Detecting Data Store Access Conflict in Simulink by Solving Boolean Satisfiability Problems

Zhi Han and Pieter J. Mosterman
MathWorks, Three Apple Hill Drive, Natick, MA, 01760, USA

Abstract— This paper presents a method to statically analyze a Simulink® model to detect two potential problems with data store memory blocks: (i) a value may be read from a data store before it is written and (ii) a data store may be overwritten before its value is read by other blocks. The analysis employs a Boolean satisfiability (SAT) solver and so obviates extensive testing by means of simulation. It is illustrated how this supports model elaboration in Model-Based Design by performing the analysis on a task model of a digital controller implementation.

I. INTRODUCTION

The use of digital control has become the norm in modern engineered systems. In particular, complex embedded systems such as the Joint Strike Fighter rely on software consisting of millions of lines of code to enable operation [25]. Taking a multitude of control laws from their mathematical representation to an integrated computational implementation has thus become a critical challenge in the design of such embedded control systems. This calls for a gradual refinement of specifications so as to:
• allow quick iterations over incremental design choices and their validity and feasibility, and
• minimize the distance to implementation and the chance of introducing errors.
Also, capturing specifications at different levels of detail with a comprehensive language allows easy communication between all stakeholders, and potential issues can be traced back to and solved at different points in the design [15].

In general, the myriad implementation aspects are preferably addressed incrementally, where the order depends on preference, processes, and workflows. The execution aspects of a control law implementation typically involve first deriving a discrete-time representation of the initial continuous-time control law.
This representation is then converted into a task-based representation that can be executed by the operating system running on digital hardware. Further implementation considerations are, for example, the use of function arguments versus global variables for the exchange of data, the use of fixed-point versus floating-point data types, and partitioning into (potentially reusable) functions.

Model-Based Design revolves around the use of a computational representation of specifications: the models of the system under design [15], [22]. The computational form allows automation of many of the required design activities, such as computing dynamic behavior, implementing a specification in software, and generating tests. Combined with a sufficiently rich modeling formalism, Model-Based Design provides critical competitive product development advantages (e.g., [16]).

An important design consideration is the task structure and schedule of the control law computations. When values are communicated between tasks through shared memory, the schedule has to be carefully designed to prevent inadvertent use of stale values. In general, this can prove to be a challenging assignment, especially with schedules that allow conditional task execution. Potential data store access problems, such as reading a value before it has been written, quickly become intractable for the designer, especially if blocks have to be explored across the subsystem hierarchy.

This work employs a Boolean satisfiability (SAT) solver (e.g., [21], [24]) to analyze data store access patterns directly on a Simulink [19] block diagram representation so as to facilitate incremental design of implementation effects. The static nature of the analysis obviates exhaustive testing (e.g., by simulation) to verify that a given memory access pattern does not arise in any execution. The SAT solver input consists of the block execution relationship and the possible run-time problem, encoded together as a Boolean formula.
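To make the encoding concrete, the following is an added worked example written for this edit; it is not the paper's implementation, whose actual formulae are given in its Section VI and are not reproduced here. It assumes that every block has a fixed position in the execution order, that a block executes in a step if and only if all of the enable conditions guarding it hold (e_b ↔ AND of guard literals, with nested or mutually exclusive branches expressed through the same condition variable with opposite polarity), and that the task model, its block names (Init, Sensor, Estimator, Fallback, Controller, Actuator), its data stores (A, G, K, U) and its conditions (first, adapt) are constructed for illustration. The execution structure and the offending access pattern are conjoined into one CNF formula; a satisfying assignment of the condition variables is the counterexample, and UNSAT means no execution exhibits the pattern:

```python
# Example code added for illustration; NOT the paper's implementation (its
# formulae are in Section VI, not reproduced here). Assumptions: blocks have a
# fixed execution order; a block runs in a step iff all its guard conditions
# hold (e_b <-> AND(guards)); the task model below is constructed, not real.

def solve(clauses, assignment=None):
    """Tiny DPLL over clauses (sets of (var, polarity) literals): model dict or None."""
    assignment = dict(assignment or {})
    clauses = [set(c) for c in clauses]
    while True:  # unit propagation
        unit = next((next(iter(c)) for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        var, val = unit
        assignment[var] = val
        remaining = []
        for c in clauses:
            if (var, val) in c:  # clause satisfied
                continue
            c = {lit for lit in c if lit != (var, not val)}
            if not c:  # clause falsified: conflict
                return None
            remaining.append(c)
        clauses = remaining
    if not clauses:
        return assignment
    var = next(iter(clauses[0]))[0]  # branch on an open variable
    for val in (True, False):
        result = solve(clauses + [{(var, val)}], assignment)
        if result is not None:
            return result
    return None

def execution_clauses(blocks):
    """Encode e_b <-> AND(guard literals) per block; an unguarded block always runs."""
    clauses = []
    for name, guard, _ in blocks:
        e = "exec:" + name
        if not guard:
            clauses.append({(e, True)})
            continue
        for lit in guard:  # e_b -> each guard literal
            clauses.append({(e, False), lit})
        clauses.append({(e, True)} | {(v, not p) for v, p in guard})  # guards -> e_b
    return clauses

def _counterexample(clauses):
    """Solve and keep only the condition variables (the counterexample shown to the user)."""
    m = solve(clauses)
    return None if m is None else {v: p for v, p in m.items() if not v.startswith("exec:")}

def read_before_write(blocks, reader, store):
    """SAT iff `reader` can execute while no earlier block wrote `store` in that step."""
    idx = {n: i for i, (n, _, _) in enumerate(blocks)}
    cl = execution_clauses(blocks) + [{("exec:" + reader, True)}]
    for name, _, ops in blocks[: idx[reader]]:
        if ("write", store) in ops:
            cl.append({("exec:" + name, False)})  # no prior writer may execute
    return _counterexample(cl)

def overwrite_before_read(blocks, w1, w2, store):
    """SAT iff w2 is the next write of `store` after w1 with no read of it in between."""
    idx = {n: i for i, (n, _, _) in enumerate(blocks)}
    cl = execution_clauses(blocks) + [{("exec:" + w1, True)}, {("exec:" + w2, True)}]
    for name, _, ops in blocks[idx[w1] + 1 : idx[w2]]:
        if ("read", store) in ops or ("write", store) in ops:
            cl.append({("exec:" + name, False)})
    return _counterexample(cl)

def check_model(blocks):
    """Both checks over every reader and every ordered writer pair of every store."""
    findings = []
    stores = sorted({s for _, _, ops in blocks for _, s in ops})
    for store in stores:
        readers = [n for n, _, ops in blocks if ("read", store) in ops]
        writers = [n for n, _, ops in blocks if ("write", store) in ops]
        for r in readers:
            cex = read_before_write(blocks, r, store)
            if cex is not None:
                findings.append(("read-before-write", (r,), store, cex))
        for i, w1 in enumerate(writers):
            for w2 in writers[i + 1 :]:
                cex = overwrite_before_read(blocks, w1, w2, store)
                if cex is not None:
                    findings.append(("overwrite-before-read", (w1, w2), store, cex))
    return findings

# Constructed task model in execution order: (block, guard literals, data store ops).
# Estimator and Fallback are the two mutually exclusive branches of one conditional.
BLOCKS = [
    ("Init",       [("first", True)],  [("write", "G"), ("write", "K")]),
    ("Sensor",     [],                 [("write", "A")]),
    ("Estimator",  [("adapt", True)],  [("read", "A"), ("write", "K")]),
    ("Fallback",   [("adapt", False)], [("write", "K")]),
    ("Controller", [],                 [("read", "G"), ("read", "K"), ("read", "A"), ("write", "U")]),
    ("Actuator",   [],                 [("read", "U")]),
]
```

Running check_model(BLOCKS) yields three findings: Controller reads G before any write whenever first is false (Init is the only writer and runs conditionally); and Init's write of K is overwritten before it is read by Estimator (first and adapt true) or by Fallback (first true, adapt false). The check of Controller's read of K is UNSAT even though every writer of K is conditional, because the clauses tie Estimator and Fallback to opposite polarities of adapt, so at least one of them always runs; this is the kind of cross-hierarchy reasoning that a pairwise inspection of blocks misses and that the solver handles for free. Writers that execute after the reader in the same step are deliberately not counted, since the reader would then see the previous step's value.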
The resulting formula is satisfiable if and only if the specified pattern of memory access contention can occur; in that case the satisfying assignment is a counterexample, which is displayed to the user in an execution graph. Otherwise, no execution can evidence the offending pattern.

Section II first discusses and compares some related work. Section III motivates the problem based on complications in implementing an adaptive controller. Section IV explains block execution in a Simulink model. Section V introduces the data structure and main procedure for memory access checking. Section VI presents the encoding of the execution structure as Boolean formulae. Section VII illustrates the method first with an abstract example and then with the adaptive controller. Section VIII evaluates and concludes this work.

II. RELATED WORK

While dynamic analysis by numerical simulation is well established in industrial Model-Based Design, static analysis is rapidly gaining popularity. A number of software tools have been developed to use formal methods for static analysis of Simulink models (e.g., [7], [9], [12], [14], [20]). Most of these tools require translating the Simulink models to a representation amenable to formal analysis (e.g., [1], [5], [8], [26]). The analysis may not require simulation of the original model but usually has much greater computational complexity. Because Simulink models are mostly hybrid dynamic systems, scalability makes it difficult to