 4 Heading Reference Turn Knob A knob that gives the set-point value for heading mode
- 5 Aircraft Roll Angle The current roll angle of the aircraft

The output signals are:

- 1 Aileron Command The output to the aileron actuator
- 2 Roll Reference Command The output on the display window that indicates the set-point value for the aileron actuator

#### Identify Preconditions, Postconditions, and Actions for Each Requirement

For the requirements that you want to verify, transform the textual requirements into logical expressions that can be represented as preconditions, postconditions, and actions. You define formal requirements as a combination of Preconditions, Postconditions, and Actions:

- Precondition A condition that must be true for a specified duration before evaluating the rest of the requirement
- Postcondition A condition that must be true if the associated precondition is true for the specified duration
- Action A behavior that must be performed if the associated precondition is true for the specified duration

You may find that some requirements can use a postcondition or an action interchangeably, or both postconditions and actions. Specify which you want to use based on the configuration of your design model.

For example consider this high level requirement that specifies the modes of the autopilot controller:

The autopilot controller mode is determined by the following:

- The autopilot controller is OFF when the autopilot engage switch is not engaged.
- The autopilot controller is ROLL\_HOLD\_MODE when the autopilot engage switch is engaged and the heading engage switch is not engaged.
- The autopilot controller is HDG\_HOLD\_MODE when the autopilot engage switch and the heading engage switch are both engaged.

| Requirement | Precondition                                                 | Action                |
|-------------|--------------------------------------------------------------|-----------------------|
| 1           | AP_Engage_Switch ==<br>false                                 | Mode = Off            |
| 2           | AP_Engage_Switch == true<br>&& HDG_Engage_Switch ==<br>false | Mode = ROLL_HOLD_MODE |
| 3           | AP_Eng_Switch == true &&<br>HDG_Engage_Switch ==<br>true     | Mode = HDG_Hold_Mode  |

You can write these requirements as these logical expressions:

Repeat this process for the remaining requirements.

#### **Identify Design Values Representations in Requirements**

Your requirements may specify ranges of values that your design model must satisfy, or you may want to parameterize the values that you evaluate in each requirement. These values cannot always be described easily with literal values. You can use the Requirements Table block to represent values in the expressions as constant or parameter data. See "Define Data in Requirements Table Blocks" (Requirements Toolbox). You can change data throughout simulation. In addition to assigning numerical values to data, the block supports other data types, such as strings, enumerations, or ranges. Use the representation of values that fits your needs.



In the autopilot controller model, the requirements specify threshold values for the aircraft roll angle. This graphic illustrates the numerical and verbal equivalents of the thresholds.

#### **Create the Requirements Table Blocks**

After identifying the signal representations, values, and the expressions that you want to use in the formal requirements, write the logical expression of the precondition, postconditions, and actions in the **Precondition Postcondition**, and **Action** columns for each requirement respectively. If your requirements have children or dependencies, you can include those relationships in the block. See "Establish Hierarchy in Requirements Table Blocks" (Requirements Toolbox).

Each requirement that you create in the Requirements Table block creates an equivalent requirement in the **Requirements Editor**. Update additional textual properties of the requirements, such as the description, in the editor. See "Configure Properties of Formal Requirements" (Requirements Toolbox).

In the autopilot controller model, the specification model includes two Requirements Table blocks. AP\_Mode\_Determination defines the formal requirements for the autopilot controller mode.

| Index |                                                                  | Prece            | Precondition      |                |
|-------|------------------------------------------------------------------|------------------|-------------------|----------------|
| Index | Summary                                                          | AP_Engage_Switch | HDG_Engage_Switch | Mode           |
| 1     | AP_Engage_Switch and<br>HDG_Engage_Switch both engaged           | true             | true              | HDG_HOLD_MODE  |
| 2     | AP_Engage_Switch is engaged and HDG_Engage_Switch is not engaged | true             | false             | ROLL_HOLD_MODE |
| 3     | AP_Engage_Switch is not engaged                                  | false            |                   | OFF            |

The other Requirements Table block, Cmd\_Determination, describes the desired output of the aileron command and the roll reference command.

|              |                                                                       | Precondition                   |                                                                |                              |                    | Action  |  |
|--------------|-----------------------------------------------------------------------|--------------------------------|----------------------------------------------------------------|------------------------------|--------------------|---------|--|
| Index        | Summary                                                               | Mode                           | Roll_Ref_TK                                                    | prev(Roll_Angle_Phi)         | Roll_Ref_Cmd       | Ail_Cmd |  |
| 1            | Autopilot mode is OFF                                                 | OFF                            |                                                                |                              | 0                  | Zero    |  |
| 2            | ROLL_HOLD_MODE becomes<br>active mode                                 | hasChangedTo(X,ROLL_HOLD_MODE) |                                                                |                              |                    | All     |  |
| 2.1          | Roll_Ref_TK between [-30, -3] or<br>[+3, +30] degrees                 |                                | [TK_neg_extreme, TK_neg_norm]    [TK_pos_norm, TK_pos_extreme] |                              | Roll_Ref_TK        |         |  |
| <b>▲</b> 2.2 | Roll_Ref_TK greater than -3 and less than +3:                         |                                | (TK_neg_norm, TK_pos_norm)                                     |                              |                    |         |  |
| 2.2.1        | Roll_Angle_Phi greater than<br>neg_norm and less than pos_norm        |                                |                                                                | [phi_neg_norm, phi_pos_norm] | 0                  |         |  |
| 2.2.2        | Roll_Angle_Phi greater than +30                                       |                                |                                                                | > phi_pos_extreme            | TK_pos_extreme     |         |  |
| 2.2.3        | Roll_Angle_Phi less than -30                                          |                                |                                                                | < phi_neg_extreme            | TK_neg_extreme     |         |  |
| 2.2.4<br>D   | Otherwise, Roll_Ref_Cmd default setting                               | Else                           |                                                                |                              | Roll_Angle_Phi     |         |  |
| 3            | HDG_HOLD_MODE becomes<br>active mode                                  | hasChangedTo(X,HDG_HOLD_MODE)  |                                                                |                              | HDG_Ref_TK         | All     |  |
| 4            | Otherwise, Roll_Ref_Cmd shall hold the previous value of Roll_Ref_Cmd | Else                           |                                                                |                              | prev(Roll_Ref_Cmd) | All     |  |

#### Final Specification Model

After connecting the Requirements Table blocks to the inputs, outputs, and each other, the final specification model is:



#### Prepare the Specification Model for Test Generation

Simulink Design Verifier automatically creates test objectives from the requirements defined in Requirements Table blocks. If you need to constrain the values of the test objectives, you can specify them either in the signal source, or by including them in the **Assumptions** table of the block. See "Add Assumptions to Requirements" (Requirements Toolbox). To prepare the specification model for test generation, set the model coverage objectives. In the **Design Verifier** tab, in the **Prepare** section, click **Test Generation Settings**. In the Configuration Parameters window, expand the **Design Verifier** list and click **Test Generation**. Set **Model coverage objectives** to the option that best captures the desired coverage.

## **Iterate Through the Steps**

As you develop the specification model and test your design model, you typically need to update the requirements, specification model, and design model. This process is iterative. Continue iterating until you reach the desired test outcomes, such desired model outputs and test coverage.

## See Also

**Requirements** Table

## **Related Examples**

- "Use a Requirements Table Block to Create Formal Requirements" (Requirements Toolbox)
- "Use Specification Models for Requirements-Based Testing" on page 7-69
- "Export Tests from Models That Contain Requirements Table Blocks with Simulink Design Verifier" on page 13-30

# **Test Generation Examples**

These test generation examples help you understand and use the test generation capabilities.

| Test Generation Capabilities               | Related Examples                                                                     |  |  |
|--------------------------------------------|--------------------------------------------------------------------------------------|--|--|
| Generate tests for model coverage analysis | "Cruise Control Test Generation" on page 7-84                                        |  |  |
|                                            | "Fuel Rate Controller Logic" on page 7-85                                            |  |  |
|                                            | "Flip Flop Test Generation" on page 7-80                                             |  |  |
|                                            | "Model Coverage Test Generation" on page 7-81                                        |  |  |
| Functional Requirements Testing            | "Test Condition Block" on page 7-83                                                  |  |  |
|                                            | "Test Objective Block" on page 7-82                                                  |  |  |
| Generate tests for code coverage analysis  | "Configuring S-Function for Test Case<br>Generation" on page 7-109                   |  |  |
|                                            | "Code Coverage Test Generation" on page 7-111                                        |  |  |
|                                            | "Test Generation on Model with C Caller Block"<br>on page 7-119                      |  |  |
|                                            | "Test Generation for Custom Code in a Stateflow<br>Chart" on page 7-124              |  |  |
| Extend existing test cases                 | "Defining and Extending Existing Tests Cases" or page 7-91                           |  |  |
|                                            | "Extend an Existing Test Suite" on page 7-86                                         |  |  |
|                                            | "Creating and Executing Test Cases" on page 7-<br>100                                |  |  |
|                                            | "Extend Existing Test Cases After Applying<br>Parameter Configurations" on page 5-46 |  |  |
| Achieve missing coverage                   | "Achieve Missing Coverage in Referenced Model"<br>on page 9-3                        |  |  |
|                                            | "Achieve Missing Coverage in Closed-Loop<br>Simulation Model" on page 9-11           |  |  |
|                                            | "Using Existing Coverage Data During Subsystem<br>Analysis" on page 7-97             |  |  |
| Integrate with other products              | "Export Test Cases to Simulink Test" on page 13-<br>27                               |  |  |
|                                            |                                                                                      |  |  |

## **Test Generation for Custom Code in MATLAB Function Block**

Simulink Design Verifier analysis supports models that call custom code from MATLAB function blocks by using coder.ceval. For such design models, you can generate test cases for model coverage or perform design error detection to find dead logic or detect design errors.

The table summarizes various coder.ceval use-cases that Simulink Design Verifier supports:

#### Supported coder.ceval use-cases:

| coder.ceval usage                                                | Custom code sources                                  | Analysis    |
|------------------------------------------------------------------|------------------------------------------------------|-------------|
| Basic calls - with or without arguments                          | Source files mentioned in<br>Simulink target in      | Supported   |
| Layout - rowMajor, columnMajor                                   | Configuration Parameters.                            |             |
| Passing references using<br>coder.ref, coder.wref,<br>coder.rref |                                                      |             |
| Any layout -global                                               | -                                                    | Unsupported |
| -                                                                | Source file mentioned by using coder.updateBuildInfo | Unsupported |

## Generating Tests for Custom code in MATLAB function block

This example demonstrates test generation workflow for model by using coder.ceval.

Consider a model with MATLAB function block calling the custom code by using coder.ceval.

1 Create the required source files as mentioned in coder.ceval.

The C-function checkIfSignalsInRange, represents custom code. The function returns 1 if both the signals are in acceptable range else, the function returns 0. The MATLAB function block checkIfSignalsINRangeWrapper, receives sensor inputs and invokes the C-function.

```
C file:
#include <stdio.h>
#include <stdlib.h>
#include "checkIfSignalsInRange.h"
int checkIfSignalsInRange(double sig1, double sig2) {
    double acceptableMin = 15;
    double acceptableMax = 150;
    if ( ((siq1 > acceptableMin) && (siq1 < acceptableMax)) && ((siq2 > acceptableMin) && (si
        return 1;
    }
    return 0;
Header file:
int checkIfSignalsInRange(double sig1, double sig2);
MATLAB function Block:
function result = checkIfSignalsINRangeWrapper(sig1,sig2)
result = 0;
% Check if both the signals are within acceptable range
result = coder.ceval('checkIfSignalsInRange',sig1,sig2);
```

- 2 Navigate to **Simulation Target** in **Configuration Parameters**. In the **Code information** tab add the required files.
- 3 Set the **Enable custom code analysis** option in the **Import settings** tab.
- 4 Set the model coverage objectives to Decision and invoke test generation analysis in **Configuration Parameters**.

#### Results

The model has three decision objectives, one for MATLAB function block execution and two for custom code. The two decision objectives correspond in making the outcome of if condition once true and once false. The generated test and report is as follows:

#### 4.2. CoderCevalExample

| View<br>#: | Туре     | Description                                                                                                                                                                                                                                 | Status    | Test Case |
|------------|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|-----------|
| 2          | Decision | decision ((sig1 > acceptableMin) && (sig1 < acceptableMax)) && ((sig2 > acceptableMin) && (sig2 < acceptableMax)) T (file checkIfSignalsInRange.c,                                                                                          |           | <u>1</u>  |
| 3          | Decision | function checkIfSignalsInRange, line 9)<br>decision ((sig1 > acceptableMin) && (sig1 < acceptableMax)) && ((sig2 ><br>acceptableMin) && (sig2 < acceptableMax)) F (file checkIfSignalsInRange.c,<br>function checkIfSignalsInRange, line 9) | Satisfied | 1         |

#### Generated Input Data

| Time | 0  | 0.2 |
|------|----|-----|
| Step | 1  | 2   |
| u    | 16 | 0   |
| u1   | 16 | 0   |

From the report it is inferred that in Step 1 both signals are in acceptable range and in Step 2 the signals are out of range.

# **Use Specification Models for Requirements-Based Testing**

This example shows how to use a specification model to model and test formal requirements on a model of an aircraft autopilot controller. The specification model uses two Requirements Table blocks to model the required inputs and outputs of the aircraft autopilot controller model. You generate tests from the specification model, and then run those tests on the aircraft autopilot controller model. The model that you test is the *design model*.

For more information on how to define and configure Requirements Table blocks, see "Use a Requirements Table Block to Create Formal Requirements" (Requirements Toolbox) and "Configure Properties of Formal Requirements" (Requirements Toolbox).

#### View the High-Level Requirements

Open the requirements set, AP Controller Reqs, in the Requirements Editor.

slreq.open("AP\_Controller\_Reqs");

The high-level requirements specify the outputs of the model and the autopilot controller mode. Each requirement description uses high-level language that you can use to explicitly define the logic needed in the formal requirements.

| 📓 Requirements Editor                                                                                                                        | - 🗆 X                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
|----------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| REQUIREMENTS                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| New     Open     Import     Import       File     File     Profile Editor     Add       Requirement Set     File     PROFILE     Requirement |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| $\odot$                                                                                                                                      | Requirement: 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| Index ÎD Summary                                                                                                                             | ▼ Properties                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| V 📓 AP_Controller_Reqs                                                                                                                       | Type: Functional V                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| 📄 1 1 High Level: Autopilot Controlle                                                                                                        | Index: 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| 2 2 High Level: Off Reference                                                                                                                | Custom ID: 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| 3 High Level: Roll Hold Reference                                                                                                            | Summary: High Level: Autopilot Controller Modes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| a 4 High Level: Heading hold mode                                                                                                            | Description Rationale                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| ■ 5 5 High Level: Default Behavior                                                                                                           | Immes New Roman     ∨ 11 ∨ B     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     I     < |
|                                                                                                                                              | <ul> <li>The autopilot controller has the following high level system modes: <ul> <li>OFF: The autopilot controller is off.</li> <li>ROLL_HOLD_MODE: The autopilot controller is in roll hold mode.</li> <li>HDG_HOLD_MODE: The autopilot controller is in heading hold mode.</li> </ul> </li> <li>The autopilot controller mode is determined by the following: <ul> <li>The autopilot controller is OFF when the autopilot engage switch is not engaged.</li> <li>The autopilot controller is ROLL_HOLD_MODE when the autopilot engage switch is engaged and the heading engage switch is not engaged.</li> <li>The autopilot controller is HDG_HOLD_MODE when the autopilot engage switch and the heading engage switch are both engaged.</li> </ul> </li> <li>Keywords: <ul> <li>keywords:</li> <li>Links</li> </ul> </li> </ul>                       |
| < >>                                                                                                                                         | Comments                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|                                                                                                                                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |

#### View the First Iteration of the Specification Model

Open the specification model, spec\_model\_partial.

```
spec_model = "spec_model_partial";
open_system(spec_model);
```

The model contains two Requirements Table blocks that define the formal requirements that translate the high-level requirements into testable logical expressions. The block AP\_Mode\_Determination specifies the formal requirements for the autopilot controller mode, and the block Cmd\_Determination specifies the outputs of the controller.



To view the formal requirements, inspect each Requirements Table block.

#### **Requirements Table Block for Controller Mode**

Open AP\_Mode\_Determination. The block specifies the formal requirements for the autopilot controller mode. To determine the output data Mode, AP\_Mode\_Determination specifies three requirements by using two input data:

- AP\_Engage\_Switch The autopilot engage switch
- HDG\_Engage\_Switch The heading engage switch

Each requirement uses a combination of the inputs to specify a unique output value for Mode.

| la de se |                                                                  | Prece            | Precondition      |                |
|----------|------------------------------------------------------------------|------------------|-------------------|----------------|
| Index    | Summary                                                          | AP_Engage_Switch | HDG_Engage_Switch | Mode           |
| 1        | AP_Engage_Switch and<br>HDG_Engage_Switch both engaged           | true             | true              | HDG_HOLD_MODE  |
| 2        | AP_Engage_Switch is engaged and HDG_Engage_Switch is not engaged | true             | false             | ROLL_HOLD_MODE |
| 3        | AP_Engage_Switch is not engaged                                  | false            |                   | OFF            |

#### **Requirements Table Block for Controller Commands**

Open Cmd\_Determination. Cmd\_Determination specifies the requirements for the aileron command and roll reference command. Cmd\_Determination uses four input data:

- Mode The AP\_Mode\_Determination output, Mode
- Roll Ref TK The setting of the roll reference target knob
- Roll\_Angle\_Phi The actual aircraft roll angle
- HDG\_Ref\_TK The setting of the heading reference target knob

The block uses these input data to determine the controller output data:

- Roll Ref Cmd Roll reference command
- Ail\_Cmd Aileron command

|       |                                                                          |                                | Precondition                                                   |                              | Action             |         |
|-------|--------------------------------------------------------------------------|--------------------------------|----------------------------------------------------------------|------------------------------|--------------------|---------|
| Index | Summary                                                                  | Mode                           | Roll_Ref_TK                                                    | prev(Roll_Angle_Phi)         | Roll_Ref_Cmd       | Ail_Cmd |
| 1     | Autopilot mode is OFF                                                    | OFF                            |                                                                |                              | 0                  | Zero    |
| 2     | ROLL_HOLD_MODE becomes<br>active mode                                    | hasChangedTo(X,ROLL_HOLD_MODE) |                                                                |                              |                    | All     |
| 2.1   | Roll_Ref_TK between [-30, -3] or<br>[+3, +30] degrees                    |                                | [TK_neg_extreme, TK_neg_norm]    [TK_pos_norm, TK_pos_extreme] |                              | Roll_Ref_TK        |         |
| # 2.2 | Roll_Ref_TK greater than -3 and less than +3:                            |                                | (TK_neg_norm, TK_pos_norm)                                     |                              |                    |         |
| 2.2.1 | Roll_Angle_Phi greater than<br>neg_norm and less than pos_norm           |                                |                                                                | [phi_neg_norm, phi_pos_norm] | 0                  |         |
| 2.2.2 | Roll_Angle_Phi greater than +30                                          |                                |                                                                | > phi_pos_extreme            | TK_pos_extreme     |         |
| 2.2.3 | Roll_Angle_Phi less than -30                                             |                                |                                                                | < phi_neg_extreme            | TK_neg_extreme     |         |
| 3     | HDG_HOLD_MODE becomes<br>active mode                                     | hasChangedTo(X,HDG_HOLD_MODE)  |                                                                |                              | HDG_Ref_TK         | All     |
| 4     | Otherwise, Roll_Ref_Cmd shall hold<br>the previous value of Roll_Ref_Cmd | Else                           |                                                                |                              | prev(Roll_Ref_Cmd) | All     |
| 1     |                                                                          |                                |                                                                |                              |                    |         |

In this example, the expressions use constant data to define the ranges of values for Roll\_Ref\_TK and Roll\_Angle\_Phi. You can also parameterize the values or use literal values. See "Define Data in Requirements Table Blocks" (Requirements Toolbox). To view these values, open the **Symbols** pane. In the **Modeling** tab, in the **Design Data** section, click **Symbols Pane**.

In addition to requirements, Cmd\_Determination also defines the assumptions for the design. See "Add Assumptions to Requirements" (Requirements Toolbox). In this example, the assumptions constrain the values for the roll angle and the roll reference target knob based on their physical limitations. The roll angle cannot exceed 180 or fall below - 180 degrees, and the roll reference target knob cannot exceed 30 or fall below - 30. In the table, click the **Assumptions** tab.

| Requireme                          | nts Assumptions                                |                                                 |  |
|------------------------------------|------------------------------------------------|-------------------------------------------------|--|
| Index                              | Summary                                        | Postcondition                                   |  |
| 1 Roll angle geometric limitations |                                                | Roll_Angle_Phi >= -180 && Roll_Angle_Phi <= 180 |  |
| 2                                  | Reference knob minimum<br>and maximum settings | Roll_Ref_TK <= 30 && Roll_Ref_TK >= -30         |  |

You can also specify data range limitations in the **Minimum** and **Maximum** properties of the data or explicitly specify the range from the signal with blocks.

#### **Generate Tests**

Simulink® Design Verifier<sup>™</sup> automatically creates test objectives from the requirements defined in Requirements Table blocks. To generate tests, use the Configuration Parameter window or specify the tests programmatically. See "Model Coverage Objectives for Test Generation" on page 7-30. Select different coverage objectives to determine if you want to minimize the number of tests generated, or if you want to improve test granularity and traceability.

In this example, generate tests with decision coverage and save the output to a MAT-file.

```
opts = sldvoptions;
opts.Mode = "TestGeneration";
opts.ModelCoverageObjectives = "Decision";
[~,files] = sldvrun(spec_model,opts,true);
```

Simulink Design Verifier generates the test objectives and the tests from the requirements, however the requirements satisfy only seven of the test objectives.

| 🔁 Simulink Design Verifier Re                                                                                                                                                                                                                                                                                                                                                            | sults Summary: spec_model_partial | $\times$ |  |  |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|----------|--|--|
| Progress                                                                                                                                                                                                                                                                                                                                                                                 |                                   |          |  |  |
| Objectives processed<br>Satisfied<br>Unsatisfiable                                                                                                                                                                                                                                                                                                                                       | 24/24<br>7<br>0                   |          |  |  |
| Elapsed time                                                                                                                                                                                                                                                                                                                                                                             | 0:26                              |          |  |  |
| Test generation completed normally.<br>7/24 objectives satisfied.<br>17/24 objectives undecided due to runtime error                                                                                                                                                                                                                                                                     |                                   |          |  |  |
| Results:         • Open filter viewer         • Highlight analysis results on model         • View tests in Simulation Data Inspector         • Detailed analysis report: (HTML) (PDF)         • Create harness model         • Save test cases/counterexamples to spreadsheet         • Export test cases to Simulink Test         • Simulate tests and produce a model coverage report |                                   |          |  |  |

To satisfy the test objectives, you must revise the specification model. In general, avoid generating tests from a specification model without confirming that the formal requirements are complete, consistent, and correspond to the high-level requirements. Otherwise, the tests that you generate are less likely to satisfy the test objectives.

```
clear("files")
```

#### Investigate and Update the Specification Model

Investigate the specification model and update the formal requirements. In this example, the requirement set in Cmd\_Determination is missing the formal requirement that corresponds to the third bullet of requirement 3.

| Requirement: 3                                                                                                                                                                                                                                                                                                                          |                                                                                                                                                                     |  |  |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|
| ▼ Properties                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                     |  |  |  |  |
| Type:                                                                                                                                                                                                                                                                                                                                   | Functional $\checkmark$                                                                                                                                             |  |  |  |  |
| Index:                                                                                                                                                                                                                                                                                                                                  | 3                                                                                                                                                                   |  |  |  |  |
| Custom ID:                                                                                                                                                                                                                                                                                                                              | 3                                                                                                                                                                   |  |  |  |  |
| Summary:                                                                                                                                                                                                                                                                                                                                | High Level: Roll Hold Reference                                                                                                                                     |  |  |  |  |
| Descriptio                                                                                                                                                                                                                                                                                                                              | n Rationale                                                                                                                                                         |  |  |  |  |
| Dim 🕹                                                                                                                                                                                                                                                                                                                                   | ees New Roman                                                                                                                                                       |  |  |  |  |
| When roll hold mode becomes the active mode of the autopilot controller, the roll reference command<br>shall be set to the cockpit turn knob command, up to a 30 degree limit, if the turn knob is commanding<br>3 degrees or more in either direction.<br>If the turn knob is commanding between -3 and 3 degrees in either direction: |                                                                                                                                                                     |  |  |  |  |
|                                                                                                                                                                                                                                                                                                                                         | • The roll reference command shall be set to zero if the actual roll angle is less than 6 degrees, in either direction, just before the roll hold mode is received. |  |  |  |  |
| • The roll reference command shall be set to 30 degrees in the same direction as the actual roll angle if the actual roll angle is greater than 30 degrees just before the roll hold mode is received.                                                                                                                                  |                                                                                                                                                                     |  |  |  |  |
| • The roll reference command shall be set to the actual roll angle when the actual roll angle equals other angles.                                                                                                                                                                                                                      |                                                                                                                                                                     |  |  |  |  |
|                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                     |  |  |  |  |

Open Cmd\_Determination in the model spec\_model\_final to view the updated requirement set. The additional requirement has the index 2.2.4.

```
spec_model = "spec_model_final";
load_system(spec_model);
open_system(spec_model + "/Cmd_Determination");
```

| 2.2.3 | Roll_Angle_Phi less than -30            |                               | < phi_neg_extreme | TK_neg_extreme |
|-------|-----------------------------------------|-------------------------------|-------------------|----------------|
| 2.2.4 | Otherwise, Roll_Ref_Cmd default setting | Else                          |                   | Roll_Angle_Phi |
| 3     | HDG_HOLD_MODE becomes<br>active mode    | hasChangedTo(X,HDG_HOLD_MODE) |                   | HDG_Ref_TK     |

Finding issues in your requirement set can be challenging to do manually. You can use Simulink Design Verifier to analyze the requirement set and identify inconsistencies and incompletenesses. For more information, see "Analyze the Block" (Requirements Toolbox).

#### Link High-Level and Formal Requirements

Loading the specification model loads the formal requirements in the **Requirements Editor**. Closing the specification model also closes the associated requirement set. When developing your formal requirements, link formal requirements to the corresponding high-level requirement to track the

requirements in the specification model. In this example, linking the requirements does not affect test generation or test results.

To link the first formal requirement to the corresponding high-level requirement:

- 1 In spec\_model\_final, expand the requirement set named Table1.
- 2 Right-click the formal requirement with the **Index** of 1 and select **Select for Linking with Requirement**.
- 3 Expand the AP\_Controller\_Reqs requirement set.
- 4 Right-click the requirement with an ID of 1 and click Create a link from "1: Autopilot mode is OFF" to "1: High Level: Autopilot Con...".

The link type defaults to Related to. For more information on link types, see "Link Types" (Requirements Toolbox).

#### **Generate Tests from the Updated Model**

Generate the tests from the updated specification model by using the options defined previously.

```
opts = sldvoptions;
opts.Mode = "TestGeneration";
opts.ModelCoverageObjectives = "Decision";
[~,files] = sldvrun(spec model,opts,true);
```

In this version of the specification model, the test objectives are satisfied.

| Simulink Design Verifier Results Summary: spec_model_final X |                                                                                       |         |  |  |  |
|--------------------------------------------------------------|---------------------------------------------------------------------------------------|---------|--|--|--|
|                                                              |                                                                                       |         |  |  |  |
|                                                              | Progress                                                                              |         |  |  |  |
|                                                              | Objectives processed                                                                  | 26/26   |  |  |  |
|                                                              | Satisfied                                                                             | 26      |  |  |  |
|                                                              | Unsatisfiable                                                                         | 0       |  |  |  |
|                                                              | Elapsed time                                                                          | 0:28    |  |  |  |
|                                                              |                                                                                       |         |  |  |  |
|                                                              |                                                                                       |         |  |  |  |
|                                                              | Test generation completed no                                                          | rmally. |  |  |  |
| 26/26 objectives satisfied.                                  |                                                                                       |         |  |  |  |
|                                                              |                                                                                       |         |  |  |  |
| Results:                                                     |                                                                                       |         |  |  |  |
|                                                              | <ul> <li>Open filter viewer</li> </ul>                                                |         |  |  |  |
|                                                              | Highlight analysis results on model                                                   |         |  |  |  |
|                                                              | View tests in Simulation Data Inspector                                               |         |  |  |  |
|                                                              | Detailed analysis report: ( <u>HTML</u> ) ( <u>PDF</u> )                              |         |  |  |  |
|                                                              | <u>Create harness model</u>                                                           |         |  |  |  |
|                                                              | Save test cases/counterexamples to spreadsheet     Export test cases to Simulink Test |         |  |  |  |
|                                                              | Simulate tests and produce a model coverage report                                    |         |  |  |  |
|                                                              | - inflate tests and produce a model coverage report                                   |         |  |  |  |

#### Run the Tests on the Design Model

After you create tests that satisfy the test objectives, you can run the tests on the design model. In this example, the design model is the model for the aircraft autopilot controller, sldvexRollApController.

Before you run tests on the design model, you must interface the specification model with the design model. Typically, the specification model does not produce or use the same signals as the design model. These differences can be simple or abstract. For example, the design model might use different input and output signal types than the specification model, or you may want to compare a scalar output from the design model against a range in the specification model. As a result, you need to construct an interface between the design model and the specification model.

#### Interface the Design Model with the Specification Model

In this example, the specification model spec\_model\_final and design model
sldvexRollApController inputs can interface directly, but one of the outputs is different.
spec\_model\_final represents the aileron command as a range of values, but the aileron command
value produced by sldvexRollApController is a scalar double. The interface uses a MATLAB
Function block to compare the aileron command values. The interface then verifies both outputs with
Assertion blocks. Open the model, spec\_model\_test\_interface, to view the interface.

test\_interface = "spec\_model\_test\_interface"; open\_system(test\_interface);



The MATLAB Function block compares the two signals by using this code:

```
function y = fcn(design_val, spec_val)
switch spec_val
    case Ail_Cmd.All
        y = true;
    case Ail_Cmd.Zero
        y = (design_val == 0);
    otherwise
        y = false;
and
```

#### end

#### Run the Updated Tests on the Design Model

To test and verify the design model, create a harness model that contains the:

- **1** Specification model
- 2 Design model

#### **3** Test interface and verification model

In the harness model, attach the models together. Then run the tests on the design model and verify the outputs correspond to the requirements in the harness model.

To view the harness model, open the model, sldvexDesignHarnessFinal.

```
harness_model = "sldvexDesignHarnessFinal";
open_system(harness_model);
```

Like with the interface model, not all design model inputs may directly correspond to specification model inputs. In this example, the harness model prepares the design model for testing with the five inputs specified by the specification model.



Run the updated tests on the design model from within the harness model. Use the sldvruntest function to run the tests and save the results. If you have Simulink Coverage™, you can view the results of the tests from the output of sldvruntest in a coverage report. View the coverage report by using the cvhtml (Simulink Coverage) function.

```
cvopts = sldvruntestopts;
cvopts.coverageEnabled = true;
[finalData, finalCov] = sldvruntest(...
harness_model,files.DataFile,cvopts);
cvhtml("finalCov",finalCov);
```

The coverage report shows that full coverage is achieved on the design model, sldvexRollApController.

# Summary

# Model Hierarchy/Complexity Test 1 Decision Execution 1. sldvexRollApController 8 100% 100% 2....Roll Reference 5 100% 100% 3.....Latch Phi 1 100% 100%

bdclose("all");
slreq.clear;

## See Also

**Requirements** Table

## **Related Examples**

- "What Is a Specification Model?" on page 7-60
- "Add Assumptions to Requirements" (Requirements Toolbox)
- "Export Tests from Models That Contain Requirements Table Blocks with Simulink Design Verifier" on page 13-30

# **Flip Flop Test Generation**

This example shows how to generate test cases that achieve complete model coverage for a flip-flop. The outcome of each model coverage point in this example model is a test objective. If you configure Simulink Design Verifier to generate the fewest test cases, it will satisfy as many objectives as possible in each test case.

open\_system('sldvdemo\_flipflop');



# **Model Coverage Test Generation**

This example shows how to generate test cases that achieve complete model coverage for a debouncer. The outcome of each model coverage point in this example model is a test objective. If you configure Simulink Design Verifier to generate the fewest test cases, it will satisfy as many objectives as possible in each test case.

open\_system('sldvdemo\_debounce\_modelcov');



# **Test Objective Block**

This example shows the use of two custom Test Objective blocks. The block "True" forces the output signal to be 2. The block "Edge" inside "Masked Objective" specifies that the output signal transition from 2 to 1.

open\_system('sldvdemo\_debounce\_testobjblks');



# **Test Condition Block**

This example shows how to constrain input values. The Test Condition block forces the input value to be either 0 or 1.

open\_system('sldvdemo\_debounce\_testconblk');



# **Cruise Control Test Generation**

This example shows how to generate test cases that achieve complete model coverage. By default, Simulink® Design Verifier<sup>™</sup> generates test cases that satisfy objectives in the fewest steps. One of the test objectives forces the discrete integrator in the PI controller to exceed its upper limit. When you run Simulink Design Verifier without constraints, the limit is exceeded in a single step by forcing speed to be 500. The constraint on speed limits the values in test cases between 0 and 100. This forces the test cases to take several samples to exceed the integrator limit.

open\_system('sldvdemo\_cruise\_control');



# **Fuel Rate Controller Logic**

This example shows how to generate test cases that satisfy Decision, Condition, and MCDC coverage. Simulink® Design Verifier<sup>™</sup> automatically generates test data and proves properties of models. It produces sequences of input values that satisfy a testing criteria or demonstrate a counterexample of a proof. The configuration options associated with the model specify the objectives of the analysis. When you analyze the model, Simulink Design Verifier uses exhaustive searching techniques to generate input data. When successful, it generates test data and creates a new harness model containing a Signal Builder block with the data values that satisfy the analysis objectives. NOTE: The complexity of this model might prevent test generation from completing in the allotted time. You can stop test generation and generate partial results, or you can extend the time limit by editing the Simulink Design Verifier options.

open\_system('sldvdemo\_fuelsys\_logic');



# **Extend an Existing Test Suite**

This example shows how to use Simulink Design Verifier<sup>m</sup> to extend an existing test suite to obtain missing model coverage.

You analyze an example model and generate test suite to achieve full coverage. Then, modify the model such that test cases no longer achieve full coverage. Finally, you analyze the modified model to obtain missing coverage by using Simulink® Design Verifier<sup>™</sup>.

#### Generate an Initial Test Suite

Analyze the sldvdemo\_cruise\_control model and generate a test suite that achieves full model coverage. To analyze the model to generate test cases that provide model coverage, use the sldvrun function. Set the design verification parameters with sldvoptions.

```
open_system 'sldvdemo_cruise_control';
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.ModelCoverageObjectives = 'MCDC';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
[ status, files ] = sldvrun('sldvdemo_cruise_control', opts, true);
```



The test generation analysis result appears in the Simulink Design Verifier Results Summary window.

close\_system('sldvdemo\_cruise\_control',0);

#### **Verify Complete Coverage**

The sldvruntest function simulates the model with the existing test suite. The cvhtml function produces a coverage report that indicates the initial coverage of the sldvdemo\_cruise\_control model.

```
open_system 'sldvdemo_cruise_control';
[ outData, initialCov ] = sldvruntest('sldvdemo_cruise_control', files.DataFile, [], true);
cvhtml('Initial coverage',initialCov);
close_system('sldvdemo_cruise_control',0);
```

# Summary

#### Model Hierarchy/Complexity Test 1

|                            | Decision | Condition | MCDC | Execution |
|----------------------------|----------|-----------|------|-----------|
| 1. sldvdemo_cruise_control | 8 100%   | 100%      | 100% | 100%      |
| 2 <u>Controller</u>        | 7 100%   | 100%      | 100% | 100%      |
| 3 PI Controller            | 4 100%   | NA        | NA   | 100%      |

#### **Modify the Model**

Load the modified sldvdemo\_cruise\_control\_mod model. The controller target speed value is limited to 70, by using a Saturation block.

load\_system 'sldvdemo\_cruise\_control\_mod'; load\_system 'sldvdemo\_cruise\_control\_mod/Controller';



#### Measure the Coverage Achieved by the Existing Test Suite

The sldvruntest function simulates the modified sldvdemo\_cruise\_control\_mod model with an existing test suite and inputs identical to sldvdemo\_cruise\_control model. The cvhtml function produces a coverage report that indicates the modified sldvdemo\_cruise\_control\_mod model no longer achieves full coverage.

[ outData, startCov ] = sldvruntest('sldvdemo\_cruise\_control\_mod', files.DataFile, [], true); cvhtml('Coverage with the original testsuite',startCov);

## Summary

| Model Hierarchy/Complexity        | Test 1   |           |      |           |  |  |
|-----------------------------------|----------|-----------|------|-----------|--|--|
|                                   | Decision | Condition | MCDC | Execution |  |  |
| 1. sldvdemo_cruise_control_mod_10 | 88%      | 100%      | 100% | 100%      |  |  |
| 2 <u>Controller</u> 9             | 88%      | 100%      | 100% | 100%      |  |  |
| 3 <u>PI Controller</u> 4          | 67%      | NA        | NA   | 100%      |  |  |

#### **Extend an Existing Test Suite**

To achieve full model coverage, the sldvgencov function analyzes the model and extends the existing test suite.

[ status, covData, files ] = sldvgencov('sldvdemo\_cruise\_control\_mod', opts, true, startCov);

#### Verify Complete Coverage

Verify that the new test suite achieves full coverage for the sldvdemo\_cruise\_control\_mod modified model. The sldvruntest function simulates the modified model with the extended test suite. The cvhtml report shows the total coverage achieved by the sldvdemo\_cruise\_control\_mod model.

[ additionalOut, additionalCov ] = sldvruntest('sldvdemo\_cruise\_control\_mod', files.DataFile, []
totalCov = startCov + additionalCov;
cvhtml('With additional coverage',totalCov);

## Summary

| Model Hierarchy/Complexity       | Test 1    |           |      |           |  |  |
|----------------------------------|-----------|-----------|------|-----------|--|--|
|                                  | Decision  | Condition | MCDC | Execution |  |  |
| 1. sldvdemo_cruise_control_mod 1 | 10 100% 💻 | 100%      | 100% | 100%      |  |  |
| 2 <u>Controller</u>              | 9 100% 💻  | 100%      | 100% | 100%      |  |  |
| 3 <u>PI Controller</u>           | 4 100% 🗖  | NA        | NA   | 100%      |  |  |

To complete the example, close the model.

close\_system('sldvdemo\_cruise\_control\_mod');

# **Defining and Extending Existing Tests Cases**

This example shows how Simulink® Design Verifier<sup>™</sup> can extend test cases with additional time steps to efficiently generate complete test suites.

The example starts with a model containing time-delay characteristics that make test generation challenging. By creating a default test harness model and manually authoring one test, the critical obstacle to efficient test generation is removed. Simulink Design Verifier takes as input the logged values from the harness model and efficiently extends this test to create a complete test suite.

#### Model Characteristics That Motivate Test Case Extension

The sldvdemo\_sbr\_extend\_design model includes the Stateflow® Chart SBR that uses temporal logic so that very long test cases are required to make a transition from the KEY\_OFF state to the KEY\_ON state. This type of time-delay characteristic is common in designs where a delay is used to reject spurious behavior or to wait for a physical system or user to respond. In this design, satisfying the temporal logic in this transition is a common obstacle to testing any of the states and transitions within the KEY\_ON state.

Fortunately, this type of time-delay characteristic is usually easy to identify and satisfy with a manually authored test case.

open\_system('sldvdemo\_sbr\_extend\_design'); sf('0pen',sldvdemo\_ssid\_to\_sfid('sldvdemo\_sbr\_extend\_design/SBR',11));



#### **Creating a Harness Model and Defining Starting Tests**

The Simulink Design Verifier function sldvmakeharness creates a harness model with a block that generates input values to the test model included by way of a Model block.

You can modify the test data in a harness model by manually editing the data values using the Signal Builder user interface. You can also add more test cases by creating new signal groups in the block. Alternatively, you can use the signalbuilder command to programmatically accomplish the same thing.

In this example, you specify a test case that keeps the system in the KEY\_OFF state for 5 seconds:

```
[~, harnessModelFilePath] = sldvmakeharness('sldvdemo_sbr_extend_design',[],[],true);
[~, harnessModel] = fileparts(harnessModelFilePath);
startingTestTime = 0:0.5:5;
startingTestData = cell(3, 1);
lengthStartingTest = length(startingTestTime);
startingTestData{1} = zeros(1,lengthStartingTest);
startingTestData{2} = zeros(1,lengthStartingTest);
startingTestData{3} = ones(1,lengthStartingTest);
signalBuilderBlock = sldvdemo_signalbuilder_block(harnessModel);
signalBuilderBlock = startingTestData,...
```

{'Inputs.Speed','Inputs.SeatBeltFasten','Inputs.KEY'},'Starting Test Case');

signalbuilder(signalBuilderBlock, 'ActiveGroup', 2);
open\_system(signalBuilderBlock);





#### Logging Starting Tests

In order to leverage the starting test case defined above, you use the sldvlogsignals function to capture the input values in the necessary logged data format.

The first input to sldvlogsignals is the path to a Model block, and the second input is the index of signal group(s) within the harness model. When you invoke sldvlogsignals, the parent model that contains the Model block is simulated.

The parent model is not restricted to Simulink Design Verifier harness models. Alternatively, you might log data from a closed-loop simulation model that uses a Model block to include the controller so that controller test cases more realistically reflect the continuous time behavior expected in the closed-loop system.



[~, modelBlock] = find\_mdlrefs(harnessModel, false); loggeddata = sldvlogsignals(modelBlock{1},2);

### **Extending Existing Tests During Test Generation**

Before you can use existing test data during test generation, the data must be saved to a MAT-file. You enable test case extension in the Test Generation pane of the Simulink Design Verifier configuration parameters. Select **Extend existing test cases**, and specify the MAT file in the **Data file** field.

Generated tests either extend one of the starting test cases with one or more new time steps or will specify one or more time steps starting from the initial, or default, configuration.

```
save('existingtestcase.mat', 'loggeddata');
```

```
opts = sldvoptions;
opts.ExtendExistingTests = 'on';
opts.ExistingTestFile = 'existingtestcase.mat';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
```

```
[~, fileNames] = sldvrun('sldvdemo_sbr_extend_design', opts, true);
```

#### Verifying Complete Coverage

The sldvruntest function verifies that the new test suite achieves complete model coverage. The cvhtml function produces a coverage report that indicates 100% Decision coverage is achieved with the generated test vectors.

```
[~, finalCov] = sldvruntest('sldvdemo_sbr_extend_design', fileNames.DataFile, [], true);
cvhtml('Final Coverage', finalCov);
```

### Summary

| Model Hierarchy/Complexity           |          | Test 1 |   |
|--------------------------------------|----------|--------|---|
|                                      | Decision |        |   |
| 1. <u>sldvdemo_sbr_extend_design</u> | 21       | 100%   |   |
| 2 <u>SBR</u>                         | 20       | 100%   |   |
| 3 <u>SF: SBR</u>                     | 19       | 100%   | _ |
| 4 <u>SF: KEY_ON</u>                  | 13       | 100%   | _ |
| 5 <u>SF: SB_UNFASTEN</u>             | 8        | 100%   |   |
| 6SF: HIGH_SPEED                      | 4        | 100%   |   |

#### **Clean Up**

To complete the demo, close all models and remove the saved logged data file.

```
close_system(harnessModel,0);
close_system('sldvdemo_sbr_extend_design');
delete('existingtestcase.mat');
```

### Using Existing Coverage Data During Subsystem Analysis

This example shows how Simulink® Design Verifier<sup>m</sup> can target its analysis to a single subsystem within a continuous-time closed-loop simulation and generate test cases for missing coverage in that subsystem.

The example starts by measuring the coverage of a subsystem in a closed-loop simulation model. Simulink Design Verifier finds new test cases that achieve the missing coverage of the subsystem.

#### Measure Coverage of the Subsystem

The sldvdemo\_autotrans model is a closed-loop simulation model. The subsystem ShiftLogic is a Stateflow® chart and represents the controller part of this model. Test cases designed in the Signal Editor block ManeuversGUI drive the closed-loop simulation. You can use the cvtest and cvsim functions to measure the model coverage achieved for this subsystem inside the closed-loop simulation model. In this example, specifying the input to cvtest as a path to the subsystem rather than to the model name results in measuring the coverage for the subsystem only. Also, the second input to cvsim specifies the time interval to simulate the model and it is derived from the time range of the current pane in the block ManeuversGUI.

The cvhtml function produces a report that indicates that 87% Decision, 67% Condition, and 33% MCDC coverage is achieved by simulating the test case authored in the block ManeuversGUI.

```
open_system('sldvdemo_autotrans');
open_system('sldvdemo_autotrans/ManeuversGUI');
test = cvtest('sldvdemo_autotrans/ShiftLogic');
test.settings.decision = 1;
test.settings.condition = 1;
test.settings.mcdc = 1;
signalEditorBlock = sldvdemo_signaleditor_block('sldvdemo_autotrans');
signalEditorTime = sldvdemo_signaleditor_DataTime(signalEditorBlock);
simulationStopTime = signalEditorTime{1,1}(end);
existingCovData = cvsim(test,[0 simulationStopTime]);
cvhtml('Existing Coverage', existingCovData);
```



Simulink Design Verifer

Copyright 1990-2019 The MathWorks, Inc.

### Find Test Cases for Missing Coverage

To use existing coverage data during test generation, save existing coverage data to a .cvt coverage data file. You can use existing coverage data by specifying the coverage data path in the **Coverage data file** parameter and setting **Ignore objectives satisfied in existing coverage data** parameter to on in the **Test Generation** pane of Simulink Design Verifier configuration parameters.

In this example, the first input to sldvrun specifies the subsystem to analyze. Instructing Simulink Design Verifier to analyze a subsystem is beneficial when the controller part of a model needs to be tested separately or when you want to divide the analysis of a large model into smaller, manageable parts.

As you can see in the report, Simulink Design Verifier only finds test cases for the coverage objectives that are not covered in the existing coverage file. Notice that 4 coverage objectives in the subsystem ShiftLogic are proven to be unsatisfiable. This is expected because the logic inside the Stateflow chart ShiftLogic uses temporal events and since this chart updates at every sample time, usage of temporal conditions should be satisfactory. Also note that, dead code within a subsystem will always be a dead code in the model containing that subsystem.

To generate the harness model, Simulink Design Verifier extracts the contents of the subsystem ShiftLogic into a Test Unit component fed by a Signal Editor block containing the generated test cases.

```
cvsave('existingcov',existingCovData);
```

```
opts = sldvoptions;
opts.IgnoreCovSatisfied = 'on';
opts.CoverageDataFile = 'existingcov.cvt';
opts.ModelCoverageObjectives = 'MCDC';
opts.SaveHarnessModel = 'on';
opts.SaveReport = 'on';
```

```
[status, fileNames] = sldvrun('sldvdemo_autotrans/ShiftLogic',opts,true);
[~, harnessModel] = fileparts(fileNames.HarnessModel);
open_system(harnessModel);
```



#### **Clean Up**

To complete the demo, close all models and remove the saved coverage data file.

```
close_system('sldvdemo_autotrans');
close_system(fileNames.ExtractedModel,0);
close_system(fileNames.HarnessModel,0);
delete('existingcov.cvt');
```

# **Creating and Executing Test Cases**

This example shows how to use Simulink® Design Verifier<sup>™</sup> functions to log input signals, create a harness model, generate test cases for missing coverage, merge harness models, and execute test cases.

The example starts by logging input signals to the component that implements the controller in its parent model and creating harness model for the controller from that logged data. You use Simulink Design Verifier to find a new test case that achieves the missing coverage. Then you merge the first harness model with the harness model generated after the Simulink Design Verifier analysis. Finally, you capture all test cases and execute the controller with those test cases in simulation mode and Software-In-the-Loop (SIL) mode, and compare the results using CGV API.

#### **Check Product Availability**

This example requires a valid Stateflow® license. To demonstrate test execution in Software-In-the-Loop (SIL) mode it also requires valid Simulink® Coder<sup>m</sup> and Embedded Coder<sup>m</sup> licenses.

```
if ~license('test','Stateflow')
    return;
end
```

```
canUseSIL = license('test','Real-Time_Workshop') && ...
license('test','RTW_Embedded_Coder');
```

#### Logging Input Signals to the Component and Creating the Harness Model

The slvnvdemo\_powerwindow model contains a power window controller and a low-order plant model. The component slvnvdemo\_powerwindow/power\_window\_control\_system/control is a Model block that references the model slvnvdemo\_powerwindow\_controller, which implements the controller with a Stateflow® chart.

To create a harness model for the controller with the signals that simulate the controller in the plant model, first log the input signals and then invoke harness generation with that logged data.

```
open system('slvnvdemo powerwindow');
load_system('slvnvdemo_powerwindow_controller');
loggedSignalsPlant = ...
   sldvlogsignals('slvnvdemo powerwindow/power window control system/control');
harnessModelFilePath = ...
   sldvmakeharness('slvnvdemo powerwindow controller',loggedSignalsPlant);
[~,harnessModel] = fileparts(harnessModelFilePath);
### Starting serial model reference simulation build.
### Successfully updated the model reference simulation target for: slvnvdemo_powerwindow_contro
Build Summary
Simulation targets built:
Model
                             Action
                                                       Rebuild Reason
slvnvdemo powerwindow controller Code generated and compiled. slvnvdemo powerwindow controller
```

1 of 1 models built (0 models already up to date)
Build duration: 0h 0m 20.931s
### Starting serial model reference simulation build.
### Model reference simulation target for slvnvdemo\_powerwindow\_controller is up to date.

Build Summary

0 of 1 models built (1 models already up to date) Build duration: 0h 0m 0.55583s ### Starting serial model reference simulation build. ### Successfully updated the model reference simulation target for: slvnvdemo powerwindow contro

Build Summary

Simulation targets built:

 Model
 Action
 Rebuild Reason

 slvnvdemo powerwindow controller
 Code generated and compiled.

1 of 1 models built (0 models already up to date) Build duration: 0h 0m 13.322s





Simulink Coverage Power Window Controller Hybrid System Model



#### Measuring the Coverage with Logged Signals

Use the cvtest and cvsim functions to measure the model coverage achieved for the controller model slvnvdemo\_powerwindow\_controller with the logged signals that are captured in the harness model.

The cvhtml function produces a report that indicates that 40% Decision, 35% Condition, and 10% MCDC coverage is achieved by simulating the test cases captured from the closed-loop model.

```
test = cvtest(harnessModel);
test.modelRefSettings.enable = 'On';
test.modelRefSettings.excludeTopModel = 1;
```

covDataFromLoggedSignals = cvsim(test); cvhtml('Coverage with Logged Test Cases',covDataFromLoggedSignals);

#### Finding Test Cases for Missing Coverage

Before you can use existing coverage data during test generation, the data must be saved to a coverage data file(.cvt). You can use the existing coverage data by specifying the coverage data path in the **Coverage data file** parameter and setting the **Ignore objectives satisfied in existing coverage data** parameter to on in the **Test Generation** pane of Simulink Design Verifier configuration parameters.

As you can see in the report, Simulink Design Verifier restricts test generation to the coverage objectives that are not covered in the existing coverage file. Notice that 8 coverage objectives in the Stateflow chart control are proven to be unsatisfiable. This indicates unnecessary redundant logic that cannot be tested.

```
cvsave('existingCovFromLoggedSignals', covDataFromLoggedSignals);
```

```
opts = sldvoptions;
opts.IgnoreCovSatisfied = 'on';
opts.CoverageDataFile = 'existingCovFromLoggedSignals.cvt';
opts.ModelCoverageObjectives = 'MCDC';
opts.TestSuiteOptimization = 'LongTestcases';
opts.SaveHarnessModel = 'on';
opts.ModelReferenceHarness = 'on';
opts.MaxProcessTime = 500;
[status, fileNames] = sldvrun('slvnvdemo_powerwindow_controller',opts,true);
[~, newHarnessModel] = fileparts(fileNames.HarnessModel);
open system(newHarnessModel);
```



#### **Merging Test Cases from Harness Models**

Now use sldvmergeharness to combine generated test cases with logged test case. The command takes a list of harness models as arguments.

sldvmergeharness(harnessModel, newHarnessModel);

#### Logging Test Cases of the Harness Model

In order to programmatically execute the model slvnvdemo\_powerwindow\_controller with the test cases captured in the merged harness model, first use the sldvlogsignals function to obtain the input values of all test cases in the necessary data format.

```
loggedSignalsMergedHarness = sldvlogsignals(harnessModel);
disp(loggedSignalsMergedHarness);
```

```
LoggedTestUnitInfo: [1x1 struct]
TestCases: [1x2 struct]
```

#### Execute the Model in Simulation Mode with CGV API

Use the sldvruncgvtest function to execute the model slvnvdemo\_powerwindow\_controller in simulation mode, with test cases captured from the harness model.

```
Starting execution:
   ComponentType: topmodel
   Connectivity: sim
   InputData:
   C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27ale6fc\sldv-ex67947267\cgv_runtest\slvnvdemo_powe
End CGV execution: status completed.
Starting execution:
   ComponentType: topmodel
   Connectivity: sim
   InputData:
   C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27ale6fc\sldv-ex67947267\cgv_runtest\slvnvdemo_powe
End CGV execution: status completed.
```

#### Execute the Model in Software-In-the-Loop (SIL) Mode with CGV API

Now use the sldvruncgvtest function to execute the model slvnvdemo\_powerwindow\_controller in SIL mode, with the same test cases.

```
if canUseSIL
    runopts.cgvConn = 'sil';
else
    % When SIL is not possible, the example runs another simulation.
    runopts.cgvConn = 'sim';
end
cgvSil = sldvruncgvtest('slvnvdemo powerwindow controller',...
    loggedSignalsMergedHarness,runopts);
Starting execution:
 ComponentType: topmodel
 Connectivity: sil
 InputData:
 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex67947267\cgv runtest\slvnvdemo powe
### Starting build procedure for: slvnvdemo_powerwindow_controller
### Successful completion of build procedure for: slvnvdemo_powerwindow_controller
Build Summary
Top model targets built:
Model
                               Action
                                                            Rebuild Reason
slvnvdemo powerwindow controller Code generated and compiled. Code generation information file
1 of 1 models built (0 models already up to date)
Build duration: Oh Om 10.463s
### Preparing to start SIL simulation ...
Building with 'Microsoft Visual C++ 2019 (C)'.
MEX completed successfully.
### Starting SIL simulation for component: slvnvdemo_powerwindow_controller
### Application stopped
### Stopping SIL simulation for component: slvnvdemo powerwindow controller
End CGV execution: status completed.
Starting execution:
 ComponentType: topmodel
 Connectivity: sil
 InputData:
 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex67947267\cgv_runtest\slvnvdemo_powe
```

### Starting build procedure for: slvnvdemo powerwindow controller ### Successful completion of build procedure for: slvnvdemo powerwindow controller Build Summary Top model targets built: Model Action Rebuild Reason \_\_\_\_\_ slvnvdemo powerwindow controller Code generated and compiled. Generated code was out of date. 1 of 1 models built (0 models already up to date) Build duration: Oh Om 10.192s ### Preparing to start SIL simulation ... Building with 'Microsoft Visual C++ 2019 (C)'. MEX completed successfully. ### Starting SIL simulation for component: slvnvdemo powerwindow controller *###* Application stopped ### Stopping SIL simulation for component: slvnvdemo powerwindow controller End CGV execution: status completed.

#### **Compare Results of Simulation and SIL Modes**

The sldvruncgvtest returns a cgv.CGV object after running tests. Use the CGV API to compare the results of executions in simulation and SIL modes for each test case designed in the harness model and show that they are equal.

```
for i=1:length(loggedSignalsMergedHarness.TestCases)
  simout = cgvSim.getOutputData(i);
  silout = cgvSil.getOutputData(i);
  [matchNames, ~, mismatchNames, ~ ] = ...
    cgv.CGV.compare(simout, silout);
  fprintf('\nTest Case(%d): %d Signals match, %d Signals mismatch', ...
    i, length(matchNames), length(mismatchNames));
end
Test Case(1): 4 Signals match, 0 Signals mismatch
```

Test Case(2): 4 Signals match, 0 Signals mismatch

#### **Clean Up**

To complete the example, close all models.

```
close_system(harnessModel,0);
close_system(newHarnessModel,0);
close_system('slvnvdemo_powerwindow',0);
close_system('slvnvdemo_powerwindow_controller',0);
```

# Using Specified Input Minimum and Maximum Values as Constraints

This example shows how to use input port minimum and maximum values as analysis constraints by Simulink® Design Verifier<sup>™</sup> during both test generation and property proving.

This model is preconfigured to generate tests for MCDC. The specified minimum and maximum values are displayed in square brackets. The constraints in this example prevent some of the coverage objectives from being satisfied. When you generate tests without considering these constraints, all of the coverage objectives are satisfied.

1. The Input1 and Input2 minimum and maximum values are captured directly on their respective inport signal attributes.

2. The minimum and maximum values are specified on the Simulink.Signal objects associated with signals a and b. Simulink Design Verifier uses the signal object's values as constraints. When multiple minimum and maximum values are specified, e.g., on the inport and on the signal object, Simulink Design Verifier considers their tightest range.

3. Simulink Design Verifier considers the minimum and maximum limit ranges specified on Stateflow® data that is directly connected to the root-level input ports

4. For subsystem analysis, the subsystem root-level specified input minimum and maximum values are considered. Observe that generating tests for the Subsystem uses the constraints specified on SSIn, but ignores them for the system-level analysis.

open\_system('sldvdemo\_minmaxconstraints');

?

#### Simulink Design Verifier Using Specified Input Minimum and Maximum Values as Constraints



1. The Input1 and Input2 minimum and maximum values are captured directly on their respective inport signal attributes.

2. The minimum and maximum values are specified on the Simulink.Signal objects associated with signals a and b. Simulink Design Verifier uses the signal object's values as constraints. When multiple minimum and maximum values are specified, e.g., on the inport and on the signal object, Simulink Design Verifier considers their tightest range.

3. Simulink Design Verifier considers the minimum and maximum limit ranges specified on Stateflow data that is directly connected to the root-level input ports.

4. For subsystem analysis, the subsystem root-level specified input minimum and maximum values are considered. Observe that generating tests for the Subsystem uses the constraints specified on SSIn, but ignores them for the system-level analysis.

Copyright 2010-2019 The MathWorks, Inc.

### **Configuring S-Function for Test Case Generation**

This example shows how to compile an S-Function to be compatible with Simulink® Design Verifier<sup>™</sup> for test case generation. Simulink Design Verifier supports S-Functions that are:

- Generated with the Legacy Code Tool, with def.Options.supportCoverageAndDesignVerifier set to true,
- Generated with the SFunctionBuilder, with **Enable support for Design Verifier** selected on the **Build Info** tab of the SFunctionBuilder dialog box, or
- Compiled with the function slcovmex, with the option -sldv passed.

#### Compile S-Function to be Compatible with Simulink Design Verifier

The handwritten S-Function is found in the file sldvexSFunctionHandlingSFcn.c, and the user source code for the lookup table is found in the file sldvexSFunctionHandlingSource.c. Call the function slcovmex to compile the C-MEX S-Function and make it compatible with Simulink Design Verifier.

#### **Create Test Suite**

The example model sldvexSFunctionHandlingExample example contains the handwritten S-Function, which implements a lookup table algorithm. The S-Function block returns the interpolated value at the first output port and returns the status of the interpolation at the second output port. The second output port returns the value -1 if a lower saturation occurs, 1 if a upper saturation occurs, and 0 otherwise. Open the sldvexSFunctionHandlingExample model and configure the analysis options by turning on S-Function support for test generation. On running the analysis, Simulink Design Verifier returns a test suite that satisfies all coverage objectives.

open\_system('sldvexSFunctionHandlingExample');



```
opts.Mode = 'lestGeneration';
opts.ModelCoverageObjectives = 'ConditionDecision';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
opts.SFcnSupport = 'on';
```

```
[status, fileNames] = sldvrun('sldvexSFunctionHandlingExample', opts, true);
```

### Verifying Complete Coverage

The sldvruntest function verifies that the test suite achieves complete model coverage. The cvhtml function produces a coverage report that indicates 100% Condition and Decision coverage is achieved with the generated test vectors.

```
[~, finalCov] = sldvruntest('sldvexSFunctionHandlingExample', fileNames.DataFile, [], true);
cvhtml('Final Coverage', finalCov);
```

#### **Clean Up**

To complete the demo, close all models.

```
close_system('sldvexSFunctionHandlingExample', 0);
```

### **Code Coverage Test Generation**

This example shows how to use Simulink  $\mbox{B}$  Design Verifier<sup>m</sup> to generate test cases to obtain complete code coverage.

You first collect code coverage for an example model configured for software-in-the-loop (SIL) simulation mode. Then you use Simulink® Design Verifier<sup>™</sup> to create a test suite that generates tests cases. Finally, you execute the generated test cases in SIL simulation mode to verify the complete coverage.

#### **Check Product Availability**

Make sure that you have Simulink® Coder<sup>m</sup> and Embedded Coder<sup>m</sup> software installed on your machine.

```
if ~(license('test', 'Real-Time_Workshop') && ...
    license('test', 'RTW_Embedded_Coder'))
    return
end
```

#### **Initial Setup**

Make sure that an unedited version of the model is open.

```
model = 'sldvdemo_cruise_control';
close_system(model, 0)
open system(model)
```



Copyright 2006-2023 The MathWorks, Inc.

