Abstract-Functional verification is becoming a major bottleneck in modern VLSI design flows. To manage this growing problem, assertion-based verification has been adopted as one of the key technologies to increase the quality and efficiency of verification. However, this technology also poses new challenges in the form of debugging and correcting errors in the assertions. In this work, we present a framework for correcting and debugging Property Specification Language assertions. The methodology uses the failing assertion, counter-example and mutation model to produce alternative properties that are verified against the design. Each one of these properties serve as a basis for possible corrections. They also provide insight into the design behavior and the failing assertion that can be used for debugging. Preliminary experimental results show that this process is effective in finding alternative assertions for all empirical instances.
I. INTRODUCTION
Functional verification and debugging remains one of the largest challenges in modern VLSI design flows taking up to 46% [1] of the total design time. In recent years, new methods have been developed to cope with the verification challenge. To increase observability in order to reduce overall debug time, assertion-based verification (ABV) [2] , [3] has been adopted to improve the verification and debug efficiency. Despite this fact, debugging still remains a significant bottleneck taking up to 60% of the total verification time [1] .
Modern ABV verification environments are typically made up of three components: design, testbench and assertions. Bugs can be introduced into any one of these components as an engineer is as likely to make a mistake in writing the design as they are in the testbench or assertions. Most debugging solutions have either focused on providing greater efficiency for manual debug [4] - [6] or have targeted automated solutions for the design [7] - [10] . The inability of current solutions to provide automation in debugging testbenches and assertions remains a roadblock to reducing the overall debug efficiency.
Temporal assertions present a unique challenges to the debugging process over traditional circuit debugging. Modern temporal assertion languages such as Property Specification Language (PSL) and SystemVerilog assertions [11] , [12] introduce new constructs and semantics compared to traditional RTL languages. The complex temporal behaviors over multiple cycles and execution threads makes it difficult for engineers to write high-quality bug-free assertions. This fact leads to one of the biggest challenges in their wide spread adoption.
Localizing the error has traditionally been the main goal of automated circuit debugging techniques. This proves effective when the circuit has many components and most of the time is spent locating erroneous components. In a similar way, it is possible to synthesize assertions [13] and apply similar localization techniques. However, this approach is less effective for debugging assertions. For example, applying path-tracing [7] to {valid; start} -> next(go) will return the entire assertion as potentially erroneous. In addition, localization does not directly help the engineer towards correcting the assertion. This suggests a need to develop new techniques beyond localization in order to effectively debug assertions.
In this work, we propose a novel framework for correcting and debugging PSL assertions that takes a different approach from previous circuit debugging techniques. It aids correction and debugging by generating a set of closely related properties to the failing assertion that have been validated against the RTL. These properties provide both suggestions for possible corrections as well as provide insight into the design behavior. This is accomplished by introducing a language independent methodology for correction and debugging of errors in assertions that produce a set of closely related verified properties. These properties are generated by an input set of modifications that mutate existing assertions. Additionally, we propose a particular set of modifications for PSL to mutate the failing assertion in order to generate closely related properties. Two techniques dealing with vacuity and multiple errors are also presented to enhance the practical viability of this approach.
Preliminary experimental results on real designs with PSL assertions written from their specifications are presented. They show that the proposed methodology and modification model are able to return verified properties for all instances. In addition, the extensions to deal with multiple error and vacuity techniques are shown to provide value in filtering out inessential properties.
The remaining sections of the paper are organized as follows. Section II provides background material. Our contributions are presented in Section III, Section IV and Section V. Section VI presents the experimental results and Section VII concludes this work.
II. PRELIMINARIES
This section gives a brief overview of the Property Specification Language (PSL) as well as concepts used extensively throughout this paper. For a more detailed treatment please refer to [2] , [12] .
PSL is a concise language for describing temporal system behavior for use in verifying RTL designs. Each system behavior can be specified by writing a property which in turn can be used as an assertion.
Properties are derived from several different types of expressions that build upon each other. A sequential extended 
regular expression (SERE) describes a behavior of one or more cycles over Boolean expressions such as delays or repetitions.
