This paper describes a diagnosis technique for locating design errors in circuit implementations which do not match their functional specification. The method efficiently propagates mismatched patterns from erroneous outputs backward into the network and calculates circuit regions which most likely contain the error(s). In contrast to previous approaches, the described technique does not depend on a fixed set of error models. Therefore, it is more general and especially suitable for transistor-level circuits, which have a broader variety of possible design errors than gate-level implementations. Furthermore, the proposed method is also applicable for incomplete sets of mismatched patterns and hence can be used not only as a debugging aid for formal verification techniques but also for simulation-based approaches. Experiments with industrial CMOS circuits show that for most design errors the identified problem region is less than 3% of the overall circuit.
Introduction
Different techniques have been developed for verifying that an implemented design has the same behavior as a given "correct" specification. Classical design verification by simulation proves the correctness for only a limited set of input patterns. A complete coverage for all possible patterns can be accomplished by exhaustive comparison methods like BDD-based formal verification [1], test vector approaches [2] or probabilistic methods [3]. In the case of a miscompare, all methods provide a partial or complete list of counter examples in the form of mismatched input patterns. However, from a usage point of view the designer is primarily interested in locating, and subsequently correcting, the error.
Previous work in this area has focused on error diagnosis and correction as being one problem, where a single occurrence of a design error from a predefined set of possible models (e.g. missing or superfluous connection, wrong gate type, etc.) is assumed. The idea of error correction is to apply these hypothetical error models to potential error locations and to repeat the verification procedure until the design is correct.
A general approach to check whether the modification of a single internal net function could correct a design can be formulated by means of a set of implicit Boolean equations [4, 5]. If a solution exists for these equations, then the reimplementation of the tested net is sufficient to make the erroneous design correct. Although different pruning techniques, such as input cone intersection [4] or elimination of dominated nets [5, 6] have been proposed, the solution of the Boolean equations is considerably expensive. In [7], a set of pairs each consisting of a mismatched and a matched input pattern, differing in one input value only, are used to identify those gates where the propagation of the pattern pair is interrupted. The identified gates are used as an initial guess for backtracking the error. The drawback of this approach is again the limitation to single errors. Moreover, the required pairs of input patterns do not necessarily exist. In [8], a specific method for identifying misordered inputs and outputs is presented. This approach does not deal with internal errors.
These previous approaches work on gate-level representations and are intended as a correction mechanism for errors which were induced by a synthesis tool or for updating a previously synthesized result after some manual change. This paper focuses on error diagnosis for transistor-level verification of CMOS designs which implies the following specific problems:
High-performance CMOS circuit design is most often done manually, where automatic error correction would not be acceptable. A general debugging technique which is able to identify potential error regions in a general way is preferred.
The variety of possible design errors introduced at the transistor level is much broader than at the gate level. After extracting an equivalent Boolean network from the transistor-level representation, errors typically appear in multiple locations of the Boolean network. A diagnosis model which is restricted to a single error occurrence from a fixed set of templates is too simple.
In hierarchical implementations, a single error introduced in a frequently used subnetwork is replicated many times over the whole design. The common error source needs to be identified.
This paper describes a new diagnosis technique for the identification of possible error locations in incorrect transistor-level implementations of combinatorial circuits. The proposed Error Coverage Algorithm (EC-algorithm) works on the equivalent Boolean structure of a CMOS circuit, where mismatched patterns are propagated from incorrect outputs backward into the network. These patterns are associated with internal nets which most likely cause the errors. The back propagation can be done implicitly for all patterns simultaneously (e.g. BDD-based) or explicitly for one pattern at a time (e.g. simulation-based).
We show that the resulting number of collected error patterns at internal nets is an excellent base for precisely identifying single design errors. We also show that, in case of multiple errors, this number can be used as a good metric for identifying problematic circuit regions where the designer should look first.
This paper is structured as follows: Section 2 presents a new gate-level diagnosis model which is applied to a Boolean network extracted from a transistor-level circuit. Section 3 describes the EC-algorithm for the back propagation of error patterns through the network. Section 4 summarizes the transistor-level verification extraction procedure and describes the application of the diagnosis technique to the extracted model. Sections 5 and 6 present results and conclusions, respectively.
Gate-Level Model
Let $N(G, W)$ denote a gate-level implementation of some combinatorial network with a set of primitive gates $G = \{G_1, \ldots, G_g\}$ and a set of nets $W = \{W_1, \ldots, W_w\}$ interconnecting these gates. $\{PO_1, \ldots, PO_n\} \subseteq W$ are the $n$ primary output nets and $\{PI_1, \ldots, PI_m\} \subseteq W$ are the $m$ primary input nets of $N$. Without loss of generality, we assume that each net has a fanout of one. Signals driving several destinations are modeled by multi-output buffer gates. This enables us to distinguish between the destinations for the sake of error diagnosis. A set of Boolean variables $x = (x_{PI_1}, \ldots, x_{PI_m})$ is assigned to the input nets $\{PI_1, \ldots, PI_m\}$. Based on the structure of $N$ and the primitive functions of $G$, each net $W_i \in W$ computes some Boolean function $f_{W_i}(x)$.
A given functional specification of network $N$ assigns to each output $PO_i$ an a priori correct function $F_{PO_i}(x)$. Let us assume some verification technique is used to compare the specification with the implementation for a set of input patterns $X = \{X_1, \ldots, X_p\}$, $1 \le p \le 2^m$. The network $N$ is said to be correct with respect to $X$ if and only if:
Definition: Given a network $N$ which implements a set of functions $f_{PO_1}(x), \ldots, f_{PO_n}(x)$ and their functional specification $F_{PO_1}(x), \ldots, F_{PO_n}(x)$, the set of counter examples (CEX) for the set of input patterns $X$ is defined as: $CEX = \{(PO_i, X_j) \mid f_{PO_i}(X_j) \ne F_{PO_i}(X_j),\ X_j \in X,\ 1 \le i \le n\}$.
Figure 1 gives an example of an erroneous network. Let us assume the design was wrongly implemented by adding an inverter at net g which results in incorrect , (2) the effort to reimplement the new net functions and (3) the applicability of specific error templates which can automatically be corrected (e.g. [5]).
In the following, we introduce the concepts of: (1) sensitivity of counter examples and (2) error coverage of internal nets of $N$. Based on these definitions we state an important theorem which can be used to identify corrections for the network $N$. (1) The output value $f_{PO_i}(X_j)$ is not affected by the constant assignment. (2) For the given assignment of constant values, the output value $f_{PO_i}(X_j)$ becomes correct if the value $f_{W_k}(X_j)$ is inverted. We use $SEN(PO_i, X_j)$ to denote the set of nets to which $(PO_i, X_j)$ is sensitive.
Figure 2 illustrates the concept of sensitivity and error coverage for two counter examples $(y, 101)$, $(z, 111)$ of figure 1. The highlighted nets are those to which the counter examples are sensitive. For example, consider $(y, 101)$ (figure 2a) with respect to net $k$. If a constant value 1 is assigned to net $l$ then output $f_y(101)$ remains unaffected (incorrect). The output can be corrected if the value of net $k$ is inverted. Therefore, counter example $(y, 101)$ is sensitive to net $k$. In contrast, $(y, 101)$ is not sensitive to net $d$, because there is no assignment of constant values to other nets such that the correction of $(y, 101)$ depends directly on the inversion of net $d$.
Definition: Given a set of counter examples CEX, the error coverage of a net $W_k$ is defined as $EC_{W_k} = \{(PO_i, X_j) \mid (PO_i, X_j) \in CEX \text{ and } W_k \in SEN(PO_i, X_j)\}$. In contrast $EC_j = \{(y, 101), (y, 111)\}$.
The input cone for output $PO_i$ is defined as the set of nets from which a path to $PO_i$ exists. Obviously, the input cone of $PO_i$ provides an upper bound on $SEN(PO_i, X_j)$. However, this bound is typically loose because input cones are independent of input patterns. In contrast, the EC-approach derives a specific sensitivity cone for each counter example.
Based on the error coverage of internal nets we can state the following theorem (proof is provided in [9] As an example of the EC-concept, figure 3a highlights the nets whose EC covers all counter examples. Note that the stated theorem and corollary provide only a necessary condition for the error identification. For example, the reimplementation of nets $b$, $l$, $k$ or $p$ alone can not make $N$ correct. In other words, the coverage of all counter examples by some net $W_i$ does not imply that the reimplementation of $W_i$ alone can correct the circuit. However, our results (section 5) show that the size of EC is a strong measure for identifying problematic circuit regions, and in case of a single error this region often contains one, or only few nets.
Since the input cones of erroneous outputs give an upper bound on $SEN(PO_i, X_j)$, their intersection provides an upper bound on the set of nets which cover all counter examples (see figure 3b). Again this bound is very loose because input cones are independent of input patterns. In contrast, the EC-approach intersects the specific sensitivity cone for each counter example. This technique is powerful because it is typical for design errors to cause a large number of mismatched input patterns and multiple incorrect outputs.
Corollary: If $C = \{W_{c_1}, \ldots, W_{c_p}\}$ is a correction of $N$, then there exists at least one net $W_k \in C$ such that: $|EC_{W_k}| \ge \frac{|CEX|}{p}$. In other words, if network $N$ is assumed to have less than $p$ errors, we can identify a set of nets which contains at least one of these errors. Although generally the size of the set of such nets increases for a growing number of errors, their identification provides a valuable debugging aid to handle multiple design errors.
EC-Algorithm
The idea of the EC-algorithm is to compute the error coverage of individual nets by propagating the counter examples from erroneous outputs backward into the network. The logic gates of the network will act as propagation filters where, depending on the input and resulting output values at these gates, specific counter examples are further propagated or blocked.
Let Figure 4 gives the gate-sensitivity for some primitive gate functions. For example, consider the gate-sensitivity of an AND gate for the value pair $(1, 0)$. In this case it is assumed that some primary input pattern $X_j$ causes a 1 at the input and (because some other input is 0) a 0 at the output. We say $W_O$ is not sensitive to $W_I$, because inverting the value at $W_I$ can never cause a change of the value at $W_O$ for any constant value assignment to the other inputs of the AND gate. Therefore, $(1, 0) \notin PROP(AND, W_I, W_O)$. The idea is that if the output value 0 of an AND gate is incorrect, then all inputs which are 1 can not be held responsible for the error. The EC-algorithm uses $PROP(G_k, W_I, W_O)$ as a "gate-filter" to decide whether for the corresponding input pattern a counter example is to be back propagated through $G_k$.
The implementation of the EC-algorithm can be done implicitly for all input patterns or explicitly for one pattern at a time. The explicit approach complements a simulation-based verification method by an additional step of backward-simulating mismatched input patterns. The implicit approach can be done by a BDD-based implementation of the set operations for simultaneously back propagating all mismatched input patterns. The corresponding Boolean expressions for the "gate-filter" $PROP(G_k, W_I, W_O)$ are given in the third column of figure 4. For implementation purposes, to distinguish between mismatched patterns of different counter examples, additional output-specific BDD-variables must be inserted.
Theorem: If $F(x)$ is the functional specification of some incorrect design $N$, then the EC-algorithm computes the error coverage $EC_{W_i}$ for the internal nets of $N$ (see [9] for detailed proof).
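Added example (not code from the paper or from VERITY): the explicit, one-pattern-at-a-time variant of the back propagation, run on a constructed three-gate network with a superfluous inverter. The netlist, the function names and the PROP sets for OR and NOT are assumptions derived here from the gate-sensitivity rule in the text; the page itself only states the AND case for the pair (1, 0).

```python
from itertools import product

# PROP(G, W_I, W_O): the (input value, output value) pairs a gate lets through.
# Derived here from the gate-sensitivity rule in the text; the page itself only
# spells out that (1, 0) is not in PROP for AND.
PROP = {"AND": {(0, 0), (1, 1)}, "OR": {(0, 0), (1, 1)}, "NOT": {(0, 1), (1, 0)}}
EVAL = {"AND": lambda v: int(all(v)), "OR": lambda v: int(any(v)),
        "NOT": lambda v: 1 - v[0]}

# Constructed network in topological order: net -> (gate type, input nets).
# Every net has a fanout of one, as the gate-level model assumes.
INPUTS = ("a", "b", "c")
GATES = {
    "g": ("AND", ("a", "b")),
    "h": ("NOT", ("g",)),       # injected design error: superfluous inverter
    "y": ("OR", ("h", "c")),
}
SPEC = {"y": lambda a, b, c: (a & b) | c}   # specified function F_y


def simulate(pattern):
    """Forward-simulate one input pattern and return the value of every net."""
    val = dict(zip(INPUTS, pattern))
    for net, (kind, ins) in GATES.items():
        val[net] = EVAL[kind]([val[i] for i in ins])
    return val


def counter_examples():
    """CEX: all (output, pattern) pairs where implementation and spec differ."""
    cex = []
    for pattern in product((0, 1), repeat=len(INPUTS)):
        val = simulate(pattern)
        cex += [(po, pattern) for po, F in SPEC.items() if val[po] != F(*pattern)]
    return cex


def error_coverage(cex):
    """Back propagate each counter example; return EC as net -> set of CEX."""
    ec = {net: set() for net in (*INPUTS, *GATES)}
    for po, pattern in cex:
        val = simulate(pattern)
        stack = [po]
        while stack:
            net = stack.pop()
            ec[net].add((po, pattern))
            kind, ins = GATES.get(net, (None, ()))
            # The gate filter decides which inputs the counter example reaches.
            stack += [i for i in ins if (val[i], val[net]) in PROP[kind]]
    return ec


def input_cone(po):
    """Pattern-independent upper bound: every net with a path to po."""
    cone, stack = set(), [po]
    while stack:
        net = stack.pop()
        cone.add(net)
        stack += GATES.get(net, (None, ()))[1]
    return cone


def suspects(ec, cex, p=1):
    """Nets with |EC| >= |CEX| / p, the corollary's bound for p correction nets."""
    return sorted(net for net, cov in ec.items() if len(cov) * p >= len(cex))


if __name__ == "__main__":
    cex = counter_examples()
    ec = error_coverage(cex)
    print("counter examples:", cex)
    print("input cone of y :", sorted(input_cone("y")))
    print("suspects, p = 1 :", suspects(ec, cex, 1))
    print("suspects, p = 2 :", suspects(ec, cex, 2))
```

The input cone of y contains all six nets, while only g, h and y cover every counter example, and the injected inverter is among them.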
Transistor-Level Error Diagnosis
Algorithms for formally verifying the correctness of a CMOS implementation versus its gate-level specification are usually based on a switch-level interpretation of the transistor circuit [10, 11, 12]. Such approaches check the static equivalence of the function without considering the timing or delay dependent behavior of the circuit. A common approach is to first extract a functionally equivalent Boolean network from the transistor-level design, and then prove the correctness of the Boolean network against the gate-level specification.
In the following, we informally summarize the extraction procedure of the Boolean network from transistor-level designs and demonstrate the application of the described diagnosis technique. To simplify the discussion, and to focus on the main idea of transistor-level error diagnosis, we exclude both ratio-logic (i.e. MOS circuits where the function depends on the strength ratio of certain transistors) and combinatorial loops from consideration. In contrast to the gate-level model presented in section 2, we relax the definition of a net to include connections with multiple fanouts.
The extraction of the equivalent Boolean network from a CMOS design is based on functional nets in the transistor circuit. These nets include all primary inputs, primary outputs and the nets which control gates of MOS transistors. The extraction procedure assigns two Boolean functions $f^1$ and $f^0$ to each functional net. $f^1$ and $f^0$ define the cases for which the net is logically 1 and 0, respectively. Consider the erroneous CMOS circuit of figure 5 for which figure 6 gives the corresponding Boolean network. Nets $a$, $b$, $c$, $s$, and $y$ establish the set of functional nets because they are either circuit terminals or drive some transistor gate. The corresponding nets in the Boolean representation are marked as $a^0, a^1, b^0, b^1, c^0, c^1, y^0$, and $y^1$. In contrast, $d$ and $e$ (figure 5) are not functional nets and therefore they have no counterpart in the Boolean network. For each primary input, both polarities of the corresponding input variable are assigned to $f^1$ and $f^0$ (e.g. $a^1 = a$, $a^0 = \bar{a}$). For primary outputs and internal nets, the ON-sets of $f^1$ and $f^0$ describe the set of input patterns for which the net is driven by $V_{DD}$ and GROUND, respectively. In other words, $f^1(X_i) = 1$ means that there is a path of interconnected transistors from that net to $V_{DD}$ such that all transistors are conducting if pattern $X_i$ is applied at the circuit inputs. In a similar manner $f^0(X_i) = 1$ denotes some path to GROUND. The equivalent of a path in the transistor circuit is an AND gate in the Boolean network. The AND inputs are driven by the gate functions $f^1$ (for NMOS) or $f^0$ (for PMOS) of the corresponding path transistors. The AND outputs of all paths driving a net to $V_{DD}$ or GROUND are collected by OR-gates to generate $f^1$ or $f^0$, respectively.
The circuit of figure 5 contains ten paths, eight driving net $y$ and two driving net $c$. For example, path $P_1$ drives $y$ by $V_{DD}$ if transistors $t_1$ and $t_7$ are conducting. As shown in figure 6, the AND of path $P_1$ is fed by $a^0$ for $t_1$ and $c^1$ for $t_7$, which are PMOS and NMOS transistors, respectively. Consider that the given multiplexer example (figure 5) is incorrectly implemented where $t_8$ is an NMOS transistor, instead of a PMOS. This error causes the two paths $P_3 = \{t_8, t_1\}$ and $P_4 = \{t_8, t_2\}$ to be activated by the wrong polarity of input $s$. In the Boolean representation, this error is reflected by connecting the input of both path ANDs, $P_3$ and $P_4$, to $s^1$ instead of $s^0$. Note that for this particular example, a single error in the transistor circuit causes two errors in the corresponding Boolean network.
The verification step proves the correct implementation of the circuit outputs against a given specification. $f^1$ and $f^0$ of each output must be compared against both polarities $F^1$ and $F^0$ of their specified function, respectively. For the multiplexer output $y$, figure 6 shows the implemented functions $f_y^1$ and $f_y^0$ and their specification $F_y^1$ and $F_y^0$. The mismatched input patterns are (011) and (101), respectively.
In addition to the comparison of the circuit outputs, a set of consistency checks can be formulated for each functional net. For example, if the designer is using a circuit technique which excludes the application of ratio-logic, the intersection of $f^1$ and $f^0$ detects collisions where the net is driven simultaneously by $V_{DD}$ and GROUND. Similarly, the union of both functions could identify conditions for which a net is floating, i.e. not driven by $V_{DD}$ or GROUND. These checks can directly be mapped into some Boolean structure providing additional test points. For the example in figure 6, output $z$ computes the intersection of $f_y^1$ and $f_y^0$, finding collisions for input patterns (011) and (101). Typical design errors often cause violations of these consistency checks at many internal nets. This results in a large amount of additional counter examples which significantly improves the discrimination capability of the presented diagnosis technique.
The presented EC-algorithm was applied to the Boolean network for the four counter examples $CEX = \{(y^1, 011), (z, 101), (z, 011), (y^0, 101)\}$. As a result only two nets cover all counter examples. These nets and their counterparts in the original transistor circuit are highlighted in figure 6 and figure 5, respectively. Note that the extraction and diagnosis algorithms work directly on the transistor circuit by interpreting it according to the equivalent Boolean network. Therefore, the inputs $t_8$ for the path AND gates $P_3$ and $P_4$ are not distinguished and treated as one net. This enables the diagnosis algorithm to exactly identify the erroneous gate-connection of $t_8$ and net $s^1$.
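Added example (not code from the paper or from VERITY): the path-based extraction of f^1 and f^0, the comparison against both polarities of the specification, and the collision and floating checks described in this section, run on a constructed two-input NAND in which one pull-up transistor has the wrong polarity, the same kind of error as t8 above. The netlist, all names and the restriction to transistor gates driven by primary inputs are assumptions of this example.

```python
from itertools import product

# Constructed 2-input NAND: (name, type, gate net, terminal, terminal).
# Transistor gates are driven by primary inputs only (assumption of this example).
INPUTS = ("a", "b")
RAILS = ("VDD", "GND")
TRANSISTORS = [
    ("p1", "P", "a", "VDD", "y"),
    ("p2", "N", "b", "VDD", "y"),   # injected error: should be a PMOS
    ("n1", "N", "a", "y", "d"),     # d is not a functional net
    ("n2", "N", "b", "d", "GND"),
]


def paths(net, rail, visited=()):
    """Yield every simple transistor path from net to rail."""
    if net == rail:
        yield []
    elif net not in RAILS:              # never route through the opposite rail
        for t in TRANSISTORS:
            if net in t[3:]:
                nxt = t[4] if net == t[3] else t[3]
                if nxt not in visited:
                    for rest in paths(nxt, rail, visited + (net,)):
                        yield [t] + rest


def drive(net, rail, val):
    """f^1 (rail VDD) or f^0 (rail GND): OR over all paths of the AND of the
    conducting conditions (NMOS conducts on gate 1, PMOS on gate 0)."""
    return int(any(all(val[g] == (kind == "N") for _, kind, g, _, _ in p)
                   for p in paths(net, rail)))


def check(net, spec):
    """Compare f^1/f^0 with both polarities of the spec and run the
    consistency checks for every input pattern."""
    report = {"mismatch": [], "collision": [], "floating": []}
    for pattern in product((0, 1), repeat=len(INPUTS)):
        val = dict(zip(INPUTS, pattern))
        f1, f0 = drive(net, "VDD", val), drive(net, "GND", val)
        F1 = spec(*pattern)
        if f1 != F1:
            report["mismatch"].append((net + "^1", pattern))
        if f0 != 1 - F1:
            report["mismatch"].append((net + "^0", pattern))
        if f1 and f0:                   # intersection: driven by both rails
            report["collision"].append(pattern)
        if not (f1 or f0):              # outside the union: not driven at all
            report["floating"].append(pattern)
    return report


def nand(a, b):
    """Specified function F_y of the constructed circuit."""
    return 1 - (a & b)


if __name__ == "__main__":
    for kind, hits in check("y", nand).items():
        print(kind, hits)
```

The single wrong transistor yields two output mismatches plus one collision and one floating condition, which is how the consistency checks add counter examples for the diagnosis step.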
Results
The EC-algorithm is part of a BDD-based verification system, VERITY, which is being used for CMOS processor designs within IBM. To evaluate the diagnosis capabilities of the presented approach, random errors were introduced into a set of industrial CMOS circuits of varying complexity. First, the verification step generates the complete set of counter examples. Next, the EC-algorithm is applied to back propagate these counter examples into the network. Based on the size of the resulting error coverage at internal nets, and depending on the number of assumed error locations, circuit regions are identified which contain at least one error.
The first experiment evaluates the discrimination capabilities for single errors. For each circuit example, a single randomly chosen net was manipulated by either connecting it to a different source or setting it to a constant value. Table 1 summarizes the results. We define a suspicious net as one which is possibly causing an error. The column titled "cone intersection" reports the size of the input cone intersection of all erroneous outputs (including test points). For single errors the intersection provides the set of nets which must contain the error. In some cases (e.g. e2 or e3) this method gives a tight bound, producing only few nets. However, it is more typical for the cone intersection to result in a considerably large fraction of the whole circuit (e.g. e9 or e12).
The right portion of the table summarizes the performance for the EC-algorithm. As shown, the number of resulting nets in the suspicious circuit region is significantly smaller than the input cone intersection. The average size of the error region comprises 1.8% of the whole circuit; for most examples it is below 3%. Note that larger circuit examples produce a relatively smaller number of suspicious nets.
The reported numbers for memory usage and CPU time (IBM RS6000, Model 340) consider only the resources for the diagnosis algorithm. A memory usage of 0 indicates that no additional BDD-nodes were allocated by the EC-algorithm, and hence a maximum reuse of existing BDD-nodes from the verification part. Other examples (e.g. e9 and e12) demand a significantly large amount of new BDD-nodes as well as CPU time for the BDD-operations. This increase is caused by the ordering of the BDD-variables. In the implementation, the ordering is optimized for the extraction of the output functions only and does not consider the operations for back propagating error patterns. We expect that in future implementations techniques for dynamically changing the variable ordering [13] will reduce this problem. (table 1).
The second experiment illustrates the distribution of the error coverage for varying numbers of errors. The EC-algorithm was applied to example e6 containing one, two, four, and eight randomly introduced errors. Figure 7 shows the histogram for the error coverage of all 3510 nets. For example, in case of a single error, 4 nets have an error coverage of 100%, 9 nets cover more than 99%, 11 nets more than 91%, etc. As expected, as the errors increase, the distribution of the error coverage becomes flatter, resulting in an increasing number of nets in the suspicious circuit region. According to the second corollary, for an assumed number of errors, we can identify some part of the circuit which must contain at least one of them. For each EC distribution, the \" denotes the identified circuit region which must contain at least one of the errors. For the one, two, four, and eight errors, this region comprises 4, 13, 39, and 133 out of 3510 nets, respectively; still a small fraction of the overall network. This clearly illustrates that even for multiple errors, the EC-algorithm provides a valuable debugging aid for the designer.
Conclusion
This paper describes a technique for locating design errors in incorrectly implemented circuits. As compared to previous approaches, the proposed method is independent of predefined error models and is not restricted to errors which are correctable in terms of given correction templates. The algorithm is based on a single efficient network traversal for back propagating mismatched input patterns from erroneous outputs.
The resulting error coverage at internal nets of the circuit provides an upper bound for the identification of nets whose reimplementation can correct the design. Practical experiments demonstrate that for single occurrences of design errors this bound is tight, producing only one or few nets as possible error candidates. Results show that, even for multiple errors, the size of the identified region which contains at least one error is sufficiently small, providing a valuable debugging aid in practical design environments.
This paper has mainly focused on error diagnosis for transistor-level designs. Nevertheless, the proposed technique is equally applicable to complement other gate-level error correction techniques. The presented method provides a strong selection mechanism for reducing the set of possible error candidates, which is more general and faster than prior preselection schemes. Since the resulting number of error candidates is small, more expensive and complex correction algorithms can be applied.