#### Configure the Model for SIL based test generation

1. In the **Configuration Parameters** window, click **Code Generation** and set **System Target File** to ert.tlc. Alternatively, enter:

set\_param(model,'SystemTargetFile','ert.tlc');

2. Click **Hardware Implementation**, then set **Device vendor** and **Device type** to the vendor and type of your SIL system. For example, for a 64-bit Linux machine, set **Device vendor** to Intel and **Device type** to x-86-64(Windows). Alternatively, enter:

```
if ismac
    lProdHWDeviceType = 'Intel->x86-64 (Mac OS X)';
elseif isunix
    lProdHWDeviceType = 'Intel->x86-64 (Linux 64)';
else
    lProdHWDeviceType = 'Intel->x86-64 (Windows64)';
end
set_param(model, 'ProdHWDeviceType', lProdHWDeviceType);
```

#### Find Test Cases for Coverage Computation

Analyze the sldvdemo\_cruise\_control model by using Simulink® Design Verifier<sup>™</sup> to generate a test suite that achieves increased code coverage. Set the Simulink® Design Verifier<sup>™</sup> options to generate test cases to achieve MCDC coverage for the top model.

```
opts = sldvoptions;
opts.TestgenTarget = 'GenCodeTopModel';
opts.Mode = 'TestGeneration';
[~, files] = sldvrun(model, opts, true);
### Starting build procedure for: sldvdemo cruise control
### Loading TLC function libraries
. . . . . . .
### Initial pass through model to cache user defined code
### Caching model source code
### Writing header file sldvdemo cruise control types.h
### Writing header file sldvdemo cruise control.h
### Writing header file rtwtypes.h
### Writing source file sldvdemo_cruise_control.c
### Writing header file sldvdemo_cruise_control_private.h
### Writing source file ert_main.c
### TLC code generation complete (took 3.551s).
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502
Microsoft (R) Program Maintenance Utility Version 14.29.30137.0
Copyright (C) Microsoft Corporation. All rights reserved.
    cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER
sldvdemo cruise control.c
### Successfully generated all binary outputs.
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502
### Successful completion of build procedure for: sldvdemo cruise control
### Preparing to start SIL simulation ...
Building with 'Microsoft Visual C++ 2019 (C)'.
MEX completed successfully.
### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows)
### Creating 'C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502968\IntelWin64\sld
### Building 'sldvdemo_cruise_control_ca': nmake -f sldvdemo_cruise_control_ca.mk all
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex15502
```

Microsoft (R) Program Maintenance Utility Version 14.29.30137.0 Copyright (C) Microsoft Corporation. All rights reserved. cl -c -nologo -GS -W4 -DWIN32 -D\_MT -MT -D\_CRT\_SECURE\_NO\_WARNINGS /Od /Oy- -DINTEGER\_CODE= coder\_assumptions\_hwimpl.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DINTEGER CODE= coder assumptions flt.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DINTEGER CODE= sldvdemo\_cruise\_control\_ca.c ### Creating static library ".\sldvdemo\_cruise\_control\_ca.lib" ... lib /nologo -out:.\sldvdemo\_cruise\_control\_ca.lib @sldvdemo\_cruise\_control\_ca.rsp ### Created: .\sldvdemo\_cruise\_control\_ca.lib ### Successfully generated all binary outputs. mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27ale6fc\sldv-ex15502 ### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows) ### Creating 'C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502968\IntelWin64\sldv ### Building 'sldvdemo\_cruise\_control': nmake -f sldvdemo\_cruise\_control.mk all mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502 Microsoft (R) Program Maintenance Utility Version 14.29.30137.0 Copyright (C) Microsoft Corporation. All rights reserved. cl -c -nologo -GS -W4 -DWIN32 -D\_MT -MT -D\_CRT\_SECURE\_NO\_WARNINGS /Od /Oy- -DCLASSIC\_INTER xil\_interface\_lib.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER xil data stream.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER xil services.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER xil interface.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER xilcomms\_rtiostream.c /Od /Oy- -DCLASSIC INTER cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS xil rtiostream.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER rtiostream utils.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER coder assumptions app.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE\_NO WARNINGS /Od /Oy- -DCLASSIC\_INTER coder assumptions data stream.c /Od /Oy- -DCLASSIC INTER cl -c -nologo -GS -W4 -DWIN32 -D\_MT -MT -D\_CRT\_SECURE\_NO\_WARNINGS coder\_assumptions\_rtiostream.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER sil main.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER target\_io.c cl -c -nologo -GS -W4 -DWIN32 -D\_MT -MT -D\_CRT\_SECURE\_NO\_WARNINGS /Od /Oy- -DCLASSIC INTER rtiostream\_tcpip.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D\_CRT\_SECURE\_NO\_WARNINGS /Od /Oy- -DCLASSIC\_INTER

xil instrumentation.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER codeinstr data stream.c cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER codeinstr rtiostream.c ### Creating standalone executable ".\sldvdemo\_cruise\_control.exe" ... link /RELEASE /INCREMENTAL:NO /NOLOGO kernel32.lib ws2 32.lib mswsock.lib advapi32.lib -out ### Created: .\sldvdemo\_cruise\_control.exe ### Successfully generated all binary outputs. mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502 ### Starting SIL simulation for component: sldvdemo\_cruise\_control ### Stopping SIL simulation for component: sldvdemo\_cruise\_control ### Starting build procedure for: sldvdemo\_cruise\_control ### Generating code and artifacts to 'Target environment subfolder' folder structure ### Generating code into build folder: C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-### Generated code for 'sldvdemo cruise control' is up to date because no structural, parameter of ### Saving binary information cache. ### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows) ### 'C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502968\IntelWin64\sldvdemo cru ### Building 'sldvdemo\_cruise\_control': nmake -f sldvdemo\_cruise\_control.mk buildobj mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502 Microsoft (R) Program Maintenance Utility Version 14.29.30137.0 Copyright (C) Microsoft Corporation. All rights reserved. ### Successfully generated all binary outputs. mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 ### Successful completion of build procedure for: sldvdemo cruise control Build Summary Top model targets built: Action Rebuild Reason Model sldvdemo cruise control Code compiled. Compilation artifacts were out of date. 1 of 1 models built (0 models already up to date) Build duration: Oh Om 3.6671s ### Preparing to start SIL simulation ... ### Skipping makefile generation and compilation because C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\2 ### Starting SIL simulation for component: sldvdemo\_cruise\_control rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab: rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab: ### Stopping SIL simulation for component: sldvdemo cruise control ### Completed code coverage analysis ### Starting SIL simulation for component: sldvdemo\_cruise\_control rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab: rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab: ### Stopping SIL simulation for component: sldvdemo\_cruise\_control
### Completed code coverage analysis
### Starting SIL simulation for component: sldvdemo\_cruise\_control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
### Stopping SIL simulation for component: sldvdemo\_cruise\_control
### Completed code coverage analysis
### Starting SIL simulation for component: sldvdemo\_cruise\_control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:"
### Stopping SIL simulation for component: sldvdemo\_cruise\_control
### Completed code coverage analysis</a>

| Þ                                                                                                                                                                                                                                                                                                                              | Simulink Design Verifier                                                                               | Results Summary: sldvdemo_cruise_con 💿 🛛                   |   |  |  |  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|------------------------------------------------------------|---|--|--|--|
|                                                                                                                                                                                                                                                                                                                                | Progress                                                                                               |                                                            |   |  |  |  |
|                                                                                                                                                                                                                                                                                                                                | Objectives processed<br>Satisfied<br>Unsatisfiable<br>Elapsed time                                     | 30/30<br>30<br>0<br>0:55                                   |   |  |  |  |
|                                                                                                                                                                                                                                                                                                                                | Test generation (for code generated from top model) completed normally.<br>30/30 objectives satisfied. |                                                            |   |  |  |  |
| Results:         • Open filter viewer         • Highlight analysis results on model         • View tests in Simulation Data Inspector         • Detailed analysis report: (HTML) (PDF)         • Create harness model         • Export test cases to Simulink Test         • Simulate tests and produce a code coverage report |                                                                                                        |                                                            |   |  |  |  |
|                                                                                                                                                                                                                                                                                                                                |                                                                                                        | ruise control sldvdata.mat<br> _bgl-antaraa-l/sldv_output/ |   |  |  |  |
| 4                                                                                                                                                                                                                                                                                                                              |                                                                                                        |                                                            | - |  |  |  |

Note: When you run the script, the SIL test generation regenerates and recompiles the code.

#### Verify Complete Coverage

The sldvruntest function simulates the model by using the generated test suite. The cvhtml function produces a coverage report that indicates the final coverage of the sldvdemo\_cruise\_control model.

```
[~, finalCov] = sldvruntest(model, files.DataFile, [], true);
cvhtml('sil_final_coverage', finalCov);
close_system(model, 0);
```

### Starting build procedure for: sldvdemo\_cruise\_control ### Generating code and artifacts to 'Target environment subfolder' folder structure ### Generating code into build folder: C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-### Generated code for 'sldvdemo\_cruise\_control' is up to date because no structural, parameter ### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows) #### 'C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502968\IntelWin64\sldvdemo\_cru. ### Building 'sldvdemo\_cruise\_control': nmake -f sldvdemo\_cruise\_control.mk buildobj

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex155029

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502

Microsoft (R) Program Maintenance Utility Version 14.29.30137.0 Copyright (C) Microsoft Corporation. All rights reserved.

Action

### Successfully generated all binary outputs.

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502 ### Successful completion of build procedure for: sldvdemo\_cruise\_control

Build Summary

Top model targets built:

Model

Rebuild Reason

sldvdemo cruise control Code compiled. Compilation artifacts were out of date.

1 of 1 models built (0 models already up to date) Build duration: 0h 0m 2.7723s ### Preparing to start SIL simulation ... Building with 'Microsoft Visual C++ 2019 (C)'. MEX completed successfully. ### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows) ### 'C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27ale6fc\sldv-ex15502968\IntelWin64\sldvdemo\_cru: ### Building 'sldvdemo\_cruise\_control': nmake -f sldvdemo\_cruise\_control.mk all mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27ale6fc\sldv-ex155029 mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27ale6fc\sldv-ex155029

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex15502

mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv-ex155029

```
Microsoft (R) Program Maintenance Utility Version 14.29.30137.0
Copyright (C) Microsoft Corporation. All rights reserved.
    cl -c -nologo -GS -W4 -DWIN32 -D_MT -MT -D_CRT_SECURE_NO_WARNINGS /Od /Oy- -DCLASSIC INTER
xil interface.c
    cl -c -nologo -GS -W4 -DWIN32 -D MT -MT -D CRT SECURE NO WARNINGS /Od /Oy- -DCLASSIC INTER
xil instrumentation.c
### Creating standalone executable ".\sldvdemo_cruise_control.exe" ...
    link /RELEASE /INCREMENTAL:NO /NOLOGO kernel32.lib ws2 32.lib mswsock.lib advapi32.lib -out
### Created: .\sldvdemo_cruise_control.exe
### Successfully generated all binary outputs.
mathworks\batserve@BAT6234WIN64 C:\TEMP\Bdoc23a 2213998 3568\ib570499\28\tp27a1e6fc\sldv-ex15502
### Starting SIL simulation for component: sldvdemo_cruise_control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:
### Stopping SIL simulation for component: sldvdemo cruise control
### Completed code coverage analysis
### Starting SIL simulation for component: sldvdemo cruise control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:
### Stopping SIL simulation for component: sldvdemo_cruise_control
### Completed code coverage analysis
### Starting SIL simulation for component: sldvdemo_cruise_control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:
### Stopping SIL simulation for component: sldvdemo_cruise_control
### Completed code coverage analysis
### Starting SIL simulation for component: sldvdemo cruise control
rtw.connectivity.HostLauncher: started executable with host process identifier <a href="matlab:
rtw.connectivity.HostLauncher: stopped executable with host process identifier <a href="matlab:
### Stopping SIL simulation for component: sldvdemo_cruise_control
### Completed code coverage analysis
```

### Summary

| File Contents/Complexity                    |          |           | Test 1 |           |          |
|---------------------------------------------|----------|-----------|--------|-----------|----------|
|                                             | Decision | Condition | MCDC   | Statement | Function |
| 1 . <u>sldvdemo_cruise_control.c</u>        | 9 100%   | 100%      | 100%   | 100%      | 100%     |
| 2 <u>sldvdemo_cruise_control_step</u>       | 7 100%   | 100%      | 100%   | 100%      | 100%     |
| 3 <u>sldvdemo_cruise_control_initialize</u> | 1        |           |        | 100%      | 100%     |
| 4 <u>sldvdemo_cruise_control_terminate</u>  | 1        |           |        | 100%      | 100%     |

Note: When you run the script, the SIL test generation regenerates and recompiles the code.

## **Test Generation on Model with C Caller Block**

This example shows how to use test generation on a model with a C Caller block and custom C code

#### Open the model containing the C Caller block and custom code

open\_system('sldvexCCallerBlockExample');

Simulink Design Verifier Test Case Generation with C Caller Block



Copyright 2018 The MathWorks, Inc.

#### Generate tests to ensure coverage of the model

Use the sldvrun function to run Simulink <sup>®</sup> Design Verifier <sup>™</sup> analysis.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.ModelCoverageObjectives = 'ConditionDecision';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
```

```
[status, fileNames] = sldvrun('sldvexCCallerBlockExample', opts);
```

```
27-Feb-2023 10:36:01
Checking compatibility for test generation: model 'sldvexCCallerBlockExample'
Compiling model...done
Building model representation...done
```

```
27-Feb-2023 10:36:27
```

```
'sldvexCCallerBlockExample' is compatible for test generation with Simulink Design Verifier.
```

Generating tests using model representation from 27-Feb-2023 10:36:27...

. . . . . . . . . .

```
27-Feb-2023 10:36:44
Completed normally.
Generating output files:
27-Feb-2023 10:36:46
Results generation completed.
Data file:
    /home/lucyzeng/Documents/MATLAB/ExampleManager/lucyzeng.BR2023ad.j2194193.1/sldv-ex07804984/
```

#### Verify the coverage

Use the sldvruntest function to verify that the test suite achieves complete model coverage.

```
[~, finalCov] = sldvruntest('sldvexCCallerBlockExample', fileNames.DataFile, [], true);
cvhtml('Final Coverage', finalCov);
```

#### **Clean Up**

To complete the example, close all models.

```
close_system('sldvexCCallerBlockExample', 0);
```

## Debug Enhanced Modified Condition Decision Coverage Using Model Slicer

This example shows how to find the Simulink® Design Verifier<sup>™</sup> generated objectives related to a specific model object using Model Slicer. Once the objectives are identified, Model Slicer highlights the slice at the step when the objective is observable.

This example uses the following products to demonstrate debugging enhanced Modified Condition Decision Coverage (MCDC):

- Simulink Design Verifier
- Model Slicer

Enhanced MCDC analyzes the detectability of each objective in the model and generates non-masking test cases for each objective. It coordinates the effect of downstream blocks to avoid masking effects. It also calculates detection sites for each detectable objective where the effect of the objective can be observed. This data is available in the sldvdemo\_cruise\_control\_sldvdata.mat file generated by the analysis. These detection sites can be added to the equivalence criteria of back-to-back testing.

This example uses the following slicer configuration:

- Starting point is set as the model object to be observed.
- Exclusion point is set as the detection point relevant to the objective generated by Simulink Design Verifier.
- Signal propagation is set to downstream (forward slice).

#### Step 1: Prepare the Model

1. Open the model.

```
model = 'sldvdemo_cruise_control';
open_system(model);
```

2. Load the data file generated by Simulink Design Verifier (sldvData) for test generation using Enhanced MCDC.

load('sldvdemo\_cruise\_control\_sldvdata.mat');

3. Choose the model object for which the objective must be highlighted and find its SID.

```
modelObjIdentifier = 'sldvdemo_cruise_control/Controller/Switch3';
modelobjSID = Simulink.ID.getSID(modelObjIdentifier);
```

#### Step 2: Setting Up Model Slicer

1. Enable FastRestart for the model.

```
set_param(model, 'FastRestart', 'on');
```

Enabling FastRestart will simulate the model and collect the simulation data at various time stamps. This will allow us to use **Step Back** and **Step Forward** options.

2. Create and activate Model Slicer object.

```
slicerObject = slslicer(model);
activate(slicerObject);
```

3. Set the signal propogation to **downstream**.

slicerObject.Configuration.SignalPropagation = 'downstream';

#### Step 3: Find Objectives Related to the Model Object

1. Access sldvData with an object of SldvDataExplorer class.

sldvObj = SldvDataExplorer(sldvData);

Note: The class SldvDataExplorer is a helper class. You can edit it as per your requirements.

2. Find all objectives related to the model object and the details of the objectives.

[objectives, tableOfObjectives] = sldvObj.getObjectivesForModelObj(modelobjSID); disp(tableOfObjectives);

 ObjectiveNum
 Type
 Description

 1
 "Decision"
 "logical trigger input false (output is from 3rd input port)"

 2
 "Decision"
 "logical trigger input true (output is from 1st input port)"

The follwing details of the objectives are saved in tableOfObjectives table:

- ObjectiveNum Objective number.
- Type MCDC/Decision/Condition.
- Description Description of the objective as generated by Simulink Design Verifier.
- Detectability The detectability status of an objective.
- Status The status of an objective.
- TestCaseId Integer that represents the index of a test case or counterexample that addresses an objective.

#### **Step 4: Highlighting the Objectives**

For this example, we will highlight the first objective from the table.

1. Obtain the simulation input object with the input values set according to the test case that corresponds to the objective.

[simIn, atStep, ~] = sldvObj.getSimInObjForObjective(objectives(1));

2. Allow rollback in the model so it is possible to step backwards in the model and set the number of simulation rollback steps to 1.

```
simIn = simIn.setModelParameter('EnableRollBack', 'on');
simIn = simIn.setModelParameter('NumberOfSteps', 1);
```

3. Apply Simulink input object to model.

slicerObject.applySimInToModel(simIn);

4. Find all the detection sites for the selected objective.

objectDetectionSites = sldvObj.getObjectDetectionSites(objectives(1));

5. Add all detection sites as exclusion points.

```
for n = 1:length(objectDetectionSites)
    detectionSite = objectDetectionSites(n).modelObj;
    slicerObject.addExclusionPoint(detectionSite);
end
```

6. Add the model object as an starting point.

slicerObject.addStartingPoint(modelobjSID);

7. Step to the point in the testcase where the objective is observable.

```
for q = 1:atStep
    slicerObject.stepForward();
end
```

Now you can observe that the slice is highlighted.

#### Cleanup

Perform the following actions to cleanup the model:

- 1. Clear the slicer object.
- 2. Clear the Simulink input object.

clear slicerObject simIn

3. Reset the FastRestart parameter of the model.

```
set_param(model, 'FastRestart', 'off');
```

#### See Also

• "Use Model Coverage Objectives for Enhanced MCDC Coverage" on page 7-42

# **Test Generation for Custom Code in a Stateflow Chart**

This example shows how to use test generation on a model with custom code in a Stateflow® chart.

#### Open the Model Containing Custom Code in a Stateflow Chart

open\_system('sldvexSFCustomCodeExample');

#### Simulink Design Verifier Test Case Generation with C/C++ Custom Code





#### Generate Tests to Ensure Coverage of the Model

Use the sldvrun function to run the Simulink® Design Verifier<sup>™</sup> analysis.

```
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.ModelCoverageObjectives = 'ConditionDecision';
opts.SaveHarnessModel = 'off';
opts.SaveReport = 'off';
[status, fileNames] = sldvrun('sldvexSFCustomCodeExample', opts);
```

```
27-Feb-2023 10:49:57
Checking compatibility for test generation: model 'sldvexSFCustomCodeExample'
Compiling model...done
Building model representation...done
```

```
27-Feb-2023 10:50:13
```

```
'sldvexSFCustomCodeExample' is compatible for test generation with Simulink Design Verifier.
```

Generating tests using model representation from 27-Feb-2023 10:50:13...

. . . . . . . . . .

27-Feb-2023 10:50:29
Completed normally.
Generating output files:
27-Feb-2023 10:50:30
Results generation completed.
Data file:
 /home/lucyzeng/Documents/MATLAB/ExampleManager/lucyzeng.BR2023ad.j2194193.1/sldv-ex18712703/s

#### Verify the Coverage

Use the sldvruntest function to verify that the test suite achieves complete model coverage.

```
[~, finalCov] = sldvruntest('sldvexSFCustomCodeExample', fileNames.DataFile, [], true);
cvhtml('Final Coverage', finalCov);
```

#### Clean Up

To complete the example, close all models.

```
close_system('sldvexSFCustomCodeExample', 0);
```

# **Generate Test Cases for Model Blocks**

This example shows how to generate a test case for Model block that models a power window controller in Simulink® Design Verifier<sup>m</sup>.

#### Step 1: Open the Model

The top-level model represents a power window verification system. The model contains a model reference that represents a power window controller model and that specifies the controller behavior and the modeled requirements.

To open the model of the top-level verification system, enter:

open\_system('sldvdemo\_powerwindow\_vs');



### **Power Window Controller Temporal Property Specification**

Copyright 1990-2010 The MathWorks, Inc.

The model reference points to the model sldvdemo\_powerwindowController, which responds to the driver and passenger commands by giving the commands for moving the window up or down. The model also responds if the window encounters an obstacle or if it reaches the end of the window frame in either direction.



#### Step 2: Specify Analysis Options

Specify the analysis options for test case generation:

#### 1. On the **Design Verifier** tab, change the **mode** to **Test Generation**.

#### 2. Click **Test Generation Settings**.

3. From **Test Generation** pane in the Configuration Parameters dialog box, set **Model coverage objectives** to MCDC.

#### 4. Click **OK**.

#### **Step 3: Perform Analysis and Review Results**

Perform test case generation on the Model block:

1. Right-click the **Model** block and select **Design Verifier** > **Generate Tests for Referenced Model**. Alternatively, in the **Design Verifier** pane, in the **Analyze** section, click the unpin button, then select the Model block. Then click Generate Tests.

2. Simulink Design Verifier generates test cases for the Model block. The Results window shows that the test generation completed normally.

| Þ                                                                                                                  | Simulink Design Verifier Results | Summary: Model0_replacement | 1                  | > | × |  |  |
|--------------------------------------------------------------------------------------------------------------------|----------------------------------|-----------------------------|--------------------|---|---|--|--|
| [                                                                                                                  |                                  |                             |                    |   | ^ |  |  |
|                                                                                                                    | Progress                         |                             |                    |   |   |  |  |
|                                                                                                                    | Objectives processed             | 178/178                     |                    |   |   |  |  |
|                                                                                                                    | Satisfied                        | 170                         |                    |   |   |  |  |
|                                                                                                                    | Unsatisfiable<br>Elapsed time    | 8<br>0:38                   |                    |   |   |  |  |
|                                                                                                                    | Liapsed time                     | 0.50                        |                    |   |   |  |  |
| l                                                                                                                  |                                  |                             |                    |   |   |  |  |
| Test generation completed normally.                                                                                |                                  |                             |                    |   |   |  |  |
| 170/178 objectives satisfied.<br>8/178 objectives unsatisfiable                                                    |                                  |                             |                    |   |   |  |  |
|                                                                                                                    | of 170 objectives ansatomable    |                             |                    |   |   |  |  |
|                                                                                                                    | Results:                         |                             |                    |   |   |  |  |
| Open filter viewer                                                                                                 |                                  |                             |                    |   |   |  |  |
| <ul> <li>Highlight analysis results on model</li> </ul>                                                            |                                  |                             |                    |   |   |  |  |
| <ul> <li>View tests in Simulation Data Inspector</li> <li>Detailed analysis report: (HTML) (PDF)</li> </ul>        |                                  |                             |                    |   |   |  |  |
| <u>Create harness model</u>                                                                                        |                                  |                             |                    |   |   |  |  |
| <ul> <li>Export test cases to Simulink Test</li> <li>Simulate tests and produce a model coverage report</li> </ul> |                                  |                             |                    |   |   |  |  |
|                                                                                                                    |                                  |                             |                    |   |   |  |  |
|                                                                                                                    | Data saved in: Model0_sldvdat    | ta1.mat                     |                    |   |   |  |  |
|                                                                                                                    | in folder:<br>\Model0            |                             | MATLAB\sldv_output |   |   |  |  |
|                                                                                                                    |                                  |                             |                    |   |   |  |  |
|                                                                                                                    |                                  |                             |                    |   |   |  |  |
|                                                                                                                    |                                  |                             |                    |   |   |  |  |
|                                                                                                                    |                                  |                             |                    |   |   |  |  |
| <                                                                                                                  |                                  |                             |                    | > | ~ |  |  |

3. To access the deatiled analysis report, click **HTML** in the Results window. The analysis report shows that 170 objectives are satisfied and eight objectives are unsatifiable out of the 178 objectives processed.

### Step 4: Clean Up

To complete the example, close the opened model.

close\_system('sldvdemo\_powerwindow\_vs',0);

### **Related Topics**

• "What Is Test Case Generation?" on page 7-3

# **Use Observer Reference Block for Test Case Generation**

This example shows how to generate test cases for two custom Test Objective blocks using Observer Reference block and use model representation to reanalyze the design model. For more information, see "Isolate Verification Logic with Observers" on page 12-29. To reanalyze the model, you update the verification logic and set the **Rebuild model representation** option to If change is detected. For more information, see "Model Representation for Analysis" on page 2-28.

### Step 1: Open the Model and Replace Verification Subsystem

In the Test Objective block, the block "True" forces the output signal to be 2. The block "Edge" inside "Masked Objective" specifies that the output signal transitions from 2 to 1. To open the model, enter:

open\_system('sldvdemo\_debounce\_testobjblks');



Copyright 2006-2023 The MathWorks, Inc.

To replace the Verification Subsystem **Masked Objective** in the model by the Observer Reference block, follow these steps:

(a) Right-click on the **Masked Objective** in the sldvdemo\_debounce\_testobjblks model. In the context menu, click **Observers > Move selected block to Observer > New Observer**.

(b) Click **Yes** on **move 'Verify Output' to Observer** dialog box that appears after step (a).

(c) An Observer Reference block is added to your system model, and an Observer model sldvdemo\_debounce\_testobjblks\_Observer1 is created and opened.



(d) Save the file sldvdemo\_debounce\_validprop\_Observer1 in a writable folder on the MATLAB path.

(e) Double-click on the Observer port to open the Manage Observer configuration window. The signal Switch 1 is automatically mapped to the Observer Port block in the sldvdemo\_debounce\_testobjblks\_Observer1.

| Observable Filter Observable Area                                                                                                                                                                    | ÷   | Observer: | Filter Observer                                                                  |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----|-----------|----------------------------------------------------------------------------------|
| <ul> <li>sldvdemo_debounce_testobjblks</li> <li>x raw</li> <li>x Constant</li> <li>x Constant1</li> <li>More Info1</li> <li>x Switch</li> <li>True</li> <li>debounce</li> <li>x debounced</li> </ul> |     | ► 🖻 Ma    | emo_debounce_testobjblks_Observer1<br>asked Objective<br>oserver Port (Switch:1) |
|                                                                                                                                                                                                      | (() |           |                                                                                  |

(f) Select the input signal to the **Masked Objective** subsystem in the sldvdemo\_debounce\_testobjblks and click on **Test Point** in the **Signal** pane to make sure that Simulink Design Verifier successfully build the model representation for analysis.

#### **Step 2: Perform Test Generation Analysis**

To perform the test generation analysis, follow these steps:

#### On the **Design Verifier** tab, click **Generate Test**.

After the analysis completes, the Results Summary window displays that both objectives are satisfied with the test case.

To view the detailed analysis report, in the Results Summary window, click **HTML**. In the report, the Test Objectives Status chapter lists the status of the objectives for **Design Model** and **Observers Model(s)** in separate subsections.

| 3.1.1. Design Model<br>3.1.2. Observer Model(s)                                    |                                       |                   |              |                     |                     |           |  |
|------------------------------------------------------------------------------------|---------------------------------------|-------------------|--------------|---------------------|---------------------|-----------|--|
| Simulink Design Verifier generated test cases that exercise these test objectives. |                                       |                   |              |                     |                     |           |  |
| 3.1.1. Design Model                                                                |                                       |                   |              |                     |                     |           |  |
| This section contains information a                                                | about 'Objectives Satisfied' in the d | lesign model.     |              |                     |                     |           |  |
| #                                                                                  | Туре                                  | Model Item        | Description  | Analysis Time (sec) | Test Case           |           |  |
| 2                                                                                  | Test objecti                          | ve <u>True</u>    | Objective: 2 | 12                  | 1                   |           |  |
|                                                                                    |                                       |                   |              |                     |                     |           |  |
| 3.1.2. Observer Model(s)<br>This section contains information a                    | about 'Objectives Satisfied' in the c | bserver model(s). |              |                     |                     |           |  |
|                                                                                    |                                       |                   | Model Item 1 | Description         | Analysis Time (sec) | Test Case |  |

## Step 3: Modify Observer model and reanalyze without rebuilding design model representation

To generate the test case for the functional requirement, the **debounced** signal transitions from 1 to 2 without rebuilding the model representation for design model. To enable the reuse of design model representation, follow these steps:

(a) On the **Design Verifier** tab, click **Test Generation Settings > Settings**.

(b) In the Configurations Parameters dialog box, on the Design Verifier pane, in Advanced parameters, set the **Rebuild model representation** option to If change is detected and Click **OK**.

(c) To update the model parameters, follow these steps:

1. In the sldvdemo\_debounce\_testobjblks\_Observer1 window, double-click to open the **Masked Objective** subsystem and change the value of constant In1 from 1 to 2 and relational operator from > to <.

2. Save the changes in a writable MATLAB path.



(d) Perform Test Case Generation Analysis and Review Results. On the **Design Verifier** tab, click **Generate Tests**. The software validates the cached design model representation, detects no change in design model and reuses the representation for analysis.

| • | Simulink Design Verifier Results              | Summary: sldvdemo_debounce_testobjblks                     | ) | × |
|---|-----------------------------------------------|------------------------------------------------------------|---|---|
|   |                                               |                                                            |   | ^ |
|   |                                               |                                                            |   |   |
|   | Progress                                      |                                                            |   |   |
|   | Objectives processed                          | 0/1                                                        |   |   |
|   | Satisfied                                     | 0                                                          |   |   |
|   | Unsatisfiable                                 | 0                                                          |   |   |
|   | Elapsed time                                  | 0:00                                                       |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
| Г |                                               |                                                            |   |   |
|   | 15-Jan-2021 19:24:53                          |                                                            |   |   |
|   |                                               | sentation from 15-Jan-2021 19:24:06done                    |   |   |
| ľ | <u>, , , , , , , , , , , , , , , , , , , </u> |                                                            |   |   |
|   | 15-Jan-2021 19:24:56                          |                                                            |   |   |
|   |                                               | ks' is <b>compatible</b> for test generation with Simulink |   |   |
|   | Design Verifier.                              |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   | Generating tests using model r                | epresentation from 15-Jan-2021 19:24:06                    |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   |   |
|   |                                               |                                                            |   | ¥ |
| < |                                               |                                                            | > |   |

After the analysis completes, the Results Summary window display that only one test objective is satisfied.

To view the detailed analysis report, in the Results Summary window, click HTML.

#### Summary

Length: 0.06 second (7 sample periods) Objectives Satisfied: 2

#### Objectives

| Step     | Time | Model Item            | Objectives      |
|----------|------|-----------------------|-----------------|
| 7        | 0.06 | Masked Objective/Edge | 1. Objective: 1 |
| <i>′</i> |      | True                  | 2. Objective: 2 |

#### **Generated Input Data**

| Time | 0 | 0.01-0.02 | 0.03-0.05 | 0.06 |
|------|---|-----------|-----------|------|
| Step | 1 | 2-3       | 4-6       | 7    |
| raw  | 2 | 1         | 2         | 1    |

Note: If you create a new model, by default, the **Rebuild model representation** option is set to If change is detected. The software validates the cache model representation, detects no change, and reuses the model representation for analysis.

#### **Related Topics**

- "Access Model Data Wirelessly by Using Observers" (Simulink Test).
- Verification Subsystem.

## Inspect Test Generation Objectives by Using Model Slicer

This example shows how to use Model Slicer to inspect test generation objectives in a Simulink model. The Simulink® Design Verifier<sup>™</sup> analysis generates test cases and propagates the test cases to a Model block. You can see or inspect the values in the Model block at the time step at which the objective is observable and highlight the path and values using Model Slicer.

#### Prepare the Model

Open the model.

model = 'sldvdemo\_cruise\_control';
open\_system(model);

#### **Generate Test Objectives**

1. Open **Simulink Design Verifier** by clicking on **Apps > Design Verifier**.

2. In the **Design Verifie**r tab, click **Generate Tests**. Simulink Design Verifier analyzes the model and displays the results in Simulink Design Verifier Results Summary window.

3. In the model, the analysis highlights the Controller subsystem where the objectives are located.



4. Open the **Controller** subsystem and click the **PI Controller** subsystem. Alternatively, you can select any of the blocks highlighted in green color. The objectives appear in the Results window.



#### Inspect Test Objectives using Model Slicer

1. In the **Results** window, click **Inspect** to launch Model Slicer and analyze the objective. Alternatively, in the Design Verifier tab, in **Review Results** section, click **Review Results > Inspect Using Slicer.** 

| - ⇒ 43                                          |                           |              |         | $\mathbf{v}$ |
|-------------------------------------------------|---------------------------|--------------|---------|--------------|
| ack to summary                                  |                           |              |         | <br>         |
|                                                 |                           |              |         |              |
| ldudama anuica control/                         | Controllor (D)            | Controllor   |         |              |
| sldvdemo_cruise_control/                        | Controller/P              | [ Controller |         |              |
| sldvdemo_cruise_control/<br>Decision Objectives |                           |              |         |              |
|                                                 | Controller/P<br>Satisfied | Controller   | Inspect |              |

As part of the model setup, Model Slicer:

- Uses the selected block as a starting point
- Highlights the slice that represents the objective
- Simulates the model and pauses it at the time of observation

You can analyze the model by inspecting the port labels or observe the values of the test case propagated to the objective block and the path it takes.



Note that when you set the model coverage objective to enhanced MCDC, you can also inspect the objective detectability. In this case, the Model Slicer configuration allows you to switch to different modes by using the **Slice Configuration list**. For more information, see "Inspect Enhanced MCDC Objectives using Model Slicer" on page 7-50.

#### **Related Links**

• "Basic Workflow for Enhanced MCDC Analysis" on page 7-47

# Generate Tests for Model Block Component by Using Default Simulation

This example shows how to use Simulink® Design Verifier<sup>™</sup> to generate test cases for a Model block by using a default top model simulation.

This example contains Model block that acts as a controller. The top model is configured for plant-inloop simulation. You can generate test cases for a controller by using the top model simulation.

#### Set Up the Default Plant-in-Loop Controller Simulation

The model contains a power window controller and a low-order plant model. sldvexPowerWindow/
power\_window\_control\_system/control is a Model block that references the model
sldvexPowerWindowController, which implements the controller with a Stateflow® chart.

open\_system('sldvexPowerWindow');



#### Simulink Design Verifier Power Window Controller Hybrid System Model

Copyright 1990-2021 The MathWorks, Inc.

This model contains a Signal Editor block at the top level. The simulation is set up as a plant-in-loop controller simulation.



#### Simulate the Top Model and Generate Test Cases for the Controller

1. In the Apps pane, open Design Verifier.

2. In the **Analyze** section, click the Remember Selection icon to unpin the current selection.

3. Select the Model block sldvexPowerWindow/power\_window\_control\_system/control.

4. In the **Design Verifier** tab, expand **Generate Test** and click **Simulate Top Model And Generate Tests**.



#### **View Test Generation Results**

Design Verifier runs the default simulation to log inputs for the Model block sldvexPowerWindow/ power\_window\_control\_system/control. Then Design Verifier runs a test extension on logged inputs to generate additional test cases for the controller.



#### Clean Up

Close the model.

```
close_system('sldvexPowerWindow');
```

## Add Test Cases Using Excel File

This example shows how to create test cases incrementally by using Simulink® Design Verifier<sup>™</sup> supported Excel® file.

Simulink® Design Verifier<sup>™</sup> generates test cases to satisfy testing criteria, such as model objectives. Owing to support limitations and model complexity, occasionally it can generate test cases that do not cover all model objectives. Use this example to understand how to:

- Create test cases in Excel file format.
- Write a new test case manually in an Excel file.
- Create additional test cases by using test extension with Excel file.

#### Generate Test Cases by Using Design Verifier

Open the model and create test cases.

```
model = 'sldvexSpreadsheetTopoff';
open_system(model);
[~, files] = sldvrun(model);
```

```
Checking compatibility for test generation: model 'sldvexSpreadsheetTopoff'
Compiling model...done
Building model representation...done
```

'sldvexSpreadsheetTopoff' is partially compatible for test generation with Simulink Design Verif.

The model can be analyzed by Simulink Design Verifier. It contains unsupported elements that will be stubbed out during analysis. The results of the and See the Diagnostic Viewer for more details on the unsupported elements.

Generating tests using model representation from 22-Jul-2022 20:02:02...

Generating output files:

Results generation completed.

Data file: C:\Users\pdasbasu\OneDrive - MathWorks\Documents\MATLAB\ExampleManager\pdasbasu.BR2022bd.j20

#### Save Design Verifier Test Cases to Excel File

Simulink Design Verifier creates test cases in the MAT-file format by default. Save the test cases generated in the previous section in an Excel file by using any of these methods:

- Click Save to spreadsheet button in Results.
- Click Save to spreadsheet link in the results window, or results inspector.
- Use sldvgenspreadsheet function.

For this example, use the sldvgenspreadsheet function to save the test cases.

excelFilePath = sldvgenspreadsheet(model, files.DataFile);

**Note:** Importing or exporting to an Excel file is not supported for an array of bus signals. For more information, see Microsoft Excel Import, Export, and Logging Format.

#### **Identify Missing Coverage Objectives**

Simulate the model by using all test cases from the Excel file and create a coverage report. sldvruntest supports test cases from a spreadsheet as simulation input.

```
runOpts = sldvruntestopts;
runOpts.coverageEnabled = true; % Enable coverage
[~, initialCov] = sldvruntest(model, excelFilePath, runOpts); % Use test cases from Excel file for
cvhtml('Initial coverage', initialCov);
```

Observe that the value of Switch block logical trigger input is never false in the coverage report.

## Switch block "Switch"

| <u>Justify or Exclude</u> |                                  |
|---------------------------|----------------------------------|
| Parent: /sld              | <u>vexSpreadsheetTopoff</u>      |
| Metric                    | Coverage                         |
| Cyclomatic Complexity     | 1                                |
| Decision                  | 50% (1/2) decision outcomes      |
| Execution                 | 100% (1/1) objective<br>outcomes |
| Decisions analyzed        |                                  |
| logical trigger input     |                                  |
| false (output is from 3r  | rd input port)                   |

true (output is from 1st input port)

#### Write Test Case to Satisfy Coverage Objective

Determine the cause of missing the coverage objective. In this example, the model contains unsupported block *Sqrt*, which limits Simulink Design Verifier analysis.

To make the value of trigger input of Switch block false, observe that the value of inport In3 should be greater than 100. Add a new sheet in the Excel file with the test case.

50%

0/2

2/2

|   | Α    | В                                      | С                                      | D                                      |
|---|------|----------------------------------------|----------------------------------------|----------------------------------------|
| 1 | time | In1                                    | In2                                    | In3                                    |
| 2 |      | BlockPath: sldvexSpreadsheetTopoff/In1 | BlockPath: sldvexSpreadsheetTopoff/In2 | BlockPath: sldvexSpreadsheetTopoff/In3 |
| 3 |      | PortIndex: 1                           | PortIndex: 2                           | PortIndex: 3                           |
| 4 |      | Interp: zoh                            | Interp: zoh                            | Interp: zoh                            |
| 5 |      | Source: Input                          |                                        |                                        |
| 6 | 0    | 5.95663                                | 1.91836                                | 101                                    |

Verify whether the new test case satisfies the required coverage objective.

```
excelFilePath = 'WithNewTestCase.xlsx';
runOpts = sldvruntestopts;
runOpts.testIdx = 2; % Simulate only the newly added test case
runOpts.coverageEnabled = true;
[~, newTestCov] = sldvruntest(model, excelFilePath, runOpts);
cvhtml('New test coverage', newTestCov);
```

#### **Run Test Extension by Using Excel file**

Simulink Design Verifier test extension workflow generates new test cases by extending the existing test cases. This helps to satisfy additional coverage objectives by extending your new test case.

```
opts = sldvoptions(model);
opts.ExistingTestFile = excelFilePath; % Use Excel file with new test cases as input for test ex
opts.ExtendExistingTests = 'on'; % Enable test extension
[~, files] = sldvrun(model, opts);
```

Checking compatibility for test generation: model 'sldvexSpreadsheetTopoff' Compiling model...done Building model representation...done

'sldvexSpreadsheetTopoff' is partially compatible for test generation with Simulink Design Verif:

The model can be analyzed by Simulink Design Verifier. It contains unsupported elements that will be stubbed out during analysis. The results of the ana See the Diagnostic Viewer for more details on the unsupported elements.

Loading initial test data...done

Generating tests using model representation from 22-Jul-2022 20:02:34...

Generating output files:

Results generation completed.

```
Data file:
C:\Users\pdasbasu\OneDrive - MathWorks\Documents\MATLAB\ExampleManager\pdasbasu.BR2022bd.j20
```

#### Verify Complete Coverage

Simulate the model using the new test cases and verify that you now have complete coverage.

```
runOpts = sldvruntestopts;
runOpts.coverageEnabled = true; % Enable coverage
[~, finalCov] = sldvruntest(model, files.DataFile, runOpts);
cvhtml('Final coverage', finalCov);
close_system(model, 0);
```

If the new test cases still yield partial coverage, you can write a new test case in an Excel file and then run test extension workflow till complete coverage is achieved.

## Summary

## Model Hierarchy/Complexity Test 1

|                                   | Decision | Execution |
|-----------------------------------|----------|-----------|
| 1. <u>sldvexSpreadsheetTopoff</u> | 3 100%   | 100%      |

## Achieve Missing Coverage in Custom Code

This example shows you how to test for missing coverage in custom code. You can use these steps to also test for missing coverage in external C code. If you simulate a model with custom code through C Caller block, C Caller Library, or coder.ceval function, then coverage of the custom code is reported. If the code does not achieve full coverage, you can use Simulink® Design Verifier<sup>™</sup> to generate test cases that achieve full coverage. You can then use Simulink® Test Manager<sup>™</sup> to perform unit testing by generating test cases only for the custom code.

1. Open the test file.

```
testFile = 'dTest_TopOffCoverage_mFuncWithPointers.mldatx';
sltest.testmanager.load(testFile);
sltest.testmanager.view;
```

2. Simulate the test file and observe the coverage value in the Aggregated Coverage Results window.



3. As the coverage of the custom code is not 100%, click Add Tests for Missing Coverage.

|             | ▼ AGGRE0                                      | GATED COVERAGE RE                                       | ESULTS      |          |                      |           |                                      | ?        |
|-------------|-----------------------------------------------|---------------------------------------------------------|-------------|----------|----------------------|-----------|--------------------------------------|----------|
|             |                                               | te a coverage report from<br>s will be displayed with t |             |          | to justify or exclud | e missing | coverage. The filters and updated co | verage   |
|             | ANAL                                          | YZED MODEL                                              | REPORT      | COM      | DECISION             |           | EXECUTION                            | +        |
|             |                                               | hFuncWithPointers.c                                     |             | 8        | 50%                  |           | 63%                                  | ^        |
|             | <b>1</b>                                      | mFuncWithPointers                                       |             | 2        | 50%                  |           | 100%                                 |          |
| Add Tests   | s for Missing Coverag                         | le                                                      |             |          |                      | ? ×       |                                      |          |
| Generate te | sts for missing coverage for                  | hFuncWithPointers.c                                     | using Sin   | nulink   | Design Verifier.     |           |                                      |          |
| Test Case:  | <create a="" case="" new="" test=""></create> | Select a test cas test case.                            | se to add   | iteratio | n or create a new    |           |                                      | -        |
| Test Type:  | Baseline Test                                 | <ul> <li>Select the type f</li> </ul>                   | for the new | w test o | case.                |           | + Add Tests for Missing Coverage     | A Export |
| Test File:  | dTest_TopOffCoverage                          | Select a test file file. Open                           | to add ne   | w test   | s or create a new t  | est       |                                      |          |
|             |                                               |                                                         |             |          | OK Car               | icel      |                                      |          |

4. Simulink Design Verifier generates additional test cases. The custom code file, hFuncWithPointers.c contains two functions: getValue and getValuePointer.

Function 1: The function **getValue** has vector and scalar inputs. The dimensions are specified for the vector inputs.

The inputs of the harness constructed from this code contain the proper dimensions of the signals. Therefore, Simulink Design Verifier may not be able to generate correct test cases for the code.

The harness generated for this code is as shown:



The analysis result is as shown here:

| Progress             |       |  |
|----------------------|-------|--|
| Objectives processed | 12/12 |  |
| Satisfied            | 8     |  |
| Unsatisfiable        | 4     |  |
| Elapsed time         | 0:29  |  |
|                      |       |  |

Function 2: The function **getValuePointer** also has vector and scalar inputs. The dimensions are not specified for the vector inputs.

The inputs of the harness constructed from this code contain the dimensions of the signals to be inherited. Simulink Design Verifier cannot generate correct test cases for the code.



5. Add new test cases for the function **getValue** as shown:

| Test Browser Results and Artifacts                                                                                                                                                                               | 🗀 New Test Suite 1 🗙 🖍 Start Page 🗙 🔋 New Test Case 1 🗙                                                                                                                  |         |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| Filter tests by name or tags, e.g. tags: test <ul> <li>IdTest_TopOffCoverage_mFuncWithPointers*</li> <li>New Test Suite 2</li> <li>New Test Case 1</li> <li>New Test Suite 1</li> <li>New Test Case 1</li> </ul> | New Test Case 1  dTest TopOffCoverage mFuncWithPointers » New Test Suite 1 » New Test Case 1 Baseline Test Create Test Case from External File TAGS                      | Enabled |
|                                                                                                                                                                                                                  | DESCRIPTION     REQUIREMENTS     SYSTEM UNDER TEST*      Model: hFuncWithPointers_Lib     TEST HARNESS*      Harness: hFuncWithPointers_Lib_getValue_harnessTopOff     C | ?       |

From the warning message, you will get a list of functions for which Simulink Design Verifier is not invoked, and the list of corresponding harness names which you need to update manually, to achieve additional coverage. In this example, for the function **getValuePointer** no additional test case is generated, and **hFuncWithPointers\_Lib\_getValuePointer\_harnessTopOff.slx** is the corresponding harness that you need to update.

6. To manually add additional test cases for the function, **getValuePointer**, update the port specification of the **C Caller** block **getValuePointer** of the generated library model **hFuncWithPointers\_Lib**. Open the block parameter of the **C Caller** block **getValuePointer**, and update the required port dimension and save the model.

7. Add a new test suite for the updated harness, in the existing test file.

8. Simulate the test suite and generate additional test cases by using **Add Tests for Missing Coverage**. You have now generated test cases for missing coverage in custom code.

## Achieve Missing Coverage in Generated Code of RLS

This example shows you how to use use Simulink® Design Verifier<sup>™</sup> to generate test cases that achieve full coverage. If you simulate a harness of a reusable library susbsystem (RLS) in the software-in-the-loop (SIL) simulation mode, then coverage of the generated code of the RLS is reported. Using Simulink® Test Manager<sup>™</sup>, you can easily achieve full coverage by using the following steps:

Generate the top-model code before invoking simulation on the harness of the RLS. Before generating the code, you need to set up the code generation target environment. For more information on how to set up the code generation environment, see "Generate Test Cases for RLS in Software-in-the-Loop Mode" on page 7-21. After code generation, open the test file.

1. Open the test file.

```
orig = Simulink.fileGenControl('get', 'CodeGenFolderStructure');
Simulink.fileGenControl('set','CodeGenFolderStructure', Simulink.filegen.CodeGenFolderStructure.
load system('mRLS');
slbuild('mRLS');
testFile = 'dTest_TopOffCoverage_Controller.mldatx';
sltest.testmanager.load(testFile);
sltest.testmanager.view;
### Starting build procedure for: Controller_CodeSpecification1
### Generating code and artifacts to 'Target environment subfolder' folder structure
### Generating code into build folder: C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-
### Invoking Target Language Compiler on Controller CodeSpecification1.rtw
### Using System Target File: B:\matlab\rtw\c\ert\ert.tlc
### Loading TLC function libraries
### Initial pass through model to cache user defined code
### Caching model source code
### Writing header file Controller_LpOdbbft.c
### Writing header file Controller_CodeSpecification1 types.h
### Writing header file Controller CodeSpecification1.h
### Writing header file rtwtypes.h
### Writing header file Controller Lp0dbbft.h
### Writing source file Controller CodeSpecification1.c
### Writing header file Controller CodeSpecification1 private.h
### Writing source file ert_main.c
### TLC code generation complete (took 5.586s).
### Saving binary information cache.
### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows)
### Creating 'C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex58892879\IntelWin64\_sh
### Using toolchain: Microsoft Visual C++ 2019 v16.0 | nmake (64-bit Windows)
### Creating 'C:\TEMP\Bdoc23a_2213998_3568\ib570499\28\tp27a1e6fc\sldv-ex58892879\IntelWin64\Con
### Successful completion of code generation for: Controller CodeSpecification1
```

The following files will be copied from IntelWin64\\_shared to C:\TEMP\Bdoc23a\_2213998\_3568\ib5704

Controller\_Lp0dbbft.c Controller\_Lp0dbbft.h shared\_file.dmr

Files copied from IntelWin64\\_shared to C:\TEMP\Bdoc23a\_2213998\_3568\ib570499\28\tp27a1e6fc\sldv

| ANALYZED MODEL      | REPORT | COM | DECISION | EXECUTION | FUNCTION |  |
|---------------------|--------|-----|----------|-----------|----------|--|
| PI Controller 1FHZB | 9tw.c  | 4   | 17%      | 25%       | 100%     |  |
|                     |        |     |          |           |          |  |
|                     |        |     |          |           |          |  |
|                     |        |     |          |           |          |  |
|                     |        |     |          |           |          |  |
|                     |        |     |          |           |          |  |

- 2. Simulate the test file and observe the coverage value.
- 3. Click Add Tests for Missing Coverages as coverage of the generated code for the RLS is not 100%.



This workflow invokes Simulink<sup>®</sup> Design Verifier<sup>™</sup> to generate additional testcases.

| Progress             |      |  |
|----------------------|------|--|
| Objectives processed | 6/6  |  |
| Satisfied            | 6    |  |
| Jnsatisfiable        | 0    |  |
| Elapsed time         | 1:51 |  |

1/6 objective satisfied by existing test/coverage data

New test cases are added to the test file.

| Test Browser Results and Artifacts                                                                                            | 🗅 New Test Suite 2 🗙 🖍 Start Page 🗙 🖹 New Test Case 1 🗙                                                                                                          |         |
|-------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| Filter tests by name or tags, e.g. tags: test <ul> <li>dTest_TopOffCoverage_PiController*</li> <li>New Test Suite 1</li></ul> | New Test Case 1         dTest_TopOffCoverage_PIController > New Test Suite 2 > New Test Case 1         Baseline Test         Create Test Case from External File | Enabled |
|                                                                                                                               | <ul> <li>TAGS</li> <li>DESCRIPTION</li> <li>REQUIREMENTS</li> </ul>                                                                                              |         |
|                                                                                                                               |                                                                                                                                                                  | ?       |

4. Simulate the overall test file and check if you now have full coverage for the generated code for the RLS.

| values will be displayed with this res | ult.       |     |          |           |          |
|----------------------------------------|------------|-----|----------|-----------|----------|
| ANALYZED MODEL                         | REPORT     | COM | DECISION | EXECUTION | FUNCTION |
| PI Controller 1FHZB9tw.c               | - <b>P</b> | 4   | 100%     | 100%      | 100%     |
|                                        |            |     |          |           |          |

## **Extending Existing Test Cases**

- "When to Extend Existing Test Cases" on page 8-2
- "Extend Test Cases for Model with Temporal Logic" on page 8-4
- "Extend Test Cases for Closed-Loop System" on page 8-10
- "Extend Test Cases for Modified Model" on page 8-15
- "Create and Run Back-to-Back Tests Using Enhanced MCDC" on page 8-18

## When to Extend Existing Test Cases

#### In this section...

"Common Workflow for Extending Existing Test Cases" on page 8-2 "Considerations for Starting Test Cases" on page 8-3

The Simulink Design Verifier software can analyze your model using previously generated test cases that you specify. You can use this feature in the following situations:

- You encounter delays trying to analyze your model, or you see incomplete results. This can happen if your model has any of the following characteristics:
  - Temporal logic
  - Large counters
  - Model objects that are difficult to test due to complex or nonlinear logic

Analyzing the model and considering the existing test cases allows you to focus the analysis on those parts of the model that are difficult to analyze. You can combine the generated test cases to create a complete test suite for the full model.

For an example of extending existing test cases for a model that uses temporal logic, see "Extend Test Cases for Model with Temporal Logic" on page 8-4.

• You have a closed-loop simulation model that uses a Model block to include the controller. First, log the data from the Model block and then analyze the model referenced by the Model block. Using this technique, the test cases for the controller can realistically reflect the continuous time behavior expected in the closed-loop system.

For an example of extending existing test cases for a closed-loop system, see "Extend Test Cases for Closed-Loop System" on page 8-10.

• You change an existing model for which you have already generated test cases. In this situation, you can reanalyze the model, omitting the analysis results from the original version of the model. The combined test cases give you a complete test suite for the new model.

For an example of extending existing test cases for modified models, see "Extend Test Cases for Modified Model" on page 8-15.

• You apply parameter configurations or update the parameter constraint values of an existing model for which you have generated test cases. In this situation, you can reanalyze the model by reusing the previously generated test cases and extend them to achieve full model coverage. For an example of extending existing test cases when you modify parameter configurations, see "Extend Existing Test Cases After Applying Parameter Configurations" on page 5-46.

## **Common Workflow for Extending Existing Test Cases**

Use the following workflow for extending existing test cases during a test-generation analysis:

- Create the starting test cases.
- Log the starting test cases.

- Extend the existing test cases during test-generation analysis.
- Verify that you have created a complete test suite.

The examples in this category use some or all of these tasks when extending existing test cases during analysis.

## **Considerations for Starting Test Cases**

If the existing test cases are inconsistent with the model, Simulink Design Verifier ignores the test cases during test case extension. For example, if you update the constraint values of parameters and the existing test case violates the specified constraint values, the test case will be ignored.

## See Also

#### **More About**

- "Extend Test Cases for Model with Temporal Logic" on page 8-4
- "Extend Test Cases for Closed-Loop System" on page 8-10
- "Extend Test Cases for Modified Model" on page 8-15

## **Extend Test Cases for Model with Temporal Logic**

#### In this section...

"Create Starting Test Case" on page 8-4

"Log Starting Test Case" on page 8-6

"Extend Existing Test Cases" on page 8-7

"Verify Analysis Results" on page 8-8

## **Create Starting Test Case**

This example uses the sldvdemo\_sbr\_extend\_design model. This model includes a Stateflow chart SBR that uses temporal logic. The transition from the KEY\_OFF state to the KEY\_ON state occurs after the Stateflow chart has been simulated 500 times. To test this transition requires a test case with 500 time steps.

In this example, you create a test case that forces the transition to KEY\_ON by setting the KEY input to 1 for the duration of the test case. You simulate the model using this test case, satisfying the objectives for the KEY\_OFF/KEY\_ON transition. Then you analyze the model, ignoring the objectives already satisfied by the test case you create.

**1** Open the example model:

sldvdemo\_sbr\_extend\_design

2 Open the SBR Stateflow chart to see the KEY\_0FF/KEY\_0N transition.

| KEY_OFF<br>SeatBeltIcon=0; |   |                    | a• |
|----------------------------|---|--------------------|----|
| [after(500,tick)]          | , | [KEY == <b>0</b> ] |    |
| KEY_ON                     |   | - · · ·            |    |

**3** Create a model reference harness model:

```
[~, harnessModelFilePath] = ...
sldvmakeharness('sldvdemo_sbr_extend_design',[],[],true);
```

The harness model, sldvdemo\_sbr\_extend\_design\_harness, includes:

 A Model block named Test Unit that references the original model, sldvdemo\_sbr\_extend\_design.

|   | sldvdemo_sbr_exte | nd_design      |   |
|---|-------------------|----------------|---|
| ٠ | Inputs            | SeatBeltIcon — | • |
|   |                   |                |   |
|   | Test Unit         |                |   |

• A Signal Builder block named Inputs that contains the test-case inputs to the model referenced in the Model block.



Initially, the Signal Builder block contains only the default test case, with all three inputs set to  $\boldsymbol{\theta}.$ 

• A DocBlock block named Test Case Explanation that documents the test case.



Initially, the Test Case Explanation block does not have any content for the default test case.

4 sldvmakeharness returns the path to the harness model file in harnessModelFilePath. Extract the name of the harness model file into harnessModel, for later use:

[~, harnessModel] = fileparts(harnessModelFilePath);

In order to analyze the KEY\_OFF to KEY\_ON state transition, create a test case that makes the transition to the KEY\_ON state in 500 time steps:

- **1** Open the Signal Builder dialog box for the harness model.
- 2 Select Axes > Change Time Range.
- **3** The Signal Builder's time range determines the span of time over which its output is explicitly defined. In the Set the total time range dialog box, set the **Max time** field to 5 seconds, creating 500 time steps of 0.01 seconds duration each.
- 4 Set the KEY input to 1 for the duration of this starting test case, forcing the transition to the KEY\_ON state. Selecting the Inputs.KEY signal requires two clicks. First, click the signal so that dots appear at both ends of the signal.



**5** Click the Inputs.KEY signal again. The Signal Builder thickens the signal to indicate that it is selected.



- 6 At the bottom of the Signal Builder dialog box, under Left Point, enter 1 for Y.
- 7 Press **Enter** to apply the change.

The Inputs.KEY signal is set to 1 for the duration of the test case.



8 Close the Signal Builder dialog box.

## Log Starting Test Case

The next step is to log the starting test case that you created. You can then specify that Simulink Design Verifier ignore the objectives satisfied by that test case when performing an analysis.

The sldvlogsignals function records the test case data in a MAT-file that contains an sldvData structure. This structure stores all the data that the software gathers and produces during the analysis.

To log the starting test cases:

Save the name of the Model block in the harness model that references the sldvdemo\_sbr\_extend\_design model:

[~, modelBlock] = find\_mdlrefs(harnessModel, false);

2 Simulate the model referenced by the Model block using the new test case, and log the input signals in the workspace variable loggeddata:

```
loggeddata = sldvlogsignals(modelBlock{1});
```

**3** Save the logged data in a MAT-file named existingtestcase.mat:

```
save('existingtestcase.mat', 'loggeddata');
```

You will specify this file when you analyze the sldvdemo\_sbr\_extend\_design model.

## **Extend Existing Test Cases**

You can now analyze the sldvdemo\_sbr\_extend\_design model and specify that the analysis extend the test cases already satisfied. The analysis uses the existing test-case data as a starting point, and does not try to generate test cases for the KEY\_OFF to KEY\_ON transition in the SBR Stateflow chart.

Specify the starting test case and analyze the model:

**1** Open the model.

open\_system('sldvdemo\_sbr\_extend\_design');

- 2 On the **Design Verifier** tab, click **Test Generation Settings**.
- 3 In the Configuration Parameters dialog box, on the **Test Generation** pane, under **Existing test** cases, select **Extend existing test cases**.
- 4 In the **Data file** field, enter the name of the MAT-file that contains the logged data:

existingtestcase.mat

5 Clear Ignore objectives satisfied by existing test cases.

When you clear this option, the software includes the starting test case in the final test suite. You will see that the complete test suite achieves 100% model coverage.

- 6 To close the Configuration Parameters dialog box, click OK.
- 7 Save the sldvdemo\_sbr\_extend\_design model on the MATLAB path with the name sldvdemo\_sbr\_extend\_design\_test.
- 8 Click Generate Tests.

The log window first lists the objectives that the starting test case satisfied.

| Simulink Design Verifier Results                                                                                                     | Summary: sldvdemo_sbr_extend_design_test | $\times$ |  |  |  |
|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|----------|--|--|--|
|                                                                                                                                      | _                                        |          |  |  |  |
| Progress                                                                                                                             | -                                        |          |  |  |  |
| Objectives processed                                                                                                                 | 2/37                                     |          |  |  |  |
| Satisfied<br>Unsatisfiable                                                                                                           | 2                                        |          |  |  |  |
| Elapsed time                                                                                                                         | 0:45                                     |          |  |  |  |
|                                                                                                                                      |                                          |          |  |  |  |
|                                                                                                                                      | 2                                        | ^        |  |  |  |
| 21-Nov-2018 17:33:20<br>Checking compatibility for test<br>'sldvdemo_sbr_extend_design                                               |                                          |          |  |  |  |
| Compiling modeldone<br>Building model representation.                                                                                |                                          |          |  |  |  |
| 21-Nov-2018 17:33:27<br>'sldvdemo_sbr_extend_design_test' is <b>compatible</b> for test generation with Simulink<br>Design Verifier. |                                          |          |  |  |  |
| Loading initial test data                                                                                                            |                                          |          |  |  |  |
| Generating tests using model r                                                                                                       | representation from 21-Nov-2018 17:33:27 |          |  |  |  |
| SATISFIED                                                                                                                            |                                          |          |  |  |  |
| Chart "SBR"<br>Substate executed State "KEY<br>Analysis Time = 00:00:43                                                              | _OFF"                                    |          |  |  |  |
| SATISFIED                                                                                                                            |                                          | ¥        |  |  |  |
|                                                                                                                                      | Disable Highlighting Sto                 | p        |  |  |  |

The log window then lists the objectives generated beyond the starting test case.

## **Verify Analysis Results**

To make sure that this analysis creates a complete test suite, generate the harness model so you can simulate the model with the generated test cases:

- 1 On the **Design Verifier** tab, in the **Review Results** section, click **Create Test Harness Model**.
- 2 In the harness model sldvdemo\_sbr\_extend\_design\_test\_harness, open the Signal Builder block named Inputs.
- 3 To simulate the model using all the test cases, click the **Run all and produce coverage** button

When the simulation is complete, the model coverage report is displayed.

4 View the coverage information for the sldvdemo\_sbr\_extend\_design\_test model to see that the complete test suite achieves 100% coverage.

| Summary                            |    |      |        |  |  |  |
|------------------------------------|----|------|--------|--|--|--|
| Model Hierarchy/Complexity:        |    |      | Test 1 |  |  |  |
|                                    |    |      | D1     |  |  |  |
| 1. sldvdemo sbr extend design test | 21 | 100% |        |  |  |  |
| 2 <u>SBR</u>                       | 20 | 100% |        |  |  |  |
| 3 <u>SF: SBR</u>                   | 19 | 100% |        |  |  |  |
| 4 <u>SF: KEY_ON</u>                | 13 | 100% |        |  |  |  |
| 5SF: SB_UNFASTEN                   | 8  | 100% |        |  |  |  |
| 6SF: HIGH SPEED                    | 4  | 100% |        |  |  |  |
|                                    |    |      |        |  |  |  |

## See Also

## **Related Examples**

"Component-Based Modeling with Model Reference"

## **More About**

- "When to Extend Existing Test Cases" on page 8-2
- "Extend Test Cases for Closed-Loop System" on page 8-10
- "Extend Test Cases for Modified Model" on page 8-15

## Extend Test Cases for Closed-Loop System

#### In this section...

"Log Starting Test Case" on page 8-10

"Extend Existing Test Cases" on page 8-12

Suppose that you have a model with a closed-loop controller in a model referenced by a Model block. You do not record 100% coverage for the referenced model. Extending existing test cases can help you achieve 100% coverage. The Simulink Design Verifier software adds time steps to the existing test cases when analyzing the controller implemented by the referenced model. The test cases that result from the analysis realistically reflect the continuous time behavior expected in the closed-loop controller.

A *closed-loop controller* passes instructions to the controlled system and receives information from the environment as the control instructions execute. The controller can adapt and change its instructions as it receives this information.

## Log Starting Test Case

This example uses the "Component-Based Modeling with Model Reference" example model sldemo\_mdlref\_basic.sldemo\_mdlref\_basic model. The CounterA Model block references the model sldemo\_mdlref\_counter. When you simulate the parent model, sldemo\_mdlref\_basic, and collect coverage, you record only 75% coverage for sldemo\_mdlref\_counter. Log the data from the simulation and extend those test cases to achieve 100% coverage for the referenced model.

1 Open the "Component-Based Modeling with Model Reference" example model sldemo\_mdlref\_basic.

openExample('sldemo\_mdlref\_basic')

2 On the **Apps** tab, click the arrow on the right of the **Apps** section.

Under Model Verification, Validation, and Test, click Coverage Analyzer.

- **3** On the **Coverage** tab, click **Settings**.
- 4 In the **Coverage** pane of the Configuration Parameters, select **Enable coverage analysis**.
- 5 Select Referenced Models.

Note that the analysis records coverage only for referenced models with **Simulation mode** set to Normal, SIL, or PIL. In sldemo\_mdlref\_basic, the CounterC Model block has **Simulation mode** set to Accelerator, so you cannot record coverage for it.

- 6 Under Coverage metrics, set the structural coverage level to Modified Condition Decision Coverage (MCDC) to record decision, condition, and modified condition/decision coverage.
- 7 Click OK.
- 8 Click Analyze Coverage.

To open the coverage report, in the **Review Results** section, click **Generate Report**.

When the simulation completes, the generated coverage report opens in a browser window. The report shows the following coverage results for the referenced model:

- Condition: 50% (2/4) condition outcomes
- Decision: 25% (1/4) decision outcomes
- MCDC: 0% (0/2) conditions reversed the outcome

The coverage results are also highlighted in the referenced model, sldemo\_mdlref\_counter. You can select individual model objects to view specific coverage results in the Coverage dialog box, as shown in the following screenshot.



**9** To log the input signals for the CounterA Model block in sldemo\_mdlref\_basic during simulation, at the MATLAB command prompt, enter the following code:

logged\_data = sldvlogsignals('sldemo\_mdlref\_basic/CounterA');

**10** Save the logged data in a MAT-file named existingtestcase.mat:

```
save('existingtestcase.mat', 'logged_data');
```

When you analyze the model referenced in CounterA (sldemo\_mdlref\_counter) to extend existing test cases, you specify this MAT-file.

## **Extend Existing Test Cases**

Analyze the sldemo\_mdfref\_counter model, specifying that the analysis extend the test cases already satisfied:

- 1 To open the sldemo\_mdfref\_counter model, in the sldemo\_mdlref\_basic model, doubleclick the CounterA Model block.
- 2 On the **Design Verifier** tab, click **Test Generation Settings**.
- **3** In the Configuration Parameters dialog box, on the **Test Generation** pane, in the **Model coverage objectives** box, select MCDC.
- 4 Under Advanced parameters, select Add tests for the missing coverage.
- 5 Select the **Extend using existing data** check box.
- 6 In **Coverage Data** field, specify the name of the MAT-file that contains the logged data, in this case, existingtestcase.mat
- 7 Click OK.
- 8 Click Generate Tests.

The analysis first loads the objectives satisfied by the logged test cases. Then it adds extra time steps to those test cases and tries to satisfy any missing objectives. When the analysis completes, the Simulink Design Verifier log window opens and indicates that all 12 objectives are satisfied.

**9** To view the analysis results on the model, in the Simulink Design Verifier log window, select **Highlight analysis results on model**.

The Simulink Design Verifier results are highlighted in the referenced model, sldemo\_mdlref\_counter. You can select individual model objects to view specific analysis
results in the Simulink Design Verifier Results dialog box, as shown in the following screenshot.



- **10** To verify the results of the analysis and review the generated test cases, in the Simulink Design Verifier log window, select **Generate detailed analysis report**.
- **11** To collect model coverage using the extended test suite, in the Simulink Design Verifier log window, select **Simulate tests and produce a model coverage report**.

When the simulation completes, the generated coverage report opens in a browser window. The report now shows the following coverage results for the referenced model sldemo mdlref counter:

- Condition: 100% (4/4) condition outcomes
- Decision: 100% (4/4) decision outcomes
- MCDC: 100% (2/2) conditions reversed the outcome

## See Also

### **Related Examples**

• "Component-Based Modeling with Model Reference"

## **More About**

- "When to Extend Existing Test Cases" on page 8-2
- "Extend Test Cases for Model with Temporal Logic" on page 8-4
- "Extend Test Cases for Modified Model" on page 8-15

## **Extend Test Cases for Modified Model**

## In this section...

"Create Starting Test Cases" on page 8-15 "Extend Existing Test Cases" on page 8-15

Suppose that you have a model that you have already analyzed using Simulink Design Verifier, and you modify the model. The original test suite may not record 100% coverage for the modified model. Reanalyze the modified model to make sure that it satisfies all the new test objectives. Instead of reanalyzing the entire model, you focus the new analysis on just the modified part of the model. In this way, you leverage the test cases created for the original model, extending them to satisfy any new objectives.

This example uses the sldvdemo\_cruise\_control model. You analyze the model and generate test cases. Then you analyze a modified version of that model, sldvdemo\_cruise\_control\_mod, extending the test cases from the original analysis. The analysis returns a complete test suite for the new model.

## **Create Starting Test Cases**

Analyze the sldvdemo\_cruise\_control model and generate test cases that achieve 100% coverage.

**1** Open the example model:

```
sldvdemo_cruise_control
```

2 To start a Simulink Design Verifier analysis for the sldvdemo\_cruise\_control model, doubleclick the Run Simulink Design Verifier block.



Run Simulink Design Verifier

The analysis satisfies 34 test objectives for the sldvdemo\_cruise\_control model. The software stores the resulting data file in a subfolder of the MATLAB Current Folder:

sldv\_output\sldvdemo\_cruise\_control\sldvdemo\_cruise\_control\_sldvdata.mat

In the next section, when you analyze the modified model, this data file specifies the starting test cases that you extend.

3 Close the sldvdemo\_cruise\_control model and all the files created by the analysis. If asked, do not save any changes you made to the model.

## **Extend Existing Test Cases**

The sldvdemo\_cruise\_control\_mod model is a modified version of sldvdemo\_cruise\_control. The Controller subsystem contains a Saturation block that specifies that the target speed cannot exceed 70.

Open the modified model and analyze it, extending the test cases that you generated when analyzing the sldvdemo\_cruise\_control model:

1 Open the example model, the modified version of sldvdemo\_cruise\_control:

sldvdemo\_cruise\_control\_mod

**2** Double-click the Controller subsystem to see the change to the original model, a Saturation block that specifies the maximum speed:



- **3** Close the Controller subsystem.
- 4 On the **Design Verifier** tab, click **Test Generation Settings**.
- 5 In the Configuration Parameters dialog box, on the **Test Generation** pane, under **Existing test** cases, select **Extend existing test cases**.
- 6 In the **Data file** field, click **Browse** and navigate to the MAT-file created in the MATLAB Current Folder when analyzing the original model:

sldv\_output\sldvdemo\_cruise\_control\sldvdemo\_cruise\_control\_sldvdata.mat

7 Clear Ignore objectives satisfied by existing test cases.

When you clear this option, the analysis includes the test cases recorded in the file sldvdemo\_cruise\_control\_sldvdata.mat in the final test suite.

- 8 Click **Apply** to save these settings.
- **9** To start the analysis, click **Generate Tests**.

The analysis first loads the 34 objectives satisfied by the initial test cases. Then it adds extra time steps to those test cases and tries to satisfy any missing objectives.

10 In the Results Summary window, click Generate detailed analysis report.

The analysis satisfied a total of 38 satisfied objectives for the sldvdemo\_cruise\_control\_mod model. The analysis satisfied four additional objectives that correspond to the Saturation block.

| Objectives Satisfied |              |                                |                                                                   |              |  |  |  |
|----------------------|--------------|--------------------------------|-------------------------------------------------------------------|--------------|--|--|--|
| Sin                  | nulink Desig | n Verifier found test cases th | at exercise these test objective                                  | es.          |  |  |  |
| #                    | Туре         | Model Item                     | Description                                                       | Test<br>Case |  |  |  |
| 1                    | Decision     | Controller/Switch1             | logical trigger input<br>false (output is from<br>3rd input port) | 3            |  |  |  |
| 2                    | Decision     | Controller/Switch1             | logical trigger input<br>true (output is from 1st<br>input port)  | 1            |  |  |  |
| 3                    | Decision     | Controller/Saturation          | input > lower limit F                                             | 1            |  |  |  |
| 4                    | Decision     | Controller/Saturation          | input > lower limit T                                             | 3            |  |  |  |
| 5                    | Decision     | Controller/Saturation          | input >= upper limit F                                            | 1            |  |  |  |
| 6                    | Decision     | Controller/Saturation          | input >= upper limit T                                            | 10           |  |  |  |

## See Also

## **More About**

- "When to Extend Existing Test Cases" on page 8-2
- "Extend Test Cases for Model with Temporal Logic" on page 8-4
- "Extend Test Cases for Closed-Loop System" on page 8-10

## **Create and Run Back-to-Back Tests Using Enhanced MCDC**

This example shows you how to create and run a back-to-back test using enhanced MCDC. Enhanced MCDC analyzes the detectability of each objective in the model and generates non-masking test cases for each objective. For more information, see "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42.

Back-to-back tests in Simulink® Test<sup>™</sup> compare the results of normal simulations with the generated code results from software-in-the-loop, processor-in-the-loop, or hardware-in-the-loop simulations.

#### Section 1: Prepare the Model

1. Open the model:

model = ('sldvSliceCruiseControl');
open\_system(model);



Copyright 2015 The MathWorks, Inc.

2. Prepare the model for code generation and logging.