A property specifies temporal relationships among various Boolean expressions, SEREs and other properties. A simplified grammar of common PSL operators is listed in Table I . Informally, a property is vacuously true if it only passes for some trivial or unintended reason. For example, when the left hand side of the logical implication operator (− >) is always false, the right hand side never gets evaluated thus the property is vacuous.
III. ASSERTION CORRECTION AND DEBUGGING
METHODOLOGY This section presents the methodology to automatically generate a set of verified properties to aid in correction and debugging for errors in failing assertions.
In this methodology, it is assumed that errors only exist in the assertions and the design is implemented correctly. If this is not the case, then the methodology still can provide value for debugging by giving insight into the design behavior. Note that this methodology makes no assumptions about the assertion language or the types of errors as these are functions of the input model.
The methodology returns a set of verified properties ( ) with respect to the design that closely relate to the failing assertion. This set of closely related assertions aids in the debugging process in several ways. First, serves as a suggestion for possible corrections to the failing assertion. As such, it provides an intuitive method to aid in the correction and debugging process. Second, since the properties in have been verified, they provide an in depth understanding of related design behaviors. This provides critical information in understanding the reason for the failed assertion. Finally, allows the engineer to contrast the failing assertion with closely related ones, a fact that allows the user to build intuition regarding the possible sources and causes of errors.
The overall methodology is shown in Figure 1 and consists of three main steps. The first step applies mutations which are performed after a failing assertion is detected by verification. This step takes in the failing property along with the mutation model and generates a set of closely related properties, denoted as ′ , to be verified. Each property in ′ is generated by taking the original failing assertion and applying one or more predefined modifications, or mutations, defined by the mutation The second step of the methodology quickly rules out invalid properties in ′ through simulation with the failing counter-example. A counter-example in this context is a simulation trace that shows one way for the assertion to fail. The intuition here is that since the counter-example causes the original assertion to fail, it will also provide a quick filter for related properties in ′ . It accomplishes this by evaluating each property in ′ for each cycle in the counter-example through simulation. If any of the properties in ′ fail for any of the evaluations, they are removed from ′ . The resulting set of properties is denoted by ′′ . The final step of the methodology uses an existing verification flow to filter out the remaining invalid properties in ′′ . This is the most time-consuming step in this process, which is the reason for generating ′ . The existing verification flow can either be a high coverage simulation testbench or a formal property checker. In the case of the testbench, the properties in will have a high confidence of being true. While with the formal flow, is a set of proven properties for the design. In most verification environments, both these flows are automated resulting in no wasted manual engineering time. The final set of filtered properties are verified by the environment and can be presented to the user for analysis.
IV. PSL ASSERTION MUTATION MODEL
This section describes a practical mutation model for the PSL assertions to be used with the methodology described in Section III. These mutations are designed to model common industrial errors [2] , [14] as well as misinterpretations of PSL. Note that other mutation models can be developed based on user experience.
Each mutation modifies the assertion either by adding operators, changing operators or changing parameters to operators. Each new property is generated by applying a fixed number of these mutations to the failing assertion. The number of mutations is defined to be the cardinality of the candidate and depends on the number of additions or changes to the assertion. In some cases, multiple or complex errors may require higher cardinality to model. The intuition behind this strategy is that the engineer typically has written the assertion so that it is syntactically similar to the correct one. This means that it is not necessary to explore every possible combination of expressions, only those that are similar to the failing assertion. As previously mentioned, even if the set of mutations is not exhaustive for every possible error, they still can provide value when debugging. Table II lists the different types of mutations in this model. The three columns list the name, type of source operator and the mutation that is applied to the source operator. The various types of mutations are broken up into several types which will described below.
The first group of mutations involves modifying Boolean expressions. PSL provides built-in operators for signal transitions across a pair of clock cycles and previous values. These operators can frequently be misused. For example the prev(sig, ) operator, the number of cycles ( ) to evaluate in the prev is a common source of errors. The mutation can model this error by adding or subtracting an integer .
PSL sequential binary operators make up the next group of mutations. These operators have subtle differences that are easy to misinterpret. For example, && is similar to & except with the added restriction that the lengths of the matched sequences must be the same.