```
set_param(model, 'ProdHWDeviceType', 'Intel->x86-64 (Linux 64)');
set_param(model, 'ProdLongLongMode', 'on');
set_param(model, 'SaveOutput', 'on');
set_param(model, 'SignalLogging', 'on');
set_param(model, 'SaveFormat', 'Dataset');
```

Note: You can also optionally mark internal signals in the model as test-pointed logged signals (for example, sldvSliceCruiseControl/CruiseControlMode/opMode/Switch,) so that these signals are prioritized as detection sites during the enhanced MCDC analysis. For more information, see "Configure Detection Sites using Test-pointed Logged Signals" on page 7-48.

3. Generate the code.

In the Apps tab, click Embedded Coder, and then click Generate Code.

Embedded coder generates the code generation report for model. Close the generated report window. Simulink Design Verifier uses information on logged signals from the generated code to configure the detection sites for enhanced MCDC. If you do not generate the code, Simulink Design Verifier uses the information on test-pointed logged signals from the model to configure the detection sites for enhanced MCDC.

## Section 2: Create Back-to-Back Tests Using Enhanced MCDC

Follow these steps to create back-to-back tests in the **Simulink Test** Test Manager:

1. To open the **Simulink Test** tab, in the **Apps** tab, in the **Model Verification, Validation, and Test** section, click **Simulink Test**.

2. To open the Test Manager, in the **Tests** tab, click **Simulink Test Manager**.

3. Click **New > Test for Model Component**. The Create Test for Model Component wizard opens.

4. To specify the **Top Model** to test, fill the fields by clicking the Use currently selected model component button next to the **Top Model** field.

| Create Test for Model Component <u>System</u> > Test Inputs > Verification Strategy > Generated Test |                                       |  |  |  |  |
|------------------------------------------------------------------------------------------------------|---------------------------------------|--|--|--|--|
| What is your Co                                                                                      | mponent Under Test (CUT)?             |  |  |  |  |
| Top Model:                                                                                           | sldvSliceCruiseControl                |  |  |  |  |
| Component:                                                                                           | Specify a valid block path (optional) |  |  |  |  |
| ✓ Create Te                                                                                          | est Harness for component             |  |  |  |  |

5. Click **Next** to specify how to use the Simulink Design Verifier to generate test inputs. Select **Use Design Verifier to generate test input scenarios**. This option runs the model and creates inputs using Simulink Design Verifier.



6. Click **Next** to select the testing method. Select **Perform back-to-back testing**. For **Simulation1**, select Normal. For **Simulation2**, select Software-in-the-Loop (SIL). Select **Set Model coverage objectives as Enhanced MCDC**.

| Create Test for Model Component                                                                                                                           |                                                                                     |  |  |  |  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|--|--|--|--|
| <u>System</u> > <u>Test</u>                                                                                                                               | nputs > Verification Strategy > Generated Test                                      |  |  |  |  |
| How do you wan                                                                                                                                            | t to test the component?                                                            |  |  |  |  |
| <ul> <li>Use component under test output as baseline<br/>Simulate the top model and record the outputs of the component to be used as baseline</li> </ul> |                                                                                     |  |  |  |  |
| Perform back-to<br>Set up a test to<br>Select simulation                                                                                                  | compare the component under test outputs in different simulation modes              |  |  |  |  |
| Simulation1:                                                                                                                                              | Normal                                                                              |  |  |  |  |
| Simulation2:                                                                                                                                              | Software-in-the-Loop (SIL)                                                          |  |  |  |  |
|                                                                                                                                                           | ✓ Set Model coverage objectives as Enhanced MCDC                                    |  |  |  |  |
| -                                                                                                                                                         | cation logic in the created harness<br>ogic will be automatically added to the test |  |  |  |  |

7. Click **Next** to specify the input source, format, and where to save the test data and generated tests. For **Specify the file format**, select MAT. For **Specify location to save test data**, use the default location name.

| Create Test for Model Component                                    |                                         |                |  |  |  |
|--------------------------------------------------------------------|-----------------------------------------|----------------|--|--|--|
| System > Test Inputs                                               | <u>s</u> > <u>Verification Strategy</u> | Generated Test |  |  |  |
| How do you want to sa                                              | ave the test data?                      |                |  |  |  |
| Select test harness input                                          |                                         |                |  |  |  |
| Inports                                                            | ▼ MAT                                   | -              |  |  |  |
| Specify location to save te                                        | est data:                               |                |  |  |  |
| sltest_sldvSliceCruiseC                                            | ontrol                                  |                |  |  |  |
| Where do you want to                                               | save the generated test(s)?             |                |  |  |  |
| Add tests to the currently selected test file.                     |                                         |                |  |  |  |
| <ul> <li>Create a new test file containing the test(s).</li> </ul> |                                         |                |  |  |  |
| Test File Location:                                                | sltest_sldvSliceCruiseControl_test      | s              |  |  |  |

8. Click **Done**. **Simulink Test** creates the test cases and closes the wizard.

## Section 3: Run Back-to-Back Tests

To run the back-to-back test, click **Run** in Simulink Test Manager.

#### Clean Up

To complete the example, close the model.

bdclose(model);

#### **Related Topics**

- "Create Back-to-Back Tests Using Enhanced MCDC" on page 16-20
- "Generate Tests and Test Harnesses for a Model or Components" (Simulink Test)

## Achieving Test Cases for Missing Model Coverage

- "Generate Test Cases for Missing Coverage Data" on page 9-2
- "Achieve Missing Coverage in Referenced Model" on page 9-3
- "Achieve Missing Coverage in Subsystems and Model Blocks" on page 9-10
- "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11
- "Analyze Coverage for Lookup Table Boundary Values" on page 9-14
- "Modified Condition and Decision Coverage in Simulink Design Verifier" on page 9-21
- "Achieve Coverage in Models with Variable-Size Inputs" on page 9-24

## **Generate Test Cases for Missing Coverage Data**

If you simulate your model and record coverage data, but your model does not achieve 100% coverage, Simulink Design Verifier can find test cases that achieve the missing coverage. The software targets the test-generation analysis for the part of the model that is missing coverage, ignoring the model coverage data that was recorded during simulation.

The following examples describe how to focus the test-generation analysis on a part of the model that did not achieve 100% coverage:

- "Achieve Missing Coverage in Referenced Model" on page 9-3
- "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11

## **Achieve Missing Coverage in Referenced Model**

If you simulate a referenced model that does not achieve full coverage, you can use Simulink Design Verifier to generate test cases that achieve full coverage. There are two approaches:

- Programmatically achieve missing coverage: Generate test cases for a referenced model with APIs for test-generation analysis.
- Incrementally increase coverage: Generate test cases for the test harness model with missing coverage analysis features.

## **Programmatically Achieve Missing Coverage in Referenced Model**

- "Record Coverage Data for Example Model" on page 9-3
- "Find Test Cases for the Missing Coverage" on page 9-4
- "Achieve Missing Coverage" on page 9-5
- "Verify Complete Model Coverage" on page 9-5

This example model uses a referenced model that does not achieve full coverage. When you run a test-generation analysis on the referenced model and combine it with previously recorded coverage data, you can achieve 100% coverage for the referenced model.

## **Record Coverage Data for Example Model**

Simulate the example model. Record condition, decision, and MCDC coverage.

1 Open the "Component-Based Modeling with Model Reference" example model sldemo\_mdlref\_basic.

```
openExample('sldemo_mdlref_basic');
```

The Model blocks CounterA, CounterB, and CounterC reference the model sldemo\_mdlref\_counter.

2 On the Apps tab, click the arrow on the right of the Apps section.

#### Under Model Verification, Validation, and Test, click Coverage Analyzer.

- **3** On the **Coverage** tab, click **Settings**.
- 4 On the **Coverage** pane of the Configuration Parameters dialog box, set the following options:
  - Select Enable coverage analysis.
  - Select Referenced Models.
  - Click **Select Models**. In the Select Models for Coverage Analysis dialog box, select the check box for the referenced model sldemo\_mdlref\_counter. Click **OK**.

The check box for sldemo\_mdlref\_counter becomes visible, corresponding to CounterA and CounterB. Coverage is not enabled for CounterC because the reference model CounterC is in Accelerator simulation mode.

- Specify which types of coverage to record during simulation. Under **Coverage metrics**, select **MCDC**.
- 5 In the **Coverage** > **Results** pane of the Configuration Parameters. Set the following options:

- Select **Save last run in workspace variable** to save the collected coverage data from the most recent simulation run in a variable in the MATLAB workspace.
- Select **Generate report automatically after analysis** to specify that the simulation create a coverage report.
- In the **cvdata object name** field, enter **covdata\_original** to specify a unique name for the coverage data workspace variable.

6 Click OK.

7 To record the coverage data, start the simulation of the sldemo\_mdlref\_basic model.

After the simulation, the coverage report opens. The report indicates that the following coverage is achieved for the referenced model sldemo\_mdlref\_counter:

- Decision: 25%
- Condition: 50%
- MCDC: 0%

The simulation saves the coverage data in the MATLAB workspace variable covdata\_original, a cvdata object that contains the coverage data.

**8** Save the coverage data in a file on the MATLAB path:

```
cvsave('existingcov', covdata_original);
```

Keep the model open as you continue through this example.

#### Find Test Cases for the Missing Coverage

To achieve 100% coverage for the sldemo\_mdlref\_counter model, run a test-generation analysis that uses the existing coverage data.

1 Open the referenced model. At the command line, enter:

open\_system('sldemo\_mdlref\_counter');

2 Create an sldvoptions object:

opts = sldvoptions;

When you create the sldvoptions object, specify:

- That the analysis ignores satisfied coverage data.
- The file name containing the satisfied coverage data (existingcov.cvt)

Enter the following commands to specify these options:

```
opts.IgnoreCovSatisfied = 'on';
opts.CoverageDataFile = 'existingcov.cvt';
```

3 Analyze the referenced model, sldemo\_mdlref\_counter, by using the specified options:

[status, fileNames] = sldvrun('sldemo\_mdlref\_counter',opts,true);

The Simulink Design Verifier analysis satisfies seven objectives and creates one test case for the referenced model.

The next procedure simulates the referenced model, sldemo\_mdlref\_counter, with the test case that the analysis created.

#### **Achieve Missing Coverage**

To achieve the missing coverage for the referenced model, sldemo\_mdlref\_counter, simulate the model by using the test case from the Simulink Design Verifier analysis.

**1** Open the referenced model. At the command line, enter:

open\_system('sldemo\_mdlref\_counter');

2 Create a cvtest object for the simulation and specify recording decision, condition, and MCDC coverage.

```
cvt = cvtest('sldemo_mdlref_counter');
cvt.settings.decision = 1;
cvt.settings.condition = 1;
cvt.settings.mcdc = 1;
```

3 Specify recording coverage and set the name of the cvtest object.

```
runOpts = sldvruntestopts;
runOpts.coverageEnabled = true;
runOpts.coverageSetting = cvt;
```

4 Simulate the model with the cvtest object, cvt, and the test case, as defined in fileNames.DataFile. Save the recorded coverage data in the workspace variable covdata\_missing.

[~, covdata\_missing] = sldvruntest('sldemo\_mdlref\_counter', fileNames.DataFile, runOpts);

#### Verify Complete Model Coverage

You saved the coverage data from the simulation of the top-level model, sldemo\_mdlref\_basic, in the workspace variable covdata\_original. To create a report that combines the coverage data from the top-level model with the missing coverage data from the referenced model, sldemo\_mdlref\_counter, enter the following command:

cvhtml('Coverage Summary', covdata\_original, covdata\_missing);

The report shows that by analyzing the referenced model and using those results to record coverage, you can achieve 100% decision, condition, and MCDC coverage.

#### Summary

| Model Hierarchy/Complex  | city: | Test 1 |      |     | Test 2 |      |      | Total |      |
|--------------------------|-------|--------|------|-----|--------|------|------|-------|------|
|                          | D1    | C1     | MCDC | D1  | C1     | MCDC | D1   | C1    | MCDC |
| 1. sldemo mdlref counter | 3 25% | 50%    | 0%   | 75% | 100%   | 0%   | 100% | 100%  | 100% |

## **Increase Coverage for Referenced Models in a Test Harness**

- "Generate Test Harness Model and Record Coverage Data" on page 9-6
- "Generate Test Cases for the Missing Coverage" on page 9-6
- "Update Simulink Design Verifier Analysis Options" on page 9-9
- "View Active Results for Missing Coverage Analysis" on page 9-9
- "Limitations" on page 9-9

You can incrementally achieve full coverage for a generated test harness model. This example shows how to first generate a test harness model that does not achieve full coverage. Next, it shows how to run missing coverage analysis on the test harness model to generate test cases for 100% coverage.

**Note** This approach supports only test harness models generated by Simulink Design Verifier that reference the input model. The **Design Verifier** app is not available for test harness models when the test unit is copied from the top model. For more information see, "Reference input model in generated harness" on page 15-60.

## Generate Test Harness Model and Record Coverage Data

To achieve full coverage for the sldemo\_mdlref\_counter model, run a missing coverage analysis on the Simulink Design Verifier generated harness model.

**1** Open the example model:

open\_system('sldemo\_mdlref\_counter');

2 Create a harness model for referenced model sldemo\_mdlref\_counter:

[savedHarnessFilePath] = sldvmakeharness('sldemo\_mdlref\_counter');

For more information about the harness model, see "Manage Simulink Design Verifier Harness Models" on page 13-13.

- 3 In the harness model sldemo\_mdlref\_counter\_harness, the Format parameter must be Dataset to make the referenced model sldemo\_mdlref\_counter and the harness model sldemo\_mdlref\_counter\_harness have the same parameter settings. For more information see, "Model Configuration Parameters: Data Import/Export".
- 4 Simulate the sldemo\_mdlref\_counter\_harness model to record the coverage achieved by the test cases in the harness model. After the simulation, the coverage report appears. The report indicates that the following coverage is achieved for sldemo\_mdlref\_counter:

## Summary

. . . . .

| Model Hierarchy/Complexity Test I |          |           |      |           |                     |  |  |  |
|-----------------------------------|----------|-----------|------|-----------|---------------------|--|--|--|
|                                   | Decision | Condition | MCDC | Execution | Relational Boundary |  |  |  |
| 1. <u>sldemo_mdlref_counter</u>   | 3 25% 💻  | 50%       | 0%   | 86%       | 50%                 |  |  |  |

#### Generate Test Cases for the Missing Coverage

. . . . . . .

**1** Open the harness model:

. .....

open\_system('sldemo\_mdlref\_counter\_harness');

To generate test cases for the missing coverage, on the **Design Verifier** tab, click **Add Missing Coverage**. A notification indicates the number of new tests that are added.



2 The Signal Builder dialog box shows the **Missing coverage test case 1** added to the previous **Test Case 1**.

| ile E    | dit G    | roup   | Sign    | al    | Axes   | Hel   | р   |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|----------|----------|--------|---------|-------|--------|-------|-----|----|----------|-------|--------|-------------|--------|---------|-------|------|-------------|----------|---|----------|----|
| F 🔛      | 光目       | • 6    | l in    | Cil   | -      | г.    | n.  |    | <b>₫</b> | ið t  | đ 🛛    | •           | Ш      |         | all   | 1    | <b>&gt;</b> | *        |   |          |    |
| ctive 0  | Group:   | Test   | Case    | 1     |        |       |     |    |          |       |        |             |        |         |       |      |             | -        | 0 |          |    |
|          |          |        | t Case  |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| 1        | Г        | Mise   | sing co | verag | e test | case  | 1   |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|          | u        | oper   |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| 0        |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          | _  |
|          | 1        |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|          |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| -1<br>1  |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|          |          | put    |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|          |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| C        | )        |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
|          |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| -1       |          |        |         |       | 1      |       | -   |    |          |       |        |             |        |         |       | I    |             | -        |   | 1        |    |
| 1        |          | ver    |         |       |        |       |     |    |          |       |        |             | T      |         |       |      |             |          |   |          |    |
|          |          | vei    |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| C        | )        |        |         |       |        |       | +   |    | -        |       |        |             | -      |         |       |      |             |          |   |          |    |
|          |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             |          |   |          |    |
| -1       |          |        |         |       |        |       |     |    |          |       |        |             |        |         |       |      |             | <u> </u> |   | <u> </u> |    |
|          | 0        | 0.0    | )2      | 0.    | 04     | 0     | .06 |    | 0.08     |       | 0.1    |             | 0.12   | -       | 0.    | 14   | 0           | .16      | 0 | .18      | 0. |
|          |          |        |         |       | 1 - 0  | Dein  |     |    | Diebé    |       | ne (se | -           | pper   |         |       |      |             |          |   |          |    |
|          |          |        |         | 1     |        | Point | L   |    | Right    | Point |        | 🗹 ir        | nput   |         |       |      |             |          |   |          |    |
| lame:    | <u> </u> | 1      |         | T:    |        |       |     | T: |          |       |        | <b>₽</b> 10 | wer    |         |       |      |             |          |   |          |    |
| ndex:    | 1        | •      |         | Y:    |        |       |     | Y: |          |       |        |             |        |         |       |      |             |          |   |          |    |
| ick to s | elect, S | hift+r | lick to | bhc   |        |       |     |    |          |       |        |             | oor (# | €4.). Γ | VIIIa | YMax | /1          |          |   |          |    |

#### 3

In the Signal Builder dialog box, click **Run all**. The software simulates the harness model by using all the test cases, collects model coverage information, and displays a coverage report. The coverage report indicates that the missing coverage analysis records 100% coverage for sldemo\_mdlref\_counter.

## Summary

#### Model Hierarchy/Complexity Test 1

|                          | Decision | Condition | MCDC | Execution | Relational Boundary |
|--------------------------|----------|-----------|------|-----------|---------------------|
| 1. sldemo_mdlref_counter | 3 100%   | 100%      | 100% | 100%      | 50%                 |

## **Update Simulink Design Verifier Analysis Options**

**1** Open the harness model.

open\_system('sldemo\_mdlref\_counter\_harness');

On the **Design Verifier** tab, click **Test Generation Settings**. The Configuration Parameters dialog box for referenced model sldemo\_mdlref\_counter opens. You can set design verifier options for missing coverage analysis. For more information see, "Options in Configuration Parameters Dialog Box" on page 15-2.

## View Active Results for Missing Coverage Analysis

**1** Open the referenced model.

open\_system('sldemo\_mdlref\_counter');

On the **Design Verifier** tab, in the **Review Results** section, click **Load Earlier Results**. Browse to the previously generated data file and click **Open**.

To view active results for missing coverage test cases, click **Results Summary**. The Results Summary window opens with the missing coverage analysis results. For more information on active results, see "Review Analysis Results" on page 13-57. The missing coverage test cases data is stored in a MAT-file that contains a structure named sldvData. For more information see, "Generate sldvData Structure" on page 13-7.

#### Limitations

- **1** Missing Coverage analysis is a user interface-based workflow. Command-line functions are not available for Missing Coverage analysis.
- **2** Constraining values for parameters is not supported in the Missing Coverage analysis workflow. For more information see, "Use Parameter Table" on page 5-7.

## See Also

## **More About**

- "Generate Test Cases for Missing Coverage Data" on page 9-2
- "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11

## Achieve Missing Coverage in Subsystems and Model Blocks

If your model has a Subsystem block that does not achieve full coverage, you can convert it to model referenced in a Model block. "Convert Subsystems to Referenced Models" describes how to convert a subsystem to a referenced model. You can then follow the steps described in "Achieve Missing Coverage in Referenced Model" on page 9-3.

You cannot convert some subsystems to Model blocks. To test a subsystem to see if you can convert it to a Model block, use the Simulink.SubSystem.convertToModelReference function. If that function cannot convert the subsystem, an error message describes why the conversion failed.

It is possible that you have a Stateflow chart or a MATLAB Function block that does not achieve full coverage. You cannot convert Stateflow charts and MATLAB Function blocks to referenced models.

When you cannot use a Model block, follow the steps described in "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11.

## See Also

## **More About**

- "Achieve Missing Coverage in Referenced Model" on page 9-3
- "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11

## Achieve Missing Coverage in Closed-Loop Simulation Model

#### In this section...

"Record Coverage Data for the Model" on page 9-11 "Find Test Cases for Missing Coverage" on page 9-12

If you have a subsystem or a Stateflow chart that does not achieve 100% coverage, and you do not want to convert the subsystem or chart to a Model block, follow this example to achieve full coverage.

The example uses a closed-loop controller model. A *closed-loop controller* passes instructions to the controlled system and receives information from the environment as the control instructions are executed. The controller can adapt and change its instructions as it receives this information.

The sldvdemo\_autotrans model is a closed-loop simulation model. The ShiftLogic Stateflow chart represents the controller part of this model. Test cases designed in the ManeuversGUI Signal Builder block drive the closed-loop simulation.

## **Record Coverage Data for the Model**

To simulate the model, recording condition, decision, and MCDC coverage for the ShiftLogic controller:

**1** Open the example model:

sldvdemo\_autotrans

2 On the **Apps** tab, click the arrow on the right of the **Apps** section.

Under Model Verification, Validation, and Test, click Coverage Analyzer.

- **3** On the **Coverage** tab, click **Settings**.
- 4 On the **Coverage** pane in the Configuration Parameters dialog box. set the following options:
  - Select Enable coverage analysis.
  - Select Subsystem and click Select Subsystem.
  - In the Subsystem Selection dialog box, select ShiftLogic and click OK.
- 5 Under Coverage metrics, select Modified Condition Decision Coverage (MCDC).
- 6 Clear the **Other metrics** if they are selected.
- 7 In the **Coverage** > **Results** pane of the Configuration Parameters dialog box, set the following options:
  - In the **cvdata object name** field, enter **covdata\_original\_controller** to specify a unique name for the coverage data workspace variable.
  - Select Generate report automatically after analysis.
- 8 Click OK.
- 9 Start the simulation of the sldvdemo\_autotrans model to record the coverage data.

After the simulation, the coverage report opens. The report indicates that the following coverage is achieved for the ShiftLogic Stateflow chart:

- Decision: 87% (27/31)
- Condition: 67% (8/12)
- MCDC: 33% (2/6) conditions reversed the outcome

The simulation saves the coverage data in the MATLAB workspace variable covdata\_original\_controller, a cvtest object that contains the coverage data.

**10** Save the coverage data in a file on the MATLAB path:

```
cvsave('existingcov',covdata_original_controller);
```

## Find Test Cases for Missing Coverage

To find the missing coverage for the ShiftLogic chart, run a subsystem analysis on that block. Use this technique to focus your analysis on an individual part of the model.

To achieve 100% coverage for the ShiftLogic controller, run a test-generation analysis that uses the existing coverage data.

- 1 Right-click the ShiftLogic block and select **Design Verifier > Options**.
- 2 In the Configuration Parameters dialog box, under the **Select** tree, choose the **Design Verifier** node. Under **Analysis options** in the **Mode** field, select **Test** generation.
- **3** Under the **Design Verifier** node, select **Test Generation**. Under **Existing coverage data**, select **Ignore objectives satisfied in existing coverage data**.
- 4 In the **Coverage data file** field, enter the name of the file containing the coverage data that you recorded during simulation:

existingcov.cvt

- **5** Click **Apply** to save these settings.
- 6 Under the **Select** tree, click **Design Verifier**.
- 7 On the main **Design Verifier** pane, click **Generate Tests**.

The analysis extracts the Stateflow chart into a new model named ShiftLogic0. The analysis analyzes the new model, ignoring the coverage objectives previously satisfied and recorded in the existingcov.cvt file.

8 When the test-generation analysis is complete, in the Simulink Design Verifier log window, select Simulate tests and produce a model coverage report.

The report indicates that the following coverage is achieved for the ShiftLogic chart in simulation with the test cases generated by Simulink Design Verifier:

- Decision: 84% (26/31)
- Condition: 83% (10/12)
- MCDC: 67% (4/6) conditions reversed the outcome

The Simulink Design Verifier report lists six test cases for the extracted model that satisfy the objectives not covered in the existingcov.cvt file.

The Simulink Design Verifier report indicates that two coverage objectives in the Stateflow chart ShiftLogic are proven unsatisfiable. The implicit event tick is never false because the

ShiftLogic chart is updated at every time step. The analysis cannot satisfy condition or MCDC coverage for either instance of the temporal event after(TWAIT, tick).

after(TWAIT, tick) is semantically equivalent to
Event == tick && temporalCount(tick) >= TWAIT
If you move after(TWAIT, tick) into the condition, as in
[after(TWAIT, tick) && speed < down\_th]
Simulink Design Verifier determines that tick is always true of
</pre>

Simulink Design Verifier determines that tick is always true, so it only tests the
temporalCount(tick) >= TWAIT part of after(TWAIT, tick). The analysis is able to find
test objectives that satisfy condition and MCDC coverage for after(TWAIT, tick).

## See Also

## **More About**

- "Generate Test Cases for Missing Coverage Data" on page 9-2
- "Achieve Missing Coverage in Referenced Model" on page 9-3

## **Analyze Coverage for Lookup Table Boundary Values**

Lookup tables are standard block sets that approximate functions. Simulink Coverage defines the coverage of lookup tables by checking if all grid points defined by breakpoints are covered or satisfied during simulation. For more information, see "N-Dimensional Lookup Table" (Simulink Coverage).

You can leverage Simulink Design Verifier to generate tests that hit the boundary values of a lookup table. The minimum and maximum breakpoints for each dimension, also known as the *corner points*, define the boundaries of the lookup table. Achieving such coverage is a common use case in the aerospace and automotive domains.

| Breakpoints Column |         | (1) | (2) | (3) |  |  |
|--------------------|---------|-----|-----|-----|--|--|
| Row                | <b></b> | 1   | 2   | 3   |  |  |
| (1)                | 10      | 1   | 2   | 3   |  |  |
| (2)                | 20      | 4   | 5   | 6   |  |  |
| (3)                | 30      | 7   | 8   | 9   |  |  |

Consider this two-dimensional lookup table:

The breakpoints that represent corner points are:

Dimension 1 : 10, 30 Dimension 2: 1, 3

The breakpoints that represent the boundaries of this lookup table are (10, 1), (10, 3), (30, 1), and (30,3). The tests corresponding to the lookup table boundary satisfy the following coverage metrics:

Corner 1: Input 1 < 10, Input2 < 1 Corner 2: Input 1 < 10, Input2 > 3 Corner 3: Input 1 > 30, Input2 < 1 Corner 4: Input 1 > 30, Input2 > 3

This example leverages block replacement framework provided by Simulink Design Verifier to generate tests.

Consider the controller unit (control logic) and the fault approximation unit (Sensor correction and Fault Redundancy) as shown:



- control logic: The control logic statechart checks for the normal and failure modes of throttle, speed, and manifold absolute pressure (MAP).
- Sensor correction and Fault Redundancy: If there is a failure in the throttle, speed, and MAP values, the subsystem Sensor correction and Fault Redundancy approximates their values by using these tables:



• Throttle Estimate: The lookup table Thrott Estimation Table (2-D) estimates the throttle position based on the values of speed and pressure.

- Speed Estimate: The lookup table Speed Table (2-D) estimates the speed based on the estimated value of throttle position and pressure.
- MAP Estimate: The lookup table Pressure Estimate (2-D) estimates the MAP based on the estimated value of speed and throttle.

Simulink Design Verifier generates boundary value coverage tests for each of these lookup tables. To describe the results, consider lookup table defined for Throttle Estimate as shown:



- Throttle estimation lookup table uses speed (Sensor index '2') and manifold pressure (Sensor index '4') sensor values as inputs.
- The lookup table has 19 breakpoints for pressure with 0.05....0.95 as corner points, and 18 breakpoints for speed with 50....le3 as corner points.

The corner points for this lookup table are:

Breakpoints 1 (speedVect): 50,1000 Breakpoints 2 (press): 0.05,0.95

The generated tests attempt to hit the boundary points highlighted in the table. The tests require these breakpoint combinations to cover the boundary values.

**Note** The Engine Speed and MAP inputs are inputs to the breakpoints speedVect and press, respectively.

Corner 1: Engine Speed < 50, MAP < 0.05 Corner 2: Engine Speed < 50, MAP > 0.95 Corner 3: Engine Speed > 1000, MAP < 0.05 Corner 4: Engine Speed > 1000, MAP > 0.95

The replacement rule, InstrumentLUTForCornerValueCoverage is shipped with the example mentioned here.

## Generate Tests for Lookup Table Boundary Values

This example shows how to generate tests for lookup table boundary value coverage.



## **Open the Model**

open\_system('sldvdemo\_fuelsys\_lookup\_corner\_value\_coverage');

## **Specify the Analysis Options**

To specify the analysis options:

- 1. In the Apps tab, click Coverage Analyzer.
- 2. In the Coverage tab, click Settings to open the Configuration Parameters window.
- 3. Expand Other metrics, then select the Lookup table option. Click OK.
- 4. In the left pane, click **Block Replacements**. Select **Apply block replacements**.

5. In **List of block replacement rules (in order of priority)**, specify the rule as InstrumentLUTForCornerValueCoverage. Click **OK**.

6. In the **Test Generation** pane, set **Model Coverage Objectives** to None.

Note: Because the test generation settings, **Test conditions** and **Test Objectives** are enabled, Simulink Design Verifier generates tests for the custom test objectives defined in the block replacement rule.

#### **Perform Analysis**

To generate tests only for the custom test objectives for the lookup table:

1. In the **Design Verifier** tab, click **Generate Tests**.

2. To view the coverage results, click the **Simulate Tests and produce a model coverage report** link.

#### **Review Results**

After simulating the test cases and generating a coverage report, the top left and right corners are covered while the bottom left and right corners are uncovered.

#### 6. SubSystem block "<u>Throttle Estimate</u>"

| Justify or Exclude                       |                                      |                                                                        |
|------------------------------------------|--------------------------------------|------------------------------------------------------------------------|
| Parent: <u>sldv</u>                      | <u> /demo_fuelsys_lookup_corner_</u> | value_coverage/Fault Correction/Sensor correction and Fault Redundancy |
| Metric                                   | Coverage (this object)               | Coverage (inc. descendants)                                            |
| Cyclomatic Complexity                    | 2                                    | 2                                                                      |
| Lookup Table                             | NA                                   | 2% (7/380) interpolation/extrapolation intervals                       |
| Execution                                | NA                                   | 100% (1/1) objective outcomes                                          |
| Lookup_n-D block " <u>Thrott Estimat</u> | <u>ion Table (2-D)</u> "             |                                                                        |
|                                          |                                      |                                                                        |

#### Justify or Exclude

| Parent:          | sldvdemo_fuelsys_lookup_corner_value_coverage/Fault Correction/Sensor correction and Fault Redundancy/Throttle Estimate |
|------------------|-------------------------------------------------------------------------------------------------------------------------|
| Uncovered Links: | •                                                                                                                       |
|                  |                                                                                                                         |

| Metric                | Coverage                                         |
|-----------------------|--------------------------------------------------|
| Cyclomatic Complexity | 0                                                |
| Lookup Table          | 2% (7/380) interpolation/extrapolation intervals |
| Execution             | 100% (1/1) objective outcomes                    |

#### Look-up Table Details



The status of the test objectives associated with the 'Thrott Estimation Table (2-D)' Lookup table:

#### Status: Objectives Satisfied

#### Summary

Length: 0.24 second (25 sample periods) Objectives Satisfied: 4

#### Objectives

| Step | Time | Model Item                                                                                                                                                                                            | Objectives                                                                                                                                                                        |
|------|------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 4    | 0.03 | Fault Correction/Sensor correction and Fault Redundancy/Throttle Estimate/Thrott Estimation Table (2-<br>D)/MATLAB Function. Defined by block replacement rule 'InstrumentLUTForCornerValueCoverage', | $9. sldv.test(u \leq BreakpointsForDimension1(1) \&\& \ v \leq BreakpointsForDimension2(1))$                                                                                      |
| 11   |      | Fault Correction/Sensor correction and Fault Redundancy/Speed Estimate/Speed Table (2-D)/MATLAB<br>Function. Defined by block replacement rule 'InstrumentLUTForCornerValueCoverage'.                 | $\underline{6. sldv.test} (\underline{n} \geq \underline{BreakpointsForDimension1} (\underline{end}) \underline{\&} \underline{v} \leq \underline{BreakpointsForDimension2} (1))$ |
| 22   | 0.21 | Fault Correction/Sensor correction and Fault Redundancy/Throttle Estimate/Thrott Estimation Table (2-<br>D)/MATLAB Function. Defined by block replacement rule InstrumentLUTForCornerValueCoverage,   | $\underline{11. sldv.test} (\underline{u} \leq BreakpointsForDimension1(\underline{1}) \& \underline{w} \geq BreakpointsForDimension2(\underline{end})).$                         |
| 25   |      | Fault Correction/Sensor correction and Fault Redundancy/MAP Estimate/Pressure Estimate (2-<br>D)/MATLAB Function. Defined by block replacement rule 'InstrumentLUTForCornerValueCoverage',            | $\underline{3. sldv.test}(\underline{u} \leq \underline{BreakpointsForDimension1(1) \&\& \ v \geq \underline{BreakpointsForDimension2(end)})$                                     |

#### Generated Input Data

| Time         | 0-0.02   | 0.03-0.04 | 0.05 | 0.06-0.07 | 0.08-0.09 | 0.1-0.11 | 0.12-0.13 | 0.14-0.15 | 0.16-0.18 | 0.19-0.2 | 0.21-0.22 | 0.23     | 0.24 |
|--------------|----------|-----------|------|-----------|-----------|----------|-----------|-----------|-----------|----------|-----------|----------|------|
| Step         | 1-3      | 4-5       | 6    | 7-8       | 9-10      | 11-12    | 13-14     | 15-16     | 17-19     | 20-21    | 22-23     | 24       | 25   |
| Throttle     | 102.5913 | 0         | 0    | 4         | 0         | 120      | 46.9065   | 3         | 3         | 114.8857 | 0         | 1.052    | 120  |
| Engine Speed | 758.0162 | 0         | 1000 | 0         | 0         | 0        | 171.8017  | 1000      | 1         | 534.8037 | 0.05      | 302.5962 | 1    |
| EGO          | 7.4011   | 0         | 0    | 0         | 0         | 0        | 6.866     | 0         | 0         | 10.6192  | 0         | 0.91743  | 0    |
| MAP          | 1.0093   | 0         | 0    | 0         | 0.5005    | 0.001    | 0.37509   | 0.001     | 0.001     | 0.61965  | 1         | 1.3732   | 0    |

From the above figure:

**LUT Boundary:** Engine Speed < 50, MAP < 0.05

Corner: Top Left

Analysis: This objectives is satisfied at time 0.03 (Step 4).

LUT Boundary: Engine Speed < 50, MAP > 0.95

Corner: Top Right

Analysis: This objectives is satisfied at time 0.21 (Step 22).

Status: Objectives Unsatisfiable

#### 3.2. Objectives Unsatisfiable

Simulink Design Verifier proved these test objectives to be unreachable by any test case. This often indicates the presence of dead logic in the model. This can be a side effect of parameter configurations or minimum and maximum constraints specified on inputs. In Test Generation, this can also be a result of constraints resulting from Test Condition blocks.

| #  | Туре           | Model Item                                                                                                                                                                                              | Description                                                                          | Analysis Time (sec) |
|----|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------|---------------------|
| 1  | Test objective | Fault Correction/Sensor correction and Fault Redundancy/MAP<br>Estimate/Pressure Estimate (2-D)/MATLAB Function. Defined by block<br>replacement rule 'InstrumentLUTForCornerValueCoverage'.            | sldv.test(u < BreakpointsForDimension1(1) && v <<br>BreakpointsForDimension2(1))     | 17                  |
| 2  | Test objective | Fault Correction/Sensor correction and Fault Redundancy/MAP<br>Estimate/Pressure Estimate (2-D)/MATLAB Function. Defined by block<br>replacement rule 'InstrumentLUTForCornerValueCoverage'.            | sldv.test(u > BreakpointsForDimension1(end) && v <<br>BreakpointsForDimension2(1))   | 17                  |
| 4  | Test objective | Fault Correction/Sensor correction and Fault Redundancy/MAP<br>Estimate/Pressure Estimate (2-D)/MATLAB Function. Defined by block<br>replacement rule 'InstrumentLUTForCornerValueCoverage'.            | sldv.test(u > BreakpointsForDimension1(end) && v ><br>BreakpointsForDimension2(end)) | 17                  |
| 5  | Test objective | Fault Correction/Sensor correction and Fault Redundancy/Speed Estimate/Speed<br>Table (2-D)/MATLAB Function. Defined by block replacement rule<br>Instrument/UTForCornerValueCoverage.                  | sldv.test(u < BreakpointsForDimension1(1) && v <<br>BreakpointsForDimension2(1))     | 17                  |
| 7  | Test objective | Fault Correction/Sensor correction and Fault Redundancy/Speed Estimate/Speed<br>Table (2:D) (MATLAB Function. Defined by block replacement rule<br>InstrumentLUTForCornerValueCoverage_                 | sldv.test(u < BreakpointsForDimension1(1) && v ><br>BreakpointsForDimension2(end))   | 17                  |
| 10 | Test objective | Fault Correction/Sensor correction and Fault Redundancy/Throttle<br>Estimate/Thrott Estimation Table (2-D)/MATLAB Function. Defined by block<br>replacement rule 'InstrumentLUTForCornerValueCoverage'. | sldv.test(u > BreakpointsForDimension1(end) && v <<br>BreakpointsForDimension2(1))   | 17                  |
| 12 | Test objective | Fault Correction/Sensor correction and Fault Redundancy/Throttle<br>Estimate:Thrott Estimation Table (2-D)/MATLAB Function, Defined by block<br>replacement rule 'Instrument/UTForCornerValueCoverage', | sldv.test(u > BreakpointsForDimension1(end) && v ><br>BreakpointsForDimension2(end)) | 17                  |

From the above figure:

#### LUT Boundary: Engine Speed > 1000, MAP < 0.05

**Corner:** Bottom Left

**Analysis:** In the **Control logic** statechart, the input speed has the following values:

Minimum speed: 0 Maximum Speed: 1000

The statechart input speed is directly connected to the root inport Engine Speed. Hence, the same range constraints are applied to it. Due to these min/max constraints, the value of **Engine Speed** can never be set to a value >1000, hence this test objective becomes unsatisfiable.

**LUT Boundary:** Engine Speed > 1000, MAP > 0.95

**Corner:** Bottom Right

**Analysis:** The value of 'Engine Speed' can never be set to a value >1000, hence this test objective becomes unsatisfiable.

#### Clean Up

To complete the example, close the model.

close\_system('sldvdemo\_fuelsys\_lookup\_corner\_value\_coverage',0);

# Modified Condition and Decision Coverage in Simulink Design Verifier

Depending on the settings you apply for Simulink Coverage coverage recording, there can be a difference between the definition of modified condition and decision (MCDC) coverage used for model coverage analysis in Simulink Coverage and the definition used for test case generation analysis in Simulink Design Verifier.

## MCDC Definitions for Simulink Coverage and Simulink Design Verifier

Simulink Design Verifier and Simulink Coverage represent MCDC objectives in two different ways:

- Simulink Coverage treats each condition of a logical expression as an MCDC objective.
- Simulink Design Verifier treats the true and false halves of each independence pair as separate MCDC objectives.

The Simulink Design Verifier Results window shows **Justified** for any justified MCDC objectives. Click on the corresponding **View** link to see the filter rule in the Simulink Design Verifier Analysis Filter window.

Unsatisfiable or undecided MCDC objectives include a **Justify** link. Click on this link to create a corresponding filter rule. Because every MCDC objective in Simulink Coverage corresponds to two MCDC objectives in Simulink Design Verifier, the Simulink Design Verifier MCDC objectives are justified in pairs.

For example, in the image below, when you click on the **Justify** link for the MCDC expression expression for output with input port 4 **false**, creates a filter rule that justifies this MCDC objective as well as the MCDC objective for when that expression is **true**.

| Þ                                                                                                      | Results: mMCDC_covfilt_tg                  |                                    | -         |             |      |                            |                             |                                |                   |               |
|--------------------------------------------------------------------------------------------------------|--------------------------------------------|------------------------------------|-----------|-------------|------|----------------------------|-----------------------------|--------------------------------|-------------------|---------------|
| 4                                                                                                      | ightarrow  ightarrow  ightarrow            |                                    |           | v 🗹         | 2    |                            |                             |                                |                   |               |
| Back to summary                                                                                        |                                            |                                    |           |             |      | Analysis Filter: myModel   |                             |                                |                   | - 🗆 X         |
| mMCDC_covfilt_tg/AND_block                                                                             |                                            |                                    |           |             |      |                            |                             |                                |                   |               |
| Possible causes for dead logic:                                                                        |                                            |                                    |           |             |      | Model                      |                             |                                |                   |               |
| This block is treated as short-circuiting during analysis. For more information, see<br>documentation. |                                            |                                    |           |             | Name | Туре                       | Mode                        | Rationale                      |                   |               |
|                                                                                                        | Condition Objectives                       |                                    |           |             |      | insultant 2 subserve of    |                             | 2                              | and a strange     |               |
|                                                                                                        | Logic: input port 1 true Satisfied         | - View test case                   |           |             |      | input port 2 outcome of    | by MCDC outcome             | Justified                      | some rationale    |               |
|                                                                                                        | Logic: input port 1 false Satisfied        | - View test case                   |           |             |      | input port 3 outcome of    | by MCDC outcome             | Justified                      | another rationale | Remove rule   |
|                                                                                                        | Logic: input port 2 true Satisfied         | <ul> <li>View test case</li> </ul> |           |             |      |                            | - /                         |                                |                   | ricinove raie |
|                                                                                                        | Logic: input port 2 false Satisfied        | <ul> <li>View test case</li> </ul> |           |             |      |                            |                             |                                |                   | View in model |
|                                                                                                        | Logic: input port 3 true Satisfied         | <ul> <li>View test case</li> </ul> |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | Logic: input port 3 false Satisfied        | <ul> <li>View test case</li> </ul> |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | Logic: input port 4 true Satisfied         | <ul> <li>View test case</li> </ul> |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | Logic: input port 4 false Unsatisfiabl     | e <u>Justify</u>                   |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | MCDC Objectives                            |                                    |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | expression for output with input port 1 tr | e Satisfied                        | - View te | est case    |      | Selected rule input port 2 | 2 outcome of expression for | r output in Logic block "AND_b | lock1"            |               |
|                                                                                                        | expression for output with input port 1 fa | se Satisfied                       | - View te | est case    |      |                            |                             |                                |                   |               |
|                                                                                                        | expression for output with input port 4 tr | e Satisfied                        | - View te | est case    |      | Filename: S                | `mcdcFilter\mcdcFilter.cvf  |                                |                   |               |
| expression for output with input port 4 false Unsatisfiable Justify                                    |                                            |                                    |           | Save filter |      |                            |                             |                                |                   |               |
| expression for output with input port 2 true Justified View                                            |                                            |                                    |           |             |      |                            |                             |                                |                   |               |
| expression for output with input port 2 false Justified View                                           |                                            |                                    |           | Load filter |      |                            |                             |                                |                   |               |
| expression for output with input port 3 true Justified View                                            |                                            |                                    |           |             |      |                            |                             |                                |                   |               |
|                                                                                                        | expression for output with input port 3 fa | se Justified                       | View      |             |      |                            |                             |                                |                   |               |
|                                                                                                        |                                            |                                    |           |             |      |                            |                             |                                |                   |               |

Simulink Design Verifier always uses the masking MCDC definition for test case generation. By default, Simulink Coverage also uses the masking MCDC definition when recording coverage. However, if you set the CovMcdcMode model configuration parameter to 'UniqueCause', Simulink Coverage instead uses the unique-cause MCDC definition when recording coverage. For information

on the differences between the masking MCDC definition and the unique-cause MCDC definition, see "Modified Condition and Decision Coverage (MCDC) Definitions in Simulink Coverage" (Simulink Coverage).

Setting the CovMcdcMode model configuration parameter to 'UniqueCause' can result in differences between MCDC reporting in Simulink Coverage and test generation in Simulink Design Verifier. An example of this difference can be seen in analysis results for logical expressions containing a mixture of AND and OR operators, as in this Stateflow transition.



Given that A, B, and C are each separate inputs, there are five possible ways to evaluate the condition on the Stateflow transition, shown in the following table.

|   | Α | В | С | (A && B)    C |
|---|---|---|---|---------------|
| 1 | F | X | F | F             |
| 2 | F | x | Т | Т             |
| 3 | Т | F | F | F             |
| 4 | Т | F | Т | Т             |
| 5 | Т | Т | Х | Т             |

Satisfying MCDC for a Boolean variable requires a pair of condition evaluations, showing that a change in that variable alone changes the evaluation of the entire expression. In this example, MCDC can be satisfied for C with either the pair 1, 2 or the pair 3, 4. In both of those cases, the value of the expression changed because the value of C changed, while all other variable values stayed the same.

Each pair has a different set of values for A and B which are held constant, but each pair contains one evaluation where C and out are true and one evaluation where C and out are false. To satisfy MCDC for C, Simulink Design Verifier test generation analysis accepts any pair containing one evaluation of true values and one evaluation of false values for C and out. In this example, Simulink Design Verifier test generation analysis accepts any pair 1, 2 and pair 3, 4 but also pair 1, 4 and pair 2, 3. Simulink Coverage model coverage analysis using the unique-cause MCDC definition is satisfied only by pair 1, 2 or by pair 3, 4.

The preceding example assumes that A, B, and C are all separate inputs. When input A is constrained to be the same value as C, as in this model, only a subset of condition evaluations are possible.



This subset of condition evaluations for the Stateflow transition is shown in the following table.

|   | Α | В | С | (A && B)    C |
|---|---|---|---|---------------|
| 1 | F | x | F | F             |
| 4 | Т | F | Т | Т             |
| 5 | Т | Т | X | Т             |

Evaluations 2 and 3 are no longer possible, so neither pair 1, 2 nor pair 3, 4 is possible. As a result, unique-cause MCDC for C can no longer be satisfied in Simulink Coverage model coverage analysis. Since pair 1, 4 is still possible, however, Simulink Design Verifier test generation analysis reports that MCDC for C is satisfiable.

The complexity of MCDC analysis for logical expressions with a mixture of AND and OR operators causes this difference between results from Simulink Coverage set to unique-cause MCDC analysis and Simulink Design Verifier. The default CovMcdcMode model configuration parameter value of 'Masking' does not cause this discrepancy. However, if you require the use of unique-cause MCDC analysis in Simulink Coverage, you can minimize this effect by using the IndividualObjectives test suite optimization for test generation analysis in Simulink Design Verifier For more information, see the Tip section of "Test suite optimization" on page 15-34.

## See Also

## **More About**

• "MCDC" on page 7-31

## Achieve Coverage in Models with Variable-Size Inputs

This example shows you how to achieve model coverage in models with variable-size input signals by using Simulink Design Verifier<sup>m</sup>.

#### **Open the Model**

The model in this example has two input ports that pass variable-size signals. Input port 1 (in1) of the model is of variable size signal with maximum dimension [3,3].

```
open_system('sldvVariableSizeAtInport');
```



Copyright 2023 The MathWorks, Inc.

#### **Create and Detach Harness Model**

- 1. Open Simulink Test in the Apps pane.
- 2. Click Add Test Harness in the Create Test Harness section.
- 3. Click **OK** in the **Create Test Harness** dialog box.
- 4. Click **Detach And Export** in the **Harness** tab.



#### **Drive Variable-size Input Port with Fixed Dimension Signals**

Simulink Design Verifier<sup>™</sup> supports models with fixed-size signals at the input ports. Enhance the harness model such that it has fixed-size input ports but produces variable-size signals at the design interface.

1. Add a **Switch** block to the harness model and in the **Block Parameters** dialog box on the **Signal Attributes** tab, select **Allow different data input sizes** checkbox.

2. Set the dimensions of the two data ports of the Switch block to [3,3] and [2,2] to ensure that you have a variable-dimension signal **in1** of the design model.

| Block Parameters: In1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | >   | < |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----|---|
| Main Signal Attributes Execution Output function call                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |     | ^ |
| Minimum: Maximum:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | :   |   |
| Data type:       Inherit: auto       Image: Solution of the s |     |   |
| inherit<br>Port dimensions (-1 for inherited):                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 1.0 |   |
| [1,3]<br>Variable-size signal: Yes<br>Signal type: auto                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | *   |   |
| <                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | >   | ~ |
| OK Cancel Help App                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | oly |   |

## Generate Tests to Achieve Coverage

- 1. Open **Design Verifier** in the **Apps** pane of the updated harness.
- 2. Click **Generate Tests** in the **Analyze** section.
- 3. Click **Simulate tests** and generate the model coverage report in the Results summary window.

## Summary

| Model Hierarchy/Complexity  | rchy/Complexity Test 1 |           |      |                |                        |                       |                         |           |  |  |
|-----------------------------|------------------------|-----------|------|----------------|------------------------|-----------------------|-------------------------|-----------|--|--|
|                             | Decision               | Condition | MCDC | Test Objective | <b>Proof Objective</b> | <b>Test Condition</b> | <b>Proof Assumption</b> | Execution |  |  |
| 1. sldvVariableSizeAtInport | NA                     | 100%      | 100% | NA             | NA                     | NA                    | NA                      | 100%      |  |  |

# **Verifying Model Components**

- "What Is Component Verification?" on page 10-2
- "Functions for Component Verification" on page 10-3
- "Verify a Component for Code Generation" on page 10-4

## What Is Component Verification?

#### In this section...

"Component Verification Approaches" on page 10-2

"Simulink Design Verifier Tools for Component Verification" on page 10-2

## **Component Verification Approaches**

Component verification lets you test a design component in your model using either of the following approaches:

- Within the context of the model that contains the component Using systematic simulation of closed-loop controllers requires that you verify components within a control system model. Doing so lets you test the control algorithms with your model. This approach is called system analysis.
- As standalone components For a high level of confidence in the component algorithm, verify the component in isolation from the rest of the system. This approach is called component analysis.

Verifying standalone components provides three advantages:

- You can use analysis to focus on portions of the design that you cannot test because of the physical limitations of the system being controlled.
- You can use this approach for open-loop simulations to test the plant model without feedback control.
- You can use this approach when the model is unavailable or when you need to simulate a control system model in accelerated mode for performance reasons.

## Simulink Design Verifier Tools for Component Verification

By isolating the component to verify, and using tools that Simulink Design Verifier provides, you create test cases that let you expand the scope of the testing for large models. This expanded testing helps you accomplish the following:

- Achieve 100% model coverage If certain model components do not record 100% coverage, the top-level model cannot achieve 100% coverage. By verifying these components individually, you can create test cases that fully specify the component interface, allowing the component to record 100% coverage.
- Debug the component To verify that each model component satisfies the specified design requirements, you can create test cases that verify that specific components perform as designed.
- Test the robustness of the component To verify that a component handles unexpected inputs and calculations properly, you can create test cases that generate data. Then, test the error-handling capabilities in the component.

# **Functions for Component Verification**

The Simulink Design Verifier software provides several functions that facilitate the tasks associated with component verification.

| Function         | Task                                                                                                                                                                                                                                      |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| sldvlogsignals   | Simulate a Simulink model and log input signals to a Model block in<br>the model. If you modify the test cases in the Signal Builder harness<br>model, use this approach for logging input signals to the harness<br>model itself.        |
| sldvmakeharness  | Create a harness model for a component, using logged input signals<br>if specified, or using the default signals.<br>For more information about harness models, see "Manage Simulink<br>Design Verifier Harness Models" on page 13-13.    |
| sldvmergeharness | Merge test cases from several harness models into a single harness model.                                                                                                                                                                 |
| sldvextract      | Extract an atomic subsystem or atomic subchart into a new model.                                                                                                                                                                          |
| sldvruntest      | Simulate a model, executing the specified test cases to record model coverage and outport values.                                                                                                                                         |
| sldvruncgvtest   | Invoke the Code Generation Verification (CGV) API, and execute the specified test cases on the generated code for the model.                                                                                                              |
|                  | <b>Note</b> To execute a model in different modes of execution, use the CGV API to verify the numerical equivalence of results. For more information about the CGV API, see "Programmatic Code Generation Verification" (Embedded Coder). |

Component verification functions do not support the following Simulink features:

- Variable-step solvers for sldvruntest
- Component interfaces that contain:
  - Variable-size signals
  - Multiword fixed-point data types larger than 128 bits

# Verify a Component for Code Generation

#### In this section...

"About the Example Model" on page 10-4

"Prepare the Component for Verification" on page 10-6

"Record Coverage for the Component" on page 10-7

"Use Simulink Design Verifier Software to Record Additional Coverage" on page 10-7

"Combine the Harness Models" on page 10-8

"Execute the Component in Simulation Mode" on page 10-9

"Execute the Component in Software-in-the-Loop (SIL) Mode" on page 10-10

#### About the Example Model

This example uses the slvnvdemo\_powerwindow model to show how to verify a component in the context of the model that contains that component. As you work through this example, you use the Simulink Design Verifier component verification functions to create test cases and measure coverage for a referenced model. In addition, you can execute the referenced model in both simulation mode and Software-in-the-Loop (SIL) mode using the Code Generation Verification (CGV) API.

**Note** You must have the following product licenses to run this example:

- Stateflow
- Embedded Coder
- Simulink Coder

The component that you verify is a Model block named control. This component resides inside the power\_window\_control\_system subsystem in the top level of the slvnvdemo\_powerwindow model. The power\_window\_control\_system subsystem is shown below.



The control Model block references the slvnvdemo\_powerwindow\_controller model.





The referenced model contains a Stateflow chart **control**, which implements the logic for the power window controller.



#### Prepare the Component for Verification

To verify the referenced model slvnvdemo\_powerwindow\_controller, create a harness model that contains the input signals that simulate the controller in the plant model:

1 Open the slvnvdemo\_powerwindow example model and the referenced model:

```
open_system('slvnvdemo_powerwindow');
open_system('slvnvdemo_powerwindow_controller');
```

2 Open the power\_window\_control\_system subsystem in the example model.

The Model block named control in the power\_window\_control\_system subsystem references the component that you verify during this example, slvnvdemo\_powerwindow\_controller.

3 Simulate the Model block that references the slvnvdemo\_powerwindow\_controller model and log the input signals to the Model block:

```
loggedSignalsPlant = sldvlogsignals( ...
    'slvnvdemo_powerwindow/power_window_control_system/control');
```

sldvlogsignals stores the logged signals in loggedSignalsPlant.

**4** Generate a harness model with the logged signals:

```
harnessModelFilePath = sldvmakeharness( ...
    'slvnvdemo_powerwindow_controller', loggedSignalsPlant);
```

sldvmakeharness creates and opens a harness model named
slvnvdemo\_powerwindow\_controller\_harness. The Signal Builder block contains one test
case containing the logged signals.

For more information about harness models, see "Manage Simulink Design Verifier Harness Models" on page 13-13.

**5** For use later in this example, save the name of the harness model:

[~, harnessModel] = fileparts(harnessModelFilePath);

**6** Leave all windows open for the next part of this example.

Next, you will record coverage for the slvnvdemo\_powerwindow\_controller model.

#### **Record Coverage for the Component**

Model coverage is a measure of how thoroughly a test case tests a model, and the percentage of pathways that a test case exercises. To record coverage for the slvnvdemo\_powerwindow\_controller model:

1 Create a default options object, required by the sldvruntest function:

run0pts = sldvruntestopts;

2 Specify to simulate the model, and record coverage:

runOpts.coverageEnabled = true;

**3** Simulate the referenced model and record coverage:

4 Display the HTML coverage report:

cvhtml('Coverage with Test Cases', covDataFromLoggedSignals);

The slvnvdemo\_powerwindow\_controller model achieved:

- Decision coverage: 40%
- Condition coverage: 35%
- MCDC coverage: 10%

For more information about decision coverage, condition coverage, and MCDC coverage, see "Types of Model Coverage" (Simulink Coverage).

Because you did not achieve 100% coverage for the slvnvdemo\_powerwindow\_controller model, next, you will analyze the model to record additional coverage and create additional test cases.

#### Use Simulink Design Verifier Software to Record Additional Coverage

You can use Simulink Design Verifier to analyze the slvnvdemo\_powerwindow\_controller model and collect coverage. You can specify that the analysis ignore any previously satisfied objectives and record additional coverage.

To record additional coverage for the model:

**1** Save the coverage data that you recorded for the logged signals in a file:

```
cvsave('existingCovFromLoggedSignal', covDataFromLoggedSignals);
```

2 Create a default options object for the analysis:

opts = sldvoptions;

**3** Specify that the analysis generate test cases to record decision, condition, and modified condition/decision coverage:

opts.ModelCoverageObjectives = 'MCDC';

4 Specify that the analysis ignore objectives that you satisfied when you logged the signals to the Model block:

opts.IgnoreCovSatisfied = 'on';

**5** Specify the name of the file that contains the satisfied objectives data:

opts.CoverageDataFile = 'existingCovFromLoggedSignal.cvt';

**6** Specify that the analysis create long test cases that satisfy several objectives:

opts.TestSuiteOptimization = 'LongTestcases';

Creating a smaller number of test cases each of which satisfies multiple test objectives saves time when you execute the generated code in the next section.

7 Specify to create a harness model that references the component using a Model block:

opts.saveHarnessModel = 'on';
opts.ModelReferenceHarness = 'on';

The harness model that you created from the logged signals in "Prepare the Component for Verification" on page 10-6 uses a Model block that references the slvnvdemo\_powerwindow\_controller model. The harness model that the analysis creates must also use a Model block that references slvnvdemo\_powerwindow\_controller. You can append the test case data to the first harness model, creating a single test suite.

**8** Analyze the model using Simulink Design Verifier:

```
[status, fileNames] = sldvrun('slvnvdemo_powerwindow_controller', ...
opts, true);
```

The analysis creates and opens a harness model slvnvdemo\_powerwindow\_controller\_harness. The Signal Builder block contains one long test case that satisfies 74 test objectives.

You can combine this test case with the test case that you created in "Prepare the Component for Verification" on page 10-6, to record additional coverage for the slvnvdemo powerwindow controller model.

**9** Save the name of the new harness model and open it:

[~, newHarnessModel] = fileparts(fileNames.HarnessModel); open\_system(newHarnessModel);

Next, you will combine the two harness models to create a single test suite.

#### **Combine the Harness Models**

You created two harness models when you:

- Logged the signals to the control Model block that references the slvnvdemo powerwindow controller model.
- Analyzed the slvnvdemo\_powerwindow\_controller model.

If you combine the test cases in both harness models, you can record coverage that gets you closer to achieving 100% coverage:

**1** Combine the harness models by appending the most recent test cases to the test cases for the logged signals:

```
sldvmergeharness(harnessModel, newHarnessModel);
```

The Signal Builder block in the slvnvdemo\_powerwindow\_controller\_harness model now contains both test cases.

**2** Log the signals to the harness model:

loggedSignalsMergedHarness = sldvlogsignals(harnessModel);

3 Use the combined test cases to record coverage for the slvnvdemo\_powerwindow\_controller\_harness model. First, configure the options object for sldvruntest:

```
runOpts = sldvruntestopts;
runOpts.coverageEnabled = true;
```

4 Simulate the model and record and display the coverage data:

```
[~, covDataFromMergedSignals] = sldvruntest( ...
    'slvnvdemo_powerwindow_controller', loggedSignalsMergedHarness, ...
    runOpts);
cvhtml('Coverage with Merged Test Cases', covDataFromMergedSignals);
```

The slvnvdemo powerwindow controller model now achieves:

- Decision coverage: 100%
- Condition coverage: 80%
- MCDC coverage: 60%

#### **Execute the Component in Simulation Mode**

To verify that the generated code for the model produces the same results as simulating the model, use the Code Generation Verification (CGV) API methods.

**Note** To execute a model in different modes of execution, use the CGV API to verify the numerical equivalence of results. For more information about the CGV API, see "Programmatic Code Generation Verification" (Embedded Coder).

When you perform this procedure, the simulation compiles and executes the model code using both test cases.

**1** Create a default options object for sldvruncgvtest:

```
runcgvopts = sldvruntestopts('cgv');
```

**2** Specify to execute the model in simulation mode:

runcgvopts.cgvConn = 'sim';

3 Execute the slvnv\_powerwindow\_controller model using the two test cases and the runcgvopts object:

```
cgvSim = sldvruncgvtest('slvnvdemo_powerwindow_controller', ...
loggedSignalsMergedHarness, runcgvopts);
```

These steps save the results in the workspace variable cgvSim.

Next, you will execute the same model with the same test cases in Software-in-the-Loop (SIL) mode and compare the results from both simulations.

For more information about Normal simulation mode, see "Execute the Model" (Embedded Coder).

#### Execute the Component in Software-in-the-Loop (SIL) Mode

When you execute a model in Software-in-the-Loop (SIL) mode, the simulation compiles and executes the generated code on your host computer.

In this section, you execute the slvnvdemo\_powerwindow\_controller model in SIL mode and compare the results to the previous section, when you executed the model in simulation mode.

**1** Specify to execute the model in SIL mode:

runcgvopts.cgvConn = 'sil';

2 Execute the slvnv\_powerwindow\_controller model using the two test cases and the runcgvopts object:

```
cgvSil = sldvruncgvtest('slvnvdemo_powerwindow_controller', ...
loggedSignalsMergedHarness, runcgvopts);
```

The workspace variable cgvSil contains the results of the SIL mode execution.

3 Compare the results in cgvSil to the results in cgvSim, created from the simulation mode execution. Use the compare (Embedded Coder) method to compare the results from the two simulations:

```
for i=1:length(loggedSignalsMergedHarness.TestCases)
   simout = cgvSim.getOutputData(i);
   silout = cgvSil.getOutputData(i);
   [matchNames, ~, mismatchNames, ~ ] = ...
        cgv.CGV.compare(simout, silout);
```

```
end
```

**4** Display the results of the comparison in the MATLAB Command Window:

```
fprintf(['\nTest Case(%d):%d Signals match, %d Signals mismatch\r'],...
i, length(matchNames), length(mismatchNames));
```

As expected, the results of the two simulations match.

For more information about Software-in-the-Loop (SIL) simulations, see "What Are SIL and PIL Simulations?" (Embedded Coder).

# **Considering Specified Minimum and Maximum Values for Inputs During Analysis**

- "Minimum and Maximum Input Constraints" on page 11-2
- "Specify Input Ranges on Simulink and Stateflow Elements" on page 11-4
- "Specification of Input Ranges in sldvData Fields" on page 11-10

# **Minimum and Maximum Input Constraints**

#### In this section...

"Simulink Design Verifier Support for Specified Input Minimum and Maximum Values" on page 11-  $\!\!\!\!2$ 

"Limitations of Simulink Design Verifier Support for Specified Minimum and Maximum Values" on page 11-2

When creating a model, you can specify minimum and maximum values on input ports to mimic environmental constraints as part of your design. The Simulink Design Verifier analysis can automatically consider these values as constraints for:

- Design error detection
- Test case generation
- Property proving

Specifying minimum and maximum input values is similar to using the Test Condition block to constrain signals for test case generation or the Proof Assumption block to constrain signals for property proving. The Test Condition and Proof Assumption blocks capture the analysis constraints. The Simulink Design Verifier software can also consider the design constraints captured in the Inport block minimum and maximum parameters as constraints for analysis.

**Note** For more information about signal values, see "Investigate Signal Values".

# Simulink Design Verifier Support for Specified Input Minimum and Maximum Values

By default, Simulink Design Verifier considers any minimum and maximum input values specified for Inport blocks in your model. To enable this capability:

- 1 On the **Design Verifier** tab, in the **Prepare** section, from the drop-down menu for the mode settings, click **Settings**.
- 2 In the Configuration Parameters dialog box, on the **Design Verifier** pane, select the **Use specified input minimum and maximum values** parameter.
- **3** After the analysis completes, to view the design minimum and maximum constraints for your model, click **Generate detailed analysis reports**.

The constraints are listed in the **Analysis Information** chapter of the Simulink Design Verifier report.

# Limitations of Simulink Design Verifier Support for Specified Minimum and Maximum Values

Simulink Design Verifier support for specified minimum and maximum values has the following limitations:

• The analysis considers specified minimum and maximum values on root-level Inport blocks only. The analysis ignores minimum and maximum values specified on other Simulink blocks.

# See Also

## **More About**

• "Specify Signal Ranges"

# **Specify Input Ranges on Simulink and Stateflow Elements**

When you specify input range constraints on Simulink and Stateflow elements, Simulink Design Verifier considers these constraints during analysis.

"Specify Input Ranges for Inport Blocks" on page 11-4 "Specify Input Ranges for Simulink.Signal Objects" on page 11-5 "Specify Input Ranges for Stateflow Data Objects" on page 11-5 "Specify Input Ranges for Subsystems" on page 11-6 "Specify Input Ranges for Global Data Stores" on page 11-7 "Specify Input Ranges for Bus Elements" on page 11-8

#### **Specify Input Ranges for Inport Blocks**

After you specify the output minimum and maximum values on Inport blocks, Simulink Design Verifier analysis uses the minimum and maximum values as constraints.

The following example model restricts the signals from two Inport blocks:

- Input1 block: Minimum: 1, Maximum: 5
- Input2 block: Minimum: -1, Maximum: 1



When you use Simulink Design Verifier, to analyze this model, the analysis produces these results:

- The output from Input1 is never less than 0, therefore the first input to the Logical Operator block is never false. The objective that the first input to the Logical Operator equals false is unsatisfiable.
- The Logical Operator block cannot achieve 100% modified condition/decision coverage (MCDC) coverage because the condition where the first input is false never occurs.

The detailed analysis report shows the values you use as constraints for Input1 and Input2.

**Note** Simulink Design Verifier considers the full range of possible values (and any minimum and maximum constraints) for root-level inports only.

#### Specify Input Ranges for Simulink.Signal Objects

Using the Model Explorer, in the model workspace, you can specify minimum and maximum values on Simulink.Signal objects associated with input signals.

The following example model uses the Simulink.Signal objects associated with the input signals a and b to restrict the signal values:

- Signal a: Minimum: 1, Maximum: 5
- Signal b: Minimum: -1, Maximum: 1



When you analyze this model, the results are the same as if you specified the minimum and maximum values on the input ports.

#### Specifying Signal Ranges on Inport Blocks and Signals

If you specify ranges on the Inport blocks and on the signals, the analysis considers the smallest range for the values. For example, if you specify a range of 4..12 on an input port and a range of 1..8 on the signal from the input port, the analysis considers the range 4..8.

#### Specify Input Ranges for Stateflow Data Objects

Using the Model Explorer, you can specify ranges on data objects that are directly connected to the root-level input ports for a Stateflow chart.

In the following example model, the Stateflow chart named Chart has a data object, x, whose range you specified as 0 < x < 10. In this chart, x must be greater than 15 to trigger the transition from low to high.





The value of x ranges from 0 through 10, therefore the transition condition [x > 15] is never true. The transition from low to high never occurs. Because the high state is never entered, the transition condition [x < 15] is never tested, and the transition from high to low never occurs. The chart is always in the low state.

When you analyze this model, these objectives are proven unsatisfiable:

- The high state is never entered.
- The transition condition [x > 15] is always false, never true.
- The condition [x < 15] is never tested, so it is never true or false.

The analysis report indicates the values that you use as constraints for x: [0, 10].

#### **Specify Input Ranges for Subsystems**

The Simulink Design Verifier software considers specified input minimum and maximum values as constraints only at the top level of a model. You can specify minimum and maximum values on Input ports on subsystems, but when you analyze the top-level model, the software ignores those values.

When you perform the subsystem analysis, the software considers specified minimum and maximum values on the input ports of the subsystem.

For example, consider the following model and its subsystem.



In Subsystem, the specified minimum and maximum values for input port SSIn are -10 and 10, respectively. The lower and upper limits for the Saturation block are -15 and 15, respectively.



If you right-click Subsystem in the top-level model and select **Design Verifier > Generate Tests for Subsystem**, the analysis considers the specified minimum and maximum values as constraints on the SSIn port.

| Name        | Design Min Max Constraint |
|-------------|---------------------------|
| <u>SSIn</u> | [-10, 10]                 |

#### **Constraints: Design Min Max Constraints**

The analysis identifies two unsatisfiable objectives:

- input > lower limit F: The input is always greater than the lower limit on the Saturation block (-15).
- input >= upper limit T: The input is never greater than or equal to the upper limit on the Saturation block (15).

If you analyze the model that contains Subsystem, the analysis does not consider the values specified on the input port SSIn in the subsystem. The analysis considers only the root-level input ports at the respective level of the hierarchy for analysis.

#### **Specify Input Ranges for Global Data Stores**

A data store is a repository to which you can write data and from which you can read data, without having to connect an input or output signal directly to the data store. You create a data store by using a Data Store Memory block or a Simulink.Signal object. You can specify minimum and maximum values for any data store.

During subsystem analysis, Simulink Design Verifier creates an input port to mimic the execution context for a global data store. For more information, see "Extract Subsystems for Analysis" on page 14-15. If the data store has specified minimum and maximum values, those values are assigned as minimum and maximum values on the new input port. Simulink Design Verifier analysis considers the input minimum and maximum values as subsystem-level analysis constraints.

In the following example model, data store A has a minimum value of 0 and a maximum value of 10.



The atomic subsystem reads values from the data store and checks to see if the input is less than 0. The Compare To Zero block outputs 1 if the input is less than 0, and outputs 0 if the input is greater than or equal to 0. The Test Objective block checks to see if the output is ever 1.



In the top-level model, if you right-click Subsystem and select **Design Verifier > Generate Tests for Subsystem**, the analysis considers the constraints for data store A to be [0, 10].

The analysis does not satisfy the objective specified in the Test Objective block. The input is always greater than or equal to 0, therefore the output from the Compare To Zero block is always 0.

#### **Specify Input Ranges for Bus Elements**

open system('sldvBusMinMaxExample');

When you define a bus, you can specify minimum and maximum values for the elements in the bus. Simulink Design Verifier considers these minimum and maximum values when analyzing subsystems and models that use the bus as an input signal.

Consider a subsystem that inputs a bus of three fields, each with a defined minimum and maximum. To view this subsystem, add the examples folder to the current MATLAB path and at the command line, enter:



•

| Bus Element  | Bus Element Minimum | Bus Element Maximum |  |  |
|--------------|---------------------|---------------------|--|--|
| vehicleSpeed | 0                   | 125                 |  |  |
| throttle     | 0                   | 100                 |  |  |
| engineSpeed  | 0                   | 7600                |  |  |

The subsystem has test objectives that confirm that each element does not exceed a constant. The vehicleSpeed signal is limited to a maximum value lower than the test objective.



Set the current folder to a writable folder. In the top-level mode, right-click Subsystem and select **Design Verifier > Generate Tests for Subsystem**. The Condition Objective for testing vehicleSpeed > 135 is not satisfiable due to the maximum specification on the vehicleSpeed element.

# Specification of Input Ranges in sldvData Fields

When you analyze a model, Simulink Design Verifier generates a data file when it completes its analysis. The data file is a MAT-file that contains an sldvData structure. The sldvData structure stores all the data that the software gathers and produces during the analysis. You can use the data file to customize your own analysis or to generate a custom report.

If your model contains specified minimum and maximum values on the input ports, the sldvData structure contains information about those values. For example, after analyzing the ex\_minmax\_on\_inports model in "Specify Input Ranges for Inport Blocks" on page 11-4, the data file contains the following values:

• For the Input1 block:

٠

```
sldvData.Constraints.DesignMinMax(1).value{1}.low
ans =
    1
sldvData.Constraints.DesignMinMax(1).value{1}.high
ans =
    5
For the Input2 block:
sldvData.Constraints.DesignMinMax(2).value{1}.low
ans =
    -1
sldvData.Constraints.DesignMinMax(2).value{1}.high
ans =
    1
```

# **Proving Properties of a Model**

- "What Is Property Proving?" on page 12-2
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5
- "Prove System-Level Properties Using Verification Model" on page 12-20
- "Prove Properties in a Subsystem" on page 12-23
- "Model Requirements" on page 12-24
- "Isolate Verification Logic with Observers" on page 12-29
- "Property Proving with an Invalid Property" on page 12-32
- "Property Proving with Multiple Properties" on page 12-33
- "Property Proving with an Assumption Block" on page 12-34
- "Property Proving Workflow for Cruise Control" on page 12-35
- "Property Proving Workflow for Fixed-Point Cruise Control with Block Replacements" on page 12-39
- "Property Proving Using MATLAB Function Block" on page 12-40
- "Property Proving Using MATLAB Truth Table Block" on page 12-41
- "Property Proving Workflow for Thrust Reverser" on page 12-42
- "Debounce Temporal Properties" on page 12-43
- "Power Window Controller Temporal Properties" on page 12-46
- "Debug Property Proving Violations by Using Model Slicer" on page 12-55
- "Design and Verify Properties in a Model" on page 12-60
- "Validate Requirements by Analyzing Model Properties" on page 12-63
- "Use Observer Reference Blocks for Property Proving Analysis" on page 12-70
- "Prove Properties with Requirements Table Blocks" on page 12-73

# What Is Property Proving?

A property is a requirement that you model in Simulink or Stateflow, or by using MATLAB Function or Requirements Table blocks. A property can be a simple requirement, such as a signal in your model that must attain a particular value or range of values during simulation.

A property can also be a requirement on the model that involves a number of input and output signals modeled as a logical expression that needs to be proved.

The Simulink Design Verifier software performs a formal analysis of your model to prove or disprove the specified properties. After completing the analysis, the software offers several ways for you to review the results:

- Highlighted on the model
- A harness model with test cases
- A detailed HTML report

#### **Proof Blocks**

The Simulink Design Verifier software provides two blocks so you can specify property proofs in your Simulink models:

- Proof Objective Define the values of a signal to prove
- Proof Assumption Constrain the values of a signal during a proof

**Note** Blocks from the Model Verification library in the Simulink software behave like Proof Objective blocks during Simulink Design Verifier proofs. You can use Assertion blocks and other Model Verification blocks to specify properties of your model. For more information about these blocks, see "Model Verification".

#### **Proof Functions**

The Simulink Design Verifier software provides two Stateflow and MATLAB for code generation functions to specify property proving for a Simulink model or Stateflow chart:

- sldv.prove Specifies a proof objective
- sldv.assume Specifies a proof assumption

These functions:

- Identify mathematical relationships for proving properties in a form that can be more natural than using block parameters
- Support specifying multiple objectives, assumptions, or conditions without complicating the model.
- Provide access to the power of MATLAB.
- Support separation of verification and model design.

For an example of how to use these proof functions, see the sldv.prove reference page.

**Note** Simulink Design Verifier blocks and functions are saved with a model. If you open the model on a MATLAB installation that does not have a Simulink Design Verifier license, you can see the blocks and functions, but they do not produce results.

# **Workflow for Proving Model Properties**

To prove properties of your design model, use the following workflow:

- **1** Determine the verification objectives for your design model, e.g., based on your requirements specifications.
- 2 Instrument your design model to specify proof objectives and proof assumptions.
  - For simple properties, instrument your model with blocks or MATLAB functions that specify the proof objectives.
  - For system-level properties, construct a verification model that contains a Model block that references the design model and define the properties on the design model interface using the same inputs and outputs.
- **3** Define analysis constraints using the Proof Assumption block or sldv.assume. These constraints apply to all enabled proof objectives.

**Note** The proof assumptions are applied to all enabled proof objectives. Make sure that you do not specify any contradictory assumptions because that might invalidate the entire analysis.

- 4 Specify options that control how Simulink Design Verifier proves the properties of your model.
- 5 Execute the Simulink Design Verifier analysis and review the results.

For an exercise that demonstrates this workflow, see "Prove Properties in a Model" on page 12-5.

#### See Also

#### **More About**

- "Property Proving Workflow for Cruise Control" on page 12-35
- "Property Proving Workflow for Fixed-Point Cruise Control with Block Replacements" on page 12-39
- "Property Proving Workflow for Thrust Reverser" on page 12-42

# **Prove Properties in a Model**

| In this section                                     |  |
|-----------------------------------------------------|--|
| "About This Example" on page 12-5                   |  |
| "Construct Example Model" on page 12-5              |  |
| "Check Compatibility of Example Model" on page 12-6 |  |
| "Instrument Example Model" on page 12-7             |  |
| "Configure Property-Proving Options" on page 12-8   |  |
| "Analyze Example Model" on page 12-8                |  |
| "Review Analysis Results" on page 12-8              |  |
| "Customize Example Proof" on page 12-15             |  |
| "Reanalyze Example Model" on page 12-16             |  |
| "Review Results of Second Analysis" on page 12-16   |  |
| "Analyze Contradictory Models" on page 12-18        |  |
| "Prove Properties in a Large Model" on page 12-19   |  |

# **About This Example**

The following sections describe a Simulink model, for which you prove a property that you specify using a Proof Objective block. This example demonstrates the property-proving capabilities of Simulink Design Verifier.

| Task | Description                                                                                            | See                                                   |  |  |  |
|------|--------------------------------------------------------------------------------------------------------|-------------------------------------------------------|--|--|--|
| 1    | Construct the example model.                                                                           | "Construct Example Model" on page 12-5                |  |  |  |
| 2    | Verify that your model is compatible with Simulink Design Verifier.                                    | "Check Compatibility of Example Model" on page 12-6   |  |  |  |
| 3    | Add a Proof Objective block to your<br>model to prepare for its proof."Instrument Example Model" on pa |                                                       |  |  |  |
| 4    | Configure Simulink Design Verifier to prove properties.                                                | "Configure Property-Proving Options" on page 12-<br>8 |  |  |  |
| 5    | Prove a property of your model.                                                                        | "Analyze Example Model" on page 12-8                  |  |  |  |
| 6    | Review the analysis results.                                                                           | "Review Analysis Results" on page 12-8                |  |  |  |
| 7    | Add proof assumptions to specify analysis constraints.                                                 | "Customize Example Proof" on page 12-15               |  |  |  |
| 8    | Prove a property of the customized model and interpret the results.                                    | "Reanalyze Example Model" on page 12-16               |  |  |  |

In this example, you perform the following tasks.

## **Construct Example Model**

Construct a Simulink model to use in this example:

- **1** Create an empty Simulink model.
- 2 Copy the following blocks into your empty model window:
  - From the Sources library, an Inport block to initiate the input signal whose value Simulink Design Verifier controls
  - From the Logic and Bit Operations library, a Compare To Zero block to provide simple logic
  - From the Sinks library, an Outport block to receive the output signal
- **3** Connect these blocks such so your model appears similar to the following model:



- 4 On the **Modeling** tab, click **Model Settings**.
- **5** On the Configuration Parameters dialog box, in the **Solver** pane, in the **Solver selection**:
  - Set the **Type** option to Fixed-step.
  - Set the **Solver** option to Discrete (no continuous states).

The Simulink Design Verifier can analyze only models that use a fixed-step solver.

- 6 Click **OK** to save your changes and close the Configuration Parameters dialog box.
- 7 Save your model with the name ex\_property\_proving\_example\_basic.

## **Check Compatibility of Example Model**

Every time Simulink Design Verifier software analyzes a model, before the analysis begins, the software performs a compatibility check. If your model is not compatible, the software cannot analyze it.

You can also make sure you model is compatible with Simulink Design Verifier before you start the analysis:

- 1 Open the ex\_property\_proving\_example\_basic model.
- 2 On the **Design Verifier** tab, click **Check Compatibility**.

The Simulink Design Verifier software displays the log window, which states whether or not your model is compatible.

The model you just created is compatible.

| 🚡 Simulink Design Verifier Results Summary: ex_property_proving_example_basic 🛛 🗙                                                                                                                                                                                                                                      |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 27-Jun-2017 16:24:40<br>Checking compatibility for test generation: model<br>'ex_property_proving_example_basic'<br>Compiling modeldone<br>Building model representationdone<br>27-Jun-2017 16:24:42<br>'ex_property_proving_example_basic' is <b>compatible</b> for test generation with<br>Simulink Design Verifier. |
| Save Log Generate Tests Close                                                                                                                                                                                                                                                                                          |

#### What If a Model Is Partially Compatible?

If the compatibility check indicates that your model is partially compatible, your model contains at least one object that Simulink Design Verifier does not support. You can analyze a partially compatible model, but, by default, unsupported objects are stubbed out. The results of the analysis may be incomplete. For detailed information about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

#### Instrument Example Model

Prepare your example model so that you can prove its properties with Simulink Design Verifier. Specifically, instrument the model by adding and configuring a Proof Objective block:

1 In the MATLAB Command Window, enter sldvlib.

The Simulink Design Verifier library appears.

- **2** Open the Objectives and Constraints sublibrary.
- **3** Copy the Proof Objective block to your model and insert it between the Compare To Zero and Outport blocks.
- 4 In your model, double-click the Proof Objective block.

The Proof Objective block parameters dialog box opens.

5 In the Values box, enter 1.

The Simulink Design Verifier software will attempt to prove that the signal output by the Compare To Zero block always attains this value for any signals that it receives.

6 Click **OK** to apply your changes and close the Proof Objective block parameters dialog box.



7 Save your model and keep it open.

#### **Configure Property-Proving Options**

Configure Simulink Design Verifier to prove properties of the ex\_property\_proving\_example\_basic model that you instrumented:

- 1 Open the ex\_property\_proving\_example\_basic model.
- 2 On the **Design Verifier** tab, in the **Mode** section, select **Property Proving**.
- 3 Click Property Proving Settings.
- 4 Click **OK** to apply your changes and close the Configuration Parameters dialog box.

**Note** On the **Property Proving** pane, you can optionally specify values for other parameters that control how Simulink Design Verifier proves properties of your model. For more information, see "Design Verifier Pane: Property Proving" on page 15-52.

5 Save the ex\_property\_proving\_example\_basic model.

#### Analyze Example Model

To analyze the ex\_property\_proving\_example\_basic model, on the **Design Verifier** tab, click **Prove Properties**. Simulink Design Verifier begins a property-proving analysis.

During the analysis, the log window shows the progress of the analysis. It displays information such as the number of objectives processed and which objectives were satisfied or falsified.

To terminate the analysis at any time, in the log window, click **Stop**.

#### **Review Analysis Results**

When the analysis is complete, the log window displays the following options for reviewing the results:

- Highlight the analysis results on the model
- Generate a detailed HTML analysis report
- Create a harness model with test cases
- Simulate the test cases created by the model and produce a model coverage report

You can also view the Simulink Design Verifier data file. For detailed information about the data file, see "Manage Simulink Design Verifier Data Files" on page 13-7.

The following sections describe how you can review the analysis results:

- "Review Results on Model" on page 12-9
- "Review Detailed Analysis Report" on page 12-10
- "Review Harness Model" on page 12-12
- "Simulate Model with Counterexample" on page 12-13
- "Review Analysis Results" on page 12-15

#### **Review Results on Model**

You can review the analysis results at a glance by viewing the blocks that are highlighted in the model window. The highlighting can have four colors:

- Green The analysis proved all the proof objectives valid.
- Red The analysis disproved a proof objective and generated a counterexample that falsified that objective.
- Orange The analysis disproved a proof objective, but it could not generate a counterexample or the proof objective remained undecided. This result occurs due to:
  - A proof objective on a signal whose value the software cannot control, for example, a Constant block
  - A proof objective that depends on nonlinear computation
  - A proof objective that creates an arithmetic error, such as division by zero
  - Automatic stubbing being enabled, and the analysis encountering an unsupported block whose operation it does not understand but that the analysis requires to generate the counterexample
  - The analysis timing out
  - Limitations of the analysis engine
- Gray The model object was not part of the analysis.

Highlight the analysis results on the example model:

1 In the Results Summary window for the ex\_property\_proving\_example\_basic analysis, click **Highlight analysis results on model**.



The Proof Objective block is highlighted in red, which indicates that a proof objective was falsified with a counterexample.

The Simulink Design Verifier Results window appears.



As you click objects in the model, this window changes to display detailed analysis results for that object.

| Paresults: ex_property_proving_example_basic                                                                    | —        | $\times$ |
|-----------------------------------------------------------------------------------------------------------------|----------|----------|
| $\Leftarrow \Rightarrow $                                                                                       |          | - 19     |
| Back to summary<br>ex_property_proving_example_basic/Proof O<br>Objective: T ERROR - <u>View counterexample</u> | bjective |          |

**Tip** By default, the Simulink Design Verifier Results window is always the topmost visible window. To allow the window to move behind other window, click **32** and clear **Always on top**.

2 Click the highlighted Proof Objective block.

The Simulink Design Verifier Results window indicates that the proof objective that the output signal from the Compare to Zero was not 1 was disproved with a counterexample.

#### **Review Detailed Analysis Report**

To create a detailed HTML analysis report:

**1** In the Simulink Design Verifier Results Summary window, click **Generate detailed analysis report**.

The HTML report opens in a browser window.

**2** The report includes the following **Table of Contents**. Click a hyperlink to navigate to particular section in the report.

# Summary 2. Analysis Information 3. Proof Objectives Status 4. Properties

3 In the Table of Contents, click Summary.

# Chapter 1. Summary

#### Analysis Information

| Model:         | ex_property_proving_example_basic |
|----------------|-----------------------------------|
| Mode:          | Property proving                  |
| Status:        | Completed normally                |
| Analysis Time: | 11s                               |

The Summary provides an overview of the analysis results, and it indicates that Simulink Design Verifier identified a counterexample that falsifies an objective in your model.

4 In the Table of Contents, click Proof Objectives Status.

# **Objectives Falsified with Counterexamples**

| # | Proof              |                 |              | Analysis<br>Time<br>(sec) | Counterexample |  |
|---|--------------------|-----------------|--------------|---------------------------|----------------|--|
|   | Proof<br>objective | Proof Objective | Objective: T | 12                        | 1              |  |

The Objectives Falsified with Counterexamples table lists the proof objectives that Simulink Design Verifier disproved using a counterexample that it generated. You can locate the objective in your model window by clicking Proof Objective; the software highlights the corresponding Proof Objective block in your model window.

**5** In the Objectives Falsified with Counterexamples table, under the **Counterexample** column, click **1**.

# **Proof Objective**

#### Summary

Model Item: <u>Proof Objective</u> Property: Objective: T Status: Falsified

#### Counterexample

| ſ | Time | 0 |
|---|------|---|
|   | Step | 1 |
|   | Inl  | 1 |

This section displays information about proof objective 1 and provides details about the counterexample that Simulink Design Verifier generated to disprove that objective. In this counterexample, a signal value of 99 falsifies the objective that you specified using the Proof Objective block. That is, 99 is not less than or equal to 0, which causes the Compare To Zero block to return 0 (false) instead of 1 (true).

#### **Review Harness Model**

Create a harness model with counterexamples that falsify the proof objectives in your model:

**1** In the Simulink Design Verifier log window, click **Create harness model**.

The software creates a harness model named ex\_property\_proving\_example\_basic\_harness.



The harness model contains the following items:

- Signal Builder block named Inputs A group of signals that falsify proof objectives.
- Subsystem block named Test Unit A copy of your model.
- DocBlock named Test Case Explanation A textual description of the counterexamples that the analysis generates.

• A Size-Type block — A subsystem that transmits signals from the Inputs block to the Test Unit block. This block verifies that the size and data type of the signals are consistent with the Test Unit block.

| Signal Builde File Edit Git    |          | oroving_exa<br>Axes He |       | ss/Inputs)     |                                   |                           |                     |                       | • <mark>• •</mark> |
|--------------------------------|----------|------------------------|-------|----------------|-----------------------------------|---------------------------|---------------------|-----------------------|--------------------|
|                                |          |                        | .n. 🔳 | ক্র ভি শ্রু    | $\boxtimes$ $\blacktriangleright$ | II ■ <mark>⊾</mark> all   | 1 🔁                 | ₹.                    |                    |
| Active Group: Counterexample 1 |          |                        |       |                |                                   |                           |                     |                       |                    |
| 2                              |          |                        |       |                |                                   |                           |                     |                       |                    |
| In1                            |          |                        |       |                |                                   |                           | 1                   | 1                     |                    |
| 1.8                            |          |                        |       | <br> <br> <br> |                                   | <br>-<br>-<br>-<br>-<br>- | *<br>!<br>!<br>!    | <br> <br> <br> <br>   |                    |
| 1.6                            |          |                        |       |                |                                   |                           |                     |                       |                    |
| 1.4                            |          |                        |       |                |                                   | <br>                      | ,<br>,<br>,<br>,    | ,<br>,<br>,<br>,<br>, |                    |
| 1.2                            |          |                        |       |                |                                   | ,<br>,<br>,<br>,          | <br> <br> <br> <br> | <br> <br> <br> <br>   |                    |
| 1                              |          |                        |       |                |                                   |                           |                     |                       |                    |
| 0.8                            |          |                        |       |                |                                   | <br>                      |                     | <br> <br>             |                    |
| 0.6                            |          |                        |       |                |                                   |                           | ,<br>,<br>,         | ,<br>,<br>,           |                    |
| 0.4                            |          |                        |       |                |                                   |                           |                     |                       |                    |
| 0.2                            |          |                        |       |                |                                   | ,<br>                     | ¦<br>+              |                       |                    |
| 0                              |          |                        |       |                |                                   | ,<br>,<br>,               |                     | <br> <br>             |                    |
| 0                              | 0.02 0.0 | )4 0.(                 | 06 0. | 08 0.<br>Time  |                                   | .12 0.                    | .14 0.              | .16 0.                | 18 0.2             |
|                                |          | Left Poi               | nt F  | Right Point    | Ini                               |                           | (                   | shown)                | *                  |
| Name: In1                      | Т        | F:                     | T:    |                |                                   |                           |                     |                       |                    |
| Index: 1                       | ▼ Y      | (;                     | Y;    |                |                                   |                           |                     |                       | +                  |
| ok                             |          |                        |       |                | In1 (#                            | t1) [YMin YN              | lax ]               |                       |                    |

**2** Double-click the Inputs block.

The input signal 1 causes the output of the Compare to Zero block to be 0. This counterexample violates the proof objective that specifies that the output of the Compare to Zero block be 1.

#### Simulate Model with Counterexample

Simulate the harness model to observe the counterexample that falsifies the proof objective in your model:

- 1 Open the ex\_property\_proving\_example\_basic model.
- 2 On the **Simulation** tab, click **Library Browser**.
- **3** From the Sinks library, copy a Scope block into your harness model window. The Scope block allows you to see the value of the signal output by the Compare To Zero block in your model.
- 4 In your harness model window, connect the output signal of the Test Unit subsystem to the Scope block.



**5** To simulate your harness model, on the **Simulation** tab, click **Run**.

The Simulink software simulates the harness model.

6 In your harness model window, double-click the Scope block to open its display window.



The Scope block displays the value of the signal output by the Compare To Zero block in your model. In this example, the Compare To Zero block returns 0 (false) throughout the simulation, which falsifies the proof objective that the output of the Compare to Zero block be 1 (true). The counterexample that the Signal Builder block supplies falsifies the proof objective.

#### **Review Analysis Results**

As long as your model remains open, you can view the results of your most recent Simulink Design Verifier analysis results in the Results Summary window.

On the **Design Verifier** tab, in the **Review Results** section, click **Results Summary**. The Results Summary window opens displaying the results of the latest Simulink Design Verifier analysis.

For any Simulink Design Verifier analysis, from the Results Summary window, you can perform the following tasks.

| Task                                                                                                                                                                      | For more information                                              |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|
| Highlight the analysis results on the model.                                                                                                                              | "Highlight Results on the Model" on page 13-2                     |
| Generate a detailed analysis report.                                                                                                                                      | "Review Results" on page 13-35                                    |
| Create the harness model, or if the harness model<br>already exists, open it.<br>If no counterexamples were created during the<br>analysis, this option is not available. | "Manage Simulink Design Verifier Harness<br>Models" on page 13-13 |
| View the data file.                                                                                                                                                       | "Manage Simulink Design Verifier Data Files" on page 13-7         |
| View the log file.                                                                                                                                                        | "View Log Files" on page 13-56                                    |

After you close your model, you can no longer view the analysis results.

#### **Customize Example Proof**

Modify the simple Simulink model whose proof objective Simulink Design Verifier disproved in the previous task. Specifically, customize the proof by adding and configuring a Proof Assumption block:

**1** In the MATLAB Command Window, type sldvlib.

The Simulink Design Verifier library opens.

- **2** Open the Objectives and Constraints sublibrary.
- **3** Copy the Proof Assumption block to your model.
- 4 In your model window, insert the Proof Assumption block between the Inport and Compare To Zero blocks.
- 5 In your model, double-click the Proof Assumption block to access its attributes.

The Proof Assumption block parameter dialog box opens.

- 6 In the **Values** box, enter [-1, 0]. When proving properties of this model, Simulink Design Verifier constrains the signal values entering the Compare To Zero block to the specified range. If the input to the Compare to Zero block is always within this range, the output of the Compare to Zero block will always be 1.
- 7 Click **Apply** and then **OK** to apply your changes and close the Proof Assumption block parameter dialog box.



8 Save the ex\_property\_proving\_example\_basic model and keep it open.

## **Reanalyze Example Model**

Analyze the model that you modified to see how the Proof Assumption block affects the propertyproving analysis.

Open the ex\_property\_proving\_example\_basic model. On the **Design Verifier** tab, click **Prove Properties**.

When the analysis is complete, the log window displays the options. There is no option to create a harness model, because the analysis satisfied all proof objectives in your model, so there are no counterexamples.

## **Review Results of Second Analysis**

Review the results of the second analysis:

- "Review Results on the Model" on page 12-16
- "Review Analysis Report" on page 12-17

#### **Review Results on the Model**

Highlight the model to see the analysis results:

#### **1** Click **Highlight analysis results on model**.

The Proof Objective is now highlighted in green.



2 Click the Proof Objective block.

The Simulink Design Verifier Results window shows that the proof objective that states that the signal be 1 is valid.

| Page Results: ex_property_proving_example_with_pa_block                                  | —       |    | ×    |
|------------------------------------------------------------------------------------------|---------|----|------|
| $\langle - \Rightarrow \Box$                                                             |         |    | - 19 |
| Back to summary<br>ex_property_proving_example_with_pa_block/Proof<br>Objective: T VALID | Objecti | ve |      |

#### **Review Analysis Report**

Review the analysis results in the detailed report:

- **1** Click Generate detailed analysis report.
- 2 In the Table of Contents, click Summary.

# Chapter 1. Summary

#### Analysis Information

| Model:         | ex_property_proving_example_with_pa_block |  |
|----------------|-------------------------------------------|--|
| Mode:          | Property proving                          |  |
| Status:        | Completed normally                        |  |
| Analysis Time: | 11s                                       |  |

#### **Objectives Status**

Number of Objectives: 1 Objectives Valid: 1

The Summary chapter indicates that Simulink Design Verifier proved a proof objective in the model.

**3** The Constraints section lists the analysis constraint you specified in the Proof Assumption block.

| Constraints          |                     |
|----------------------|---------------------|
| Analysis Constraints | 5                   |
| Name                 | Analysis Constraint |
| Assumption           | [-1, 0]             |

4 Scroll back to the top of the browser window. In the **Table of Contents**, click **Proof Objectives Status**.

# **Objectives Valid**

| # | Туре               | Model Item      | Description  | Analysis<br>Time<br>(sec) | Counterexample |
|---|--------------------|-----------------|--------------|---------------------------|----------------|
| 1 | Proof<br>objective | Proof Objective | Objective: T | 5                         | n/a            |

The Objectives Proven Valid table lists the proof objectives that Simulink Design Verifier proved to be valid.

5 Scroll down to view the Properties chapter or go to the top of the browser window and in the Table of Contents, click Properties.

# **Proof Objective**

#### Summary

Model Item: <u>Proof Objective</u> Property: Objective: T Status: Valid

The Proof Objective summary indicates that Simulink Design Verifier proved an objective that you specified in your model. The Proof Assumption block restricts the domain of the input signals to the interval [-1, 0]. Therefore, the software proves that this interval does not contain values that are greater than zero, thereby satisfying the proof objective.

## **Analyze Contradictory Models**

If the analysis produces the error The model is contradictory in its current configuration, the software detected a contradiction in your model and it cannot analyze the model. You can have a contradiction if your model has Proof Assumption blocks with incorrect parameters. For example, an assumption could state that a signal must be between 0 and 5 when the signal is constant 10.

If the software detects a contradiction, all previous results are invalidated and the software reports that all the properties are falsified.

**Note** Constraints added at the inputs either through design minimum/maximum or test conditions/ proof assumptions do not lead to a contradiction. However, if you constrain signals that are downstream of a computation using test conditions/proof assumptions, you must ensure that the constrained condition is feasible through the model computation. Otherwise, the resulting model is contradictory that may produces invalid results with or without an explicit analysis error. To ensure that the constraints are feasible, first try the same condition using a Test Objective. If it can be satisfied, you can use the same condition safely as a constraint.

## **Prove Properties in a Large Model**

A thorough proof of your model requires that Simulink Design Verifier search through all reachable configurations of your model—even the ones that are reached only after long time delays. The computation time and memory required to search a model completely often make an exhaustive proof impractical.

"Prove Properties in Large Models" on page 14-24 gives detailed information about strategies you can use to improve the performance of a property-proving analysis of a large model.

## See Also

## **More About**

- "Property Proving with an Invalid Property" on page 12-32
- "Property Proving with Multiple Properties" on page 12-33
- "Property Proving with an Assumption Block" on page 12-34

# **Prove System-Level Properties Using Verification Model**

## In this section...

"When to Use a Verification Model for Property Proving" on page 12-20

"About This Example" on page 12-20

"Understand the Verification Model" on page 12-20

"Prove the Properties of the Design Model" on page 12-21

"Fix the Verification Model" on page 12-22

# When to Use a Verification Model for Property Proving

If your model has system-wide properties that affect the behavior of the model, you might want to prove the properties without changing the design model. To do this, you create a verification model that includes:

- Model block that references the design model
- One or more verification subsystems that define the properties and any required constraints

# **About This Example**

The design model sldvdemo\_sbr\_design models the logic for a seat belt reminder light. If the ignition is turned on, the seat belts are unfastened, and the car exceeds a certain speed, the seat belt reminder light turns on.

The sldvdemo\_sbr\_verification model is a verification model that defines some constraints and verifies the properties in the sldvdemo\_sbr\_design model. The Model block in the verification model references the design model, so that the verification logic exists only in the verification model.

The sldvdemo\_sbr\_verification model contains a property that is falsified, because a constraint is disabled. In the sldvdemo\_sbl\_verification\_fixed model, the constraint is enabled and all the properties are proven valid.

# **Understand the Verification Model**

Take these steps to understand how the verification model works:

**1** Open the verification model:

sldvdemo\_sbr\_verification

The Design Model block is a Model block that references sldvdemo\_sbr\_design. The SBR Stateflow chart in the design model assumes that the KEY input is initially 0.

**2** Open the Safety Properties subsystem that specifies the properties of the design model that you want to prove.

This subsystem contains a MATLAB Function block called **MATLAB Property**. The code in this block specifies the property that the seat belt reminder should be on when the ignition is on, the seat belt is not fastened, and the speed is less than 15:

**3** Close the Safety Properties subsystem.

4 Open the Input Constraints subsystem.

This subsystem defines the following constraints:

- The key can have three positions: 0, 1, 2
- The speed is constrained to fall between 10 and 30.
- The key must start at 0 and can only change by one increment at a time. For example, the key can change from 0 to 1 or 1 to 2, but not from 0 to 2. In this verification model, this constraint is not enabled.
- 5 Close the Input Constraints subsystem, but keep the sldvdemo\_sbr\_verification model open.

## Prove the Properties of the Design Model

Analyze the sldvdemo\_sbr\_verification model to prove the properties:

1 In the sldvdemo\_sbr\_verification model window, to start the analysis, double-click the **Run** button to start the analysis.

When the analysis completes, the Simulink Design Verifier log window indicates that one objective is falsified - needs simulation. For more information, see "Objectives Falsified - Needs Simulation" on page 13-49.

2 To see which objective was falsified, click Highlight analysis results on model.

The Safety Properties subsystem is highlighted in orange.

**3** Open the Safety Properties subsystem and click the MATLAB Property block.

The Simulink Design Verifier Results window indicates that the statement

```
sldv.prove(implies(activeCond,SeatBeltIcon))
```

was false during at least one time step.

| Partication Results: sldvdemo_sbr_verification                            | —               |         | $\times$      |
|---------------------------------------------------------------------------|-----------------|---------|---------------|
| $\Rightarrow \Rightarrow @$                                               |                 |         | -             |
| Back to summary<br>sldvdemo_sbr_verification/Safety Prope<br>Property     | rties/MAT       | LAB     |               |
| sldv.prove(implies(activ ERROR - NEEDS<br>eCond,SeatBeltIcon)) SIMULATION | - <u>View c</u> | ountere | <u>xample</u> |

4 Click View counterexample to see the signal values that violated this property.

The Signal Builder block opens with the counterexample. The KEY input was initially 2, which is invalid.

To validate the property specified in the Safety Properties subsystem, you have to make sure that the initial value of KEY is 0.

# **Fix the Verification Model**

The Input Constraints subsystem in the verification model contained three constraints. The third constraint, which requires that the initial value of KEY be 0, and that KEY can only change in increments of 1, is disabled.



To see how this property is validated when you enable the third constraint:

1 In the sldvdemo\_sbr\_verification model, click **Open Fixed Model**.

The sldvdemo\_sbr\_verification\_fixed verification model opens.

**2** Open the Input Constraints subsystem.

This third constraint is now enabled so that  $\mathsf{KEY}$  has an initial value of 0 and changes in increments of 1.

- **3** Close the Input Constraints subsystem.
- 4 In the sldvdemo\_sbr\_verification\_fixed model, to start the analysis, double-click the Run block.

The analysis proves the validity of the property.

# See Also

## **More About**

- "Property Proving Using MATLAB Function Block" on page 12-40
- "Property Proving Using MATLAB Truth Table Block" on page 12-41

# **Prove Properties in a Subsystem**

If you have a large model, you can prove the properties of a subsystem in the model and review the analyses in smaller, manageable reports. The workflow for proving properties in a subsystem is:

- **1** Open the model that contains the subsystem.
- 2 Make the subsystem atomic.
- **3** Run Simulink Design Verifier using the **Prove Properties of Subsystem** option.
- **4** Review the results.

The tutorial in "Generate Test Cases for a Subsystem" on page 7-18 explains how to generate test cases for the Controller subsystem in the Cruise Control Test Generation model. The steps for proving properties are similar to those for generating test cases, except that you select the **Prove Properties of Subsystem** option instead of the **Generate Tests for Subsystem** option.

# **Model Requirements**

The Simulink Design Verifier block library includes a sublibrary Example Properties. The Example Properties sublibrary includes:

- "Basic Properties" on page 12-24 Four examples that demonstrate how to prove basic properties.
- "Temporal Properties" on page 12-26 Four examples that demonstrate how to define temporal properties on Boolean signals

The workflow for using these examples in your model is:

- **1** Copy these examples into your Verification Subsystem block.
- **2** Adapt them, if required, for the specific properties that you want to prove.
- **3** Run the Simulink Design Verifier analysis to prove that the assertions in these examples never fail.
- 4 If the assertion fails, the software creates a counterexample that causes the assertion to fail and then generates a harness model.
- **5** On the harness model, execute the counterexample to confirm that the assertion fails with that counterexample.

## **Basic Properties**

To view the Basic Properties examples:

**1** Open the Simulink Design Verifier block library. Type:

sldvlib

- 2 Double-click the Examples sublibrary.
- 3 Double-click the **Basic Properties** block that contains the examples.

The sections that follow describe each example in the Block Properties sublibrary in detail.

## **Conditions that Trigger a Result**

The Simulink Design Verifier Implies block allows you to test for conditions that trigger a result. This example specifies that if condition A is true, result B must always be true.



Implies operation describes conditions that should trigger a result.

## **Increasing or Decreasing Signals**

The two examples in this section specify that a signal is either:

- Always increasing or staying constant
- · Always decreasing or staying constant



Increasing and decreasing operations describe signals that should increase or decrease.

#### **Exclusivity Operation**

This example describes four conditions that should not be true at the same time.



Exclusivity operation describes conditions that should never be true at same time.

### **Conditions with One True Element**

This example specifies that only one of the four input signals can be true.



Mutual exclusivity operation describes conditions that should have exactly one true element.

# **Temporal Properties**

To view the Temporal Properties examples:

**1** Open the Simulink Design Verifier block library. Type:

sldvlib

- 2 Double-click the Temporal Properties sublibrary.
- **3** Double-click the **Temporal Properties** block that contains the examples.

The sections that follow describe each example in the Temporal Properties sublibrary in detail.

## Synchronize the Output with the Input

When the input In1 equals ACTIVE, the input In2 is set to INACTIVE after five time steps.



### Make a Signal Inactive After a Delay

In this example, after five consecutive time steps where the SENSOR\_HIGH input is true, the CMD signal becomes true. CMD is true as long as SENSOR\_HIGH is true, unless the block is reset by the MANUAL\_RESET signal.



## Extend a True Signal

In this example, after the input becomes true, the output becomes true for the number of time steps specified in the Detector block, in this case, 5. The input remains true for 5 time steps as well.



### Test the Input Against a Specified Threshold

When the input In3 equals ON and the input In4 is less than the constant THRESHOLD, In3 is set to OFF within five time steps.



# See Also

## **More About**

- "Debounce Temporal Properties" on page 12-43
- "Power Window Controller Temporal Properties" on page 12-46

# **Isolate Verification Logic with Observers**

You can isolate the verification logic in a model by using Observer Reference blocks. Use Observer Reference blocks when you want to keep the verification logic separate from your design model. When you use an Observer Reference, you can make changes to the Observer model without changing the design model. Using Observer Reference blocks can help you specify properties or requirements early in the model design or across multiple model designs. The Observer Reference block also allows you to:

- Model design requirements as properties and prove them using Simulink Design Verifier.
- Establish baseline results based on the captured output and detect model regressions.
- Generate test cases for functional design requirements using custom test objectives.



Double-click an Observer Reference block to open the Observer model. Observer Reference blocks can only be at the top level of a system model and do not have input ports. For more information, see "Access Model Data Wirelessly by Using Observers" (Simulink Test).

# **Replace a Verification Subsystem with an Observer Reference Block**

When authoring custom verification objectives, the Observer Reference block can be used in place of the Verification Subsystem block. The Observer Reference block references a separate verification model called the Observer model that you use to verify your system model. Converting a Verification Subsystem block to an Observer Reference block can declutter a system model. To convert a Verification Subsystem block to an Observer Reference block, right-click the verification subsystem and select **Observers > Move selected block to Observer > New Observer**. This operation cannot be undone. This action adds an Observer Reference block to your system model and opens the Observer model. You must save the Observer model in a writable folder on the MATLAB path.

Consider the case where the model sldvdemo\_debounce\_validprop contains the Verification Subsystem block Verify Output.



By converting the subsystem to an Observer Reference block, you remove the signals that connect subsystem to the system model while preserving the ability to test the integrity of the system.



The two signals, debounce and raw, are automatically mapped to two Observer Port blocks in the Observer model, sldvdemo\_debounce\_validprop\_Observer1.

| Observable Area:                                                                                                                                                                                                                                                                               | Filter Observable Area | _ | Observer: | Filter Observer |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------|---|-----------|-----------------|
| <ul> <li>▼ sldvdemo_debounce_</li> <li>Yaraw</li> <li>+2 Outport1</li> <li>&gt; Constant</li> <li>&gt; Constant1</li> <li>&gt; Constant1</li> <li>&gt; Switch</li> <li>Gebounce</li> <li>+2 Outport1</li> <li>Goff</li> <li>Goff</li> <li>Gon</li> <li>Wait</li> <li>&gt; debounced</li> </ul> | validprop              |   |           |                 |

You can verify the properties of sldvdemo\_debounce\_validprop without making any changes to the design model.

# **Report on Observer Reference Blocks**

If your model includes an Observer Reference block, the Simulink Design Verifier analysis report shows the property proving, test case generation, and design error information for the Observer Reference blocks in the **Observer Model(s)** subsection and the design model information in the **Design Model** subsection. For more information, see "Review Results" on page 13-35.

## Limitations

- Simulink Design Verifier does not support:
  - Observer models that include Model blocks
  - Observer models observing a constant signal
  - Applying block replacement rules to Observer models
  - Observer models that run at a different base rate than the design model
  - Tuning the parameters inside an Observer model
  - Test generation for code generated by Embedded Coder for models that contain Observer Reference blocks
  - Observer model that uses variable-step solver settings to execute the analysis

**Note** If an Observer model includes any of the restrictions in this list, the software ignores the corresponding Observer Reference block during the analysis.

- Simulink Design Verifier analysis returns an error when you:
  - Analyze standalone Observer models
  - Perform subsystem extraction on an Observer Reference block

## See Also

Observer Port (Simulink Test) | Observer Reference (Simulink Test) | "Use Observer Reference Blocks for Property Proving Analysis" on page 12-70 | "Use Observer Reference Block for Test Case Generation" on page 7-130

## **External Websites**

• "Access Model Data Wirelessly by Using Observers" (Simulink Test)

# **Property Proving with an Invalid Property**

This example shows how to find an invalid property using Simulink® Design Verifier<sup>™</sup> property proving analysis. It attempts to prove that when the sum of the current and six previous input values is greater than 6, the output equals 2. In this case, the property is invalid because a single large input value (e.g. 255) causes the sum to be greater than 6. Simulink Design Verifier produces a counterexample that demonstrates the violation.

open\_system('sldvdemo\_debounce\_falseprop');





# **Property Proving with Multiple Properties**

This example shows how to perform a property proving analysis with multiple properties. The model is configured for the analysis to attempt to prove that:

- When the current and six previous input values are true, the output will be true.
- When the current and six previous input values are false, the output will be false.

open\_system('sldvdemo\_debounce\_validprop');





# **Property Proving with an Assumption Block**

This example shows how to perform a Simulink® Design Verifier<sup>™</sup> property proof using a Proof Assumption block. It attempts to prove that when the sum of the current and six previous input values is greater than 6, the output equals 2. The model includes a Proof Assumption block that constrains the input to be 0 or 1. Simulink Design Verifier searches for violations of 20 or fewer time steps. It is unable to find a violation because the property is valid under the assumption.

open\_system('sldvdemo\_debounce\_assumeblk');



Copyright 2006-2023 The MathWorks, Inc.

# **Property Proving Workflow for Cruise Control**

This example shows how to find a property violation by using Simulink® Design Verifier<sup>™</sup> property proving analysis. You model safety requirements as properties and then verify the design model against requirements.

When you perform property proving analysis, Simulink Design Verifier generates a counterexample that you use to debug the property violation.

### Step 1: Open the Model

The sldvdemo\_cruise\_control\_verification model contains a model reference to the sldvdemo\_cruise\_control\_defective design model. The design model is a cruise control system that consists of a PI Controller that computes the throttle output based on the difference between the actual and target speed.

open\_system('sldvdemo\_cruise\_control\_verification');



Copyright 2006-2020 The MathWorks, Inc.

The safety properties for the throttle output are modeled in the Safety Properties verification subsystem by the Assertion block.

#### open\_system('sldvdemo\_cruise\_control\_verification/Safety Properties');

Property: When the brake is applied for three consecutive steps, the throttle goes to zero.



#### **Step 2: Perform Property Proving Analysis**

#### On the **Design Verifier** tab, click **Prove Properties**.

After the analysis completes, the Results Summary window reports that one objective was falsified.

The harness model is generated and the Signal Builder dialog box opens and displays the counterexample.



#### Step 3: Simulate the Counterexample to Replicate the Error

In the Signal Builder dialog box, click the **Start simulation** button > .

The Diagnostic Viewer window displays an error stating that the simulation was terminated because an assertion occurred at time 0.04.

Optionally, you can debug the property violation by using the Model Slicer. For more information, see "Debug Property Proving Violations by Using Model Slicer" on page 12-55.

## Step 4: Open the Fixed Model

The erroneous behavior exhibited by the counter example is fixed in the sldvdemo\_cruise\_control\_verification\_fixed model.

open\_system('sldvdemo\_cruise\_control\_verification\_fixed');



Copyright 2006-2020 The MathWorks, Inc.

In the property proving workflow, you may be required to redesign the system and/or redefine the property and perform such iterations.

Open the referenced model sldvdemo\_cruise\_control\_fixed and open the Controller subsystem. In this subsystem, the updated design model resets the throttle output when Active Control is active.

On the **Design Verifier** tab, click **Prove Properties**. After the analysis completes, the Results Summary window reports that the objective is valid.

### See Also

• "Workflow for Proving Model Properties" on page 12-4

• "Prove System-Level Properties Using Verification Model" on page 12-20

# **Property Proving Workflow for Fixed-Point Cruise Control with Block Replacements**

This example shows how to prove properties in a fixed-point cruise control algorithm. It references the design model using model reference so that the original design model is unchanged. A block replacement rule specifies the property that checks if an overflow is possible. The verification subsystem specifies an assumption on the range of the speed input during property proving. This model configures Simulink Design Verifier to apply a block replacement to the Sum block that feeds the outport of the fixed-point PI Controller in the referenced model and return a counterexample that demonstrates an overflow.

open\_system('sldvdemo\_cruise\_control\_fxp\_verification');



Copyright 2006-2019 The MathWorks, Inc.

# **Property Proving Using MATLAB Function Block**

This example shows how to verify the seat belt reminder design model. The Safety Properties block below it contains a property specified in MATLAB® that indicates when the icon should be active. Simulink® Design Verifier<sup>™</sup> analyzes the design model and safety property to prove correctness or to identify counterexamples. In this model, the property is violated because the design implicitly assumes that the KEY input starts at 0 and changes by increments of 1.

open\_system('sldvdemo\_sbr\_verification');



Copyright 2006-2023 The MathWorks, Inc.

# **Property Proving Using MATLAB Truth Table Block**

This example shows how to verify the seat belt reminder design model referenced in the top block above. The Safety Properties block below it contains a property specified in MATLAB Truth Table that indicates when the SeatBeltIcon output should be active. Simulink Design Verifier analyzes the design model and safety property to prove correctness or to identify counterexamples. In this model, the property is proven under the explicit assumption that the KEY input starts at 0 and changes by increments of 1.

open\_system('sldvexSBRVerificationTruthTableFixedExample');

?

# Simulink Design Verifier Property Proving Using MATLAB Truth Table Block



Part 2: Proving properties valid

Copyright 2013-2023 The MathWorks, Inc.

# **Property Proving Workflow for Thrust Reverser**

This example shows how to verify safety properties in a thrust reverser design model. The Properties block below it contains four safety properties. Simulink® Design Verifier<sup>™</sup> analyzes the design model and safety properties to prove correctness or to identify counterexamples. The use of model referencing eliminates the need to add verification content to the design model, allowing the verification content to exist independently from the design.

open\_system('sldvdemo\_thrustrvs\_verification');



Copyright 2006-2023 The MathWorks, Inc.

# **Debounce Temporal Properties**

This example shows how to model temporal system requirements for property proving and test case generation using Simulink® Design Verifier<sup>™</sup> Temporal Operator blocks.

### **Temporal Operators**

The Simulink® Design Verifier<sup>™</sup> library provides three basic temporal operator blocks can be used to model temporal properties. The intent of the temporal operators is to support the specification of temporal requirements, such that the modeled property has a closer co-relation to the actual textual requirement. These blocks are low-level building blocks for constructing more complex temporal properties.

#### **Debounce Model and Requirements**

Consider a debounce logic that debounces between values of 0 and 1 based on the input holding a value for a fixed number of time steps.

The debounce functionality is captured in the containing Stateflow® chart.

```
open_system('sldvdemo_debounce_to')
open_system('sldvdemo_debounce_to/debounce')
```



Consider two requirements of the debounce model that you would like to verify.

### **Requirement 1:**

Whenever the input equals 1 for more than 6 steps, the output shall be equal to 2.

### **Requirement 2:**

Whenever the input becomes 0 for more than 5 steps after the output was 2, the output shall equal 1 as long as the input stays at 0.

#### **Property Specification**

For specifying **Requirement 1**, you first represent the constraint that **input equals 1 for more than 6 steps**. This can be captured by the Detector block from the Temporal Operator Blocks Library. On detecting that the input value is 1 for 7 (or more than 6) time steps, you want to check that the output equals 2 as long as input stays equal to 1 after the detection. Use the "Synchronized" option of the Detector block followed by an Implies block to capture this.

open\_system('sldvdemo\_debounce\_to/Verify True Output1')



Multiple temporal operator blocks can be combined to construct more complex temporal properties. Consider **Requirement 2**.





For illustration, this requirement is broken down roughly into three pieces of interest:

- 1 After the output was 2: This is an enabling condition for your property. While checking the rest of the constraints, you want to know if this condition was true at some point in the past. This type of an enabling condition is typically followed by an Extender (either "Finite" or "Infinite") that, in combination with other constraints, might form the first input to your implication.
- 2 The input becomes 0 for more than 5 steps and check something as long as input stays 0: For the same reason as the first property, you use a Detector with "Synchronized" output ("Time steps for input detection" = 6).

**3** The output shall equal 1: This is the condition that you want to verify whenever the first two constraints hold. This is captured through a logical Implies block. Note that you cannot use Within Implies block here.

### **Property Proving**

Once the temporal requirements have been modeled, you can perform property proving on these using Simulink Design Verifier.

### **Clean Up**

To complete the example, close all the opened models.

```
close_system('sldvdemo_TOBlocks',0);
close_system('sldvdemo_debounce_to',0);
```

# **Power Window Controller Temporal Properties**

This example shows how to model temporal system requirements in a power window controller model for property proving and test case generation using Simulink® Design Verifier<sup>™</sup> Temporal Operator blocks.

### **Temporal Operators**

The Simulink® Design Verifier<sup>™</sup> library provides three basic temporal operator blocks which can be used to model temporal properties. The intent of the temporal operators is to support the specification of temporal requirements, such that the modeled property has a closer correlation to the actual textual requirement. These blocks are low-level building blocks for constructing more complex temporal properties.

## **Power Window Controller**

The power window controller responds to the driver and passenger commands by giving the commands for moving the window up or down. It also responds to an obstacle and to reaching the end of the window frame in either direction.

Consider the following two requirements for the power window controller:

## **Requirement 1 (Obstacle Response)**

Whenever an obstacle is detected, the controller shall give the down command for 1 second.

### **Requirement 2 (AutoDown feature)**

If the driver presses the down button for less than 1 second, the controller keeps giving the down command until the end has been reached or the driver presses the up button.

```
%Model of the power window controller
open_system('sldvdemo_powerwindowController')
open_system('sldvdemo_powerwindowController/control')
```



#### **Property Specification**

The power window verification system is the top-level model that contains a model reference to the power window controller model specifying the controller behavior and the modeled requirements.

```
%Model of the top-level verification system
open_system('sldvdemo_powerwindow_vs')
```



## **Power Window Controller Temporal Property Specification**

Copyright 1990-2010 The MathWorks, Inc.

**Global Assumptions:** The power window controller is an open system. This makes the environment controlled inputs, obstacle and endstop (end of the window frame) to occur freely. To constrain the environment, add two global assumptions for your controller model.

1) The obstacle and the endstop inputs never become true at the same time.

2) The obstacle does not occur multiple times within the following 1-second interval.

For the temporal assumption on obstacle, use a Detector block with output type of "Delayed Fixed Duration" to capture the fixed duration of 1 second (5 time steps with 0.2 sample time).

# % Global Assumptions open\_system('sldvdemo\_powerwindow\_vs/Global Assumptions')

#### These assumptions using the 'Assumption' blocks apply globally to all property proofs



1. Obstacle and EndStop not true simultaneously 2. Obstacle shall not occur multiple times within the following 1 sec interval.



Now consider the first controller requirement for **Obstacle Response**.

```
% Obstacle Response
open_system('sldvdemo_powerwindow_vs/Verification Subsystem2')
```

# Requirement:

Whenever an obstacle is detected, then the down command shall be given for 1 second.



Here, use the Detector block with output type of "Delayed Fixed Duration" for the property specification. After detection of the obstacle, construct a fixed interval of 4 steps. Note that the input is not observed during the output construction phase for the Detector with "Delayed Fixed Duration" output type. In the case where the obstacle can occur freely in absence of the assumption, you might wish to observe all the intermediate occurrences of the obstacle. This can be achieved through an Extender block with "Finite" extension duration of 4 time steps.

Now consider the AutoDown feature of the power window controller.



#### Requirement (Autodown)

If the driver presses the down button for less than 5 steps, then the controller gives the down command as long as end has not been reached or the driver presses the up button.



For illustration, consider this property specification in smaller parts:

- 1 The first temporal duration of interest, "driver presses the down button for less than 1 second", is captured by Detector1. At sample rate of 0.2, the 1-second interval is broken down into 5 time steps. On detection of the down signal, Detector1 constructs a 5-step fixed temporal duration at its output, which you will subsequently use in combination with other constraints.
- 2 For the AutoDown feature, you know that the down signal cannot be pressed for more than 1 second, or 5 time steps. Thus, you want to ensure that both driver up and down are "true" or both are "false" in less than 5 steps after down is pressed. By taking the AND of this driver neutral and the Detector output, enforce the constraint that driver down can be pressed for any number of consecutive time steps less than 5.
- **3** You also need to ensure that, during this period, other signals such as obstacle, EndStop and DriverUp are not true, since these will take the controller out of responding to the down press. This is captured using Detector2 by enforcing that NOT(HaltDown) is true for 5 time steps.

Detector2 has "Delayed Fixed Duration" output type. It also has "Time steps for input detection" = 5 and "Time steps for output duration" = 1.

- 4 Take the AND of these constructed durations.
- 5 For the AutoDown feature, you do not want to limit the number of time steps for which the controller gives the down command. You know that you want the controller to keep giving the down command as long as the driver does not press an up or down command again, or an obstacle or the physical end of the window frame is not hit. This behavior can be captured by the Extender block with "Infinite" extension period and an external reset signal that encodes the condition to end the extension.
- **6** The final piece is an Implies block that takes the temporal duration constructed as explained above and checks if the controller down command is true for every time step of this duration.

Once you have this initial property specification, you can use it for property proving with Simulink Design Verifier. You will get a counterexample for this property. The counterexample shows a scenario where the down command is given when the controller was in the emergency down state due to the response to an earlier detected obstacle. After you add a constraint to avoid this, you will get another counterexample: if the down button is pressed when previously the up command was being given, the AutoDown feature is disabled and the down command is given only as long as the down button is pressed. Looking at these counterexamples and observing the model, you can see a pattern that the AutoDown feature is enabled only when the controller is in a neutral state to begin with when the driver presses the down button.

Incorporate this constraint by forcing the controller output to be neutral - neither up nor down command is true - as a precondition for the AutoDown property. This property is proven valid.

% Valid AutoDown
open\_system('sldvdemo\_powerwindow\_vs/Verification Subsystem3')



#### Requirement (Autodown)

If the driver presses the down button for less than 5 steps, then the controller gives the down command as long as end has not been reached or the driver presses the up button.



### **Test Case Generation for Property Validation**

Once the properties are specified, in addition to property proving, you can run Simulink Design Verifier to automatically generate test cases that exercise various conditions in the property. This can be achieved by placing custom Test Objective blocks at appropriate locations in the property.

One such location to place a Test Objective block (with "true" value) is on the signal feeding into the first input of the Implies block (as shown in the above property). On running test generation, this Test Objective is satisfied and you will get a test case exercising the various constraints encoded in the property. Simulink Design Verifier can also create a test harness to simulate this test case. The Signal Builder block with relevant signals is shown below.



One can now simulate this test case, and see how the temporal durations are created in the property by placing a scope that displays the input and output values of the two Detector blocks and No\_Cmd.



Manually inspecting the test case values enables you to see if the specified property behaves as intended.

This Test Objective block helps in identifying a scenario where the property is valid while the Implies block is not trivially true. An Implies block is trivially true when its output is true because of its first input being false. When you get a test case satisfying this Test Objective, you know that there is at least one case where the first input to the Implies block is true.

This exercise can help you validate your property specifications by manually inspecting the test cases automatically generated by Simulink Design Verifier.

#### **Clean Up**

To complete the example, close all the opened models.

```
close_system('sldvdemo_TOBlocks',0);
close_system('sldvdemo_powerwindowController',0);
close_system('sldvdemo_powerwindow_vs',0);
```

## **Debug Property Proving Violations by Using Model Slicer**

This example shows how to debug property proving violations by using Model Slicer. Consider the model sldvdemo\_cruise\_control\_verification. This model contains an **Assertion** block.

The Verification subsystem **Safety Properties** models a property that should hold true for the design model. This subsystem contains an **Assertion** Block (BrakeAssertion) that verifies the property. Simulink Design Verifier Property Proving analysis will try to falsify the assertion. If Simulink Design Verifier is successful it will generate a counterexample falsifying the assertion. We can use Model Slicer to debug this falsified assertion.

1. Open model sldvdemo\_cruise\_control\_verification.

open\_system ('sldvdemo\_cruise\_control\_verification')



Copyright 2006-2020 The MathWorks, Inc.

2. Open Simulink Design Verifier by clicking on **Apps > Design Verifier**.

3. Click **Prove Properties**. Simulink Design Verifier analyses the model and displays the results in Results Summary window.

| 🚡 Simulink Design Verifier Resul                                                                                                                | ts Summary: sldvdemo                         | o_cruise_control_verification_ | _replace X   |
|-------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|--------------------------------|--------------|
| Progress                                                                                                                                        |                                              |                                |              |
| Objectives processed<br>Valid<br>Falsified                                                                                                      | 1/1<br>0<br>1                                |                                |              |
| Elapsed time                                                                                                                                    | 0:25                                         |                                |              |
| Property proving completed r                                                                                                                    | ormally.                                     |                                |              |
| 1/1 objective falsified                                                                                                                         |                                              |                                |              |
| Results:                                                                                                                                        |                                              |                                |              |
| Highlight analysis results     View tests in Simulation     Detailed analysis report     Open harness model     Export test cases to Simulation | n Data Inspector<br>t: ( <u>HTML</u> ) (PDF) |                                |              |
| Data saved in: <u>sldvdemo_cru</u><br>in folder: <u>C:\Users\pgurajal\[</u>                                                                     |                                              |                                | verification |
|                                                                                                                                                 |                                              |                                |              |
|                                                                                                                                                 |                                              |                                |              |
|                                                                                                                                                 |                                              |                                |              |
|                                                                                                                                                 |                                              | View Log                       | Close        |

The model highlights the subsystem where the **Assertion** block is located.



4. Open Safety Properties subsystem and select the falsified Assertion block.

5. Click **Debug Using Slicer** from the toolstrip menu to debug the violation using Model Slicer. Alternatively, you can click **Debug** in the results Inspector window.

On Clicking either of the entry points the following setup is done on the model:

a. The Assertion block is added as a starting point for Model Slicer.

- b. The model is highlighted with the counterexample generated by Simulink Design Verifier analysis.
- c. The design model is simulated and paused at the time-step of assertion failure.

6. Debug and analyze the model by using the Step Back and Step Forward buttons, and inspecting the Port labels.

- The Assert block tests if the output of **A** implies **B** (A==>B) is **false**.
- A is **true** when the brake input in is **true** for three consecutive time steps.
- **B** is **true** when the **Throttle\_out** <= **0**



You can notice that the simulation is stopped at t=0.04 when the condition A==>B is false. This can be observed from the Port labels.

a. On the **Simulation** tab, click the **Step Back** to see the port labels of all the blocks at T = (T-0.1).



You can notice that the Port label of A is **false** till T=0.04, when it becomes **true**. At this point the Port label of **B** is **false** (Throttle\_Out > 0). The property is falsified because **Throttle\_Out** is greater than 0.

b. To view the blocks that results in the failure, open the **Design Model** > **Controller**. The dependent blocks and path are highlighted.



To view the fix, open sldvdemo\_cruise\_control\_verification model and the click the **Open** Fixed Model button on the canvas.

## **Design and Verify Properties in a Model**

You can use Simulink® Design Verifier<sup>™</sup> to model design requirements as properties and then prove properties in a model. To verify that the properties associated with the model requirements hold under all possible input values, use property proving analysis. If the requirement fails, Simulink Design Verifier provides counterexamples to debug the failure.

This example explains how you can model design requirements as properties by using a Proof Objective block and then verify the property for simplified cruise control model discussed in "Analyze a Simple Cruise Control Model".

### Step 1: Design Property Using Verification Subsystem

The model sldvexSimpleCruiseControlProperties consists of Verification Subsystem, that consists of function requirements modeled by using Proof Objective block.