Sequential repetition operators are the next group of mutations. These operators allow repetition of signals in consecutive or non-consecutive forms with subtle differences. Mutations either involve changing the repetition operator or changing the number of repetitions by integers or . When mutating using or , the cardinality will be increased by the absolute value of the integer. For example, changing [=1] to [=3] will increase the cardinality by 2.
The next group of mutations involve the concatenation (;) and fusion (:) operators used to define a single thread of behavior for SERE. These mutations either change the operator used, or append a delay to model any errors in timing.
The last group of mutations involve the property layer operators. The first type of mutations involve the next family of operators. These mutations aim to ensure the correct operator is used (next_a vs. next_e) or modify the number or range on the statement. The second type of mutation involve the implication operator. In this case, the mutation allows a multiple cycle delay after the antecedent with the addition of next [ ] operator.
V. PRACTICAL CONSIDERATIONS AND EXTENSIONS
The methodology outlined in Section III along with the model in Section IV generates a set of closely related properties, . However practically speaking, they are only useful if the number of properties returned by the methodology is small enough to be analyzed by an engineer. Two techniques that greatly reduce the number of properties are discussed here.
The first technique deals with vacuous assertions. Assertions that are vacuous typically are considered erroneous since their intended behavior is not exercised. Similarly, all verified properties that are found to be vacuous for all evaluations are removed from , reducing its size significantly as seen in the experimental results.
The second technique deals with multiple cardinalities. As the cardinality increases, the size of the mutated properties, ′ , increases exponentially. This may become unmanageable at higher cardinalities. To deal with this, ′ can be reduced by eliminating properties with mutations that have been verified at lower cardinalities. The intuition here is that the removed properties do not add value because they are more difficult to contrast with the original assertion. This proves to be very effective in reducing the size of ′ for higher cardinalities by removing these inessential properties.
VI. EXPERIMENTS
This section presents experimental results for the proposed PSL correction and debug framework. The experiments are run on a single core of a dual-core AMD Athlon 64 4800+ CPU with 4 GB of RAM. A commercial simulator and property checker were used for the simulation and verification steps. The instances were generated from Verilog RTL designs from OpenCores [15] and our industrial partners. The PSL assertions are written from the specifications of the design.
To remove bias from the results, we do not artificially insert errors into the assertions. Instead, we insert an error into the RTL so that there is a mismatch between the RTL and PSL assertions. We then assume the RTL is correct and PSL is erroneous and try to correct it. For each RTL error, an instance is created by selecting a failing assertion to be the mutation target of our methodology. Each instance is named by the design name followed by a number. Table III shows the experimental results. The first four columns show the instance name, number of synthesized gates and state elements and the number of variables or operators in the assertion. The next ten columns show the results from the experiments. Column five shows the cardinality, while columns six and seven show the number of initial candidates with and without the cardinality optimization from Section V respectively. Columns eight to eleven show the number of cycles in the counter-example, the number of passing properties after simulation with the counter-example, the number of proven vacuous properties, and the final set of verified properties respectively. The final three columns show the Table III , verified properties ( ) are found for each of the instances when cardinality increased from one to three. An important point is that the size of is relatively small ensuring that it can be practically analyzed by a human. Moreover, we also notice that each one of these properties is proven with respect to the design. This can be used to help with debugging by understanding the design, even if they do not directly correct the error.
An example of a correction for risc2 is: {(instr0 == igoto) && valid; !valid; 1'b1[ * 2]; valid} |-> prev(pc,2) <= prev(tmp,3). The RTL bug that was inserted in this case was one of the previous pipeline stages of pc was incorrectly concatenated. This shows up indirectly in the verified property but clearly points to a problem with the consequent signals.
The effectiveness of the vacuity and cardinality enhancements can also be seen when analyzing the columns labelled unopt ′ , ′ , and vac. The reduction in some cases is quite significant such as in pipeline1 where it reduces 60% of the candidates when = 3. The average reduction from both enhancements is 20% showing the benefit of the technique.
VII. CONCLUSION
In this work, we present a framework for debugging and correcting PSL assertions. It uses the failing assertion, corresponding counter-example along with a mutation model to produce closely related assertions that are verified against the design. These closely related properties serve as a basis for both correction and debugging of the erroneous assertions. Experimental results show that the framework can find alternative properties for all instances.