```
load_system('sldvexSimpleCruiseControlProperty');
open_system('sldvexSimpleCruiseControlProperty/Verification Subsystem');
```



#### **Step 2: Perform Property Proving Analysis**

On the **Apps** tab, click arrow on the far right of the Apps section. Under **Model Verification**, **Validation**, **and Test** gallery, click **Design Verifier**.

To perform property proving analysis, click **Prove Properties**. The software analyzes the model and displays the results in the Results Summary window. The result indicates that one objective is valid under approximation.

| Progress                                                                                                                                                                                                                             |            |  |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|--|
| Objectives processed<br>Valid                                                                                                                                                                                                        | 1/1        |  |
| Falsified                                                                                                                                                                                                                            | ő          |  |
| Elapsed time                                                                                                                                                                                                                         | 0:52       |  |
|                                                                                                                                                                                                                                      |            |  |
| Property proving complete                                                                                                                                                                                                            | d normally |  |
|                                                                                                                                                                                                                                      | a normany. |  |
| 1/1 objective valid under approximation                                                                                                                                                                                              |            |  |
| Results:                                                                                                                                                                                                                             |            |  |
| <ul> <li>Highlight analysis results on model</li> <li>Detailed analysis report: (HTML) (PDF)</li> </ul>                                                                                                                              |            |  |
| Data saved in: <a href="mailto:sldvexSimpleCruiseControlProperty_sldvdata.mat">sldvexSimpleCruiseControlProperty_sldvdata.mat</a><br>in folder: <a href="mailto:H:\Documents\MATLAB\sldv_output">H:\Documents\MATLAB\sldv_output</a> |            |  |
| \sldvexSimpleCruiseContro                                                                                                                                                                                                            | biProperty |  |

### Step 3: Review Analysis Results

On the **Design Verifier** tab, in the Review Results section, click **Highlight in Model**.

The property that is valid under approximation is highlighted in orange. Click the Proof Objective block. The Results Inspector window displays the objectives of the Proof Objective block.



To view the HTML report, in the Review Results section, click **HTML Report**. The Proof Objective Status chapter lists the proof objective that is found valid under approximation.

## **Objectives Valid under Approximation**

| # | Туре               | Model Item                                       | Description  | Analysis<br>Time<br>(sec) | Counterexample |
|---|--------------------|--------------------------------------------------|--------------|---------------------------|----------------|
|   | Proof<br>objective | <u>Verification</u><br>Subsystem/Proof Objective | Objective: T | 51                        | n/a            |

### See also

- "What Is Property Proving?" on page 12-2
- "Prove Properties in a Model" on page 12-5

## Validate Requirements by Analyzing Model Properties

Validate a requirement set by analyzing properties that model individual requirements. Falsified properties indicate design and requirement set incompleteness.

#### Overview

In this example, you analyze model properties that are based on four requirements of an engine thrust reverser system. Falsified results from the property analysis suggest that the system design requirements are incomplete -- the system allows behavior that violates several of the following requirements:

- **1** The thrust reverser shall not deploy if the airspeed is greater than 150 knots.
- 2 The thrust reverser shall not deploy if the aircraft is in the air, as indicated by the value of the weight on wheels sensors. If the aircraft is in the air, the signal value for each of two weight on wheels (WOW) sensors is false.
- 3 The thrust reverser shall not deploy if the value of either thrust sensor is positive.
- **4** The thrust reverser shall not deploy if the rotational speed of the landing gear wheels is less than a threshold value.

To better understand the model behavior, you analyze dependencies for a time series input that causes undesirable model behavior because the system lacks required control logic. Then, you analyze a revised control system model which passes the property analysis.

#### Analyze the Safety Properties

1. Click the **Open Model** button to open the original model and create a working directory of the example files.



### **Requirements Validation Using Property Analysis Example**

Copyright 2019-2020 The MathWorks, Inc.

The Safety Properties subsystem is a Verification Subsystem block from the Simulink® Design Verifier<sup>™</sup> library. The verification logic in Safety Properties models the safety requirements. For example, the airspeed requirement is verified by:



If average airspeed > 150 knots, deploy cannot be true.

For more information about Verification Subsystem blocks, see Verification Subsystem.

2. View the requirements. In the model, click the **Show Perspectives views** icon at the lower right and select **Requirements**. The **Requirements** pane opens. Expand thrust\_reverser\_safety\_requirements.

The safety requirements link to the Assertion blocks in the Safety Properties subsystem. The Assertion blocks are considered proof objectives. The verification status for each requirement reflects the property analysis results of its corresponding Assertion block.

3. Display the verification status for the requirements. Right-click one of the requirements in the browser and select **Verification Status**. The **Verified** column indicates that the requirements are unexecuted.

|     | Index                               | ID   | Summary              | Verified |
|-----|-------------------------------------|------|----------------------|----------|
| × 🔓 | thrust_reverser_safety_requirements |      |                      |          |
|     | ■ 1                                 | R1.1 | Airspeed Condition   |          |
|     | ≣ 2                                 | R1.2 | WOW Condition        |          |
|     | ≣ 3                                 | R1.3 | Throttle Condition   |          |
|     | ≣ 4                                 | R1.4 | Wheelspeed Condition |          |

4. Analyze the model properties. In the **Apps** tab, click **Design Verifier**. In the **Design Verifier** tab, click **Prove Properties**.

When the property analysis completes, click the **Refresh** button to update the status in the **Verified** column. The results show that three out of four objectives are falsified -- analysis found a signal condition that falsifies the properties, and therefore violates the requirements.



#### **Analyze Model Behavior with Counterexamples**

From the Design Verifier Results Summary window, click **HTML** to open the detailed analysis report. In Chapter 4, each falsified property lists a counterexample. For example, in the counterexample that falsifies the airspeed requirement:

- At t = 0.1, the thrust reverser is deployed with airspeed below the threshold.
- At t = 0.2, the thrust reverser is still deployed with airspeed above the threshold.

The counterexample time series indicates a condition that might be difficult to encounter in simulation, but nonetheless causes model behavior that violates a requirement. Investigate the behavior by analyzing signal dependencies in the counterexample:

1. In the **Design Verifier** tab, click the **Highlight in Model** button.

2. Select the airspeed valid assertion block in the **Test Unit > Safety Properties > airspeed property** subsystem.

3. In the **Design Verifier** tab, click the **Debug Using Slicer** button. The model highlights dependencies of the airspeed valid assertion, and displays signal values at T = 0.2.



4. Move up one level in the model, to the **Safety Properties** subsystem. Step back through the counterexample simulation time. In the **Simulation** tab, click **Step Back**.

5. At T = 0.1, the average airspeed is below the threshold, and the thrust reverser is deployed. Stepping forward, at T = 0.2, the average airspeed is above the threshold, and the thrust reverser is still deployed. This violates a requirement.



The falsified property and the dependency analysis suggest that the control system algorithm is incompletely designed, and the requirements are incomplete.

### Analyze the Redesigned System

Redesigning a control system requires rethinking requirements. In this case, the lack of an intermediate standby state allows undesirable system behavior when inputs change suddenly. Adding an intermediate deployment mode which delays thrust reverser response resolves the issue.

Open the reqs\_validation\_property\_proving\_redesigned\_model model. Open the thrustReversers chart.



### **Requirements Validation Using Property Analysis Example**

Copyright 2019-2020 The MathWorks, Inc.



The additional design requirement states that the thrust reverser shall deploy after a pause. The redesigned model includes:

- An additional aboutToBeDeployed state.
- Expanded transition conditions that return to undeployed.

Create links from the verification blocks in the redesigned model to the requirements:

- 1. In the model, from the Apps tab, click Requirements Manager.
- 2. In the **Requirements** tab, click **Requirements Editor**.

3. Open thrust\_reverser\_safety\_requirements in the Requirements Editor.

4. For requirement 1.1, Airspeed Condition, link to the airspeed valid block in the Safety Properties > airspeed property subsystem. Drag R1.1 from the requirements browser to the airspeed valid block in the model.

5. The new link appears in the Requirements Editor, in the right pane, under Links.

6. Delete the link to the assert block in the original model. If the original model is closed, this link appears unresolved. Next to the link, click the **Delete Link** icon.

| ▼ Links                                                                                                                |                                        |
|------------------------------------------------------------------------------------------------------------------------|----------------------------------------|
| <ul> <li>□ ← Verified by:</li> <li>▲ reqs_validation_property_proving_</li> <li>△ airspeed valid</li> <li>③</li> </ul> | original_model:5:29 ♂ ¥<br>Delete Link |

7. Repeat for the other three requirements and verification blocks in the redesigned model.

Run the property analysis on the revised model. View the results in the Requirements pane.



The results show that the properties are valid.

¥

## **Use Observer Reference Blocks for Property Proving Analysis**

This example shows you how to use an Observer Reference block to perform property proving analysis with multiple properties without making changes to the model. In this example, you replace an existing verification subsystem with an Observer Reference block. However, you can add an Observer Reference block to your model even if your model does not have a verification subsystem to replace. For more information, see "Access Model Data Wirelessly by Using Observers" (Simulink Test).

The model **sldvdemo\_debounce\_validprop** is configured for analysis and attempts to prove that:

- 1 When the current and six previous input values are true, the output will be true.
- 2 When the current and six previous input values are false, the output will be false.

For a detailed description of the Observer Reference block, see "Isolate Verification Logic with Observers" on page 12-29.

#### Step 1: Open the Model

The sldvdemo\_debounce\_validprop model contains a verification subsystem called Verify Output. For more information on the Verification Subsystem, see Verification Subsystem. To open the model, enter:

```
open_system('sldvdemo_debounce_validprop');
```





#### Step 2: Replace the Verification Subsystem with an Observer Reference Block

Perform these steps to create a new Observer Reference block and replace the Verify Output verification subsystem.

1. Right-click the Verify Output subsystem. In the context menu, click **Observers > Move selected block to Observer > New Observer**.

2. Click **Yes** in the dialog box that appears.



3. An Observer Reference block replaces the verification subsystem. The sldvdemo\_debounce\_validprop\_Observer1 Observer model opens.

4. Save sldvdemo\_debounce\_validprop\_Observer1 in a writable folder on the MATLAB path.

5. Double-click one of the Observer Port blocks to open the Manage Observer Block window. The two signals, debounce and raw, are automatically map to the two Observer Port blocks in the sldvdemo\_debounce\_validprop\_Observer1 Observer model.

| Manage Observer                                                                                                                                                                                                                                        | Block 'sldvdemo_deb         | ounce_validprop/Verif                            | y Output'       |    |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|--------------------------------------------------|-----------------|----|
| The left panel shows the block hierar<br>Observer model. Select an entity in the<br>or delete. Right click on tree nodes for                                                                                                                           | ne left panel to observe, o | U .                                              | -               |    |
| Observable Area: Filter Observal                                                                                                                                                                                                                       | ole Area                    | Observer:                                        | Filter Observer |    |
| <ul> <li>sldvdemo_debounce_validprop</li> <li>raw</li> <li>Constant</li> <li>Constant1</li> <li>Constant1</li> <li>More Info1</li> <li>Switch</li> <li>debounce</li> <li>Cutport1</li> <li>Off</li> <li>On</li> <li>Wait</li> <li>debounced</li> </ul> |                             | 은 Observer P<br>은 Observer P<br>P P Verify Outpu |                 | r1 |

### **Step 3: Perform Property Proving Analysis**

To perform the property proving analysis, follow these steps:

1. In the top-level model, on the **Design Verifier** tab, click **Prove Properties**.

2. After the analysis completes, the Simulink Design Verifier Results Summary window reports that two objectives are satisfied.

3. Open the HTML analysis report to see a detailed report that includes information about the toplevel model and Observers.

### Step 4: Review the Property Proving Analysis Report

The analysis report shows the Observer information for property proving in the Observer Model(s) section of the Properties chapter.

## 4.2. Observer Model(s)

This section contains information about each property in the observer model(s).

### 4.2.1. Verify Output/FoutCorrect

### Summary

Model Item: <u>Verify Output/FoutCorrect</u> Property: Objective: T Status: Valid

### 4.2.2. Verify Output/ToutCorrect

### Summary

Model Item: <u>Verify Output/ToutCorrect</u> Property: Objective: T Status: Valid

### Step 5: Cleanup

Close the model.

bdclose('sldvdemo\_debounce\_validprop');

### **Related Topics**

• "Isolate Verification Logic with Observers" on page 12-29

## **Prove Properties with Requirements Table Blocks**

This example shows how to use a Requirements Table block and Simulink® Design Verifier<sup>™</sup> to prove the properties of a engine thrust reverser system.

When you use a Requirements Table block and Simulink Design Verifier for property proving:

- 1 Each requirement in the block defines a formal requirement that you can use to test properties of a model, subsystem, or block. In this example, the Requirements Table block represents the requirements as preconditions and postconditions.
- 2 Each requirement in the block produces a corresponding requirement in the Requirements Editor. See "Configure Properties of Formal Requirements" (Requirements Toolbox).
- 3 Simulink Design Verifier produces proof objectives for the requirements in the requirement set. The postconditions define the logical conditions that you would normally define in Proof Objective blocks. The block evaluates the proof objective associated with a postcondition only if the precondition is true.

For more information, see "Use a Requirements Table Block to Create Formal Requirements" (Requirements Toolbox) and "What Is Property Proving?" on page 12-2.

#### View the Requirements in the Requirements Table Block

Open the example model, property\_proving\_reqtable. In this example, you test the properties of the engine thrust reverser system, which is modeled by the chart, ThrustReverserDeployLogic. The Requirements Table block uses the chart input signals and deploy output signal to observe the chart behavior. The block defines data in expressions to assess the inputs and outputs of the chart. See "Define Data in Requirements Table Blocks" (Requirements Toolbox).



Prove Properties with a Requirements Table Block

Copyright 2022 The MathWorks, Inc.

To view the verification logic associated with each requirement, open the Requirements Table block. The requirements correspond to the requirements in the requirement set used in the example "Validate Requirements by Analyzing Model Properties" on page 12-63. The block proves these properties:

- **1** The thrust reverser shall not deploy if the airspeed is greater than 150 knots.
- 2 The thrust reverser shall not deploy if the aircraft is in the air, as indicated by the value of the weight on wheels sensors. If the aircraft is in the air, the signal value for each of two weight on wheels (WOW) sensors is false.
- 3 The thrust reverser shall not deploy if the value of either thrust sensor is positive.
- **4** The thrust reverser shall not deploy if the rotational speed of the landing gear wheels is less than a threshold value.

Each requirement defines a property. If the preconditions are valid, the postcondition must also be satisfied to prove the property.

| Index | Summary                                                                                                                                                                                                                                        | Precondition                             | Postcondition<br>deploy |
|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|-------------------------|
| 1     | Thrust reverser shall not deploy if airspeed is greater than 150.                                                                                                                                                                              | mean(airspeed) > 150                     | false                   |
| 2     | Thrust reverser shall not deploy if the aircraft is<br>in the air, as indicated by the value of the weigh<br>on wheels sensors. If the aircraft is in the air,<br>the signal value for each of two weight on<br>wheels (WOW) sensors is false. | t                                        | false                   |
| 3     | Thrust reverser shall not deploy if the value of either throttle position is positive.                                                                                                                                                         | sum(throttle) >= 3                       | false                   |
| 4     | Thrust reverser shall not deploy if landing gear wheels rotational speed is less than 10.                                                                                                                                                      | wheelspeed(1) < 10 && wheelspeed(2) < 10 | false                   |

### **Prove Properties**

To prove the properties, in the **Design Verifier** tab, click **Prove Properties**. In this example, the properties of the chart are proven. The Requirements Table block highlights the postconditions associated with the proven proof objectives in green.



If the requirement proof objective is falsified, the block highlights the requirement in red. Otherwise, if Simulink Design Verifier is unable to prove or disprove the proof objective, the block highlights the requirement in yellow. You can investigate this behavior by replacing the chart in this example with

the first iteration of the chart used in the "Validate Requirements by Analyzing Model Properties" on page 12-63 example.

### See Also

**Requirements Table** 

## **Related Examples**

- "Prove Properties in a Model" on page 12-5
- "Use a Requirements Table Block to Create Formal Requirements" (Requirements Toolbox)
- "Export Tests from Models That Contain Requirements Table Blocks with Simulink Design Verifier" on page 13-30

# **Reviewing the Results**

- "Highlight Results on the Model" on page 13-2
- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Manage Simulink Design Verifier Harness Models" on page 13-13
- "Simulate Harness Model with Signal Editor Inputs Block" on page 13-22
- "Export Test Cases to Simulink Test" on page 13-27
- "Export Tests from Models That Contain Requirements Table Blocks with Simulink Design Verifier" on page 13-30
- "Review Results" on page 13-35
- "View Log Files" on page 13-56
- "Review Analysis Results" on page 13-57

## **Highlight Results on the Model**

### In this section...

"Results Review with Model Highlighting" on page 13-2

"Simulink Design Verifier Results Inspector" on page 13-2

"Highlight Results on Model Automatically" on page 13-2

"Green Highlighting on Model" on page 13-4

"Red Highlighting on Model" on page 13-4

"Orange Highlighting on Model" on page 13-4

"Gray Highlighting on Model" on page 13-6

## **Results Review with Model Highlighting**

When you analyze a model by using Simulink Design Verifier, the analyzed model objects are automatically highlighted in one of these colors:

- Green
- Red
- Orange
- Gray

You can review the analysis results at a glance by viewing the objects that are highlighted in the Simulink Editor.

## Simulink Design Verifier Results Inspector

When a model is highlighted, you can click an object for which the analysis recorded results. The Simulink Design Verifier Results Inspector then displays the detailed analysis results for that object.

## **Highlight Results on Model Automatically**

During analysis, Simulink Design Verifier highlights the model objects automatically when the objectives status is updated. By default, the automatic highlighting is enabled. To disable the highlighting, click **Disable Highlighting** in the Results Summary window.

| 🚹 Simulink Design Verifie                    | er Results Summary: sldvdemo_cruise_control    | × |
|----------------------------------------------|------------------------------------------------|---|
| Progress                                     |                                                |   |
| -                                            |                                                |   |
| Objectives processed<br>Satisfied            | 21/32 21                                       |   |
| Unsatisfiable                                | 0                                              |   |
| Elapsed time                                 | 0:15                                           |   |
|                                              |                                                |   |
|                                              |                                                | ~ |
| 27-Jun-2017 16:19:00                         |                                                |   |
|                                              | for test generation: model                     |   |
| 'sldvdemo_cruise_cont                        |                                                |   |
| Compiling modeldon<br>Checking compatibility |                                                |   |
| circoning company                            |                                                |   |
| 27-Jun-2017 16:19:01                         |                                                |   |
| vith Simulink Design V                       | trol' is <b>compatible</b> for test generation |   |
| with Simulink Design v                       | enner.                                         |   |
|                                              |                                                |   |
| Generating tests using<br>16:19:01           | compatibility results from 27-Jun-2017         |   |
| 10119101                                     |                                                |   |
| SATISFIED                                    |                                                |   |
| Controller/Logical Ope                       | rator<br>•C2) && (C3    C4) with C1 (Logical   | 5 |
| LUGIC. MEDC (CI da A                         |                                                | • |
|                                              | Disable Highlighting Sto                       | D |

In the Simulink Editor, results highlighting appears on the model. When highlighting is enabled, the Results Inspector opens displaying the summary of status for analysis objectives.



**Note** Simulink Design Verifier does not highlight the Stateflow state transition tables. The Simulink Design Verifier reports, data files, and log files include the analysis data for the state transition tables. Using the report, you can navigate to the state transition tables.

## **Green Highlighting on Model**

Objects that are highlighted in green have the following meaning for each type of analysis.

| Analysis Mode          | Green highlighting                                                                                                              |  |
|------------------------|---------------------------------------------------------------------------------------------------------------------------------|--|
| Design error detection | The analysis did not find overflow or division-by-zero errors.                                                                  |  |
|                        | The analysis did not find dead logic.                                                                                           |  |
|                        | • The analysis did not find intermediate or output signals outside the range of user-specified minimum and maximum constraints. |  |
|                        | • The analysis did not find out of bound array access errors.                                                                   |  |
| Test generation        | The analysis found test cases that satisfy the test objectives.                                                                 |  |
| Property proving       | The analysis found all the proof objectives as valid.                                                                           |  |

## **Red Highlighting on Model**

Objects that are highlighted in red have the following meaning, depending on the analysis type.

| Analysis Mode          | Red highlighting                                                                                                         |
|------------------------|--------------------------------------------------------------------------------------------------------------------------|
| Design error detection | • The analysis found at least one test case that causes overflow or division-by-zero errors.                             |
|                        | The analysis found dead logic.                                                                                           |
|                        | • The analysis found intermediate or output signals outside the range of user-specified minimum and maximum constraints. |
|                        | • The analysis found at least one test case that causes an out of bound array access error.                              |
| Test generation        | The analysis did not satisfy certain test objectives.                                                                    |
| Property proving       | The analysis disproved a proof objective and generated a counterexample that falsified that objective.                   |

If your model contains at least one object highlighted in red, there might be further design errors in your model that Simulink Design Verifier does not highlight in red. If an object in your design causes run-time errors, Simulink Design Verifier might not be able to determine further errors on objects that are downstream of or rely on the results of the object that causes the run-time errors. Resolve the errors that cause the initial red highlighting and rerun the analysis to determine if Simulink Design Verifier highlights other objects in your model as red.

## Orange Highlighting on Model

Objects that are highlighted in orange have the following meaning, depending on the analysis type.

| Analysis Mode          | Orange highlighting                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Design error detection | For the highlighted model object,                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                        | • The analysis did not decide at least one design error detection objective. This situation can occur when:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
|                        | <ul> <li>The analysis is still in progress.</li> <li>The analysis times out.</li> <li>The analysis cannot decide a design error detection objective because of division by zero or nonlinear arithmetic.</li> <li>The software cannot decide a design error detection objective because of stubbing. For more information, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.</li> <li>The software cannot decide a design error detection objective because of limitations of the analysis engine. For example, if the analysis encounters an unbounded while loop, it performs an approximation. For more information, see "Role of Approximations During Model Analysis" on page 2-20.</li> <li>The analysis found dead logic that approximations can impact. For more information, see "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23.</li> </ul> |
|                        | <ul> <li>The analysis found valid objectives that approximations can impact.<br/>For more information, see "How Simulink Design Verifier Reports<br/>Approximations Through Validation Results" on page 2-23.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Test generation        | For the highlighted model object,                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|                        | • The analysis did not decide at least one test objective. This situation can occur when:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                        | The analysis is still in progress.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | <ul> <li>The analysis times out.</li> <li>The analysis cannot decide a test objective because of division by zero or nonlinear arithmetic.</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                        | • The software cannot decide a test objective because of stubbing.<br>For more information, see "Handle Incompatibilities with<br>Automatic Stubbing" on page 2-7.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | • The software cannot decide a test objective because of limitations of the analysis engine. For example, if the analysis encounters an unbounded while loop, it performs an approximation. For more information, see "Role of Approximations During Model Analysis" on page 2-20.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
|                        | • The analysis found unsatisfiable objectives that approximations can impact. For more information, see "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
|                        | • The analysis is unable to confirm the satisfied status through validation results. For more information, see "Objectives Satisfied - Needs Simulation" on page 13-46.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |

| Analysis Mode    | Orange highlighting                                                                                                                                                                                                                                                                 |
|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Property proving | For the highlighted model object,                                                                                                                                                                                                                                                   |
|                  | • The analysis did not decide at least one proof objective. This situation can occur when:                                                                                                                                                                                          |
|                  | • The analysis is still in progress.                                                                                                                                                                                                                                                |
|                  | • The analysis times out.                                                                                                                                                                                                                                                           |
|                  | • A proof objective exists on a signal whose value the software cannot control, for example, a Constant block.                                                                                                                                                                      |
|                  | <ul> <li>The analysis cannot decide a proof objective because of division<br/>by zero or nonlinear arithmetic.</li> </ul>                                                                                                                                                           |
|                  | • The software cannot decide a proof objective because of stubbing. For more information, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.                                                                                                                       |
|                  | • The software cannot decide a proof objective because of limitations of the analysis engine. For example, if the analysis encounters an unbounded while loop, it performs an approximation. For more information, see "Role of Approximations During Model Analysis" on page 2-20. |
|                  | • The analysis found valid objectives that approximations can impact.<br>For more information, see "How Simulink Design Verifier Reports<br>Approximations Through Validation Results" on page 2-23.                                                                                |
|                  | <ul> <li>The software is unable to confirm the falsified status through<br/>validation results. For more information, see "Objectives Falsified -<br/>Needs Simulation" on page 13-49.</li> </ul>                                                                                   |

## Gray Highlighting on Model

Objects that are highlighted in gray have the following meaning.

| Analysis Mode          | Gray Highlighting                              |
|------------------------|------------------------------------------------|
| Design error detection | The model object was not part of the analysis. |
| Test generation        |                                                |
| Property proving       |                                                |

## Manage Simulink Design Verifier Data Files

Simulink Design Verifier generates a data file after completing the analysis. The data file is a MAT-file that contains the sldvData structure. This structure stores all the data the software gathers and produces during the analysis. Although the software displays the same data graphically in the harness model and report, you can use the data file for further custom analysis or to generate a custom report.

### Generate sldvData Structure

Complete these steps to explore the contents of the sldvData structure.

**1** Generate test cases for the sldvdemo\_flipflop model.

```
sldvdemo_flipflop;
sldvrun('sldvdemo_flipflop');
```

2 Load the sldvData structure for the sldvdemo\_flipflop model to the MATLAB workspace.

load('sldv\_output\sldvdemo\_flipflop\sldvdemo\_flipflop\_sldvdata.mat')

**3** Display the names of the fields in the structure.

```
sldvData =
```

```
ModelInformation: [1x1 struct]
AnalysisInformation: [1x1 struct]
ModelObjects: [1x2 struct]
Constraints: []
Objectives: [1x12 struct]
TestCases: [1x4 struct]
Version: '2.1'
```

## Model Information Fields in sldvData

The following sections describe the fields in the sldvData structure:

### **Model Information**

The ModelInformation field contains information about the model you analyze in Simulink Design Verifier. This table describes the subfields in the ModelInformation field.

| Subfield Name    | Description                                                    |
|------------------|----------------------------------------------------------------|
| Name             | Model name.                                                    |
| Version          | Model number.                                                  |
| Author           | User name.                                                     |
| TimeStamp        | Date and time of last update.                                  |
| SubsystemPath    | Full path name of the subsystem (if any) that was analyzed.    |
| ExtractedModel   | Name of model extracted to analyze subsystem in SubsystemPath. |
| ReplacementModel | Name of model containing block replacements.                   |

| Subfield Name     | Description                                            |
|-------------------|--------------------------------------------------------|
| HarnessOwnerModel | Name of owner of analyzed Simulink Test harness model. |

### **Analysis Information**

The AnalysisInformation field lists the analysis options and related information. The table describes the AnalysisInformation field.

| Subfield Name               | Description                                                                                                                                                 |
|-----------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Status                      | Status of analysis.                                                                                                                                         |
| AnalysisTime                | Duration in seconds of analysis                                                                                                                             |
| Options                     | Deep copy of the Simulink Design Verifier options object used during the analysis.                                                                          |
| InputPortInfo               | Cell array of structures with information about everyInport block in top level of system.                                                                   |
| OutputPortInfo              | Cell array of structures with information about every Outport block in top level of system.                                                                 |
| SampleTimes                 | For internal use only.                                                                                                                                      |
| Parameters                  | For internal use only.                                                                                                                                      |
| AbstractedBlocks            | For internal use only.                                                                                                                                      |
| Approximations              | Structure describing approximations performed during analysis. For<br>more information, see "Role of Approximations During Model Analysis"<br>on page 2-20. |
| ReplacementInfo             | For internal use only.                                                                                                                                      |
| PreProcessingTime           | Time in seconds to build or reuse model representation.                                                                                                     |
| ModelRepresentationIn<br>fo | Date and time of model representation used in analysis.                                                                                                     |

### **Model Objects**

The ModelObjects field lists the model items and their associated objectives. The table describes the ModelObjects field.

| Subfield Name  | Description                                                                           |
|----------------|---------------------------------------------------------------------------------------|
| descr          | Full path to model object, including objects in Stateflow chart.                      |
| typeDesc       | Type of model object, returned as S for a state object and T for a transition object. |
| slPath         | Full path to Simulink model object.                                                   |
| sf0bjType      | Type of Stateflow object. Example: S for state and T for transition.                  |
| sfObjNum       | Integer representing a unique identifier for Stateflow object.                        |
| sid            | For internal use only.                                                                |
| designSid      | For internal use only.                                                                |
| replacementSid | For internal use only.                                                                |

| Subfield Name | Description                                                                    |
|---------------|--------------------------------------------------------------------------------|
| objectives    | Vector of integers representing indices of objectives related to model object. |

### Constraints

The Constraints field lists information about specified minimum and maximum values (if any) on input ports in your model. The table describes the Constraints field.

| Subfield Name | Description                                                                                       |
|---------------|---------------------------------------------------------------------------------------------------|
| -             | Cell array of structures containing name and<br>minimum and maximum values of each input<br>port. |

### Objectives

The Objectives field lists information about each objective, such as its type, status, and description. The table describes the Objectives field.

| Subfield Name    | Description                                                                                                                                                                                                                                                     |
|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| type             | Type of objective.                                                                                                                                                                                                                                              |
| status           | Status of objective.                                                                                                                                                                                                                                            |
| descr            | Description associated with objective.                                                                                                                                                                                                                          |
| label            | Label of objective.                                                                                                                                                                                                                                             |
| outcomeValue     | Integer representing outcome of objective.                                                                                                                                                                                                                      |
| coveragePointIdx | Integer representing index of coverage point associated with objective.                                                                                                                                                                                         |
| linkInfo         | For internal use only.                                                                                                                                                                                                                                          |
| range            | For internal use only.                                                                                                                                                                                                                                          |
| detectability    | Detectability status of objective.<br>This field appears in the data file when you set the analysis "Mode" on<br>page 15-10 to Test Generation and "Model coverage objectives" on<br>page 15-31 to Enhanced MCDC.                                               |
| detectionSites   | Simulink Identifier (SID) array of detection sites for detectable<br>objectives.<br>This field appears in the data file when you set the analysis "Mode" on<br>page 15-10 to Test Generation and "Model coverage objectives" on<br>page 15-31 to Enhanced MCDC. |
| modelObjectIdx   | Integer representing index of model object associated with objective.                                                                                                                                                                                           |
| analysistime     | Analysis time of objective.                                                                                                                                                                                                                                     |
| testCaseIdx      | Integer representing index of test case or counterexample addressed in objective.                                                                                                                                                                               |

#### **Test Cases or Counterexamples**

This field name depends on the type of check:

- If you set the **Mode** parameter to **Design error detection**, the **CounterExamples** field provides information on each test case that results in an integer-overflow or division-by-zero error.
- If you set the **Mode** parameter to **Test** generation, the **TestCases** field lists information about each test case, such as its signal values and test objectives.
- If you set the **Mode** parameter to **Property proving**, the **CounterExamples** field lists information about each counterexample and the proof objective it falsifies.

Subfield Name Description timeValues Vector of time values associated with signals in test case or counterexample. dataValues Vector of data values associated with signals in test case or counterexample. paramValues Structure representing details of parameters associated with test case or counterexample containing these fields: name— Parameter name. value — Parameter value. **noEffect** — Logical to signify if parameter value affects an objective. stepValues Vector that specifies the number of time steps that comprise signals in a test case or counterexample. objectives Structure that specifies objectives that a test case or a counterexample addresses. Its fields includeobjectiveIdx — Integer that represents the index of an objective that a test case achieves or a counterexample falsifies. atTime — Time value at which either a test case achieves an objective or a counterexample falsifies an objective. atStep — Time step at which either a test case achieves an objective or a counterexample falsifies an objective. dataNoEffect Cell array of logical vectors that specifies whether a signal's data values affect an objective. The vector uses 1 to indicate that a signal's data value does not affect an objective; otherwise, it uses 0. expectedOutput Cell array of vectors that specifies the output values that result from simulating the model using the test case signals. Each cell represents the output values associated with a different Outport block in the top-level system. This subfield is populated if you select Include expected output values.

The table describes the TestCases and CounterExamples fields.

#### **Version Field**

The Version field lists the of Simulink Design Verifier version used in the analysis.

#### **Dead Logic Field**

If you analyze your model for dead logic by using the "Run a Partial Check for Dead Logic" on page 6-7 option, the DeadLogic field in the sldvData structure lists information about each dead logic objective.

This table describes each subfield of the DeadLogic field.

| Subfield Name | Description                                                                                 |
|---------------|---------------------------------------------------------------------------------------------|
| label         | Description of dead logic objective.                                                        |
| descr         | Full path to model object, including objects in Stateflow chart.                            |
| modelObjIdx   | Integer representing index of model object associated with objective.                       |
| coverageType  | Type of coverage objective.                                                                 |
| coverageIdx   | Integer that represents the index of a coverage point that is associated with an objective. |
| ObjectiveIdx  | Integer that represents the index of an objective that is associated with a model object.   |

### Simulate Models Using Data Files

You can use the sldvruntest function to simulate a model by using test cases or counterexamples that reside in a Simulink Design Verifier data file. Complete these steps to simulate the sldvdemo\_flipflop model using a test case in its data file.

**1** Simulate the sldvdemo\_flipflop model and generate test cases:

sldvdemo\_flipflop

**2** Save the location of the data file that Simulink Design Verifier generates after analyzing the model.

```
sldvDataFile = 'sldv_output\sldvdemo_flipflop\sldvdemo_flipflop_sldvdata.mat'
```

3 Use the sldvruntest function to simulate the sldvdemo\_flipflop model using the second test case in the data file:

```
[ outdata ] = sldvruntest('sldvdemo_flipflop', sldvDataFile, 2)
```

The sldvruntest outputs is an array of Simulink.SimulationOutput objects.

4 Examine the output data from the first test case using the Simulink.SimulationOutput object:

```
tout_sldvruntest = outdata(1).find('tout_sldvruntest');
xout_sldvruntest = outdata(1).find('xout_sldvruntest');
yout_sldvruntest = outdata(1).find('yout_sldvruntest');
logsout_sldvruntest = outdata(1).find('logsout_sldvruntest');
```

### Load Results from Data Files

You can load the results of a previous analysis of a model from a data file. For more information, see "Load Previous Results" on page 13-57 and sldvloadresults.

### See Also

"Review Analysis Results" on page 13-57 | sldvreport | "Load Previous Results" on page 13-57

## **Manage Simulink Design Verifier Harness Models**

### In this section...

"Harness Model Generation" on page 13-13

"Create a Harness Model" on page 13-13

"Contents of a Harness Model" on page 13-13

"Configuration of the Harness Model" on page 13-19

"Simulate the Harness Model" on page 13-19

## **Harness Model Generation**

A harness model provides an isolated environment to test design changes. You can create a harness model during Simulink Design Verifier analysis or after the analysis.

The contents of the harness model depends on the value of the **Mode** parameter, set in the Configuration Parameters dialog box on the **Design Verifier** pane:

- Design error detection The harness model contains the test cases that result in errors during simulation.
- Test generation The harness model contains the test cases that achieve test objectives.
- **Property proving** The harness model contains counterexamples that falsify the proof objectives.

By default, the **Generate separate harness model after analysis** parameter is disabled.

**Note** The Simulink Design Verifier software generates a harness model only when the top-level model that you are analyzing contains an Inport block.

## **Create a Harness Model**

To create a harness model before or after the analysis, use these methods:

- Before the analysis, in the Configuration Parameters dialog box, on the **Design Verifier** > **Results** pane, select **Generate separate harness model after analysis**.
- After the analysis, in the Simulink Design Verifier Results Summary window, select **Create** harness model.

## **Contents of a Harness Model**

Simulink Design Verifier software creates a harness model that contains these items:

- **Inputs** The Inputs block is a Signal Builder or Signal Editor block based on the "Harness source" on page 15-61 option set in the **Design Verifier > Results** pane.
  - Signal Builder: This block contains signals that are comprised of the test cases or counterexamples that Simulink Design Verifier generates. The Signal Builder block contains signals only for input signals that are used in the model. If an input signal has no effect on the output of the model, that signal is not included in the Signal Builder block.



To open the Signal Builder dialog box and view its signals, double-click the Inputs block. Each signal group represents a unique test case or counterexample. To view the signals associated with a particular test case or counterexample, in the Signal Builder dialog box, select **Active Group**.

After Simulink Design Verifier performs test generation analysis on the sldvdemo\_cruise\_control model with the default options, this Signal Builder block shows
the signals for Test Case 7.



If you select the LongTestcases option of the **Test suite optimization** parameter, the analysis creates fewer, longer test cases. For example, if you select the LongTestcases option for the sldvdemo\_cruise\_control model, the analysis produces one long test case instead of nine shorter test cases. This Signal Builder dialog box shows the signals for the long test case. For more information about the Signal Builder dialog box, see "Signal Groups".



• Signal Editor: This block contains scenarios that are comprised of the test cases or counterexamples that Simulink Design Verifier generates. The Signal Editor block contains signals only for input signals that are used in the model. If an input signal has no effect on the output of the model, that signal is not included in the Signal Editor block.

After Simulink Design Verifier generates harness model, the input MAT-file for the Signal Editor block is saved at the default location <current\_folder>\sldv\_output \<model\_name>\<model\_name>\_harness\_HarnessInputs.mat.



To open the Signal Editor dialog box and view the scenarios of signal sources, double-click the Inputs block. The **Active scenario** lists the test cases or counterexamples. To create and edit scenarios, launch the Signal Editor user interface. For more information, see "Create and Edit Signal Data".

| Block Parameters: Inputs X                                                                                                                                                    |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Signal Editor                                                                                                                                                                 |
| The Signal Editor block displays and allows you to create or edit<br>interchangeable scenarios of signal sources and quickly switch the scenarios<br>into and out of a model. |
| Scenario                                                                                                                                                                      |
| File name: \sldvdemo_cruise_control_harness_HarnessInputs.mat                                                                                                                 |
| Active scenario: TestCase_1                                                                                                                                                   |
| Signal properties                                                                                                                                                             |
| To create and edit scenarios, launch Signal Editor user interface.                                                                                                            |
| Parameters                                                                                                                                                                    |
| Active signal: speed ~                                                                                                                                                        |
| Output a bus signal                                                                                                                                                           |
| Unit (e.g., m, m/s^2, N*m): <u>SI, English,</u>                                                                                                                               |
| inherit                                                                                                                                                                       |
| Sample time: [0.01,0]                                                                                                                                                         |
| Interpolate data                                                                                                                                                              |
| Enable zero-crossing detection                                                                                                                                                |
| Form output after final data value by: Holding final value                                                                                                                    |
|                                                                                                                                                                               |
| OK Cancel Help Apply                                                                                                                                                          |

- **Size-Type** This Subsystem block transmits signals from the Inputs block to the Test Unit block. It verifies that the size and data type of the signals are consistent with the Test Unit block.
- Test Unit This Model block references the original model that Simulink Design Verifier analyzed.

If you do not select the **Reference input model in generated harness** on the **Design Verifier** > **Results** pane in the **Configuration Parameters** dialog box, the **Test Unit** created is a Subsystem block.

If the Test Unit in the harness model is a subsystem, the values of the parameters on the **Optimization** and **Math and Data Types** panes might impact the coverage results.

• **Test Case Explanation** — This DocBlock block documents the test cases or counterexamples that Simulink Design Verifier generates. To view the description of each test case or counterexample, double-click the Test Case Explanation block. The block lists either the test objectives that each test case achieves or the proof objectives that each counterexample falsifies.

```
1 Test Case 1 (8 Objectives)
        Parameter values:
2
3
4
        1. Controller/Switch3 - logical trigger input false (output is from 3rd input port) @ T=0.00
 5
        2. Controller/Switch2 - logical trigger input true (output is from 1st input port) @ T=0.00
        3. Controller/Switchl - logical trigger input true (output is from 1st input port) @ T=0.00
 6
 7
        4. Controller/Logical Operatorl - Logic: input port 1 false @ T=0.00
8
        5. Controller/Logical Operator2 - Logic: input port 1 true @ T=0.00
9
        6. Controller/Logical Operator - Logic: input port 1 false @ T=0.00
10
        7. Controller/Logical Operator - (Cl && ~C2) && (C3 || C4) with Cl (Logical Operator Inl) false @ T=0.00
11
        8. Controller/PI Controller - enable logical value false @ T=0.00
12
13 Test Case 2 (4 Objectives)
14
       Parameter values:
15
16
        1. Controller/Logical Operator1 - Logic: input port 1 true @ T=0.00
17
        2. Controller/Logical Operator - Logic: input port 1 true @ T=0.00
        3. Controller/Logical Operator - Logic: input port 2 false @ T=0.00
18
        4. Controller/Logical Operator - (Cl && ~C2) && (C3 || C4) with C2 (Logical Operator1 Inl) false @ T=0.00
19
20
21 Test Case 3 (1 Objectives)
22
        Parameter values:
23
24
        1. Controller/Switch2 - logical trigger input false (output is from 3rd input port) @ T=0.00
25
26 Test Case 4 (1 Objectives)
27
        Parameter values:
28
29
        1. Controller/Switch3 - logical trigger input true (output is from 1st input port) @ T=0.00
30
31 Test Case 5 (6 Objectives)
32
        Parameter values:
```

## **Configuration of the Harness Model**

Simulink Design Verifier generates the harness model with these settings.

- The harness model start time is always 0. If the original model uses a nonzero start time, the software ignores the start time and uses 0 for the simulation start time for test cases and counterexamples.
- The harness model stop time always equals the stop time of the longest test case in the Inputs block.
- By default, the software enables coverage analysis and generates a coverage report for the harness models that contain test cases. The coverage reporting is enabled with default options. You can customize these settings by using "Specify Coverage Options" (Simulink Coverage).
- By default, if you select **Ignore objective based on filter** and provide a coverage filter file for the Test Unit, the coverage filter file applies to the harness model. For more information, see "Coverage data" on page 15-38.
- For models that use the complex type Inport block, a Signal Editor block is used as the harness source regardless of the **Harness source** that you specify.

## Simulate the Harness Model

The harness model enables you to simulate a copy of your original model by using the test cases or counterexamples that Simulink Design Verifier generates. Using the harness model, you can simulate:

• A counterexample.

- A single test case, for which the Simulink Coverage software collects and displays model coverage information.
- All the test cases, for which the Simulink Coverage software collects and displays cumulative model coverage information.

**Note** If you analyze a model that is simulated with sample time warnings, when you simulate the harness model, the warnings might be reported as errors, causing the simulation to fail.

### Simulate Harness Model by Using the Signal Builder Source Block

To simulate a single test case or counterexample:

- 1 In the harness model, double-click the Inputs block.
- 2 In the Signal Builder dialog box, select the **Active Group** with a particular test case or counterexample.

The Signal Builder dialog box displays the signals that comprise the selected test case or counterexample.

3

## Click the **Start simulation** button

The Simulink software simulates the harness model by using the signals associated with the selected test case or counterexample. When simulating a test case, the Simulink Coverage software collects model coverage information and displays a coverage report.

To simulate all test cases and measure their combined model coverage:

- **1** In the harness model, double-click the Inputs block.
- 2

In the Signal Builder dialog box, click the **Run all** button

The Simulink software simulates the harness model by using all test cases, while the Simulink Coverage software collects model coverage information and displays a coverage report.

When you click **Run all**, the software simulates all the test cases by using the stop time for the harness model. The stop time equals the stop time for the longest test case, so you might accumulate additional coverage when you simulate the shorter test cases.

For more information, see "Simulating with Signal Groups".

### Simulate Harness Model by Using the Signal Editor Inputs Block

To simulate a single test case or counterexample:

- **1** In the harness model, double-click the Inputs block.
- 2 In the Signal Editor dialog box, select the **Active scenario** with a particular test case or counterexample and click **OK**.
- 3 In the Simulink editor, click the **Run** button.

The Simulink software simulates the harness model by using the scenario of signal sources associated with the selected test case or counterexample. When simulating a test case, the Simulink Coverage software collects model coverage information and displays a coverage report.

To simulate all the test cases and measure their combined model coverage, use cvsim (Simulink Coverage) or parsim command. For example, see Simulate Harness Model with Signal Editor Inputs Block on page 13-22.

## See Also

"Creating and Executing Test Cases" on page 7-100 | "Create Harness Model" on page 1-12

# **Simulate Harness Model with Signal Editor Inputs Block**

This example shows how to generate model coverage report by simulating the test harness model with the Signal Editor Inputs block. You can simulate a single test case or counterexample by selecting the active scenario in the Signal Editor dialog box. For more information see, "Simulate Harness Model by Using the Signal Editor Inputs Block" on page 13-20.

To simulate all the test cases and measure their combined model coverage, use the cvsim or the parsim command.

In this example, you generate a harness model by selecting the Signal Editor as the harness source. The Signal Editor scenarios consists of signal sources that are associated with the test cases or counterexamples. Then, to generate combined model coverage report, you simulate all the scenarios by using the cvsim or parsim function.

### 1. Open the model and configure harness options

Create a harness model for the sldvdemo\_cruise\_control model by using the sldvharnessopts options. Set the HarnessSource option to Signal Editor.

```
model = 'sldvdemo_cruise_control';
open_system(model);
opts = sldvoptions;
opts.Mode = 'TestGeneration';
opts.SaveHarnessModel = 'on';
opts.HarnessSource = 'Signal Editor';
opts.HarnessModelFileName = 'sldvdemo_cruise_control_harness';
opts.SaveReport = 'off';
```



Copyright 2006-2019 The MathWorks, Inc.

### 2. Generate test cases

Analyze the model by using the sldvrun function and sldvoptions.

```
sldvrun('sldvdemo_cruise_control', opts);
save_system('sldvdemo_cruise_control_harness');
Checking compatibility for test generation: model 'sldvdemo_cruise_control'
Compiling model...done
Building model representation...done
'sldvdemo_cruise_control' is compatible for test generation with Simulink Design Verifier.
Generating tests using model representation from 31-Dec-2021 02:59:04...
.....
Completed normally.
Generating output files:
```

```
The analysis did not produce a harness model.
Unable to read MAT-file C:\Users\pdasbasu\AppData\Roaming\MathWorks\MATLAB\R2022a\matlabprefs.ma
```

Results generation completed.

```
Data file:
```

C:\Users\pdasbasu\OneDrive - MathWorks\Documents\MATLAB\ExampleManager\pdasbasu.Bdoc22a.j1830



## 3. Generate combined model coverage report

Simulink Design Verifier automatically configures Signal Editor harness in multiple simulation mode. To simulate the generated test cases and gather coverage for Test Unit, click **Run all (Coverage)** button on Simulation toolstrip menu.



Test Case Explanation

Alternatively, after the analysis generates the harness model, you can use this code that uses cvtest and cvsim functions to generate the combined model coverage report.

```
signalEditorBlock = 'sldvdemo cruise control harness/Inputs';
numOfScenarios = str2double(get_param(signalEditorBlock, 'NumberOfScenarios'));
harnessModel = 'sldvdemo_cruise_control_harness';
test = cvtest(harnessModel);
test.modelRefSettings.enable = 'On';
test.modelRefSettings.excludeTopModel = 1;
covData = [];
for id = 1:numOfScenarios
set param(signalEditorBlock, 'ActiveScenario', id);
aCovData = cvsim(harnessModel);
if isempty(covData)
covData = aCovData;
else
covData = covData + aCovData;
end
end
save system('sldvdemo cruise control harness');
cvhtml('Coverage Harness', covData);
```

Optionally, you can use this code that uses the parsim function to generate the combined model coverage report.

```
signalEditorBlock = 'sldvdemo cruise control harness/Inputs';
numOfScenarios = str2double(get param(signalEditorBlock, 'NumberOfScenarios'));
harnessModel = 'sldvdemo_cruise_control_harness';
simIn = Simulink.SimulationInput.empty(0,numOfScenarios);
for id = 1:numOfScenarios
    simIn(id) = Simulink.SimulationInput(harnessModel);
    simIn(id) = simIn(id).setBlockParameter(signalEditorBlock, 'ActiveScenario', id);
    simIn(id) = simIn(id).setModelParameter('CovEnable', 'on');
    simIn(id) = simIn(id).setModelParameter('CovSaveSingleToWorkspaceVar', 'on');
end
simOut = parsim(simIn);
cvhtml('Coverage Harness',simOut.covdata);
[31-Dec-2021 02:59:45] Checking for availability of parallel pool...
Starting parallel pool (parpool) using the 'local' profile ...
Connected to the parallel pool (number of workers: 6).
[31-Dec-2021 03:00:49] Starting Simulink on parallel workers...
[31-Dec-2021 03:01:16] Configuring simulation cache folder on parallel workers...
[31-Dec-2021 03:01:17] Loading model on parallel workers...
[31-Dec-2021 03:01:26] Running simulations...
[31-Dec-2021 03:01:45] Completed 1 of 3 simulation runs
[31-Dec-2021 03:01:45] Completed 2 of 3 simulation runs
[31-Dec-2021 03:01:45] Completed 3 of 3 simulation runs
[31-Dec-2021 03:01:45] Cleaning up parallel workers...
```

The coverage report indicates that 100% coverage is achieved by simulating all the test cases for sldvdemo\_cruise\_control\_model.

## Summary

Model Hierarchy/Complexity Test 1

|                                   | Decision | Condition | Test Objective | <b>Proof Objective</b> | Test Condition | <b>Proof Assumption</b> | Execution |
|-----------------------------------|----------|-----------|----------------|------------------------|----------------|-------------------------|-----------|
| 1. <u>sldvdemo_cruise_control</u> | 8 100%   | 100%      | NA             | NA                     | 100%           | NA                      | 100%      |
| 2 <u>Controller</u>               | 7 100%   | 100%      | NA             | NA                     | NA             | NA                      | 100%      |
| 3 <u>PI Controller</u>            | 4 100%   | NA        | NA             | NA                     | NA             | NA                      | 100%      |

### 5. Clean Up

% To complete this example, close the models. close\_system('sldvdemo\_cruise\_control\_harness', 0); close\_system('sldvdemo\_cruise\_control', 0);

# **Export Test Cases to Simulink Test**

Model verification often requires repeated testing to achieve certain objectives or coverage criteria. If you run repeated tests, consider using the Test Manager in Simulink Test to structure your test cases, archive test results, and generate reports. You can generate test cases using Simulink Design Verifier and export the test inputs to new test cases automatically created in the Simulink Test Manager.

To export generate inputs to new test cases in Simulink Test:

- 1 Choose an existing Simulink Design Verifier results file or generate new results by analyzing your model.
  - If you use an existing results file, you can load results by either:
    - Using the Simulink Test command sltest.import.sldvData.
    - Using **Load Earlier Results** in the **Design Verifier** tab. Select the MAT-file or Excel<sup>®</sup> file with the analysis results.
  - If you run a model analysis, the Design Verifier Results Summary window appears after the analysis completes.
- 2 In the results summary window, click **Export test cases to Simulink Test**. The Export Design Verifier Test Cases dialog box opens.
- **3** In the Export Design Verifier Test Cases dialog box, you can:
  - Choose Harness Source to Inport, Signal Editor or Signal Builder.
  - Set the **Test Data Format** to MAT or Excel.
  - Click **OK** to generate the test file and test harness.
- 4 Simulink Test generates the test file and test harness. In the Test Manager, expand the new test file in the **Test Browser** to see the individual test cases.

## **Generate and Export Test Cases to Simulink Test**

This example shows how to generate test cases to achieve coverage objectives for a controller subsystem. The example also shows how to add functional test cases from test harnesses in the model. This example requires a Simulink Test license.

The model is a closed-loop heat pump system. The controller accepts the measured room temperature and set temperature inputs. The controller outputs a bus of three signals controlling the fan, heat pump, and the direction of the heat pump. The model contains a harness that tests heating and cooling scenarios.

**1** Open the model.

open\_system('sltestTestCaseFromDVExample.slx'));

- **2** Set the current working folder to a writable folder.
- **3** In the model, generate tests for the Controller subsystem. Right-click the Controller block and select **Design Verifier > Generate Tests for Subsystem**.
- 4 In the Simulink Design Verifier Results Summary window, click **Export test cases to Simulink Test**.

5 In the Export Design Verifier Test Cases dialog box, click **OK**.

| Export Design Verifier Test Cases                                                            | + = ×        |
|----------------------------------------------------------------------------------------------|--------------|
| Export test cases or counterexamples generated by Simulink Design Verifier to Simulink Test. |              |
| Component under Test: <u>sitestTestCaseFromDVExample/Controller</u>                          |              |
| Test Harness Options                                                                         |              |
| Test Harness: sltestTestCaseFromDVExample_sldvharness                                        |              |
| Harness Source: Inport                                                                       | •            |
| Test Data Format: MAT                                                                        | •            |
| Test Manager Options                                                                         |              |
| <ul> <li>Use a new test file</li> <li>Reuse an existing test file</li> </ul>                 |              |
| Test File: sltestTestCaseFromDVExample/sltestTestCaseFromDVExample_test.mldatx               | Browse       |
| Test Case: <create a="" case="" new="" test=""></create>                                     | •            |
| <u>OK</u> <u>Cancel</u>                                                                      | <u>H</u> elp |

The Test Manager displays six new test cases in the test file.

| Test Browser Results and Artifacts                                    | 🗏 New Test Case 1 🛛 🗙 | 🖍 Start Page 🛛 🗙     |                |                |                   |       |
|-----------------------------------------------------------------------|-----------------------|----------------------|----------------|----------------|-------------------|-------|
| Filter tests by name or tags, e.g. tags: test                         | ▼ITERATIONS*          |                      |                |                |                   | ?     |
| <ul> <li>TestFile_GeneratedTests</li> <li>New Test Suite 1</li> </ul> | ▼ TABLE ITERAT        | IONS*                |                |                |                   | ?     |
| 🗐 New Test Case 1                                                     | ✓ NAME                | SIGNAL BUILDER GROUP | PARAMETER SET  | EXTERNAL INPUT | LOGGED SIGNAL SET | +     |
|                                                                       | ✓ Test Case 1         | Test Case 1          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       | ✓ Test Case 2         | Test Case 2          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       | ✔ Test Case 3         | Test Case 3          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       | ✔ Test Case 4         | Test Case 4          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       | ✓ Test Case 5         | Test Case 5          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       | ✓ Test Case 6         | Test Case 6          | [Default] None | [Default] None | [Default] None    |       |
|                                                                       |                       |                      |                | Auto Genera    | te 🕂 Add 🛅 Dele   | ete 🔻 |

**6** In the model, click the perspective view badge to see the new test harness.



- 7 Add a test case to the other test harness in the model. In the Test Manager, point to the new test file name and click the Synchronize Test File button <.</p>
- 8 The Test Manager prompts you to add tests for the Requirement2 test harness. Select Simulation for the test type and click **Update Test File**.

The Test Manager adds the Requirement2 test case to the test file.

## See Also

sltest.import.sldvData

# Export Tests from Models That Contain Requirements Table Blocks with Simulink Design Verifier

If you create models that contain Requirements Table blocks and you generate tests with Simulink Design Verifier, you can export the tests to the **Test Manager**. When configuring the tests, you can specify the test harness that you want to use. After running the tests, you can determine if the tests fail or pass, and inspect the results further.

## **Construct the Model and Generate Tests**

Simulink Design Verifier creates test objectives from the requirements defined in Requirements Table blocks. To generate tests, construct a model, called the specification model, with Requirements Table blocks and Simulink blocks that do not define test objectives. See "What Is a Specification Model?" on page 7-60. After you create the requirements, confirm that the requirement set in each Requirements Table block is complete and consistent by analyzing them. See "Identify Inconsistent and Incomplete Formal Requirement Sets" (Requirements Toolbox). If you do not create complete and consistent requirements, Simulink Design Verifier may not be able to create tests that satisfy the test objectives.

After constructing the requirements, generate tests in the specification model.

- 1 In the Apps tab, click Design Verifier.
- 2 In the **Mode** section, set the mode to **Test Generation**.
- 3 In the Prepare section, click Test Generation Settings. The Requirements Table block supports test generation with decision, condition, MCDC, enhanced MCDC, and relational boundary coverage objectives. Specify the objectives in the Model coverage objectives parameter. For more information on these options, See "Model Coverage Objectives for Test Generation" on page 7-30. Click OK.
- 4 In the **Analyze** section, click **Generate Tests**. Simulink Design Verifier indicates how many objectives from the requirements are satisfied.

| Progress                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                      |                             |             |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|-----------------------------|-------------|
| Objectives processed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | 18/18                |                             |             |
| Satisfied                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | 18                   |                             |             |
| Unsatisfiable                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | 0                    |                             |             |
| Elapsed time                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 0:38                 |                             |             |
| Test generation completed<br>18/18 objectives satisfied.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | l normally.          |                             |             |
| Results:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |                      |                             |             |
| Open filter explorer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                      |                             |             |
| <ul> <li>Highlight analysis realized and the second se</li></ul> |                      |                             |             |
| <ul> <li><u>View tests in Simula</u></li> <li>Detailed analysis re</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                      |                             |             |
| Create harness mo                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                      |                             |             |
| <ul> <li>Save test cases/cou</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |                      | eadsheet                    |             |
| <ul> <li>Export test cases to</li> <li>Simulate tests and</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                      | arago report                |             |
| <ul> <li>Simulate tests and</li> </ul>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | produce a model cove | erage report                |             |
| Data saved in: CordLockRe                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                      | mat                         |             |
| n folder: <u>C:\Users\ssating</u>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |                      | )23b\slrequirements\Analyze | FormalRequi |
| rementsEVSELockExample                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |                      |                             | a ormantequ |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                      |                             |             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                      |                             |             |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                      |                             |             |

5 If at least one of the objectives is not satisfied, update your requirements. If you did not analyze the requirements before, analyze them now.

## Export the Tests to the Test Manager

If you have Simulink Test, you can export the tests to the **Test Manager**. In the Simulink Design Verifier Results Summary window, click **Export test cases to Simulink Test**.

Test generation completed normally. 18/18 objectives satisfied.

Results:

- Open filter explorer
- Highlight analysis results on model
- View tests in Simulation Data Inspector
- Detailed analysis report: (<u>HTML</u>) (<u>PDF</u>)
- Create harness model
- Save test cases/counterexamples to spreadsheet
- Export test cases to Simulink Test
- Simulate tes and produce a model coverage report

The Export Design Verifier Test Cases window displays the properties that you can adjust before exporting.

| 🞦 Export Design Verifier Test Cases                                                          | ×      |  |  |
|----------------------------------------------------------------------------------------------|--------|--|--|
| Export test cases or counterexamples generated by Simulink Design Verifier to Simulink Test. |        |  |  |
| Component under Test: <u>CordLockReqTable_v2</u>                                             |        |  |  |
| Test Harness Options                                                                         |        |  |  |
| Test Harness: CordLockReqTable_v2_sldvharness                                                |        |  |  |
| Harness Source: Inport                                                                       | $\sim$ |  |  |
| Test Data Format: MAT                                                                        | ~      |  |  |
| Test Manager Options                                                                         |        |  |  |
| • Use a new test file                                                                        |        |  |  |
| ○ Reuse an existing test file                                                                |        |  |  |
| Test File: putput\CordLockReqTable_v2\CordLockReqTable_v2_test.mldatx Browse                 |        |  |  |
| Test Case: <create a="" case="" new="" test=""></create>                                     | ~      |  |  |
| OK Cancel Help                                                                               | >      |  |  |

For more information on the properties you can select, see "Export Test Cases to Simulink Test" on page 13-27.

## **Run the Tests**

After exporting the tests, Simulink Test registers the requirements in the Requirements Table blocks to the test cases they generate. To view these assignments, open the **Test Manager**. Then select the test case in the **Test Browser** pane. In the **Test Case** pane, expand the **Iterations** section.

| TABLE ITERATIONS* |             |                                   |                |
|-------------------|-------------|-----------------------------------|----------------|
| ✓ NAME            | DESCRIPTION | REQUIREMENTS                      | EXTERNAL INPUT |
| ✓ Test Case:1     | None        | Requirement 1: Lock when evse c   | Test Case:1    |
| ✓ Test Case:2     | None        | Requirement 6: Unlock during em.  | Test Case:2    |
| ✓ Test Case:3     | None        | Requirement 2: Unlock during nor. | Test Case:3    |
| ✓ Test Case:4     | None        | Requirement 7: Unlock SessionSto. | Test Case:4    |
| ✓ Test Case:5     | None        | Requirement 9: Unlock when com.   | Test Case:5    |
| / Tect Cace:6     | None        | Dequirement 2: Upleak during on   | Test Case 6    |

If you have a manually created test harness that you want to run the tests on, in the **Test Browser** pane, select the test case and expand **System Under Test**. In the **Model** field, specify the model, and clear the model from the **Harness** field.

## **Inspect Test Failures**

If one of your tests fail, you may need investigate causes of the failure. If you use verification blocks in your harness to verify the outputs of your design and specification model, or if you capture design model outputs in requirement postconditions, you can use property proving on the test harness and run **Model Slicer** to identify the conditions that cause an assertion failure.

- **1** Open the test harness model.
- 2 In the **Design Verifier** tab, in the **Mode** section, select **Property Proving**.
- 3 In the **Prepare** section, click **Property Proving Settings**. If your specification model uses at least one postcondition, the Requirements Table block highlights the postconditions green if the associated proof objectives are satisfied, red if they are not, and orange for other conditions.

| Index | Summary                                                                                                 | Precondition                             | Postcondition<br>deploy |
|-------|---------------------------------------------------------------------------------------------------------|------------------------------------------|-------------------------|
| 1     | The thrust reverser system<br>shall not deploy if the average<br>airspeed is greater than 150<br>knots. | mean(airspeed) > 150                     | false                   |
| 2     | The thrust reverser system shall not deploy if any two WOW sensors are false.                           | sum(wow) >= 3                            | false                   |
| 3     | The thrust reverser system<br>shall not deploy if the two thrust<br>sensors are greater than 0.         | sum(throttle) >= 3                       | false                   |
| 4     | The thrust reverser system<br>shall not deploy if either<br>wheelspeed sensor is less than<br>10 knots. | wheelspeed(1) < 10 && wheelspeed(2) < 10 | false                   |

If you use verification blocks, Simulink Design Verifier highlights the blocks that assert a failure in red.

4 If you use verification blocks, select the highlighted verification block. In the Results window, click **debug**. The model displays the values that correspond to each signal that caused the failure. These values only display outside of the Requirements Table block.

For more information, see "Debug Property Proving Violations by Using Model Slicer" on page 12-55 and "Prove Properties with Requirements Table Blocks" on page 12-73.

## See Also

**Requirements** Table

## **Related Examples**

- "Use a Requirements Table Block to Create Formal Requirements" (Requirements Toolbox)
- "What Is Property Proving?" on page 12-2
- "What Is a Specification Model?" on page 7-60
- "Use Specification Models for Requirements-Based Testing" on page 7-69

# **Review Results**

| In this section                                            |
|------------------------------------------------------------|
| "Simulink Design Verifier Report Generation" on page 13-35 |
| "Create Analysis Reports" on page 13-35                    |
| "Front Matter" on page 13-35                               |
| "Summary Chapter" on page 13-36                            |
| "Analysis Information Chapter" on page 13-36               |
| "Derived Ranges Chapter" on page 13-40                     |
| "Objectives Status Chapters" on page 13-42                 |
| "Model Items Chapter" on page 13-50                        |
| "Design Errors Chapter" on page 13-51                      |
| "Test Cases Chapter" on page 13-52                         |
| "Properties Chapter" on page 13-54                         |

## Simulink Design Verifier Report Generation

After an analysis, Simulink Design Verifier can generate an HTML report that contains detailed information about the analysis results.

The analysis report contains hyperlinks that allow you to:

- Navigate to a specific part of the report
- Navigate to the object in your Simulink model for which the analysis recorded results

You can also generate an additional PDF version of the Simulink Design Verifier report.

## **Create Analysis Reports**

To create a detailed analysis report before or after the analysis, do one of the following:

- Before the analysis, in the Configuration Parameters dialog box, on the **Design Verifier > Report** pane, select **Generate report of the results**. If you want to save an additional PDF version of the Simulink Design Verifier report, select **Generate additional report in PDF format**.
- After the analysis, in the Simulink Design Verifier log window, you can choose HTML or PDF format and **Generate detailed analysis report**.

## **Front Matter**

The report begins with two sections:

- "Title" on page 13-35
- "Table of Contents" on page 13-36

## Title

The title section lists the following information:

- Model or subsystem name Simulink Design Verifier analyzed
- User name associated with the current MATLAB session
- Date and time that Simulink Design Verifier generated the report

### **Table of Contents**

The table of contents follows the title section. Clicking items in the table of contents allows you to navigate quickly to particular chapters in the report.

## **Summary Chapter**

The **Summary** chapter of the report lists the following information:

- Name of the model
- MATLAB release in which the analysis was performed
- Checksum value that represents the state of the model analyzed
- Analysis mode
- Model Representation
- Test generation target (applicable for test case generation analysis)
- Analysis status
- Preprocessing time
- Analysis time
- Status of objectives analyzed. This includes the percentage number for each status

| Analysis Information     |                         |                          |              |
|--------------------------|-------------------------|--------------------------|--------------|
| Model:                   | sldvdemo_cruise_control |                          |              |
| Release:                 | R2021a Prerelease       |                          |              |
| Checksum:                | 863976376 4198703694    | 241457 <mark>61</mark> 5 | 5 2412704551 |
| Mode:                    | Test generation         |                          |              |
| Model Representation:    | Built on 09-Nov-2020 14 | :28:46                   |              |
| Test Generation Target   | Model                   |                          |              |
| Status:                  | Completed normally      |                          |              |
| PreProcessing Time:      | 4s                      |                          |              |
| Analysis Time:           | 25s                     |                          |              |
| <b>Objectives Status</b> |                         |                          |              |
| Number of Objectives     | :                       | 32                       |              |
| Objectives Satisfied:    |                         | 32                       | (100%)       |

## **Analysis Information Chapter**

The Analysis Information chapter of the report includes the following sections:

- "Model Information" on page 13-37
- "Analysis Options" on page 13-37
- "Unsupported Blocks" on page 13-38
- "User Artifacts" on page 13-39
- "Constraints" on page 13-39
- "Block Replacements Summary" on page 13-39
- "Approximations" on page 13-39
- "Analysis Harness Information" on page 13-40

### **Model Information**

The Model Information section provides the following information about the current version of the model:

- Path and file name of the model that Simulink Design Verifier analyzed
- Model version
- Date and time that the model was last saved
- Name of the person who last saved the model

## Analysis Options

The Analysis Options section provides information about the Simulink Design Verifier analysis settings.

The Analysis Options section lists the parameters that affected the Simulink Design Verifier analysis. If you enabled coverage filtering, the name of the filter file is included in this section.

# **Analysis Options**

| Mode:                                                                 | TestGeneration     |
|-----------------------------------------------------------------------|--------------------|
| Rebuild Model Representation:                                         | Always             |
| Test generation target:                                               | Model              |
| Test Suite Optimization:                                              | CombinedObjectives |
| Maximum Testcase Steps:                                               | 500time steps      |
| Test Conditions:                                                      | UseLocalSettings   |
| Test Objectives:                                                      | UseLocalSettings   |
| Model Coverage Objectives:                                            | MCDC               |
| Include Relational Boundary Objectives:                               | off                |
| Maximum Analysis Time:                                                | 300s               |
| Block Replacement:                                                    | off                |
| Parameters Analysis:                                                  | off                |
| Include expected output values:                                       | off                |
| Randomize data that do not affect the outcome:                        | off                |
| Additional analysis to reduce instances of rational<br>approximation: | off                |
| Save Data:                                                            | on                 |
| Save Hamess:                                                          | off                |
| Save Report:                                                          | off                |

**Note** For more information about these parameters, see "Simulink Design Verifier Options" on page 15-2.

## **Unsupported Blocks**

If your model includes unsupported blocks, by default, automatic stubbing is enabled to allow the analysis to proceed. With automatic stubbing enabled, the software considers only the interface of the unsupported blocks, not their actual behavior. This technique allows the software to complete the analysis. However, the analysis may achieve only partial results if any of the unsupported model blocks affect the simulation outcome.

The Unsupported Blocks section appears only if the analysis stubbed unsupported blocks; it lists the unsupported blocks in a table, with a hyperlink to each block in the model.

| Block                | Туре               |
|----------------------|--------------------|
| Discrete State-Space | DiscreteStateSpace |

For more information about automatic stubbing, see "Handle Incompatibilities with Automatic Stubbing" on page 2-7.

### **User Artifacts**

The User Artifacts section provides information about test data and coverage data in the Simulink Design Verifier analysis.

### Constraints

The Constraints section provides information about test conditions that Simulink Design Verifier applied when it analyzed a model.

| Name       | Analysis Constraint |  |
|------------|---------------------|--|
| constraint | [0, 100]            |  |

You can navigate to the constraint in your model by clicking the hyperlink in the Constraints table. The software highlights the corresponding Test Condition block in your model window and opens a new window showing the block in detail.

### **Block Replacements Summary**

The Block Replacements Summary provides an overview of the block replacements that Simulink Design Verifier executed. It appears only if Simulink Design Verifier replaced blocks in a model.

Each row of the table corresponds to a particular block replacement rule that Simulink Design Verifier applied to the model. The table lists the following:

- Name of the file that contains the block replacement rule and the value of the BlockType parameter the rule specifies
- Description of the rule that the MaskDescription parameter of the replacement block specifies
- Names of blocks that Simulink Design Verifier replaced in the model

To locate a particular block replacement in your model, click on the name for that replacement in the Replaced Blocks column of the table; the software highlights the affected block in your model window and opens a new window that displays the block in detail.

| #: | Replacement Rule / Block Type     | Rule Description                                                                                                                                          | Replaced Blocks                                    |
|----|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| 1  | blkrep_rule_switch_normal /Switch | Inserts test objectives for<br>switch blocks that require<br>each switch position be<br>demonstrated when the<br>values of input ports 1 and<br>3 differ. | <u>Switch1</u><br><u>Switch2</u><br><u>Switch3</u> |

### Approximations

Each row of the Approximations table describes a specific type of approximation that Simulink Design Verifier used during its analysis of the model.

| # | Туре                   | Description                                                                                                                                    |  |
|---|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|--|
| 1 | Rational approximation | The model includes floating-point arithmetic. Simulink Design Verifier approximates floating-point arithmetic with rational number arithmetic. |  |

**Note** Review the analysis results carefully when the software uses approximations. In rare cases, an approximation may result in test cases that fail to achieve test objectives or counterexamples that fail to falsify proof objectives. For example, a floating-point round-off error might prevent a signal from exceeding a designated threshold value.

### **Analysis Harness Information**

The **Analysis Harness Information** section provides an overview of the analysis harness generated by Simulink Design Verifier used to analyze the model. The **Analysis Harness Information** section shows these sub-sections based on whether the model is an export-function model or a model that contains Function Caller blocks without corresponding Simulink functions.

### Schedule for Export Function analysis

Simulink Design Verifier assumes an analysis harness for invoking Export Functions during analysis. For example, this table shows the analysis harness for the model sldvExportFunction\_autosar\_multirunnables:

| Order |           | unction-Call Inport Sample Nu<br>Time(sec) sar |   |
|-------|-----------|------------------------------------------------|---|
| 1     | Runnable1 | 1                                              | 1 |
| 2     | Runnable2 | 1                                              | 1 |
| 3     | Runnable3 | 10                                             | 1 |

### Stubbed Simulink Functions for Analysis

This table in the **Stubbed Simulink Functions for Analysis** lists the function prototypes that correspond to the stubbed Simulink functions which are stubbed in the analysis harness:

| Function Prototype                              |               |
|-------------------------------------------------|---------------|
| [EventFailed,ERR] = TPS2StuckLow_GetEventFailed | <u>led()</u>  |
| [EventFailed,ERR] = TPS2StuckHigh_GetEventFa    | <u>iled()</u> |
| [EventFailed,ERR] = TPS1StuckLow_GetEventFai    | <u>led()</u>  |
| [EventFailed,ERR] = TPS1StuckHigh_GetEventFa    | iled()        |
| <u>ERR = TPS_SetEventStatus(EventStatus)</u>    |               |

**Note** Simulink Design Verifier assumes the outputs of stubbed Simulink functions do not change when the function is invoked multiple times during a single time step.

## **Derived Ranges Chapter**

In a design error detection analysis, the analysis calculates the derived ranges of the signal values for the Outports for each block in the model. This information can help you identify the source of data overflow or division-by-zero errors.

The table in the **Derived Ranges** chapter of the analysis report lists these bounds.

| Signal                                                                                                | Derived Ranges                |  |
|-------------------------------------------------------------------------------------------------------|-------------------------------|--|
| Controller/Constant1- outport 1                                                                       | 1                             |  |
| Controller/Unit Delay- outport 1                                                                      | [-InfInf]                     |  |
| Controller/Sum- outport 1                                                                             | [-InfInf]                     |  |
| Controller/Constant3- outport 1                                                                       | 1                             |  |
| Controller/Sum2- outport 1                                                                            | [-InfInf]                     |  |
| Controller/Switch3/Switch. Defined by block replacement rule<br>'blkrep rule switch normal' outport 1 | [-InfInf]                     |  |
| Controller/Switch2/Switch. Defined by block replacement rule<br>'blkrep rule switch normal' outport 1 | [-InfInf]                     |  |
| Controller/Switch1/Switch. Defined by block replacement rule<br>'blkrep rule switch normal' outport 1 | [-InfInf]                     |  |
| Controller/Sum1- outport 1                                                                            | [-InfInf]                     |  |
| Controller/Logical Operator1- outport 1                                                               | [FT]                          |  |
| Controller/Unit Delay1- outport 1                                                                     | [FT]                          |  |
| Controller/Logical Operator2- outport 1                                                               | [FT]                          |  |
| Controller/Logical Operator- outport 1                                                                | [FT]                          |  |
| <u>throt- outport 1</u>                                                                               | [-<br>3.5954e+3063.5954e+306] |  |
| target- outport 1                                                                                     | [-InfInf]                     |  |

If an Observer Reference block is used in the design error detection analysis, then this section will show the observer information in a **Observer Model (s)** subsection and design model information in **Design Model** subsection.

The table in the Design Model subsection shows the list of each derived range in the sldvdemo\_debounce\_validprop example model.

| Signal                             | Derived<br>Ranges |
|------------------------------------|-------------------|
| <u>Constant- Outport 1</u>         | 2                 |
| <u>Constant1- Outport 1</u>        | 1                 |
| <u>Chart "debounce"- Outport 1</u> | [FT]              |
| Switch- Outport 1                  | [12]              |
| debounced- Outport 1               | [12]              |

The Observer model(s) section will not show derived ranges reported as the observers are ignored for design error detection analysis.

## **Objectives Status Chapters**

This section of the report provides information about all the objectives in a model, including the type of the objective, the model item that corresponds to the type, and objective description.

- "Design Error Detection Objectives Status" on page 13-43
- "Test Objectives Status" on page 13-45
- "Proof Objectives Status" on page 13-47
- "Objectives Undecided due to Runtime Error" on page 13-49
- "Objectives Undecided Due to Division by Zero" on page 13-49
- "Objectives Undecided Due to Nonlinearities" on page 13-50
- "Objectives Undecided Due to Stubbing" on page 13-50
- "Objectives Undecided Due to Array Out of Bounds" on page 13-50
- "Objectives Undecided" on page 13-50

The software identifies the presence of approximations and reports them at the level of each objective status. For more information, see "How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23. This table summarizes the objective status for Simulink Design Verifier analysis modes.

| Analysis Mode          | Objective Status                                                  |
|------------------------|-------------------------------------------------------------------|
| Design error detection | "Dead Logic" on page 13-44                                        |
|                        | "Dead Logic under Approximation" on page 13-44                    |
|                        | "Active Logic - Needs Simulation" on page 13-44                   |
|                        | "Objectives Valid" on page 13-44                                  |
|                        | "Objectives Valid under Approximation" on page 13-45              |
|                        | "Objectives Falsified with Counterexamples" on page 13-45         |
|                        | • "Objectives Error - Needs Simulation" on page 13-45             |
|                        | • "Objectives Undecided Due to Division by Zero" on page 13-49    |
|                        | • "Objectives Undecided Due to Nonlinearities" on page 13-50      |
|                        | "Objectives Undecided Due to Stubbing" on page 13-50              |
|                        | "Objectives Undecided" on page 13-50                              |
|                        | • "Objectives Undecided Due to Array Out of Bounds" on page 13-50 |

| Analysis Mode    | Objective Status                                                  |
|------------------|-------------------------------------------------------------------|
| Test generation  | "Objectives Satisfied" on page 13-46                              |
|                  | "Objectives Satisfied - Needs Simulation" on page 13-46           |
|                  | "Objectives Unsatisfiable" on page 13-47                          |
|                  | • "Objectives Unsatisfiable under Approximation" on page 13-47    |
|                  | "Objectives Undecided with Testcases" on page 13-47               |
|                  | "Objectives Undecided due to Runtime Error" on page 13-49         |
|                  | • "Objectives Undecided Due to Division by Zero" on page 13-49    |
|                  | "Objectives Undecided Due to Nonlinearities" on page 13-50        |
|                  | "Objectives Undecided Due to Stubbing" on page 13-50              |
|                  | "Objectives Undecided" on page 13-50                              |
|                  | • "Objectives Undecided Due to Array Out of Bounds" on page 13-50 |
| Property proving | "Objectives Valid" on page 13-48                                  |
|                  | "Objectives Valid under Approximation" on page 13-48              |
|                  | "Objectives Falsified with Counterexamples" on page 13-48         |
|                  | "Objectives Falsified - Needs Simulation" on page 13-49           |
|                  | "Objectives Undecided with Counterexamples" on page 13-49         |
|                  | "Objectives Undecided due to Runtime Error" on page 13-49         |
|                  | "Objectives Undecided Due to Division by Zero" on page 13-49      |
|                  | "Objectives Undecided Due to Nonlinearities" on page 13-50        |
|                  | "Objectives Undecided Due to Stubbing" on page 13-50              |
|                  | "Objectives Undecided" on page 13-50                              |
|                  | "Objectives Undecided Due to Array Out of Bounds" on page 13-50   |

### **Design Error Detection Objectives Status**

If you run a design error detection analysis, the **Design Error Detection Objectives Status** section can include the following objective statuses:

- "Dead Logic" on page 13-44
- "Dead Logic under Approximation" on page 13-44
- "Active Logic Needs Simulation" on page 13-44
- "Objectives Valid" on page 13-44
- "Objectives Valid under Approximation" on page 13-45
- "Objectives Falsified with Counterexamples" on page 13-45
- "Objectives Error Needs Simulation" on page 13-45

If an Observer Reference block is used in the design error detection analysis, then this section will show the observer information in **Observer Model(s)** subsection and design model information in **Design Model** subsection. This section will be empty when there are no active logic present in the model.

The table in the Design model subsection shows the list of active logic in the sldvdemo\_debounce\_validprop example model.

| # | Туре     | Model Item         | Description                       | Analysis Time<br>(sec) |
|---|----------|--------------------|-----------------------------------|------------------------|
| 3 | Decision | IC hart "debounce" | Substate executed<br>State "Off"  | 11                     |
| 4 | Decision | I hart "debounce"  | Substate executed<br>State "On"   | 14                     |
| 5 | Decision | Chart "debounce"   | Substate executed<br>State "Wait" | 11                     |

The Observer model(s) section will not show any active logic reported as the observers are ignored for design error detection analysis.

### Dead Logic

The **Dead Logic** section lists the items for which the analysis found dead logic.

This image shows the **Dead Logic** section of the generated analysis report for the sldvdemo\_fuelsys\_logic\_simple model.

| # | Type      | Model Item                                                                                    | Description                            |
|---|-----------|-----------------------------------------------------------------------------------------------|----------------------------------------|
| 1 | Condition | Transition "[ <u>speed==0 &amp; press &lt; zero_th</u> " from<br>"speed_norm" to "speed_fail" | "press < zero_thresh" can only be true |
| 2 |           | Transition " <u>[in(Sens_Failure_Counter.Mu</u> " from<br>Junction #2 to "Shutdown"           | trigger expression can only be true    |

### **Dead Logic under Approximation**

The **Dead Logic under Approximation** section lists the model items for which the analysis found dead logic under the impact of approximation.

In releases before R2017b, this section can include objectives that were marked as **Dead Logic**.

This image shows the **Dead Logic under Approximation** section of the generated analysis report.

| # | Туре      | Model Item |                            | Analysis<br>Time (sec) | Test Case |
|---|-----------|------------|----------------------------|------------------------|-----------|
| 2 | Condition | emlblock1  | Script: isequal(A1,A1eq) F | 13                     | n/a       |

#### Active Logic - Needs Simulation

The **Active Logic - Needs Simulation** section lists the model items for which the analysis found active logic. To confirm the active logic status, you must run additional simulations of test cases.

In releases before R2017b, this section can include objectives that were marked as Active Logic.

This image shows a portion of the **Active Logic - Needs Simulation** section of the generated analysis report for the sldvdemo\_fuelsys\_logic\_simple model.

| # | Туре     | Model Item                          | Description                    | Analysis<br>Time (sec) | Test Case |
|---|----------|-------------------------------------|--------------------------------|------------------------|-----------|
| 3 | Decision | State " <u>Oxygen_Sensor_Mode</u> " | Substate executed "O2_fail"    | 28                     | 1         |
| 4 | Decision | State "Oxygen_Sensor_Mode"          | Substate executed "O2_normal"  | 27                     | 1         |
| 5 | Decision | State " <u>Oxygen_Sensor_Mode</u> " | Substate executed "O2_warmup"  | 27                     | 1         |
| 6 | Decision | State "Pressure_Sensor_Mode"        | Substate executed "press_fail" | 28                     | 1         |

#### **Objectives Valid**

The **Objectives Valid** section lists the design error detection objectives that the analysis found valid. For these objectives, the analysis determined that the described design errors cannot occur.

In releases before R2017b, this section can include objectives that were marked as Proven Valid.

This image shows the **Objectives Valid** section of the generated analysis report for the sldvdemo design error detection model.

| #  | Type     | Model Item                                            |          | Analysis<br>Time (sec) | Test Case |
|----|----------|-------------------------------------------------------|----------|------------------------|-----------|
| 3  | Overflow | Controller/Sum                                        | Overflow | 8                      | n/a       |
| 18 | Overflow | Controller/PI Controller/Discrete-<br>Time Integrator | Overflow | 8                      | n/a       |
| 21 | Overflow | Controller/PI Controller/Kp                           | Overflow | 8                      | n/a       |
| 24 | Overflow | Controller/PI Controller/Kp1                          | Overflow | 8                      | n/a       |
| 27 | Overflow | Controller/PI Controller/Sum                          | Overflow | 8                      | n/a       |

#### **Objectives Valid under Approximation**

The **Objectives Valid under Approximation** section lists the design error detection objectives that the analysis found valid under the impact of approximation.

In releases before R2017b, this section can include objectives that were marked as Proven Valid.

This image shows the **Objectives Valid under Approximation** section of the generated analysis report.

| ŧ | ŧ  | Туре                | Model Item |                  | Analysis<br>Time (sec) | Test Case |
|---|----|---------------------|------------|------------------|------------------------|-----------|
| 1 | 12 | Division by<br>zero | Divide     | Division by zero | 40                     | n/a       |

#### **Objectives Falsified with Counterexamples**

The **Objectives Falsified with Counterexamples** lists the set of design error detection objects whose counterexamples have been simulated and verified to observe the reported errors.

This image shows the **Objectives Falsified with Counterexamples** section of the generated analysis report for the sldvdemo\_design\_error\_detection model.

| #  | Туре                | Model Item      |          | Analysis<br>Time (sec) | Test Case |
|----|---------------------|-----------------|----------|------------------------|-----------|
| 7  | Integer<br>overflow | Controller/Sum2 | Overflow | 39                     | 1         |
| 12 | Integer<br>overflow | Controller/Sum1 | Overflow | 39                     | 2         |

#### **Objectives Error - Needs Simulation**

The **Objectives Error- Needs Simulation** section lists the design error detection objectives for which the analysis found test cases that demonstrate design errors. To confirm the falsified status, you must run additional simulations of test cases.

In releases before R2017b, this section can include objectives that were marked as Falsified.

This image shows the **Objectives Error** - **Needs Simulation** section of the generated analysis report for the sldvdemo\_array\_bounds model.

| #  | Туре         | Model Item   | Description     | Analysis<br>Time (sec) | Test Case |
|----|--------------|--------------|-----------------|------------------------|-----------|
| 16 | Array bounds | State "Diff" | Array bounds: u | 26                     | 1         |
| 17 | Array bounds | State "Diff" | Array bounds: u | 26                     | 2         |

#### **Test Objectives Status**

If you run a test case generation analysis, the **Test Objectives Status** section can include the following objective statuses:

• "Objectives Satisfied" on page 13-46

- "Objectives Satisfied Needs Simulation" on page 13-46
- "Objectives Unsatisfiable" on page 13-47
- "Objectives Unsatisfiable under Approximation" on page 13-47
- "Objectives Undecided with Testcases" on page 13-47

When you analyze a model with **Model coverage objectives** set to Enhanced MCDC, the software reports the detection status of model items. For more information, see "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42.

If an Observer Reference block is used in the test case generation analysis, then each test objective status section will show the observer information in **Observer Model(s)** sub-section an design model information in **Design Model** subsection. These subsections will be empty if no test objective found in the model.

The table shows a part of **Objectives Satisfied** test objectives for the design model in the sldvdemo\_debounce\_testobjblks example model.

| # | Туре           | Model Item  | Description  | Analysis<br>Time (sec) | Test Case |
|---|----------------|-------------|--------------|------------------------|-----------|
| 2 | Test objective | <u>True</u> | Objective: 2 | 29                     | 1         |

The table shows a part of **Objectives Satisfied** test objectives for observer model in the sldvdemo\_debounce\_testobjblks example model.

| # | Туре           | Model Item                      | Description  | Analysis Time<br>(sec) | Test Case |
|---|----------------|---------------------------------|--------------|------------------------|-----------|
| 1 | Test objective | <u>Masked</u><br>Objective/Edge | Objective: 1 | 29                     | 2         |

#### **Objectives Satisfied**

The **Objectives Satisfied** section lists the test objectives that the analysis satisfied. The generated test cases cover the objectives.

This image shows a portion of the **Objectives Satisfied** section of the generated analysis report for the sldvdemo\_fuelsys\_logic\_simple example model.

| # | Туре     | Model Item                         | Description                                    | Analysis<br>Time (sec) | Test<br>Case |
|---|----------|------------------------------------|------------------------------------------------|------------------------|--------------|
| 1 | Decision | control logic.Oxygen_Sensor_Mode   | State: Substate executed State "O2_fail"       | 97                     | <u>35</u>    |
| 2 | Decision | control logic.Oxygen_Sensor_Mode   | State: Substate executed State<br>"O2_normal"  | 94                     | <u>31</u>    |
| 3 | Decision | control logic.Oxygen_Sensor_Mode   | State: Substate executed State<br>"O2_warmup"  | 72                     | 1            |
| 4 | Decision | control logic.Pressure_Sensor_Mode | State: Substate executed State<br>"press_fail" | 79                     | 2            |
| 5 | Decision | control logic.Pressure_Sensor_Mode | State: Substate executed State<br>"press_norm" | 72                     | 1            |

#### **Objectives Satisfied - Needs Simulation**

The **Objectives Satisfied - Needs Simulation** section lists the test objectives that the analysis satisfied. To confirm the satisfied status, you must run additional simulations of test cases.

In releases before R2017b, this section can include objectives that were marked as **Satisfied**.

This image shows the **Objectives Satisfied - Needs Simulation** section of the generated analysis report.

| # | Туре     | Model Item        |                        | Analysis<br>Time (sec) | Test Case |
|---|----------|-------------------|------------------------|------------------------|-----------|
| 1 | Decision | Simulink Function | Function call executed | 11                     | 1         |

#### **Objectives Unsatisfiable**

The **Objectives Unsatisfiable** section lists the test objectives that the analysis determined could not be satisfied.

In releases before R2017b, this section can include objectives that were marked as **Proven Unsatisfiable**.

This image shows the **Objectives Unsatisfiable** section of the generated analysis report for the sldvdemo\_fuelsys\_logic\_simple example model.

| #   | Туре     | Model Item                                                                           | Description                                                                                    | Analysis<br>Time (sec) | Test Case |
|-----|----------|--------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|------------------------|-----------|
| 61  |          | control logic.Speed_Sensor_Mode."<br>[speed==0 & press < zero_th"                    | Transition: Condition 2, "press <<br>zero_thresh" F                                            | 13                     | n/a       |
| 67  |          | control logic.Speed_Sensor_Mode."<br>[speed==0 & press < zero_th"                    | Transition: MCDC Transition trigger<br>expression with Condition 2, "press <<br>zero_thresh" F | 13                     | n/a       |
| 106 | Decision | <u>control</u><br>logic_Fueling_Mode_Fuel_Disabled_"<br>[in(Sens_Failure_Counter_Mu" | Transition: Transition trigger expression F                                                    | 13                     | n/a       |

#### **Objectives Unsatisfiable under Approximation**

The **Objectives Unsatisfiable under Approximation** section lists the test objectives that the analysis determined could not be satisfied due to approximation during analysis.

In releases before R2017b, this section can include objectives that were marked as **Proven Unsatisfiable**.

This image shows the **Objectives Unsatisfiable under Approximation** section of the generated analysis report.

| # | Туре     | Model Item                  |               | Analysis<br>Time (sec) | Test Case |
|---|----------|-----------------------------|---------------|------------------------|-----------|
| 5 | Decision | Chart_WithLengthGuard.Box.B | State: Mloc F | 21                     | n/a       |

#### **Objectives Undecided with Testcases**

The **Objectives Undecided with Testcases** section lists the test objectives that are undecided due to the impact of approximation during analysis.

In releases before R2017b, this section can include objectives that were marked as **Satisfied**.

This image shows the **Objectives Undecided with Testcases** section of the generated analysis report for the sldvApproximationsExample example model.

| # | Type     | Model Item |                                                                | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|----------------------------------------------------------------|------------------------|-----------|
| 1 | Decision |            | logical trigger input false (output is<br>from 3rd input port) | 14                     | 2         |

#### **Proof Objectives Status**

If you run a property-proving analysis, the **Proof Objectives Status** section can include:

- "Objectives Valid" on page 13-48
- "Objectives Valid under Approximation" on page 13-48

- "Objectives Falsified with Counterexamples" on page 13-48
- "Objectives Falsified Needs Simulation" on page 13-49
- "Objectives Undecided with Counterexamples" on page 13-49

If an Observer Reference block is used in the property-proving analysis, then each proof objective status section will show the observer information in **Observer Model(s)** subsection and design model information in **Design Model** subsection. These subsections will be empty when no objective is found in the model.

The table shows **Objectives Valid** proof objectives for the Observer model in the sldvdemo\_debounce\_validprop example model.

| # | Туре            | Model Item                                 | Description  | Analysis Time<br>(sec) |
|---|-----------------|--------------------------------------------|--------------|------------------------|
| 1 | Proof objective | <u>Verify</u><br><u>Output/FoutCorrect</u> | Objective: T | 8                      |
| 2 |                 | <u>Verify</u><br><u>Output/ToutCorrect</u> | Objective: T | 8                      |

#### **Objectives Valid**

The **Objectives Valid** section lists the proof objectives that the analysis found valid.

In releases before R2017b, this section can include objectives that were marked as Proven Valid.

This image shows the **Objectives Valid** section of the generated analysis report for the sldvdemo\_debounce\_validprop example model.

| # | Туре               | Model Item                |              | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|---------------------------|--------------|------------------------|----------------|
|   | Proof<br>objective | Verify Output/FoutCorrect | Objective: T | 16                     | n/a            |
| 2 | Proof<br>objective | Verify Output/ToutCorrect | Objective: T | 17                     | n/a            |

#### **Objectives Valid under Approximation**

The **Objectives Valid under Approximation** section lists the proof objectives that the analysis found valid under the impact of approximation.

In releases before R2017b, this section can include objectives that were marked as **Objectives Proven Valid**.

This image shows the **Objectives Valid under Approximation** section of the generated analysis report.

| # | Туре               | Model Item      |                 | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|-----------------|-----------------|------------------------|----------------|
| 1 | Proof<br>objective | MATLAB Function | sldv.prove(x>0) | 9                      | n/a            |

#### **Objectives Falsified with Counterexamples**

The **Objectives Falsified with Counterexamples** section lists the proof objectives that the analysis disproved. The generated counterexample shows the violation of the proof objective.

This image shows the **Objectives Falsified with Counterexamples** section of the generated analysis report for the sldvdemo\_debounce\_falseprop example model.

| # | ¥ | Туре   | Model Item                   |        | Analysis<br>Time (sec) | Counterexample |
|---|---|--------|------------------------------|--------|------------------------|----------------|
|   | L | Assert | Verify True Output/Assertion | Assert | 1                      | 1              |

#### **Objectives Falsified - Needs Simulation**

The **Objectives Falsified - Needs Simulation** section lists the proof objectives that the analysis disproved. To confirm the falsified status, you must run additional simulations of counterexamples.

In releases before R2017b, this section can include objectives that were marked as **Objectives** Falsified with Counterexamples.

This image shows the **Objectives Falsified - Needs Simulation** section of the generated analysis report.

| # | Туре               | Model Item                           | Description                                  | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|--------------------------------------|----------------------------------------------|------------------------|----------------|
|   | Proof<br>objective | Safety Properties/MATLAB<br>Property | sldv.prove(implies(activeCond,SeatBeltIcon)) | 12                     | 1              |

#### **Objectives Undecided with Counterexamples**

The **Objectives Undecided with Counterexamples** section lists the proof objectives undecided due to the impact of approximation during analysis.

In releases before R2017b, this section can include objectives that were marked as Falsified.

This image shows the **Objectives Undecided with Counterexamples** section of the generated analysis report.

| # | Туре               | Model Item      |                   | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|-----------------|-------------------|------------------------|----------------|
| 1 | Proof<br>objective | Proof Objective | Objective: [1, 2] | 11                     | 1              |

#### **Objectives Undecided due to Runtime Error**

For proof objectives and test objectives, the **Objectives Undecided due to Runtime Error** section lists the undecided objectives during analysis due to a run-time error. The run-time error occurred during simulation of a test case or counterexample.

In releases before R2017b, this section can include objectives that were marked as **Falsified** or **Satisfied**.

This image shows the **Objectives Undecided due to Runtime Error** section of the generated analysis report.

| # | ŧ | Туре      | Model Item          |                                           | Analysis<br>Time (sec) | Test Case |
|---|---|-----------|---------------------|-------------------------------------------|------------------------|-----------|
| 1 |   | Condition | Relational Operator | RelationalOperator: input1 == input2<br>T | 13                     | 1         |

#### **Objectives Undecided Due to Division by Zero**

For all types of objectives, the **Objectives Undecided Due to Division by Zero** section lists the undecided objectives during analysis due to division-by-zero errors in the associated model items. To detect division-by-zero errors before running further analysis on your model, follow the procedure in "Detect Integer Overflow and Division-by-Zero Errors" on page 6-19.

| # | Туре     | Model Item |                        | Analysis<br>Time (sec) | Test Case |
|---|----------|------------|------------------------|------------------------|-----------|
| 1 | Decision | Saturation | input > lower limit F  | 0                      | n/a       |
| 2 | Decision | Saturation | input > lower limit T  | 0                      | n/a       |
| 3 | Decision | Saturation | input >= upper limit F | 0                      | n/a       |
| 4 | Decision | Saturation | input >= upper limit T | 0                      | n/a       |

### **Objectives Undecided Due to Nonlinearities**

For all types of objectives, the **Objectives Undecided Due to Nonlinearities** section lists the undecided objectives during analysis due to required computation of nonlinear arithmetic. Simulink Design Verifier does not support nonlinear arithmetic or nonlinear logic.

| #  | Туре     | Model Item               | Description                         | Analysis<br>Time (sec) | Test Case |
|----|----------|--------------------------|-------------------------------------|------------------------|-----------|
| 30 | Decision | BasicRollMode/Integrator | integration result <= lower limit T | 2                      | n/a       |
| 32 | Decision | BasicRollMode/Integrator | integration result >= upper limit T | 2                      | n/a       |

### **Objectives Undecided Due to Stubbing**

For all types of objectives, the **Objectives Undecided Due to Stubbing** section lists model items with undecided objectives during analysis due to stubbing. In releases before R2013b, these objectives can include objectives that were marked as **Objectives Satisfied - No Test Case** or **Objectives Falsified - No Counterexample**.

| # | Туре     | Model Item | Description            | Analysis Time<br>(sec) |
|---|----------|------------|------------------------|------------------------|
| 2 | Decision | Saturation | input > lower limit F  | 12                     |
| 3 | Decision | Saturation | input > lower limit T  | 12                     |
| 4 | Decision | Saturation | input >= upper limit F | 12                     |
| 5 | Decision | Saturation | input >= upper limit T | 12                     |

### **Objectives Undecided Due to Array Out of Bounds**

For all types of objectives, the **Objectives Undecided Due to Array Out of Bounds** section lists the undecided objectives during analysis due to array out of bounds errors in the associated model items. To detect out of bounds array errors in your model, see "Detect Out of Bound Array Access Errors" on page 6-28.

| # | Туре           | Model Item     |                      | Analysis<br>Time (sec) | Test Case |
|---|----------------|----------------|----------------------|------------------------|-----------|
| 1 | Test objective | Test Objective | Objective: (3, Inf)  | 18                     | n/a       |
| 2 | Test objective | Test Objective | Objective: (-Inf, 0) | 18                     | n/a       |

### **Objectives Undecided**

For all types of objectives, the **Objectives Undecided** section lists the objectives for which the analysis was unable to determine an outcome in the allotted time.

In this property-proving example, either the software exceeded its analysis time limit (which the **Maximum analysis time** parameter specifies) or you aborted the analysis before it completed processing these objectives.

| # | Туре               | Model Item                |              | Analysis<br>Time (sec) | Counterexample |
|---|--------------------|---------------------------|--------------|------------------------|----------------|
| 1 | Proof<br>objective | Verify Output/FoutCorrect | Objective: T | -1                     | n/a            |
| 2 | Proof<br>objective | Verify Output/ToutCorrect | Objective: T | -1                     | n/a            |

## **Model Items Chapter**

The **Model Items** chapter of the report includes a table for each object in the model that defines coverage objectives. The table for a particular object lists all of the associated objectives, the objective types, objective descriptions, and the status of each objective at the end of the analysis.

The table for an individual object in the model looks similar to this one for the Discrete-Time Integrator in the PI Controller subsystem of the sldvdemo\_cruise\_control example model.

| #: | Туре     | Description                            | Status    | Test<br>Case |
|----|----------|----------------------------------------|-----------|--------------|
| 31 | Decision | integration result <=<br>lower limit F | Satisfied | <u>3</u>     |
| 32 | Decision | integration result <=<br>lower limit T | Satisfied | <u>8</u>     |
| 33 | Decision | integration result >=<br>upper limit F | Satisfied | <u>3</u>     |
| 34 | Decision | integration result >=<br>upper limit T | Satisfied | <u>9</u>     |

To highlight a given object in your model, click **View** at the upper-left corner of the table; the software opens a new window that displays the object in detail. To view the details of the test case that was applied to a specific objective, click the test case number in the last column of the table.

If an Observer Reference block is used in the property-proving analysis, then each model item section will show the observer information in **Observer Model(s)** subsection an design model information in **Design Model** subsection. These subsections will be empty if no test objective found in the model.

The table shows one of the test objectives for the design model in the sldvdemo\_debounce\_testobjblks example model.

| #: | Туре           | Description  | Status    | Test Case |
|----|----------------|--------------|-----------|-----------|
| 2  | Test objective | Objective: 2 | Satisfied | <u>1</u>  |

The table shows one of the test objectives for the observer model in the sldvdemo\_debounce\_testobjblks example model.

| #: | Туре           | Description  | Status    | Test Case |
|----|----------------|--------------|-----------|-----------|
| 1  | Test objective | Objective: 1 | Satisfied | 2         |

# **Design Errors Chapter**

If you perform design error detection analysis and the analysis detects design errors in the model, the report includes a **Design Errors** chapter. This chapter summarizes the design errors that the analysis falsified:

- "Table of Contents" on page 13-51
- "Summary" on page 13-51
- "Test Case" on page 13-52

#### **Table of Contents**

The Design Errors chapter contains a table of contents. Each item in the table of contents is a hyperlink to results about a specific design error.

#### Summary

The Summary section lists:

- The model item
- The type of design error that was detected (overflow or division by zero)
- The status of the analysis (Falsified or Proven Valid)

In the following example, the software analyzed the sldvdemo\_debounce\_falseprop model to detect design errors. The analysis detected an overflow error in the Sum block in the Verification Subsystem named Verify True Output.

| Model Item: | Verify True Output/Sum |
|-------------|------------------------|
| Type:       | Overflow               |
| Status:     | Falsified              |

## Test Case

The Test Case section lists the time step and corresponding time at which the test case falsified the design error objective. The Inport block raw had a value of 255, which caused the overflow error.



## **Test Cases Chapter**

If you run a test generation analysis, the report includes a **Test Cases** chapter. This chapter includes sections that summarize the test cases the analysis generated:

- "Table of Contents" on page 13-52
- "Summary" on page 13-52
- "Objectives" on page 13-53
- "Generated Input Data" on page 13-53
- "Expected Output" on page 13-53
- "Long Test Cases" on page 13-54

#### **Table of Contents**

The Test Cases chapter contains a table of contents. Each item in the table of contents is a hyperlink to information about a specific test case.

#### Summary

The Summary section lists:

- Length of the signals that comprise the test case
- Total number of test objectives that the test case achieves

Length: 0.06 second (7 sample periods) Objectives Satisfied: 1

## Objectives

The Objectives section lists:

- The time step at which the test case achieves that objective.
- The time at which the test case achieves that objective.
- A link to the model item associated with that objective. Clicking the link highlights the model item in the Simulink Editor.
- The objective that was achieved with a link to navigate between the **Test Objectives Status** and **Test Cases** chapters.

| Step | Time | Model Item                           | Objectives                                                                                                       |
|------|------|--------------------------------------|------------------------------------------------------------------------------------------------------------------|
| 2    |      |                                      | 112. Substate exited when parent exits "Low_Emissions"           123. Substate exited when parent exits "Warmup" |
| 7    | 0.06 | Transition "DEC" from "FL1" to "FL0" | 86. trigger expression true                                                                                      |

#### Generated Input Data

For each input signal associated with the model item, the Generated Input Data section lists the time step and corresponding time at which the test case achieves particular test objectives. If the signal value does not change over those time steps, the table lists the time step and time as ranges.

| Time   | 0  | 0.01-<br>0.05 | 0.06 |
|--------|----|---------------|------|
| Step   | 1  | 2-6           | 7    |
| enable | 1  | 1             | 1    |
| brake  | 0  | 0             | 0    |
| set    | 1  | 0             | 1    |
| inc    | 1  | 1             | -    |
| dec    | 1  | 0             | -    |
| speed  | 97 | 0             | 0    |

**Note** The Generated Input Data table displays a dash (-) instead of a number as a signal value when the value of the signal at that time step does not affect the test objective. The table does not include the entire signal if all values of a signal are having no impact. In the harness model, the Inputs block represents these values with zeros unless you enable the **Randomize data that does not affect outcome** parameter (see "Randomize data that do not affect the outcome" on page 15-58).

## **Expected Output**

If you select the **Include expected output values** on the **Design Verifier > Results** pane of the Configuration Parameters dialog box, the report includes the Expected Output section for each test case. For each output signal associated with the model item, this table lists the expected output value at each time step.

| Time   | 0  | 0.01 | 0.02   | 0.03   | 0.04   | 0.05   | 0.06 |
|--------|----|------|--------|--------|--------|--------|------|
| Step   | 1  | 2    | 3      | 4      | 5      | 6      | 7    |
| throt  | 0  | 1.96 | 1.9898 | 2.0197 | 2.0497 | 2.0798 | 0.05 |
| target | 97 | 98   | 99     | 100    | 101    | 102    | 0    |

## Long Test Cases

If you set the **Test suite optimization** option to LongTestcases, the Test Cases chapter in the report includes fewer sections about longer test cases.

## Test Case 1

This section contains detailed information about each generated test case.

## Summary

| Length:                  | 0.26 second (27 sample periods) |
|--------------------------|---------------------------------|
| Objectives<br>Satisfied: | 259                             |

# **Properties Chapter**

If you run a property-proving analysis, the report includes a **Properties** chapter. This chapter includes sections that summarize the proof objectives and any counterexamples the software generated:

- "Table of Contents" on page 13-54
- "Summary" on page 13-55
- "Counterexample" on page 13-55

## **Table of Contents**

The Properties chapter contains a table of contents. Each item in the table of contents is a hyperlink to information about a specific property that was falsified.

If an Observer Reference block is used in the property-proving analysis, then each properties chapter will show the observer information in **Observer Model(s)** subsection an design model information in **Design Model** subsection. It will be empty when there are no properties in the model.

The table shows one of the properties for the observer model in the sldvdemo\_debounce\_validprop example model.

Model Item: <u>Verify Output/FoutCorrect</u> Property: Objective: T Status: Valid

#### Summary

The Summary section lists:

- The model item that the software analyzed
- The type of property that was evaluated
- The status of the analysis

In the following example, the software analyzed the sldvdemo\_cruise\_control\_verification model for property proving. The analysis proved that the input to the Assertion block named BrakeAssertion was nonzero.

| Model Item: | Safety Properties/BrakeAssertion |
|-------------|----------------------------------|
| Property:   | Assert                           |
| Status:     | Falsified                        |

#### Counterexample

The Counterexample section lists the time step and corresponding time at which the counterexample falsified the property. This section also lists the values of the signals at that time step.

| Time                             | 0 | 0.01 | 0.02-0.04 |
|----------------------------------|---|------|-----------|
| Step                             | 1 | 2    | 3-5       |
| InputData.Actual_speed           | 0 | 0    | 0         |
| InputData.Switches.enable        | 1 | 1    | 0         |
| InputData.Switches.brake         | 0 | 0    | 1         |
| InputData.Switches.set           | 1 | 0    | 0         |
| InputData.Switches.setIncDec.inc | 1 | 1    | 0         |
| InputData.Switches.setIncDec.dec | 0 | 0    | 0         |

# **View Log Files**

Every time you analyze a model, Simulink Design Verifier creates a log file. To view the log file, click **View Log** in the Simulink Design Verifier log window.

The log file contains a list of the analysis results for each object in the model. The content of the log file corresponds to the analysis results displayed in the log window during the analysis.

```
1
   20-Mar-2019 15:49:20
2
   Checking compatibility for test generation: model 'sldvdemo cruise control'
3
4
   Compiling model...done
5
   Building model representation...done
6
7
    20-Mar-2019 15:49:42
8
   'sldvdemo cruise control' is compatible for test generation with Simulink Design Verifier.
9
10
11
   Generating tests using model representation from 20-Mar-2019 15:49:42...
12
13 SATISFIED
14
   Controller/Switch3
15
   logical trigger input true (output is from 1st input port)
16
   Analysis Time = 00:00:12
17
18 SATISFIED
19 Controller/PI Controller
20
   enable logical value true
21 Analysis Time = 00:00:12
22
23 SATISFIED
24
   Controller/PI Controller/Discrete-Time Integrator
25 integration result >= upper limit false
26 Analysis Time = 00:00:12
```

# **Review Analysis Results**

#### In this section...

"View Active Results" on page 13-57 "Load Previous Results" on page 13-57 "Explore Results" on page 13-57

# View Active Results

After analysis is complete, the Simulink Design Verifier Results Summary window opens, showing different ways you can use the results. See "Explore Results" on page 13-57.

If you close the Results Summary window so you can fix the cause of any analysis errors in your model, you might need to review the analysis results again. If you have not closed your model since you ran the analysis, you can reopen the latest analysis results for your model.

On the **Design Verifier** tab, click **Results Summary** to view the Results Summary window. The Results Summary window reopens with the latest analysis results for your model.

# **Load Previous Results**

If you want to review results of a previous analysis on a model, you can load these results from the analysis data file. On the **Design Verifier** tab, click **Load Earlier Results** and browse to the data file that corresponds to the analysis you want to review. Click **Results Summary**.

For more information on analysis data files, see "Manage Simulink Design Verifier Data Files" on page 13-7.

If you load analysis results for a model from a data file that was generated with a previous version of that model, you might see unexpected effects. To avoid inconsistencies between your model and analysis results data, when you load results for a model, choose a data file that contains results from the same version of that model.

# **Explore Results**

With active or previous analysis results loaded in the Results Summary window, you can perform the following tasks.

| Task                                         | For more information                          |
|----------------------------------------------|-----------------------------------------------|
| Highlight the analysis results on the model. | "Highlight Results on the Model" on page 13-2 |
| Generate a detailed analysis report.         | "Review Results" on page 13-35                |

| Task                                                                       | For more information                                              |
|----------------------------------------------------------------------------|-------------------------------------------------------------------|
| Create the harness model, or if the harness model already exists, open it. | "Manage Simulink Design Verifier Harness<br>Models" on page 13-13 |
| You will not be able to create the harness model if:                       |                                                                   |
| • No design error objectives were falsified                                |                                                                   |
| No test cases were generated                                               |                                                                   |
| No counterexamples were created                                            |                                                                   |
| View the data file.                                                        | "Manage Simulink Design Verifier Data Files" on page 13-7         |
| View the log file.                                                         | "View Log Files" on page 13-56                                    |

# See Also

# **More About**

- "Design Verifier Pane: Results" on page 15-56
- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Review Results" on page 13-35

# Analyzing Large Models and Improving Performance

- "Sources of Model Complexity" on page 14-2
- "Analyze a Large Model" on page 14-3
- "Increase Allocated Memory for Analysis Report Generation" on page 14-7
- "Manage Model Data to Simplify the Analysis" on page 14-8
- "Partition Model Inputs for Incremental Test Generation" on page 14-11
- "Bottom-Up Approach to Model Analysis" on page 14-13
- "Extract Subsystems for Analysis" on page 14-15
- "Logical Operations" on page 14-21
- "Analyzing Models with Large Verification State Space" on page 14-22
- "Counters and Timers" on page 14-23
- "Prove Properties in Large Models" on page 14-24

# **Sources of Model Complexity**

Some characteristics of Simulink models can cause problems during a Simulink Design Verifier analysis in the following ways:

- Complexity of model inputs due to:
  - Large number of inputs (The number of inputs can vary, depending on the individual model.)
  - Types of inputs (floating-point values, for example)
  - The way the inputs affect the model state and the objectives of the analysis
- Number of possible simulation paths through a model
- Portions of the model that cannot be reached
- Large counters in the model

The topics in "Reduce Model Complexity" describe techniques designed to reduce the impact of this complexity and achieve the best performance from Simulink Design Verifier.

Most of these techniques focus on test generation for large models. However, you can use many of them to detect design errors or prove the properties of a large model and generate counterexamples when a property is disproved. In addition, "Prove Properties in Large Models" on page 14-24 describes specific techniques for proving properties in a large model.

# Analyze a Large Model

## In this section...

"Types of Large Model Problems" on page 14-3

"Summarize Model Hierarchy and Compatibility" on page 14-3

"Use the Default Parameter Values" on page 14-4

"Modify the Analysis Parameters" on page 14-5

"Stop the Analysis Before Completion" on page 14-5

# Types of Large Model Problems

The Simulink Design Verifier software may encounter some of these problems when analyzing a large model:

- Unsatisfiable objectives The software proved there are no test cases that exercise these test objectives, and did not generate any test cases.
- Undecided objectives The software was not able to satisfy or falsify these objectives.
- Objectives with errors This problem usually occurs when a model component uses nonlinear arithmetic, which can affect a test objective.
- Cannot complete the analysis in the time allotted This problem may indicate an area of your model where the software encountered problems, or you may need to increase value of the **Maximum analysis time** parameter.
- Analysis hangs If the number of objectives processed remains constant for a considerable length of time, the software has likely encountered complexity between the model and its objectives.
- Does not achieve a high percentage of model coverage When you run the test cases on the harness model, the percentage of model coverage is insufficient for your design.

The next few sections describe the initial steps to take when analyzing a large model. Although these steps address test generation, you can use a similar approach when detecting design errors or proving properties in a model.

# Summarize Model Hierarchy and Compatibility

You can use the Test Generation Advisor to summarize test generation compatibility, condition and decision objectives, and dead logic for the model and model components.

The Test Generation Advisor performs a high-level analysis and fast dead logic detection. You can use the results to better understand your model, particularly large models, complex models, or models for which you are uncertain of their compatibility with Simulink Design Verifier. For example, you can:

- Identify incompatibilities with test case generation.
- Identify complex components that might be time-consuming to analyze.
- Determine instances of dead logic.
- Get a summary of the component hierarchy.
- Get recommended test generation parameters.

To access the Test Generation Advisor, on the **Design Verifier** tab, in the **Mode** section, click **Test Generation**. In the **Prepare** section, click **Advisor**. For more information see "Use Test Generation Advisor to Identify Analyzable Components" on page 7-24.

# **Use the Default Parameter Values**

When you generate test cases, you should generally begin by analyzing the model using the Simulink Design Verifier default parameter values:

- 1 Check to see if your model is compatible with Simulink Design Verifier, as described in "Check Model Compatibility" on page 3-2.
- 2 Using the default parameter values, analyze the model. The following table lists the default values for parameters in the Configuration Parameters dialog box that you might change when analyzing large models.

| Parameter                    | Default Value      | Description                                                                                       |
|------------------------------|--------------------|---------------------------------------------------------------------------------------------------|
| Maximum analysis time<br>(s) |                    | If the analysis does not finish within the specified time, the analysis times out and terminates. |
| Test suite optimization      | Auto               | Generates test cases that address more than one test objective.                                   |
| Model coverage<br>objectives | Condition/Decision | Generates test cases that achieve condition and decision coverage.                                |

- **3** Review the following information in the Simulink Design Verifier log window while the analysis runs:
  - Number of objectives processed How many objectives were processed? Did the analysis hang after processing a certain number of objectives? The answers to these questions might give you a clue about where a problem might lie.
  - Number of objectives satisfied/Number of objectives falsified Which objectives were falsified?
  - Time elapsed Did the analysis time out, or did it finish within the specified maximum analysis time?
- 4 When the analysis completes, you can highlight the results in the model and individually review the analysis of each model object, as described in "Highlight Results on the Model" on page 13-2. You can also generate and review the Simulink Design Verifier HTML report. This report contains links to the model elements for satisfied and falsified objectives so you can see what portions of the model might have problems. For more information, see "Review Results" on page 13-35.
- **5** For a test generation analysis, if all the test objectives have been satisfied, run the test cases on the harness model to determine model coverage.

If model coverage is enough for your design, you do not need to do anything else. If the coverage is insufficient, take additional steps to improve the analysis performance, as described in the following sections.

**Note** A large percentage of falsified objectives and poor model coverage often indicate that you need to change model parameter values to get complete coverage. This can occur when you have tunable parameters in Constant blocks that are connected to enabled subsystems or to the trigger inputs of Switch blocks. In these situations, configure Simulink Design Verifier parameter support as described in the example "Specify Parameter Configuration for Full Coverage" on page 5-17.

## **Modify the Analysis Parameters**

If the analysis satisfied most but not all of the objectives, try the following steps:

- **1** Increase the **Maximum analysis time** parameter. This gives the analysis more time to satisfy all the objectives.
- 2 Set the **Model coverage objectives** parameter to **Decision**. Selecting this option generates only test cases that achieve decision coverage. These test cases are a subset of the MCDC option.
- **3** Rerun the analysis and review the report.

If the results are still not satisfactory, try the techniques described in the following sections.

# **Stop the Analysis Before Completion**

Watch the **Objectives processed** value in the log window. If about 50 percent of the **Maximum analysis time** parameter has elapsed and this value does not increase, the model analysis may have trouble processing certain objectives. If the analysis does not progress, take the following steps:

**1** Click **Stop** in the log window.

A dialog box appears, informing you that the analysis was aborted and asking you if you still want to produce results.

2 Click **Yes** to save the results of the analysis so far.

The log window lists the following options, depending on which analysis mode you ran:

- Highlight analysis results on model
- Generate detailed analysis report
- Create harness model
- Simulate tests and produce a model coverage report
- **3** Click Generate detailed analysis report.
- **4** In the HTML report, review the following sections to identify the model elements that are causing problems:
  - Objectives Undecided when the Analysis was Stopped
  - Objectives Producing Errors
- **5** Review the model elements that have undecided objectives or objectives with errors to see if these problems are present. Consult the pages in the **More Information** column for specific techniques to improve the analysis.

| Problem in Your Model | More Information                                                                  |
|-----------------------|-----------------------------------------------------------------------------------|
| Floating-point inputs | <ul> <li>"Manage Model Data to Simplify the<br/>Analysis" on page 14-8</li> </ul> |
|                       | "Bottom-Up Approach to Model Analysis"     on page 14-13                          |
| Nonlinear operations  | "Logical Operations" on page 14-21                                                |
|                       | "Bottom-Up Approach to Model Analysis"     on page 14-13                          |

| Problem in Your Model        | More Information                                                        |
|------------------------------|-------------------------------------------------------------------------|
| Large state spaces           | "Analyzing Models with Large Verification<br>State Space" on page 14-22 |
|                              | "Bottom-Up Approach to Model Analysis"     on page 14-13                |
| Large timers and time delays | "Counters and Timers" on page 14-23                                     |
|                              | "Bottom-Up Approach to Model Analysis"     on page 14-13                |

# **Increase Allocated Memory for Analysis Report Generation**

When you analyze a model with a large root-level input signal count, you may encounter an insufficient memory error when Simulink Design Verifier is generating the report.

When this occurs, you need to increase the amount of memory the Sun<sup>®</sup> Java<sup>®</sup> Virtual Machine (JVM<sup>TM</sup>) software can allocate. For steps on how to increase this memory, see "Increase the MATLAB JVM Memory Allocation Limit" (MATLAB Report Generator).

# Manage Model Data to Simplify the Analysis

#### In this section...

"Simplify Data Types" on page 14-8

"Constrain Data" on page 14-8

# **Simplify Data Types**

One way to simplify your model is to use for the designated signal data type a data type requiring the least amount of space for the expected data. For example, do not use an int data type for Boolean data, because only one bit is required for Boolean data.

In another example, suppose you have a Sum block with two inputs that are always integers between -10 and 10. Set the **Output data type** parameter to int8, rather than int32 or double.

To display the signal data types, on the **Debug** tab, click **Information Overlays > Port Data Type**.

# **Constrain Data**

Another effective technique for reducing complexity is to restrict the inputs to a set of representative values or, ideally, a single constant value. This process, called discretization, treats the input as if it were an enumeration. Discretization allows you to handle nonlinear arithmetic from multiplication and division in the simplest way possible.

The following model has a Product block feeding a Saturation block. The inputs x and y have specific design ranges as shown and the Saturation block limits the input signal to the upper and lower saturation values which is 8000 and 0 RPM.



The Simulink Design Verifier software generates errors when attempting to satisfy the upper and lower limits of the Saturation block, because the software does not support nonlinear arithmetic. To work around these errors, restrict one of the inputs to a set of discrete values.

Identify discrete values that are required to satisfy your testing needs. For example, you may have an input for model speed, and your design contains paths of execution that are conditioned on speed above or below thresholds of 80, 150, 600, and 8000 RPM. For an effective analysis, constrain speed values to be 50, 100, 200, 1000, 5000, or 10000 RPM so that every threshold can be either active or inactive.

If you need to use more than two or three values, consider specifying the constrained values using an expression like

```
num2cell(minval:increment:maxval)
```

Using the previous example model, restrict the second input (y) to be either 1, 2, 5, or 10 using the Test Condition block as shown in the following model. The Simulink Design Verifier software produces test cases for all inputs.



You can also constrain signals that are intermediate or output values of the model. Constraining such signals makes it easier to work around multiplication or division inside lower level subsystems that do not depend on model inputs.

**Note** Discretization is best limited to a small number of inputs (less than 10). If your model requires discretization of many inputs, try to achieve model coverage through successive simulations, as described in "Partition Model Inputs for Incremental Test Generation" on page 14-11.

Test Condition blocks do not need to be placed exactly on the inputs. In deciding where to place the constraints in your model, consider the following guidelines:

- Favor constraints on the input values because the software can process inputs easier.
- If you need to place constraints on both the input and the output, for example, to avoid nonlinear arithmetic, one of the constraints should be a range such as [minval maxval]. The software first tests the values at both ends of the range and can return a test case, even if the underlying calculations are nonlinear.
- Make sure that constraints at corresponding input and output points are not contradictory. Do not constrain the output signals to values that are not achievable because of the constraints on the input values.
- Avoid creating constraints that contradict the model. Such contradictions occur when a constraint can never be satisfied because it contradicts some aspect of the model or another constraint. Analyzing contradictory models can cause Simulink Design Verifier to hang.

The next model is a simple example of a contradictory model. The second input to the Multiply block is the constant 1, but the Test Condition block constrains it to a value of 2, 5, or 10. The analysis cannot achieve all the test objectives in this model.



• When you work with large models that have many multiplication and division operations, you may find it easier to add constraints to all of the floating-point inputs rather than to identify the precise set of inputs that require constraints.

# **Partition Model Inputs for Incremental Test Generation**

As described in "Constrain Data" on page 14-8, you can constrain the values of model inputs using the Simulink Design Verifier Test Condition block.

Like other Simulink parameters, constraint values can be shared across several blocks by referencing a common workspace variable; you can initialize constraint values using MATLAB commands. If you have several inputs related to speed, such as desired speed, measured speed, and average speed, you might choose to constrain all of them to the same set of values.

As an advanced technique for experienced MATLAB programmers, you can use parameterized constraints and successive runs of Simulink Design Verifier to implement an incremental test generation technique:

- **1** Partition model inputs so that some are held constant, some are constrained to sets of constants using the Test Condition block, and some can have any value.
- **2** Generate test cases and run those test cases to collect model coverage.
- **3** Choose new values and partition the inputs with these new values.
- 4 Generate test cases for missing coverage using the sldvgencov function and the current test coverage.

**Note** To view an example of extending an existing test suite to achieve missing model coverage, enter the following at the command prompt in the MATLAB Command Window:

showdemo('sldvdemo\_incremental\_test\_generation')

**5** Repeat steps 3 and 4 until you have achieved the desired coverage.

Partition the model inputs that enable further simplification when an analysis runs. Consider the following model, which has three mutually independent enabled subsystems:

- Normal Mode
- Shutdown Mode
- Failure Mode



You can incrementally generate test cases for each subsystem by constraining the first input to a constant value before running an analysis. In this way, as you create test cases for each subsystem, the software ignores the complexity of the other two subsystems.

# **Bottom-Up Approach to Model Analysis**

#### In this section...

"Reuse of Analysis Results from Subsystems at the System level" on page 14-13 "Limitations" on page 14-14

Simulink Design Verifier software works most effectively at analyzing large models using a bottom-up approach. In this approach, the software analyzes smaller model components first, which can be faster than using the default Auto test suite optimization.

The bottom-up approach offers several advantages:

- It allows you to solve the problems that slow down error detection, test generation, or property proving in a controlled environment.
- Solving problems with small model components before analyzing the model as a whole is more efficient, especially if you have unreachable components in your model that you can only discover in the context of the model.
- You can iterate more quickly—find a problem and fix it, find another problem and fix it, and so on.
- If one model component has a problem—for example, a component is unreachable in simulation—that can prevent the software from generating tests for *all* the objectives in a large model.

Try this workflow with your large model:

- **1** Use the Test Generation Advisor to identify analyzable model components and generate tests for these components. For more information, see "Use Test Generation Advisor to Identify Analyzable Components" on page 7-24.
- 2 Fix any problems by adding constraints or specifying block replacements.
- **3** After you analyze the smaller components, reapply the required constraints and substitutions to the original model. Analyze the full model.

When you finish a bottom-up analysis, you have a top-level model that Simulink Design Verifier can analyze quickly.

## Reuse of Analysis Results from Subsystems at the System level

This section explains how the results for Simulink Design Verifier run on the unit level generalize to the system level. This could be used in certain circumstances as a replacement for running Simulink Design Verifier at the system level, or to restrict the checks that need to run at the system level.

These points describe how Simulink Design Verifier generalizes the results on the unit level to the system level:

- When the design errors prove to be valid or, if you find dead logic at the unit level, the same results are considered valid (or dead logic) at the integration level. Without the system context, analysis at the unit level allows for a less constrained set of behaviors than those experienced in a unit when running at the system level. In other words, when the design error is valid in an unconstrained setting, it is valid in the more constrained setting.
- When there are design errors or an absence of dead logic at the unit level, the results might be different at the integration level. You must then reanalyze these objectives at the integration level.

# Limitations

These limitations are for reusing of analysis results from subsystems, at the system level:

- If the configuration parameter values between the unit level and the system level differ, the Simulink Design Verifier results may change at the system level.
- If floating-point Inf/NaN check is run at the unit level, the inputs to the unit are assumed to be finite, and similarly if the subnormal check is run at the unit level, the inputs to the unit are assumed to be normal. If you need to consider Inf/NaN and subnormal as inputs to the unit level, consider either disabling these checks or analyzing at the integration level. For more information, see "Assumptions and Limitations" on page 6-33.
- If you use sldvextract function, in order to extract a unit for analysis, Simulink Design Verifier in some cases, inserts a Data Store Memory block and Data Store Read and/or Data Store Write blocks. For more information, see "Analyze Subsystems That Read from Global Data Storage" on page 14-16. This leads to a different simulation behavior for the unit level. Additionally, the data store access violation checks may experience different results.

# **Extract Subsystems for Analysis**

## In this section...

"Overview of Subsystem Extraction" on page 14-15

"sldvextract Function" on page 14-15

"Structure of the Extracted Model" on page 14-15

"Analyze Subsystems That Read from Global Data Storage" on page 14-16

"Analyze Function-Call Subsystems" on page 14-17

"Analyze Global Simulink Function" on page 14-19

# **Overview of Subsystem Extraction**

If you have a large model that slows down your analysis or has unreachable objectives, you may want to analyze atomic subsystems or Stateflow atomic subcharts using Simulink Design Verifier. This technique allows you to implement a bottom-up approach to analyzing a large model, as described in "Bottom-Up Approach to Model Analysis" on page 14-13.

When you analyze a subsystem or atomic subchart, the software:

- Extracts the subsystem or subchart into a new model.
- If required, adds blocks to the newly created model that replicate the execution context of the subsystem or subchart within its parent model.
- Analyzes the extracted model and produces results.

**Note** The Simulink Design Verifier software can only analyze atomic subsystems and atomic subcharts.

For more information about analyzing subsystems, see "Generate Test Cases for a Subsystem" on page 7-18.

For more information about analyzing atomic subcharts, see "Analyze a Stateflow Atomic Subchart" on page 1-17.

# sldvextract Function

The sldvextract function allows you to extract subsystems and atomic subcharts for component verification. By extracting the subsystem or atomic subchart, you can verify the component in isolation from the rest of the system, allowing you to test the component algorithm. For more information, see "What Is Component Verification?" on page 10-2 and "Functions for Component Verification" on page 10-3.

# Structure of the Extracted Model

When you analyze a subsystem or atomic subchart, Simulink Design Verifier creates a new model that contains the subsystem or atomic subchart, and any input and output ports that correspond to the ports connected to the original subsystem.

The software assigns the following properties to the ports in the new model, as determined by compiling the original model:

- Data types
- Sample rates
- Signal dimensions
- Minimum and maximum values of the signal ranges

The software names the new model *subsystem\_name*, where *subsystem\_name* is the name of the subsystem.

The next sections provide examples of how Simulink Design Verifier extracts and analyzes subsystems.

## Analyze Subsystems That Read from Global Data Storage

A data store is a repository to which you can write data, and from which you can read data, without having to connect an input or output signal directly to the data store.

You create a data store using a Data Store Memory block or a Simulink.Signal object. The Data Store Memory block or Simulink.Signal object represents the data store and specifies its properties. Every data store must have a unique name.

When you analyze a subsystem that reads data from a data store that is accessed outside the subsystem, the analysis:

- Adds a Data Store Memory block to the new model.
- Adds an input port that writes to the data store. Since the input writes to the data store, the data can have any values (within the specified data type) for the purpose of the Simulink Design Verifier analysis.
- If the data store specifies minimum and maximum values, those values are assigned to the new input port.

The following example analyzes a subsystem in the sl\_subsys\_fcncall8 example model:

1. Open the sl\_subsys\_fcncall8 example model:

open\_system('sl\_subsys\_fcncall8');

This model defines a data store A, from which the atomic subsystem Reader reads data using a Data Store Read block.

2. Right-click the Reader subsystem and select **Design Verifier > Generate Tests** for Subsystem.

The Simulink Design Verifier log window shows that the software extracts the subsystem into a new model named Reader, analyzes the extracted model, and offers you the choice of which results to produce.

3. Open the new Reader model that the software created in <current\_folder>\sldv\_output \Reader.



The new Inport block A writes into the data store, which is used by the subsystem Reader in the new model.

## **Analyze Function-Call Subsystems**

A function-call subsystem is a triggered subsystem whose execution is determined by logic internal to a C MEX S-function instead of by the value of a signal. Function-call subsystems are always atomic.

Note: For more information, see "Implement Function-Call Subsystems with S-Functions".

When you analyze a model with a function-call subsystem, Simulink Design Verifier creates a new model with an Inport block that mimics the trigger and a copy of the subsystem. The software then analyzes the new model.

The following example analyzes a function-call subsystem in the sl\_subsys\_fcncall2 model:

1. Open the sl\_subsys\_fcncall2 example model:

open\_system("sl\_subsys\_fcncall2");

2. This model contains a Stateflow<sup>™</sup> chart named Chart that triggers the function-call subsystem f.

Right-click the f subsystem and select **Design Verifier > Generate Tests** for Subsystem.

The software extracts the subsystem into a new model named f0, analyzes the extracted model, and produces results.

| 🚡 Simulink Design Verifier Results Summary: f0 🛛 🕹 🗙                               |              |          |       |  |
|------------------------------------------------------------------------------------|--------------|----------|-------|--|
|                                                                                    |              |          |       |  |
| Progress                                                                           |              |          |       |  |
| Objectives processed                                                               | 5/5          |          |       |  |
| Satisfied                                                                          | 5            |          |       |  |
| Unsatisfiable                                                                      | 0            |          |       |  |
| Elapsed time                                                                       | 0:11         |          |       |  |
| L                                                                                  |              |          |       |  |
| Test generation compl                                                              | eted normall | у.       |       |  |
| 5/5 objectives are satisfied.                                                      |              |          |       |  |
| Results:                                                                           |              |          |       |  |
| Highlight analysis results on model                                                |              |          |       |  |
|                                                                                    |              |          |       |  |
| View tests in Simulation Data Inspector     Detailed analysis report: (HTML) (PDF) |              |          |       |  |
| Create harness                                                                     |              |          |       |  |
| Export test cases to Simulink Test                                                 |              |          |       |  |
| Simulate tests and produce a model coverage report                                 |              |          |       |  |
| - Innalace cests and produce a model coverage report                               |              |          |       |  |
| Data saved in: <u>f0_sldvdata.mat</u>                                              |              |          |       |  |
| in folder: <u>H:\Documents\MATLAB\sldv_output\f0</u>                               |              |          |       |  |
|                                                                                    |              |          |       |  |
|                                                                                    |              |          |       |  |
|                                                                                    | Γ            |          | Class |  |
|                                                                                    |              | View Log | Close |  |

3. Open the f0 model that the software created in <current\_folder>\sldv\_output\f0.

The Inport block and the new subsystem block mimic the trigger for the function-call subsystem f in the new  ${\rm f0}$  model.



## **Analyze Global Simulink Function**

A Simulink  $\mbox{$\mathbb{B}$}$  function is a computational unit that calculates a set of outputs when provided with a set of inputs.

When you analyze Simulink Function subsystem, Simulink Design Verifier<sup>™</sup> creates a new model containing a MATLAB function block \_SldvExportFcnScheduler and a copy of the subsystem. This MATLAB Function block invokes Simulink Functions aperiodically and is driven by inports which represent the input arguments of the Simulink Function. An additional Inport block called FcnTriggerPort, the value of which indicates whether to invoke a particular function in a time step or not.

The following example analyzes a global Simulink function in the sldvexGlobalSimFcn model:

1. Open the sldvexGlobalSimFcn model.

open\_system("sldvexGlobalSimFcn");

2. Right-click the subsystem and select **Design Verifier > Generate Tests** for Subsystem.

The software extracts the subsystem into a new model and analyzes the extracted model, and produces results.

3. Open the new model SimulinkFunctionRunnable0 that the software creates in <current\_folder>\sldv\_output\.

The Inport block FcnTriggerPort, invokes the Simulink Function SimulinkFunctionRunnable in the new SimulinkFunctionRunnable0 model.



# **Logical Operations**

If you have a Simulink model with both logical and arithmetic operations, consider analyzing only the logical operations.

The Simulink Design Verifier software does not support nonlinear arithmetic of floating-point numbers, as occurs with multiplication or division, unless one of the multiply operands or the divisor is a constant.

To simplify models that contain integers or floating-point numbers, the software maps the model computations into expressions of Boolean variables. For example, the software might represent an eight-bit number as a set of eight Boolean values, with one for each digit. It might represent a bitwise OR operation of two eight-bit integers as eight separate logical OR operations.

Mapping problems of one data type into Boolean variables is complex, and this complexity increases when the software performs such mapping. The software handles models with predominantly logical signals more efficiently than it does those with large integer or floating-point signals.

**Note** Simulink Design Verifier software can handle floating-point inputs when their values impact the design through linear inequalities such as x < y or a > 0.

In addition, input complexity can result from certain cast operations. For example, casting a double to an int8 can introduce a non-linearity in certain situations.

# Analyzing Models with Large Verification State Space

Persistent design variables (variables that are assigned in one time step and used in a later time step during simulation) affect the complexity of analysis in much the same way as input complexity. You can use one or more of the following techniques to simplify the complexity of the state space you want to search:

- Apply constraints to input signals that are delayed.
- Constrain the inputs to states that are contained within conditionally executed subsystems.
- Limit the number of test case steps by setting the Maximum test case step parameter to 20.
- Increase the sample time for part or all of the model. (This procedure is similar to reducing timer thresholds, as described in "Counters and Timers" on page 14-23.) A test case that you generate at a lower sample rate often has similarities to the test case with a high sample rate that you need to achieve an objective.
- Use tight variable types where ever possible. For example, if a flag with values of 0 or 1 only is defined as a double, restrict the type to Boolean.

States that are computed from previous state values present a special challenge. For example, if you want to restrict the integrator value in a PID controller, you can only use a set of values that includes all reachable values from the initial value. Otherwise, the input must be forced to 0. Neither of these limitations is practical and would probably make the analysis less complete.

Alternatively, you can use existing simulation data to help satisfy your testing needs. If you have existing test data, run it on your model and collect model coverage. For an example of extending an existing test suite to achieve missing model coverage, see "Extend an Existing Test Suite" on page 7-86.

# **Counters and Timers**

Simulink Design Verifier analysis searches through sequences of states to find input values that drive the analysis to reach a state that satisfies an objective. Each counter value or timer step corresponds to a different state, so the presence of long timers or counters can dramatically increase the size of the state representation. Since analysis complexity depends on the size of the state representation, you must give special consideration to counters and timers in your model to avoid over complicating Simulink Design Verifier analysis.

**Note** For the purposes of Simulink Design Verifier analysis, the term configuration refers to a set of values for all the persistent information in your model.

The search process investigates all configurations that can be reached in a single timer step before considering any of the configurations that can be reached in two timer steps. Likewise, the search investigates all configurations that can be reached in two timer steps before it considers any configuration that requires three or more timer steps, and so on. The number of timer steps required to exhaust the counter directly affects the number of states that the analysis needs to search. Models that contain time delays, such as countdown timers, complicate the analysis by forcing the search to span a large number of states.

You may see similar effects when systems use extensive averaging and filtering to delay the response to a change in inputs. Any aspect of the design that delays the response causes the test sequences to contain more timer steps, resulting in longer test cases that are more difficult to identify.

Some basic techniques you can use to improve analysis performance in models with counters or timers include the following:

- Choose very small values for time delays. A system with a logical error when a time delay is set to 2000 steps usually demonstrates that error if the time delay is changed to 2 steps. If your system has several delays, choose small but unique values for each of them so that your delays are progressively satisfied.
- Make the initial values of counters and timers parameter values that Simulink Design Verifier can modify. The software finds initial values that allow shorter test cases to exceed thresholds. For more information, see "Parameter Configuration for Analysis" on page 5-2.
- Choose higher frequency cutoffs for filters and fewer samples to average to minimize filtering delays.

Some more advanced techniques you can use to improve analysis performance in models with counters or timers include the following:

- Use sldvtimer to identify timer patterns that can be optimized for Simulink Design Verifier test generation.
- Use an existing test case or set of test cases that exhausts the counter or timer, and extend those test cases to create a full test suite. For more information, see "Defining and Extending Existing Tests Cases" on page 7-91.

# **Prove Properties in Large Models**

Property proving uses the same underlying techniques as design error detection and test generation and suffers from the same performance limitations. However, unlike design error detection or test generation, you often cannot simplify the problem without compromising the validity of the results.

You can quickly prove simple proof objectives that are not affected by model dynamics. However, a thorough proof requires that Simulink Design Verifier search through all reachable configurations of your model—even the ones that are reached only after long time delays. The computation time and memory required to search a model completely often make an exhaustive proof impractical.

There are two techniques you can use to improve the performance of property proving in a large model:

#### In this section...

"Find Property Violations While Designing Your Model" on page 14-24

"Combine Proving Properties and Finding Proof Violations" on page 14-24

## Find Property Violations While Designing Your Model

Simulink Design Verifier software offers a strategy that quickly identifies property violations in larger, more complicated models. While designing your model, analyze your model using this strategy so that you can fix any property violations before finalizing your design.

To identify property violations of a model, on the **Design Verifier > Property Proving** pane of the Configuration Parameters dialog box, specify the value of the **Strategy** parameter as FindViolation. When you use this strategy, the **Maximum violation steps** parameter becomes active so that you can specify an upper bound for the number of time steps in the search.

During analysis, the software searches only for property violations within the specified number of time steps. By identifying and fixing the property violations first, you improve the performance of a property-proving analysis that uses the **Prove** strategy.

If a violation is not detected, it is impossible to violate the property with any input sequence having fewer time steps than the specified limit. However, you cannot prove that the property is true because there might be a counterexample within more time steps than the specified limit.

# **Combine Proving Properties and Finding Proof Violations**

Use the following technique for proving properties in large model. This technique combines proving and searching for violations:

- 1 On the **Design Verifier > Property Proving** pane, set the **Strategy** parameter to **Prove**.
- 2 On the **Design Verifier** pane, use a relatively short value for the **Maximum analysis time** parameter, such as 5-10 minutes. If trivial counterexamples exist or if your properties do not depend on model dynamics—the analysis should complete in that amount of time.
- 3 Change the **Strategy** parameter to FindViolation, and choose a small bound for the **Maximum violation steps** parameter, such as 4, 5, or 6. If your properties have simple counterexamples, the software should discover them.
- 4 If you do not find any violations with a small bound, increase the bound and look for longer counterexamples.

- **a** Increase the bound in several increments, and observe the processing time and memory consumption. System resources might limit the length of violation that can be searched.
- **b** In addition, consider the dynamics of your model and the number of time steps required to transition between an arbitrary pair of configurations. If you choose too large a bound, the violation search can be more complex than the unbounded proof.
- 5 If you can run violation searches with relatively large bounds, e.g., 30–50 time steps, switch back to the Prove strategy, and use a longer time limit, such as several hours.

# Simulink Design Verifier Configuration Parameters

- "Simulink Design Verifier Options" on page 15-2
- "Design Verifier Pane" on page 15-9
- "Design Verifier Pane: Block Replacements" on page 15-19
- "Design Verifier Pane: Parameters and Variants" on page 15-22
- "Design Verifier Pane: Test Generation" on page 15-30
- "Design Verifier Pane: Design Error Detection" on page 15-42
- "Design Verifier Pane: Property Proving" on page 15-52
- "Design Verifier Pane: Results" on page 15-56
- "Design Verifier Pane: Report" on page 15-63

# **Simulink Design Verifier Options**

#### In this section...

"Options in Configuration Parameters Dialog Box" on page 15-2

"Design Verification Options Objects" on page 15-2

"Command-Line Parameters for Design Verification Options" on page 15-2

# **Options in Configuration Parameters Dialog Box**

You can set options for Simulink Design Verifier analysis in the Configuration Parameters dialog box. To view the options, open **Design Verifier** tab. In the **Prepare** section, from the drop-down menu for the mode settings, and click **Settings**. The **Design Verifier** pane of the model configuration parameters opens.

By default, options for Simulink Design Verifier do not appear in the Configuration Parameters dialog box. When you open the **Design Verifier** tab, Simulink Design Verifier associates its default options with the model. After you save the model, you can access options for Simulink Design Verifier directly from the Configuration Parameters dialog box.

See "Set Model Configuration Parameters for a Model" for more information about working with this interface.

# **Design Verification Options Objects**

You can use the sldvoptions function to specify Simulink Design Verifier options at the command line.

To view in the MATLAB Command Window the design verification options associated with a Simulink model, use the following syntax:

```
opts = sldvoptions('model_name');
get(opts)
```

# **Command-Line Parameters for Design Verification Options**

Use the following parameters to configure the behavior of Simulink Design Verifier. Use the get\_param and set\_param functions to retrieve and specify values for these parameters programmatically.

For each parameter, the **Location** column indicates where you can set its value in the Configuration Parameters dialog box. The **Values** column shows the type of value required, the possible values (separated with a vertical line), and the default value (enclosed in braces).

| Parameter | Location                                                                                                       | Values             |
|-----------|----------------------------------------------------------------------------------------------------------------|--------------------|
|           | Set by the Floating point<br>absolute tolerance parameter on<br>the Design Verifier > Test<br>Generation pane. | double {'1.0e-05'} |

| Parameter                            | Location                                                                                                                                                       | Values                                                                     |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
| DVAssertions                         | Set by the Assertion blocks<br>parameter on the Design Verifier<br>> Property Proving pane.                                                                    | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}                       |
| DVAutomaticStubbing                  | Set by the <b>Automatic stubbing</b><br>of unsupported blocks and<br>functions parameter on the<br>Design Verifier pane.                                       | {'on'}   'off'                                                             |
| DVBlockReplacement                   | Set by the <b>Apply block</b><br>replacements parameter on the<br>Design Verifier > Block<br>Replacements pane.                                                | 'on'   {'off'}                                                             |
| DVBlockReplacement-<br>ModelFileName | Set by the File path of the<br>output model parameter on the<br>Design Verifier > Block<br>Replacements pane.                                                  | <pre>character array { '\$ModelName \$_replacement ' }</pre>               |
| DVBlockReplacement-<br>RulesList     | Set by the List of block<br>replacement rules parameter on<br>the Design Verifier > Block<br>Replacements pane.                                                | <pre>character array {'<factorydefaultrules>'}</factorydefaultrules></pre> |
| DVCodeAnalysisExtraOptions           | Set by the <b>Additional options for</b><br><b>code analysis</b> parameter on the<br><b>Design Verifier</b> pane.                                              | character array { ' ' }                                                    |
| DVCoverageDataFile                   | Set by the <b>Coverage data file</b><br>parameter on the <b>Design Verifier</b><br><b>&gt; Test Generation</b> pane.                                           | character array { ' ' }                                                    |
| DVCovFilter                          | Set by the <b>Ignore objectives</b><br><b>based on filter</b> parameter on the<br><b>Design Verifier</b> pane.                                                 | 'on'   {'off'}                                                             |
| DVCovFilterFileName                  | Set by the <b>Filter file(s)</b> parameter<br>on the <b>Design Verifier</b> pane.                                                                              | character array { ' ' }                                                    |
| DVDataFileName                       | Set by the <b>Data file name</b><br>parameter on the <b>Design Verifier</b><br>> <b>Results</b> pane.                                                          | <pre>character array { '\$ModelName \$_sldvdata' }</pre>                   |
| DVDeadLogicObjectives                | Set by the <b>Coverage objectives</b><br>to be analyzed parameter on the<br>Design Verifier > Design Error<br>Detection pane.                                  | 'Decision'  <br>{'ConditionDecision'}   'MCDC'                             |
| DVDesignMinMaxCheck                  | Set by the <b>Specified minimum</b><br><b>and maximum value violations</b><br>parameter on the <b>Design Verifier</b><br>> <b>Design Error Detection</b> pane. | 'on'   {'off'}                                                             |
| DVDesignMinMaxConstraints            | Set by the <b>Use specified input</b><br><b>minimum and maximum values</b><br>parameter on the <b>Design Verifier</b><br>pane.                                 | {'on'}   'off'                                                             |

| Parameter                              | Location                                                                                                                                            | Values                                                |
|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
| DVDetectActiveLogic                    | Set by <b>Run exhaustive analysis</b><br>on the <b>Design Verifier &gt; Design</b><br><b>Error Detection</b> pane.                                  | 'on'   {'off'}                                        |
| DVDetectBlockInputRange-<br>Violations | Set by <b>Specified block input</b><br>range violations on the <b>Design</b><br>Verifier > Design Error<br>Detection pane.                          | 'on'   {'off'}                                        |
| DVDetectDeadLogic                      | Set by <b>Dead logic (partial)</b> on<br>the <b>Design Verifier &gt; Design</b><br><b>Error Detection</b> pane.                                     | 'on'   {'off'}                                        |
| DVDetectDivisionByZero                 | Set by the <b>Division by zero</b><br>parameter on the <b>Design Verifier</b><br>> <b>Design Error Detection</b> pane.                              | {'on'}   'off'                                        |
| DVDetectDSM-<br>AccessViolations       | Set by the <b>Data store access</b><br>violations parameter on the<br><b>Design Verifier &gt; Design Error</b><br><b>Detection</b> pane.            | 'on'   {'off'}                                        |
| DVDetectInfNaN                         | Set by the Non-finite and NaN<br>floating-point values parameter<br>on the Design Verifier > Design<br>Error Detection pane.                        | 'on'   {'off'}                                        |
| DVDetectInteger0verflow                | Set by the <b>Integer overflow</b><br>parameter on the <b>Design Verifier</b><br>> <b>Design Error Detection</b> pane.                              | {'on'}   'off'                                        |
| DVDetectOutOfBounds                    | Set by the <b>Out of bound array</b><br>access parameter on the <b>Design</b><br>Verifier > <b>Design Error</b><br>Detection pane.                  | {'on'}   'off'                                        |
| DVDetectSubnormal                      | Set by the <b>Subnormal floating-</b><br><b>point values</b> parameter on the<br><b>Design Verifier &gt; Design Error</b><br><b>Detection</b> pane. | 'on'   {'off'}                                        |
| DVDisplayReport                        | Set by the <b>Display report</b><br>parameter on the <b>Design Verifier</b><br>> <b>Report</b> pane.                                                | {'on'}   'off'                                        |
| DVExtendExistingTests                  | Set by the <b>Extend existing test</b><br><b>cases</b> parameter on the <b>Design</b><br><b>Verifier &gt; Test Generation</b> pane.                 | 'on'   {'off'}                                        |
| DVExistingTestFile                     | Set by the <b>Data file</b> parameter on<br>the <b>Design Verifier &gt; Test</b><br><b>Generation</b> pane.                                         | character array { ' ' }                               |
| DVHarnessModelFileName                 | Set by the <b>Harness model file</b><br><b>name</b> parameter on the <b>Design</b><br><b>Verifier &gt; Results</b> pane.                            | <pre>character array {'\$ModelName \$_harness'}</pre> |

| Parameter                        | Location                                                                                                                                                                                     | Values                                                                      |
|----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| DVHarnessSource                  | Set by the <b>Harness source</b><br>parameter on the <b>Design Verifier</b><br><b>&gt; Results</b> pane.                                                                                     | {'Signal Builder'}   'Signal<br>Editor'                                     |
| DVIgnoreCovSatisfied             | Set by the <b>Ignore objectives</b><br><b>satisfied in existing coverage</b><br><b>data</b> parameter on the <b>Design</b><br><b>Verifier &gt; Test Generation</b> pane.                     | 'on'   {'off'}                                                              |
| DVIgnoreExistTestSatisfied       | Set by the <b>Ignore objectives</b><br><b>satisfied by existing test cases</b><br>parameter on the <b>Design Verifier</b><br><b>&gt; Test Generation</b> pane.                               | {on'}  'off'                                                                |
| DVIncludeRelational-<br>Boundary | Set by the <b>Include relational</b><br><b>boundary objectives</b> parameter<br>on the <b>Design Verifier &gt; Test</b><br><b>Generation</b> pane.                                           | {'on'}   'off'                                                              |
| DVMakeOutputFilesUnique          | Set by the <b>Make output file</b><br><b>names unique by adding a</b><br><b>suffix</b> check box on the <b>Design</b><br><b>Verifier</b> pane.                                               | {'on'}   'off'                                                              |
| DVMaxProcessTime                 | Set by the <b>Maximum analysis</b><br><b>time</b> parameter on the <b>Design</b><br><b>Verifier</b> pane.                                                                                    | double {300}                                                                |
| DVMaxTestCaseSteps               | Set by the <b>Maximum test case</b><br>steps parameter on the <b>Design</b><br>Verifier > Test Generation pane.                                                                              | int32 {10000}                                                               |
| DVMaxViolationSteps              | Set by the <b>Maximum violation</b><br><b>steps</b> parameter on the <b>Design</b><br><b>Verifier &gt; Property Proving</b><br>pane.                                                         | int32 {'20'}                                                                |
| DVMode                           | Set by the <b>Mode</b> parameter on the <b>Design Verifier</b> pane.                                                                                                                         | {'TestGeneration'}  <br>'DesignErrorDetection'  <br>'PropertyProving'       |
| DVModelCoverageObjectives        | Set by the <b>Model coverage</b><br>objectives parameter on the<br>Design Verifier > Test<br>Generation pane.                                                                                | 'None'   'Decision'  <br>{'ConditionDecision'}   'MCDC'<br>  'EnhancedMCDC' |
| DVModelReferenceHarness          | Set by the <b>Reference input</b><br><b>model in generated harness</b><br>parameter on the <b>Design Verifier</b><br>> <b>Results</b> pane of the<br>Configuration Parameters dialog<br>box. | 'on'   {'off'}                                                              |
| DVOutputDir                      | Set by <b>Output folder</b> on the <b>Design Verifier</b> pane.                                                                                                                              | <pre>character array {'sldv_output/ \$ModelName\$'}</pre>                   |

| Parameter                         | Location                                                                                                                                                                                       | Values                                                                 |
|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|
| DVParameterConstraints            | Set by <b>Constraint</b> column in<br>Parameter Table on the <b>Design</b><br><b>Verifier &gt; Parameters</b> pane.                                                                            | double array {[]}                                                      |
| DVParameterNames                  | Set by <b>Name</b> column in Parameter<br>Table on the <b>Design Verifier &gt;</b><br><b>Parameters</b> pane.                                                                                  | double array {[]}                                                      |
| DVParameterUseInAnalysis          | Set by <b>Use</b> column in Parameter<br>Table on the <b>Design Verifier</b> ><br><b>Parameters</b> pane.                                                                                      | cell array {[]}                                                        |
| DVParameters                      | Set by <b>Enable parameter</b><br>configuration on the Design<br>Verifier > Parameters pane.                                                                                                   | 'on'   {'off'}                                                         |
| DVParametersConfigFileName        | Set by <b>Parameter configuration</b><br><b>file</b> on the <b>Design Verifier</b> ><br><b>Parameters</b> pane.<br>This parameter is disabled when<br>DVParametersUseConfig is set<br>to 'on'. | <pre>character array {'sldv_params_template.m'}</pre>                  |
| DVParametersUseConfig             | Set by <b>Use parameter table</b> on<br>the <b>Design Verifier</b> ><br><b>Parameters</b> pane.<br>When set to 'on', this parameter<br>disables DVParametersConfig-<br>FileName.               | 'on'   {'off'}                                                         |
| DVProofAssumptions                | Set by the <b>Proof assumptions</b><br>parameter on the <b>Design Verifier</b><br>> <b>Property Proving</b> pane.                                                                              | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}                   |
| DVProvingStrategy                 | Set by the <b>Strategy</b> parameter on<br>the <b>Design Verifier &gt; Property</b><br><b>Proving</b> pane.                                                                                    | <pre>'FindViolation'   {'Prove'}   'ProveWithViolationDetection'</pre> |
| DVRandomizeNoEffectData           | Set by the <b>Randomize data that</b><br><b>do not affect the outcome</b><br>parameter on the <b>Design Verifier</b><br><b>&gt; Results</b> pane.                                              | 'on'   {'off'}                                                         |
| DVRebuildModel-<br>Representation | Set by the <b>Rebuild model</b><br><b>representation</b> parameter on the<br><b>Design Verifier</b> pane.                                                                                      | 'Always'   {'If change is<br>detected'}                                |
| DVReduceRationalApprox            | Set by the <b>Run additional</b><br><b>analysis to reduce instances of</b><br><b>rational approximation</b><br>parameter on the <b>Design Verifier</b><br>pane.                                | {'on'}   'off'                                                         |

| Parameter               | Location                                                                                                                                 | Values                                                       |
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| DVRelativeTolerance     | Set by the Floating point<br>relative tolerance parameter on<br>the Design Verifier > Test<br>Generation pane.                           | double {'0.01'}                                              |
| DVReportFileName        | Set by the <b>Report file name</b><br>parameter on the <b>Design Verifier</b><br>> <b>Report</b> pane.                                   | <pre>character array {'\$ModelName \$_report'}</pre>         |
| DVReportIncludeGraphics | Set by the <b>Include screen shots</b><br>of properties parameter on the<br><b>Design Verifier &gt; Report</b> pane.                     | 'on'   {'off'}                                               |
| DVReportPDFFormat       | Set by the <b>Generate additional</b><br><b>report in PDF format</b> parameter<br>on the <b>Design Verifier &gt; Report</b><br>pane.     | 'on'   {off'}                                                |
| DVSaveExpectedOutput    | Set by the <b>Include expected</b><br><b>output values</b> parameter on the<br><b>Design Verifier &gt; Results</b> pane.                 | 'on'   {'off'}                                               |
| DVSaveHarnessModel      | Set by the <b>Generate separate</b><br>harness model after analysis<br>parameter on the <b>Design Verifier</b><br>> <b>Results</b> pane. | 'on'   {off'}                                                |
| DVSaveReport            | Set by the <b>Generate report of</b><br><b>the results</b> parameter on the<br><b>Design Verifier &gt; Report</b> pane.                  | 'on'   {off'}                                                |
| DVSFcnSupport           | Set by the <b>Support S-Functions</b><br>in the analysis parameter on the<br><b>Design Verifier</b> pane.                                | {'on'}   off'                                                |
| DVSlTestHarnessName     | Set by the <b>Test Harness Name</b><br>parameter on the <b>Design Verifier</b><br>> <b>Results</b> pane.                                 | <pre>character array { '\$ModelName \$_sldvharness ' }</pre> |
| DVSlTestFileName        | Set by the <b>Test File Name</b><br>parameter on the <b>Design Verifier</b><br>> <b>Results</b> pane.                                    | <pre>character array { '\$ModelName \$_test ' }</pre>        |
| DVStrictEnhancedMCDC    | Set by the Use strict<br>propagation conditions<br>parameter on the Design Verifier<br>> Test Generation pane.                           | 'on'   {'off'}                                               |
| DVTestConditions        | Set by the <b>Test conditions</b><br>parameter on the <b>Design Verifier</b><br>> <b>Test Generation</b> pane.                           | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}         |
| DVTestgenTarget         | Set by the <b>Test generation</b><br><b>target</b> parameter on the <b>Design</b><br><b>Verifier &gt; Test Generation</b> pane.          | {'Model'}   'GenCodeTopModel' <br>'GenCodeModelRef'          |

| Parameter               | Location                                                                                                                                                                                                                                                                                                                                                  | Values                                                                                        |
|-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|
| DVTest0bjectives        | Set by the <b>Test objectives</b><br>parameter on the <b>Design Verifier</b><br>> <b>Test Generation</b> pane.                                                                                                                                                                                                                                            | 'EnableAll'   'DisableAll'  <br>{'UseLocalSettings'}                                          |
| DVTestSuiteOptimization | Set by the <b>Test suite</b><br><b>optimization</b> parameter on the<br><b>Design Verifier &gt; Test</b><br><b>Generation</b> pane.<br>If you analyze your model by using<br>the Legacy LargeModel<br>(Nonlinear Extended), the<br>software displays a warning<br>message that this option has been<br>removed and suggests that you<br>use Auto instead. | {'Auto'}  <br>'IndividualObjectives' <br>'LongTestcases' 'LargeModel<br>(Nonlinear Extended)' |
| DVUseParallel           | Set by the Validate test cases or<br>counterexamples with parallel<br>computing parameter on the<br>Design Verifier pane.                                                                                                                                                                                                                                 | 'on'   {'off'}                                                                                |

# See Also

## **More About**

- "Design Verifier Pane" on page 15-9
- sldvoptions

# **Design Verifier Pane**

| Analysis options                                                                                                                                                                       |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Mode:                                                                                                                                                                                  | Test generation 👻                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Maximum analysis time (s):                                                                                                                                                             | : 300                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| Dutput                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Output folder: sldv_output/                                                                                                                                                            | /\$ModelName\$                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Make output file names                                                                                                                                                                 | unique by adding a suffix                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                                                                                                                                                                                        | Check Model Compatibility                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
|                                                                                                                                                                                        | Generate Tests                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| <ul> <li>Advanced parameters</li> </ul>                                                                                                                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|                                                                                                                                                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Rebuild model representati                                                                                                                                                             | ion: Always 💌                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                                                                                                                                                                                        | ion: Always 🔹                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
|                                                                                                                                                                                        | insupported blocks and functions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| Automatic stubbing of u                                                                                                                                                                | insupported blocks and functions                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| <ul> <li>Automatic stubbing of u</li> <li>Support S-Functions in</li> <li>Use specified input min</li> </ul>                                                                           | insupported blocks and functions the analysis                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| <ul> <li>Automatic stubbing of u</li> <li>Support S-Functions in</li> <li>Use specified input min</li> <li>Run additional analysis</li> </ul>                                          | insupported blocks and functions<br>the analysis<br>imum and maximum values                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| <ul> <li>Automatic stubbing of u</li> <li>Support S-Functions in</li> <li>Use specified input min</li> <li>Run additional analysis</li> </ul>                                          | Insupported blocks and functions<br>the analysis<br>imum and maximum values<br>to reduce instances of rational approximation<br>ounterexamples with parallel computing                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| <ul> <li>Automatic stubbing of u</li> <li>Support S-Functions in</li> <li>Use specified input min</li> <li>Run additional analysis</li> <li>Validate test cases or compared</li> </ul> | Insupported blocks and functions<br>the analysis<br>imum and maximum values<br>to reduce instances of rational approximation<br>ounterexamples with parallel computing<br>analysis: <a href="https://www.empty-computing-computing-computing-compty-computing-computing-computing-computing-compty-computing-computing-computing-compty-computing-compty-computing-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compty-compt&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;ul&gt;     &lt;li&gt;Automatic stubbing of u&lt;/li&gt;     &lt;li&gt;Support S-Functions in&lt;/li&gt;     &lt;li&gt;Use specified input min&lt;/li&gt;     &lt;li&gt;Run additional analysis&lt;/li&gt;     &lt;li&gt;Validate test cases or co&lt;/li&gt;     &lt;li&gt;Additional options for code&lt;/li&gt; &lt;/ul&gt;&lt;/td&gt;&lt;td&gt;Insupported blocks and functions&lt;br&gt;the analysis&lt;br&gt;imum and maximum values&lt;br&gt;to reduce instances of rational approximation&lt;br&gt;ounterexamples with parallel computing&lt;br&gt;analysis: &lt;a href=" mailto:empty="">"&gt;</a> |

## In this section...

"Design Verifier Pane Overview" on page 15-10 "Mode" on page 15-10 "Maximum analysis time" on page 15-11 "Output folder" on page 15-11 "Make output file names unique by adding a suffix" on page 15-12 "Check Model Compatibility" on page 15-13 "Generate Tests/Detect Errors/Prove Properties" on page 15-13

## In this section... "Rebuild model representation" on page 15-13 "Automatic stubbing of unsupported blocks and functions" on page 15-13 "Support S-Functions in the analysis" on page 15-14 "Use specified input minimum and maximum values" on page 15-15 "Run additional analysis to reduce instances of rational approximation" on page 15-15 "Validate test cases or counterexamples with parallel computing" on page 15-16 "Additional options for code analysis" on page 15-17 "Ignore objectives based on filter" on page 15-17 "Filter file(s)" on page 15-18 "Browse..." on page 15-18

## **Design Verifier Pane Overview**

Specify analysis options and configure Simulink Design Verifier output.

## Mode

Specify the analysis mode for Simulink Design Verifier.

## Settings

Default: Test generation

```
Design error detection
```

Detects integer and fixed-point overflow errors and division-by-zero errors in a model

## Test generation

Generates test cases for a model.

Property proving

Proves properties of a model.

## Тір

Simulink Design Verifier specifies the value of this option when you select one of these analysis options from the **Design Verifier** tab, in the **Mode** section:

- Select **Design Error Detection**, then click **Detect Design Errors**.
- Select **Test Generation**, then click **Generate Tests**.
- Select **Property Proving**, then click **Prove Properties**.

## Dependency

When you set the **Mode** parameter, the button below **Check Model Compatibility** changes as follows:

- Mode: Test generation, button reads: Generate Tests
- Mode: Design error detection, button reads: Detect Errors
- Mode: Property proving, button reads: Prove Properties

```
Command-Line Information
Parameter: DVMode
Type: character array
Value: 'TestGeneration' | 'DesignErrorDetection' | 'PropertyProving'
Default: 'TestGeneration'
```

#### See Also

- "Overview of the Simulink Design Verifier Workflow" on page 1-19
- "What Is Design Error Detection?" on page 6-2
- "What Is Test Case Generation?" on page 7-3
- "What Is Property Proving?" on page 12-2

## Maximum analysis time

Specify the maximum time (in seconds) that Simulink Design Verifier spends analyzing a model. You can set the value of maximum analysis time to the value that you are willing to provide to the analysis. You can also stop the analysis at any time.

#### Settings

#### Default: 300

The value that you enter represents the maximum number of seconds Simulink Design Verifier analyzes your model.

#### **Command-Line Information**

Parameter: DVMaxProcessTime Type: double Value: any valid value Default: 300

## **Output folder**

Specify a path name to which Simulink Design Verifier writes its output.

#### Settings

#### Default: sldv\_output/\$ModelName\$

- Enter a path that is either absolute or relative to the current folder.
- **\$ModelName\$** is a token that represents the model name.

## Тір

You can use the following parameters to customize the names and locations of Simulink Design Verifier output:

- On the **Results** pane:
  - Data file name
  - Harness model file name
  - Simulink Test options > Test File name
- On the **Report** pane:
  - Report file name
  - File path of the output model
- On the **Block Replacements** pane:
  - File path of the output model

Command-Line Information Parameter: DVOutputDir Type: character array Value: any valid path Default: 'sldv output/\$ModelName\$'

#### See Also

"Review Analysis Results"

## Make output file names unique by adding a suffix

Specify whether Simulink Design Verifier makes its output file names unique by appending a numeric suffix.

#### Settings

#### Default: On

🔽 On

Appends an incremental numeric suffix to Simulink Design Verifier output file names. Selecting this option prevents the software from overwriting existing files that have the same name.

🔲 Off

Does not append a suffix to Simulink Design Verifier output file names. In this case, the software might overwrite existing files that have the same name.

#### **Command-Line Information**

Parameter: DVMakeOutputFilesUnique
Type: character array
Value: 'on' | 'off'
Default: 'on'

## See Also

"Review Analysis Results"

## **Check Model Compatibility**

Run a check to assess your model for compatibility with Simulink Design Verifier. For more information, see "Simulink Design Verifier Checks".

## **Generate Tests/Detect Errors/Prove Properties**

When you set the **Mode** parameter, this button changes as follows:

• Mode: Test generation, button reads: Generate Tests

For more information, see "What Is Test Case Generation?" on page 7-3.

• Mode: Design error detection, button reads: Detect Errors

For more information, see "What Is Design Error Detection?" on page 6-2.

• Mode: Property proving, button reads: Prove Properties

For more information, see "What Is Property Proving?" on page 12-2.

## **Rebuild model representation**

Specify whether to rebuild model representation for Simulink Design Verifier analysis.

## Settings

#### Default: If change is detected

Always

Always rebuild the model representation.

If change is detected

Rebuild the model representation only when the software detects any change in the model.

## Command-Line Information

Parameter: DVRebuildModelRepresentation
Type: character array
Value: 'Always' | 'IfChangeIsDetected'
Default: 'If change is detected'

## See Also

"Check Model Compatibility" on page 3-2

## Automatic stubbing of unsupported blocks and functions

Specify whether to ignore unsupported blocks and functions during analysis.

## Settings

## Default: On

🔽 On

Ignores unsupported blocks and functions and proceeds with the analysis.

🔲 Off

Displays a warning when Simulink Design Verifier encounters an unsupported block or function and asks if you want to continue the analysis.

```
Command-Line Information
Parameter: DVAutomaticStubbing
Type: character array
Value: 'on' | 'off'
```

## See Also

Default: 'on'

"Handle Incompatibilities with Automatic Stubbing" on page 2-7

## Support S-Functions in the analysis

Specify whether to enable support for S-Functions that have been compiled to be compatible with Simulink Design Verifier.

## Settings

## Default: On

🔽 On

Enables support for S-Functions that have been compiled to be compatible with Simulink Design Verifier.

🔲 Off

Simulink Design Verifier automatically stubs S-Functions during analysis.

#### Command-Line Information Parameter: DVSFcnSupport

Type: character array Value: 'on' | 'off' Default: 'on'

## See Also

"Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28

"Configuring S-Function for Test Case Generation" on page 7-109

"Handle Incompatibilities with Automatic Stubbing" on page 2-7

## Use specified input minimum and maximum values

Specify whether to generate test cases that consider specified minimum and maximum values as constraints for all input signals in your model.

## Settings

## Default: On

🔽 On

Considers specified minimum and maximum values as constraints for all input signals.

🔲 Off

Ignores any specified minimum and maximum values.

```
Command-Line Information
Parameter: DVDesignMinMaxConstraints
Type: character array
Value: 'on' | 'off'
Default: 'on'
```

## See Also

"Minimum and Maximum Input Constraints" on page 11-2

## Run additional analysis to reduce instances of rational approximation

Specify whether Simulink Design Verifier attempts to reduce the use of rational approximation during analysis.

## Settings

## Default: On

```
🔽 On
```

When you use Simulink Design Verifier to analyze models, Simulink Design Verifier attempts to reduce the use of rational approximation if the model. Enabling this setting may increase analysis time.

🔲 Off

Simulink Design Verifier does not attempt to reduce the use of rational approximation during analysis.

## **Command-Line Information**

```
Parameter: DVReduceRationalApprox
Type: character array
Value: 'on' | 'off'
Default: 'on'
```

## Validate test cases or counterexamples with parallel computing

Specifies whether to validate test cases or counterexamples with parallel computing. This option requires a Parallel Computing Toolbox™ license.

## When to Use Parallel Computing for Validation

In general, parallel execution can help reduce the validation time if:

- You have a complex Simulink model that takes a long time to simulate.
- The Simulink Design Verifier analysis exceeds the maximum analysis time and results in a number of objectives with the Needs Simulation status. For more information, see "Objectives Satisfied Needs Simulation" on page 13-46 and "Objectives Falsified Needs Simulation" on page 13-49.
- The test generation analysis generates long test cases. This may be because you have set **Test suite optimization** to LongTestcases or the **Maximum test case steps** value is greater than the default value. For more information, see "Test Generation Pane Overview" on page 15-31.

The following points must be considered when using parallel computing for validation:

- Starting a parallel pool can take time, which impacts the overall analysis time. To reduce the analysis time:
  - Make sure that the parallel pool is already running before you run a test generation analysis. By default, the parallel pool shuts down after being idle for a specified number of minutes. To change the setting, see the topic 'Specify Your Parallel Preferences' in Parallel Computing Toolbox.
  - Load Simulink on all the parallel pool workers.
- The simulation occurs sequentially when:
  - The cluster is not local. Configure parallel preferences to use the local cluster only. To change the setting, see the topic 'Specify Your Parallel Preferences' in Parallel Computing Toolbox.
  - The model is in dirty state prior to launching the SLDV analysis.
  - The model has ToFile blocks.
  - The model is an internal harness.
- Cross-product features such as **functional testing and coverage analysis** from Simulink Test Manager do not support parallel computing for validation. For more information, see "Perform Functional Testing and Analyze Test Coverage" (Simulink Test).

## Settings

## Default: Off

🔽 On

If you have a Parallel Computing Toolbox license, then Simulink Design Verifier validates test cases or counterexamples in parallel across multiple workers on the same machine.

🔲 Off

Simulink Design Verifier validates test cases or counterexamples in serial.

Command-Line Information Parameter: DVUseParallel Type: character array Value: 'on' | 'off' Default: 'off'

## See Also

"How Simulink Design Verifier Reports Approximations Through Validation Results" on page 2-23

## Additional options for code analysis

Specify additional options for analyzing S-functions that have been compiled to be compatible with Simulink Design Verifier. For more information, see "Support Limitations and Considerations for S-Functions and C/C++ Code" on page 3-28.

## Settings

## Default: ' '

Enter additional options for analyzing S-Functions that have been compiled to be compatible with Simulink Design Verifier. For example, to specify the maximum size of arrays, enter defaultArraySize = 512.

## Command-Line Information

Parameter: DVCodeAnalysisExtraOptions Type: character array Value: any valid option for analyzing S-Functions Default: ' '

## Ignore objectives based on filter

Specify to analyze the model, ignoring the objectives in the **Filter file(s)**. The **Filter file(s)** contains the model coverage objectives for test generation, dead logic detection, and design error detection objectives that you want to filter from analysis.

## Settings

## Default: Off

🔽 On

Ignores objectives in the Filter file(s) during test generation and design error detection analysis.

🔲 Off

Generates results for all the objectives during test generation and design error detection analysis, including those in the **Filter file(s)**.

## Dependency

This parameter enables **Filter file(s)**.

## **Command-Line Information**

Parameter: DVCovFilter
Type: character array
Value: 'on' | 'off'
Default: 'off'

## See Also

"Coverage Filtering" (Simulink Coverage)

## Filter file(s)

Specify folder and file name(s) for the file(s) that contains the model coverage objectives and design error detection objectives that you want to filter from analysis.

## Settings

## Default: ''

• Specify the name of the folder and file name(s) that contain the objectives that you want to ignore from test generation and design error detection analysis.

Click the **Browse** button to select an existing **Filter file(s)**.

## **Command-Line Information**

Parameter: DVCovFilterFileName
Type: character array
Value: valid file paths separated by comma or semi-colon
Default: ' '

## See Also

"Coverage Filter Rules and Files" (Simulink Coverage)

Filter Objectives by Using Analysis Filter Viewer on page 6-46

## Browse...

Browse to the file that contains the objectives that you want to ignore from design error detection and test generation analysis.

## Dependency

This button is enabled by Ignore objectives based on filter.

# **Design Verifier Pane: Block Replacements**

| Block Replacements                                      |   |
|---------------------------------------------------------|---|
| Apply block replacements                                |   |
| List of block replacement rules (in order of priority): |   |
|                                                         | 1 |
| Output model                                            |   |
| File path of the output model: <pre></pre>              |   |

## In this section...

"Block Replacements Pane Overview" on page 15-19

"Apply block replacements" on page 15-19

"List of block replacement rules" on page 15-20

"File path of the output model" on page 15-20

## **Block Replacements Pane Overview**

Specify options that control how Simulink Design Verifier preprocesses the models it analyzes.

## See Also

"Perform Block Replacement"

## Apply block replacements

Specify whether Simulink Design Verifier replaces blocks in a model before its analysis.

## Settings

Default: Off

🔽 On

Replaces blocks in a model before Simulink Design Verifier analyzes it.

🔲 Off

Does not replace blocks in a model before Simulink Design Verifier analyzes it.

## Dependencies

This parameter enables List of block replacement rules and File path of the output model.

Command-Line Information Parameter: DVBlockReplacement Type: character array Value: 'on' | 'off' Default: 'off'

## See Also

"Perform Block Replacement"

## List of block replacement rules

Specify a list of block replacement rules that Simulink Design Verifier executes before its analysis.

## Settings

Default: <FactoryDefaultRules>

- Specify block replacement rules as a list delimited by spaces, commas, or carriage returns.
- The Simulink Design Verifier software processes block replacement rules in the order that you list them.
- If you specify the default value, Simulink Design Verifier uses its factory default block replacement rules.

## Dependency

This parameter is enabled when you select **Apply block replacements**.

#### **Command-Line Information**

Parameter: DVBlockReplacementRulesList
Type: character array
Value: any valid rules
Default: '<FactoryDefaultRules>'

## See Also

"Perform Block Replacement"

## File path of the output model

Specify a folder and file name for the model that results after applying block replacement rules.

## Settings

## Default: \$ModelName\$\_replacement

• Optionally, enter a path that is either absolute or relative to the path name specified in **Output** folder.

- Enter a file name for the model that results after applying block replacement rules.
- **\$ModelName\$** is a token that represents the model name.

## Dependency

This parameter is enabled when you select **Apply block replacements**.

## **Command-Line Information**

Parameter: DVBlockReplacementModelFileName
Type: character array
Value: any valid path and file name
Default: '\$ModelName\$\_replacement'

## See Also

"Perform Block Replacement"

# **Design Verifier Pane: Parameters and Variants**

| Paran  | neters                                                    |
|--------|-----------------------------------------------------------|
| Para   | rameter configuration: Treat all parameters as constants  |
| Par    | ameter specification                                      |
| P      | Parameter table                                           |
|        | Enable Disable Clear Highlight in Model                   |
|        | Use Name Constraint Value Min Max Model Element           |
|        |                                                           |
|        |                                                           |
|        |                                                           |
|        |                                                           |
|        | Find parameters Import Export                             |
| P      | Parameter configuration file: <empty> Browse Edit</empty> |
| Variar | nts                                                       |
| 1      | Analyze all Startup Variants Launch Variant Manager       |
|        |                                                           |
|        |                                                           |
|        |                                                           |
|        | OK Cancel Help Apply                                      |

## In this section...

"Parameters Pane Overview" on page 15-23 "Parameter configuration" on page 15-23 "Enable" on page 15-23 "Disable" on page 15-23 "Clear" on page 15-23 "Highlight in Model" on page 15-24 "Use" on page 15-24 "Name" on page 15-24 "Constraint" on page 15-25 "Value" on page 15-25 "Min" on page 15-26 "Max" on page 15-26 "Model Element" on page 15-26 "Find parameters" on page 15-27 "Import" on page 15-27 "Export" on page 15-27 "Parameter configuration file" on page 15-27 "Browse..." on page 15-28 "Edit..." on page 15-28 "Analyze all Startup Variants" on page 15-28 "Launch Variant Manager..." on page 15-29

## **Parameters Pane Overview**

Specify options that control how Simulink Design Verifier uses parameter configurations when analyzing models.

## **Parameter configuration**

Specify the parameter configuration from these options available in drop-down:

- Treat all parameters as constants
- Automatically infer parameter specification. See "Automatically Infer Parameter Specification" on page 5-32
- Determine from generated code. See "Determine from Generated Code" on page 5-36
- Use parameter table. See "Use Parameter Table" on page 5-7
- Use parameter configuration file. See "Use Parameter Configuration File" on page 5-29

## Settings

Default: None

```
Command-Line Information
```

```
Parameter: DVParameterConfiguration
Type: enum
Value: 'None' | 'Auto' | 'DetermineFromGeneratedCode' | 'UseParameterTable' |
'UseParameterConfigFile'
Default: 'None'
```

## See Also

"Use Parameter Table" on page 5-7

## Enable

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Disable

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Clear

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Highlight in Model

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Use

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

The **Use** column specifies whether to use this row's named parameter and specified constraint in the current parameter configuration.

## Settings

## Default: Off

🔽 On

Use this parameter and its specified constraint in the current parameter configuration.

🔲 Off

Do not use this parameter and its specified constraint in the current parameter configuration.

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

"Use Parameter Table" on page 5-7

## Name

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

The Name column displays the name of the parameter.

## Settings

Default: empty

## Tips

To load the model parameters into the Parameter Table, at the bottom of the table, click **Find in Model**. When possible, the software automatically generates constraint values for each parameter.

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

"Use Parameter Table" on page 5-7

## Constraint

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

The **Constraint** column contains the specified value range for the parameter.

## Settings

Default: empty

#### Tips

To autogenerate parameter constraints, at the bottom of the Parameter Table, click **Find in Model**.

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

"Use Parameter Table" on page 5-7

## Value

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

The **Value** column contains the value of the parameter in the base workspace. If the parameter is defined in a Simulink data dictionary that is linked to the model, the **Value** column contains the value of the parameter in the data dictionary.

## Settings

**Default:** empty

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

"Use Parameter Table" on page 5-7

## Min

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

For parameters of type Simulink.Parameter with a specified minimum value, the **Min** column contains the specified minimum value for the parameter.

## Settings

## **Default:** empty

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

- "Use Parameter Table" on page 5-7
- Simulink.Parameter

## Max

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

For parameters of type Simulink.Parameter with a specified maximum value, the **Max** column contains the specified maximum value for the parameter.

## Settings

**Default:** empty

## Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

## See Also

- "Use Parameter Table" on page 5-7
- Simulink.Parameter

## **Model Element**

In the Parameter Table, each row represents a parameter that can be constrained to specified values during Simulink Design Verifier analysis.

The **Model Element** column displays the path to the model elements where the parameter is used.

Settings

Default: empty

#### Dependency

This column is enabled by setting **Parameter configuration** to **Use parameter table**.

#### See Also

"Use Parameter Table" on page 5-7

## **Find parameters**

The software searches your model for parameters that you can configure and loads them in the **Parameter Table**. If your model uses a configuration reference, Simulink Design Verifier does not support the search for parameters when using the **Find in Model** button. For more information, see "Share a Configuration with Multiple Models".

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Import

Adds parameters to the **Parameter Table** from a list stored in a file.

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Export

Exports the current parameters in the **Parameter Table** to a file.

## Dependency

This button is enabled by setting **Parameter configuration** to **Use parameter table**.

## Parameter configuration file

Specify a MATLAB function that defines parameter configurations for a model.

## Settings

**Default**: sldv\_params\_template.m

- The default file, sldv\_params\_template.m, is a template that you can edit and save. The comments in the template explain the syntax you use to specify parameter configurations.
- Click the **Browse** button to select an existing MATLAB file.
- Click the **Edit** button to open the specified MATLAB file in an editor.

## Dependency

This parameter is enabled by setting **Parameter configuration** to **Use parameter table**.

## **Command-Line Information**

Parameter: DVParametersConfigFileName
Type: character array
Value: any valid MATLAB file
Default: 'sldv params template.m'

#### See Also

"Use Parameter Table" on page 5-7

## Browse...

Browse to the parameter configuration file.

#### Dependency

This button is enabled by **Enable parameter configuration**. This button is disabled by **Use parameter table**.

## Edit...

Edit the current parameter configuration file.

## Dependency

This button is enabled by **Enable parameter configuration**. This button is disabled by **Use parameter table**.

## Analyze all Startup Variants

Specify to analyze models that contain variant blocks where the **Variant activation time** parameter is startup.

## Settings

## Default: On

🔽 On

Simulink Design Verifier analyze models that contain variant blocks with the **Variant activation time** parameter set to startup.

## 🔲 Off

Simulink Design Verifier analyzes only active variant blocks with **Variant activation time** parameter set to startup.

#### **Command-Line Information**

Parameter: DVAnalyzeAllStartupVariants
Type: character array
Value: 'on' | 'off'
Default: 'on'

## See Also

"Variant Activation Time for Variant Blocks"

## Launch Variant Manager...

Launch the Variant Manager to view or define constraints on variant control parameters. Simulink Design Verifier applies these constraints during the analysis.

## See Also

- "Variant Manager for Simulink"
- "Parameter Configuration for Analysis" on page 5-2
- "Verify and Validate Variant Models with Startup Activation Time"

# **Design Verifier Pane: Test Generation**

| Test Generation                                                                                |                                                  |        |  |
|------------------------------------------------------------------------------------------------|--------------------------------------------------|--------|--|
| Test generation target:                                                                        | Model -                                          |        |  |
| Model coverage objectives:                                                                     | MCDC                                             |        |  |
| Test conditions:                                                                               | Use local settings                               | -      |  |
| Test objectives:                                                                               | Use local settings                               | -      |  |
| Maximum test case steps:                                                                       | 500                                              |        |  |
| Test suite optimization:                                                                       | Auto                                             | -      |  |
| Relational Boundary Objective                                                                  | s                                                |        |  |
| Include relational bounda                                                                      | ary objectives                                   |        |  |
| Floating point absolute tolera                                                                 | ance: 0.00001 Floating point relative tolerance: | 0.01   |  |
| <ul> <li>Advanced parameters</li> </ul>                                                        |                                                  |        |  |
| Enhanced MCDC                                                                                  |                                                  |        |  |
| Use strict propagation                                                                         | conditions                                       |        |  |
| Add tests for the missing co                                                                   | verage                                           |        |  |
| Extend using existing                                                                          | coverage data                                    |        |  |
| Coverage data: <empty></empty>                                                                 |                                                  | Browse |  |
| Extend using existing test data                                                                |                                                  |        |  |
| Test data: <empty> Browse</empty>                                                              |                                                  |        |  |
| $\checkmark$ Separate objectives satisfied with the existing tests/coverage data in the report |                                                  |        |  |

## In this section...

"Test Generation Pane Overview" on page 15-31

"Test generation target" on page 15-31

"Model coverage objectives" on page 15-31

"Test conditions" on page 15-32

"Test objectives" on page 15-33

"Maximum test case steps" on page 15-33

"Test suite optimization" on page 15-34

| In this section                                                                                   |
|---------------------------------------------------------------------------------------------------|
| "Include relational boundary objectives" on page 15-35                                            |
| "Floating point absolute tolerance" on page 15-36                                                 |
| "Floating point relative tolerance" on page 15-36                                                 |
| "Use strict propagation conditions" on page 15-37                                                 |
| "Extend using existing coverage data" on page 15-38                                               |
| "Coverage data" on page 15-38                                                                     |
| "Browse" on page 15-39                                                                            |
| "Extend using existing test data" on page 15-39                                                   |
| "Test data" on page 15-39                                                                         |
| "Browse" on page 15-40                                                                            |
| "Separate objectives satisfied with the existing tests/coverage data in the report" on page 15-40 |

## **Test Generation Pane Overview**

Specify options that control how Simulink Design Verifier generates tests for the models it analyzes.

## See Also

• "Workflow for Test Case Generation" on page 7-5

## **Test generation target**

Specify the target for test generation.

- **Default:** Model generates test cases for the model.
- Code Generated as Top Model generates the code for the target as top model followed by test cases generation using the generated code.
- Code Generated as Model Reference generates the code for target as model reference followed by test cases generation using the generated code.

## **Command-Line Information**

Parameter: DVTestgenTarget
Type: character array
Value: 'Model' | 'GenCodeTopModel' | 'GenCodeModelRef' |

## See Also

- "Code Coverage Test Generation" on page 7-111
- "Generate Test Cases for Embedded Coder Generated Code" on page 7-28

## Model coverage objectives

Specify the type of model coverage that Simulink Design Verifier attempts to achieve.

## Settings

#### Default: Condition Decision

#### None

Generates test cases that achieve only the custom objectives that you specified in your model using, for example, Test Objective blocks.

#### Decision

Generates test cases that achieve decision coverage. For more information, see "Decision" on page 7-30.

#### Condition Decision

Generates test cases that achieve condition and decision coverage. For more information, see "Condition" on page 7-30.

## MCDC

Generates test cases that achieve modified condition decision coverage (MCDC). When you select MCDC, Simulink Design Verifier automatically enables every coverage objective for decision and condition coverage. For more information, see "MCDC" on page 7-31.

## Enhanced MCDC

Generates test cases that achieve enhanced MCDC coverage. When you select Enhanced MCDC, Simulink Design Verifier automatically enables MCDC coverage. For more information, see "Enhanced MCDC" on page 7-31.

## **Command-Line Information**

```
Parameter: DVModelCoverageObjectives
Type: character array
Value: 'None' | 'Decision' | 'ConditionDecision' | 'MCDC'| 'EnhancedMCDC'
Default: 'ConditionDecision'
```

## See Also

- "What Is Test Case Generation?" on page 7-3
- "Workflow for Test Case Generation" on page 7-5

## **Test conditions**

Specify whether Test Condition blocks in your model are enabled or disabled.

## Settings

**Default:** Use local settings

Use local settings

Enables or disables Test Condition blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

Enable all

 ${\tt Enables}$  all Test Condition blocks in the model regardless of the settings of their  ${\tt Enable}$  parameters.

Disable all

Disables all Test Condition blocks in the model regardless of the settings of their **Enable** parameters.

## Command-Line Information

```
Parameter: DVTestConditions
Type: character array
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

## See Also

- Test Condition
- "Workflow for Test Case Generation" on page 7-5

## **Test objectives**

Specify whether Test Objective blocks in your model are enabled or disabled.

## Settings

Default: Use local settings

Use local settings

Enables or disables Test Objective blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

```
Enable all
```

Enables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.

```
Disable all
```

Disables all Test Objective blocks in the model regardless of the settings of their **Enable** parameters.

## **Command-Line Information**

```
Parameter: DVTestObjectives
Type: character array
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

## See Also

- Test Objective
- "Workflow for Test Case Generation" on page 7-5

## Maximum test case steps

Specify the maximum number of simulation steps Simulink Design Verifier takes when attempting to satisfy a test objective.

The analysis uses the **Maximum test case steps** parameter during certain parts of the testgeneration analysis to bound the number of steps that test generation uses. When you set a small value for this parameter, the parts of the analysis that are bounded complete in less time. When you set a larger value, the bounded parts of the analysis take longer, but it is possible for these parts of the analysis to generate longer test cases.

To achieve the best performance, set the **Maximum test case steps** parameter to a value just large enough to bound the longest required test case, even if the test cases that are ultimately generated are longer than this value.

When you also specify LongTestcases for the **Test suite optimization** parameter, the analysis uses successive passes of test generation to extend a potential test case so that it satisfies more objectives. When this happens, the analysis applies the **Maximum test case steps** parameter to each individual iteration of test generation.

## Settings

## **Default:** 10000

You can specify a value that represents the maximum number of simulation steps Simulink Design Verifier takes when attempting to satisfy a test objective.

## **Command-Line Information**

Parameter: DVMaxTestCaseSteps Type: int32 Value: any valid value Default: 10000

## See Also

• "Workflow for Test Case Generation" on page 7-5

## Test suite optimization

Specify the optimization strategy to use when generating test cases.

## Settings

## Default: Auto

Auto

Analyzes the model by using a strategy that automatically adapts to the model for better analysis performance and precision.

## IndividualObjectives

Maximizes the number of test cases in a suite by generating cases that each address only one test objective. Each test case tends to be short, that is, it includes only a few time steps.

## LongTestcases

Combines test cases to create a smaller number of test cases. This strategy generates fewer, but longer, test cases that each satisfy multiple test objectives.

## Legacy LargeModel (Nonlinear Extended)

Analyzes the model by using a static strategy that does not adapt to the model. When you analyze a model by using Legacy LargeModel (Nonlinear Extended), Simulink Design Verifier

displays a warning message that this option is deprecated and suggests that you use Auto. Auto is most likely to produce better analysis results than Legacy LargeModel (Nonlinear Extended).

```
Command-Line Information
Parameter: DVTestSuiteOptimization
Type: character array
Value: 'Auto' | 'IndividualObjectives' | 'LongTestcases' | Legacy LargeModel
(Nonlinear Extended)
Default: 'Auto'
```

## See Also

- "Workflow for Test Case Generation" on page 7-5
- Simulink Design Verifier Options on page 15-2

## Include relational boundary objectives

Specify generation of test cases that satisfy relational boundary objectives. The objective applies to blocks such as Relational Operator that have an explicit or implicit relational operation. The tests check the relational operations in these blocks with:

- Equal operand values for integer and fixed-point operands.
- Operand values within a certain tolerance for all operands. For integer and fixed-point operands, the tolerance is fixed. For floating-point operands, the tolerance is computed using the inputs and a tolerance value that you specify. If you do not specify a tolerance value, the default values are used.

## Settings

#### Default: Off

🔽 On

For supported blocks, generates the test cases to satisfy relational boundary objectives.

🔲 Off

Ignores the relational boundary objectives for generating the test cases.

#### Dependencies

If you select this option, you can use default values or specify values for:

- "Floating point absolute tolerance" on page 15-36
- "Floating point relative tolerance" on page 15-36

#### Command-Line Information

Parameter: DVIncludeRelationalBoundary
Type: character array
Value: 'on'|'off'
Default: 'off'

## See Also

- "Relational Boundary" on page 7-31
- "Model Objects That Receive Coverage" (Simulink Coverage)
- "Supported and Unsupported Simulink Blocks in Simulink Design Verifier" on page 3-7

## Floating point absolute tolerance

Specify a value for absolute tolerance used in relational boundary tests. The relational boundary objectives apply to blocks such as Relational Operator that have an explicit or implicit relational operation. The tolerance value applies only if the relational operations in those blocks use floating point operands.

- For integer operands, the tolerance value is fixed at 1.
- For fixed-point operands, the tolerance value is the least significant bit.

## Settings

#### Default: 1.0000e-05

For supported blocks, the relational boundary tests check the relational operations in the block with operand values that differ by a certain tolerance. The software calculates the tolerance value using the following formula

max(absTol, relTol\* max(|lhs|,|rhs|)), where:

- absTol is the absolute tolerance value that you specify.
- relTol is a relative tolerance value that you can specify.
- lhs is the left operand and rhs the right operand.
- max(x,y) returns x or y, whichever is greater.

## Dependencies

To enter a value for this option, select "Include relational boundary objectives" on page 15-35.

## **Command-Line Information**

Parameter: DVAbsoluteTolerance Type: double Value: Any valid value Default: 1.0000e-05

## See Also

- "Relational Boundary" on page 7-31
- "Model Objects That Receive Coverage" (Simulink Coverage)

## Floating point relative tolerance

Specify a value for relative tolerance used in relational boundary tests. The relational boundary objectives apply to blocks such as Relational Operator that have an explicit or implicit relational

operation. The tolerance value applies only if the relational operations in those blocks use floating point operands.

- For integer operands, the tolerance value is fixed at 1.
- For fixed-point operands, the tolerance value is the least significant bit.

#### Settings

#### **Default:** 0.01

For supported blocks, the relational boundary tests check the relational operations in the block with operand values that differ by a certain tolerance. The software calculates the tolerance value using the following formula

max(absTol, relTol\* max(|lhs|,|rhs|)), where:

- absTol is an absolute tolerance value that you can specify.
- relTol is the relative tolerance value that you specify.
- lhs is the left operand and rhs the right operand.
- max(x,y) returns x or y, whichever is greater.

#### Dependencies

To enter a value for this option, select "Include relational boundary objectives" on page 15-35.

Command-Line Information Parameter: DVRelativeTolerance Type: double Value: Any valid value Default: 0.01

#### See Also

- "Relational Boundary" on page 7-31
- "Model Objects That Receive Coverage" (Simulink Coverage)

## Use strict propagation conditions

Specify whether to use strict propagation conditions for enhanced MCDC analysis.

#### Settings

#### Default: Off

🔽 On

Use strict propagation condition for enhanced MCDC analysis.

Off

Does not use strict propagation conditions for enhanced MCDC analysis.

## Dependency

This parameter is enabled when you select Enhanced MCDC as Model coverage objectives.

```
Command-Line Information
Parameter: DVStrictEnhancedMCDC
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

## See Also

• "Enhanced MCDC" on page 7-31

## Extend using existing coverage data

Specify whether to use your existing coverage data for test generation. Simulink Design Verifier generates test cases for the objectives not covered in your existing coverage data.

## Settings

## Default: Off

🔽 On

Extend the coverage in **Coverage data** by generating additional test cases.

🔲 Off

Analysis ignores existing Coverage data.

#### **Command-Line Information**

Parameter: DVIgnoreCovSatisfied
Type: character array
Value: 'on' | 'off'
Default: 'off'

## Coverage data

Specify the folder and file name for a file that contains data about satisfied coverage objectives.

## Settings

Default: ''

- Specify the folder and file name for a file that contains the satisfied coverage objectives data.
- Click **Browse** to navigate to and select an existing file.

## **Command-Line Information**

Parameter: DVCoverageDataFile
Type: character array
Value: any valid path and file name

Default: ' '

# Browse

Browse to the coverage file that contains the data about satisfied coverage objectives.

# Dependencies

To enable this parameter, select **Extend using existing coverage data**.

# See Also

- "Achieve Missing Coverage in Closed-Loop Simulation Model" on page 9-11
- "Generate Tests"

# Extend using existing test data

Specify whether to extend the set of generated test cases in Simulink Design Verifier by importing previously generated test cases, test cases logged from a harness model, or a closed-loop simulation model.

# Settings

# Default: Off

🔽 On

Use test cases specified in **Test data** to extend the set of generated test cases.

🔲 Off

Analysis ignores the existing **Test data**.

```
Command-Line Information
Parameter: DVExtendExistingTests
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

# Test data

Specify a folder and file name for the MAT-file that contains the generated or logged test case data.

# Settings

Default: ''

- Specify a folder and file name for the MAT-file that contains the logged test case data in an sldvData object.
- Click Browse to navigate to and select an existing file.

#### Command-Line Information Parameter: DVExistingTestFile Type: character array Value: any valid path and file name Default: ''

# Browse

Browse to the MAT-file that contains the generated or logged test case data and data about satisfied coverage objectives.

# Dependencies

To enable this parameter, select **Extend using existing test data**.

# See Also

- "When to Extend Existing Test Cases" on page 8-2
- "Common Workflow for Extending Existing Test Cases" on page 8-2

# Separate objectives satisfied with the existing tests/coverage data in the report

Specify whether to separate the test objective statuses that are satisfied by the existing tests or coverage data from the extended coverage and test data in the analysis report.

# Settings

## Default: On

🔽 On

Generates an analysis report where the existing tests and coverage data are separate from the extended test and coverage data.

🔲 Off

Generates a report that combines existing and extended coverage and test data.

## **Command-Line Information**

```
Parameter: DVIgnoreExistTestSatisfied
Type: character array
Value: 'on' | 'off'
Default: 'on'
```

## See Also

- "Extend Test Cases for Closed-Loop System" on page 8-10
- "Manage Simulink Design Verifier Data Files" on page 13-7

# **More About**

- "Design Verifier Pane" on page 15-9
- "Generate Test Cases for Model Decision Coverage" on page 7-6
- "Workflow for Test Case Generation" on page 7-5

# **Design Verifier Pane: Design Error Detection**

| Mode  | ling Errors                                              |
|-------|----------------------------------------------------------|
|       | Dead logic (partial)                                     |
|       | Run exhaustive analysis                                  |
|       | Out of bound array access                                |
|       | Data store access violations                             |
| Nume  | erical Errors                                            |
| 1     | Division by zero                                         |
| 1     | Integer overflow                                         |
|       | Non-finite and NaN floating-point values                 |
|       | Subnormal floating-point values                          |
| Signa | al Range Errors                                          |
|       | Specified minimum and maximum value violations           |
|       | Specified block input range violations                   |
| High- | Integrity Systems Modeling Checks                        |
|       | Usage of remainder and reciprocal operations - hisl_0002 |
|       | Usage of square root operations - hisl_0003              |
|       | Usage of log and log10 operations - hisl_0004            |
|       | Usage of Reciprocal Square Root blocks - hisl_0028       |

# In this section...

"Design Error Detection Pane Overview" on page 15-43

"Dead logic (partial)" on page 15-43

"Run exhaustive analysis" on page 15-43

"Coverage objectives to be analyzed" on page 15-44

"Out of bound array access" on page 15-45

"Data store access violations" on page 15-45

"Division by zero" on page 15-46

"Integer overflow" on page 15-46

"Non-finite and NaN floating-point values" on page 15-47

"Subnormal floating-point values" on page 15-47

# In this section...

"Specified minimum and maximum value violations" on page 15-48

"Specified block input range violations" on page 15-48

"Usage of rem and reciprocal operations - hisl\_0002" on page 15-49

"Usage of Square Root operations - hisl\_0003" on page 15-50

"Usage of log and log10 operations - hisl\_0004" on page 15-50

"Usage of Reciprocal Square Roots blocks - hisl\_0028" on page 15-51

# **Design Error Detection Pane Overview**

Specify options that control how Simulink Design Verifier detects runtime errors in the models it analyzes.

# **Dead logic (partial)**

Specify whether to analyze your model for dead logic. This may result in a partial analysis. Select **Run exhaustive analysis** to always run an exhaustive analysis.

# Settings

Default: Off

🔽 On

Reports dead logic identified in your model.

🔲 Off

Does not analyze for dead logic.

```
Command-Line Information
Parameter: DVDetectDeadLogic
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

## See Also

• "Dead Logic Detection" on page 6-7

# Run exhaustive analysis

Specify whether to run an exhaustive analysis for dead logic in the model.

## Settings

Default: Off

# 🔽 On

Perform an exhaustive analysis for dead logic in your model.

🔲 Off

Does not perform exhaustive analysis for dead logic in your model.

# **Command-Line Information**

Parameter: DVDetectActiveLogic
Type: character array
Value: 'on' | 'off'
Default: 'off'

# Dependency

To enable this parameter, select **Dead logic (partial)**.

## See Also

"Dead Logic Detection" on page 6-7

# Coverage objectives to be analyzed

Specify the coverage objectives to analyze for dead logic in the model.

## Settings

## Default: 'ConditionDecision'

Decision

Analyze decision coverage objectives for dead logic.

**Condition Decision** 

Analyze condition and decision coverage objectives for dead logic.

MCDC

Analyze modified condition decision coverage (MCDC) objectives for dead logic.

## **Command-Line Information**

Parameter: DVDeadLogicObjectives
Type: character array
Value: 'Decision' | 'ConditionDecision' | 'MCDC'
Default: 'ConditionDecision'

## Dependency

This parameter is dependent upon **Dead logic (partial)** and works only when **Dead logic (partial)** is also enabled.

# See Also

"Dead Logic Detection" on page 6-7

# Out of bound array access

Specify whether to analyze your model for out of bound array access errors.

# Settings

# Default: On

🔽 On

Reports out of bound array access errors in your model.

🔲 Off

Does not report out of bound array access errors in your model.

#### Command-Line Information Parameter: DVDetectOutOfBounds Type: character array Value: 'on' | 'off' Default: 'on'

# See Also

"Detect Out of Bound Array Access Errors" on page 6-28

# Data store access violations

Specify whether to analyze your model for data store access violations. Design error detection checks for these violations related to Data Store Memory blocks:

- Read-before-write
- Write-after-read
- Write-after-write

## Settings

## **Default:** Off

🔽 On

Reports data store access violations in your model.

🔲 Off

Does not report data store access violations in your model.

## **Command-Line Information**

```
Parameter: DVDetectDSMAccessViolations
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

"Detecting Access Order Errors"

# **Division by zero**

Specify whether to analyze your model for division-by-zero errors.

# Settings

# Default: On

🔽 On

Reports division-by-zero errors in your model.

```
🔲 Off
```

Does not report division-by-zero errors in your model.

Command-Line Information Parameter: DVDetectDivisionByZero Type: character array Value: 'on' | 'off' Default: 'on'

## See Also

"Detect Integer Overflow and Division-by-Zero Errors" on page 6-19

# **Integer overflow**

Specify whether to analyze your model for integer and fixed-point data overflow errors.

## Settings

# Default: On

🔽 On

Reports integer or fixed-point data overflow errors in your model.

🔲 Off

Does not report integer or fixed-point data overflow errors in your model.

Command-Line Information

```
Parameter: DVDetectIntegerOverflow
Type: character array
Value: 'on' | 'off'
Default: 'on'
```

"Detect Integer Overflow and Division-by-Zero Errors" on page 6-19

# Non-finite and NaN floating-point values

Specify whether to analyze your model for non-finite and NaN floating-point values.

## Settings

Default: Off

🔽 On

Reports non-finite and NaN floating-point values in your model.

🔲 Off

Does not report non-finite and NaN floating-point values in your model.

Command-Line Information Parameter: DVDetectInfNaN Type: character array Value: 'on' | 'off' Default: 'off'

## See Also

"Detect Non-Finite, NaN, and Subnormal Floating-Point Values" on page 6-33

# Subnormal floating-point values

Specify whether to analyze your model for subnormal floating-point values.

## Settings

# Default: Off

🔽 On

Reports subnormal floating-point values in your model.

🔲 Off

Does not report subnormal floating-point values in your model.

# Command-Line Information

```
Parameter: DVDetectSubnormal
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

"Detect Non-Finite, NaN, and Subnormal Floating-Point Values" on page 6-33

# Specified minimum and maximum value violations

Specify whether to check that the intermediate and output signals in your model are within the range of user-specified minimum and maximum constraints.

## Settings

## Default: Off

# 🔽 On

Checks that intermediate and output signals are within the range of user-specified minimum and maximum constraints.

🔲 Off

Does not check that intermediate and output signals are within the range of user-specified minimum and maximum constraints.

## **Command-Line Information**

```
Parameter: DVDesignMinMaxCheck
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

## See Also

"Check for Specified Minimum and Maximum Value Violations" on page 6-23

# Specified block input range violations

Specify whether to analyze your model for block input range violations. The check detects input range violations for blocks with these settings:

- For these blocks, when the **Diagnostic for out-of-range input** parameter is set to Warning or Error:
  - n-D Lookup Table
  - Interpolation Using Prelookup
  - Prelookup
  - Direct Lookup Table (n-D)
- Multiport Switch blocks, when the **Diagnostic for default case** parameter is set to Warning or Error.
- Trigonometric Function blocks, when the Approximation method parameter is set to CORDIC

**Note** The check does not flag block input range violations for n-D Lookup Table blocks, when the **Interpolation method** is set to Akima spline or Cubic spline.

**Note** The check does not flag block input range violations for Trigonometric Function blocks with CORDIC **Approximation method**, for which the **Function** parameter is atan2 and the data types of the input signals are double.

#### Settings

Default: Off

🔽 On

Reports block input range violations in your model.

🔲 Off

Does not report block input range violations in your model.

```
Command-Line Information
Parameter: DVDetectBlockInputRangeViolations
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

#### See Also

"Detect Block Input Range Violations"

# Usage of rem and reciprocal operations - hisl\_0002

Specify whether to check the usage of rem and reciprocal operations that cause non-finite results.

This corresponds to the hisl\_0002 check for High-Integrity Systems Modeling. For more information, see hisl\_0002: Usage of Math Function blocks (rem and reciprocal).

#### Settings

#### Default: Off

🔽 On

Reports violations of the hisl\_0002 check in your model.

🔲 Off

Does not report violations of the hisl\_0002 check in your model.

#### Command-Line Information

```
Parameter: DVDetectHISMViolationsHisl_0002
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

"Model Advisor Checks for High-Integrity Systems Modeling Guidelines"

Math Function

# Usage of Square Root operations - hisl\_0003

Specify whether to check the usage of Square Root operations with inputs that can be negative.

This corresponds to the hisl\_0003 check for High-Integrity Systems Modeling. For more information, see hisl\_0003: Usage of Square Root blocks.

# Settings

# Default: Off

🔽 On

Report violations of the hisl\_0003 check in your model.

🔲 Off

Does not report violations of the hisl\_0003 check in your model.

```
Command-Line Information
Parameter: DVDetectHISMViolationsHisl_0003
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

# See Also

"Model Advisor Checks for High-Integrity Systems Modeling Guidelines"

Sqrt

# Usage of log and log10 operations - hisl\_0004

Specify whether to check the usage of log and log10 operations that cause non-finite results.

This corresponds to the hisl\_0004 check for High-Integrity Systems Modeling. For more information, see hisl\_0004: Usage of Math Function blocks (natural logarithm and base 10 logarithm).

# Settings

# Default: Off

🔽 On

Report violations of the hisl\_0004 check in your model.

🔲 Off

Does not report violations of the hisl\_0004 check in your model.

#### Command-Line Information Parameter: DVDetectHISMViolationsHisl\_0004 Type: character array Value: 'on' | 'off' Default: 'off'

# See Also

"Model Advisor Checks for High-Integrity Systems Modeling Guidelines"

# Usage of Reciprocal Square Roots blocks - hisl\_0028

Specify whether to check the usage of Reciprocal Square Root blocks with inputs that can go zero or negative.

This corresponds to the hisl\_0028 check for High Integrity Systems Modeling. For more information, see hisl\_0028: Usage of Reciprocal Square Root blocks.

# Settings

# Default: Off

🔽 On

Report violations of the hisl\_0028 check in your model.

🔲 Off

Does not report violations of the hisl 0028 check in your model.

# **Command-Line Information**

Parameter: DVDetectHISMViolationsHisl\_0028
Type: character array
Value: 'on' | 'off'
Default: 'off'

# See Also

"Model Advisor Checks for High-Integrity Systems Modeling Guidelines"

# **Design Verifier Pane: Property Proving**

| Property Proving         |               |   |  |  |  |  |
|--------------------------|---------------|---|--|--|--|--|
| Assertion blocks:        | Enable all    | • |  |  |  |  |
| Proof assumptions:       | Enable all    | • |  |  |  |  |
| Strategy:                | FindViolation | • |  |  |  |  |
| Maximum violation steps: | 20            |   |  |  |  |  |

## In this section...

"Property Proving Pane Overview" on page 15-52

"Assertion blocks" on page 15-52

"Proof assumptions" on page 15-53

"Strategy" on page 15-53

"Maximum violation steps" on page 15-54

# **Property Proving Pane Overview**

Specify options that control how Simulink Design Verifier proves properties for the models it analyzes.

# See Also

- "What Is Property Proving?" on page 12-2
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5

# **Assertion blocks**

Specify whether Assertion blocks in your model are enabled or disabled.

## Settings

**Default:** Use local settings

```
Use local settings
```

Enables or disables Assertion blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

```
Enable all
```

Enables all Assertion blocks in the model regardless of the settings of their **Enable** parameters. Disable all

Disables all Assertion blocks in the model regardless of the settings of their **Enable** parameters.

# **Command-Line Information**

Parameter: DVAssertions
Type: character array
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'

# See Also

- Assertion
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5

# **Proof assumptions**

Specify whether Proof Assumption blocks in your model are enabled or disabled.

# Settings

Default: Use local settings

Use local settings

Enables or disables Proof Assumption blocks based on the value of the **Enable** parameter of each block. If a block's **Enable** parameter is selected, the block is enabled; otherwise, the block is disabled.

Enable all

Enables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.

Disable all

Disables all Proof Assumption blocks in the model regardless of the settings of their **Enable** parameters.

# Command-Line Information

```
Parameter: DVProofAssumptions
Type: character array
Value: 'UseLocalSettings' | 'EnableAll' | 'DisableAll'
Default: 'UseLocalSettings'
```

## See Also

- Proof Assumption
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5

# Strategy

Specify the strategy that Simulink Design Verifier uses when proving properties.

# Settings

#### Default: Prove

Prove

Performs property proofs.

# FindViolation

Searches only for property violations within the number of simulation steps specified by the **Maximum violation steps** option.

## ProveWithViolationDetection

Searches both for property violations, as well as tries to prove properties for which it failed to detect a violation. This strategy is a relatively optimal balance between the ProveWithViolationDetection and FindViolation strategies.

# Dependency

Selecting FindViolation or ProveWithViolationDetection enables the Maximum violation steps parameter.

# **Command-Line Information**

Parameter: DVProvingStrategy
Type: character array
Value: 'Prove' | 'FindViolation' | 'ProveWithViolationDetection'
Default: 'Prove'

## See Also

- "What Is Property Proving?" on page 12-2
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5

# Maximum violation steps

Specify the maximum number of simulation steps over which Simulink Design Verifier searches for property violations.

## Settings

## Default: 20

The Simulink Design Verifier software does not search beyond the maximum number of simulation steps that you specify. Therefore, it cannot identify violations that might occur later in a simulation.

## Dependency

This parameter is enabled when you set **Strategy** to FindViolation or ProveWithViolationDetection.

# Command-Line Information Parameter: DVMaxViolationSteps

Type: int32 Value: any valid value Default: 20

# See Also

- "What Is Property Proving?" on page 12-2
- "Workflow for Proving Model Properties" on page 12-4
- "Prove Properties in a Model" on page 12-5

# **Design Verifier Pane: Results**

| Data file name:      | \$ModelNa   | ame\$_sldvdata             |
|----------------------|-------------|----------------------------|
| Include expect       | cted output | ut values                  |
| Randomize d          | ata that d  | lo not affect the outcome  |
| larness model opt    | ions        |                            |
| Generate sep         | arate har   | rness model after analysis |
| Harness model fi     | le name:    | <empty></empty>            |
| ✓ Reference inp      | out model   | l in generated harness     |
| Harness source:      | Signal E    | Editor 🗸                   |
| Simulink Test option | ns          |                            |
| Test File name:      | \$Mo        | odelName\$_test            |
| Test Harness nar     | ne: \$Mo    | odelName\$_sldvharness     |

| In this section                                                |
|----------------------------------------------------------------|
| "Results Pane Overview" on page 15-56                          |
| "Data file name" on page 15-57                                 |
| "Include expected output values" on page 15-57                 |
| "Randomize data that do not affect the outcome" on page 15-58  |
| "Generate separate harness model after analysis" on page 15-59 |
| "Harness model file name" on page 15-59                        |
| "Reference input model in generated harness" on page 15-60     |
| "Harness source" on page 15-61                                 |
| "Test File Name" on page 15-61                                 |
| "Test Harness Name" on page 15-62                              |

# **Results Pane Overview**

Specify options that control how Simulink Design Verifier handles the results that it generates.

# See Also

"Review Analysis Results"

# Data file name

Specify a folder and file name for the MAT-file that contains the data generated during the analysis, stored in an sldvData structure.

# Settings

# Default: \$ModelName\$\_sldvdata

- Optionally, enter a path that is either absolute or relative to the path name specified in **Output** folder.
- Enter a file name for the MAT-file.
- **\$ModelName\$** is a token that represents the model name.

Command-Line Information Parameter: DVDataFileName Type: character array Value: any valid path and file name Default: '\$ModelName\$\_sldvdata'

# See Also

- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Review Analysis Results"

# Include expected output values

Simulate the model using test case signals and include the output values in the Simulink Design Verifier data file.

# Settings

# Default: Off

# 🔽 On

Simulates the model using the test case signals that the analysis produces. For each test case, the software collects the simulation output values associated with Outport blocks in the top-level system and includes those values in the MAT-file that it generates.

```
🔲 Off
```

Does not simulate the model and collect output values for inclusion in the MAT-file that the analysis generates.

# Tips

- The TestCases.expectedOutput subfield of the MAT-file contains the output values. For more information, see "Generate sldvData Structure" on page 13-7.
- When **Include expected output values** is enabled, Simulink Design Verifier successively simulates the model using each test case that it generates. Enabling this option requires more time for Simulink Design Verifier to complete its analysis.

# **Command-Line Information**

Parameter: DVSaveExpectedOutput
Type: character array
Value: 'on' | 'off'
Default: 'off'

# See Also

- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Review Analysis Results"

# Randomize data that do not affect the outcome

Specify whether to use random values instead of zeros for input signals that have no impact on test or proof objectives.

# Settings

## Default: Off

🔽 On

Assigns random values to test case or counterexample signals that do not affect the outcome of test or proof objectives in a model. This option can enhance traceability and improve your regression tests.

🔲 Off

Assigns zeros to test case or counterexample signals that do not affect the outcome of test or proof objectives in a model.

## Tips

- This option replaces default data values with random values when the Simulink Design Verifier internal analysis engine does not specify a value. When a value does not influence the satisfaction of a test or proof objective, the generated analysis report indicates that value with a dash (-).
- Simulink Design Verifier generated analysis reports show the setting of this option.
- Enable this option to enhance traceability when simulating test cases or counterexamples. For instance, consider the following model:



Only the signal entering the Switch block control port impacts its decision coverage. If the **Randomize data that does not affect outcome** parameter is off, Simulink Design Verifier uses

zeros to represent the signals from In1 and In3. When inspecting the results from test case or counterexample simulations, it is unclear which of these signals passes through the Switch block because they have the same value. But if the **Randomize data that does not affect outcome** parameter is on, the software uses unique values to represent each of those signals. In this case, it is easier to determine which signal passes through the Switch block.

# Command-Line Information

Parameter: DVRandomizeNoEffectData
Type: character array
Value: 'on' | 'off'
Default: 'off'

# See Also

- "Manage Simulink Design Verifier Data Files" on page 13-7
- "Review Analysis Results"

# Generate separate harness model after analysis

Create a harness model generated by the Simulink Design Verifier analysis.

# Settings

# Default: Off

🔽 On

Saves the harness model that Simulink Design Verifier generates as a model file.

🔲 Off

Does not save the harness model that Simulink Design Verifier generates.

# Dependency

This parameter enables Harness model file name.

```
Command-Line Information
Parameter: DVSaveHarnessModel
Type: character array
Value: 'on' | 'off'
Default: 'off'
```

# See Also

- "Manage Simulink Design Verifier Harness Models" on page 13-13
- "Review Analysis Results"

# Harness model file name

Specify a folder and file name for the harness model.

# Settings

#### Default: \$ModelName\$\_harness

- Optionally, enter a path that is either absolute or relative to the path name specified in **Output** folder.
- Enter a file name for the harness model.
- **\$ModelName\$** is a token that represents the model name.

# Dependency

This parameter is enabled by Generate separate harness model after analysis.

#### Command-Line Information Parameter: DVHarnessModelFileName Type: character array Value: any valid path and file name Default: '\$ModelName\$\_harness'

# See Also

- "Manage Simulink Design Verifier Harness Models" on page 13-13
- "Review Analysis Results"

# **Reference input model in generated harness**

Use a Model block to reference the model to run in the harness model.

# Settings

# Default: On

🔽 On

Uses a Model block to reference the model to run in the harness model.

🔲 Off

Uses a copy of the model in the harness model.

## Tips

• If the Test Unit in the harness model is a subsystem, the values of the Simulink simulation optimization parameters on the Configuration Parameters dialog box can affect the coverage results.

**Note** The simulation optimization parameters are on the following Configuration Parameters dialog box panes:

- Optimization pane
- Optimization > Signals and Parameters pane
- Optimization > Stateflow pane

• On the **Design Verifier > Parameters** pane, if you select the **Apply parameters** parameter, Simulink Design Verifier uses a subsystem that contains a copy of the original model in the harness model, even if you select **Reference input model in generated harness**.

Command-Line Information Parameter: DVModelReferenceHarness Type: character array Value: 'on' | 'off' Default: 'off'

## See Also

- "Manage Simulink Design Verifier Harness Models" on page 13-13
- "Review Analysis Results"

# Harness source

Specify the type of Inputs block for the harness model.

## Settings

Default: Signal Editor

Signal Editor

Generates a separate harness model with the Signal Editor block as the Inputs block.

Signal Builder

Generates a separate harness model with the Signal Builder block as the Inputs block.

## Dependency

This parameter is enabled by Generate separate harness model after analysis.

Command-Line Information Parameter: DVHarnessSource Type: character array Value: 'Signal Editor' | 'Signal Builder' Default: 'Signal Editor'

## See Also

• "Manage Simulink Design Verifier Harness Models" on page 13-13

# Test File Name

Name and path for test file name in Simulink Test

## Settings

Default: \$ModelName\$\_test

- Enter a file name for the test file containing Simulink Design Verifier results.
- **\$ModelName\$** is a token that represents the model name.
- You can enter an absolute path, or a path relative to that specified by **Output folder** in the Design Verifier pane.

## Dependency

This parameter is visible and enabled if you have a Simulink Test license.

## **Command-Line Information**

Parameter: DVSlTestFileName
Type: character array
Value: any valid path and file name
Default: '\$ModelName\$ test'

#### See Also

• "Increase Coverage by Generating Test Inputs" (Simulink Test)

# **Test Harness Name**

Name of the test harness in Simulink Test

#### Settings

## Default: \$ModelName\$\_sldvharness

- Enter a valid name for the test harness built to simulate Simulink Design Verifier test cases. The test harness corresponds to the test file specified by the parameter **Test File name**.
- The **\$ModelName\$** token represents the model name.
- Enter a valid MATLAB identifier for the test harness name.

#### Dependency

This parameter is visible and enabled with a Simulink Test license.

Command-Line Information Parameter: DVSlTestHarnessName Type: character array Value: any valid file name Default: '\$ModelName\$ sldvharness'

## See Also

• "Increase Coverage by Generating Test Inputs" (Simulink Test)

# **Design Verifier Pane: Report**

| Report                                   |  |  |  |  |  |  |  |
|------------------------------------------|--|--|--|--|--|--|--|
| Generate report of the results           |  |  |  |  |  |  |  |
| Generate additional report in PDF format |  |  |  |  |  |  |  |
| Report file name: <empty></empty>        |  |  |  |  |  |  |  |
| Include screen shots of properties       |  |  |  |  |  |  |  |
| ✓ Display report                         |  |  |  |  |  |  |  |
|                                          |  |  |  |  |  |  |  |

# "Display report" on page 15-66 Report Pane Overview

"Report file name" on page 15-64

"Report Pane Overview" on page 15-63

"Generate report of the results" on page 15-63

"Include screen shots of properties" on page 15-65

"Generate additional report in PDF format" on page 15-64

In this section...

Specify options that control how Simulink Design Verifier reports its results.

# See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# Generate report of the results

Generate and save a Simulink Design Verifier report.

# Settings

# Default: Off

🔽 On

Saves the  $\ensuremath{\mathsf{HTML}}$  report that Simulink Design Verifier generates.

🔲 Off

Does not generate a Simulink Design Verifier report.

# Dependencies

This parameter enables the following parameters:

- Generate additional report in PDF format
- Report file name
- Include screen shots of properties
- Display report

#### Command-Line Information Parameter: DVSaveReport Type: character array Value: 'on' | 'off' Default: 'off'

# See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# Generate additional report in PDF format

Save an additional PDF version of the Simulink Design Verifier report.

# Settings

## Default: Off

🔽 On

Saves an additional PDF version of the Simulink Design Verifier report.

🔲 Off

Does not save an additional PDF version of the Simulink Design Verifier report.

# Dependency

This parameter is enabled by Generate report of the results.

#### Command-Line Information Parameter: DVReportPDFFormat Type: character array Value: 'on' | 'off' Default: 'off'

# See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# **Report file name**

Specify a folder and file name for the report that Simulink Design Verifier analysis generates.

# Settings

# Default: \$ModelName\$\_report

- Optionally, enter a path that is either absolute or relative to the path name specified in **Output** folder.
- Enter a file name for the report that the analysis generates.
- **\$ModelName\$** is a token that represents the model name.

# Dependency

This parameter is enabled by **Generate report of the results**.

Command-Line Information Parameter: DVReportFileName Type: character array Value: any valid path and file name Default: '\$ModelName\$\_report'

# See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# Include screen shots of properties

Includes screen shots of properties in the Simulink Design Verifier report. Only valid in propertyproving mode.

## Settings

# Default: Off

🔽 On

Includes screen shots of properties in the Simulink Design Verifier report. Only valid in property-proving mode.

🔲 Off

Does not include screen shots of properties in the Simulink Design Verifier report.

# Dependency

This parameter is enabled by **Generate report of the results** in the Reports pane and **Generate separate harness model after analysis** in the Results pane.

# **Command-Line Information**

Parameter: DVReportIncludeGraphics
Type: character array
Value: 'on' | 'off'

# Default: 'off'

## See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# **Display report**

Display the report that the Simulink Design Verifier analysis generates after completing its analysis.

# Settings

# Default: On

🔽 On

Displays the report that the analysis generates after completing its analysis.

🔲 Off

Does not display the report that the analysis generates after completing its analysis.

# Dependency

This parameter is enabled by **Generate report of the results**.

# **Command-Line Information**

```
Parameter: DVDisplayReport
Type: character array
Value: 'on' | 'off'
Default: 'on'
```

## See Also

- "Review Results" on page 13-35
- "Review Analysis Results"

# **Verification and Validation**

- "Test Model Against Requirements and Report Results" on page 16-2
- "Analyze Models for Standards Compliance and Design Errors" on page 16-7
- "Perform Functional Testing and Analyze Test Coverage" on page 16-9
- "Analyze Code and Test Software-in-the-Loop" on page 16-12
- "Create Back-to-Back Tests Using Enhanced MCDC" on page 16-20

# **Test Model Against Requirements and Report Results**

# **Requirements - Test Traceability Overview**

Traceability between requirements and test cases helps you interpret test results and see the extent to which your requirements are verified. You can link a requirement to elements that help verify it, such as test cases in the Test Manager, verify statements in a Test Sequence block, or Model Verification blocks in a model. When you run tests, a pass/fail summary appears in your requirements set.

This example demonstrates a common requirements-based testing workflow for a cruise control model. You start with a requirements set, a model, and a test case. You add traceability between the tests and the safety requirements. You run the test, summarize the verification status, and report the results.



In this example, you conduct a simple test of two requirements in the set:

- That the cruise control system transitions to disengaged from engaged when a braking event has occurred
- That the cruise control system transitions to disengaged from engaged when the current vehicle speed is outside the range of 20 mph to 90 mph.

# **Display the Requirements**

**1** Open the example project.

```
openExample("shared_vnv/CruiseControlVerificationProjectExample");
pr = openProject("SimulinkVerificationCruise");
```

- 2 In the models folder, open the simulinkCruiseAddReqExample model.
- **3** Display the requirements. Click the **•••** icon in the lower-right corner of the model canvas, and select **Requirements**. The requirements appear below the model canvas.
- 4 Display the verification and implementation status. Right-click a requirement and select **Verification Status** and **Implementation Status**.



5 In the Project window, open the Simulink Test file slReqTests.mldatx from the tests folder. The test file opens in the Test Manager.

# **Link Requirements to Tests**

Link the requirements to the test case.

In the Project window, open the Simulink Test file slReqTests.mldatx from the tests folder. The test file opens in the Test Manager. Explore the test suite and select Safety Tests.

Return to the model. Right-click on requirement S  $\ 3.1$  and select Link from Selected Test Case.

A link to the Safety Tests test case is added to Verified by. The yellow bars in the Verified column indicate that the requirements are not verified.

| Requi | rements - simul | inkCruiseAddReqExamp |                      |              |             |           |                   |
|-------|-----------------|----------------------|----------------------|--------------|-------------|-----------|-------------------|
| View: | Requirements    | - 🛐 🗖 F              |                      | <u>k</u> 🗄 🛱 | ୍ ୧         | Se        | ▼ Links           |
|       | Index           | ID                   | Summary              | Verified     | Impleme     | ented ^   | □ 🗢 Verified by:  |
| ~     | ≣ 3             | Safety Requirements  | Safety Requirements  |              | )           |           | Safety Tests ??   |
|       | 3.1             | S 3.1                | Vehicle braking dise |              |             |           |                   |
|       | ≣ 3.2           | S 3.2                | System engagemen     |              | $) \square$ |           | <                 |
|       | ≣ 3.3           | S 3.3                | Target speed limita  |              | $) \square$ |           |                   |
|       | ≣ 3.4           | S 3.4                | Speed outside limit  |              | )           | <b></b> • |                   |
| Ready | 1               |                      |                      | 15           | 0%          |           | FixedStepDiscrete |

2 Also add a link for item S 3.4.

# **Run the Test**

The test case uses a test harness SafetyTest\_Harness1. In the test harness, a test sequence sets the input conditions and checks the model behavior:

• The BrakeTest sequence engages the cruise control, then applies the brake. It includes the verify statement

```
verify(engaged == false,...
'verify:brake',...
'system must disengage when brake applied')
```

• The LimitTest sequence engages the cruise control, then ramps up the vehicle speed until it exceeds the upper limit. It includes the verify statement.

```
verify(engaged == false,...
    'verify:limit',...
    'system must disengage when limit exceeded')
```

- **1** Return to the Test Manager. To run the test case, click **Run**.
- 2 When the test finishes, review the results. The Test Manager shows that both assessments pass and the plot provides the detailed results of each verify statement.

| Test Browser                        | Results and Ar      | tifacts      | 🖹 Safety Tests 🗙 🛃 Visualize 🗙 |    |
|-------------------------------------|---------------------|--------------|--------------------------------|----|
| Filter results by name or ta        | igs, e.g. tags: te  | est 🔳        | verify:limit                   |    |
| 7                                   |                     |              |                                |    |
| NAME                                |                     | STATUS       |                                |    |
| ✓ Results: 2019-Jun-21 11:29:55 1 ⊘ |                     | 10           | Fail                           |    |
|                                     |                     | 0            | Fall-                          |    |
| 👻 📓 Verify Stateme                  | ents                | 0            |                                |    |
| verify:brake                        | e                   | 0            |                                |    |
| ✓ verify:limit                      | ✓ verify:limit ⊘    |              | Pass                           |    |
|                                     |                     |              |                                |    |
| PROPERTY                            | VALUE               |              |                                |    |
| Name                                | Name 🖸 verify:limit |              |                                |    |
| Block Path                          | SafetyTest_H        | arness1/Test |                                |    |
| Interp Method zoh                   |                     |              | Untested                       |    |
| Sync Method union                   |                     |              |                                |    |
| Units                               |                     |              |                                |    |
| Sample Time                         |                     |              |                                |    |
| Data Type                           | slTestResult        |              | -2 0 2 4 6 8 10 12 14 16 18 2  | 20 |

# **3** Return to the model and refresh the Requirements. The green bar in the **Verified** column indicates that the requirement has been successfully verified.

| Requi | rements - simulinkC | ruiseAddReqExample  |                           |          |             | ₹× |                       |                   |
|-------|---------------------|---------------------|---------------------------|----------|-------------|----|-----------------------|-------------------|
| View: | Requirements -      |                     | E Z 🔏 🗄 🗄                 | 1        | Search      |    | Keywords:             |                   |
|       | Index               | ID                  | Summary                   | Verified | Implemented | ^  | Revision information: |                   |
| ~     | ≣ 3                 | Safety Requirements | Safety Requirements       |          |             | )  | ▼ Links               |                   |
|       | 3.1                 | S 3.1               | Vehicle braking disenga   |          |             |    | LIIKS                 |                   |
|       | ≣ 3.2               | S 3.2               | System engagement spe     |          |             |    | Verified by:          |                   |
|       | ≣ 3.3               | S 3.3               | Target speed limitations  |          |             |    | Safety Tests          |                   |
|       | ≣ 3.4               | S 3.4               | Speed outside limits dise |          |             |    |                       |                   |
|       |                     |                     |                           |          |             | 4  |                       | *                 |
| Ready |                     |                     |                           | 1259     | 6           |    |                       | FixedStepDiscrete |

# **Report the Results**

- **1** Create a report using a custom Microsoft Word template.
  - **a** From the Test Manager results, right-click the test case name. Select **Create Report**.
  - **b** In the Create Test Result Report dialog box, set the options:
    - Title SafetyTest
    - Results for All Tests
    - File Format DOCX
    - For the other options, keep the default selections.
  - ${\boldsymbol{\mathsf{c}}}\qquad \text{Enter a file name and select a location for the report.}$
  - d For the **Template File**, select the **ReportTemplate.dotx** file in the **documents** project folder.
  - e Click Create.

- **2** Review the report.
  - a The Test Case Requirements section specifies the associated requirements
  - **b** The **Verify Result** section contains details of the two assessments in the test, and links to the simulation output.

# **Related Examples**

- "Link to Requirements" (Simulink Test)
- "Validate Requirements Links in a Model" (Requirements Toolbox)
- "Customize Requirements Traceability Report for Model" (Requirements Toolbox)

# **External Websites**

Requirements-Based Testing Workflow

# **Analyze Models for Standards Compliance and Design Errors**

# **Standards and Analysis Overview**

During model development, check and analyze your model to increase confidence in its quality. Check your model against standards such as MAB style guidelines and high-integrity system design guidelines such as DO-178 and ISO 26262. Analyze your model for errors, dead logic, and conditions that violate required properties. Using the analysis results, update your model and document exceptions. Report the results using customizable templates.



# **Check Model for Style Guideline Violations and Design Errors**

This example shows how to use the Model Advisor to check a cruise control model for MathWorks<sup>®</sup> Advisory Board (MAB) style guideline violations and design errors. Select checks and run the analysis on the model. Iteratively debug issues using the Model Advisor and rerun checks to verify that it is in compliance. After passing your selected checks, report results.

# **Check Model for MAB Style Guideline Violations**

Check that your model complies with MAB guidelines by using the Model Advisor.

1 Open the example project. On the command line, enter

```
openExample("shared_vnv/CruiseControlVerificationProjectExample");
pr = openProject("SimulinkVerificationCruise");
```

2 Open the simulinkCruiseErrorAndStandardsExample model.

open\_system simulinkCruiseErrorAndStandardsExample

- 3 In the **Modeling** tab, select **Model Advisor**.
- 4 Click OK to select simulinkCruiseErrorAndStandardsExample from the System Hierarchy.
- 5 Check your model for MAB style guideline violations using Simulink Check.
  - a In the left pane, in the **By Product** > **Simulink Check** > **Modeling Standards** > **MAB Checks** folder, select:

- Check Indexing Mode
- Check model diagnostic parameters
- **b** Right-click on the **MAB Checks** node and select **Run Checks**.
- **c** To review the configuration parameter settings that violate MAB style guidelines, run the **Check model diagnostic parameters** check.
- **d** The analysis results appear in the right pane on the **Report** tab. Report displays the violation details and the recommended action.
- **e** Click the parameter hyperlinks, which opens the Configuration Parameters dialog box, and update the model diagnostic parameters. Save the model.
- **f** To verify that your model passes, rerun the check. Repeat steps from **c** to **e**, if necessary, to reach compliance.
- **g** To generate a results report of the Simulink Check checks, select the **MAB Checks** node, and then, from the toolstrip, click **Report**.

# **Check Model for Design Errors**

While in the Model Advisor, you can also check your model for hidden design errors using Simulink Design Verifier.

- 1 In the left pane, in the **By Products > Simulink Design Verifier** folder, select **Design Error Detection**.
- 2 If not already checked, click the box beside **Design Error Detection**. All checks in the folder are selected.
- **3** From the tool strip, click **Run Checks**.
- 4 After the Model Advisor analysis, from the tool strip, click **Report**. This generates a HTML report of the check analysis.
- 5 In the generated report, click a **Simulink Design Verifier Results Summary** hyperlink. The dialog box provides tools to help you diagnose errors and warnings in your model.
  - a Review the analysis results on the model. Click the Compute target speed subsystem. The Simulink Design Verifier Results Inspector window provides derived ranges that can help you understand the source of an error by identifying the possible signal values.
  - **b** Review the harness model or create one if it does not already exist.
  - **c** View tests and export test cases.
  - d Review the analysis report. To see a detailed analysis report, click HTML or PDF.

# See Also

# **Related Examples**

- "Check Model Compliance by Using the Model Advisor"
- "Collect Model Metrics Using the Model Advisor"
- "Analyze Models for Design Errors" on page 6-4
- "Prove Properties in a Model" on page 12-5

# **Perform Functional Testing and Analyze Test Coverage**

Functional testing begins with building test cases based on requirements. These tests can cover key aspects of your design and verify that individual model components meet requirements. Test cases include inputs, expected outputs, and acceptance criteria.

By collecting individual test cases within test suites, you can run functional tests systematically. To check for regression, add baseline criteria to the test cases and test the model iteratively. Coverage measurement reflects the extent to which these tests have fully exercised the model. Coverage measurement also helps you to add tests and requirements to meet coverage targets.



## Incrementally Increase Test Coverage Using Test Case Generation

This example shows how to perform requirements-based tests for a cruise control model. The tests link to a requirements document. You:

- **1** Run the tests.
- 2 Determine test coverage by using Simulink Coverage.
- 3 Increase coverage with additional tests generated by Simulink Design Verifier.
- 4 Report the results.

#### **Open the Test Harness and Model**

**1** Open the project:

```
openExample("shared_vnv/CruiseControlVerificationProjectExample");
pr = openProject("SimulinkVerificationCruise");
```

2 Open the model and the test harness. At the command line, enter:

```
open_system simulinkCruiseAddReqExample
sltest.harness.open("simulinkCruiseAddReqExample","SafetyTest_Harness1")
```

**3** Load the test suite from "Test Model Against Requirements and Report Results" (Simulink Test) and open the Simulink Test Manager.

```
pf = fullfile(pr.RootFolder, "tests", "slReqTests.mldatx");
```

```
tf = sltest.testmanager.TestFile(pf);
```

sltest.testmanager.view

- 4 Open the Test Sequence block. The sequence verifies system disengagement when either:
  - The brake pedal is pressed.
  - Speed exceeds a limit.

#### Measure Model Coverage

- 1 In the Simulink Test Manager, select the slReqTests test file.
- 2 To enable coverage collection, in the right page under **Coverage Settings**:
  - Select Record coverage for referenced models.
  - Specify a coverage filter by using **Coverage filter filename**.
  - Select **Decision**, **Condition**, and **MCDC**.
- **3** Click **Run** on the Test Manager toolstrip.
- 4 After the test completes, select **Results**. The test achieves 50% decision coverage, 41% condition coverage, and 25% MCDC coverage.

▼AGGREGATED COVERAGE RESULTS

|                               |        |    |          |           |      | -               |
|-------------------------------|--------|----|----------|-----------|------|-----------------|
|                               |        |    |          |           |      |                 |
|                               |        |    |          |           |      |                 |
|                               |        |    |          |           |      |                 |
| 指 simulinkCruiseAddReqExample |        | 31 | 50%      | 41%       | 25%  | · · · · · · · · |
| ANALYZED MODEL                | REPORT | со | DECISION | CONDITION | MCDC |                 |

#### Generate Tests to Increase Model Coverage

- 1 Use Simulink Design Verifier to generate additional tests to increase model coverage. In **Results** and Artifacts, select the slReqTests test file and open the Aggregated Coverage Results section located in the right pane.
- 2 Right-click the test results and select Add Tests for Missing Coverage.
- 3 Under Harness, choose Create a new harness.
- **4** Click **OK** to add tests to the test suite using Simulink Design Verifier. The model being tested must either be on the MATLAB path or in the working folder.
- **5** On the Test Manager toolstrip, click **Run** to execute the updated test suite. The test results include coverage for the combined test case inputs, achieving increased model coverage.

Alternatively, you can create and use tests to increase coverage programmatically by using sltest.testmanager.addTestsForMissingCoverage and sltest.testmanager.TestOptions.

## See Also

## **Related Examples**

- "Link to Requirements" (Simulink Test)
- "Assess Model Simulation Using verify Statements" (Simulink Test)
- "Compare Model Output to Baseline Data" (Simulink Test)
- "Generate Test Cases for Model Decision Coverage" on page 7-6
- "Increase Test Coverage for a Model" (Simulink Test)

# Analyze Code and Test Software-in-the-Loop

### Code Analysis and Testing Software-in-the-Loop Overview

You can analyze code to detect errors, check standards compliance, and evaluate key metrics such as length and cyclomatic complexity. For handwritten code, you typically check for run-time errors with static code analysis and run test cases that evaluate the code against requirements and evaluate code coverage. Based on the results, you refine the code and add tests.

In this example, you generate code and demonstrate that the code execution produces equivalent results to the model by using the same test cases and baseline results. Then you compare the code coverage to the model coverage. Based on test results, add tests and modify the model to regenerate code.



## Analyze Code for Defects, Metrics, and MISRA C:2012

This workflow describes how to check if your model produces MISRA<sup>™</sup> C:2012 compliant code and how to check your generated code for code metrics and defects. To produce more MISRA compliant code from your model, you use the code generation and Model Advisor. To check whether the code is MISRA compliant, you use the Polyspace MISRA C:2012 checker and report generation capabilities. For this example, you use the model simulinkCruiseErrorAndStandardsExample. To open the model:

**1** Open the project.

```
openExample("shared_vnv/CruiseControlVerificationProjectExample");
pr = openProject("SimulinkVerificationCruise");
```

2 From the project, open the model simulinkCruiseErrorAndStandardsExample.



#### **Run Code Generator Checks**

Check your model by using the Code Generation Advisor. Configure code generation parameters to generate code more compliant with MISRA C and more compatible with Polyspace.

- **1** Right-click Compute target speed and select **C/C++ Code > Code Generation Advisor**.
- 2 Select the Code Generation Advisor folder. In the right pane, move Polyspace to **Selected objectives prioritized**. The MISRA C:2012 guidelines objective is already selected.

| Available objectives                                                                                       | Selected objectives -           | prioritized |
|------------------------------------------------------------------------------------------------------------|---------------------------------|-------------|
| Execution efficiency<br>ROM efficiency<br>RAM efficiency<br>Traceability<br>Safety precaution<br>Debugging | MISRA C:2012 guide<br>Polyspace |             |
|                                                                                                            |                                 |             |

Code Generation Objectives (System target file: ert.tlc)

#### **3** Click **Run Selected Checks**.

The Code Generation Advisor checks whether the model includes blocks or configuration settings that are not recommended for MISRA C:2012 compliance and Polyspace code analysis. For this

model, the check for incompatible blocks passes, but some configuration settings are incompatible with MISRA compliance and Polyspace checking.

Code Generation Advisor
 Check model configuration settings against code generation objectives
 Check for blocks not recommended for MISRA C:2012

- 4 Click the check that did not pass. Accept the parameter changes by selecting **Modify Parameters**.
- 5 Rerun the check by selecting **Run This Check**.

#### **Run Model Advisor Checks**

Before you generate code from your model, use the Model Advisor to check your model for MISRA C and Polyspace compliance. This example shows you how to use the Model Advisor to check your model before generating code.

- 1 At the bottom of the Code Generation Advisor window, select **Model Advisor**.
- 2 Under the By Task folder, select the Modeling Standards for MISRA C:2012 advisor checks.
- 3 Click **Run Checks** and review the results.
- 4 If any of the tasks fail, make the suggested modifications and rerun the checks until the MISRA modeling guidelines pass.

#### **Generate and Analyze Code**

After you have done the model compliance checking, you can generate the code. With Polyspace, you can check your code for compliance with MISRA C:2012 and generate reports to demonstrate compliance with MISRA C:2012.

- In the Simulink editor, right-click Compute target speed and select C/C++ Code > Build This Subsystem.
- 2 Use the default settings for the tunable parameters and select **Build**.
- **3** After the code is generated, in the Simulink Editor, right-click Compute target speed and select **Polyspace > Options**.
- 4 Click **Configure** to choose more advanced Polyspace analysis options in the Polyspace configuration window.

| ✓ Polyspace File Edit Tools Window Help                              |                                 |                           |      | — | ×   |  |  |  |  |  |
|----------------------------------------------------------------------|---------------------------------|---------------------------|------|---|-----|--|--|--|--|--|
| Configuration                                                        |                                 |                           |      |   | ₽₽× |  |  |  |  |  |
| simulinkCruisExample_config ×                                        |                                 |                           |      | ٥ | Þ∎  |  |  |  |  |  |
| Target & Compiler<br>Macros<br>Environment Settings                  | Coding Standards & Code Metrics |                           |      |   |     |  |  |  |  |  |
| Inputs & Stubbing<br>Multitasking                                    | Set checkers by file            |                           |      |   |     |  |  |  |  |  |
| Coding Standards & Code Metrics                                      | Coding Standards                |                           |      |   |     |  |  |  |  |  |
| Bug Finder Analysis                                                  | Check MISRA C:2004              | required-rules $\sim$     | View |   |     |  |  |  |  |  |
| <ul> <li>Verification Assumptions</li> <li>Check Behavior</li> </ul> | Check MISRA AC AGC              | OBL-rules $\sim$          | View |   |     |  |  |  |  |  |
| Precision                                                            | Check MISRA C:2012              | mandatory-required $\sim$ | View |   |     |  |  |  |  |  |
| Scaling                                                              | Use generated code requiremen   | ts                        |      |   |     |  |  |  |  |  |
| Reporting                                                            | Effective boolean types Type    |                           |      |   |     |  |  |  |  |  |
| Run Settings<br>Advanced Settings                                    | boolean_T                       |                           |      |   |     |  |  |  |  |  |
|                                                                      |                                 |                           |      |   |     |  |  |  |  |  |
|                                                                      | Check SEI CERT-C all            | <ul> <li>View</li> </ul>  |      |   |     |  |  |  |  |  |
|                                                                      | Check ISO/IEC TS 17961 all      | <ul> <li>View</li> </ul>  |      |   |     |  |  |  |  |  |
|                                                                      | Check custom rules              |                           |      |   |     |  |  |  |  |  |
|                                                                      | Code Metrics                    |                           |      |   |     |  |  |  |  |  |
|                                                                      | Calculate Code Metrics          |                           |      |   |     |  |  |  |  |  |

- 5 On the left pane, click **Coding Standards & Code Metrics**, then select **Calculate Code Metrics** to enable code metric calculations for your generated code.
- 6 Save and close the Polyspace configuration window.
- 7 From your model, right-click Compute target speed and select Polyspace > Verify > Code Generated For Selected Subsystem.

Polyspace Bug Finder analyzes the generated code for a subset of MISRA checks. You can see the progress of the analysis in the MATLAB Command Window. After the analysis finishes, the Polyspace environment opens.

#### **Review Results**

The Polyspace environment shows you the results of the static code analysis.

**1** Expand the tree for rule 8.7 and click through the different results.

Rule 8.7 states that functions and objects should not be global if the function or object is local. As you click through the 8.7 violations, you can see that these results refer to variables that other components also use, such as CruiseOnOff. You can annotate your code or your model to justify every result. Because this model is a unit in a larger program, you can also change the configuration of the analysis to check only a subset of MISRA rules.

| V Polyspace     | Bug Finder - Compute \\home-00-a    | ah\mhaines\Documents\M                 | ATLAB\projects\slexan        | nples\cruise3\results    | _Compute\Compute   |           |                                                                         | - [            | ×          |
|-----------------|-------------------------------------|----------------------------------------|------------------------------|--------------------------|--------------------|-----------|-------------------------------------------------------------------------|----------------|------------|
| File Reporti    | ng Metrics Tools Window             | Help                                   |                              |                          |                    |           |                                                                         |                |            |
| 🔒 🕙 🔚 🕨         | 🖻 Run 🔳 Stop 🔍                      |                                        |                              |                          |                    |           |                                                                         |                | -          |
| 🔳 Results List  |                                     |                                        |                              |                          | a 4:               | < 🛛 💟 Sou | urce                                                                    |                | 0 4 × <    |
| All results     | 🗸 🌾 New 🗐 🗸 💠 😂                     | Showing 118/118 🔻                      |                              |                          |                    | Comp      | pute.c ×                                                                |                | ≥ ≣ v      |
| Family          | Tinformation                        | ਕੇ File                                | Class                        | Function                 | Severity           | 22        | #aerine Compute_IN_Accel                                                | ((uint8_1)10)  | Start Page |
| E-MISRA C:201   | 12 49                               |                                        | _                            | -                        |                    | 23        | · · ·                                                                   | ((uint8_T)1U)  | age        |
| 1 -2 Unused     | code 32                             |                                        |                              |                          |                    | 24        | 1 1 1 1 H H H                                                           | ((uint8_T)2U)  |            |
| 🕀 4 Code d      | esign 3                             |                                        |                              |                          |                    | 25        |                                                                         | ((uint8_T)0U)  |            |
|                 | tions and definitions 14            |                                        |                              |                          |                    | 26        |                                                                         | ((uint8_T)2U)  |            |
|                 | nctions and objects should not be   |                                        |                              |                          | anslation unit. 14 | 27        | #define Compute_IN_ON                                                   | ((uint8_T)1U)  |            |
| ~ ~             | cacegory r narbory                  | Compute.c                              | Global Scope                 | File Scope               |                    |           |                                                                         | ((uint8_T)2U)  |            |
| ~ ~             |                                     | Compute.c                              | Global Scope                 | File Scope               |                    | 29        |                                                                         | ((uint8_T)3U)  |            |
| ~               | cacegory r narioory                 | Compute.c<br>Compute.c                 | Global Scope<br>Global Scope | File Scope<br>File Scope |                    | 30        |                                                                         |                |            |
| ~               | cacagorifi inarisorif               | Compute.c                              | Global Scope                 | File Scope               |                    | 31        | 7                                                                       |                |            |
| ~               |                                     | Compute.c                              | Global Scope                 | File Scope               |                    | 32        | DW_Compute_T Compute_DW;                                                |                |            |
| ~               |                                     | Compute.c                              | Global Scope                 | File Scope               |                    | 33        |                                                                         |                |            |
| ~ ~             | * Category: Advisory                | Compute.c                              | Global Scope                 | File Scope               |                    |           | 7                                                                       |                |            |
| <               |                                     |                                        |                              |                          | >                  | 35        | RT_MODEL_Compute_T Compute M_;<br>RT MODEL Compute T *const Compute M * |                |            |
| Project Bro     | owser 🔲 Results List                |                                        |                              |                          |                    | 37        |                                                                         | - acompute_n_; |            |
| Result Deta     | ile .                               |                                        |                              |                          | a 4.               |           |                                                                         |                |            |
| Variable tra    |                                     |                                        |                              |                          | Compute            |           |                                                                         |                |            |
|                 |                                     |                                        |                              |                          | Compute            | 40        |                                                                         | ss: Global */  |            |
| Result Review   | w                                   |                                        |                              |                          |                    | 41        | boolean T AccelResSw;                                                   | ,,             |            |
| Severity        |                                     | <ul> <li>Enter comment here</li> </ul> | ·                            |                          |                    | 42        |                                                                         |                |            |
| Status          |                                     | ~                                      |                              |                          |                    | 43        | - v · ·                                                                 |                |            |
| Status          |                                     |                                        |                              |                          |                    | 44        | boolean T CruiseOnOff;                                                  |                |            |
|                 | 012 8.7 (Advisory) 💿                |                                        |                              |                          |                    | 45        |                                                                         |                |            |
|                 | objects should not be defined with  | h external linkage if they a           | are referenced in only       | one translation unit     | t.                 | 46        | boolean T engaged;                                                      |                |            |
|                 | ute_M' should have internal linkage |                                        |                              |                          |                    | 47        | uint8 T tspeed;                                                         |                |            |
|                 |                                     |                                        |                              |                          |                    | 48        |                                                                         |                |            |
|                 |                                     |                                        |                              |                          |                    | 49        | /* Definition for custom storage clas                                   | ss: Global */  |            |
|                 |                                     |                                        |                              |                          |                    | 50        |                                                                         |                |            |
|                 |                                     |                                        |                              |                          |                    | 51        |                                                                         |                |            |
|                 |                                     |                                        |                              |                          |                    | 52        |                                                                         |                |            |
|                 |                                     |                                        |                              |                          |                    |           |                                                                         |                | ~          |
|                 |                                     |                                        |                              |                          |                    |           | <                                                                       |                | >          |
| 🛛 🔏 Configurati | ion 📝 Result Details                |                                        |                              |                          |                    | M Da      | ashboard 🛛 🗹 Source 📄 Output Summary                                    |                |            |

- 2 In your model, right-click Compute target speed and select **Polyspace** > **Options**.
- **3** Set the **Settings from** option to **Project configuration** to choose a subset of MISRA rules in the Polyspace configuration.
- 4 Click **Configure**.
- 5 In the Polyspace window, on the left pane, click Coding Standards & Code Metrics. Then select Check MISRA C:2012 and, from the drop-down list, select single-unit-rules. Now Polyspace checks only the MISRA C:2012 rules that are applicable to a single unit.
- **6** Save and close the Polyspace configuration window.
- 7 Rerun the analysis with the new configuration.

The rules Polyspace showed previously were found because the model was analyzed by itself. When you limited the rules Polyspace checked to the single-unit subset, Polyspace found only two violations.



When you integrate this model with its parent model, you can add the rest of the MISRA C:2012 rules.

#### **Generate Report**

To demonstrate compliance with MISRA C:2012 and report on your generated code metrics, you must export your results. If you want to generate a report every time you run an analysis, see Generate report (Polyspace Bug Finder).

- **1** If they are not open already, open your results in the Polyspace environment.
- 2 From the toolbar, select **Reporting > Run Report**.
- **3** Select **BugFinderSummary** as your report type.
- 4 Click Run Report.

The report is saved in the same folder as your results.

**5** To open the report, select **Reporting > Open Report**.

### Test Code Against Model Using Software-in-the-Loop Testing

You previously showed that the model functionality meets its requirements by running test cases based on those requirements. Now run the same test cases on the generated code to show that the code produces equivalent results and fulfills the requirements. Then compare the code coverage to the model coverage to see the extent to which the tests exercised the generated code.

1 In MATLAB, in the project window, open the tests folder, then open SILTests.mldatx. The file opens in the Test Manager.

- 2 Review the test case. On the Test Browser pane, navigate to SIL Equivalence Test Case. This equivalence test case runs two simulations for the simulinkCruiseErrorAndStandardsExample model using a test harness.
  - Simulation 1 is a model simulation in normal mode.
  - Simulation 2 is a software-in-the-loop (SIL) simulation. For the SIL simulation, the test case runs the code generated from the model instead of running the model.

The equivalence test logs one output signal and compares the results from the simulations. The test case also collects coverage measurements for both simulations.

- 3 Run the equivalence test. Select the test case and click **Run**.
- 4 Review the results in the Test Manager. In the **Results and Artifacts** pane, select **SIL Equivalence Test Case** to see the test results. The test case passed and the results show that the code produced the same results as the model for this test case.

| TESTS            |                            |                          |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
|------------------|----------------------------|--------------------------|-----------------|--------------|------------|----------|-----------|-----------------------|------------|---------------|-----------|-----------|----------------|------|-----------------|--------------|-------------|-----|
| New Open S       | ave                        | Test Spec Ru<br>Report T | n Run v<br>Step | vith Stop    | Parallel   | Report   | Visualize | Highlight<br>in Model |            |               | Pref      | erences   | ?<br>Help<br>▼ |      |                 |              |             |     |
| FILE             | EDIT                       |                          |                 | RUN          |            |          |           | RESUL                 | .TS        |               | ENVIR     | ONMENT RE | SOURCES        |      |                 |              |             |     |
| Test E           | Browser Results and Art    | ifacts                   | x S             | IL Equival   | lence Tes  | t Case   | × 👔       | Start Page            | × 🖹 SI     | L Equivalence | e Test Ca | ase ×     |                |      |                 |              |             |     |
| Filter results b | oy name or tags, e.g. tags | s 🗐 🍸                    | ▶ SUI           | IMARY        |            |          |           |                       |            |               |           |           |                |      |                 |              |             | ?   |
|                  | 2021-Feb-04 10:35:44       | 10                       | ► LOO           | )S           |            |          |           |                       |            |               |           |           |                |      |                 |              |             | ?   |
| 👻 📄 SIL B        | Equivalence Test Case      | 0                        | ▼ DES           | CRIPTIC      | N          |          |           |                       |            |               |           |           |                |      |                 |              |             | ?   |
| • 📓 E(           | quivalence Criteria Resul  | lt 🥑                     |                 | Double-clie  | ck to edit |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
| ► 🖬 Ve           | erify Statements 1         | 0                        |                 | /ERAGE       |            | 0        |           |                       |            |               |           |           |                |      |                 |              |             | ?   |
| ▶ 📓 Ve           | erify Statements 2         | 0                        | + 00            | ERAGE        | RESULI     | 3        |           |                       |            |               |           |           |                |      |                 |              |             | r   |
| ▶ 🔁 Ci           | urrent: Sim Output 1 (sim  | nulink                   |                 | ANALYZED     | MODEL      |          |           |                       | REPOR      | T SIM MODE    | COM.      | DECISION  | CONDITION      | MCDC | EXECUTION       | FUNCTION     | FUNCTION    | -   |
| ▶ 🕅 Ci           | urrent: Sim Output 2 (sim  | nulink                   |                 |              | 5u32.c     |          |           |                       | REPOR      | SIL           | 2         | 0% -      |                |      |                 | 0%           |             |     |
|                  |                            |                          |                 |              |            | eFrrorAr | dStanda   | irdsExampl            |            | ModelRe.      |           |           | _ 44%          |      |                 |              |             |     |
|                  |                            |                          |                 |              |            |          |           | rdsExampl             |            | Normal        | 31        |           | 44%            |      |                 | 10070        | 5578        | -   |
|                  |                            |                          |                 | <u>siniu</u> | IIIIKCIUI  | EIIUAI   | lustanua  | irusexampi            | <u>e</u> • | Normai        | 51        | 30%       | 4170           | 20%  |                 |              |             |     |
| 4                |                            | F                        |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             | *   |
| PROPERTY         | VALUE                      |                          |                 |              |            |          |           |                       |            |               |           |           |                | +    | Add Tests for I | Vissing Cove | rage 🛛 🐺 Ex | ort |
| Name             | SIL Equiva                 | lence Te 🔺               |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
| Status           | 10                         |                          |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
| Start Time       | 02/04/2021 10              | :36:10                   |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
| End Time         | 02/04/2021 10              |                          |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |
| Туре             | Equivalence Te             | est 👻                    |                 |              |            |          |           |                       |            |               |           |           |                |      |                 |              |             |     |

5 Expand the Coverage Results section of the results. The coverage measurements show the extent to which the test case exercised the model and the code. When you run multiple test cases, you can view aggregated coverage measurements in the results for the whole run. Use the coverage results to add tests and meet coverage requirements, as shown in "Perform Functional Testing and Analyze Test Coverage".

You can also test the generated code on your target hardware by running a processor-in-the-loop (PIL) simulation. By adding a PIL simulation to your test cases, you can compare the test results and coverage results from your model to the results from the generated code as it runs on the target hardware. For more information, see "Code Verification Through Software-in-the-Loop and Processor-in-the-Loop Execution" (Embedded Coder).

## See Also

## **Related Examples**

- "Run Polyspace Analysis on Code Generated with Embedded Coder" (Polyspace Bug Finder)
- "Test Two Simulations for Equivalence" (Simulink Test)
- "Export Test Results" (Simulink Test)

# **Create Back-to-Back Tests Using Enhanced MCDC**

Back-to-back tests, or equivalence tests, compare the results of normal simulations with the generated code results from software-in-the-loop (SIL), processor-in-the-loop (PIL), or hardware-in-the-loop (HIL) simulations. You can generate back-to-back tests in Simulink Test that use Enhanced MCDC.



## Set Up Test Inputs and Verification Strategy

If you want to test a component under test or subsystems in Simulink Test, you can use the **Create Test for Component wizard** by selecting **New > Create Test for Model Component** Simulink Test Test Manager, **Use Design Verifier to generate test input scenarios**. For detailed information, see "Generate Tests and Test Harnesses for a Model or Components" (Simulink Test).

To compare the results of running the component in two different simulation modes, select **Perform back-to-back testing** on the **Verification Strategy** tab of the wizard. For SIL testing an atomic subsystem or a reusable library subsystem, the subsystem or library that contains the subsystem must already have generated code. See "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42 for more information.

| Create Test fo    | r Model Component                                                      |
|-------------------|------------------------------------------------------------------------|
| <u>System</u> > 1 | Test Inputs > Verification Strategy > Generated Test                   |
| How do you war    | nt to test the component?                                              |
|                   | t under test output as baseline                                        |
| Simulate the to   | p model and record the outputs of the component to be used as baseline |
| Perform back-te   | 0                                                                      |
| Set up a test to  | compare the component under test outputs in different simulation modes |
| Select simulation | on modes:                                                              |
| Simulation1:      | Normal 👻                                                               |
| Simulation2:      | Software-in-the-Loop (SIL) 🔻                                           |
|                   | ✓ Set Model coverage objectives as Enhanced MCDC                       |
|                   | ication logic in the created harness                                   |
| No verification   | logic will be automatically added to the test                          |
|                   |                                                                        |
|                   |                                                                        |

If, under **Perform back-to-back testing**you select Software-in-the-Loop or Processor-inthe-Loop for **Simulation2**, the **Set Model Coverage Objective as Enhanced MCDC** option appears. Enhanced MCDC extends decision coverage by generating test cases that avoid masking effects from downstream blocks.

## See Also

### **Related Examples**

- "Create and Run Back-to-Back Tests Using Enhanced MCDC" on page 8-18
- "Enhanced MCDC Coverage in Simulink Design Verifier" on page 7-42
- "Generate Tests and Test Harnesses for a Model or Components" (Simulink Test)

Glossary

| abstraction                                            | The process of ignoring certain aspects of model behavior that do not affect the test objective or property under investigation.                                                                                                                                                                                                                                                                                                                                                                                                                  |
|--------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| analysis model                                         | The target model for a Simulink Design Verifier analysis. If you select<br>an atomic subsystem for analysis, the analysis model is generated by<br>extracting the subsystem to a new model.                                                                                                                                                                                                                                                                                                                                                       |
| assumption                                             | A property that is assumed to be true during a property proof. The proof result holds only when the assumption is true.                                                                                                                                                                                                                                                                                                                                                                                                                           |
| block replacement rule                                 | A rule that is registered with Simulink Design Verifier and defines how<br>instances of specific blocks are replaced by an alternate<br>implementation. The software uses MATLAB commands to define<br>when and how to apply a block replacement rule (see "Block<br>Replacements for Unsupported Blocks" on page 4-7).                                                                                                                                                                                                                           |
| component verification                                 | The process of verifying an individual components in a model. You can<br>verify a component within the execution context of the model, or<br>independently of its parent model.                                                                                                                                                                                                                                                                                                                                                                   |
| condition coverage                                     | Measures the percentage of the total number of logic conditions<br>associated with logical model objects that the simulation actually<br>exercised. Enabling condition coverage causes every decision and<br>condition coverage outcome to be enabled. See "Types of Model<br>Coverage" (Simulink Coverage).                                                                                                                                                                                                                                      |
|                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| constraint                                             | A property that is forced to be true during test case generation.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| constraint<br>counterexample                           | A property that is forced to be true during test case generation.<br>A test case that demonstrates a property violation.                                                                                                                                                                                                                                                                                                                                                                                                                          |
|                                                        |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| counterexample                                         | A test case that demonstrates a property violation.<br>A test objective that defines when a coverage point results in a                                                                                                                                                                                                                                                                                                                                                                                                                           |
| counterexample<br>coverage objective                   | <ul><li>A test case that demonstrates a property violation.</li><li>A test objective that defines when a coverage point results in a particular outcome.</li><li>A decision, condition, or MCDC expression associated with a model object. Each coverage point has a fixed number of mutually exclusive</li></ul>                                                                                                                                                                                                                                 |
| counterexample<br>coverage objective<br>coverage point | <ul> <li>A test case that demonstrates a property violation.</li> <li>A test objective that defines when a coverage point results in a particular outcome.</li> <li>A decision, condition, or MCDC expression associated with a model object. Each coverage point has a fixed number of mutually exclusive outcomes.</li> <li>Measures the percentage of the total number of simulation paths through model objects that the simulation actually traversed. Decision coverage is a subset of modified decision/condition coverage. See</li> </ul> |

| modified condition/<br>decision coverage<br>(MCDC) | Measures the independence of logical block inputs and transition<br>conditions associated with logical model objects during the<br>simulation. When you set the coverage objective to MCDC, Simulink<br>Design Verifier automatically enables every coverage objective for<br>decision coverage and condition coverage as well. |
|----------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                    | Note that MCDC test cases are not generated for XOR configured logic operators. You can achieve MCDC by using the same tests that would be generated from AND configured blocks or OR configured blocks.                                                                                                                        |
|                                                    | See "Types of Model Coverage" (Simulink Coverage).                                                                                                                                                                                                                                                                              |
| nonlinear arithmetic                               | A computation in the model that cannot be expressed as a combination of mutually exclusive linear expressions. Nonlinear arithmetic can affect a property or test objective, and it can cause the analysis to return an error. In this case, you should apply simplifying approximations and abstractions.                      |
| property                                           | A logical expression of the signals and data values, within a model,<br>that is intended to be proven true during simulation. Properties<br>evaluate at specific points in the model.                                                                                                                                           |
| property violation                                 | The condition during a simulation when a property is false.                                                                                                                                                                                                                                                                     |
| test case                                          | A sequence of numeric values and input data time that you input to a model during its simulation.                                                                                                                                                                                                                               |
| test harness                                       | A model that runs test cases on an analysis model.                                                                                                                                                                                                                                                                              |
| test objective                                     | A logical expression of the signals and data values, within a model,<br>that is intended to be true at least once in the resulting test case<br>during simulation. Test objectives evaluate at specific points in the<br>model.                                                                                                 |
| Test Objective block                               | The block that you add to a model to define test objectives. In the block mask, define test objectives as values or ranges that an input signal must satisfy during a test case.                                                                                                                                                |
| unsatisfiable test<br>objective                    | The status of a test objective that indicates a test case cannot be<br>generated for the specified approximations. This includes floating-<br>point approximations and maximum-step limitations specified in the<br><b>Design Verifier &gt; Test Generation</b> pane of the Configuration<br>Parameters dialog box.             |
| validated property                                 | The status of a property that indicates no counterexample exists,<br>subject to floating-point approximations and the settings specified in<br>the <b>Property Proving</b> pane of the Configuration Parameters dialog<br>box.                                                                                                  |